[sudo-users] avoid LDAP search sudoUser=+*

Michael Ströder michael at stroeder.com
Thu Feb 6 14:39:03 MST 2014


Todd C. Miller wrote:
> On Wed, 05 Feb 2014 22:01:15 +0100, Michael Ströder wrote:
> 
>> Thinking about this a bit more:
>> Searching with (&(sudoUser=*)(sudoUser=+*)) is much faster if there's
>> a presence index configured for 'sudoUser'.
> 
> The sudoUser=+* query is only performed if there is no match returned
> for the user and groups query.

Not true. Otherwise I would not have raised this issue here.
On some systems with older sudo versions the sudoUser=+* is even sent *before*
the normal user/group query.

>  As such it should only be slow for
> people using netgroups or in cases where the command is not allowed.

Not true. And also please re-read what I said about indexes on LDAP servers.

If you perform the netgroup query you have to use

(&(objectClass=sudoRole)(sudoUser=*)(sudoUser=+*))

to get reasonable performance (provided there's a presence index for 'sudoUser').
Otherwise sudo-ldap is a DoS tool because the LDAP server has to check each
entry and LDAP admins have to protect their servers by setting time limits.

Personally I stripped the SUBSTR matching rule from the attribute type description
for 'sudoUser' since we're not using netgroups. This is a rather ugly
work-around but helped without having to upgrade all clients. ;-}

Ciao, Michael.
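As an added illustration (not code from sudo, OpenLDAP or anyone in this thread), a small Python model of why the (sudoUser=*) conjunct matters: the entry set and the index model are constructed, and the query planning is a deliberate simplification of how a real LDAP server uses its indexes.

```python
"""Simplified model of how an LDAP server evaluates the sudo-ldap netgroup
query, with and without the presence guard discussed in the thread."""

# Constructed data: three sudoRole entries among 1000 unrelated person entries.
ENTRIES = [
    {"objectClass": {"sudoRole"}, "sudoUser": {"alice", "%wheel"}},
    {"objectClass": {"sudoRole"}, "sudoUser": {"+netops"}},
    {"objectClass": {"sudoRole"}, "sudoUser": {"ALL"}},
] + [{"objectClass": {"inetOrgPerson"}, "uid": {f"user{i}"}} for i in range(1000)]

# The two filters from the thread, written as lists of AND-ed assertions.
NETGROUP_QUERY = [("eq", "objectClass", "sudoRole"),
                  ("initial", "sudoUser", "+")]
GUARDED_NETGROUP_QUERY = [("eq", "objectClass", "sudoRole"),
                          ("pres", "sudoUser", None),
                          ("initial", "sudoUser", "+")]


def matches(entry, kind, attr, value):
    """Evaluate one assertion against one entry (no matching-rule subtleties)."""
    values = entry.get(attr, set())
    if kind == "pres":
        return bool(values)
    if kind == "eq":
        return value in values
    if kind == "initial":  # substring assertion with only an initial component
        return any(v.startswith(value) for v in values)
    raise ValueError(kind)


def search(entries, conjuncts, indexes):
    """Return (hits, scanned): hits are the matching entries, scanned is how many
    entries had to be tested one by one because some assertion had no index.

    Model (an assumption, not any server's real planner): every assertion backed
    by an index of the right type (eq, pres, sub) narrows the candidate set first;
    the remaining assertions are evaluated per candidate. Without a 'sub' index,
    sudoUser=+* on its own forces that per-entry test over every candidate."""
    index_type = {"eq": "eq", "pres": "pres", "initial": "sub"}
    indexed = [c for c in conjuncts if index_type[c[0]] in indexes.get(c[1], set())]
    unindexed = [c for c in conjuncts if c not in indexed]
    candidates = [e for e in entries if all(matches(e, *c) for c in indexed)]
    scanned = len(candidates) if unindexed else 0
    hits = [e for e in candidates if all(matches(e, *c) for c in unindexed)]
    return hits, scanned
```

With only a presence index on sudoUser, the guarded query tests three entries while the unguarded one tests all 1003, which is the cost the thread describes.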
