[sudo-workers] caching sudo ldap queries
tom at tomjudge.com
Fri Jun 23 12:58:41 EDT 2006
The patch to ldap.c was submitted by me. I have no idea how sudo would
handle finding more than one defaults object; in theory it should bail
out at that point and ignore all entries called defaults, if not ignore
all ldap entries. I patched defaults because I wanted to file the entry
in a sub section of my ldap tree with the default privileges for all
users on all systems on my site. I guess there are good pros and cons
to a sub tree search at this point. Maybe the configuration file should
store whether to perform a sub tree or one level search for these 2
As for your cache issue, there are 2 solutions available to improve the
performance of your ldap servers without modifying sudo:
1) The very complex way, would be to install a local ldap server on
each box, not my idea of fun, or a good idea imho.
2) If you are using openldap there is a caching overlay that you could
use to improve the performance of regular searches on the tree.
Robert Beard wrote:
> Is it possible to have sudo ldap queries cached locally for a period of
> time similar to the password timeout feature?
> I'm looking at moving our BIG /etc/sudoers file into ldap but sudo is
> invoked around 240000 times a day (mostly via cron batch jobs) across a
> large server fleet which would result in at least 478000 LDAP queries
> (~5.5 queries per sec). Caching would definitely help to reduce the potential
> load on the ldap servers for these repetitive tasks.
> Also saw that ldap.c has been updated in CVS to perform ldap SUBTREE
> searches. I noticed that the ldap query for the cn=defaults object is
> now also a SUBTREE search. This could result in multiple defaults entries
> being found below the SUDOers root. Shouldn't sudo just look in the
> SUDOers root for the one defaults entry and not through the whole sub
> Linux Systems Engineer
> sudo-workers mailing list <sudo-workers at sudo.ws>
> For list information, options, or to unsubscribe, visit:
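The two points in this thread (a SUBTREE search for cn=defaults can match more than one object, and a per-host result cache would cut the LDAP query rate) can be made concrete with a small model. The following is an added example, not code from sudo's ldap.c or from either poster: it keeps a constructed in-memory directory, implements one-level versus subtree scope on DNs, audits whether the defaults lookup is ambiguous, and wraps the search in a TTL cache. The base DN, the sub-OU layout and the sudoOption values are assumptions chosen for illustration.

```python
"""Added example: model of LDAP search scope for the sudo cn=defaults lookup,
plus a TTL cache for repeated queries. Not sudo's code; directory contents
below are constructed sample data."""

import time

SUDOERS_BASE = "ou=SUDOers,dc=example,dc=com"  # assumed SUDOers root

# Constructed directory: DN -> attributes. Two cn=defaults objects exist,
# one directly under the root and one in a sub-OU (the layout Tom describes).
DIRECTORY = {
    "cn=defaults,ou=SUDOers,dc=example,dc=com": {
        "objectClass": ["sudoRole"], "cn": ["defaults"],
        "sudoOption": ["env_reset", "timestamp_timeout=5"],
    },
    "cn=defaults,ou=site1,ou=SUDOers,dc=example,dc=com": {
        "objectClass": ["sudoRole"], "cn": ["defaults"],
        "sudoOption": ["!authenticate"],  # conflicting site-level default
    },
    "cn=ops,ou=SUDOers,dc=example,dc=com": {
        "objectClass": ["sudoRole"], "cn": ["ops"],
        "sudoUser": ["%ops"], "sudoHost": ["ALL"], "sudoCommand": ["ALL"],
    },
}


def split_dn(dn):
    """Split a DN into lower-cased RDNs. Escaped commas ("\\,") are not
    handled; the sample DNs contain none."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn lies under base_dn at the given scope.
    'onelevel' = immediate children only, 'subtree' = any depth below base.
    The base object itself is excluded in both cases."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    if len(entry) <= len(base) or entry[-len(base):] != base:
        return False
    depth = len(entry) - len(base)
    return depth == 1 if scope == "onelevel" else True


def search(base_dn, scope, cn):
    """Return the DNs under base_dn, at the given scope, whose cn equals cn."""
    return sorted(
        dn for dn, attrs in DIRECTORY.items()
        if in_scope(dn, base_dn, scope)
        and cn.lower() in (v.lower() for v in attrs.get("cn", []))
    )


def audit_defaults(base_dn, scope):
    """Audit check: report every cn=defaults object the search would find and
    whether the result is ambiguous (more than one object)."""
    hits = search(base_dn, scope, "defaults")
    options = [opt for dn in hits for opt in DIRECTORY[dn]["sudoOption"]]
    return {"entries": hits, "ambiguous": len(hits) > 1, "options": options}


class TTLCache:
    """Cache search results for ttl seconds, in the spirit of sudo's
    timestamp_timeout. The clock is injectable so behaviour can be tested."""

    def __init__(self, ttl, clock=time.monotonic):
        self.ttl, self.clock = ttl, clock
        self.store, self.backend_calls = {}, 0

    def search(self, base_dn, scope, cn):
        key = (base_dn.lower(), scope, cn.lower())
        now = self.clock()
        hit = self.store.get(key)
        if hit is not None and now - hit[0] < self.ttl:
            return hit[1]  # served from cache, no LDAP round trip
        self.backend_calls += 1
        result = search(base_dn, scope, cn)
        self.store[key] = (now, result)
        return result


if __name__ == "__main__":
    for scope in ("onelevel", "subtree"):
        print(scope, audit_defaults(SUDOERS_BASE, scope))
    cache = TTLCache(ttl=300)
    for _ in range(10):
        cache.search(SUDOERS_BASE, "onelevel", "defaults")
    print("backend calls for 10 lookups:", cache.backend_calls)
```

With this layout the one-level search returns a single defaults object, while the subtree search returns both and the audit flags the result as ambiguous, which is the situation Robert raises. The cache shows the other side of the thread: ten identical lookups inside the TTL cost one backend query. A practitioner adding such a cache to a privilege check should remember that a revoked entry keeps being honoured until its cached copy expires, so the TTL bounds the revocation delay, and that the cache file must not be writable by unprivileged users.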