new user question

mackay at mackay at
Thu Mar 8 13:14:52 EST 2001

From: Scott D. MacKay

Well, failing a SUDO ability to incorporate LDAP group information,
something you *could* probably do is generate the local group file based on
the LDAP database.  Maybe have a core set of groups (probably like the
initial subset of  groups) and have a nightly LDAP script suck down current
group information.  Just a thought....


"Arnold, Jason" <Jason.Arnold at> on 03/07/2001 10:39:21 AM

To:   "'sudo-workers at'" <sudo-workers at>
cc:    (bcc: Scott D. MacKay/943904/EKC)
Subject:  new user question

Hi, I'm new to this list, but am curious to see if anyone is either
or interested in, or would at least have some tips on working on some
functionality that we need.

We're in the initial phases of trying to implement LDAP based centralized
administration of several hundred Solaris and HP-UX servers.  As such,
shooting for two goals:
1)  Role based account access.  I.e., configure all servers to allow access
to users that are in sysadmin and info security roles, some servers to
users in DBA roles, some servers to users in legal, or developers, or HR,
whatnot.  We don't want to use groups as we don't do a good job of
maintaining group information (most of our users are just "staff" or
similar), but we can pull business level hierarchical data from HR type
2) Leverage the same directory service to grant elevated privileges via
(i.e., SAs can do almost everything, DBAs can do stuff as oracle or sybase,
etc).  Basically, we need a sudo that is capable of looking up group
membership in an LDAP database instead of using system groups.

Is anyone working on this?  If not, is there any other interest in this?
What's the acceptable way to add new functionality?

--Jason Arnold, Systems Technical Specialist
Technical Services - Unix Arch.

WARNING:  All e-mail sent to and from this address will be received or
otherwise recorded by the A.G. Edwards corporate e-mail system and is
subject to archival, monitoring or review by, and/or disclosure to,
someone other than the recipient.
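One way to do what Scott suggests above (a nightly job that regenerates the local group file from the directory), as an added example that is not from this thread. It assumes RFC 2307 posixGroup entries; the core group lines and the LDIF are constructed sample data standing in for the real /etc/group and the output of ldapsearch.

```python
import re

# Constructed sample data: the hand-maintained core /etc/group entries and
# RFC 2307 posixGroup entries as `ldapsearch -LLL` would print them.
CORE_GROUPS = "root:x:0:\nstaff:x:10:\n"
SAMPLE_LDIF = """dn: cn=sysadmin,ou=Roles,dc=example,dc=com
cn: sysadmin
gidNumber: 5001
memberUid: jarnold
memberUid: smackay

dn: cn=dba,ou=Roles,dc=example,dc=com
cn: dba
gidNumber: 5002
memberUid: oracle

dn: cn=staff,ou=Roles,dc=example,dc=com
cn: staff
gidNumber: 10
memberUid: everyone
"""

def parse_ldif_groups(ldif):
    """Return {cn: (gid, [memberUid, ...])} from posixGroup LDIF entries."""
    groups = {}
    for entry in re.split(r"\n\s*\n", ldif.strip()):
        attrs = {}
        for line in entry.splitlines():
            key, _, val = line.partition(": ")
            attrs.setdefault(key, []).append(val.strip())
        if "cn" in attrs and "gidNumber" in attrs:
            groups[attrs["cn"][0]] = (int(attrs["gidNumber"][0]),
                                     attrs.get("memberUid", []))
    return groups

def merge_groups(core_text, ldif):
    """Core groups first and unchanged, then LDAP groups; an LDAP group whose
    name or gid collides with an existing one is skipped and reported."""
    lines = [l for l in core_text.splitlines() if l]
    names = {l.split(":")[0] for l in lines}
    gids = {int(l.split(":")[2]) for l in lines}
    skipped = []
    for cn, (gid, members) in sorted(parse_ldif_groups(ldif).items()):
        if cn in names or gid in gids:
            skipped.append(cn)  # directory data cannot take over a local group
            continue
        lines.append(f"{cn}:x:{gid}:{','.join(members)}")
        names.add(cn)
        gids.add(gid)
    return "\n".join(lines) + "\n", skipped
```

In the nightly job, write the returned text to a temporary file and rename it over the group file only when the skipped list is empty or has been reviewed, so a bad directory entry never produces a half-written file.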
