[sudo-users] avoid LDAP search sudoUser=+*
Todd C. Miller
Todd.Miller at courtesan.com
Wed Feb 5 11:58:09 MST 2014
On Wed, 05 Feb 2014 18:55:56 +0100, "Michael Ströder" wrote:
> I wondered why things are slow with sudo-ldap and then found this
> search in the debug log:
> sudo: ldap search 'sudoUser=+*'
That is to support sudoUser records that use netgroups. For Unix
groups, it is possible to get a list of all the user's groups before
performing the query. The same is not true for netgroups so we
need to match any sudoUser that begins with a '+'. This is unfortunate
but I'm not aware of a better way, short of removing netgroup support
(which people do use). See "Anatomy of LDAP sudoers lookup" in the
> I managed to improve things in my case by adding
> SUDOERS_SEARCH_FILTER (&(objectClass=sudoRole)(organizationalStatus=0))
> But this config directive seems not to be available with the standard package
> shipped with RHEL5 which currently is sudo-1.7.2p1-28.el5. Is that right?
That was added in Sudo 1.7.6 (and 1.8.1 in the 1.8 branch). RHEL5
was released in 2007 and includes a version of sudo that is now
rather old. You can always find up to date sudo packages at
> Additionally we have a rather restricted setup where 'sudoUser'
> contains solely references to groups but not users. How to furthermore
> restrict what sudo-ldap uses to generate the LDAP filter?
There's not currently a way to override the LDAP query that sudo
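To make the lookup Todd describes concrete, here is an added Python sketch (not sudo's own code): it builds the sudoUser clause the way the thread describes it (the user, the user's groups, and the `sudoUser=+*` wildcard because netgroup membership cannot be enumerated client-side), optionally wraps it in a SUDOERS_SEARCH_FILTER, and then shows the client-side netgroup match that sudo must still run on the entries the wildcard returns. The exact clause layout, the escaping helper and the simplified `innetgr()` are assumptions, and the netgroup and role data are constructed.

```python
# Added illustration, not sudo's source. The filter layout approximates the
# sudo-ldap query described in the thread; innetgr() is a simplified stand-in.
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}

def ldap_escape(value: str) -> str:
    """RFC 4515 escaping: a username must never be spliced raw into a filter."""
    return ''.join(_ESCAPES.get(c, c) for c in value)

def build_sudo_filter(user, groups, gids, search_filter=None):
    """sudoUser clause: explicit user/group terms plus the '+*' netgroup wildcard."""
    terms = ['(sudoUser=ALL)', f'(sudoUser={ldap_escape(user)})']
    terms += [f'(sudoUser=%{ldap_escape(g)})' for g in groups]
    terms += [f'(sudoUser=%#{gid})' for gid in gids]
    # Netgroup membership cannot be enumerated client-side, hence the wildcard.
    terms.append('(sudoUser=+*)')
    clause = '(|' + ''.join(terms) + ')'
    # SUDOERS_SEARCH_FILTER narrows the candidate set before the OR is applied.
    return f'(&{search_filter}{clause})' if search_filter else clause

def innetgr(netgroups, name, user, seen=None):
    """Simplified innetgr(): user-only match, nested netgroups, cycle-safe.
    netgroups maps name -> list of user names (str) or nested ('@', name) refs."""
    seen = set() if seen is None else seen
    if name in seen or name not in netgroups:
        return False
    seen.add(name)
    for member in netgroups[name]:
        if isinstance(member, tuple):
            if innetgr(netgroups, member[1], user, seen):
                return True
        elif member is None or member == user:   # None = wildcard user
            return True
    return False

def entry_applies(sudo_users, user, groups, netgroups):
    """Client-side check on the sudoUser values of an entry the server returned."""
    for v in sudo_users:
        if v == 'ALL' or v == user:
            return True
        if v.startswith('%') and v[1:] in groups:
            return True
        if v.startswith('+') and innetgr(netgroups, v[1:], user):
            return True
    return False

# Constructed sample data: two netgroups and two sudoRole entries.
NETGROUPS = {'admins': ['alice', ('@', 'oncall')], 'oncall': ['bob']}
ROLES = {'cn=ops': ['+admins'], 'cn=dba': ['+dba-team', '%dba']}

def applicable_roles(user, groups):
    """Entries matched by '+*' that do not name one of the user's netgroups are dropped here."""
    return [dn for dn, su in ROLES.items() if entry_applies(su, user, groups, NETGROUPS)]
```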