On Tue, 29 Dec 2009, Kenneth Holter wrote: > We're working on setting up Red Hat Directory Server (RHDS), and need to make a decision about wether sudo information should be defined as sudo-objects in the directory server, or if we should stick to /etc/sudoers. I've played around with sudo-objects in the directory server, and got it working. But the way I see it, maintaining sudo information in /etc/sudoers is much easier than to maintain it in a directory server. In the latter case, I'd either have to use the GUI, or write scripts/ldif files to make necessary changes to the sudo setup, and they both seem less intuitive than to simply edit the /etc/sudoers file. > > I'd very much like to hear from others on their thoughts on wether to maintain sudo information in /etc/sudoers or in the directory server, so please feel free to post a reply. I know I'm stating the obvious here, and feel the need to mention that there's absolutely nothing directly RHDS or 389-related about your question, but you did ask... As with anything LDAP-related, you need to decide whether you want centralization or the status quo. It seems you already know the benefits to using LDAP (make changes in one place, replicate it everywhere) and the drawbacks (it's not a simple matter of editing a sudoers file), as well as the benefits of not using LDAP (flat, easy-to-read text files and no learning curve or additional tools involved). Personally, given more than one machine to administer, I'd go LDAP every time, but I've been bit too many times by inconsistencies, and I'm familiar enough with doing it the LDAP way that it's no big deal to me. I like being able to make one change in one place and know that it's instantly taking effect on every box I want it to, without question, every time. To me, consistency is a *huge* part of good security, and that's easier to accomplish when you're changing one thing on one place, rather than (in my case) changing one thing a few thousand places. That's just my situation, though, and I'm sure yours is different. Given that you already seem to know the pros and cons, it's really just a matter of deciding what's important to you, and then making the appropriate decision. -- 389 users mailing list 389-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
