
Migrate sudo-ldap to plain sudo or libsss-sudo #466

@iBug


According to the notes for <trixie/sudo-ldap> and the information visible in apt-listchanges:

sudo (1.9.15p2-1) unstable; urgency=medium

  sudo-ldap has become a burden to maintain. This is mainly due to the fact
  that the sudo team has neither the manpower nor the know-how to maintain
  sudo-ldap adequately.

  In practice, there are few installations that use sudo-ldap. Most
  installations that use LDAP as a directory service and sudo have now opted
  for sssd, sssd-ldap and libsss-sudo.

  The Debian sudo team recommends the use of libsss-sudo for new
  installations and the migration of existing installations from sudo-ldap
   to libsss-sudo and sssd.

  The combination of sudo and sssd is automatically tested in autopkgtest
  of sudo.

  This is also being discussed in #1033728 in the Debian BTS.

  Debian 13, "trixie", will be the last version of Debian that supports
  sudo-ldap. Please use the bookworm and trixie release cycles to migrate
  your installation away from sudo-ldap.

  Please make sure that you do not upgrade from Debian 13 to Debian 14
  while you're still using sudo-ldap. This is not going to work and
  will probably leave you without intended privilege escalation.

 -- Marc Haber <[email protected]>  Mon, 20 Nov 2023 10:07:57 +0100

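Starting with Debian 14 (2027), sudo-ldap will be gone. Migration options under consideration:

  • Plain sudo: we really don't use any of the advanced sudo-ldap features; we only manage sudoers centrally, so these sudo rules could just as well be written into the sudoers file on each system.
  • libsss-sudo: never used it, but the documentation has configuration instructions for CentOS; it's just unclear whether, after all these years, anyone can still get it configured.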
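
For the plain-sudo option above, an added example (not part of the original issue and not the project's own code) that turns exported sudoRole entries into sudoers lines. The LDIF sample, its DNs and the function names are constructed for illustration; the sketch goes beyond the issue text by preserving sudoOrder and negated-command precedence, and it rejects anything it does not map so those roles get reviewed by hand.

```python
from collections import defaultdict

# Constructed sample: two sudoRole entries as an LDAP export might contain them.
SAMPLE_LDIF = """\
dn: cn=ops-restart,ou=SUDOers,dc=example,dc=org
sudoUser: %ops
sudoHost: ALL
sudoCommand: !/usr/bin/systemctl poweroff
sudoCommand: /usr/bin/systemctl
sudoOption: !authenticate
sudoOrder: 20

dn: cn=admins,ou=SUDOers,dc=example,dc=org
sudoUser: alice
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOrder: 10
"""

def parse_ldif(text):
    """Split plain (unfolded, non-base64) LDIF into attribute -> [values] dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                key, value = line.split(": ", 1)
                entry[key.lower()].append(value.strip())
        entries.append(entry)
    return entries

def to_sudoers(entries):
    """One sudoers rule per role, lowest sudoOrder first so the highest matches last."""
    roles = [e for e in entries if e["sudouser"]]  # cn=defaults has no sudoUser
    roles.sort(key=lambda e: float(e["sudoorder"][0]) if e["sudoorder"] else 0.0)
    lines = []
    for e in roles:
        extra = set(e["sudooption"]) - {"authenticate", "!authenticate"}
        if extra or e["sudorunasgroup"] or e["sudonotbefore"] or e["sudonotafter"]:
            raise ValueError(f"{e['dn'][0]}: not mapped here, convert by hand")
        # LDAP lets a negated command win; sudoers is last-match, so negations go last.
        cmds = sorted(e["sudocommand"], key=lambda c: c.startswith("!"))
        runas = ",".join(e["sudorunasuser"]) or "root"
        tag = "NOPASSWD: " if "!authenticate" in e["sudooption"] else ""
        lines.append(f"{','.join(e['sudouser'])} {','.join(e['sudohost'])} = ({runas}) {tag}{', '.join(cmds)}")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(to_sudoers(parse_ldif(SAMPLE_LDIF)), end="")
```

Check the generated file with `visudo -cf <file>` before installing it under /etc/sudoers.d. sudo also ships `cvtsudoers`, which accepts LDIF input and can convert a full rule set.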
