[sudo-users] avoid LDAP search sudoUser=+*

Michael Ströder michael at stroeder.com
Wed Feb 5 14:01:15 MST 2014


Michael Ströder wrote:
> On Wed, 05 Feb 2014 11:58:09 -0700 "Todd C. Miller" <Todd.Miller at courtesan.com>
> wrote
>> On Wed, 05 Feb 2014 18:55:56 +0100, "Michael Ströder" wrote:
>>
>>> I wondered why things are slow with sudo-ldap and then found this
>>> search in the debug log:
>>>
>>> sudo: ldap search 'sudoUser=+*'
>>
>> That is to support sudoUser records that use netgroups.  For Unix
>> groups, it is possible to get a list of all the user's groups before
>> performing the query.  The same is not true for netgroups so we
>> need to match any sudoUser that begins with a '+'.  This is unfortunate
>> but I'm not aware of a better way, short of removing netgroup support
>> (which people do use).  See "Anatomy of LDAP sudoers lookup" in the
>> sudoers.ldap manual.
> 
> Substring searches are really bad! I'd consider the LDAP schema to be severely
> broken. Different types of data (user, group, netgroup) should better be put
> into different attributes. So if you want all netgroup-related sudoRole entries
> you could search with
> 
> (sudoNetGroups=*)
> 
> In this case one could define a presence and/or equality index leading to much
> faster search processing.
> 
> Anyway at least the default value for SUDOERS_SEARCH_FILTER should be
> "(objectClass=sudoRole)" to drastically reduce the number of search candidates
> the LDAP server has to examine.

Thinking about this a bit more:
Searching with (&(sudoUser=*)(sudoUser=+*)) is much faster if there's a
presence index configured for 'sudoUser'.

Ciao, Michael.
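As an added illustration, not code from the thread or from sudo itself, here is a small Python builder for the sudoers.ldap-style lookup filter with the two changes discussed above: the "(objectClass=sudoRole)" restriction and the presence-anchored netgroup clause. It assumes group names are already resolved, that netgroup membership is matched on the client after the broad query, and escapes values per RFC 4515 so a username cannot alter the filter.

```python
# Added example (not sudo's own code): compose the LDAP filter that a
# sudoers.ldap lookup sends, using the optimisations proposed in the thread.
# Assumptions: groups are pre-resolved; netgroups are checked client-side.

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a crafted user or group name must not inject
    filter syntax such as ')(' or a wildcard '*'."""
    out = []
    for ch in value:
        if ch in '\\*()' or ord(ch) == 0:
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def build_sudo_filter(user, groups, search_filter="(objectClass=sudoRole)",
                      netgroups=True):
    """Return the filter for one user: user, %groups, ALL and the
    netgroup clause, AND-ed with the configured SUDOERS_SEARCH_FILTER."""
    clauses = ["(sudoUser=%s)" % escape_filter_value(user)]
    for g in groups:
        clauses.append("(sudoUser=%%%s)" % escape_filter_value(g))
    clauses.append("(sudoUser=ALL)")
    if netgroups:
        # Presence-anchored form from the thread: the server can use a
        # presence index on sudoUser before the substring match on '+*'.
        clauses.append("(&(sudoUser=*)(sudoUser=+*))")
    user_part = "(|%s)" % "".join(clauses)
    if search_filter:
        # Restricting to sudoRole entries cuts the candidate set up front.
        return "(&%s%s)" % (search_filter, user_part)
    return user_part


def netgroup_clause_matches(sudo_user_values, user_netgroups):
    """Client-side check that follows the broad '+*' query: keep an entry
    only if one of its '+netgroup' values names a netgroup the user is in
    (membership assumed already resolved, e.g. via innetgr)."""
    wanted = set(user_netgroups)
    return any(v[1:] in wanted for v in sudo_user_values if v.startswith("+"))


if __name__ == "__main__":
    # Constructed sample input.
    print(build_sudo_filter("alice", ["wheel", "ops"]))
    print(netgroup_clause_matches(["+admins", "%wheel"], ["admins"]))
```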
