version 1.1, 2012/02/21 16:23:02
|
version 1.1.1.3, 2012/10/09 09:29:52
|
Line 1
|
Line 1
|
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) | SUDOERS.LDAP(1m) System Manager's Manual SUDOERS.LDAP(1m) |
|
|
|
|
|
|
NNAAMMEE |
NNAAMMEE |
sudoers.ldap - sudo LDAP configuration | ssuuddooeerrss..llddaapp - sudo LDAP configuration |
|
|
DDEESSCCRRIIPPTTIIOONN |
DDEESSCCRRIIPPTTIIOONN |
In addition to the standard _s_u_d_o_e_r_s file, ssuuddoo may be configured via | In addition to the standard _s_u_d_o_e_r_s file, ssuuddoo may be configured via |
LDAP. This can be especially useful for synchronizing _s_u_d_o_e_r_s in a | LDAP. This can be especially useful for synchronizing _s_u_d_o_e_r_s in a |
large, distributed environment. | large, distributed environment. |
|
|
Using LDAP for _s_u_d_o_e_r_s has several benefits: | Using LDAP for _s_u_d_o_e_r_s has several benefits: |
|
|
+o ssuuddoo no longer needs to read _s_u_d_o_e_r_s in its entirety. When LDAP is | oo ssuuddoo no longer needs to read _s_u_d_o_e_r_s in its entirety. When LDAP is |
used, there are only two or three LDAP queries per invocation. | used, there are only two or three LDAP queries per invocation. This |
This makes it especially fast and particularly usable in LDAP | makes it especially fast and particularly usable in LDAP |
environments. | environments. |
|
|
+o ssuuddoo no longer exits if there is a typo in _s_u_d_o_e_r_s. It is not | oo ssuuddoo no longer exits if there is a typo in _s_u_d_o_e_r_s. It is not |
possible to load LDAP data into the server that does not conform to | possible to load LDAP data into the server that does not conform to |
the sudoers schema, so proper syntax is guaranteed. It is still | the sudoers schema, so proper syntax is guaranteed. It is still |
possible to have typos in a user or host name, but this will not | possible to have typos in a user or host name, but this will not |
prevent ssuuddoo from running. | prevent ssuuddoo from running. |
|
|
+o It is possible to specify per-entry options that override the | oo It is possible to specify per-entry options that override the global |
global default options. _/_e_t_c_/_s_u_d_o_e_r_s only supports default options | default options. _/_e_t_c_/_s_u_d_o_e_r_s only supports default options and |
and limited options associated with user/host/commands/aliases. | limited options associated with user/host/commands/aliases. The |
The syntax is complicated and can be difficult for users to | syntax is complicated and can be difficult for users to understand. |
understand. Placing the options directly in the entry is more | Placing the options directly in the entry is more natural. |
natural. | |
|
|
+o The vviissuuddoo program is no longer needed. vviissuuddoo provides locking | oo The vviissuuddoo program is no longer needed. vviissuuddoo provides locking and |
and syntax checking of the _/_e_t_c_/_s_u_d_o_e_r_s file. Since LDAP updates | syntax checking of the _/_e_t_c_/_s_u_d_o_e_r_s file. Since LDAP updates are |
are atomic, locking is no longer necessary. Because syntax is | atomic, locking is no longer necessary. Because syntax is checked |
checked when the data is inserted into LDAP, there is no need for a | when the data is inserted into LDAP, there is no need for a |
specialized tool to check syntax. | specialized tool to check syntax. |
|
|
Another major difference between LDAP and file-based _s_u_d_o_e_r_s is that in | Another major difference between LDAP and file-based _s_u_d_o_e_r_s is that in |
LDAP, ssuuddoo-specific Aliases are not supported. | LDAP, ssuuddoo-specific Aliases are not supported. |
|
|
For the most part, there is really no need for ssuuddoo-specific Aliases. | For the most part, there is really no need for ssuuddoo-specific Aliases. |
Unix groups or user netgroups can be used in place of User_Aliases and | Unix groups or user netgroups can be used in place of User_Aliases and |
Runas_Aliases. Host netgroups can be used in place of Host_Aliases. | Runas_Aliases. Host netgroups can be used in place of Host_Aliases. |
