On Tue, Dec 29, 2009 at 7:33 AM, Anne Cross <across itasoftware com>
wrote:
We're going to go with sudoers in ldap, not because I think it's
better, but because it's somewhat more secure. I think the layout
of how it's managed in ldap is much inferior (having to declare each
group multiple times, and not being able to apply privileges to a
*group*, is stupid) but it is at least someplace where I know the
clever people can't get easy access to it, and if the sudoers file
gets modified, I can have tripwire scream.
-- juniper
It's most definitely *not* the case that you cannot use groups in LDAP
sudoers objects. I'm also not sure why you'd need to declare groups
multiple times, or what "groups" means in this context, but it sounds
like you may just be doing things the hard way.
