[sudo-users] Fallback to local sudo when LDAP sudo is unavailable

Michael W. Lucas mwlucas at michaelwlucas.com
Wed Nov 20 13:15:37 MST 2013

On Wed, Nov 20, 2013 at 02:54:00PM -0500, Forrest Aldrich wrote:
> On 11/20/13 1:07 PM, Wong Ren wrote:
> >
> > When LDAP sudo is unavailable due to network or LDAP server  issue, will the LDAP sudo falls back to local sudo and thus allow the service to continue ?
> > assuming that he accounts exist locally and also in the LDAP server and LDAP and local has the same sudo policy.
> >
> > If the answer is yes,  what would be best practice?
> >
> >
> Wouldn't this fall under the caching mechanisms of SSSD or NCSD (if 
> configured to do so)?
> I'm curious as well - but I believe that's the case.

Sudo tests information sources in the order listed in
/etc/nsswitch.conf. Something like

sudo: ldap files 

will work.

Using the ignore_local_sudoers option in your LDAP config will tell
sudo to ignore the local file, so you can have a backup config that
only works when you have no LDAP.


Michael W. Lucas  -  mwlucas at michaelwlucas.com, Twitter @mwlauthor 
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Absolute OpenBSD 2/e - http://www.nostarch.com/openbsd2e
coupon code "ILUVMICHAEL" gets you 30% off & helps me.

More information about the sudo-users mailing list