[sudo-workers] LDAP optimizations

Pablo Averbuj lists+sudo at vanitude.com
Wed Aug 5 15:11:37 EDT 2009


Hello,
I've been doing some poking and testing with the LDAP/Netgroup integration
for my project and I see the opportunity for optimization. But before I
start making dramatic/stupid changes, I want to make sure I'm thinking about
this all wrong.
Currently my read of ldap.c indicates that when it's resolving sudoRole
objects after it tries the explicit sudoUser values (username, primary unix
group, additional unix groups) it looks for sudoRoles with nisNetgroups
(sudoUser=+*).

So far so good. The next steps are where I want to make improvements. Now
that it has a bunch of sudoRole objects, it starts to resolve sudoUser
netgroups to see if the user is in the netgroup until it finds the user,
etc. I propose (and if agreed, may attempt) the following change:

Validate that the command is in sudoCommand / sudoRunas _before_ querying
the sudoUser netgroups and sudoHost netgroups

I don't see any downside and that makes me think that I'm crazy. Thoughts?
-Pablo
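To make the proposed reordering concrete, here is an added toy model (not sudo's ldap.c, and not the poster's code) that evaluates the same sudoRole attributes in both orders and counts how many netgroup lookups each order costs. The roles and netgroups are constructed, and netgroup membership is simplified to plain name sets rather than (host,user,domain) triples.

```python
from fnmatch import fnmatch

# Constructed netgroups: user netgroups and host netgroups as simple name sets.
NETGROUPS = {
    "dbas": {"alice", "bob"},
    "webops": {"carol"},
    "dbhosts": {"db1", "db2"},
    "webhosts": {"web1", "web2"},
}

# Constructed sudoRole entries carrying the attributes named in the post.
ROLES = [
    {"sudoUser": ["+dbas"], "sudoHost": ["+dbhosts"],
     "sudoCommand": ["/usr/bin/psql"], "sudoRunas": ["postgres"]},
    {"sudoUser": ["+webops"], "sudoHost": ["+webhosts"],
     "sudoCommand": ["/usr/sbin/apachectl"], "sudoRunas": ["root"]},
    {"sudoUser": ["+dbas"], "sudoHost": ["ALL"],
     "sudoCommand": ["ALL"], "sudoRunas": ["root"]},
]

def in_netgroup(name, member, lookups):
    """Resolve a +netgroup reference; each call stands for one directory round trip."""
    lookups.append(name)
    return member in NETGROUPS.get(name, set())

def cmd_runas_ok(role, command, runas):
    """Cheap check: sudoCommand and sudoRunas are already in the fetched entry."""
    cmd_ok = any(c == "ALL" or fnmatch(command, c) for c in role["sudoCommand"])
    runas_ok = any(r == "ALL" or r == runas for r in role["sudoRunas"])
    return cmd_ok and runas_ok

def netgroups_ok(role, user, host, lookups):
    """Expensive check: resolve sudoUser and then sudoHost netgroups."""
    if not any(in_netgroup(u[1:], user, lookups)
               for u in role["sudoUser"] if u.startswith("+")):
        return False
    return any(h == "ALL" or (h.startswith("+") and in_netgroup(h[1:], host, lookups))
               for h in role["sudoHost"])

def allowed(user, host, command, runas, command_first):
    """Return (decision, netgroup lookups used) for the chosen check order."""
    lookups = []
    for role in ROLES:
        if command_first:
            hit = cmd_runas_ok(role, command, runas) and netgroups_ok(role, user, host, lookups)
        else:
            hit = netgroups_ok(role, user, host, lookups) and cmd_runas_ok(role, command, runas)
        if hit:
            return True, len(lookups)
    return False, len(lookups)
```

Running both orders over the same requests shows the decision never changes while the lookup count drops, which is the property any such reordering has to preserve.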

