[sudo-users] avoid LDAP search sudoUser=+*
JR.Aquino at citrix.com
Wed Feb 5 12:36:41 MST 2014
Michael, FYI, there has been a parallel effort to address the deficiencies of NIS netgroups in the FreeIPA project:
There may be some areas of synergy that could be leveraged.
On Feb 5, 2014, at 11:17 AM, Michael Ströder <michael at stroeder.com> wrote:
> On Wed, 05 Feb 2014 11:58:09 -0700 "Todd C. Miller" <Todd.Miller at courtesan.com>
>> On Wed, 05 Feb 2014 18:55:56 +0100, "Michael Ströder" wrote:
>>> I wondered why things are slow with sudo-ldap and then found this
>>> search in the debug log:
>>> sudo: ldap search 'sudoUser=+*'
>> That is to support sudoUser records that use netgroups. For Unix
>> groups, it is possible to get a list of all the user's groups before
>> performing the query. The same is not true for netgroups so we
>> need to match any sudoUser that begins with a '+'. This is unfortunate
>> but I'm not aware of a better way, short of removing netgroup support
>> (which people do use). See "Anatomy of LDAP sudoers lookup" in the
>> sudoers.ldap manual.
> Substring searches are really bad! I'd consider the LDAP schema to be severely
> broken. Different types of data (user, group, netgroup) should better be put
> into different attributes. So if you want all netgroup-related sudoRole entries
> you could search with
> In this case one could define a presence and/or equality index leading to much
> faster search processing.
> Anyway at least the default value for SUDOERS_SEARCH_FILTER should be
> "(objectClass=sudoRole)" to drastically reduce the number of search candidates
> the LDAP server has to examine.
> Disabling netgroups support by config option would be nice too for those of us
> trying to get rid of the netgroups mess.
>>> Additionally we have a rather restricted setup where 'sudoUser'
>>> contains solely references to groups but not users. How to furthermore
>>> restrict what sudo-ldap uses to generate the LDAP filter?
>> There's not currently a way to override the LDAP query that sudo
> Optimizing further is not really a big performance improvement compared to
> the substring search issue above but would be nice of course.
> Ciao, Michael.
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
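To make the exchange above concrete, here is an added example (not sudo's code and not anything posted in this thread) that reconstructs the shape of the first-pass sudoers filter as the "Anatomy of LDAP sudoers lookup" section of sudoers.ldap describes it, and then performs the client-side netgroup check that the coarse `(sudoUser=+*)` term makes necessary: the server can only return every role carrying some `+netgroup` value, so the client must still test each one against the user's actual netgroup membership. The names `build_pass1_filter`, `ldap_escape`, `innetgr`, `matching_roles`, the sample roles and the NIS-style netgroup table are all assumptions constructed for this example; nested netgroups are not handled. RFC 4515 escaping is included because user and group names come from login data and must not be able to alter the filter structure.

```python
"""Reconstruct the pass-1 LDAP filter sudo-ldap sends and the client-side
netgroup matching that the '(sudoUser=+*)' wildcard makes necessary.
Added example, not sudo's own code; all directory data is constructed inline."""

# RFC 4515 escaping for values embedded in an LDAP filter (assumption: this is
# what any filter builder must do; it is not a claim about sudo's internals).
_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value: str) -> str:
    return "".join(_ESC.get(ch, ch) for ch in value)


def build_pass1_filter(user, gid, groups, base_filter="(objectClass=sudoRole)",
                       netgroups=True):
    """Shape taken from the sudoers.ldap manual's anatomy section (assumed):
    (&<base>(|(sudoUser=ALL)(sudoUser=user)(sudoUser=%group)...(sudoUser=%#gid)(sudoUser=+*)))
    Unix groups are enumerated client-side; netgroups cannot be, hence '+*'.
    An empty base_filter shows the unrestricted case discussed in the thread."""
    terms = ["(sudoUser=ALL)", f"(sudoUser={ldap_escape(user)})"]
    terms += [f"(sudoUser=%{ldap_escape(g)})" for g in groups]
    terms.append(f"(sudoUser=%#{int(gid)})")
    if netgroups:
        terms.append("(sudoUser=+*)")  # the substring search the thread is about
    inner = f"(|{''.join(terms)})"
    return f"(&{base_filter}{inner})" if base_filter else inner


# Constructed sample directory: (dn, sudoUser values) pairs.
SAMPLE_ROLES = [
    ("cn=admins,ou=SUDOers,dc=example,dc=com", ["%wheel"]),
    ("cn=backup,ou=SUDOers,dc=example,dc=com", ["+backupops"]),
    ("cn=dbas,ou=SUDOers,dc=example,dc=com", ["+dba", "%dba"]),
    ("cn=alice-only,ou=SUDOers,dc=example,dc=com", ["alice"]),
    ("cn=everyone,ou=SUDOers,dc=example,dc=com", ["ALL"]),
]

# Constructed NIS-style netgroup table: name -> set of (host, user, domain)
# triples; an empty field acts as a wildcard, nesting is not modelled.
SAMPLE_NETGROUPS = {
    "backupops": {("", "bob", ""), ("", "carol", "")},
    "dba": {("db1", "alice", ""), ("", "dave", "")},
}


def innetgr(netgroups, name, host, user, domain=""):
    """Simplified innetgr(3): does (host, user, domain) match a triple in name?"""
    for h, u, d in netgroups.get(name, ()):
        if h in ("", host) and u in ("", user) and d in ("", domain):
            return True
    return False


def netgroup_candidates(entries):
    """What '(sudoUser=+*)' alone would hand back: every role with any +value."""
    return [dn for dn, values in entries if any(v.startswith("+") for v in values)]


def sudo_user_matches(value, user, gid, groups, netgroups, host):
    """Client-side evaluation of one sudoUser value for the invoking user."""
    if value == "ALL":
        return True
    if value.startswith("+"):
        return innetgr(netgroups, value[1:], host, user)
    if value.startswith("%#"):
        return value[2:].isdigit() and int(value[2:]) == gid
    if value.startswith("%"):
        return value[1:] in groups
    return value == user


def matching_roles(entries, user, gid, groups, netgroups, host):
    """Roles that actually apply after the client re-checks every returned entry."""
    return [dn for dn, values in entries
            if any(sudo_user_matches(v, user, gid, groups, netgroups, host)
                   for v in values)]


if __name__ == "__main__":
    print(build_pass1_filter("alice", 1000, ["dba", "wheel"]))
    print("wildcard candidates:", netgroup_candidates(SAMPLE_ROLES))
    print("bob on web1:", matching_roles(SAMPLE_ROLES, "bob", 1001, ["users"],
                                         SAMPLE_NETGROUPS, "web1"))
```

Two things fall out of running it: the `+*` term returns `cn=backup` and `cn=dbas` for every user regardless of membership, and only the client-side `innetgr` pass narrows that to the roles that apply, which is why the server-side cost of the substring search cannot be avoided by better matching on the client. Dropping `base_filter` (the empty case) widens the candidate set to every entry under the search base, which is the point made above about defaulting `SUDOERS_SEARCH_FILTER` to `(objectClass=sudoRole)`.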