914 lines
38 KiB
Groff
914 lines
38 KiB
Groff
.\" Copyright (c) 2003-2011
|
|
.\" Todd C. Miller <Todd.Miller@courtesan.com>
|
|
.\"
|
|
.\" Permission to use, copy, modify, and distribute this software for any
|
|
.\" purpose with or without fee is hereby granted, provided that the above
|
|
.\" copyright notice and this permission notice appear in all copies.
|
|
.\"
|
|
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
.\"
|
|
.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14)
|
|
.\"
|
|
.\" Standard preamble:
|
|
.\" ========================================================================
|
|
.de Sp \" Vertical space (when we can't use .PP)
|
|
.if t .sp .5v
|
|
.if n .sp
|
|
..
|
|
.de Vb \" Begin verbatim text
|
|
.ft CW
|
|
.nf
|
|
.ne \\$1
|
|
..
|
|
.de Ve \" End verbatim text
|
|
.ft R
|
|
.fi
|
|
..
|
|
.\" Set up some character translations and predefined strings. \*(-- will
|
|
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
|
|
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
|
|
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
|
|
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
|
|
.\" nothing in troff, for use with C<>.
|
|
.tr \(*W-
|
|
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
|
|
.ie n \{\
|
|
. ds -- \(*W-
|
|
. ds PI pi
|
|
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
|
|
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
|
|
. ds L" ""
|
|
. ds R" ""
|
|
. ds C`
|
|
. ds C'
|
|
'br\}
|
|
.el\{\
|
|
. ds -- \|\(em\|
|
|
. ds PI \(*p
|
|
. ds L" ``
|
|
. ds R" ''
|
|
'br\}
|
|
.\"
|
|
.\" Escape single quotes in literal strings from groff's Unicode transform.
|
|
.ie \n(.g .ds Aq \(aq
|
|
.el .ds Aq '
|
|
.\"
|
|
.\" If the F register is turned on, we'll generate index entries on stderr for
|
|
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
|
|
.\" entries marked with X<> in POD. Of course, you'll have to process the
|
|
.\" output yourself in some meaningful fashion.
|
|
.ie \nF \{\
|
|
. de IX
|
|
. tm Index:\\$1\t\\n%\t"\\$2"
|
|
..
|
|
. nr % 0
|
|
. rr F
|
|
.\}
|
|
.el \{\
|
|
. de IX
|
|
..
|
|
.\}
|
|
.\"
|
|
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
|
|
.\" Fear. Run. Save yourself. No user-serviceable parts.
|
|
. \" fudge factors for nroff and troff
|
|
.if n \{\
|
|
. ds #H 0
|
|
. ds #V .8m
|
|
. ds #F .3m
|
|
. ds #[ \f1
|
|
. ds #] \fP
|
|
.\}
|
|
.if t \{\
|
|
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
|
|
. ds #V .6m
|
|
. ds #F 0
|
|
. ds #[ \&
|
|
. ds #] \&
|
|
.\}
|
|
. \" simple accents for nroff and troff
|
|
.if n \{\
|
|
. ds ' \&
|
|
. ds ` \&
|
|
. ds ^ \&
|
|
. ds , \&
|
|
. ds ~ ~
|
|
. ds /
|
|
.\}
|
|
.if t \{\
|
|
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
|
|
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
|
|
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
|
|
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
|
|
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
|
|
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
|
|
.\}
|
|
. \" troff and (daisy-wheel) nroff accents
|
|
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
|
|
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
|
|
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
|
|
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
|
|
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
|
|
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
|
|
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
|
|
.ds ae a\h'-(\w'a'u*4/10)'e
|
|
.ds Ae A\h'-(\w'A'u*4/10)'E
|
|
. \" corrections for vroff
|
|
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
|
|
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
|
|
. \" for low resolution devices (crt and lpr)
|
|
.if \n(.H>23 .if \n(.V>19 \
|
|
\{\
|
|
. ds : e
|
|
. ds 8 ss
|
|
. ds o a
|
|
. ds d- d\h'-1'\(ga
|
|
. ds D- D\h'-1'\(hy
|
|
. ds th \o'bp'
|
|
. ds Th \o'LP'
|
|
. ds ae ae
|
|
. ds Ae AE
|
|
.\}
|
|
.rm #[ #] #H #V #F C
|
|
.\" ========================================================================
|
|
.\"
|
|
.IX Title "SUDOERS.LDAP @mansectform@"
|
|
.TH SUDOERS.LDAP @mansectform@ "February 21, 2011" "1.8.0rc1" "MAINTENANCE COMMANDS"
|
|
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
|
|
.\" way too many mistakes in technical documents.
|
|
.if n .ad l
|
|
.nh
|
|
.SH "NAME"
|
|
sudoers.ldap \- sudo LDAP configuration
|
|
.SH "DESCRIPTION"
|
|
.IX Header "DESCRIPTION"
|
|
In addition to the standard \fIsudoers\fR file, \fBsudo\fR may be configured
|
|
via \s-1LDAP\s0. This can be especially useful for synchronizing \fIsudoers\fR
|
|
in a large, distributed environment.
|
|
.PP
|
|
Using \s-1LDAP\s0 for \fIsudoers\fR has several benefits:
|
|
.IP "\(bu" 4
|
|
\&\fBsudo\fR no longer needs to read \fIsudoers\fR in its entirety. When
|
|
\&\s-1LDAP\s0 is used, there are only two or three \s-1LDAP\s0 queries per invocation.
|
|
This makes it especially fast and particularly usable in \s-1LDAP\s0
|
|
environments.
|
|
.IP "\(bu" 4
|
|
\&\fBsudo\fR no longer exits if there is a typo in \fIsudoers\fR.
|
|
It is not possible to load \s-1LDAP\s0 data into the server that does
|
|
not conform to the sudoers schema, so proper syntax is guaranteed.
|
|
It is still possible to have typos in a user or host name, but
|
|
this will not prevent \fBsudo\fR from running.
|
|
.IP "\(bu" 4
|
|
It is possible to specify per-entry options that override the global
|
|
default options. \fI@sysconfdir@/sudoers\fR only supports default options and
|
|
limited options associated with user/host/commands/aliases. The
|
|
syntax is complicated and can be difficult for users to understand.
|
|
Placing the options directly in the entry is more natural.
|
|
.IP "\(bu" 4
|
|
The \fBvisudo\fR program is no longer needed. \fBvisudo\fR provides
|
|
locking and syntax checking of the \fI@sysconfdir@/sudoers\fR file.
|
|
Since \s-1LDAP\s0 updates are atomic, locking is no longer necessary.
