[sudo-users] avoid LDAP search sudoUser=+*

Michael Ströder michael at stroeder.com
Wed Feb 5 12:17:59 MST 2014

On Wed, 05 Feb 2014 11:58:09 -0700 "Todd C. Miller" <Todd.Miller at courtesan.com>
> On Wed, 05 Feb 2014 18:55:56 +0100, "Michael Ströder" wrote:
> > I wondered why things are slow with sudo-ldap and then found this
> > search in the debug log:
> >
> > sudo: ldap search 'sudoUser=+*'
> That is to support sudoUser records that use netgroups.  For Unix
> groups, it is possible to get a list of all the user's groups before
> performing the query.  The same is not true for netgroups so we
> need to match any sudoUser that begins with a '+'.  This is unfortunate
> but I'm not aware of a better way, short of removing netgroup support
> (which people do use).  See "Anatomy of LDAP sudoers lookup" in the
> sudoers.ldap manual.

Substring searches are really bad! I'd consider the LDAP schema to be severely
broken. Different types of data (user, group, netgroup) should rather be put
into different attributes. So if you want all netgroup-related sudoRole entries
you could search with


In this case one could define a presence and/or equality index leading to much
faster search processing.

Anyway, at least the default value for SUDOERS_SEARCH_FILTER should be
"(objectClass=sudoRole)" to drastically reduce the number of search candidates
the LDAP server has to examine.

Disabling netgroup support by config option would be nice too for those of us
trying to get rid of the netgroups mess.

> > Additionally we have a rather restricted setup where 'sudoUser'
> > contains solely references to groups but not users. How to further
> > restrict what sudo-ldap uses to generate the LDAP filter?
> There's not currently a way to override the LDAP query that sudo
> uses.

Optimizing further is not really a big performance improvement compared to
the substring search issue above, but would be nice of course.

Ciao, Michael.
