[sudo-workers] Add support for DBIS netservices

Todd C. Miller Todd.Miller at courtesan.com
Mon Aug 24 14:19:42 MDT 2015


The sudo plugin interface is really intended to allow you to use a
foreign (i.e. not sudoers) security policy with the sudo front-end.
The sudoers plugin itself supports an nss-ish interface with file,
ldap and sssd backends.  What you seem to be proposing sounds
similar to sssd which also does caching of LDAP results and has its
own sudoers backend/source.

One of the biggest usability problems with user netgroups and LDAP
under sudo is you cannot use them in a simple query to return all
of a user's sudoRole objects as there is no interface to enumerate
all the netgroups a user is a member of.  In the past, sudo had to
query all matching sudoRoles with a member that matches "+*" which
was woefully inefficient (and slow).

Sudo 1.8.12 and above are capable of querying a user's netgroups
directly so they can be used in a query but not all LDAP servers
support such queries.  OpenLDAP in particular refuses to support
RFC2307bis since it was never standardized.  It looks like netservices
do support queries that would make it possible to enumerate a
user's netservices.  Is that correct?

 - todd


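As an added illustration (not code from sudo or from this message), here are the two query shapes the message contrasts: the old approach that fetches every netgroup-bearing sudoRole with `sudoUser=+*` and matches netgroups client-side, versus listing the user's enumerated netgroups directly in the filter. The filter layout approximates the sudoers LDAP lookup (user, `%group`, `+netgroup`, `ALL`) and is an assumption; the escaping follows RFC 4515 so attribute values cannot alter the filter, and all user, group and netgroup names are constructed sample values.

```python
def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in '*()\\\x00':
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def sudorole_filter(user, groups, netgroups=None):
    """Build the filter for sudoRole entries that could apply to `user`.

    If `netgroups` is None the caller cannot enumerate the user's netgroups,
    so every role carrying a netgroup is fetched via '+*' and the netgroup
    match has to be done client-side (the slow path the message describes).
    Otherwise only the user's own netgroups are named in the filter.
    """
    terms = ['(sudoUser=%s)' % ldap_escape(user)]
    terms += ['(sudoUser=%%%s)' % ldap_escape(g) for g in groups]
    if netgroups is None:
        terms.append('(sudoUser=+*)')
    else:
        terms += ['(sudoUser=+%s)' % ldap_escape(n) for n in netgroups]
    terms.append('(sudoUser=ALL)')
    return '(&(objectClass=sudoRole)(|%s))' % ''.join(terms)


def role_matches_netgroup(role_sudo_users, user_netgroups):
    """Client-side check required with the '+*' filter: does any '+ng'
    value on the fetched role name a netgroup the user belongs to?"""
    return any(v[1:] in user_netgroups
               for v in role_sudo_users if v.startswith('+'))


if __name__ == '__main__':
    # Constructed sample: user 'alice' in group 'wheel', netgroup 'admins'.
    print(sudorole_filter('alice', ['wheel'], None))
    print(sudorole_filter('alice', ['wheel'], ['admins']))
```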