|
|
Because syntax is checked when the data is inserted into \s-1LDAP\s0, there
|
|
is no need for a specialized tool to check syntax.
|
|
.PP
|
|
Another major difference between \s-1LDAP\s0 and file-based \fIsudoers\fR
|
|
is that in \s-1LDAP\s0, \fBsudo\fR\-specific Aliases are not supported.
|
|
.PP
|
|
For the most part, there is really no need for \fBsudo\fR\-specific
|
|
Aliases. Unix groups or user netgroups can be used in place of
|
|
User_Aliases and Runas_Aliases. Host netgroups can be used in place
|
|
of Host_Aliases. Since Unix groups and netgroups can also be stored
|
|
in \s-1LDAP\s0 there is no real need for \fBsudo\fR\-specific aliases.
|
|
.PP
|
|
Cmnd_Aliases are not really required either since it is possible
|
|
to have multiple users listed in a \f(CW\*(C`sudoRole\*(C'\fR. Instead of defining
|
|
a Cmnd_Alias that is referenced by multiple users, one can create
|
|
a \f(CW\*(C`sudoRole\*(C'\fR that contains the commands and assign multiple users
|
|
to it.
|
|
.SS "SUDOers \s-1LDAP\s0 container"
|
|
.IX Subsection "SUDOers LDAP container"
|
|
The \fIsudoers\fR configuration is contained in the \f(CW\*(C`ou=SUDOers\*(C'\fR \s-1LDAP\s0
|
|
container.
|
|
.PP
|
|
Sudo first looks for the \f(CW\*(C`cn=default\*(C'\fR entry in the SUDOers container.
|
|
If found, the multi-valued \f(CW\*(C`sudoOption\*(C'\fR attribute is parsed in the
|
|
same manner as a global \f(CW\*(C`Defaults\*(C'\fR line in \fI@sysconfdir@/sudoers\fR. In
|
|
the following example, the \f(CW\*(C`SSH_AUTH_SOCK\*(C'\fR variable will be preserved
|
|
in the environment for all users.
|
|
.PP
|
|
.Vb 6
|
|
\& dn: cn=defaults,ou=SUDOers,dc=example,dc=com
|
|
\& objectClass: top
|
|
\& objectClass: sudoRole
|
|
\& cn: defaults
|
|
\& description: Default sudoOption\*(Aqs go here
|
|
\& sudoOption: env_keep+=SSH_AUTH_SOCK
|
|
.Ve
|
|
.PP
|
|
The equivalent of a sudoer in \s-1LDAP\s0 is a \f(CW\*(C`sudoRole\*(C'\fR. It consists of
|
|
the following attributes:
|
|
.IP "\fBsudoUser\fR" 4
|
|
.IX Item "sudoUser"
|
|
A user name, uid (prefixed with \f(CW\*(Aq#\*(Aq\fR), Unix group (prefixed with
|
|
a \f(CW\*(Aq%\*(Aq\fR) or user netgroup (prefixed with a \f(CW\*(Aq+\*(Aq\fR).
|
|
.IP "\fBsudoHost\fR" 4
|
|
.IX Item "sudoHost"
|
|
A host name, \s-1IP\s0 address, \s-1IP\s0 network, or host netgroup (prefixed
|
|
with a \f(CW\*(Aq+\*(Aq\fR).
|
|
The special value \f(CW\*(C`ALL\*(C'\fR will match any host.
|
|
.IP "\fBsudoCommand\fR" 4
|
|
.IX Item "sudoCommand"
|
|
A Unix command with optional command line arguments, potentially
|
|
including globbing characters (aka wild cards).
|
|
The special value \f(CW\*(C`ALL\*(C'\fR will match any command.
|
|
If a command is prefixed with an exclamation point \f(CW\*(Aq!\*(Aq\fR, the
|
|
user will be prohibited from running that command.
|
|
.IP "\fBsudoOption\fR" 4
|
|
.IX Item "sudoOption"
|
|
Identical in function to the global options described above, but
|
|
specific to the \f(CW\*(C`sudoRole\*(C'\fR in which it resides.
|
|
.IP "\fBsudoRunAsUser\fR" 4
|
|
.IX Item "sudoRunAsUser"
|
|
A user name or uid (prefixed with \f(CW\*(Aq#\*(Aq\fR) that commands may be run
|
|
as or a Unix group (prefixed with a \f(CW\*(Aq%\*(Aq\fR) or user netgroup (prefixed
|
|
with a \f(CW\*(Aq+\*(Aq\fR) that contains a list of users that commands may be
|
|
run as.
|
|
The special value \f(CW\*(C`ALL\*(C'\fR will match any user.
|
|
.Sp
|
|
The \f(CW\*(C`sudoRunAsUser\*(C'\fR attribute is only available in \fBsudo\fR versions
|
|
1.7.0 and higher. Older versions of \fBsudo\fR use the \f(CW\*(C`sudoRunAs\*(C'\fR
|
|
attribute instead.
|
|
.IP "\fBsudoRunAsGroup\fR" 4
|
|
.IX Item "sudoRunAsGroup"
|
|
A Unix group or gid (prefixed with \f(CW\*(Aq#\*(Aq\fR) that commands may be run as.
|
|
The special value \f(CW\*(C`ALL\*(C'\fR will match any group.
|
|
.Sp
|
|
The \f(CW\*(C`sudoRunAsGroup\*(C'\fR attribute is only available in \fBsudo\fR versions
|
|
1.7.0 and higher.
|
|
.IP "\fBsudoNotBefore\fR" 4
|
|
.IX Item "sudoNotBefore"
|
|
A timestamp in the form \f(CW\*(C`yyyymmddHHMMZ\*(C'\fR that can be used to provide
|
|
a start date/time for when the \f(CW\*(C`sudoRole\*(C'\fR will be valid. If
|
|
multiple \f(CW\*(C`sudoNotBefore\*(C'\fR entries are present, the earliest is used.
|
|
Note that timestamps must be in Coordinated Universal Time (\s-1UTC\s0),
|
|
not the local timezone.
|
|
.Sp
|
|
The \f(CW\*(C`sudoNotBefore\*(C'\fR attribute is only available in \fBsudo\fR versions
|
|
1.7.5 and higher and must be explicitly enabled via the \fB\s-1SUDOERS_TIMED\s0\fR
|
|
option in \fI@ldap_conf@\fR.
