[sudo-users] Fwd: SUDO centralization based on Server!

pradyumna dash neomatrixgem at gmail.com
Tue Sep 6 16:21:45 EDT 2011


If i understood correctly, i can't restrict a user from executing some
command by centralizing SUDO with OpenLDAP?


On Tue, Sep 6, 2011 at 8:41 PM, Todd C. Miller <Todd.Miller at courtesan.com>wrote:

> On Tue, 06 Sep 2011 13:33:17 CDT, Patrick Spinler wrote:
> > Someone else will have to chime in to confirm or deny my failing memory,
> > but I do know that when using LDAP in general, there are no guarantees
> > as to the order that elements are returned from a search; leading from
> > that, I seem to recall reading somewhere that the behavior of sudo deny
> > rules when pulled from LDAP might not be the same as when reading rules
> > from a file, again 'cause you can't specify or enforce a rule order.
> That is correct; LDAP does not guarantee the order of the attributes
> within a sudoRole.  Newer versions of sudo support a sudoOrder
> attribute but that only helps with ordering multiple sudoRoles.
>  - todd

More information about the sudo-users mailing list