[sudo-users] can I prevent sudo on Solaris from performing ldap searches for local users?
josh.daynard at icloud.com
Tue Feb 2 17:02:12 MST 2016
I apologize in advance for the lack of deep knowledge on this topic … I have been digging around for a while and can’t seem to answer this seemingly simple question:
How can I make sudo NOT perform any ldap searches when sudo’ing between two local users?
The background - we have *lots* of Solaris hosts that we’re converting from OpenLDAP to IPA for authentication. When we flipped the switch to convert, IPA was flooded with ldap searches with a filter of:
requesting the attrs: uid, SolarisUserQualifier, SolarisAttrReserved1, SolarisAttrReserved2, SolarisAttrKeyValue
We determined that this was happening as a result of sudo. We use nagios for monitoring and many times per second on thousands of hosts nagios performs a sudo from one local user to another to execute a check. The resulting barrage of ldap searches completely brought down IPA sadly.
But the nagios user is a local user and the user it is sudo’ing to is a local user and it is allowed in /etc/sudoers with NOPASSWD … and neither of those users are in LDAP … so why does sudo insist on making that ldap search and can we stop it?
# Nagios can run anything under /usr/local/nagios/libexec as nsmail
MONITORS ALL = (nsmail) NOPASSWD: /usr/local/nagios/libexec/, \
# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
# ident "@(#)nsswitch.files 1.14 06/05/03 SMI"
passwd: files ldap
group: files ldap
hosts: files dns
ipnodes: files dns
# At present there isn't a 'files' backend for netgroup; the system will
# figure it out pretty quickly, and won't use netgroups at all.
printers: user files
We also have basically the same configuration on Linux (RHEL 6), and sudo there does not perform any ldap searches when sudo’ing between two local users …
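As an added illustration (not code from the original post or from the sudo project), the following simulates how an nsswitch.conf line such as "passwd: files ldap" drives two different kinds of lookup. A keyed lookup (getpwnam) walks the sources in order and stops at the first hit, so a local user never reaches ldap. A membership enumeration (initgroups, which sudo-like tools perform to know the invoking user's groups) has to consult every configured group source, because a local user can still be a member of a directory group. The passwd, group and LDAP contents below are constructed for the example; the Solaris-specific user_attr attributes in the post are not modelled, so this does not claim to identify which sudo lookup produced them.

```python
"""Simulated NSS lookups driven by an nsswitch.conf fragment (added example)."""

# Constructed nsswitch.conf body, mirroring the relevant lines from the post.
NSSWITCH_SNIPPET = """\
passwd: files ldap
group: files ldap
hosts: files dns
"""

# Constructed local files: the two local users from the post, no LDAP entry.
FILES_PASSWD = {"nagios": 500, "nsmail": 501}
FILES_GROUP = {"nagios": ("nagios",), "nsmail": ("nsmail",)}
# Constructed directory content: an unrelated directory user and group.
LDAP_PASSWD = {"alice": 10001}
LDAP_GROUP = {"admins": ("alice",)}

SOURCES = {
    "passwd": {"files": FILES_PASSWD, "ldap": LDAP_PASSWD},
    "group": {"files": FILES_GROUP, "ldap": LDAP_GROUP},
}


def parse_nsswitch(text):
    """Return {database: [source, ...]} from an nsswitch.conf body."""
    order = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        db, _, srcs = line.partition(":")
        order[db.strip()] = srcs.split()
    return order


def getpwnam(name, order, queried):
    """Keyed lookup: sources are tried in order, first hit wins."""
    for src in order["passwd"]:
        queried.append(("passwd", src))
        uid = SOURCES["passwd"][src].get(name)
        if uid is not None:
            return uid
    return None


def initgroups(name, order, queried):
    """Membership aggregation: every group source is consulted, since a
    local user may be a member of a directory group (and vice versa)."""
    groups = []
    for src in order["group"]:
        queried.append(("group", src))
        for gname, members in SOURCES["group"][src].items():
            if name in members:
                groups.append(gname)
    return groups


def lookups_for(name):
    """Resolve a user the way a privilege tool would, recording which
    (database, source) pairs were touched along the way."""
    order = parse_nsswitch(NSSWITCH_SNIPPET)
    queried = []
    uid = getpwnam(name, order, queried)
    groups = initgroups(name, order, queried)
    return uid, groups, queried


if __name__ == "__main__":
    for user in ("nagios", "alice"):
        uid, groups, queried = lookups_for(user)
        print(user, uid, groups, queried)
```

Running it for the local "nagios" user shows the passwd lookup stopping at files while the group enumeration still touches ldap; that is the kind of source-spanning lookup to check for with a system-call tracer (truss on Solaris, strace on Linux) when deciding whether a local-to-local sudo can be kept entirely off the directory.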