|
|
.IP "\fBsudoNotAfter\fR" 4
|
|
.IX Item "sudoNotAfter"
|
|
A timestamp in the form \f(CW\*(C`yyyymmddHHMMZ\*(C'\fR that indicates an expiration
|
|
date/time, after which the \f(CW\*(C`sudoRole\*(C'\fR will no longer be valid. If
|
|
multiple \f(CW\*(C`sudoNotBefore\*(C'\fR entries are present, the last one is used.
|
|
Note that timestamps must be in Coordinated Universal Time (\s-1UTC\s0),
|
|
not the local timezone.
|
|
.Sp
|
|
The \f(CW\*(C`sudoNotAfter\*(C'\fR attribute is only available in \fBsudo\fR versions
|
|
1.7.5 and higher and must be explicitly enabled via the \fB\s-1SUDOERS_TIMED\s0\fR
|
|
option in \fI@ldap_conf@\fR.
|
|
.IP "\fBsudoOrder\fR" 4
|
|
.IX Item "sudoOrder"
|
|
The \f(CW\*(C`sudoRole\*(C'\fR entries retrieved from the \s-1LDAP\s0 directory have no
|
|
inherent order. The \f(CW\*(C`sudoOrder\*(C'\fR attribute is an integer (or
|
|
floating point value for \s-1LDAP\s0 servers that support it) that is used
|
|
to sort the matching entries. This allows LDAP-based sudoers entries
|
|
to more closely mimic the behaviour of the sudoers file, where the
|
|
of the entries influences the result. If multiple entries match,
|
|
the entry with the highest \f(CW\*(C`sudoOrder\*(C'\fR attribute is chosen. This
|
|
corresponds to the \*(L"last match\*(R" behavior of the sudoers file. If
|
|
the \f(CW\*(C`sudoOrder\*(C'\fR attribute is not present, a value of 0 is assumed.
|
|
.Sp
|
|
The \f(CW\*(C`sudoOrder\*(C'\fR attribute is only available in \fBsudo\fR versions
|
|
1.7.5 and higher.
|
|
.PP
|
|
Each attribute listed above should contain a single value, but there
|
|
may be multiple instances of each attribute type. A \f(CW\*(C`sudoRole\*(C'\fR must
|
|
contain at least one \f(CW\*(C`sudoUser\*(C'\fR, \f(CW\*(C`sudoHost\*(C'\fR and \f(CW\*(C`sudoCommand\*(C'\fR.
|
|
.PP
|
|
The following example allows users in group wheel to run any command
|
|
on any host via \fBsudo\fR:
|
|
.PP
|
|
.Vb 7
|
|
\& dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
|
|
\& objectClass: top
|
|
\& objectClass: sudoRole
|
|
\& cn: %wheel
|
|
\& sudoUser: %wheel
|
|
\& sudoHost: ALL
|
|
\& sudoCommand: ALL
|
|
.Ve
|
|
.SS "Anatomy of \s-1LDAP\s0 sudoers lookup"
|
|
.IX Subsection "Anatomy of LDAP sudoers lookup"
|
|
When looking up a sudoer using \s-1LDAP\s0 there are only two or three
|
|
\&\s-1LDAP\s0 queries per invocation. The first query is to parse the global
|
|
options. The second is to match against the user's name and the
|
|
groups that the user belongs to. (The special \s-1ALL\s0 tag is matched
|
|
in this query too.) If no match is returned for the user's name
|
|
and groups, a third query returns all entries containing user
|
|
netgroups and checks to see if the user belongs to any of them.
|
|
.PP
|
|
If timed entries are enabled with the \fB\s-1SUDOERS_TIMED\s0\fR configuration
|
|
directive, the \s-1LDAP\s0 queries include a subfilter that limits retrieval
|
|
to entries that satisfy the time constraints, if any.
|
|
.SS "Differences between \s-1LDAP\s0 and non-LDAP sudoers"
|
|
.IX Subsection "Differences between LDAP and non-LDAP sudoers"
|
|
There are some subtle differences in the way sudoers is handled
|
|
once in \s-1LDAP\s0. Probably the biggest is that according to the \s-1RFC\s0,
|
|
\&\s-1LDAP\s0 ordering is arbitrary and you cannot expect that Attributes
|
|
and Entries are returned in any specific order.
|
|
.PP
|
|
The order in which different entries are applied can be controlled
|
|
using the \f(CW\*(C`sudoOrder\*(C'\fR attribute, but there is no way to guarantee
|
|
the order of attributes within a specific entry. If there are
|
|
conflicting command rules in an entry, the negative takes precedence.
|
|
This is called paranoid behavior (not necessarily the most specific
|
|
match).
|
|
.PP
|
|
Here is an example:
|
|
.PP
|
|
.Vb 5
|
|
\& # /etc/sudoers:
|
|
\& # Allow all commands except shell
|
|
\& johnny ALL=(root) ALL,!/bin/sh
|
|
\& # Always allows all commands because ALL is matched last
|
|
\& puddles ALL=(root) !/bin/sh,ALL
|
|
\&
|
|
\& # LDAP equivalent of johnny
|
|
\& # Allows all commands except shell
|
|
\& dn: cn=role1,ou=Sudoers,dc=my\-domain,dc=com
|
|
\& objectClass: sudoRole
|
|
\& objectClass: top
|
|
\& cn: role1
|
|
\& sudoUser: johnny
|
|
\& sudoHost: ALL
|
|
\& sudoCommand: ALL
|
|
\& sudoCommand: !/bin/sh
|
|
\&
|
|
\& # LDAP equivalent of puddles
|
|
\& # Notice that even though ALL comes last, it still behaves like
|
|
\& # role1 since the LDAP code assumes the more paranoid configuration
|
|
\& dn: cn=role2,ou=Sudoers,dc=my\-domain,dc=com
|
|
\& objectClass: sudoRole
|
|
\& objectClass: top
|
|
\& cn: role2
|
|
\& sudoUser: puddles
|
|
\& sudoHost: ALL
|
|
\& sudoCommand: !/bin/sh
|
|
\& sudoCommand: ALL
|
|
.Ve
|
|
.PP
|
|
Another difference is that negations on the Host, User or Runas are
|
|
currently ignored. For example, the following attributes do not
|
|
behave the way one might expect.
|
|
.PP
|
|
.Vb 3
|
|
\& # does not match all but joe
|
|
\& # rather, does not match anyone
|
|
\& sudoUser: !joe
|
|
\&
|
|
\& # does not match all but joe
|
|
\& # rather, matches everyone including Joe
|
|
\& sudoUser: ALL
|
|
\& sudoUser: !joe
|
|
\&
|
|
\& # does not match all but web01
|
|
\& # rather, matches all hosts including web01
|
|
\& sudoHost: ALL
|
|
\& sudoHost: !web01
|
|
.Ve
|
|
.SS "Sudoers Schema"
|
|
.IX Subsection "Sudoers Schema"
|
|
In order to use \fBsudo\fR's \s-1LDAP\s0 support, the \fBsudo\fR schema must be
|
|
installed on your \s-1LDAP\s0 server. In addition, be sure to index the
|
|
\&'sudoUser' attribute.
