[sudo-users] Offtopic: Re: sudo + ldap - nisNetgroupTriple

Patrick Spinler spinler.patrick at mayo.edu
Wed May 26 10:51:36 EDT 2010


On 05/26/2010 09:16 AM, Jr Aquino wrote:

> As such, I'd like to have a list of hosts that both sudo and pam_ldap
> can look to without having to duplicate the same data in 2 different
> formats.

Here's where I'd urge you to give careful consideration to your
approach.  You're talking about using the same object type for
semantically different purposes, and in fact to contain different objects.

*) A group of hosts for use in sudo rules
*) A group of users for use in sudo rules
*) A group of users to provision to a host

In fact, these are all different, and *should* be represented
differently in your repository.  We do something like this:

auth_<somegroup>   - a list of people provisioned to a host
sudo_<somegroup>   - a list of people granted a specific sudo command
hgrp_<somegroup>   - a list of hosts

Even in the first two instances, provisioning v. sudo, I *want* to keep
these separate.  For example, when an intern joins our unix team for a
summer assignment, I probably want to allow that intern to log into our
machines so she can e.g. gather configuration info, but I probably don't
want to grant that intern the full sudo rights I give normal unix admins.

-- Pat
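The separation described in the post, written out as LDIF (an added illustration, not part of the original message or the sudo project): three distinct nisNetgroup objects following the auth_/sudo_/hgrp_ naming, plus one sudoRole that composes only the sudo_ and hgrp_ groups. The base DN, OUs, host names, user names and the command are constructed placeholders.

```ldif
# Hosts only: referenced from sudoHost and from pam_ldap host checks.
dn: cn=hgrp_unix,ou=Netgroup,dc=example,dc=com
objectClass: nisNetgroup
cn: hgrp_unix
nisNetgroupTriple: (unix01.example.com,-,)
nisNetgroupTriple: (unix02.example.com,-,)

# People provisioned to log in on those hosts (intern included).
dn: cn=auth_unix,ou=Netgroup,dc=example,dc=com
objectClass: nisNetgroup
cn: auth_unix
nisNetgroupTriple: (-,alice,)
nisNetgroupTriple: (-,bob,)
nisNetgroupTriple: (-,intern1,)

# People granted a specific sudo command (intern deliberately absent).
dn: cn=sudo_unix_pkg,ou=Netgroup,dc=example,dc=com
objectClass: nisNetgroup
cn: sudo_unix_pkg
nisNetgroupTriple: (-,alice,)
nisNetgroupTriple: (-,bob,)

# The sudo rule references the user netgroup and the host netgroup
# with the "+" prefix; login provisioning (auth_unix) is never consulted here.
dn: cn=pkg_on_unix,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: pkg_on_unix
sudoUser: +sudo_unix_pkg
sudoHost: +hgrp_unix
sudoRunAsUser: root
sudoCommand: /usr/bin/yum
```

Because login access and sudo rights live in different objects, adding intern1 to auth_unix grants a shell on the hgrp_unix hosts without touching any sudoRole.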


