[389-users] /etc/sudoers VS sudo-objects in directory server

Kenneth Holter kenneho.ndu at gmail.com
Mon Jan 4 12:55:26 UTC 2010


Thanks for all the replies.

We're running Puppet to manage files on our Linux servers, so assuming that
Puppet consistently distributes /etc/sudoers (we'll maintain only one copy
of this file) to our Linux servers, we in a way will have a centralized
setup of sudoers, much like using an LDAP. So to me, the main difference
between the two approaches, as far as I can tell, is simply whether we store
sudo information in /etc/sudoers format or in LDAP/LDIF format. And I must
admit that /etc/sudoers seems like the best choice.
From the responses I've got so far I can't see any major issues with the
/etc/sudoers approach, as long as we can ensure that Puppet will do its job.



Regards,
Kenneth

On Wed, Dec 30, 2009 at 10:38 PM, <patrick.morris at hp.com> wrote:

> On Tue, 29 Dec 2009, Kenneth Holter wrote:
>
> > We're working on setting up Red Hat Directory Server (RHDS), and need to
> make a decision about whether sudo information should be defined as
> sudo-objects in the directory server, or if we should stick to /etc/sudoers.
> I've played around with sudo-objects in the directory server, and got it
> working. But the way I see it, maintaining sudo information in /etc/sudoers
> is much easier than to maintain it in a directory server. In the latter
> case, I'd either have to use the GUI, or write scripts/ldif files to make
> necessary changes to the sudo setup, and they both seem less intuitive than
> to simply edit the /etc/sudoers file.
> >
> > I'd very much like to hear from others on their thoughts on whether to
> maintain sudo information in /etc/sudoers or in the directory server, so
> please feel free to post a reply.
>
> I know I'm stating the obvious here, and feel the need to mention that
> there's absolutely nothing directly RHDS or 389-related about your
> question, but you did ask...
>
> As with anything LDAP-related, you need to decide whether you want
> centralization or the status quo. It seems you already know the benefits
> to using LDAP (make changes in one place, replicate it everywhere) and
> the drawbacks (it's not a simple matter of editing a sudoers file), as
> well as the benefits of not using LDAP (flat, easy-to-read text files
> and no learning curve or additional tools involved).
>
> Personally, given more than one machine to administer, I'd go LDAP every
> time, but I've been bit too many times by inconsistencies, and I'm
> familiar enough with doing it the LDAP way that it's no big deal to me.
> I like being able to make one change in one place and know that it's
> instantly taking effect on every box I want it to, without question,
> every time. To me, consistency is a *huge* part of good security, and
> that's easier to accomplish when you're changing one thing on one place,
> rather than (in my case) changing one thing a few thousand places.
>
> That's just my situation, though, and I'm sure yours is different. Given
> that you already seem to know the pros and cons, it's really just a
> matter of deciding what's important to you, and then making the
> appropriate decision.
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
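The thread's point is that the same policy can live either in /etc/sudoers syntax or as sudoRole objects in LDAP, and that a file pushed by configuration management is only as safe as the check that it parses. The script below is an added example, not code from the thread or from 389/RHDS: it parses the common one-line sudoers form (`users hosts=(runas) commands`, with the `NOPASSWD:` tag), renders each rule as a sudoRole entry using the attribute names from sudo's LDAP schema (sudoUser, sudoHost, sudoRunAsUser, sudoCommand, sudoOption), and syntax-checks a candidate file with `visudo -cf` before it would be distributed. The base DN, the rule names, and the sample policy are constructed for the example; aliases (User_Alias, Cmnd_Alias) and runas groups are deliberately not handled.

```python
"""Render simple sudoers rules as sudoRole LDIF and syntax-check the file.

Added example, not part of the original thread.  Only the one-line
sudoers form "users hosts=(runas) commands" is supported; Defaults
lines are skipped and aliases are not expanded.
"""
import os
import re
import shutil
import subprocess
import tempfile
from dataclasses import dataclass, field

# Constructed container DN for the example; substitute your own suffix.
BASE_DN = "ou=SUDOers,dc=example,dc=com"

# users  hosts = (runas) commands   -- runas spec is optional
RULE_RE = re.compile(
    r"^(?P<users>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)


@dataclass
class SudoRule:
    name: str
    users: list
    hosts: list
    runas: list            # empty means sudo applies runas_default
    commands: list
    options: list = field(default_factory=list)


def split_list(s):
    """Split a comma-separated sudoers list, dropping blanks."""
    return [x.strip() for x in s.split(",") if x.strip()]


def parse_sudoers(text):
    """Parse one-line sudoers rules into SudoRule objects."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: unsupported sudoers syntax: {line!r}")
        cmds, options = m.group("cmds").strip(), []
        # NOPASSWD: on the command list maps to the LDAP option !authenticate
        if cmds.upper().startswith("NOPASSWD:"):
            options.append("!authenticate")
            cmds = cmds[len("NOPASSWD:"):]
        runas = m.group("runas")
        rules.append(SudoRule(
            name=f"rule{len(rules) + 1}",      # constructed cn; pick meaningful names
            users=split_list(m.group("users")),
            hosts=split_list(m.group("hosts")),
            runas=split_list(runas) if runas else [],
            commands=split_list(cmds),
            options=options,
        ))
    return rules


def to_ldif(rules, base_dn=BASE_DN):
    """Emit one sudoRole entry per rule, in the sudo LDAP schema."""
    entries = []
    for r in rules:
        lines = [f"dn: cn={r.name},{base_dn}", "objectClass: top",
                 "objectClass: sudoRole", f"cn: {r.name}"]
        lines += [f"sudoUser: {u}" for u in r.users]
        lines += [f"sudoHost: {h}" for h in r.hosts]
        lines += [f"sudoRunAsUser: {u}" for u in r.runas]
        lines += [f"sudoCommand: {c}" for c in r.commands]
        lines += [f"sudoOption: {o}" for o in r.options]
        entries.append("\n".join(lines))
    return "\n\n".join(entries) + "\n"


def visudo_check(text):
    """Run 'visudo -cf' on the candidate file; None if visudo is absent.

    A config-management push should gate on this so a typo cannot leave
    every host without a working sudo.
    """
    if shutil.which("visudo") is None:
        return None
    with tempfile.NamedTemporaryFile("w", suffix=".sudoers", delete=False) as f:
        f.write(text)
        path = f.name
    try:
        os.chmod(path, 0o440)
        return subprocess.run(["visudo", "-cf", path], capture_output=True).returncode == 0
    finally:
        os.unlink(path)


# Constructed sample policy, not a real one.
SAMPLE = """\
Defaults    env_reset
%wheel      ALL=(ALL) ALL
kenneth     web01,web02=(root) /usr/sbin/service httpd restart
backup      ALL=NOPASSWD: /usr/bin/rsync, /bin/tar
"""

if __name__ == "__main__":
    print(to_ldif(parse_sudoers(SAMPLE)))
    print("visudo check:", visudo_check(SAMPLE))
```

The LDIF output is what you would feed to ldapadd against the sudoers container; the file form is what Puppet would distribute. Either way the policy is identical, which is the point made in the thread: the storage format differs, the rules do not.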