|
|
.PP
|
|
Three versions of the schema: one for OpenLDAP servers (\fIschema.OpenLDAP\fR),
|
|
one for Netscape-derived servers (\fIschema.iPlanet\fR), and one for
|
|
Microsoft Active Directory (\fIschema.ActiveDirectory\fR) may
|
|
be found in the \fBsudo\fR distribution.
|
|
.PP
|
|
The schema for \fBsudo\fR in OpenLDAP form is included in the \s-1EXAMPLES\s0
|
|
section.
|
|
.SS "Configuring ldap.conf"
|
|
.IX Subsection "Configuring ldap.conf"
|
|
Sudo reads the \fI@ldap_conf@\fR file for LDAP-specific configuration.
|
|
Typically, this file is shared amongst different LDAP-aware clients.
|
|
As such, most of the settings are not \fBsudo\fR\-specific. Note that
|
|
\&\fBsudo\fR parses \fI@ldap_conf@\fR itself and may support options
|
|
that differ from those described in the \fIldap.conf\fR\|(@mansectform@) manual.
|
|
.PP
|
|
Also note that on systems using the OpenLDAP libraries, default
|
|
values specified in \fI/etc/openldap/ldap.conf\fR or the user's
|
|
\&\fI.ldaprc\fR files are not used.
|
|
.PP
|
|
Only those options explicitly listed in \fI@ldap_conf@\fR as being
|
|
supported by \fBsudo\fR are honored. Configuration options are listed
|
|
below in upper case but are parsed in a case-independent manner.
|
|
.IP "\fB\s-1URI\s0\fR ldap[s]://[hostname[:port]] ..." 4
|
|
.IX Item "URI ldap[s]://[hostname[:port]] ..."
|
|
Specifies a whitespace-delimited list of one or more URIs describing
|
|
the \s-1LDAP\s0 server(s) to connect to. The \fIprotocol\fR may be either
|
|
\&\fBldap\fR or \fBldaps\fR, the latter being for servers that support \s-1TLS\s0
|
|
(\s-1SSL\s0) encryption. If no \fIport\fR is specified, the default is port
|
|
389 for \f(CW\*(C`ldap://\*(C'\fR or port 636 for \f(CW\*(C`ldaps://\*(C'\fR. If no \fIhostname\fR
|
|
is specified, \fBsudo\fR will connect to \fBlocalhost\fR. Multiple \fB\s-1URI\s0\fR
|
|
lines are treated identically to a \fB\s-1URI\s0\fR line containing multiple
|
|
entries. Only systems using the OpenSSL libraries support the
|
|
mixing of \f(CW\*(C`ldap://\*(C'\fR and \f(CW\*(C`ldaps://\*(C'\fR URIs. The Netscape-derived
|
|
libraries used on most commercial versions of Unix are only capable
|
|
of supporting one or the other.
|
|
.IP "\fB\s-1HOST\s0\fR name[:port] ..." 4
|
|
.IX Item "HOST name[:port] ..."
|
|
If no \fB\s-1URI\s0\fR is specified, the \fB\s-1HOST\s0\fR parameter specifies a
|
|
whitespace-delimited list of \s-1LDAP\s0 servers to connect to. Each host
|
|
may include an optional \fIport\fR separated by a colon (':'). The
|
|
\&\fB\s-1HOST\s0\fR parameter is deprecated in favor of the \fB\s-1URI\s0\fR specification
|
|
and is included for backwards compatibility.
|
|
.IP "\fB\s-1PORT\s0\fR port_number" 4
|
|
.IX Item "PORT port_number"
|
|
If no \fB\s-1URI\s0\fR is specified, the \fB\s-1PORT\s0\fR parameter specifies the
|
|
default port to connect to on the \s-1LDAP\s0 server if a \fB\s-1HOST\s0\fR parameter
|
|
does not specify the port itself. If no \fB\s-1PORT\s0\fR parameter is used,
|
|
the default is port 389 for \s-1LDAP\s0 and port 636 for \s-1LDAP\s0 over \s-1TLS\s0
|
|
(\s-1SSL\s0). The \fB\s-1PORT\s0\fR parameter is deprecated in favor of the \fB\s-1URI\s0\fR
|
|
specification and is included for backwards compatibility.
|
|
.IP "\fB\s-1BIND_TIMELIMIT\s0\fR seconds" 4
|
|
.IX Item "BIND_TIMELIMIT seconds"
|
|
The \fB\s-1BIND_TIMELIMIT\s0\fR parameter specifies the amount of time, in seconds,
|
|
to wait while trying to connect to an \s-1LDAP\s0 server. If multiple \fB\s-1URI\s0\fRs or
|
|
\&\fB\s-1HOST\s0\fRs are specified, this is the amount of time to wait before trying
|
|
the next one in the list.
|
|
.IP "\fB\s-1NETWORK_TIMEOUT\s0\fR seconds" 4
|
|
.IX Item "NETWORK_TIMEOUT seconds"
|
|
An alias for \fB\s-1BIND_TIMELIMIT\s0\fR for OpenLDAP compatibility.
|
|
.IP "\fB\s-1TIMELIMIT\s0\fR seconds" 4
|
|
.IX Item "TIMELIMIT seconds"
|
|
The \fB\s-1TIMELIMIT\s0\fR parameter specifies the amount of time, in seconds,
|
|
to wait for a response to an \s-1LDAP\s0 query.
|
|
.IP "\fB\s-1TIMEOUT\s0\fR seconds" 4
|
|
.IX Item "TIMEOUT seconds"
|
|
The \fB\s-1TIMEOUT\s0\fR parameter specifies the amount of time, in seconds,
|
|
to wait for a response from the various \s-1LDAP\s0 APIs.
|
|
.IP "\fB\s-1SUDOERS_BASE\s0\fR base" 4
|
|
.IX Item "SUDOERS_BASE base"
|
|
The base \s-1DN\s0 to use when performing \fBsudo\fR \s-1LDAP\s0 queries. Typically
|
|
this is of the form \f(CW\*(C`ou=SUDOers,dc=example,dc=com\*(C'\fR for the domain
|
|
\&\f(CW\*(C`example.com\*(C'\fR. Multiple \fB\s-1SUDOERS_BASE\s0\fR lines may be specified,
|
|
in which case they are queried in the order specified.
