[sudo-users] can I prevent sudo on Solaris from performing ldap searches for local users?

Josh Daynard josh.daynard at icloud.com
Tue Feb 2 17:02:12 MST 2016


I apologize in advance for the lack of deep knowledge on this topic … I have been digging around for a while and can’t seem to answer this seemingly simple question:

How can I make sudo NOT perform any ldap searches when sudo’ing between two local users?

The background - we have *lots* of Solaris hosts that we’re converting from OpenLDAP to IPA for authentication.  When we flipped the switch to convert, IPA was flooded with ldap searches with a filter of:

'(&(objectclass= SolarisUserAttr)(uid=my_local_user))'

requesting the attrs: uid, SolarisUserQualifier, SolarisAttrReserved1, SolarisAttrReserved2, SolarisAttrKeyValue

We determined that this was happening as a result of sudo.  We use nagios for monitoring and many times per second on thousands of hosts nagios performs a sudo from one local user to another to execute a check.  The resulting barrage of ldap searches completely brought down IPA sadly.

But the nagios user is a local user and the user it is sudo’ing to is a local user and it is allowed in /etc/sudoers with NOPASSWD … and neither of those users is in LDAP … so why does sudo insist on making that ldap search and can we stop it?

From /etc/sudoers:

# Nagios can run anything under /usr/local/nagios/libexec as nsmail
MONITORS ALL = (nsmail)      NOPASSWD:  /usr/local/nagios/libexec/, \
                                        /usr/local/monitor/libexec/

cat /etc/nsswitch.conf
#
# Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# ident "@(#)nsswitch.files     1.14    06/05/03 SMI"

passwd:     files ldap
group:      files ldap
hosts:      files dns
ipnodes:    files dns
networks:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
bootparams: files
publickey:  files
# At present there isn't a 'files' backend for netgroup;  the system will 
#   figure it out pretty quickly, and won't use netgroups at all.
netgroup:   files
automount:  files
aliases:    files
services:   files
printers:   user files

auth_attr:  files
prof_attr:  files
project:    files

tnrhtp:     files
tnrhdb:     files

We also have basically the same configuration in Linux (RHEL 6) and sudo there does not perform any ldapsearches when sudo’ing between two local users … 

Thanks!
Josh
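As an added example (not part of the post, sudo or IPA) of how a directory operator could quantify the lookup storm described above, the script below scans access-log lines for the SolarisUserAttr filter and ranks client hosts by how many such searches they issued. The log format is a simplified, constructed approximation of a 389 Directory Server access log, and every log line and address in it is constructed sample data.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in a simplified 389-ds access-log shape:
# 'conn=N ... connection from IP' binds a connection to a client,
# 'conn=N op=M SRCH ... filter="..."' records one search on it.
SAMPLE_LOG = """\
[02/Feb/2016:17:02:12 -0700] conn=1001 fd=64 slot=64 connection from 10.1.1.11 to 10.1.1.5
[02/Feb/2016:17:02:12 -0700] conn=1002 fd=65 slot=65 connection from 10.1.1.12 to 10.1.1.5
[02/Feb/2016:17:02:12 -0700] conn=1001 op=0 SRCH base="cn=accounts,dc=example,dc=com" scope=2 filter="(&(objectClass=SolarisUserAttr)(uid=nagios))" attrs="uid SolarisUserQualifier SolarisAttrReserved1 SolarisAttrReserved2 SolarisAttrKeyValue"
[02/Feb/2016:17:02:12 -0700] conn=1001 op=1 SRCH base="cn=accounts,dc=example,dc=com" scope=2 filter="(&(objectClass=SolarisUserAttr)(uid=nsmail))" attrs="uid SolarisUserQualifier SolarisAttrReserved1 SolarisAttrReserved2 SolarisAttrKeyValue"
[02/Feb/2016:17:02:13 -0700] conn=1002 op=0 SRCH base="cn=accounts,dc=example,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=alice))" attrs="uid uidNumber"
[02/Feb/2016:17:02:13 -0700] conn=1001 op=2 SRCH base="cn=accounts,dc=example,dc=com" scope=2 filter="(&(objectClass=SolarisUserAttr)(uid=nagios))" attrs="uid SolarisUserQualifier SolarisAttrReserved1 SolarisAttrReserved2 SolarisAttrKeyValue"
"""

CONN_RE = re.compile(r"conn=(\d+) .*connection from (\S+) to ")
SRCH_RE = re.compile(r'conn=(\d+) op=\d+ SRCH .*filter="([^"]*)"')
# The filter the post reports; objectclass is matched case-insensitively.
USERATTR_RE = re.compile(r"\(objectclass=SolarisUserAttr\)", re.IGNORECASE)


def solaris_userattr_searches(log_text):
    """Return {client_ip: {uid: count}} for SolarisUserAttr searches only."""
    conn_to_ip = {}
    per_client = defaultdict(Counter)
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            conn_to_ip[m.group(1)] = m.group(2)
            continue
        m = SRCH_RE.search(line)
        if not m:
            continue
        conn, filt = m.groups()
        if not USERATTR_RE.search(filt):
            continue  # ordinary posixAccount lookups are not the storm
        uid_m = re.search(r"\(uid=([^)]*)\)", filt)
        uid = uid_m.group(1) if uid_m else "?"
        per_client[conn_to_ip.get(conn, "unknown")][uid] += 1
    return {ip: dict(c) for ip, c in per_client.items()}


def noisiest_clients(log_text, top=5):
    """Rank clients by total SolarisUserAttr searches, loudest first."""
    totals = {ip: sum(c.values())
              for ip, c in solaris_userattr_searches(log_text).items()}
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:top]


if __name__ == "__main__":
    for ip, n in noisiest_clients(SAMPLE_LOG):
        print(f"{ip}: {n} SolarisUserAttr searches")
```

Run against a real access log, the per-uid breakdown shows which local accounts (here nagios and nsmail) are being looked up in the directory even though they exist only in /etc/passwd.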
