[sudo-users] avoid LDAP search sudoUser=+*

Todd C. Miller Todd.Miller at courtesan.com
Thu Feb 6 14:27:20 MST 2014

On Wed, 05 Feb 2014 22:01:15 +0100, =?ISO-8859-1?Q?Michael_Str=F6der?= wrote:

> Thinking about this a bit more:
> Searching with (&(sudoUser=*)(sudoUser=+*)) is much faster if there's
> a presence index configured for 'sudoUser'.

The sudoUser=+* query is only performed if there is no match returned
for the user and groups query.  As such it should only be slow for
people using netgroups or in cases where the command is not allowed.
Performing the sudoUser=+* query all the time would penalize all

 - todd

More information about the sudo-users mailing list