[sudo-workers] caching sudo ldap queries

Robert Beard Robert.Beard at colesmyer.com.au
Fri Jun 23 02:30:03 EDT 2006


Hi,

Is it possible to have sudo ldap queries cached locally for a period of
time similar to the password timeout feature?

I'm looking at moving our BIG /etc/sudoers file into ldap but sudo is
invoked around 240000 times a day (mostly via cron batch jobs) across a
large server fleet which would result in at least 478000 LDAP queries 
(~5.5 queries per sec). Caching would definitely help to reduce the potential
load on the ldap servers for these repetitive tasks.

Also saw that ldap.c has been updated in CVS to perform ldap SUBTREE
searches. I noticed that the ldap query for the cn=defaults object is
now also a SUBTREE search. This could result in multiple defaults entries
being found below the SUDOers root. Shouldn't sudo just look in the
SUDOers root for the one defaults entry and not through the whole sub
tree?


Thanx
Rob.

Linux Systems Engineer
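
The scope concern raised in the message above, as an added example that is not part of the original post and not sudo's own code: it checks a list of DNs for cn=defaults entries that a one-level search under the SUDOers root would miss but a SUBTREE search would return. The base DN, the sample DNs and the function names are constructed for illustration, and the DN parsing assumes simple DNs without escaped commas.

```python
# Constructed sample data: DNs as they might appear in an LDIF export.
SUDOERS_BASE = "ou=SUDOers,dc=example,dc=com"
SAMPLE_DNS = [
    "cn=defaults,ou=SUDOers,dc=example,dc=com",         # the intended entry
    "cn=batch,ou=SUDOers,dc=example,dc=com",
    "ou=web,ou=SUDOers,dc=example,dc=com",
    "cn=defaults,ou=web,ou=SUDOers,dc=example,dc=com",  # nested defaults
    "cn=defaults,ou=People,dc=example,dc=com",          # outside the base
]


def parse_dn(dn):
    """Split a DN into lower-cased RDNs (simple DNs only, no escaped commas)."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn lies inside the LDAP search scope rooted at base_dn."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    depth = len(entry) - len(base)
    if depth < 0 or entry[depth:] != base:
        return False                  # not under the base at all
    if scope == "one":
        return depth == 1             # immediate children only
    if scope == "sub":
        return True                   # base and every descendant
    raise ValueError("scope must be 'one' or 'sub'")


def find_defaults(dns, base_dn, scope):
    """DNs whose leading RDN is cn=defaults within the given scope."""
    return [dn for dn in dns
            if in_scope(dn, base_dn, scope) and parse_dn(dn)[0] == "cn=defaults"]


def audit_defaults(dns, base_dn):
    """Compare both scopes; 'extra' holds entries only SUBTREE returns."""
    one = find_defaults(dns, base_dn, "one")
    sub = find_defaults(dns, base_dn, "sub")
    return {"one": one, "sub": sub,
            "extra": [dn for dn in sub if dn not in one]}


if __name__ == "__main__":
    for key, found in audit_defaults(SAMPLE_DNS, SUDOERS_BASE).items():
        print(key, found)
```

A non-empty "extra" list means the directory holds more than one defaults entry below the SUDOers root, which is the situation the message asks about.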




