Re: [389-users] /etc/sudoers VS sudo-objects in directory server

As I understood it, you could only use entries in /etc/group as opposed to using LDAP groups (which is what we're after). Our goal was to not need to manage locally stored files; we might as well manage /etc/sudoers as /etc/group in that instance.

-- juniper

----- Original Message -----
From: "Doug Chapman" <prjctgeek@xxxxxxxxx>
To: "General discussion list for the 389 Directory server project." <fedora-directory-users@xxxxxxxxxx>
Sent: Wednesday, December 30, 2009 6:48:16 PM GMT -05:00 US/Canada Eastern
Subject: Re: [389-users] /etc/sudoers VS sudo-objects in directory server




Not to digress too much off topic here, but I'm not sure about your comment on using groups. We've organized privileges into entries like this:




dn: cn=reporting_admin_on_sas,ou=sudoers,ou=foo,dc=com
objectClass: top
objectClass: sudoRole
cn: reporting_admin_on_sas
sudoHost: sasapp*.prod.foo.com
sudoUser: %reporting
sudoUser: %datawarehouse
sudoCommand: /bin/su sas
sudoCommand: /bin/su - sas


Note that you can have any number of sudoCommand and sudoUser attributes, so you can organize this cn around what the people in these groups need to do on this box.


One of my co-workers wrote a script that exports the sudo entries in the directory to /etc/sudoers to handle the case of legacy machines that are too old or broken to have native sudo LDAP lookups (of course they still need to be able to look up UIDs/GIDs in the directory for this to work).




On Tue, Dec 29, 2009 at 7:33 AM, Anne Cross < across@xxxxxxxxxxxxxxx > wrote: 


We're going to go with sudoers in LDAP, not because I think it's better, but because it's somewhat more secure. I think the layout of how it's managed in LDAP is much inferior (having to declare each group multiple times, and not being able to apply privileges to a *group*, is stupid), but it is at least someplace where I know the clever people can't get easy access to it, and if the sudoers file gets modified, I can have tripwire scream.

-- juniper 




----- Original Message ----- 
From: "Kenneth Holter" < kenneho.ndu@xxxxxxxxx > 
To: fedora-directory-users@xxxxxxxxxx 
Sent: Tuesday, December 29, 2009 7:12:41 AM GMT -05:00 US/Canada Eastern 
Subject: [389-users] /etc/sudoers VS sudo-objects in directory server 



Hi. 


We're working on setting up Red Hat Directory Server (RHDS), and need to make a decision about whether sudo information should be defined as sudo objects in the directory server, or if we should stick to /etc/sudoers. I've played around with sudo objects in the directory server, and got it working. But the way I see it, maintaining sudo information in /etc/sudoers is much easier than maintaining it in a directory server. In the latter case, I'd either have to use the GUI, or write scripts/LDIF files to make necessary changes to the sudo setup, and both seem less intuitive than simply editing the /etc/sudoers file.

I'd very much like to hear from others on their thoughts on whether to maintain sudo information in /etc/sudoers or in the directory server, so please feel free to post a reply.


Best regards, 
Kenneth Holter 
-- 
389 users mailing list 
389-users@xxxxxxxxxx 
https://www.redhat.com/mailman/listinfo/fedora-directory-users 


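Editor's note (added example, not code from any poster in this thread): Doug's message describes a co-worker's script that exports sudoRole entries from the directory to /etc/sudoers for hosts whose sudo cannot query LDAP itself, and Anne's and Kenneth's messages turn on how sudoRole attributes (sudoUser, sudoHost, sudoCommand) map onto sudoers syntax. The script below shows one way such an export can work. It is my own illustration, not the script Doug mentions. It assumes the roles have been dumped to LDIF (for instance with ldapsearch -LLL); the embedded SAMPLE_LDIF is constructed for the example and modelled on the entry Doug posted, with two extra hypothetical roles added to exercise sudoRunAsUser, sudoOption, sudoOrder and a malformed entry. The sudoOrder handling follows the sudoers.ldap manual: in LDAP the matching entry with the highest sudoOrder wins, in a sudoers file the last match wins, so entries are emitted in ascending sudoOrder.

```python
"""Render sudoRole entries from an LDIF dump as /etc/sudoers syntax.

Added example for hosts whose sudo cannot query LDAP directly.  SAMPLE_LDIF
is constructed for this example, modelled on the entry posted in the thread."""
import re
import sys

SAMPLE_LDIF = """\
dn: cn=reporting_admin_on_sas,ou=sudoers,ou=foo,dc=com
objectClass: top
objectClass: sudoRole
cn: reporting_admin_on_sas
sudoUser: %reporting
sudoUser: %datawarehouse
sudoHost: sasapp*.prod.foo.com
sudoCommand: /bin/su sas
sudoCommand: /bin/su - sas
sudoOrder: 10

dn: cn=dba_oracle,ou=sudoers,ou=foo,dc=com
objectClass: top
objectClass: sudoRole
cn: dba_oracle
sudoUser: %dba
sudoHost: ALL
sudoRunAsUser: oracle
sudoCommand: ALL
sudoOption: !authenticate
sudoOption: !requiretty
sudoOrder: 5

dn: cn=broken,ou=sudoers,ou=foo,dc=com
objectClass: sudoRole
cn: broken
sudoUser: bob
sudoHost: ALL
"""

# sudoOption values that have a per-command tag equivalent in sudoers syntax.
TAG_OPTIONS = {"!authenticate": "NOPASSWD:", "authenticate": "PASSWD:",
               "noexec": "NOEXEC:", "!noexec": "EXEC:",
               "setenv": "SETENV:", "!setenv": "NOSETENV:"}


def parse_ldif(text):
    """Parse LDIF into dicts of lower-cased attribute -> [values].
    Unfolds continuation lines (leading space); skips comments and base64 (::)
    values, which this exporter does not need."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        m = re.match(r"^([A-Za-z][\w;-]*):(:?) ?(.*)$", line)
        if not m or m.group(2):
            continue
        cur.setdefault(m.group(1).lower(), []).append(m.group(3))
    return entries


def escape_cmnd(value):
    """Backslash-escape sudoers word metacharacters inside a command while
    keeping a leading '!' (command negation) intact."""
    neg = value.startswith("!")
    body = re.sub(r"([,:=\\])", r"\\\1", value[1:] if neg else value)
    return ("!" if neg else "") + body


def role_to_sudoers(role):
    """Return (sudoers user specification or None, [warnings]) for one role."""
    cn = role.get("cn", ["?"])[0]
    users, hosts, cmds = (role.get(a, []) for a in ("sudouser", "sudohost", "sudocommand"))
    if not (users and hosts and cmds):
        return None, ["%s: needs sudoUser, sudoHost and sudoCommand; skipped" % cn]
    ru = role.get("sudorunasuser", role.get("sudorunas", []))
    rg = role.get("sudorunasgroup", [])
    runas = "(%s%s) " % (", ".join(ru), " : " + ", ".join(rg) if rg else "") if ru or rg else ""
    tags, warnings = [], []
    for opt in role.get("sudooption", []):
        if opt in TAG_OPTIONS:
            tags.append(TAG_OPTIONS[opt] + " ")
        else:  # e.g. !requiretty: a Defaults flag, no per-command tag
            warnings.append("%s: sudoOption %r not exported" % (cn, opt))
    line = "%s %s = %s%s%s" % (", ".join(users), ", ".join(hosts), runas,
                                "".join(tags), ", ".join(escape_cmnd(c) for c in cmds))
    return line, warnings


def export_sudoers(ldif_text):
    """Return (sudoers text, warnings) for every sudoRole entry in ldif_text."""
    roles = [e for e in parse_ldif(ldif_text)
             if "sudorole" in [o.lower() for o in e.get("objectclass", [])]]
    # LDAP: highest sudoOrder wins.  sudoers file: last match wins.
    # Emit in ascending sudoOrder so the two agree (absent sudoOrder == 0).
    roles.sort(key=lambda r: float(r.get("sudoorder", ["0"])[0]))
    out, warnings = ["# Generated from directory sudoRole entries; do not edit."], []
    for role in roles:
        line, w = role_to_sudoers(role)
        warnings.extend(w)
        if line:
            out += ["# " + role.get("dn", ["?"])[0], line]
    return "\n".join(out) + "\n", warnings


if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    text, warnings = export_sudoers(src)
    sys.stdout.write(text)
    for w in warnings:
        sys.stderr.write("warning: %s\n" % w)
```

Two practical points for anyone doing this for real: write the output to a temporary file and run `visudo -c -f` on it before installing it, since a syntax error in /etc/sudoers locks everyone out of sudo; and, as Doug notes, the target host still has to resolve the %group names against the directory (nss), otherwise the generated rules grant nothing.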
