[sudo-workers] caching sudo ldap queries

Tom Judge tom at tomjudge.com
Fri Jun 23 12:58:41 EDT 2006

Hi Rob,

The patch to ldap.c was submitted by me.  I have no idea how sudo would 
handle finding more than one defaults object; in theory it should bail 
out at that point and ignore all entries called defaults, if not ignore 
all ldap entries.  I patched defaults because I wanted to file the entry 
in a sub section of my ldap tree with the default privileges for all 
users on all systems on my site.  I guess there are good pros and cons 
to a sub tree search at this point.  Maybe the configuration file should 
store whether to perform a sub tree or one level search for these 2 
searches independently.

As for your cache issue, there are 2 solutions available to improve the 
performance of your ldap servers without modifying sudo:

1) The very complex way would be to install a local ldap server on 
each box, not my idea of fun, or a good idea imho.

2) If you are using openldap there is a caching overlay that you could 
use to improve the performance of regular searches on the tree.


Robert Beard wrote:
> Hi,
> Is it possible to have sudo ldap queries cached locally for a period of
> time similar to the password timeout feature?
> I'm looking at moving our BIG /etc/sudoers file into ldap but sudo is
> invoked around 240000 times a day (mostly via cron batch jobs) across a
> large server fleet which would result in at least 478000 LDAP queries 
> (~5.5 queries per sec). Caching would definitely help to reduce the potential
> load on the ldap servers for these repetitive tasks.
> Also saw that ldap.c has been updated in CVS to perform ldap SUBTREE
> searches. I noticed that the ldap query for the cn=defaults object is
> now also a SUBTREE search. This could result in multiple defaults entries
> being found below the SUDOers root. Shouldn't sudo just look in the
> SUDOers root for the one defaults entry and not through the whole sub
> tree?
> Thanx
> Rob.
> Linux Systems Engineer

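The scope question raised in the thread, shown on a constructed directory as an added example (not sudo's ldap.c and not code from either poster): a ONELEVEL search under the SUDOers base finds the single cn=defaults entry, while a SUBTREE search also picks up a defaults entry filed in a sub-container, and a loader that fails closed refuses the ambiguous result. The base DN, entry names and the `search`/`load_defaults` helpers are assumptions for illustration; DN comparison is simplified (case-sensitive, no escaped commas).

```python
from typing import Dict, List

# Constructed directory: one cn=defaults directly under the SUDOers root and a
# second one in a sub-container, the layout the sub-tree patch makes possible.
DIT: Dict[str, Dict[str, str]] = {
    "cn=defaults,ou=SUDOers,dc=example,dc=com": {"cn": "defaults"},
    "cn=root_users,ou=SUDOers,dc=example,dc=com": {"cn": "root_users"},
    "cn=defaults,ou=site,ou=SUDOers,dc=example,dc=com": {"cn": "defaults"},
}

BASE = "ou=SUDOers,dc=example,dc=com"


def _parent(dn: str) -> str:
    # Drop the leftmost RDN; values here contain no escaped commas.
    return dn.split(",", 1)[1]


def search(base: str, scope: str, cn: str) -> List[str]:
    """Return DNs whose cn matches, as a ONELEVEL or SUBTREE search would."""
    if scope not in ("onelevel", "subtree"):
        raise ValueError(f"unsupported scope {scope!r}")
    hits = []
    for dn, attrs in DIT.items():
        if attrs.get("cn") != cn:
            continue
        if scope == "onelevel" and _parent(dn) == base:
            hits.append(dn)            # direct child of the base only
        elif scope == "subtree" and dn.endswith("," + base):
            hits.append(dn)            # anywhere below the base
    return hits


def load_defaults(base: str, scope: str) -> str:
    """Fail closed: exactly one defaults entry may apply, otherwise refuse."""
    hits = search(base, scope, "defaults")
    if len(hits) != 1:
        raise ValueError(
            f"expected one cn=defaults under {base}, found {len(hits)}: {hits}")
    return hits[0]


if __name__ == "__main__":
    print("onelevel:", search(BASE, "onelevel", "defaults"))
    print("subtree: ", search(BASE, "subtree", "defaults"))
```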