[sudo-users] avoid LDAP search sudoUser=+*

Michael Ströder michael at stroeder.com
Wed Feb 5 10:55:56 MST 2014


I wondered why things are slow with sudo-ldap and then found this search in the
debug log:

sudo: ldap search 'sudoUser=+*'

What the hell is this for?

Note that when using this substring filter *every* entry in the LDAP server is
examined. It also does not even help to define a substring index for 'sudoUser'
because those are only used by typical LDAP server implementations if the
substring is at least 3 chars long.
So a query like this is pretty stupid and gives a hard performance penalty.

I managed to improve things in my case by adding

SUDOERS_SEARCH_FILTER (&(objectClass=sudoRole)(organizationalStatus=0))

But this config directive seems not to be available with the standard package
shipped with RHEL5 which currently is sudo-1.7.2p1-28.el5. Is that right?

Additionally we have a rather restricted setup where 'sudoUser' contains solely
references to groups but not users. How to furthermore restrict what sudo-ldap
uses to generate the LDAP filter?

Ciao, Michael.
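As an added illustration (not part of Michael's post or of the sudo project), here is a small checker that scans sudo debug-log lines like the one quoted above and flags LDAP filters whose substring assertions cannot use a substring index, using the three-character minimum mentioned in the post; the log lines and the three-character threshold are constructed assumptions.

```python
import re

# Assumption: typical LDAP servers only use a substring index when every
# literal component of the substring assertion is at least this long.
MIN_INDEXED_SUBSTR = 3

# Constructed sample lines in the style of the 'sudo: ldap search' debug output.
SAMPLE_DEBUG_LOG = """\
sudo: ldap search '(&(objectClass=sudoRole)(sudoUser=michael))'
sudo: ldap search 'sudoUser=+*'
sudo: ldap search '(&(objectClass=sudoRole)(sudoUser=%admins))'
sudo: ldap search '(|(sudoUser=ALL)(sudoUser=+*))'
"""

_SEARCH_RE = re.compile(r"ldap search '([^']*)'")
# One attribute=value assertion; the value may contain '*' wildcards.
_ASSERTION_RE = re.compile(r"\(?([A-Za-z][\w;-]*)=([^()]*)\)?")


def substring_issues(filter_str):
    """Return (attr, value, reason) for every assertion in filter_str that is a
    substring match but cannot benefit from a substring index."""
    issues = []
    for attr, value in _ASSERTION_RE.findall(filter_str):
        if "*" not in value:
            continue  # plain equality assertion, index-friendly
        parts = [p for p in value.split("*") if p]  # literal components
        if not parts:
            issues.append((attr, value, "presence filter written as substring"))
        elif all(len(p) < MIN_INDEXED_SUBSTR for p in parts):
            issues.append((attr, value,
                           "all substring components shorter than index minimum"))
    return issues


def scan_debug_log(text):
    """Map each logged filter that has issues to its list of issues."""
    findings = {}
    for m in _SEARCH_RE.finditer(text):
        issues = substring_issues(m.group(1))
        if issues:
            findings[m.group(1)] = issues
    return findings


if __name__ == "__main__":
    for flt, issues in scan_debug_log(SAMPLE_DEBUG_LOG).items():
        for attr, value, reason in issues:
            print(f"{flt}: {attr}={value}: {reason}")
```

Run against the real debug log to see which filters sudo-ldap issues trigger a full scan of the directory.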
