Thanks for all the replies.
We're running Puppet to manage files on our linux servers, so assuming that
Puppet consistently distributes /etc/sudoers (we'll maintain only one copy
of this file) to our linux servers, we in a way will have a centralized
setup of sudoers, much like using LDAP. So to me, the main difference
between the two approaches, as far as I can tell, is simply whether we store
sudo information in /etc/sudoers format or in LDAP/LDIF format. And I must
admit that /etc/sudoers seems like the best choice.
From the responses I've got so far I can't see any major issues with the
/etc/sudoers approach, as long as we can ensure that Puppet will do its job.
Regards,
Kenneth
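Kenneth's point above is that the two approaches differ mainly in storage format. As an added example (not code from this thread, nor from sudo, Puppet or RHDS), the Python below renders the User_Spec lines of a sudoers file as sudoRole entries in LDIF, using the attribute names and the tag-to-sudoOption mapping documented in sudoers.ldap(5); the base DN ou=SUDOers,dc=example,dc=com and the sample sudoers content are constructed for illustration. It also shows where the two formats are not one-to-one: sudoers tags such as NOPASSWD: apply per command, whereas sudoOption applies to a whole role, so one sudoers line can become several roles, and aliases, scoped Defaults and negated user/host entries have no direct LDAP form and are refused rather than silently dropped.

```python
"""Render sudoers User_Spec lines as LDAP sudoRole entries in LDIF.
Added example for this thread, not code from the list, sudo or RHDS; covers
the common sudoers subset (no aliases, includes or scoped Defaults, one RunAs
spec per line) with the attribute names and tag mapping of sudoers.ldap(5)."""
import base64
import re

TAG_TO_OPTION = {  # sudoers command tag -> sudoOption value, per sudoers.ldap(5)
    "NOPASSWD": "!authenticate", "PASSWD": "authenticate",
    "NOEXEC": "noexec", "EXEC": "!noexec", "SETENV": "setenv",
    "NOSETENV": "!setenv", "LOG_INPUT": "log_input", "NOLOG_INPUT": "!log_input",
    "LOG_OUTPUT": "log_output", "NOLOG_OUTPUT": "!log_output",
}
SPEC_RE = re.compile(  # User_List Host_List = [(RunAs_Spec)] Cmnd_Spec_List
    r"^(?P<users>\S+)\s+(?P<hosts>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")


def ldif_value(attr, value):
    """One LDIF attribute line, base64-encoded ('attr::') where RFC 2849 requires it."""
    if (value.isascii() and value and value[0] not in " :<"
            and not any(c in value for c in "\0\r\n")):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode()).decode()}"


def parse_user_spec(line):
    """Split a User_Spec into users, hosts, RunAs and (options, commands) groups.
    Tags (NOPASSWD: ...) apply per command in sudoers but sudoOption applies to a
    whole role, so commands are grouped by tag state, one sudoRole per group."""
    m = SPEC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a User_Spec: {line!r}")
    users, hosts = m["users"].split(","), m["hosts"].split(",")
    if any(x.startswith("!") for x in users + hosts):   # sudoers.ldap(5): unsupported
        raise ValueError(f"negated sudoUser/sudoHost has no LDAP form: {line!r}")
    ru, _, rg = (m["runas"] or "").partition(":")       # "(user)", "(user:group)", "(:group)"
    state, groups = {}, []                              # option -> enabled; [(options, [cmds])]
    for cmd in m["cmds"].split(","):
        cmd = cmd.strip()
        while True:                                     # peel leading TAG: prefixes
            head, sep, rest = cmd.partition(":")
            if not (sep and head.strip() in TAG_TO_OPTION):
                break
            opt = TAG_TO_OPTION[head.strip()]
            state[opt.lstrip("!")] = not opt.startswith("!")
            cmd = rest.strip()
        options = tuple(sorted(k if on else "!" + k for k, on in state.items()))
        if groups and groups[-1][0] == options:
            groups[-1][1].append(cmd)
        else:
            groups.append((options, [cmd]))
    return {"users": users, "hosts": hosts, "runas_user": ru.strip() or None,
            "runas_group": rg.strip() or None, "groups": groups}


def sudoers_to_ldif(text, base_dn="ou=SUDOers,dc=example,dc=com"):
    """Convert global Defaults and User_Spec lines to LDIF under base_dn; roles get
    ascending sudoOrder in file order, preserving sudoers' "last match wins" rule."""
    defaults, specs, seen, out, order = [], [], {}, [], 0
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():   # join \ continuations
        line = line.strip()
        if not line or line.startswith("#"):                   # blank or comment
            continue
        if line.startswith("Defaults"):
            if not line[8:9].isspace():                        # Defaults:user, Defaults@host ...
                raise ValueError(f"scoped Defaults not handled: {line!r}")
            defaults += [o.strip() for o in line[8:].split(",")]
        elif re.match(r"^(User|Host|Cmnd|Runas)_Alias\b", line):
            raise ValueError(f"expand aliases before converting: {line!r}")
        else:
            specs.append(parse_user_spec(line))
    if defaults:                                               # global Defaults -> cn=defaults
        out += [f"dn: cn=defaults,{base_dn}", "objectClass: top", "objectClass: sudoRole",
                "cn: defaults"] + [ldif_value("sudoOption", o) for o in defaults] + [""]
    for s in specs:
        for options, cmds in s["groups"]:
            order += 1
            n = seen[s["users"][0]] = seen.get(s["users"][0], 0) + 1
            cn = s["users"][0] if n == 1 else f"{s['users'][0]}-{n}"   # unique cn per role
            out += [ldif_value("dn", f"cn={cn},{base_dn}"), "objectClass: top",
                    "objectClass: sudoRole", ldif_value("cn", cn)]
            out += [ldif_value("sudoUser", u) for u in s["users"]]
            out += [ldif_value("sudoHost", h) for h in s["hosts"]]
            out += [ldif_value("sudoRunAsUser", s["runas_user"])] if s["runas_user"] else []
            out += [ldif_value("sudoRunAsGroup", s["runas_group"])] if s["runas_group"] else []
            out += [ldif_value("sudoCommand", c) for c in cmds]
            out += [ldif_value("sudoOption", o) for o in options] + [f"sudoOrder: {order}", ""]
    return "\n".join(out)


# Constructed sample input for the demonstration, not a real sudoers file.
SAMPLE_SUDOERS = """\
Defaults    env_reset, requiretty
%wheel      ALL=(ALL) ALL
kenneth     web01,web02=(root) NOPASSWD: /usr/sbin/service httpd restart, \\
            PASSWD: /bin/cat /var/log/httpd/*
alice       ALL=(ALL:ALL) SETENV: ALL
"""

if __name__ == "__main__":
    print(sudoers_to_ldif(SAMPLE_SUDOERS))
```

Running it on the sample prints a cn=defaults entry carrying the two global options and four sudoRole entries: one for %wheel, two for kenneth (the NOPASSWD restart and the password-protected cat land in cn=kenneth and cn=kenneth-2, since one role cannot carry both tag states) and one for alice with both sudoRunAsUser and sudoRunAsGroup. The output is meant to be fed to ldapadd against the directory; before retiring the file on any host, compare `sudo -l` for a few users against what the file granted, because the entries the converter refuses are exactly the ones that need restructuring by hand.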
On Wed, Dec 30, 2009 at 10:38 PM, <patrick.morris(a)hp.com> wrote:
On Tue, 29 Dec 2009, Kenneth Holter wrote:
> We're working on setting up Red Hat Directory Server (RHDS), and need to
> make a decision about whether sudo information should be defined as
> sudo-objects in the directory server, or if we should stick to /etc/sudoers.
> I've played around with sudo-objects in the directory server, and got it
> working. But the way I see it, maintaining sudo information in /etc/sudoers
> is much easier than to maintain it in a directory server. In the latter
> case, I'd either have to use the GUI, or write scripts/ldif files to make
> necessary changes to the sudo setup, and they both seem less intuitive than
> to simply edit the /etc/sudoers file.
>
> I'd very much like to hear from others on their thoughts on whether to
> maintain sudo information in /etc/sudoers or in the directory server, so
> please feel free to post a reply.
I know I'm stating the obvious here, and feel the need to mention that
there's absolutely nothing directly RHDS or 389-related about your
question, but you did ask...
As with anything LDAP-related, you need to decide whether you want
centralization or the status quo. It seems you already know the benefits
to using LDAP (make changes in one place, replicate it everywhere) and
the drawbacks (it's not a simple matter of editing a sudoers file), as
well as the benefits of not using LDAP (flat, easy-to-read text files
and no learning curve or additional tools involved).
Personally, given more than one machine to administer, I'd go LDAP every
time, but I've been bitten too many times by inconsistencies, and I'm
familiar enough with doing it the LDAP way that it's no big deal to me.
I like being able to make one change in one place and know that it's
instantly taking effect on every box I want it to, without question,
every time. To me, consistency is a *huge* part of good security, and
that's easier to accomplish when you're changing one thing in one place,
rather than (in my case) changing one thing in a few thousand places.
That's just my situation, though, and I'm sure yours is different. Given
that you already seem to know the pros and cons, it's really just a
matter of deciding what's important to you, and then making the
appropriate decision.
--
389 users mailing list
389-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users