[sudo-users] Fallback to local sudo when LDAP sudo is unavailable

Michael W. Lucas mwlucas at michaelwlucas.com
Wed Nov 20 13:15:37 MST 2013


On Wed, Nov 20, 2013 at 02:54:00PM -0500, Forrest Aldrich wrote:
> 
> On 11/20/13 1:07 PM, Wong Ren wrote:
> >
> > When LDAP sudo is unavailable due to a network or LDAP server issue, will LDAP sudo fall back to local sudo and thus allow the service to continue?
> > assuming that the accounts exist locally and also in the LDAP server, and LDAP and local have the same sudo policy.
> >
> > If the answer is yes, what would be best practice?
> >
> >
> 
> Wouldn't this fall under the caching mechanisms of SSSD or nscd (if 
> configured to do so)?
> 
> I'm curious as well - but I believe that's the case.


Sudo tests information sources in the order listed in
/etc/nsswitch.conf. Something like

sudo: ldap files

will work.

Using the ignore_local_sudoers option in your LDAP config will tell
sudo to ignore the local file, so you can have a backup config that
only works when you have no LDAP.

==ml

-- 
Michael W. Lucas  -  mwlucas at michaelwlucas.com, Twitter @mwlauthor 
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Absolute OpenBSD 2/e - http://www.nostarch.com/openbsd2e
coupon code "ILUVMICHAEL" gets you 30% off & helps me.

