[sudo-users] avoid LDAP search sudoUser=+*

Michael Ströder michael at stroeder.com
Wed Feb 5 10:55:56 MST 2014

I wondered why things are slow with sudo-ldap and then found this search in the
debug log:

sudo: ldap search 'sudoUser=+*'

What the hell is this for?

Note that when using this substring filter *every* entry in the LDAP server is
examined. It also does not even help to define a substring index for 'sudoUser'
because those are only used by typical LDAP server implementations if the
substring is at least 3 chars long.
So a query like this is pretty stupid and gives a hard performance penalty.

I managed to improve things in my case by adding

SUDOERS_SEARCH_FILTER (&(objectClass=sudoRole)(organizationalStatus=0))

But this config directive seems not to be available with the standard package
shipped with RHEL5 which currently is sudo-1.7.2p1-28.el5. Is that right?

Additionally we have a rather restricted setup where 'sudoUser' contains solely
references to groups but not users. How to furthermore restrict what sudo-ldap
uses to generate the LDAP filter?

Ciao, Michael.

More information about the sudo-users mailing list