[sudo-workers] group_plugin and LDAP Host_Alias clarification

Daniele Palumbo daniele at retaggio.net
Sun Aug 4 07:32:20 MDT 2019


Hi there,

I was looking for more information on group_plugin.
The idea was to create an LDAP non-Unix group (groupOfUniqueNames or groupOfNames, https://ldapwiki.com/wiki/GroupOfUniqueNames%20vs%20groupOfNames).

The idea was to create a group of hosts in LDAP, as suggested in
https://www.sudo.ws/man/1.8.27/sudoers.ldap.man.html
"""
For the most part, there is little need for sudo-specific Aliases. Unix groups, non-Unix groups (via the group_plugin) or user netgroups can be used in place of User_Aliases and Runas_Aliases. Host netgroups can be used in place of Host_Aliases. Since groups and netgroups can also be stored in LDAP there is no real need for sudo-specific aliases.
"""

I already know netgroups, so I wished to check the non-Unix groups possibility for benchmarking purposes.

I have found the following in the docs:

https://www.sudo.ws/man/1.8.27/sudoers.man.html
"""
group_plugin
A string containing a sudoers group plugin with optional arguments. The string should consist of the plugin path, either fully-qualified or relative to the /usr/local/libexec/sudo directory, followed by any configuration arguments the plugin requires. These arguments (if any) will be passed to the plugin's initialization function. If arguments are present, the string must be enclosed in double quotes ("").

For more information see GROUP PROVIDER PLUGINS.
"""

And following the link
"""
The following group provider plugins are installed by default:

group_file: The group_file plugin supports an alternate group file that uses the same syntax as the /etc/group file. The path to the group file should be specified as an option to the plugin. For example, if the group file to be used is /etc/sudo-group:

Defaults group_plugin="group_file.so /etc/sudo-group" 

system_group: The system_group plugin supports group lookups via the standard C library functions getgrnam() and getgrgid(). This plugin can be used in instances where the user belongs to groups not present in the user's supplemental group vector. This plugin takes no options:

Defaults group_plugin=system_group.so 

The group provider plugin API is described in detail in sudo_plugin(5).
"""

Assumptions:
- I have found on the internet some vendor plugins for AD support (e.g. from OneIdentity);
- I consider Unix groups overkill for this, as every host would have to be defined as a user (with a uid, home, ...) and a group would have to be defined as well (with a gid, ...)

Questions:
- Is it correct to state that there is no out-of-the-box support for groupOfUniqueNames/groupOfNames in sudo?
- Do you know of any free or non-free plugin that works with groupOfUniqueNames/groupOfNames?
- Is anyone aware of another method to define host groups in LDAP, apart from netgroups, which works out of the box with sudo?


Any hint would be more than useful.

Thank you very much,
Daniele
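The quoted documentation above describes the group_file plugin as reading a file in /etc/group syntax and the sudoers side referring to such groups with the %: prefix. The following is an added example by the editor, not sudo's own code or part of the original post: it parses a constructed file in that syntax and answers the membership question the plugin is asked, using the sudoers spellings %:name and %:#gid as the lookup key. The file contents, the group names, the user names and the helper names are all invented for illustration; treating %:#gid as a numeric gid lookup against the file is an assumption about how the plugin resolves it.

```python
"""
Resolve non-Unix group membership from a file written in /etc/group
syntax, which is the format the sudo group_file plugin reads.

Added example by the editor; not sudo code. The sudoers side would be:
    Defaults group_plugin="group_file.so /etc/sudo-group"
    %:webadmins ALL=(root) /usr/bin/systemctl restart nginx
The sample file contents below are constructed for illustration.
"""
import re
from typing import Dict, List

# Constructed sample in /etc/group syntax: name:password:gid:member,member
SUDO_GROUP_FILE = """\
# comment lines and blank lines are ignored
webadmins:x:5001:alice,bob
dbadmins:x:5002:carol

# a group with no members
empty:x:5003:
"""

# name : password : numeric gid : comma-separated members (may be empty)
_GROUP_LINE = re.compile(r"^([^:\s]+):([^:]*):(\d+):(.*)$")


def parse_group_file(text: str) -> Dict[str, dict]:
    """Parse /etc/group syntax into {name: {"gid": int, "members": [...]}}.

    Raises ValueError on malformed or duplicate entries, since a silently
    skipped line would turn into a silently missing (or extra) sudo grant.
    """
    groups: Dict[str, dict] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _GROUP_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not in /etc/group syntax: {raw!r}")
        name, _password, gid, members = m.groups()
        if name in groups:
            raise ValueError(f"line {lineno}: duplicate group {name!r}")
        member_list: List[str] = [u.strip() for u in members.split(",") if u.strip()]
        groups[name] = {"gid": int(gid), "members": member_list}
    return groups


def is_valid_group_file(text: str) -> bool:
    """True if the file parses cleanly; use this before pointing sudoers at it."""
    try:
        parse_group_file(text)
        return True
    except ValueError:
        return False


def user_in_group(groups: Dict[str, dict], user: str, group_ref: str) -> bool:
    """Answer the plugin's membership query for a sudoers-style reference.

    group_ref is '%:name' or '%:#gid' (the sudoers non-Unix group syntax).
    Assumption: the '#gid' form is resolved by matching the numeric gid
    column of the file.
    """
    if not group_ref.startswith("%:"):
        raise ValueError("non-Unix group references in sudoers start with '%:'")
    key = group_ref[2:]
    if key.startswith("#"):
        gid = int(key[1:])
        for g in groups.values():
            if g["gid"] == gid:
                return user in g["members"]
        return False
    g = groups.get(key)
    return g is not None and user in g["members"]


if __name__ == "__main__":
    groups = parse_group_file(SUDO_GROUP_FILE)
    for user, ref in [("alice", "%:webadmins"), ("alice", "%:dbadmins"),
                      ("carol", "%:#5002"), ("bob", "%:empty")]:
        print(f"{user:6} in {ref:13}: {user_in_group(groups, user, ref)}")
```

The parser is deliberately strict: the group_file plugin is consulted at authorization time, so an unparseable line that gets skipped is the difference between a rule matching and not matching. Run the file through is_valid_group_file() as part of the same check you would run visudo -c for the sudoers file itself.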

