[389-users] /etc/sudoers VS sudo-objects in directory server

[Anne Cross]

We're going to go with sudoers in ldap, not because I think it's better, but because it's somewhat more secure.  I think the layout of how it's managed in ldap is much inferior (having to declare each group multiple times, and not being able to apply privileges to a *group*, is stupid) but it is at least someplace where I know the clever people can't get easy access to it, and if the sudoers file gets modified, I can have tripwire scream.

-- juniper

----- Original Message -----
From: "Kenneth Holter" <kenneho.ndu at gmail.com>
To: fedora-directory-users at redhat.com
Sent: Tuesday, December 29, 2009 7:12:41 AM GMT -05:00 US/Canada Eastern
Subject: [389-users] /etc/sudoers VS sudo-objects in directory server



Hi. 


We're working on setting up Red Hat Directory Server (RHDS), and need to make a decision about wether sudo information should be defined as sudo-objects in the directory server, or if we should stick to /etc/sudoers. I've played around with sudo-objects in the directory server, and got it working. But the way I see it, maintaining sudo information in /etc/sudoers is much easier than to maintain it in a directory server. In the latter case, I'd either have to use the GUI, or write scripts/ldif files to make necessary changes to the sudo setup, and they both seem less intuitive than to simply edit the /etc/sudoers file. 

I'd very much like to hear from others on their thoughts on wether to maintain sudo information in /etc/sudoers or in the directory server, so please feel free to post a reply. 


Best regards, 
Kenneth Holter 
--
389 users mailing list
389-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users