[sudo-users] Fwd: SUDO centralization based on Server!

Todd C. Miller Todd.Miller at courtesan.com
Tue Sep 6 14:41:14 EDT 2011


On Tue, 06 Sep 2011 13:33:17 CDT, Patrick Spinler wrote:

> Someone else will have to chime in to confirm or deny my failing memory,
> but I do know that when using LDAP in general, there are no guarantees
> as to the order that elements are returned from a search; leading from
> that, I seem to recall reading somewhere that the behavior of sudo deny
> rules when pulled from LDAP might not be the same as when reading rules
> from a file, again 'cause you can't specify or enforce a rule order.

That is correct; LDAP does not guarantee the order of the attributes
within a sudoRole.  Newer versions of sudo support a sudoOrder
attribute but that only helps with ordering multiple sudoRoles.

 - todd
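
Added illustration, not part of the original message and not sudo's own code: a simplified Python model of the limitation described above. It assumes file-style "last match wins" evaluation of a role's sudoCommand values, exact-path matching only, and constructed sample roles; all function names are hypothetical. It flags sudoRoles whose verdict for a command would change with the order in which the directory returns the attribute values, and shows that sorting by sudoOrder only fixes the order between roles.

```python
from itertools import permutations

# Constructed sample sudoRoles (not from the thread). sudoCommand is
# multi-valued; a leading "!" marks a denied command.
ROLES = [
    {"cn": "ops-backup", "sudoOrder": 2, "sudoCommand": ["/usr/bin/rsync"]},
    {"cn": "ops-all", "sudoOrder": 1, "sudoCommand": ["ALL", "!/bin/su"]},
]


def matches(pattern, command):
    """Simplified matcher: exact path or the keyword ALL (no globbing)."""
    return pattern == "ALL" or pattern == command


def last_match(values, command):
    """File-style evaluation: the last matching value decides.
    Returns True (allow), False (deny) or None (no match)."""
    verdict = None
    for value in values:
        negated = value.startswith("!")
        pattern = value[1:] if negated else value
        if matches(pattern, command):
            verdict = not negated
    return verdict


def order_dependent(role, command):
    """True if the verdict changes with the order of sudoCommand values."""
    orders = permutations(role["sudoCommand"])
    return len({last_match(o, command) for o in orders}) > 1


def by_sudo_order(roles):
    """Sort roles by sudoOrder; a missing attribute is treated as 0 here."""
    return sorted(roles, key=lambda r: r.get("sudoOrder", 0))


def audit(roles, commands):
    """Return (cn, command) pairs whose outcome depends on attribute order."""
    return [(r["cn"], c) for r in by_sudo_order(roles)
            for c in commands if order_dependent(r, c)]


if __name__ == "__main__":
    for cn, cmd in audit(ROLES, ["/bin/su", "/usr/bin/rsync"]):
        print(f"{cn}: verdict for {cmd} depends on attribute order")
```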