|
|
.IP "\fB\s-1SUDOERS_TIMED\s0\fR on/true/yes/off/false/no" 4
|
|
.IX Item "SUDOERS_TIMED on/true/yes/off/false/no"
|
|
Whether or not to evaluate the \f(CW\*(C`sudoNotBefore\*(C'\fR and \f(CW\*(C`sudoNotAfter\*(C'\fR
|
|
attributes that implement time-dependent sudoers entries.
|
|
.IP "\fB\s-1SUDOERS_DEBUG\s0\fR debug_level" 4
|
|
.IX Item "SUDOERS_DEBUG debug_level"
|
|
This sets the debug level for \fBsudo\fR \s-1LDAP\s0 queries. Debugging
|
|
information is printed to the standard error. A value of 1 results
|
|
in a moderate amount of debugging information. A value of 2 shows
|
|
the results of the matches themselves. This parameter should not
|
|
be set in a production environment as the extra information is
|
|
likely to confuse users.
|
|
.IP "\fB\s-1BINDDN\s0\fR \s-1DN\s0" 4
|
|
.IX Item "BINDDN DN"
|
|
The \fB\s-1BINDDN\s0\fR parameter specifies the identity, in the form of a
|
|
Distinguished Name (\s-1DN\s0), to use when performing \s-1LDAP\s0 operations.
|
|
If not specified, \s-1LDAP\s0 operations are performed with an anonymous
|
|
identity. By default, most \s-1LDAP\s0 servers will allow anonymous access.
|
|
.IP "\fB\s-1BINDPW\s0\fR secret" 4
|
|
.IX Item "BINDPW secret"
|
|
The \fB\s-1BINDPW\s0\fR parameter specifies the password to use when performing
|
|
\&\s-1LDAP\s0 operations. This is typically used in conjunction with the
|
|
\&\fB\s-1BINDDN\s0\fR parameter.
|
|
.IP "\fB\s-1ROOTBINDDN\s0\fR \s-1DN\s0" 4
|
|
.IX Item "ROOTBINDDN DN"
|
|
The \fB\s-1ROOTBINDDN\s0\fR parameter specifies the identity, in the form of
|
|
a Distinguished Name (\s-1DN\s0), to use when performing privileged \s-1LDAP\s0
|
|
operations, such as \fIsudoers\fR queries. The password corresponding
|
|
to the identity should be stored in \fI@ldap_secret@\fR.
|
|
If not specified, the \fB\s-1BINDDN\s0\fR identity is used (if any).
|
|
.IP "\fB\s-1LDAP_VERSION\s0\fR number" 4
|
|
.IX Item "LDAP_VERSION number"
|
|
The version of the \s-1LDAP\s0 protocol to use when connecting to the server.
|
|
The default value is protocol version 3.
|
|
.IP "\fB\s-1SSL\s0\fR on/true/yes/off/false/no" 4
|
|
.IX Item "SSL on/true/yes/off/false/no"
|
|
If the \fB\s-1SSL\s0\fR parameter is set to \f(CW\*(C`on\*(C'\fR, \f(CW\*(C`true\*(C'\fR or \f(CW\*(C`yes\*(C'\fR, \s-1TLS\s0
|
|
(\s-1SSL\s0) encryption is always used when communicating with the \s-1LDAP\s0
|
|
server. Typically, this involves connecting to the server on port
|
|
636 (ldaps).
|
|
.IP "\fB\s-1SSL\s0\fR start_tls" 4
|
|
.IX Item "SSL start_tls"
|
|
If the \fB\s-1SSL\s0\fR parameter is set to \f(CW\*(C`start_tls\*(C'\fR, the \s-1LDAP\s0 server
|
|
connection is initiated normally and \s-1TLS\s0 encryption is begun before
|
|
the bind credentials are sent. This has the advantage of not
|
|
requiring a dedicated port for encrypted communications. This
|
|
parameter is only supported by \s-1LDAP\s0 servers that honor the \f(CW\*(C`start_tls\*(C'\fR
|
|
extension, such as the OpenLDAP server.
|
|
.IP "\fB\s-1TLS_CHECKPEER\s0\fR on/true/yes/off/false/no" 4
|
|
.IX Item "TLS_CHECKPEER on/true/yes/off/false/no"
|
|
If enabled, \fB\s-1TLS_CHECKPEER\s0\fR will cause the \s-1LDAP\s0 server's \s-1TLS\s0
|
|
certificated to be verified. If the server's \s-1TLS\s0 certificate cannot
|
|
be verified (usually because it is signed by an unknown certificate
|
|
authority), \fBsudo\fR will be unable to connect to it. If \fB\s-1TLS_CHECKPEER\s0\fR
|
|
is disabled, no check is made. Note that disabling the check creates
|
|
an opportunity for man-in-the-middle attacks since the server's
|
|
identity will not be authenticated. If possible, the \s-1CA\s0's certificate
|
|
should be installed locally so it can be verified.
|
|
.IP "\fB\s-1TLS_CACERT\s0\fR file name" 4
|
|
.IX Item "TLS_CACERT file name"
|
|
An alias for \fB\s-1TLS_CACERTFILE\s0\fR for OpenLDAP compatibility.
|
|
.IP "\fB\s-1TLS_CACERTFILE\s0\fR file name" 4
|
|
.IX Item "TLS_CACERTFILE file name"
|
|
The path to a certificate authority bundle which contains the certificates
|
|
for all the Certificate Authorities the client knows to be valid,
|
|
e.g. \fI/etc/ssl/ca\-bundle.pem\fR.
|
|
This option is only supported by the OpenLDAP libraries.
|
|
Netscape-derived \s-1LDAP\s0 libraries use the same certificate
|
|
database for \s-1CA\s0 and client certificates (see \fB\s-1TLS_CERT\s0\fR).
|
|
.IP "\fB\s-1TLS_CACERTDIR\s0\fR directory" 4
|
|
.IX Item "TLS_CACERTDIR directory"
|
|
Similar to \fB\s-1TLS_CACERTFILE\s0\fR but instead of a file, it is a
|
|
directory containing individual Certificate Authority certificates,
|
|
e.g. \fI/etc/ssl/certs\fR.
|
|
The directory specified by \fB\s-1TLS_CACERTDIR\s0\fR is checked after
|
|
\&\fB\s-1TLS_CACERTFILE\s0\fR.
|
|
This option is only supported by the OpenLDAP libraries.
