The one thing I would look at is your /etc/sssd/sssd.conf file. Assuming you are
configured for LDAP, you could exclude the local admin account in the [nss] section
with the "filter_users" setting.
Example:
[nss]
filter_users = root,nagios,local_admin_acct
That should get SSSD to not look up the user in LDAPS and hopefully expedite your login.
Again, assuming you are using SSSD.
Paul M. Whitney, RHCSA, CISSP
Chesapeake IT Consulting, Inc.
2680 Tobacco Rd
Chesapeake Beach, MD 20732
Work: 443-492-2872
Cell: 410.493.9448
Email: paul.whitney@chesapeake-it.com
________________________________
From: Abhisheyk Deb <abhisheykdeb(a)gmail.com>
Sent: Wednesday, July 17, 2019 1:56 PM
To: General discussion list for the 389 Directory server project.
Subject: [389-users] LDAP Groups in sudoers file.
Hi,
We have a ldap group called ldapadmin defined on our LDAP servers running 389 Directory
Server.
On the LDAP Client side, we have the following line added in /etc/sudoers
%ldapadmin ALL=(ALL:ALL) ALL
We are able to log in as an LDAP user which is part of the ldapadmin group and are able to
get sudo privileges for that user by calling sudo before a command.
Now these LDAP Client machines also have a local admin user which has been added to their
local /etc/sudoers file.
If we get our LDAP Servers down and try to do sudo when we are logged in as the local
admin user, we are seeing a delay before sudo command can finish.
When we remove the line %ldapadmin ALL=(ALL:ALL) ALL from /etc/sudoers, the slowdowns do
not happen anymore when we try to do sudo as the local admin user.
That means every time we are trying to do sudo, it is reading the sudoers file and on
parsing the file when it comes across the line %ldapadmin ALL=(ALL:ALL) ALL, it is not
able to find this group since it is not a local group, but a group present on a LDAP
Server which is currently unavailable.
My question is why the sudo command is trying to do a lookup for the ldapadmin group when it is
run by the local admin user? Is there any way to bypass this check, because our
LDAP Clients have the need to have a local admin user. Any help would be appreciated.
Thank you
Abhishek Deb
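The two messages above describe the same situation from both sides: a sudoers file that names a directory group with `%ldapadmin`, and the `filter_users` setting in the `[nss]` section of sssd.conf that Paul suggests for the local admin account. The script below is an added example, not code from either poster or from the 389/SSSD projects. It audits the three files involved: it lists every `%group` in a sudoers file that is not defined in /etc/group (so resolving it has to go through NSS and, with SSSD configured, on to the directory), and it reports whether a given local account appears in `filter_users` and whether any of those non-local groups appear in `filter_groups`. The sudoers, /etc/group and sssd.conf contents are constructed samples embedded inline; the group name `ldapadmin` and the account name `local_admin_acct` are taken from the thread, and the output key names are the script's own.

```python
import configparser
import re
from typing import Dict, List, Set

# Constructed sample files (not from the thread). On a real client the
# inputs would be /etc/sudoers, /etc/group and /etc/sssd/sssd.conf.
SUDOERS = """\
# constructed sample /etc/sudoers
Defaults    env_reset
root        ALL=(ALL:ALL) ALL
local_admin_acct ALL=(ALL:ALL) ALL
%wheel      ALL=(ALL) ALL
%ldapadmin  ALL=(ALL:ALL) ALL
"""

ETC_GROUP = """\
root:x:0:
wheel:x:10:local_admin_acct
local_admin_acct:x:1001:
"""

SSSD_CONF = """\
[sssd]
domains = example
services = nss, pam

[nss]
filter_users = root,nagios,local_admin_acct
filter_groups = root

[domain/example]
id_provider = ldap
"""


def local_groups(group_text: str) -> Set[str]:
    """Group names defined in /etc/group, i.e. resolvable by the 'files' NSS module."""
    names: Set[str] = set()
    for line in group_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        names.add(line.split(":", 1)[0])
    return names


def sudoers_groups(sudoers_text: str) -> List[str]:
    """Unix group names used as %group in sudoers user specifications.

    Only the leading user list of each line is inspected; '%:' (non-Unix
    group) entries and alias definitions are skipped.
    """
    groups: List[str] = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user_list = re.split(r"\s+", line, maxsplit=1)[0]
        for item in user_list.split(","):
            if item.startswith("%") and not item.startswith("%:"):
                groups.append(item[1:])
    return groups


def sssd_filters(conf_text: str) -> Dict[str, Set[str]]:
    """filter_users / filter_groups from the [nss] section of sssd.conf."""
    # Interpolation is disabled so a '%' in any value cannot break parsing.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    out: Dict[str, Set[str]] = {}
    for key in ("filter_users", "filter_groups"):
        raw = cp.get("nss", key, fallback="")
        out[key] = {x.strip() for x in raw.split(",") if x.strip()}
    return out


def audit(sudoers_text: str, group_text: str, conf_text: str, local_user: str) -> Dict:
    """Report which sudoers groups need a non-local lookup and how SSSD filters apply."""
    remote = [g for g in sudoers_groups(sudoers_text) if g not in local_groups(group_text)]
    filters = sssd_filters(conf_text)
    return {
        # each sudo run resolves these groups through NSS, which SSSD serves from the directory
        "non_local_sudoers_groups": remote,
        # True when the local account itself is excluded from SSSD user lookups
        "user_filtered_from_sssd": local_user in filters["filter_users"],
        # non-local sudoers groups that SSSD is told not to fetch at all
        "remote_groups_filtered": sorted(g for g in remote if g in filters["filter_groups"]),
    }


if __name__ == "__main__":
    for key, value in audit(SUDOERS, ETC_GROUP, SSSD_CONF, "local_admin_acct").items():
        print(f"{key}: {value}")
```

Run against the constructed inputs, the report shows `ldapadmin` as the only sudoers group that is not in /etc/group and confirms that `local_admin_acct` is listed in `filter_users`. Pointing the three constants at the real files on a client makes it easy to see, before the directory is unreachable, which sudoers entries still depend on it.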