Diff for /embedaddon/sudo/doc/sudoers.ldap.cat between versions 1.1.1.3 and 1.1.1.5

version 1.1.1.3, 2012/10/09 09:29:52 version 1.1.1.5, 2013/10/14 07:56:34
Line 37  DDEESSCCRRIIPPTTIIOONN Line 37  DDEESSCCRRIIPPTTIIOONN
      LDAP, ssuuddoo-specific Aliases are not supported.       LDAP, ssuuddoo-specific Aliases are not supported.
   
      For the most part, there is really no need for ssuuddoo-specific Aliases.       For the most part, there is really no need for ssuuddoo-specific Aliases.
     Unix groups or user netgroups can be used in place of User_Aliases and     Unix groups, non-Unix groups (via the _g_r_o_u_p___p_l_u_g_i_n) or user netgroups can
     Runas_Aliases.  Host netgroups can be used in place of Host_Aliases.     be used in place of User_Aliases and Runas_Aliases.  Host netgroups can
     Since Unix groups and netgroups can also be stored in LDAP there is no     be used in place of Host_Aliases.  Since groups and netgroups can also be
     real need for ssuuddoo-specific aliases.     stored in LDAP there is no real need for ssuuddoo-specific aliases.
   
      Cmnd_Aliases are not really required either since it is possible to have       Cmnd_Aliases are not really required either since it is possible to have
      multiple users listed in a sudoRole.  Instead of defining a Cmnd_Alias       multiple users listed in a sudoRole.  Instead of defining a Cmnd_Alias
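Review bot: the new "non-Unix groups (via the group_plugin)" alternative to User_Alias and Runas_Alias is presented here without qualification, while the sudoUser text later in this same change says non-Unix group support "is only available when an appropriate group_plugin is defined in the global defaults sudoRole object". Carry that condition into this paragraph too (e.g. "non-Unix groups, when a group_plugin is configured"), otherwise a reader setting up LDAP from this section will expect `%:` entries to work without any plugin.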
Line 67  DDEESSCCRRIIPPTTIIOONN Line 67  DDEESSCCRRIIPPTTIIOONN
      following attributes:       following attributes:
   
      ssuuddooUUsseerr       ssuuddooUUsseerr
           A user name, user ID (prefixed with `#'), Unix group (prefixed with           A user name, user ID (prefixed with `#'), Unix group name or ID
           `%'), Unix group ID (prefixed with `%#'), or user netgroup           (prefixed with `%' or `%#' respectively), user netgroup (prefixed
           (prefixed with `+').           with `+'), or non-Unix group name or ID (prefixed with `%:' or
            `%:#' respectively).  Non-Unix group support is only available when
            an appropriate _g_r_o_u_p___p_l_u_g_i_n is defined in the global _d_e_f_a_u_l_t_s
            sudoRole object.
   
      ssuuddooHHoosstt       ssuuddooHHoosstt
            A host name, IP address, IP network, or host netgroup (prefixed             A host name, IP address, IP network, or host netgroup (prefixed
            with a `+').  The special value ALL will match any host.             with a `+').  The special value ALL will match any host.
   
      ssuuddooCCoommmmaanndd       ssuuddooCCoommmmaanndd
           A Unix command with optional command line arguments, potentially           A fully-qualified Unix command name with optional command line
           including globbing characters (aka wild cards).  The special value           arguments, potentially including globbing characters (aka wild
           ALL will match any command.  If a command is prefixed with an           cards).  If a command name is preceded by an exclamation point,
           exclamation point `!', the user will be prohibited from running           `!', the user will be prohibited from running that command.
           that command. 
   
              The built-in command ``sudoedit'' is used to permit a user to run
              ssuuddoo with the --ee option (or as ssuuddooeeddiitt).  It may take command line
              arguments just as a normal command does.  Note that ``sudoedit'' is
              a command built into ssuuddoo itself and must be specified in without a
              leading path.
   
              The special value ALL will match any command.
   
              If a command name is prefixed with a SHA-2 digest, it will only be
              allowed if the digest matches.  This may be useful in situations
              where the user invoking ssuuddoo has write access to the command or its
              parent directory.  The following digest formats are supported:
              sha224, sha256, sha384 and sha512.  The digest name must be
              followed by a colon (`:') and then the actual digest, in either hex
              or base64 format.  For example, given the following value for
              sudoCommand:
   
                  sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ /bin/ls
   
              The user may only run _/_b_i_n_/_l_s if its sha224 digest matches the
              specified value.  Command digests are only supported by version
              1.8.7 or higher.
   
      ssuuddooOOppttiioonn       ssuuddooOOppttiioonn
            Identical in function to the global options described above, but             Identical in function to the global options described above, but
            specific to the sudoRole in which it resides.             specific to the sudoRole in which it resides.
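Review bot: the digest paragraph motivates SHA-2 command digests with the case where "the user invoking sudo has write access to the command or its parent directory", but does not say when the digest is verified relative to execution. If the user can write the file, they can replace it after the digest matches and before it runs, so the text should state whether the verified file is the one that is executed or warn that this is a match-time check only; without that, the stated use case overpromises. Two smaller points in the same hunk: "must be specified in without a leading path" should read "must be specified without a leading path", and the example line "sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ /bin/ls" would be clearer if the text said that the digest is checked against the command path that follows it, not against the arguments.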
Line 134  DDEESSCCRRIIPPTTIIOONN Line 159  DDEESSCCRRIIPPTTIIOONN
            inherent order.  The sudoOrder attribute is an integer (or floating             inherent order.  The sudoOrder attribute is an integer (or floating
            point value for LDAP servers that support it) that is used to sort             point value for LDAP servers that support it) that is used to sort
            the matching entries.  This allows LDAP-based sudoers entries to             the matching entries.  This allows LDAP-based sudoers entries to
           more closely mimic the behaviour of the sudoers file, where the of           more closely mimic the behavior of the sudoers file, where the of
            the entries influences the result.  If multiple entries match, the             the entries influences the result.  If multiple entries match, the
            entry with the highest sudoOrder attribute is chosen.  This             entry with the highest sudoOrder attribute is chosen.  This
            corresponds to the ``last match'' behavior of the sudoers file.  If             corresponds to the ``last match'' behavior of the sudoers file.  If
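Review bot: "where the of the entries influences the result" is missing a word on both sides of the diff; since the line is already being touched (behaviour -> behavior), fix it to "where the order of the entries influences the result".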
Line 168  DDEESSCCRRIIPPTTIIOONN Line 193  DDEESSCCRRIIPPTTIIOONN
      user belongs to any of them.       user belongs to any of them.
   
      If timed entries are enabled with the SSUUDDOOEERRSS__TTIIMMEEDD configuration       If timed entries are enabled with the SSUUDDOOEERRSS__TTIIMMEEDD configuration
     directive, the LDAP queries include a subfilter that limits retrieval to     directive, the LDAP queries include a sub-filter that limits retrieval to
      entries that satisfy the time constraints, if any.       entries that satisfy the time constraints, if any.
   
    DDiiffffeerreenncceess bbeettwweeeenn LLDDAAPP aanndd nnoonn--LLDDAAPP ssuuddooeerrss     DDiiffffeerreenncceess bbeettwweeeenn LLDDAAPP aanndd nnoonn--LLDDAAPP ssuuddooeerrss
Line 246  DDEESSCCRRIIPPTTIIOONN Line 271  DDEESSCCRRIIPPTTIIOONN
   
    CCoonnffiigguurriinngg llddaapp..ccoonnff     CCoonnffiigguurriinngg llddaapp..ccoonnff
      Sudo reads the _/_e_t_c_/_l_d_a_p_._c_o_n_f file for LDAP-specific configuration.       Sudo reads the _/_e_t_c_/_l_d_a_p_._c_o_n_f file for LDAP-specific configuration.
     Typically, this file is shared amongst different LDAP-aware clients.  As     Typically, this file is shared between different LDAP-aware clients.  As
      such, most of the settings are not ssuuddoo-specific. Note that ssuuddoo parses       such, most of the settings are not ssuuddoo-specific. Note that ssuuddoo parses
      _/_e_t_c_/_l_d_a_p_._c_o_n_f itself and may support options that differ from those       _/_e_t_c_/_l_d_a_p_._c_o_n_f itself and may support options that differ from those
     described in the system's ldap.conf(1m) manual.     described in the system's ldap.conf(1m) manual.  The path to _l_d_a_p_._c_o_n_f may
      be overridden via the _l_d_a_p___c_o_n_f plugin argument in sudo.conf(4).
   
      Also note that on systems using the OpenLDAP libraries, default values       Also note that on systems using the OpenLDAP libraries, default values
      specified in _/_e_t_c_/_o_p_e_n_l_d_a_p_/_l_d_a_p_._c_o_n_f or the user's _._l_d_a_p_r_c files are not       specified in _/_e_t_c_/_o_p_e_n_l_d_a_p_/_l_d_a_p_._c_o_n_f or the user's _._l_d_a_p_r_c files are not
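Review bot: "shared amongst different LDAP-aware clients" was changed to "shared between different LDAP-aware clients"; "between" is for two parties, so "shared among" is the better replacement. The added sentence on the ldap_conf plugin argument is a useful escape hatch from the shared file; it would help to say in the same breath that a file selected this way is parsed by sudo's own parser just like /etc/ldap.conf (the caveat in the preceding sentence), so readers do not assume a different syntax applies.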
Line 259  DDEESSCCRRIIPPTTIIOONN Line 285  DDEESSCCRRIIPPTTIIOONN
      by ssuuddoo are honored.  Configuration options are listed below in upper       by ssuuddoo are honored.  Configuration options are listed below in upper
      case but are parsed in a case-independent manner.       case but are parsed in a case-independent manner.
   
        The pound sign (`#') is used to indicate a comment.  Both the comment
        character and any text after it, up to the end of the line, are ignored.
        Long lines can be continued with a backslash (`\') as the last character
        on the line.  Note that leading white space is removed from the beginning
        of lines even when the continuation character is used.
   
      UURRII _l_d_a_p_[_s_]_:_/_/_[_h_o_s_t_n_a_m_e_[_:_p_o_r_t_]_] _._._.       UURRII _l_d_a_p_[_s_]_:_/_/_[_h_o_s_t_n_a_m_e_[_:_p_o_r_t_]_] _._._.
           Specifies a whitespace-delimited list of one or more URIs           Specifies a white space-delimited list of one or more URIs
            describing the LDAP server(s) to connect to.  The _p_r_o_t_o_c_o_l may be             describing the LDAP server(s) to connect to.  The _p_r_o_t_o_c_o_l may be
            either _l_d_a_p _l_d_a_p_s, the latter being for servers that support TLS             either _l_d_a_p _l_d_a_p_s, the latter being for servers that support TLS
            (SSL) encryption.  If no _p_o_r_t is specified, the default is port 389             (SSL) encryption.  If no _p_o_r_t is specified, the default is port 389
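Review bot: the new comment-syntax paragraph states that "Both the comment character and any text after it, up to the end of the line, are ignored" but does not say whether `#` can be escaped or quoted. Later in this change the TLS_KEYPW text says the password "may not include the comment character" and that backslash escaping "is not supported"; that is a property of this parser, not of TLS_KEYPW, so state it here once and note that it applies to every value (passwords included). Also, "whitespace-delimited" was fine; "white space-delimited" reads as two words and is the less common form.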
Line 273  DDEESSCCRRIIPPTTIIOONN Line 305  DDEESSCCRRIIPPTTIIOONN
            of supporting one or the other.             of supporting one or the other.
   
      HHOOSSTT _n_a_m_e_[_:_p_o_r_t_] _._._.       HHOOSSTT _n_a_m_e_[_:_p_o_r_t_] _._._.
           If no UURRII is specified, the HHOOSSTT parameter specifies a whitespace-           If no UURRII is specified, the HHOOSSTT parameter specifies a white space-
            delimited list of LDAP servers to connect to.  Each host may             delimited list of LDAP servers to connect to.  Each host may
            include an optional _p_o_r_t separated by a colon (`:').  The HHOOSSTT             include an optional _p_o_r_t separated by a colon (`:').  The HHOOSSTT
            parameter is deprecated in favor of the UURRII specification and is             parameter is deprecated in favor of the UURRII specification and is
Line 328  DDEESSCCRRIIPPTTIIOONN Line 360  DDEESSCCRRIIPPTTIIOONN
            be set in a production environment as the extra information is             be set in a production environment as the extra information is
            likely to confuse users.             likely to confuse users.
   
              The SSUUDDOOEERRSS__DDEEBBUUGG parameter is deprecated and will be removed in a
              future release.  The same information is now logged via the ssuuddoo
              debugging framework using the ``ldap'' subsystem at priorities _d_i_a_g
              and _i_n_f_o for _d_e_b_u_g___l_e_v_e_l values 1 and 2 respectively.  See the
              sudo.conf(4) manual for details on how to configure ssuuddoo debugging.
   
      BBIINNDDDDNN _D_N       BBIINNDDDDNN _D_N
            The BBIINNDDDDNN parameter specifies the identity, in the form of a             The BBIINNDDDDNN parameter specifies the identity, in the form of a
            Distinguished Name (DN), to use when performing LDAP operations.             Distinguished Name (DN), to use when performing LDAP operations.
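Review bot: the SUDOERS_DEBUG deprecation paragraph should say what sudo does when the parameter is still present in ldap.conf (honored, silently ignored, or warned about). The paragraph just above says the extra output "is likely to confuse users" in production, so an admin needs to know whether an existing setting keeps producing it after upgrading, and whether the replacement debug_level output goes to the debug log rather than to the user's terminal.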
Line 344  DDEESSCCRRIIPPTTIIOONN Line 382  DDEESSCCRRIIPPTTIIOONN
            The RROOOOTTBBIINNDDDDNN parameter specifies the identity, in the form of a             The RROOOOTTBBIINNDDDDNN parameter specifies the identity, in the form of a
            Distinguished Name (DN), to use when performing privileged LDAP             Distinguished Name (DN), to use when performing privileged LDAP
            operations, such as _s_u_d_o_e_r_s queries.  The password corresponding to             operations, such as _s_u_d_o_e_r_s queries.  The password corresponding to
           the identity should be stored in _/_e_t_c_/_l_d_a_p_._s_e_c_r_e_t.  If not           the identity should be stored in the or the path specified by the
           specified, the BBIINNDDDDNN identity is used (if any).           _l_d_a_p___s_e_c_r_e_t plugin argument in sudo.conf(4), which defaults to
            _/_e_t_c_/_l_d_a_p_._s_e_c_r_e_t.  If no RROOOOTTBBIINNDDDDNN is specified, the BBIINNDDDDNN
            identity is used (if any).
   
      LLDDAAPP__VVEERRSSIIOONN _n_u_m_b_e_r       LLDDAAPP__VVEERRSSIIOONN _n_u_m_b_e_r
            The version of the LDAP protocol to use when connecting to the             The version of the LDAP protocol to use when connecting to the
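Review bot: "the identity should be stored in the or the path specified by the ldap_secret plugin argument" has a stray "the"; it should read "stored in the path specified by the ldap_secret plugin argument in sudo.conf(4), which defaults to /etc/ldap.secret". Since this file holds the password for the privileged ROOTBINDDN identity, the paragraph should also state the expected owner and mode of that file (readable by root only), as the later TLS_KEYPW text does for ldap.conf.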
Line 427  DDEESSCCRRIIPPTTIIOONN Line 467  DDEESSCCRRIIPPTTIIOONN
                  tls_key /var/ldap/key3.db                   tls_key /var/ldap/key3.db
   
            Tivoli Directory Server:             Tivoli Directory Server:
                 tls_cert /usr/ldap/ldapkey.kdb                 tls_key /usr/ldap/ldapkey.kdb
            When using Tivoli LDAP libraries, this file may also contain             When using Tivoli LDAP libraries, this file may also contain
            Certificate Authority and client certificates and may be encrypted.             Certificate Authority and client certificates and may be encrypted.
   
      TTLLSS__KKEEYYPPWW _s_e_c_r_e_t       TTLLSS__KKEEYYPPWW _s_e_c_r_e_t
            The TTLLSS__KKEEYYPPWW contains the password used to decrypt the key             The TTLLSS__KKEEYYPPWW contains the password used to decrypt the key
            database on clients using the Tivoli Directory Server LDAP library.             database on clients using the Tivoli Directory Server LDAP library.
              This should be a simple string without quotes.  The password may
              not include the comment character (`#') and escaping of special
              characters with a backslash (`\') is not supported.  If this option
              is used, _/_e_t_c_/_l_d_a_p_._c_o_n_f must not be world-readable to avoid
              exposing the password.  Alternately, a _s_t_a_s_h _f_i_l_e can be used to
              store the password in encrypted form (see below).
   
            If no TTLLSS__KKEEYYPPWW is specified, a _s_t_a_s_h _f_i_l_e will be used if it             If no TTLLSS__KKEEYYPPWW is specified, a _s_t_a_s_h _f_i_l_e will be used if it
            exists.  The _s_t_a_s_h _f_i_l_e must have the same path as the file             exists.  The _s_t_a_s_h _f_i_l_e must have the same path as the file
            specified by TTLLSS__KKEEYY, but use a .sth file extension instead of             specified by TTLLSS__KKEEYY, but use a .sth file extension instead of
            .kdb, e.g. ldapkey.sth.  The default ldapkey.kdb that ships with             .kdb, e.g. ldapkey.sth.  The default ldapkey.kdb that ships with
            Tivoli Directory Server is encrypted with the password             Tivoli Directory Server is encrypted with the password
           ssl_password.  This option is only supported by the Tivoli LDAP           ssl_password.  The _g_s_k_8_c_a_p_i_c_m_d utility can be used to manage the
           libraries.           key database and create a _s_t_a_s_h _f_i_l_e.  This option is only
            supported by the Tivoli LDAP libraries.
   
      TTLLSS__RRAANNDDFFIILLEE _f_i_l_e _n_a_m_e       TTLLSS__RRAANNDDFFIILLEE _f_i_l_e _n_a_m_e
            The TTLLSS__RRAANNDDFFIILLEE parameter specifies the path to an entropy source             The TTLLSS__RRAANNDDFFIILLEE parameter specifies the path to an entropy source
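Review bot: the new TLS_KEYPW text says "/etc/ldap.conf must not be world-readable to avoid exposing the password", but the same change states earlier that ldap.conf is "typically shared between different LDAP-aware clients", which generally need to read it; restricting the shared file is therefore not a practical recommendation. Point instead to the stash file (already mentioned here) or to a sudo-specific file via the ldap_conf plugin argument introduced in this change. The tls_cert -> tls_key correction in the Tivoli example is right, since the surrounding text describes ldapkey.kdb as the key database.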
Line 530  DDEESSCCRRIIPPTTIIOONN Line 578  DDEESSCCRRIIPPTTIIOONN
   
          sudoers = ldap           sudoers = ldap
   
     To treat LDAP as authoratative and only use the local sudoers file if the     To treat LDAP as authoritative and only use the local sudoers file if the
      user is not present in LDAP, use:       user is not present in LDAP, use:
   
          sudoers = ldap = auth, files           sudoers = ldap = auth, files
   
     Note that in the above example, the auth qualfier only affects user     Note that in the above example, the auth qualifier only affects user
      lookups; both LDAP and _s_u_d_o_e_r_s will be queried for Defaults entries.       lookups; both LDAP and _s_u_d_o_e_r_s will be queried for Defaults entries.
   
      If the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is not present or there is no sudoers line,       If the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is not present or there is no sudoers line,
Line 739  EEXXAAMMPPLLEESS Line 787  EEXXAAMMPPLLEESS
           )            )
   
 SSEEEE AALLSSOO  SSEEEE AALLSSOO
     ldap.conf(1m), sudoers(1m)     ldap.conf(4), sudo.conf(4), sudoers(1m)
   
 CCAAVVEEAATTSS  CCAAVVEEAATTSS
      Note that there are differences in the way that LDAP-based _s_u_d_o_e_r_s is       Note that there are differences in the way that LDAP-based _s_u_d_o_e_r_s is
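Review bot: SEE ALSO now cites ldap.conf(4), but the "Configuring ldap.conf" paragraph touched earlier in this same change still says "the system's ldap.conf(1m) manual"; use one section number in both places.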
Line 762  DDIISSCCLLAAIIMMEERR Line 810  DDIISSCCLLAAIIMMEERR
      file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for       file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
      complete details.       complete details.
   
Sudo 1.8.6                       July 12, 2012                      Sudo 1.8.6Sudo 1.8.8                      August 30, 2013                     Sudo 1.8.8
