[sudo-workers] LDAP: sudo searches only 1 level deep

Huibert.Kivits at mail.ing.nl Huibert.Kivits at mail.ing.nl
Wed Feb 15 07:22:15 EST 2006


Hi everyone,

We have deployed sudo in combination with LDAP, on several hundreds of machines. It's a wonderful combination.

However, we have one wish left. We have quite a lot of entries under ou=SUDOers. And due to security requirements, sudo authorizations often have to be created and deleted on an ad hoc basis (we're a financial institution, so paranoid by nature). This implies a constant creation and deletion of entries under ou=SUDOers.

It would be really nice if it were possible to create subcontainers under ou=SUDOers, in order to group all our SUDO entries. But we have noticed that the SUDO client will search only one level deep. Creating SUDO entries in, say, ou=System Management,ou=SUDOers simply doesn't work. All entries have to be created straight under ou=SUDOers.

Is there a way to circumvent this issue during compilation? Or would such a feature (subcontainers) require a change in the source? We would be grateful if such a change would be implemented. 

Met vriendelijke groeten / With kind regards / Mit freundlichen Grüßen / Med vänliga hälsningar / nuosirdziausi linkejimai,


Huibert Kivits
OPS&ITB/WPS/UAS/MSO UNIX
Location code NA 00.92
T (020) 563 73 33, F (020) 563 70 02
E Huibert.Kivits at mail.ing.nl

"...all too often, when organizations develop information security programs, they treat security issues as a simple 'check-box' on the list of required corporate functions."
Richard Forno & Kenneth R van Wyk, "Incident Response", O'Reilly, 2001, ISBN: 0-596-00130-4

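Added example, not part of the original post or of sudo itself: the behaviour described above corresponds to an LDAP one-level search from the SUDOERS base, which returns only direct children of ou=SUDOers, so a sudoRole under ou=System Management,ou=SUDOers is never applied. The script below parses a constructed LDIF export (all DNs and roles are made-up sample data) and reports which sudoRole entries a one-level search would return and which ones sit deeper and are silently skipped, which is a useful audit before restructuring the tree.

```python
import re

# Constructed LDIF export of a SUDOers subtree (sample data, not a real directory).
SAMPLE_LDIF = """\
dn: cn=dba_restart,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
sudoUser: %dba
sudoCommand: /etc/init.d/oracle restart

dn: ou=System Management,ou=SUDOers,dc=example,dc=com
objectClass: organizationalUnit

dn: cn=ops_reboot,ou=System Management,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
sudoUser: %ops
sudoCommand: /sbin/reboot
"""

def parse_ldif(text):
    """Yield (dn, {attr: [values]}) from simple, unfolded LDIF without base64 values."""
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            if key == "dn":
                dn = value
            else:
                attrs.setdefault(key, []).append(value)
        yield dn, attrs

def depth_below(dn, base):
    """Levels of dn below base (0 = base itself, 1 = one-level hit) or None if outside.
    RDNs are compared case-insensitively; the constructed DNs contain no escaped commas."""
    d, b = ([c.strip().lower() for c in x.split(",")] for x in (dn, base))
    return len(d) - len(b) if len(d) >= len(b) and d[-len(b):] == b else None

def audit_sudo_roles(ldif_text, base):
    """Return sudoRole DNs that a one-level search from base returns ('visible')
    and those deeper in the tree that such a search never sees ('hidden')."""
    report = {"visible": [], "hidden": []}
    for dn, attrs in parse_ldif(ldif_text):
        if "sudoRole" not in attrs.get("objectClass", []):
            continue
        depth = depth_below(dn, base)
        if depth == 1:
            report["visible"].append(dn)
        elif depth is not None and depth > 1:
            report["hidden"].append(dn)
    return report
```

Run against a real export (e.g. the output of an ldapsearch with subtree scope) to list every role that the one-level client search would ignore.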
