/etc/sudoers VS sudo-objects in directory server

Thanks for all the replies.

We're running Puppet to manage files on our linux servers, so assuming that
Puppet consistently distributes /etc/sudoers (we'll maintain only one copy
of this file) to our linux servers, we in a way will have a centralized
setup of sudoers, much like using an LDAP. So to me, the main difference
between the two approaches, as far as I can tell, is simply whether we store
sudo information in /etc/sudoers format or in LDAP/LDIF format. And I must
admit that /etc/sudoers seems like the best choice.
From the responses I've got so far I can't see any major issues with the
/etc/sudoers approach, as long as we can ensure that Puppet will do its job.



Regards,
Kenneth

On Wed, Dec 30, 2009 at 10:38 PM, <patrick.morris at hp.com> wrote:

> On Tue, 29 Dec 2009, Kenneth Holter wrote:
>
> > We're working on setting up Red Hat Directory Server (RHDS), and need to
> > make a decision about whether sudo information should be defined as
> > sudo-objects in the directory server, or if we should stick to /etc/sudoers.
> > I've played around with sudo-objects in the directory server, and got it
> > working. But the way I see it, maintaining sudo information in /etc/sudoers
> > is much easier than maintaining it in a directory server. In the latter
> > case, I'd either have to use the GUI, or write scripts/ldif files to make
> > necessary changes to the sudo setup, and they both seem less intuitive than
> > simply editing the /etc/sudoers file.
> >
> > I'd very much like to hear from others on their thoughts on whether to
> > maintain sudo information in /etc/sudoers or in the directory server, so
> > please feel free to post a reply.
>
> I know I'm stating the obvious here, and feel the need to mention that
> there's absolutely nothing directly RHDS or 389-related about your
> question, but you did ask...
>
> As with anything LDAP-related, you need to decide whether you want
> centralization or the status quo. It seems you already know the benefits
> to using LDAP (make changes in one place, replicate it everywhere) and
> the drawbacks (it's not a simple matter of editing a sudoers file), as
> well as the benefits of not using LDAP (flat, easy-to-read text files
> and no learning curve or additional tools involved).
>
> Personally, given more than one machine to administer, I'd go LDAP every
> time, but I've been bitten too many times by inconsistencies, and I'm
> familiar enough with doing it the LDAP way that it's no big deal to me.
> I like being able to make one change in one place and know that it's
> instantly taking effect on every box I want it to, without question,
> every time. To me, consistency is a *huge* part of good security, and
> that's easier to accomplish when you're changing one thing in one place,
> rather than (in my case) changing one thing a few thousand places.
>
> That's just my situation, though, and I'm sure yours is different. Given
> that you already seem to know the pros and cons, it's really just a
> matter of deciding what's important to you, and then making the
> appropriate decision.
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
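Below is an added example of how the single-copy Puppet approach Kenneth describes could be made safer; it is not code from this thread or from any project named in it. It assumes a Puppet version that supports the `validate_cmd` parameter of the `file` resource, and the source path `puppet:///modules/sudo/sudoers` is a placeholder for wherever the master copy is kept.

```puppet
# Added example (not from the thread): distribute one central sudoers file with
# Puppet, but refuse to install it unless visudo accepts the syntax. Without the
# check, a typo in the single master copy would break sudo on every host at once,
# which is the main operational risk of the "one file, pushed everywhere" model.
file { '/etc/sudoers':
  ensure       => file,
  owner        => 'root',
  group        => 'root',
  mode         => '0440',
  source       => 'puppet:///modules/sudo/sudoers',   # placeholder module path
  validate_cmd => '/usr/sbin/visudo -cf %',           # Puppet substitutes the staged file for %
}

# Keep /etc/sudoers.d consistent too: anything not managed by Puppet is removed,
# so local, hand-added drop-ins cannot quietly diverge from the central policy
# (the consistency point Patrick raises above).
file { '/etc/sudoers.d':
  ensure  => directory,
  owner   => 'root',
  group   => 'root',
  mode    => '0750',
  recurse => true,
  purge   => true,
}
```

If the check fails, Puppet leaves the previous /etc/sudoers in place and reports the error in the agent run, which is the signal to watch for when auditing that "Puppet will do its job".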

