[sudo-users] avoid LDAP search sudoUser=+*
Todd C. Miller
Todd.Miller at courtesan.com
Thu Feb 6 14:27:20 MST 2014
On Wed, 05 Feb 2014 22:01:15 +0100, Michael Ströder wrote:
> Thinking about this a bit more:
> Searching with (&(sudoUser=*)(sudoUser=+*)) is much faster if there's
> a presence index configured for 'sudoUser'.
The sudoUser=+* query is only performed if there is no match returned
for the user and groups query. As such it should only be slow for
people using netgroups or in cases where the command is not allowed.
Performing the sudoUser=+* query all the time would penalize all
users.
- todd