|
|
.IP "\fB\s-1TLS_CERT\s0\fR file name" 4
|
|
.IX Item "TLS_CERT file name"
|
|
The path to a file containing the client certificate which can
|
|
be used to authenticate the client to the \s-1LDAP\s0 server.
|
|
The certificate type depends on the \s-1LDAP\s0 libraries used.
|
|
.Sp
|
|
OpenLDAP:
|
|
\f(CW\*(C`tls_cert /etc/ssl/client_cert.pem\*(C'\fR
|
|
.Sp
|
|
Netscape-derived:
|
|
\f(CW\*(C`tls_cert /var/ldap/cert7.db\*(C'\fR
|
|
.Sp
|
|
When using Netscape-derived libraries, this file may also contain
|
|
Certificate Authority certificates.
|
|
.IP "\fB\s-1TLS_KEY\s0\fR file name" 4
|
|
.IX Item "TLS_KEY file name"
|
|
The path to a file containing the private key which matches the
|
|
certificate specified by \fB\s-1TLS_CERT\s0\fR. The private key must not be
|
|
password-protected. The key type depends on the \s-1LDAP\s0 libraries
|
|
used.
|
|
.Sp
|
|
OpenLDAP:
|
|
\f(CW\*(C`tls_key /etc/ssl/client_key.pem\*(C'\fR
|
|
.Sp
|
|
Netscape-derived:
|
|
\f(CW\*(C`tls_key /var/ldap/key3.db\*(C'\fR
|
|
.IP "\fB\s-1TLS_RANDFILE\s0\fR file name" 4
|
|
.IX Item "TLS_RANDFILE file name"
|
|
The \fB\s-1TLS_RANDFILE\s0\fR parameter specifies the path to an entropy
|
|
source for systems that lack a random device. It is generally used
|
|
in conjunction with \fIprngd\fR or \fIegd\fR.
|
|
This option is only supported by the OpenLDAP libraries.
|
|
.IP "\fB\s-1TLS_CIPHERS\s0\fR cipher list" 4
|
|
.IX Item "TLS_CIPHERS cipher list"
|
|
The \fB\s-1TLS_CIPHERS\s0\fR parameter allows the administer to restrict
|
|
which encryption algorithms may be used for \s-1TLS\s0 (\s-1SSL\s0) connections.
|
|
See the OpenSSL manual for a list of valid ciphers.
|
|
This option is only supported by the OpenLDAP libraries.
|
|
.IP "\fB\s-1USE_SASL\s0\fR on/true/yes/off/false/no" 4
|
|
.IX Item "USE_SASL on/true/yes/off/false/no"
|
|
Enable \fB\s-1USE_SASL\s0\fR for \s-1LDAP\s0 servers that support \s-1SASL\s0 authentication.
|
|
.IP "\fB\s-1SASL_AUTH_ID\s0\fR identity" 4
|
|
.IX Item "SASL_AUTH_ID identity"
|
|
The \s-1SASL\s0 user name to use when connecting to the \s-1LDAP\s0 server.
|
|
By default, \fBsudo\fR will use an anonymous connection.
|
|
.IP "\fB\s-1ROOTUSE_SASL\s0\fR on/true/yes/off/false/no" 4
|
|
.IX Item "ROOTUSE_SASL on/true/yes/off/false/no"
|
|
Enable \fB\s-1ROOTUSE_SASL\s0\fR to enable \s-1SASL\s0 authentication when connecting
|
|
to an \s-1LDAP\s0 server from a privileged process, such as \fBsudo\fR.
|
|
.IP "\fB\s-1ROOTSASL_AUTH_ID\s0\fR identity" 4
|
|
.IX Item "ROOTSASL_AUTH_ID identity"
|
|
The \s-1SASL\s0 user name to use when \fB\s-1ROOTUSE_SASL\s0\fR is enabled.
|
|
.IP "\fB\s-1SASL_SECPROPS\s0\fR none/properties" 4
|
|
.IX Item "SASL_SECPROPS none/properties"
|
|
\&\s-1SASL\s0 security properties or \fInone\fR for no properties. See the
|
|
\&\s-1SASL\s0 programmer's manual for details.
|
|
.IP "\fB\s-1KRB5_CCNAME\s0\fR file name" 4
|
|
.IX Item "KRB5_CCNAME file name"
|
|
The path to the Kerberos 5 credential cache to use when authenticating
|
|
with the remote server.
|
|
.PP
|
|
See the \f(CW\*(C`ldap.conf\*(C'\fR entry in the \s-1EXAMPLES\s0 section.
|
|
.SS "Configuring nsswitch.conf"
|
|
.IX Subsection "Configuring nsswitch.conf"
|
|
Unless it is disabled at build time, \fBsudo\fR consults the Name
|
|
Service Switch file, \fI@nsswitch_conf@\fR, to specify the \fIsudoers\fR
|
|
search order. Sudo looks for a line beginning with \f(CW\*(C`sudoers\*(C'\fR: and
|
|
uses this to determine the search order. Note that \fBsudo\fR does
|
|
not stop searching after the first match and later matches take
|
|
precedence over earlier ones.
|
|
.PP
|
|
The following sources are recognized:
|
|
.PP
|
|
.Vb 2
|
|
\& files read sudoers from F<@sysconfdir@/sudoers>
|
|
\& ldap read sudoers from LDAP
|
|
.Ve
|
|
.PP
|
|
In addition, the entry \f(CW\*(C`[NOTFOUND=return]\*(C'\fR will short-circuit the
|
|
search if the user was not found in the preceding source.
|
|
.PP
|
|
To consult \s-1LDAP\s0 first followed by the local sudoers file (if it
|
|
exists), use:
|
|
.PP
|
|
.Vb 1
|
|
\& sudoers: ldap files
|
|
.Ve
|
|
.PP
|
|
The local \fIsudoers\fR file can be ignored completely by using:
|
|
.PP
|
|
.Vb 1
|
|
\& sudoers: ldap
|
|
.Ve
|
|
.PP
|
|
If the \fI@nsswitch_conf@\fR file is not present or there is no
|
|
sudoers line, the following default is assumed:
|
|
.PP
|
|
.Vb 1
|
|
\& sudoers: files
|
|
.Ve
|
|
.PP
|
|
Note that \fI@nsswitch_conf@\fR is supported even when the underlying
|
|
operating system does not use an nsswitch.conf file.
|
|
.SS "Configuring netsvc.conf"
|
|
.IX Subsection "Configuring netsvc.conf"
|
|
On \s-1AIX\s0 systems, the \fI@netsvc_conf@\fR file is consulted instead of
|
|
\&\fI@nsswitch_conf@\fR. \fBsudo\fR simply treats \fInetsvc.conf\fR as a
|
|
variant of \fInsswitch.conf\fR; information in the previous section
|
|
unrelated to the file format itself still applies.
