[389-users] /etc/sudoers VS sudo-objects in directory server

[patrick.morris at hp.com]

On Tue, Dec 29, 2009 at 7:33 AM, Anne Cross <across itasoftware com>
wrote:

    We're going to go with sudoers in ldap, not because I think it's
    better, but because it's somewhat more secure.  I think the layout
    of how it's managed in ldap is much inferior (having to declare each
    group multiple times, and not being able to apply privileges to a
    *group*, is stupid) but it is at least someplace where I know the
    clever people can't get easy access to it, and if the sudoers file
    gets modified, I can have tripwire scream.

        -- juniper

It's most definitely *not* the case that you cannot use groups in LDAP
sudoers objects. I'm also not sure why you'd need to declare groups
multiple times, or what "groups" means in this context, but it sounds
like you may just be doing things the hard way.