[sudo-users] sudo + ldap - nisNetgroupTriple

Patrick Spinler spinler.patrick at mayo.edu
Tue May 25 17:45:46 EDT 2010

Jr Aquino wrote:
> I am writing to the mailing list in hopes that someone has information
> regarding the use of sudo for 'hostgroups' without having to use the
> nisNetgroupTriple attributes.
> I would like to be able to utilize sudo with LDAP entries that sanely
> list the hostnames under a 'host:' attribute ideally.
> I've spoken to several of the nss_ldap developers and they have
> strongly cautioned me against leveraging nisNetgroups for storing my
> hosts because of various RFC schema enforcements present in various
> LDAP server implementations. (Not being able to modify/add/remove a
> nisNetgroupTriple without fully removing and re-adding all
> nisNetgroupTriples from an object being one of the major
> disadvantages...)

For what it's worth, I got no clue what they're talking about, unless
it's some weird LDAP-server-specific thing.

I've used nisNetgroup-style hostgroups & sudo successfully with both
OpenLDAP and Sun DSEE LDAP server without issue, including liberally
adding, modifying and removing nisNetgroupTriples containing host (and
user) attributes.

-- Pat

