[389-users] 389-users Digest, Vol 126, Issue 2, in reply to: "passwordless sudo"

Karel Lang AFD lang at afd.cz
Tue Nov 3 14:04:22 UTC 2015


Hi,
as for the sudo <-> ldap
or for sudo <-> sssd <-> ldap
i think this is good read:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-ldap-sudo.html


cheers!

--
*Karel Lang*
*Unix/Linux Administration*
lang at afd.cz | +420 731 13 40 40
AUFEER DESIGN, s.r.o. | www.aufeerdesign.cz


On 11/03/2015 01:00 PM, 389-users-request at lists.fedoraproject.org wrote:
>
> Today's Topics:
>
>     1. Re: DS crashed /killed by OS (Mark Reynolds)
>     2. Re: Passwordless sudo - is it possible? (Todor Petkov)
>     3. Re: Passwordless sudo - is it possible? (Alan Willis)
>     4. Re: Passwordless sudo - is it possible? (Gordon Messmer)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 2 Nov 2015 09:52:27 -0500
> From: Mark Reynolds <mareynol at redhat.com>
> To: firstyear at redhat.com, "General discussion list for the 389 Directory server project." <389-users at lists.fedoraproject.org>
> Subject: Re: [389-users] DS crashed /killed by OS
> Message-ID: <563778AB.6020603 at redhat.com>
> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>
>
>
> On 11/01/2015 08:50 PM, William Brown wrote:
>> On Thu, 2015-10-22 at 17:48 +0000, Fong, Trevor wrote:
>>> Hi German,
>>>
>>> Thanks for your suggestion.  I’m happy to confirm that setting
>>> userRoot’s nsslapd-cachememsize: 429496730 (1/15th of previous value
>>> of 6 GB) has addressed the memory issue for now, and % Mem for the ns
>>> -slapd process seems to be at a manageable level.
>>>
>>> Thanks very much,
>>> Trev
>>>
>>>
>>>
>> As I understand it, the fragmentation is due to the use of fastbins.
>> see man mallopt M_MXFAST for an explanation.
>>
>> You may be able to reduce fragmentation with the setting nsslapd-malloc
>> -mxfast, but you may see a (potentially severe) degradation in
>> performance. As I understand the value is by default 64 on a 32 bit
>> system, and 128 on a 64bit one, so perhaps try reducing it by half and
>> see if that helps.
>>
>> I'm not sure if this is a supported option either so you may not wish
>> to enable it. You should always try changes like this on a non
>> -production system first.
> Well we have not seen any significant improvement modifying the fast
> bins (M_MXFAST).  So while it can slightly reduce fragmentation,
> unfortunately it's not really a solution.  Now using a different memory
> allocator, like jemalloc, has shown significant improvements in memory
> size/fragmentation.  Check out:
>
> http://www.port389.org/docs/389ds/FAQ/jemalloc-testing.html
>
> The only issue is that jemalloc is not available on all platforms
> yet (especially older versions of RHEL/fedora).
>
> Mark
>>
>> Alternately, you can set the cachemem to autosize with nsslapd-cache
>> -autosize=50 or something like that. This way the cache will use only
>> 50% of the free ram on the system. I believe this value is determined
>> at server start up, rather than being constantly adjusted through the
>> lifetime of the process.
>>
>> Remember, that with the caching, there is some good material in the
>> tuning guide which may help you understand the correct values you
>> should set for your cache sizes based on the number of entries you
>> have.
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/
>> 10/html/Performance_Tuning_Guide/index.html
>>
>> As German said, there is work to reduce the impact of memory
>> fragmentation on process memory size, so these are hopefully temporary
>> solutions.
>>
>>> -
>> Sincerely,
>>
>> William Brown
>> Software Engineer
>> Red Hat, Brisbane
>>
>>
>>
>> --
>> 389 users mailing list
>> 389-users at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 02 Nov 2015 17:02:47 +0200
> From: Todor Petkov <zakk at online.bg>
> To: firstyear at redhat.com, "General discussion list for the 389 Directory server project." <389-users at lists.fedoraproject.org>
> Subject: Re: [389-users] Passwordless sudo - is it possible?
> Message-ID: <8b524973ea5bde440927c4a6997f52da at online.bg>
> Content-Type: text/plain; charset=US-ASCII; format=flowed
>
> On 02/11/2015 10:20 AM, Todor Petkov wrote:
>
>>
>> Hello,
>>
>> my bad, I meant that I have added the line in sudoers, but it was not
>> working.
>>
>> However, I have added the user as "uniquemember" of the group, not
>> just "gidNumber" and it's OK now.
>>
>> Thanks.
>
>
> Hi,
>
> small update:
>
> when the group is with NOPASSWD:ALL, it's not working.
> If the user has specific record, it's OK.
>
> I can change the sudoers record with pssh, but if someone can give a
> hint how to make the group record working, I will appreciate it.
>
> Regards,
>
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 2 Nov 2015 07:54:33 -0800
> From: Alan Willis <alwillis at riotgames.com>
> To: "General discussion list for the 389 Directory server project."
> 	<389-users at lists.fedoraproject.org>
> Cc: firstyear at redhat.com
> Subject: Re: [389-users] Passwordless sudo - is it possible?
> Message-ID:
> 	<CAAw=1wPi5f98WQbWb5sx0VV4QypycqcAX-zZ_gckDxmoc=szRA at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> To get NOPASSWD behavior when using ldap to distribute your sudo records,
> you need to add a sudo options attribute to the sudo rule in ldap to negate
> the default authentication requirement.
>
> From http://www.sudo.ws/man/1.8.13/sudoers.man.html
>
> authenticate:
>
> If set, users must authenticate themselves via a password (or other means
> of authentication) before they may run commands. This default may be
> overridden via the PASSWD and NOPASSWD tags. This flag is on by default.
>
> To negate it, place a '!' in front of it as the value to a sudo options
> attribute in ldap.
>
> On Mon, Nov 2, 2015 at 7:02 AM, Todor Petkov <zakk at online.bg> wrote:
>
>> On 02/11/2015 10:20 AM, Todor Petkov wrote:
>>
>>
>>> Hello,
>>>
>>> my bad, I meant that I have added the line in sudoers, but it was not
>>> working.
>>>
>>> However, I have added the user as "uniquemember" of the group, not
>>> just "gidNumber" and it's OK now.
>>>
>>> Thanks.
>>>
>>
>>
>> Hi,
>>
>> small update:
>>
>> when the group is with NOPASSWD:ALL, it's not working.
>> If the user has specific record, it's OK.
>>
>> I can change the sudoers record with pssh, but if someone can give a hint
>> how to make the group record working, I will appreciate it.
>>
>> Regards,
>>
>>
>> --
>> 389 users mailing list
>> 389-users at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>
>
>
>

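The quoted thread turns on two points: a sudoRole in LDAP that grants a group `ALL` still prompts for a password unless the rule also carries `sudoOption: !authenticate` (the LDAP counterpart of the sudoers `NOPASSWD:` tag), and the rule only applies to a user if the `sudoUser`/`sudoHost`/`sudoCommand` values actually match. The following is an added example, not code from this thread, from sudo, or from the 389 Directory Server project: a simplified Python model of sudo's LDAP rule matching, run over a constructed LDIF. The DNs, group names, host names and the `ou=SUDOers` container are assumptions; netgroups, `sudoOrder`, command arguments and wildcard matching are deliberately left out.

```python
"""Simplified model of sudo's LDAP (sudoRole) rule evaluation.

Added example, not sudo's or 389-ds's own code. It shows why a group rule
with only sudoCommand: ALL still asks for a password, and why adding
sudoOption: !authenticate (LDAP equivalent of the NOPASSWD: tag) stops that.
Simplifications (assumptions): no netgroups, no sudoOrder, no wildcards,
no command arguments; options apply in the order the entries are listed.
"""
import re

# Constructed LDIF for the example; DNs, groups and hosts are made up.
SAMPLE_LDIF = """\
dn: cn=wheel-needs-password,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: wheel-needs-password
sudoUser: %wheel
sudoHost: ALL
sudoCommand: ALL

dn: cn=ops-nopasswd,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: ops-nopasswd
sudoUser: %ops
sudoHost: ALL
sudoCommand: ALL
sudoOption: !authenticate

dn: cn=todor-direct,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: todor-direct
sudoUser: todor
sudoHost: web01.example.com
sudoCommand: /usr/bin/systemctl
sudoOption: !authenticate
"""


def parse_ldif(text):
    """Parse minimal LDIF (no base64 values, no line folding) into a list of
    dicts mapping attribute name -> list of values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries


def user_matches(rule, user, groups):
    """sudoUser: ALL, a login name, or %group (netgroups not modelled)."""
    for spec in rule.get("sudoUser", []):
        if spec == "ALL" or spec == user:
            return True
        if spec.startswith("%") and spec[1:] in groups:
            return True
    return False


def host_matches(rule, host):
    return any(h == "ALL" or h == host for h in rule.get("sudoHost", []))


def command_matches(rule, command):
    return any(c == "ALL" or c == command for c in rule.get("sudoCommand", []))


def matching_rules(entries, user, groups, host, command):
    return [e for e in entries
            if "sudoRole" in e.get("objectClass", [])
            and user_matches(e, user, groups)
            and host_matches(e, host)
            and command_matches(e, command)]


def evaluate(entries, user, groups, host, command):
    """Return (allowed, needs_password).

    'authenticate' defaults to on; a matching rule with sudoOption:
    !authenticate switches it off, a later 'authenticate' switches it back.
    (False, None) means no rule grants the command at all.
    """
    rules = matching_rules(entries, user, groups, host, command)
    if not rules:
        return (False, None)
    authenticate = True
    for rule in rules:
        for opt in rule.get("sudoOption", []):
            if opt == "!authenticate":
                authenticate = False
            elif opt == "authenticate":
                authenticate = True
    return (True, authenticate)


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    cases = [("alice", {"wheel"}, "web01.example.com", "/bin/ls"),
             ("bob", {"ops"}, "db01.example.com", "/bin/ls"),
             ("todor", {"users"}, "web01.example.com", "/usr/bin/systemctl"),
             ("todor", {"users"}, "db01.example.com", "/usr/bin/systemctl")]
    for user, groups, host, cmd in cases:
        allowed, needs_pw = evaluate(entries, user, groups, host, cmd)
        print(f"{user}@{host} {cmd}: allowed={allowed} password={needs_pw}")
```

The first rule is the situation from the thread: `%wheel` gets `ALL`, but with no `sudoOption` the default `authenticate` flag stays on and sudo prompts. The second rule is the same grant with `sudoOption: !authenticate` added, which is what a sudoers line ending in `NOPASSWD: ALL` becomes when moved into LDAP. When auditing a directory for password-less escalation, searching `ou=SUDOers` for `(sudoOption=!authenticate)` lists exactly the rules this model treats as not requiring a password.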