|
|
.PP
|
|
To consult \s-1LDAP\s0 first followed by the local sudoers file (if it
|
|
exists), use:
|
|
.PP
|
|
.Vb 1
|
|
\& sudoers = ldap, files
|
|
.Ve
|
|
.PP
|
|
The local \fIsudoers\fR file can be ignored completely by using:
|
|
.PP
|
|
.Vb 1
|
|
\& sudoers = ldap
|
|
.Ve
|
|
.PP
|
|
To treat \s-1LDAP\s0 as authoratative and only use the local sudoers file
|
|
if the user is not present in \s-1LDAP\s0, use:
|
|
.PP
|
|
.Vb 1
|
|
\& sudoers = ldap = auth, files
|
|
.Ve
|
|
.PP
|
|
Note that in the above example, the \f(CW\*(C`auth\*(C'\fR qualfier only affects
|
|
user lookups; both \s-1LDAP\s0 and \fIsudoers\fR will be queried for \f(CW\*(C`Defaults\*(C'\fR
|
|
entries.
|
|
.PP
|
|
If the \fI@netsvc_conf@\fR file is not present or there is no
|
|
sudoers line, the following default is assumed:
|
|
.PP
|
|
.Vb 1
|
|
\& sudoers = files
|
|
.Ve
|
|
.SH "FILES"
|
|
.IX Header "FILES"
|
|
.ie n .IP "\fI@ldap_conf@\fR" 24
|
|
.el .IP "\fI@ldap_conf@\fR" 24
|
|
.IX Item "@ldap_conf@"
|
|
\&\s-1LDAP\s0 configuration file
|
|
.ie n .IP "\fI@nsswitch_conf@\fR" 24
|
|
.el .IP "\fI@nsswitch_conf@\fR" 24
|
|
.IX Item "@nsswitch_conf@"
|
|
determines sudoers source order
|
|
.ie n .IP "\fI@netsvc_conf@\fR" 24
|
|
.el .IP "\fI@netsvc_conf@\fR" 24
|
|
.IX Item "@netsvc_conf@"
|
|
determines sudoers source order on \s-1AIX\s0
|
|
.SH "EXAMPLES"
|
|
.IX Header "EXAMPLES"
|
|
.SS "Example ldap.conf"
|
|
.IX Subsection "Example ldap.conf"
|
|
.Vb 10
|
|
\& # Either specify one or more URIs or one or more host:port pairs.
|
|
\& # If neither is specified sudo will default to localhost, port 389.
|
|
\& #
|
|
\& #host ldapserver
|
|
\& #host ldapserver1 ldapserver2:390
|
|
\& #
|
|
\& # Default port if host is specified without one, defaults to 389.
|
|
\& #port 389
|
|
\& #
|
|
\& # URI will override the host and port settings.
|
|
\& uri ldap://ldapserver
|
|
\& #uri ldaps://secureldapserver
|
|
\& #uri ldaps://secureldapserver ldap://ldapserver
|
|
\& #
|
|
\& # The amount of time, in seconds, to wait while trying to connect to
|
|
\& # an LDAP server.
|
|
\& bind_timelimit 30
|
|
\& #
|
|
\& # The amount of time, in seconds, to wait while performing an LDAP query.
|
|
\& timelimit 30
|
|
\& #
|
|
\& # Must be set or sudo will ignore LDAP; may be specified multiple times.
|
|
\& sudoers_base ou=SUDOers,dc=example,dc=com
|
|
\& #
|
|
\& # verbose sudoers matching from ldap
|
|
\& #sudoers_debug 2
|
|
\& #
|
|
\& # Enable support for time\-based entries in sudoers.
|
|
\& #sudoers_timed yes
|
|
\& #
|
|
\& # optional proxy credentials
|
|
\& #binddn <who to search as>
|
|
\& #bindpw <password>
|
|
\& #rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>
|
|
\& #
|
|
\& # LDAP protocol version, defaults to 3
|
|
\& #ldap_version 3
|
|
\& #
|
|
\& # Define if you want to use an encrypted LDAP connection.
|
|
\& # Typically, you must also set the port to 636 (ldaps).
|
|
\& #ssl on
|
|
\& #
|
|
\& # Define if you want to use port 389 and switch to
|
|
\& # encryption before the bind credentials are sent.
|
|
\& # Only supported by LDAP servers that support the start_tls
|
|
\& # extension such as OpenLDAP.
|
|
\& #ssl start_tls
|
|
\& #
|
|
\& # Additional TLS options follow that allow tweaking of the
|
|
\& # SSL/TLS connection.
|
|
\& #
|
|
\& #tls_checkpeer yes # verify server SSL certificate
|
|
\& #tls_checkpeer no # ignore server SSL certificate
|
|
\& #
|
|
\& # If you enable tls_checkpeer, specify either tls_cacertfile
|
|
\& # or tls_cacertdir. Only supported when using OpenLDAP.
|
|
\& #
|
|
\& #tls_cacertfile /etc/certs/trusted_signers.pem
|
|
\& #tls_cacertdir /etc/certs
|
|
\& #
|
|
\& # For systems that don\*(Aqt have /dev/random
|
|
\& # use this along with PRNGD or EGD.pl to seed the
|
|
\& # random number pool to generate cryptographic session keys.
|
|
\& # Only supported when using OpenLDAP.
|
|
\& #
|
|
\& #tls_randfile /etc/egd\-pool
|
|
\& #
|
|
\& # You may restrict which ciphers are used. Consult your SSL
|
|
\& # documentation for which options go here.
|
|
\& # Only supported when using OpenLDAP.
|
|
\& #
|
|
\& #tls_ciphers <cipher\-list>
|
|
\& #
|
|
\& # Sudo can provide a client certificate when communicating to
|
|
\& # the LDAP server.
|
|
\& # Tips:
|
|
\& # * Enable both lines at the same time.
|
|
\& # * Do not password protect the key file.
|
|
\& # * Ensure the keyfile is only readable by root.
|
|
\& #
|
|
\& # For OpenLDAP:
|
|
\& #tls_cert /etc/certs/client_cert.pem
|
|
\& #tls_key /etc/certs/client_key.pem
|
|
\& #
|
|
\& # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
|
|
\& # a directory, in which case the files in the directory must have the
|
|
\& # default names (e.g. cert8.db and key4.db), or the path to the cert
|
|
\& # and key files themselves. However, a bug in version 5.0 of the LDAP
|
|
\& # SDK will prevent specific file names from working. For this reason
|
|
\& # it is suggested that tls_cert and tls_key be set to a directory,
|
|
\& # not a file name.
