[sudo-users] LDAP defaults for commands

Todd C. Miller Todd.Miller at sudo.ws
Wed Dec 6 20:48:07 MST 2017

On Thu, 07 Dec 2017 00:34:01 +0100, Daniele Palumbo wrote:

> I have filed then
> https://bugzilla.sudo.ws/show_bug.cgi?id=810
> for the lack of this functionality.

I don't really consider this a bug.  There is not a one to one
mapping of file sudoers to LDAP sudoers (in either direction) and
there probably never will be.  They just work very differently.

The LDAP backend works by making a query that contains the user
name and ID as well as the group names and IDs.  There is also an
additional query for the global options (cn: defaults).

In contrast, the sudoers file is parsed from beginning to end with
the last matching rule taking precedence.  That means there is
access to the entire contents of sudoers, which is not the case for

It may be possible to do an additional query matching on sudoRole
objects that contain a specific sudoCommand.  Maybe a sudoRole with
no sudoUser but containing one or more sudoCommands and sudoOptions
could be treated as an option-only object.  I will have to give it
some thought.  I'm leery of adding additional LDAP queries so this
would be functionality that needs to be explicitly enabled, either
in an ldap.conf entry or in the cn:default sudoRole.

 - todd
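The lookup Todd describes, as an added illustration that is not part of the mailing list post or of the sudo source: a per-user query whose filter is built from the user name, uid, group names and gids, plus a separate query for the cn=defaults entry. The filter shape follows the form documented in sudoers.ldap(5); the in-memory entries, the evaluator, and the option-only "rsync-opts" role (the idea floated in the message) are constructed here for illustration and show why such a role is never returned by the per-user query.

```python
# Added example, not the sudo project's code: models the LDAP backend's
# per-user sudoRole query and the separate cn=defaults query against
# constructed in-memory entries.

# Constructed sample directory: a defaults entry, two ordinary roles and
# one hypothetical option-only role that carries no sudoUser attribute.
SAMPLE_ENTRIES = [
    {"cn": "defaults", "objectClass": ["sudoRole"],
     "sudoOption": ["env_reset", "timestamp_timeout=5"]},
    {"cn": "admins", "objectClass": ["sudoRole"], "sudoUser": ["%wheel"],
     "sudoHost": ["ALL"], "sudoCommand": ["ALL"], "sudoOption": ["!authenticate"]},
    {"cn": "backup", "objectClass": ["sudoRole"], "sudoUser": ["#1001"],
     "sudoHost": ["ALL"], "sudoCommand": ["/usr/bin/rsync"], "sudoOption": ["noexec"]},
    # Hypothetical option-only role (assumption from the thread): no sudoUser.
    {"cn": "rsync-opts", "objectClass": ["sudoRole"],
     "sudoCommand": ["/usr/bin/rsync"], "sudoOption": ["log_output"]},
]


def build_user_filter(user, uid, groups):
    """Build the sudoUser filter for one user: name, #uid, %group, %#gid, ALL.

    groups is a list of (group_name, gid) tuples.
    """
    terms = [f"(sudoUser={user})", f"(sudoUser=#{uid})"]
    for gname, gid in groups:
        terms.append(f"(sudoUser=%{gname})")
        terms.append(f"(sudoUser=%#{gid})")
    terms.append("(sudoUser=ALL)")
    return "(&(objectClass=sudoRole)(|" + "".join(terms) + "))"


def matching_roles(entries, user, uid, groups):
    """Entries the per-user query would return.

    Only sudoUser values are compared, which is exactly why an entry with
    no sudoUser attribute (an option-only role) is never handed back.
    """
    wanted = {user, f"#{uid}", "ALL"}
    for gname, gid in groups:
        wanted.add(f"%{gname}")
        wanted.add(f"%#{gid}")
    return [e for e in entries
            if "sudoRole" in e.get("objectClass", [])
            and wanted & set(e.get("sudoUser", []))]


def global_defaults(entries):
    """The separate (cn=defaults) query for global sudoOption values."""
    return [o for e in entries if e.get("cn") == "defaults"
            for o in e.get("sudoOption", [])]


def options_for(entries, user, uid, groups, command):
    """Options in effect for a command: global defaults followed by the
    sudoOption values of every returned role whose sudoCommand covers it."""
    opts = global_defaults(entries)
    for role in matching_roles(entries, user, uid, groups):
        cmds = role.get("sudoCommand", [])
        if "ALL" in cmds or command in cmds:
            opts.extend(role.get("sudoOption", []))
    return opts


if __name__ == "__main__":
    groups = [("wheel", 10), ("backup", 1001)]
    print(build_user_filter("alice", 1001, groups))
    print([r["cn"] for r in matching_roles(SAMPLE_ENTRIES, "alice", 1001, groups)])
    print(options_for(SAMPLE_ENTRIES, "alice", 1001, groups, "/usr/bin/rsync"))
```

Running it for the constructed user alice (uid 1001, groups wheel and backup) returns the admins and backup roles and their options on top of the defaults, while the log_output option from the option-only rsync-opts role never appears: the query simply has no sudoUser term to match it, which is the gap the message explains.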
