[sudo-users] ignore_local_sudoers does not work as expected

fabrice bessettes fabrice.b7 at gmail.com
Sat Dec 7 11:57:30 MST 2013


Thank you for the clarification.

In my case, there will be too many servers, managed by several admins.
I can recommend this kind of configuration, but there's no guarantee
(for me) that all servers plugged into openldap for sudo roles can't
use the old local sudoers file.

Anyway, now I understand that the meaning of this option is how to
manage the fallback to the local sudoers file when the LDAP server is lost.

Best regards,

Fabrice

On Fri, Dec 6, 2013 at 12:25 PM, Todd C. Miller
<Todd.Miller at courtesan.com> wrote:
> Yes, the order in nsswitch.conf matters.  If you have "files" first
> then the local sudoers file is already parsed by the time that the
> LDAP rules are read.  The ignore_local_sudoers option predates the
> nsswitch.conf integration.  You are probably better off just using:
>
> sudoers: ldap
>
> in nsswitch.conf if you want to prevent the local sudoers file from
> being read.
>
> However, if you want the local sudoers file to be used when the
> LDAP server is not reachable (and only then) you can configure
> nsswitch.conf as:
>
> sudoers: ldap files
>
> and then set ignore_local_sudoers in the LDAP rules.  This will
> allow the use of a fallback local sudoers file when LDAP is not
> working.
>
>  - todd



-- 
"And off he flies ... One of God's own personal prototypes, a
high-powered mutant, never designed for mass production,
too weird to live, and too rare to die..."
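An added audit helper (not code from the thread or from the sudo project) that applies Todd's ordering rule: it reads the `sudoers:` line of an nsswitch.conf document and, given the sudoOption values from the LDAP defaults entry, reports whether the local sudoers file can still grant access. It assumes the LDAP options are passed in as a plain list of strings and that a missing `sudoers:` line means sudo's documented default of `files` only.

```python
"""Classify how sudo combines the local sudoers file with LDAP rules.

Constructed example: the verdicts follow the nsswitch.conf ordering
semantics described in the thread (files listed before ldap is parsed
before ignore_local_sudoers can take effect).
"""
import re
from typing import List


def sudoers_sources(nsswitch_text: str) -> List[str]:
    """Ordered sources on the 'sudoers:' line of an nsswitch.conf document.

    Comments are stripped and bracketed actions such as [NOTFOUND=return]
    are skipped. A missing line falls back to sudo's documented default
    of 'files' only.
    """
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^sudoers\s*:\s*(.*)$", line)
        if m:
            return [tok.lower() for tok in m.group(1).split()
                    if not tok.startswith("[")]
    return ["files"]


def classify_sudoers_setup(nsswitch_text: str,
                           ldap_default_options: List[str]) -> str:
    """Short verdict on whether local sudoers rules can still apply."""
    sources = sudoers_sources(nsswitch_text)
    ignore_local = "ignore_local_sudoers" in ldap_default_options
    if "ldap" not in sources:
        return "local-only: LDAP rules are never consulted"
    if "files" not in sources:
        return "ldap-only: local sudoers file is never read"
    if sources.index("files") < sources.index("ldap"):
        # 'files' is parsed before the LDAP rules, so the LDAP-side
        # ignore_local_sudoers option arrives too late to suppress it.
        return "local-always: local sudoers applies despite ignore_local_sudoers"
    if ignore_local:
        return "ldap-with-fallback: local sudoers used only when LDAP is unreachable"
    return "merged: both LDAP and local sudoers rules apply"


if __name__ == "__main__":
    # Constructed sample mirroring the configuration discussed above.
    sample = "passwd: files ldap\nsudoers: files ldap  # legacy order\n"
    print(classify_sudoers_setup(sample, ["ignore_local_sudoers"]))
```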