|
|
\& #
|
|
\& # The certificate database specified by tls_cert may contain CA certs
|
|
\& # and/or the client\*(Aqs cert. If the client\*(Aqs cert is included, tls_key
|
|
\& # should be specified as well.
|
|
\& # For backward compatibility, "sslpath" may be used in place of tls_cert.
|
|
\& #tls_cert /var/ldap
|
|
\& #tls_key /var/ldap
|
|
\& #
|
|
\& # If using SASL authentication for LDAP (OpenSSL)
|
|
\& # use_sasl yes
|
|
\& # sasl_auth_id <SASL user name>
|
|
\& # rootuse_sasl yes
|
|
\& # rootsasl_auth_id <SASL user name for root access>
|
|
\& # sasl_secprops none
|
|
\& # krb5_ccname /etc/.ldapcache
|
|
.Ve
|
|
.SS "Sudo schema for OpenLDAP"
|
|
.IX Subsection "Sudo schema for OpenLDAP"
|
|
The following schema, in OpenLDAP format, is included with \fBsudo\fR
|
|
source and binary distributions as \fIschema.OpenLDAP\fR. Simply copy
|
|
it to the schema directory (e.g. \fI/etc/openldap/schema\fR), add the
|
|
proper \f(CW\*(C`include\*(C'\fR line in \f(CW\*(C`slapd.conf\*(C'\fR and restart \fBslapd\fR.
|
|
.PP
|
|
.Vb 6
|
|
\& attributetype ( 1.3.6.1.4.1.15953.9.1.1
|
|
\& NAME \*(AqsudoUser\*(Aq
|
|
\& DESC \*(AqUser(s) who may run sudo\*(Aq
|
|
\& EQUALITY caseExactIA5Match
|
|
\& SUBSTR caseExactIA5SubstringsMatch
|
|
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
|
\&
|
|
\& attributetype ( 1.3.6.1.4.1.15953.9.1.2
|
|
\& NAME \*(AqsudoHost\*(Aq
|
|
\& DESC \*(AqHost(s) who may run sudo\*(Aq
|
|
\& EQUALITY caseExactIA5Match
|
|
\& SUBSTR caseExactIA5SubstringsMatch
|
|
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
|
\&
|
|
\& attributetype ( 1.3.6.1.4.1.15953.9.1.3
|
|
\& NAME \*(AqsudoCommand\*(Aq
|
|
\& DESC \*(AqCommand(s) to be executed by sudo\*(Aq
|
|
\& EQUALITY caseExactIA5Match
|
|
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
|
\&
|
|
\& attributetype ( 1.3.6.1.4.1.15953.9.1.4
|
|
\& NAME \*(AqsudoRunAs\*(Aq
|
|
\& DESC \*(AqUser(s) impersonated by sudo\*(Aq
|
|
\& EQUALITY caseExactIA5Match
|
|
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
|
\&
|
|
\& attributetype ( 1.3.6.1.4.1.15953.9.1.5
|
|
\& NAME \*(AqsudoOption\*(Aq
|
|
\& DESC \*(AqOptions(s) followed by sudo\*(Aq
|
|
\& EQUALITY caseExactIA5Match
|
|
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
|
\&
|
|
\& attributetype ( 1.3.6.1.4.1.15953.9.1.6
|
|
\& NAME \*(AqsudoRunAsUser\*(Aq
|
|
\& DESC \*(AqUser(s) impersonated by sudo\*(Aq
|
|
\& EQUALITY caseExactIA5Match
|
|
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
|
\&
|
|
\& attributetype ( 1.3.6.1.4.1.15953.9.1.7
|
|
\& NAME \*(AqsudoRunAsGroup\*(Aq
|
|
\& DESC \*(AqGroup(s) impersonated by sudo\*(Aq
|
|
\& EQUALITY caseExactIA5Match
|
|
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
|
\&
|
|
\& attributetype ( 1.3.6.1.4.1.15953.9.1.8
|
|
\& NAME \*(AqsudoNotBefore\*(Aq
|
|
\& DESC \*(AqStart of time interval for which the entry is valid\*(Aq
|
|
\& EQUALITY generalizedTimeMatch
|
|
\& ORDERING generalizedTimeOrderingMatch
|
|
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
|
|
\&
|
|
\& attributetype ( 1.3.6.1.4.1.15953.9.1.9
|
|
\& NAME \*(AqsudoNotAfter\*(Aq
|
|
\& DESC \*(AqEnd of time interval for which the entry is valid\*(Aq
|
|
\& EQUALITY generalizedTimeMatch
|
|
\& ORDERING generalizedTimeOrderingMatch
|
|
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
|
|
\&
|
|
\& attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
|
|
\& NAME \*(AqsudoOrder\*(Aq
|
|
\& DESC \*(Aqan integer to order the sudoRole entries\*(Aq
|
|
\& EQUALITY integerMatch
|
|
\& ORDERING integerOrderingMatch
|
|
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
|
|
\&
|
|
\& objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME \*(AqsudoRole\*(Aq SUP top STRUCTURAL
|
|
\& DESC \*(AqSudoer Entries\*(Aq
|
|
\& MUST ( cn )
|
|
\& MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
|
|
\& sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
|
|
\& sudoOrder $ description )
|
|
\& )
|
|
.Ve
|
|
.SH "SEE ALSO"
|
|
.IX Header "SEE ALSO"
|
|
\&\fIldap.conf\fR\|(@mansectform@), \fIsudoers\fR\|(@mansectform@)
|
|
.SH "CAVEATS"
|
|
.IX Header "CAVEATS"
|
|
Note that there are differences in the way that LDAP-based \fIsudoers\fR
|
|
is parsed compared to file-based \fIsudoers\fR. See the \*(L"Differences
|
|
between \s-1LDAP\s0 and non-LDAP sudoers\*(R" section for more information.
|
|
.SH "BUGS"
|
|
.IX Header "BUGS"
|
|
If you feel you have found a bug in \fBsudo\fR, please submit a bug report
|
|
at http://www.sudo.ws/sudo/bugs/
|
|
.SH "SUPPORT"
|
|
.IX Header "SUPPORT"
|
|
Limited free support is available via the sudo-users mailing list,
|
|
see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
|
|
search the archives.
|
|
.SH "DISCLAIMER"
|
|
.IX Header "DISCLAIMER"
|
|
\&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
|
|
including, but not limited to, the implied warranties of merchantability
|
|
and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0
|
|
file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
|
|
for complete details.
|