Thanks for all the replies.
 
We're running Puppet to manage files on our linux servers, so assuming that Puppet consistently distributes /etc/sudoers (we'll maintain only one copy of this file) to our linux servers, we in a way will have a centralized setup of sudoers, much like using an LDAP. So to me, the main difference between the two approaches, as far as I can tell, is simply whether we store sudo information in /etc/sudoers format or in LDAP/LDIF format. And I must admit that /etc/sudoers seems like the best choice.
From the responses I've got so far I can't see any major issues with the /etc/sudoers approach, as long as we can ensure that Puppet will do its job.
 
 
Regards,
Kenneth
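As an added illustration (not part of the thread, and not Kenneth's actual manifest), this is the shape of a Puppet resource that distributes one central /etc/sudoers and has the agent reject a copy that does not parse, which is the "Puppet will do its job" guarantee the approach rests on. The module name `sudo` and the source path are assumptions.

```puppet
# Added example, not from the original thread. Assumes a module named "sudo"
# whose files/sudoers is the single maintained copy of the sudoers file.
class sudo::central {
  file { '/etc/sudoers':
    ensure       => file,
    owner        => 'root',
    group        => 'root',
    # sudo refuses to run if /etc/sudoers is writable by anyone but root
    mode         => '0440',
    source       => 'puppet:///modules/sudo/sudoers',
    # Puppet runs this against the staged file (%) before moving it into
    # place; a syntax error in the central copy therefore fails the resource
    # on this host instead of breaking sudo on every host that receives it.
    validate_cmd => '/usr/sbin/visudo -c -f %',
  }
}
```

Without `validate_cmd`, a single typo in the maintained copy is pushed unchanged to every node at the next agent run, which is the failure mode a directory server does not share.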
 
On Wed, Dec 30, 2009 at 10:38 PM, <patrick.morris@hp.com> wrote:
On Tue, 29 Dec 2009, Kenneth Holter wrote:

> We're working on setting up Red Hat Directory Server (RHDS), and need to make a decision about whether sudo information should be defined as sudo-objects in the directory server, or if we should stick to /etc/sudoers. I've played around with sudo-objects in the directory server, and got it working. But the way I see it, maintaining sudo information in /etc/sudoers is much easier than maintaining it in a directory server. In the latter case, I'd either have to use the GUI, or write scripts/ldif files to make necessary changes to the sudo setup, and they both seem less intuitive than simply editing the /etc/sudoers file.
>
> I'd very much like to hear from others on their thoughts on whether to maintain sudo information in /etc/sudoers or in the directory server, so please feel free to post a reply.

I know I'm stating the obvious here, and feel the need to mention that
there's absolutely nothing directly RHDS or 389-related about your
question, but you did ask...

As with anything LDAP-related, you need to decide whether you want
centralization or the status quo. It seems you already know the benefits
to using LDAP (make changes in one place, replicate it everywhere) and
the drawbacks (it's not a simple matter of editing a sudoers file), as
well as the benefits of not using LDAP (flat, easy-to-read text files
and no learning curve or additional tools involved).

Personally, given more than one machine to administer, I'd go LDAP every
time, but I've been bit too many times by inconsistencies, and I'm
familiar enough with doing it the LDAP way that it's no big deal to me.
I like being able to make one change in one place and know that it's
instantly taking effect on every box I want it to, without question,
every time. To me, consistency is a *huge* part of good security, and
that's easier to accomplish when you're changing one thing in one place,
rather than (in my case) changing one thing in a few thousand places.

That's just my situation, though, and I'm sure yours is different. Given
that you already seem to know the pros and cons, it's really just a
matter of deciding what's important to you, and then making the
appropriate decision.