[389-users] /etc/sudoers VS sudo-objects in directory server

On Tue, 29 Dec 2009, Kenneth Holter wrote:

> We're working on setting up Red Hat Directory Server (RHDS), and need to make a decision about whether sudo information should be defined as sudo-objects in the directory server, or if we should stick to /etc/sudoers. I've played around with sudo-objects in the directory server, and got it working. But the way I see it, maintaining sudo information in /etc/sudoers is much easier than to maintain it in a directory server. In the latter case, I'd either have to use the GUI, or write scripts/ldif files to make necessary changes to the sudo setup, and they both seem less intuitive than to simply edit the /etc/sudoers file.
> 
> I'd very much like to hear from others on their thoughts on whether to maintain sudo information in /etc/sudoers or in the directory server, so please feel free to post a reply.

I know I'm stating the obvious here, and feel the need to mention that
there's absolutely nothing directly RHDS or 389-related about your
question, but you did ask...

As with anything LDAP-related, you need to decide whether you want
centralization or the status quo. It seems you already know the benefits
to using LDAP (make changes in one place, replicate it everywhere) and
the drawbacks (it's not a simple matter of editing a sudoers file), as
well as the benefits of not using LDAP (flat, easy-to-read text files
and no learning curve or additional tools involved).

Personally, given more than one machine to administer, I'd go LDAP every
time, but I've been bit too many times by inconsistencies, and I'm
familiar enough with doing it the LDAP way that it's no big deal to me.
I like being able to make one change in one place and know that it's
instantly taking effect on every box I want it to, without question,
every time. To me, consistency is a *huge* part of good security, and
that's easier to accomplish when you're changing one thing in one place,
rather than (in my case) changing one thing in a few thousand places.

That's just my situation, though, and I'm sure yours is different. Given
that you already seem to know the pros and cons, it's really just a
matter of deciding what's important to you, and then making the
appropriate decision.



