[sudo-users] avoid LDAP search sudoUser=+*
Todd C. Miller
Todd.Miller at courtesan.com
Thu Feb 6 15:45:40 MST 2014
On Thu, 06 Feb 2014 22:39:03 +0100, Michael Ströder wrote:
> Not true. Otherwise I would not have raised this issue here.
> On some systems with older sudo versions the sudoUser=+* is even sent
> *before* the normal user/group query.
I don't recall that ever being the case (though my memory is far
from perfect), and I see nothing in the ChangeLog related to a bug
like that. It might be something introduced by one of RedHat's
patches. They tend to create large patch sets instead of just
updating packages.
> If you perform the netgroup query you have to use
>
> (&(objectClass=sudoRole)(sudoUser=*)(sudoUser=+*))
>
> to get reasonable performance (provided there's present index for
> 'sudoUser'). Otherwise sudo-ldap is a DoS tool because the LDAP
> server has to check each entry and LDAP admins have to protect their
> servers by setting time limits.
Now I understand. I thought you were proposing using a single query
to fetch all sudoRole records instead. I will make that change for
the next sudo release.
- todd
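As an added example (not code from this thread, from sudo, or from OpenLDAP), here is a short Python script an LDAP admin could run over slapd-style access-log lines to find sudoRole searches that use a sudoUser substring filter without the presence guard described above. The log line format, the sample lines and the function names are assumptions constructed for the example.

```python
import re

# Constructed slapd-style access-log lines (not real traffic).
SAMPLE_LOG = """\
conn=1001 op=2 SRCH base="ou=SUDOers,dc=example,dc=com" scope=2 filter="(&(objectClass=sudoRole)(sudoUser=+*))"
conn=1002 op=3 SRCH base="ou=SUDOers,dc=example,dc=com" scope=2 filter="(&(objectClass=sudoRole)(sudoUser=*)(sudoUser=+*))"
conn=1003 op=1 SRCH base="ou=SUDOers,dc=example,dc=com" scope=2 filter="(|(sudoUser=alice)(sudoUser=%wheel)(sudoUser=ALL))"
"""

def parse_filter(s, i=0):
    """Parse an RFC 4515 filter into ('&'|'|'|'!', [children]) or ('=', attr, value).
    Assumes a well-formed filter where ')' inside values is escaped as \\29."""
    assert s[i] == '(', f"expected '(' at offset {i}"
    i += 1
    if s[i] in '&|!':
        op, kids = s[i], []
        i += 1
        while s[i] == '(':
            kid, i = parse_filter(s, i)
            kids.append(kid)
        assert s[i] == ')', f"expected ')' at offset {i}"
        return (op, kids), i + 1
    end = s.index(')', i)
    attr, value = s[i:end].split('=', 1)   # equality-style assertion only
    return ('=', attr, value), end + 1

def unguarded_substring(node, attr):
    """True if the filter contains a substring assertion on `attr` (a value with '*',
    such as +*) that is not ANDed with a presence assertion (attr=*) on the same
    attribute, i.e. the server cannot narrow with the presence index first."""
    if node[0] == '=':
        _, a, v = node
        return a.lower() == attr.lower() and v != '*' and '*' in v
    op, kids = node
    if op == '&' and any(k[0] == '=' and k[1].lower() == attr.lower() and k[2] == '*'
                         for k in kids):
        return False   # presence guard present in this AND
    return any(unguarded_substring(k, attr) for k in kids)

FILTER_RE = re.compile(r'\bconn=(\d+) .*?filter="([^"]*)"')

def flag_expensive_searches(log_text, attr="sudoUser"):
    """Return the conn ids whose search filter hits `attr` with an unguarded substring match."""
    flagged = []
    for line in log_text.splitlines():
        m = FILTER_RE.search(line)
        if m and unguarded_substring(parse_filter(m.group(2))[0], attr):
            flagged.append(m.group(1))
    return flagged

if __name__ == "__main__":
    print(flag_expensive_searches(SAMPLE_LOG))   # ['1001']
```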