[sudo-users] avoid LDAP search sudoUser=+*

JR Aquino JR.Aquino at citrix.com
Wed Feb 5 12:36:41 MST 2014


Michael, FYI, there has been a parallel effort to address the deficiencies of NIS netgroups in the FreeIPA project:
* http://www.freeipa.org/page/FreeIPAv2:SUDO_Schema_Design
* http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/sudo.html

There may be some areas of synergy that could be leveraged.


On Feb 5, 2014, at 11:17 AM, Michael Ströder <michael at stroeder.com> wrote:

> On Wed, 05 Feb 2014 11:58:09 -0700 "Todd C. Miller" <Todd.Miller at courtesan.com> wrote:
>> On Wed, 05 Feb 2014 18:55:56 +0100, "Michael Ströder" wrote:
>> 
>>> I wondered why things are slow with sudo-ldap and then found this
>>> search in the debug log:
>>> 
>>> sudo: ldap search 'sudoUser=+*'
>> 
>> That is to support sudoUser records that use netgroups.  For Unix
>> groups, it is possible to get a list of all the user's groups before
>> performing the query.  The same is not true for netgroups so we
>> need to match any sudoUser that begins with a '+'.  This is unfortunate
>> but I'm not aware of a better way, short of removing netgroup support
>> (which people do use).  See "Anatomy of LDAP sudoers lookup" in the
>> sudoers.ldap manual.
> 
> Substring searches are really bad! I'd consider the LDAP schema to be severely
> broken. Different types of data (user, group, netgroup) should better be put
> into different attributes. So if you want all netgroup-related sudoRole entries
> you could search with
> 
> (sudoNetGroups=*)
> 
> In this case one could define a presence and/or equality index leading to much
> faster search processing.
> 
> Anyway at least the default value for SUDOERS_SEARCH_FILTER should be
> "(objectClass=sudoRole)" to drastically reduce the number of search candidates
> the LDAP server has to examine.
> 
> Disabling netgroups support by config option would be nice too for those of us
> trying to get rid of the netgroups mess.
> 
>>> Additionally we have a rather restricted setup where 'sudoUser'
>>> contains solely references to groups but not users. How to further
>>> restrict what sudo-ldap uses to generate the LDAP filter?
>> 
>> There's not currently a way to override the LDAP query that sudo
>> uses.
> 
> Optimizing further is not really a big performance improvement compared to
> the substring search issue above, but would be nice of course.
> 
> Ciao, Michael.
> 
> 
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
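
The exchange quoted above, as an added Python example that is not part of the original message or of sudo's source: it reconstructs the two per-user queries sudo-ldap issues (the equality filter for the user and their Unix groups, then the netgroup pass with sudoUser=+*), applies RFC 4515 escaping to the values placed in the filter, builds the indexable presence filter Michael proposes, and performs the client-side netgroup match that follows the second query. The attribute name sudoNetGroups, the sudoRole entries and the netgroup membership set are constructed for the example and are not part of the sudo schema or of any real directory.

```python
"""Added example, not code from sudo or from anyone in the thread.

Reconstructs the two LDAP queries sudo-ldap issues per user, as described
in the thread and in the "Anatomy of LDAP sudoers lookup" section of
sudoers.ldap(5), plus the presence-filter alternative proposed in the reply.
Assumptions: the attribute name sudoNetGroups (the proposal, not part of the
sudo schema), the sample entries and the netgroup membership set are all
constructed for this example.
"""

SUDOERS_SEARCH_FILTER = "(objectClass=sudoRole)"  # the default argued for above


def ldap_escape(value: str) -> str:
    """Escape an assertion value per RFC 4515.

    sudo builds filters from user and group names; without escaping, a
    name containing ( ) * or \\ would change the structure of the filter.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def user_filter(user, groups, search_filter=SUDOERS_SEARCH_FILTER):
    """First query: the user by name, each Unix group as %group, and ALL.

    The client can enumerate Unix groups before asking the server, so this
    filter consists only of equality assertions, which an equality index
    serves directly.
    """
    terms = ["(sudoUser=%s)" % ldap_escape(user)]
    terms += ["(sudoUser=%%%s)" % ldap_escape(g) for g in groups]
    terms.append("(sudoUser=ALL)")
    return "(&%s(|%s))" % (search_filter, "".join(terms))


def netgroup_filter(search_filter=SUDOERS_SEARCH_FILTER):
    """Second query: every entry that references any netgroup.

    Netgroup membership cannot be enumerated client-side, so sudo asks for
    all sudoUser values beginning with '+'. That is an initial-substring
    assertion, which needs a substring index to be served efficiently.
    """
    return "(&%s(sudoUser=+*))" % search_filter


def netgroup_filter_presence(search_filter=SUDOERS_SEARCH_FILTER):
    """The alternative from the thread: netgroup references kept in their
    own attribute, so a presence assertion replaces the substring one.
    sudoNetGroups is a hypothetical attribute name."""
    return "(&%s(sudoNetGroups=*))" % search_filter


def match_netgroup_entries(entries, user_netgroups):
    """Client-side step after the second query: keep the entries whose
    +netgroup references name a netgroup the user is a member of.
    sudo uses innetgr(3) here; membership is a plain set in this example."""
    matched = []
    for entry in entries:
        refs = {v[1:] for v in entry.get("sudoUser", []) if v.startswith("+")}
        if refs & set(user_netgroups):
            matched.append(entry["cn"])
    return matched


# Constructed sudoRole entries, not real directory data.
SAMPLE_ENTRIES = [
    {"cn": "dba", "sudoUser": ["+dbadmins"], "sudoHost": ["ALL"],
     "sudoCommand": ["/usr/bin/psql"]},
    {"cn": "web", "sudoUser": ["+webadmins", "%www"], "sudoHost": ["ALL"],
     "sudoCommand": ["/usr/sbin/apachectl"]},
    {"cn": "backup", "sudoUser": ["backup"], "sudoHost": ["ALL"],
     "sudoCommand": ["/usr/bin/rsync"]},
]


if __name__ == "__main__":
    print(user_filter("alice", ["wheel", "ops"]))
    print(netgroup_filter())
    print(netgroup_filter_presence())
    # Two entries reference netgroups at all; only "dba" names one that
    # this (constructed) user belongs to.
    print(match_netgroup_entries(SAMPLE_ENTRIES, {"dbadmins", "staff"}))
```

Run directly, it prints the three filters and the matched entry. Against a real server the two netgroup filters can be passed to ldapsearch and timed, which is the difference the thread is about; note also that the second query still returns every netgroup-bearing sudoRole to the client, so the presence form only fixes the server-side scan, not the volume transferred.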
