[sudo-users] ignore_local_sudoers does not work as expected
fabrice.b7 at gmail.com
Sat Dec 7 11:57:30 MST 2013
Thank you for the clarification.
In my case, there will be too many servers, managed by several admins.
I can recommend this kind of configuration, but there is no guarantee
(for me) that all servers plugged into OpenLDAP for sudo roles can't
use an old local sudoers file.
Anyway, now I understand that the meaning of this option is how to
manage fallback to the local sudoers file when the LDAP server is lost.
On Fri, Dec 6, 2013 at 12:25 PM, Todd C. Miller
<Todd.Miller at courtesan.com> wrote:
> Yes, the order in nsswitch.conf matters. If you have "files" first
> then the local sudoers file is already parsed by the time that the
> LDAP rules are read. The ignore_local_sudoers option predates the
> nsswitch.conf integration. You are probably better off just using:
> sudoers: ldap
> in nsswitch.conf if you want to prevent the local sudoers file from
> being read.
> However, if you want the local sudoers file to be used when the
> LDAP server is not reachable (and only then) you can configure
> nsswitch.conf as:
> sudoers: ldap files
> and then set ignore_local_sudoers in the LDAP rules. This will
> allow the use of a fallback local sudoers file when LDAP is not
> - todd
"And there he goes ... One of God's own prototypes, a high-powered
mutant, never even considered for mass production,
too weird to live, and too rare to die..."
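The ordering rule Todd describes is easy to get wrong across a fleet managed by several admins, so here is a small audit script as an added example (not code from the sudo-users thread or the sudo project). It reads the `sudoers:` line of an nsswitch.conf, classifies the source order, and reports whether an `ignore_local_sudoers` option set in LDAP can have any effect. The sample nsswitch.conf fragments are constructed, and the LDAP suffix in the comment is assumed.

```shell
#!/bin/sh
# Added example, not from the sudo-users thread or the sudo project: audit the
# "sudoers:" line of nsswitch.conf for the ordering problem Todd describes.
# With "files" ahead of "ldap", /etc/sudoers is already parsed before the LDAP
# rules are read, so an ignore_local_sudoers sudoOption in LDAP cannot suppress
# it. File paths and the LDAP suffix below are assumptions.

# Print the source list of the sudoers database, comments stripped and
# whitespace normalised. An absent line prints nothing; sudo then behaves as
# if the line read "sudoers: files".
sudoers_sources() {
    sed -n 's/#.*//; s/^[[:space:]]*sudoers[[:space:]]*:[[:space:]]*//p' "$1" \
        | head -n 1 | tr -s ' \t' ' ' | sed 's/^ //; s/ $//'
}

# Classify a source list. sudo also accepts a [NOTFOUND=return] token after a
# source; it is dropped here because only the order of the sources matters.
classify_sudoers_order() {
    case "$(printf '%s' "$1" | sed 's/\[[^]]*\]//g; s/  */ /g; s/^ //; s/ $//')" in
        "ldap")        echo ldap-only ;;      # local sudoers never read
        "ldap files")  echo ldap-fallback ;;  # local file only used when LDAP is unreachable,
                                              # provided ignore_local_sudoers is set in LDAP
        "files ldap")  echo files-first ;;    # local file parsed first: ignore_local_sudoers is ineffective
        "files"|"")    echo files-only ;;     # LDAP never consulted
        *)             echo unknown ;;
    esac
}

# Constructed sample nsswitch.conf fragments (not taken from real hosts).
SAMPLES=$(mktemp -d)
printf 'passwd: files ldap\nsudoers: files ldap   # common, but wrong for this goal\n' > "$SAMPLES/files-first.conf"
printf 'sudoers: ldap files\n' > "$SAMPLES/fallback.conf"
printf 'sudoers: ldap\n' > "$SAMPLES/ldap-only.conf"
printf '# sudoers: ldap\npasswd: files\n' > "$SAMPLES/missing.conf"

# Report one verdict per file. On a fleet, this loop would run over each
# host's /etc/nsswitch.conf instead of the samples.
audit_nsswitch() {
    for f in "$@"; do
        printf '%s: %s\n' "$f" "$(classify_sudoers_order "$(sudoers_sources "$f")")"
    done
}
audit_nsswitch "$SAMPLES"/*.conf

# For the ldap-fallback layout, the suppression of the local file lives in the
# LDAP default role rather than in nsswitch.conf (suffix assumed):
#   dn: cn=defaults,ou=SUDOers,dc=example,dc=com
#   objectClass: top
#   objectClass: sudoRole
#   cn: defaults
#   sudoOption: ignore_local_sudoers
```

Run it against `/etc/nsswitch.conf` on each host (for example via your configuration management tool's command runner) and treat any `files-first` or `files-only` verdict as a host where an old local sudoers file can still grant access regardless of what LDAP says.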