[sudo-users] Sudo performance with LDAP netgroups in /etc/sudoers

Patrick Spinler spinler.patrick at mayo.edu
Thu Jan 28 22:02:25 EST 2010

Sorry for continuing to follow up to myself.  I've managed, with some
advice, to track down a likely culprit, and it's all in our configuration.

Our clients appear to experience some not insignificant delay
negotiating TLS encryption on the ldap channel.  When I turn tls off in
my /etc/ldap.conf, my "sudo -l" times reliably fall to about 0.5
seconds.  That's something very tolerable.

Now, I just need to figure out if there's a way to improve that.
Unfortunately for me, we can't just drop TLS/SSL.

Thanks anyway.
-- Pat

Patrick Spinler wrote:
> Bugger.  My apologies, I forgot some more critical information.
> Much of my testing was on the RHEL supplied versions of sudo, Sudo
> version 1.6.9p17 on my redhat 5.3 box, and Sudo version 1.6.7p5 on my
> RHEL 4.8 box.
> However, I've also compiled and tried Sudo version 1.7.2p1 on RHEL 4,
> and see almost identical performance characteristics as the 1.6.*
> versions on the same host.
> So unfortunately whatever's going on here seems to be the same in the
> latest versions of sudo.
> Thanks!
> -- Pat
> Patrick Spinler wrote:
>> Hi all sudo knowledge gods. :-)  I'd like to place a sudo performance
>> question before you.
>> We have an environment (using redhat enterprise linux 5.3 as my test
>> box) where I am using netgroups in my sudoers, like so:
>>   +netgroup   ALL=(ALL) NOPASSWD: ALL
>> and direct my netgroup database to use LDAP via /etc/nsswitch.conf, like so:
>>   netgroup:   files ldap
>> Unfortunately, in my test box, I'm seeing abysmal performance invoking
>> sudo, on the order of 4 seconds to run a "sudo -l"
>> I've established a very strong correlation between the number of
>> netgroups listed in /etc/sudoers and the invocation time.  On my test
>> machine, with 15 netgroups listed, I had the 4 second invocation time
>> I just mentioned.  When I reduced the number of netgroups to 7 by
>> combining lines using line continuation characters, my "sudo -l" time
>> dropped to an average 2.2 seconds over 10 tests.
>> Sure enough, when I examined my ldap server logs, I see an ldap search
>> for each listing of a netgroup in /etc/sudoers directly resulting from
>> any invocation of sudo.  This includes several searches for the same
>> netgroup per invocation if the netgroup is listed multiple times.  E.g.
>> this:
>>   +netgroup ALL=(root)   /bin/su - tomcat
>>   +netgroup ALL=(tomcat) ALL
>> would produce two searches with the ldap filter
>> "(&(objectClass=nisNetgroup)(cn=netgroup))" on my servers.
>> However, while there is a strong correlation between the number of ldap
>> searches and the experienced delay, that's not the whole story.  My ldap
>> servers are, in fact, quite fast.  I can run the following search (yes,
>> the duplication is intentional, intended to mirror the duplicate
>> netgroups in sudoers like above):
>> time for i in netgr1 netgr2 netgr2 netgr3 netgr3 netgr4 netgr4; do
>>   ldapsearch -x "(&(objectClass=nisNetgroup)(cn=$i))"
>> done > /dev/null
>> in, on average, 0.14 seconds.
>> So, for 7 netgroups, it's a fair assumption that my 2.2 second "sudo -l"
>> spends < .2 seconds searching ldap for netgroups, and about 2 seconds
>> doing "something else".
>> Frustratingly, I haven't been able to profile this.  The command:
>>   time strace sudo -l
>> ends up complaining that:
>> write(2, "sudo: ", 6sudo: )                   = 6
>> write(2, "must be setuid root", 19must be setuid root)     = 19
>> write(2, "\n", 1
>> and so gives no useful information. :-(
>> Can anyone offer advice in tracing down the source of my delay?
>> Thanks!
>> -- Pat
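The lookup pattern Pat describes (one LDAP search per +netgroup listing in sudoers, repeats included) can be estimated from the sudoers file itself before touching the directory, which makes it easy to see how much consolidating rules with line continuations would cut the per-invocation cost. The script below is an added example, not part of this thread or of sudo itself; it assumes that every "+name" token outside Defaults lines costs one netgroup lookup, as the post reports for user specifications, and it runs against a constructed sample sudoers rather than a real one.

```python
import re
from collections import Counter

# Constructed sample sudoers content, not taken from the post. It contains a
# Defaults line with "+=", a backslash-continued rule and one netgroup that is
# listed on two rules.
SAMPLE_SUDOERS = """\
# constructed example sudoers
Defaults    env_keep += "LANG LC_ALL"
+admins     ALL=(ALL) NOPASSWD: ALL
+webops     ALL=(root)   /bin/su - tomcat
+webops     ALL=(tomcat) ALL
+dbops      ALL=(postgres) /usr/bin/psql, \\
                           /usr/bin/pg_dump
"""

# A netgroup reference is a "+" immediately followed by a name. The lookbehind
# and the name class (which excludes "=") keep "env_keep += ..." operators
# from matching.
NETGROUP_REF = re.compile(r"(?<![\w.@\-+])\+([A-Za-z0-9_.\-]+)")


def logical_lines(text):
    """Yield sudoers logical lines: backslash-continued lines joined, comments
    and blank lines dropped. Simplification: a '#' starts a comment unless it
    is followed by a digit (sudoers uses #uid in user lists)."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        buf += line
        stripped = re.sub(r"(^|\s)#(?!\d).*$", "", buf).strip()
        buf = ""
        if stripped:
            yield stripped


def netgroup_references(text):
    """Count every +netgroup token, repeats included, because the post reports
    one LDAP search per listing rather than per distinct netgroup."""
    refs = Counter()
    for line in logical_lines(text):
        if line.split(None, 1)[0].startswith("Defaults"):
            continue  # option lines never reference netgroups
        refs.update(NETGROUP_REF.findall(line))
    return refs


def lookup_report(text):
    """Summarise expected lookups per sudo invocation for a sudoers text."""
    refs = netgroup_references(text)
    return {
        "total_lookups": sum(refs.values()),
        "unique_netgroups": len(refs),
        "repeated": sorted(n for n, c in refs.items() if c > 1),
    }


if __name__ == "__main__":
    r = lookup_report(SAMPLE_SUDOERS)
    print(f"{r['total_lookups']} netgroup lookups per sudo invocation, "
          f"{r['unique_netgroups']} distinct; repeated: {r['repeated']}")
```

Run it against a copy of the real file (for example, "python3 count_netgroups.py < /etc/sudoers" after swapping SAMPLE_SUDOERS for sys.stdin.read()) and the gap between total and unique counts is the number of lookups that merging rules onto one continued line would remove; the remaining cost is then the per-search TLS negotiation the follow-up message identifies.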
