UNIX for Advanced & Expert Users

The company I work for is trying to implement Sudoers.LDAP to centralize their sudoers infrastructure so the access management team and compliance teams don't have to run ragged over all of our servers. The AD team decided it would be better to set up a separate LDAP server rather than put a new schema in our main AD domain, so we got an OpenLDAP server set up and ready to go for the project. Now, however, I'm being told by the Unix guys that it's not possible to have the user authentication pointing to one domain and the Sudoers authorization pointing to another domain and that we have to go back and have the schema put into the main domain.

Could one of you guys clarify on whether it is possible to point to one domain for authentication (user logins to the server) and a second for authorization (sudoers access)?

So, answered my own question here. How this works is this: most guides I've seen on the topic will have you edit the ldap.conf file, which appears to control the Unix server's ability to authenticate users from an LDAP domain. The sudo package, when ldap enabled, will read the sudo-ldap.conf file for where to fetch sudoers records from. Most guides will have you symbolically link ldap.conf to this file (which is great in environments where your sudoers records are on the same domain as your user records -- which they don't have to be), but if you create sudo-ldap.conf by itself and put the uri and sudoers_base records into it, the sudo package will automatically read from a second LDAP server without causing any headache or conflict with other LDAP sources.

Overall, a pretty simple way to centralize the sudoers files for all of your Unix servers.