On Tue, 29 Dec 2009, Kenneth Holter wrote:
> We're working on setting up Red Hat Directory Server (RHDS), and
> need to make a decision about whether sudo information should be defined as sudo-objects in
> the directory server, or if we should stick to /etc/sudoers. I've played around with
> sudo-objects in the directory server, and got it working. But the way I see it,
> maintaining sudo information in /etc/sudoers is much easier than to maintain it in a
> directory server. In the latter case, I'd either have to use the GUI, or write
> scripts/ldif files to make necessary changes to the sudo setup, and they both seem less
> intuitive than to simply edit the /etc/sudoers file.
> I'd very much like to hear from others on their thoughts on whether to maintain sudo
> information in /etc/sudoers or in the directory server, so please feel free to post a
I know I'm stating the obvious here, and feel the need to mention that
there's absolutely nothing directly RHDS or 389-related about your
question, but you did ask...
As with anything LDAP-related, you need to decide whether you want
centralization or the status quo. It seems you already know the benefits
to using LDAP (make changes in one place, replicate it everywhere) and
the drawbacks (it's not a simple matter of editing a sudoers file), as
well as the benefits of not using LDAP (flat, easy-to-read text files
and no learning curve or additional tools involved).
Personally, given more than one machine to administer, I'd go LDAP every
time, but I've been bit too many times by inconsistencies, and I'm
familiar enough with doing it the LDAP way that it's no big deal to me.
I like being able to make one change in one place and know that it's
instantly taking effect on every box I want it to, without question,
every time. To me, consistency is a *huge* part of good security, and
that's easier to accomplish when you're changing one thing in one place,
rather than (in my case) changing one thing a few thousand places.
That's just my situation, though, and I'm sure yours is different. Given
that you already seem to know the pros and cons, it's really just a
matter of deciding what's important to you, and then making the
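As an added illustration of the "scripts/ldif files" route the original question mentions (example code, not from the list thread, RHDS or sudo itself), the script below turns a few sudoers-style rules into LDIF sudoRole entries using the attribute names of sudo's LDAP schema; the base DN, the entry names and the sample rules are constructed assumptions.

```python
import re

# Assumed container for sudo entries (constructed for this example).
SUDOERS_BASE = "ou=SUDOers,dc=example,dc=com"

# One sudoers user specification: "who  hosts = (runas) [NOPASSWD:] commands"
RULE_RE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\))?\s*(.+?)\s*$")


def parse_rule(line):
    """Split a single sudoers rule into the fields a sudoRole entry needs."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported sudoers line: {line!r}")
    user, hosts, runas, cmds = m.groups()
    options = []
    if cmds.startswith("NOPASSWD:"):          # the only tag this example maps
        options.append("!authenticate")       # sudoOption equivalent of NOPASSWD
        cmds = cmds[len("NOPASSWD:"):].strip()
    return {
        "user": user,                         # "%wheel" keeps sudo's group prefix
        "hosts": [h.strip() for h in hosts.split(",")],
        "runas": runas or "root",             # sudoers default when (runas) is omitted
        "commands": [c.strip() for c in cmds.split(",")],
        "options": options,
    }


def to_ldif(name, rule, base=SUDOERS_BASE):
    """Render a parsed rule as an LDIF sudoRole entry (sudo's LDAP schema)."""
    lines = [
        f"dn: cn={name},{base}",
        "objectClass: top",
        "objectClass: sudoRole",
        f"cn: {name}",
        f"sudoUser: {rule['user']}",
    ]
    lines += [f"sudoHost: {h}" for h in rule["hosts"]]
    lines.append(f"sudoRunAsUser: {rule['runas']}")
    lines += [f"sudoCommand: {c}" for c in rule["commands"]]
    lines += [f"sudoOption: {o}" for o in rule["options"]]
    return "\n".join(lines) + "\n"


# Constructed sample rules, in the form they would appear in /etc/sudoers.
SAMPLE_RULES = [
    ("wheel-all", "%wheel ALL=(ALL) ALL"),
    ("backup-ops", "backup db01,db02=(root) NOPASSWD: /usr/bin/rsync, /bin/tar"),
]

if __name__ == "__main__":
    print("\n".join(to_ldif(n, parse_rule(r)) for n, r in SAMPLE_RULES))
```

The resulting LDIF is what you would feed to ldapadd (or review in a change request) instead of editing /etc/sudoers directly, which is the trade-off the thread is weighing.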