[sudo-workers] LDAP sudoers search Performance

Thomas, Matthew (GE Tech Infra, US) matthewt.thomas at ge.com
Thu Mar 17 10:47:04 EDT 2011

Thanks for the response.

In ldap, I have adopted a very flat directory structure for easier account
management. (Auditing, etc..). However, I make use of the service search
descriptor feature in the UNIX client configuration to "virtualize" the ou.
This is around the concept that some of the records should be visible to all
servers, while other records should only be visible to smaller groups of

It's hard to go into specifics, but I can talk about an abstract example
which may help. Servers could be grouped into different categories based on
things like "Development" servers and "Production servers". Some records in
ldap may apply to both Development servers and Production servers, while
other records only apply to Development servers. Without a search filter, to
accomplish this I would need two different OUs, requiring me to duplicate
some records among the OUs and keep them in sync.

This is somewhat easier in sudo roles because I can use the sudoHost
attribute to make specific sudo roles apply only to specific hosts. However,
because the sudo ldap search is based only on the sudoUser field, using the
sudoHost attribute does not limit the search to only records applicable to a
specific server. While it works technically, searching 1000+ sudo roles to
see if the netgroup in sudoUser and the netgroup in sudoHost match can take
excessive amounts of time.

If I could use the search filter to limit the records returned by sudo
during a search, it can significantly increase the search speed.

Example Filter for a development server:
Example for a production server:

This simple filter would halve the amount of records returned in the search.
In practice, I have a lot more than 2 groups of servers, so this will
provide a significant boost to the search speed.

The other option I looked at would be to change the pass1 search to find all
the netgroups the user belongs to and add them to the search (similar to
unix groups). However, I don't know how easy that is to implement. I know I
can ask which users belong to a certain netgroup, but reversing the question
and asking which netgroups a user belongs to is harder.
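As an added illustration (not code from sudo or from the original post), here is a constructed model of the sudoUser-based query being AND'ed with a per-host scoping filter built from sudoHost. The sudoRole entries, host and netgroup names are made up; the two-pass shape (user, %group and ALL first, then every netgroup-keyed role via sudoUser=+*) is modelled on sudo's sudoUser-only lookup.

```python
import fnmatch
# Constructed sudoRole entries (made-up names), as a server would hold them.
SUDO_ROLES = [
    {"cn": "dev-admins", "sudoUser": ["+devadmins"], "sudoHost": ["+devservers"]},
    {"cn": "prod-dba", "sudoUser": ["%dba"], "sudoHost": ["+prodservers"]},
    {"cn": "all-ops", "sudoUser": ["+ops"], "sudoHost": ["ALL"]},
    {"cn": "alice-dev", "sudoUser": ["alice"], "sudoHost": ["dev01"]},
    {"cn": "prod-backup", "sudoUser": ["+backup"], "sudoHost": ["+prodservers"]},
]

def pass1_filter(user, groups):
    """First pass: the user name, each %group and ALL, OR'ed together."""
    terms = [f"(sudoUser={user})"] + [f"(sudoUser=%{g})" for g in groups]
    return "(|" + "".join(terms) + "(sudoUser=ALL))"

def host_scope_filter(host, host_netgroups):
    """Extra filter keeping only roles whose sudoHost can apply to this client."""
    terms = [f"(sudoHost=+{n})" for n in host_netgroups]
    return f"(|(sudoHost=ALL)(sudoHost={host})" + "".join(terms) + ")"

def _parse(f, i=0):
    """Tiny parser for the &, | and attr=value forms generated above."""
    if f[i + 1] in "&|":
        op, kids, i = f[i + 1], [], i + 2
        while f[i] != ")":
            node, i = _parse(f, i)
            kids.append(node)
        return (op, kids), i + 1
    j = f.index(")", i)
    attr, val = f[i + 1:j].split("=", 1)
    return ("=", attr, val), j + 1

def _evaluate(node, entry):
    if node[0] == "&":
        return all(_evaluate(k, entry) for k in node[1])
    if node[0] == "|":
        return any(_evaluate(k, entry) for k in node[1])
    _, attr, val = node  # '*' in val acts as the LDAP substring wildcard
    return any(fnmatch.fnmatchcase(v, val) for v in entry.get(attr, []))

def search(filter_str, entries=SUDO_ROLES):
    node, _ = _parse(filter_str)
    return [e["cn"] for e in entries if _evaluate(node, e)]

def records_returned(user, groups, host, host_netgroups, scoped):
    """Entries handed back over both passes, with or without the host scope."""
    filters = [pass1_filter(user, groups), "(sudoUser=+*)"]  # pass 2: netgroup roles
    if scoped:
        filters = [f"(&{f}{host_scope_filter(host, host_netgroups)})" for f in filters]
    return sum(len(search(f)) for f in filters)
```

With the sample data, scoping the query to a development host drops the records the client must fetch and then match client-side from 5 to 3; the netgroup membership test on sudoUser still happens on the client, only against fewer entries.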


-----Original Message-----
From: Todd C. Miller [mailto:Todd.Miller at courtesan.com] 
Sent: Thursday, March 17, 2011 10:05 AM
To: Thomas, Matthew (GE Tech Infra, US)
Cc: sudo-workers at sudo.ws
Subject: Re: [sudo-workers] LDAP sudoers search Performance

Can you give a real-world example of how you are using this?
I'd like to better understand the performance issues and how this improves

 - todd
