[sudo-users] avoid LDAP search sudoUser=+*

Todd C. Miller Todd.Miller at courtesan.com
Wed Feb 5 11:58:09 MST 2014

On Wed, 05 Feb 2014 18:55:56 +0100, "Michael Ströder" wrote:

> I wondered why things are slow with sudo-ldap and then found this
> search in the debug log:
> sudo: ldap search 'sudoUser=+*'

That is to support sudoUser records that use netgroups.  For Unix
groups, it is possible to get a list of all the user's groups before
performing the query.  The same is not true for netgroups so we
need to match any sudoUser that begins with a '+'.  This is unfortunate
but I'm not aware of a better way, short of removing netgroup support
(which people do use).  See "Anatomy of LDAP sudoers lookup" in the
sudoers.ldap manual.

> I managed to improve things in my case by adding
> SUDOERS_SEARCH_FILTER (&(objectClass=sudoRole)(organizationalStatus=0))
> But this config directive seems not to be available with the standard package
> shipped with RHEL5 which currently is sudo-1.7.2p1-28.el5. Is that right?

That was added in Sudo 1.7.6 (and 1.8.1 in the 1.8 branch).  RHEL5
was released in 2007 and includes a version of sudo that is now
rather old.  You can always find up to date sudo packages at

> Additionally we have a rather restricted setup where 'sudoUser'
> contains solely references to groups but not users. How to furthermore
> restrict what sudo-ldap uses to generate the LDAP filter?

There's not currently a way to override the LDAP query that sudo

 - todd
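As an added illustration (not code from sudo or from either poster), the Python below approximates how a sudoers LDAP client assembles the per-user filter described above: the user name and Unix groups are resolved before the query and OR-ed together, netgroups cannot be enumerated client-side so a `(sudoUser=+*)` prefix match is included, and that disjunction is AND-ed with SUDOERS_SEARCH_FILTER, which is why a site attribute such as organizationalStatus can narrow the result set. The term order, the `ldap_escape` helper and the sample names are assumptions of this example, not sudo's actual code.

```python
from typing import Iterable

# Characters that must be escaped inside an LDAP filter value (RFC 4515).
# Escaping the login name and group names keeps a hostile account name
# from injecting extra filter terms into the sudoRole query.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

DEFAULT_SEARCH_FILTER = "(objectClass=sudoRole)"


def ldap_escape(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter (assumed helper)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_sudo_user_filter(user: str, groups: Iterable[str] = (),
                           gids: Iterable[int] = (), netgroups: bool = True,
                           search_filter: str = DEFAULT_SEARCH_FILTER) -> str:
    """Assemble the first-pass sudoRole filter for `user`.

    Illustrative only: the term order and exact shape are an assumption of
    this example, not taken from sudo's source.  Unix groups are known before
    the query, so each becomes an exact (sudoUser=%group) term.  Netgroup
    membership cannot be listed client-side, hence the wildcard (sudoUser=+*):
    every netgroup-based sudoRole is returned and membership is checked after
    the search, which is the cost the thread is discussing.
    """
    terms = [f"(sudoUser={ldap_escape(user)})"]
    terms += [f"(sudoUser=%{ldap_escape(g)})" for g in groups]
    terms += [f"(sudoUser=%#{int(gid)})" for gid in gids]
    if netgroups:
        terms.append("(sudoUser=+*)")
    terms.append("(sudoUser=ALL)")
    # SUDOERS_SEARCH_FILTER is AND-ed with the per-user disjunction, so a
    # site-specific attribute in it narrows every query the client issues.
    return f"(&{search_filter}(|{''.join(terms)}))"


if __name__ == "__main__":
    # Constructed sample: the restricted filter quoted in the thread.
    restricted = "(&(objectClass=sudoRole)(organizationalStatus=0))"
    print(build_sudo_user_filter("michael", ["wheel"], gids=[10]))
    print(build_sudo_user_filter("michael", ["wheel"], search_filter=restricted))
    print(build_sudo_user_filter("michael", ["wheel"], netgroups=False))
```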