Since Unix groups and netgroups can also be stored in LDAP there is no | Since Unix groups and netgroups can also be stored in LDAP there is no |
real need for ssuuddoo-specific aliases. | real need for ssuuddoo-specific aliases. |
|
|
Cmnd_Aliases are not really required either since it is possible to | Cmnd_Aliases are not really required either since it is possible to have |
have multiple users listed in a sudoRole. Instead of defining a | multiple users listed in a sudoRole. Instead of defining a Cmnd_Alias |
Cmnd_Alias that is referenced by multiple users, one can create a | that is referenced by multiple users, one can create a sudoRole that |
sudoRole that contains the commands and assign multiple users to it. | contains the commands and assign multiple users to it. |
|
|
SSUUDDOOeerrss LLDDAAPP ccoonnttaaiinneerr |
SSUUDDOOeerrss LLDDAAPP ccoonnttaaiinneerr |
The _s_u_d_o_e_r_s configuration is contained in the ou=SUDOers LDAP | The _s_u_d_o_e_r_s configuration is contained in the ou=SUDOers LDAP container. |
container. | |
|
|
Sudo first looks for the cn=default entry in the SUDOers container. If | Sudo first looks for the cn=default entry in the SUDOers container. If |
found, the multi-valued sudoOption attribute is parsed in the same | found, the multi-valued sudoOption attribute is parsed in the same manner |
manner as a global Defaults line in _/_e_t_c_/_s_u_d_o_e_r_s. In the following | as a global Defaults line in _/_e_t_c_/_s_u_d_o_e_r_s. In the following example, the |
example, the SSH_AUTH_SOCK variable will be preserved in the | SSH_AUTH_SOCK variable will be preserved in the environment for all |
environment for all users. | users. |
|
|
dn: cn=defaults,ou=SUDOers,dc=example,dc=com | dn: cn=defaults,ou=SUDOers,dc=example,dc=com |
objectClass: top | objectClass: top |
objectClass: sudoRole | objectClass: sudoRole |
cn: defaults | cn: defaults |
description: Default sudoOption's go here | description: Default sudoOption's go here |
sudoOption: env_keep+=SSH_AUTH_SOCK | sudoOption: env_keep+=SSH_AUTH_SOCK |
|
|
The equivalent of a sudoer in LDAP is a sudoRole. It consists of the | The equivalent of a sudoer in LDAP is a sudoRole. It consists of the |
following attributes: | following attributes: |
|
|
ssuuddooUUsseerr | ssuuddooUUsseerr |
A user name, uid (prefixed with '#'), Unix group (prefixed with a | A user name, user ID (prefixed with `#'), Unix group (prefixed with |
'%') or user netgroup (prefixed with a '+'). | `%'), Unix group ID (prefixed with `%#'), or user netgroup |
| (prefixed with `+'). |
|
|
ssuuddooHHoosstt | ssuuddooHHoosstt |
A host name, IP address, IP network, or host netgroup (prefixed |
A host name, IP address, IP network, or host netgroup (prefixed |
with a '+'). The special value ALL will match any host. | with a `+'). The special value ALL will match any host. |
|
|
ssuuddooCCoommmmaanndd | ssuuddooCCoommmmaanndd |
A Unix command with optional command line arguments, potentially |
A Unix command with optional command line arguments, potentially |
including globbing characters (aka wild cards). The special value |
including globbing characters (aka wild cards). The special value |
ALL will match any command. If a command is prefixed with an |
ALL will match any command. If a command is prefixed with an |
exclamation point '!', the user will be prohibited from running | exclamation point `!', the user will be prohibited from running |
that command. |
that command. |
|
|
ssuuddooOOppttiioonn | ssuuddooOOppttiioonn |
Identical in function to the global options described above, but |
Identical in function to the global options described above, but |
specific to the sudoRole in which it resides. |
specific to the sudoRole in which it resides. |
|
|
ssuuddooRRuunnAAssUUsseerr | ssuuddooRRuunnAAssUUsseerr |
A user name or uid (prefixed with '#') that commands may be run as | A user name or uid (prefixed with `#') that commands may be run as |
or a Unix group (prefixed with a '%') or user netgroup (prefixed | or a Unix group (prefixed with a `%') or user netgroup (prefixed |
with a '+') that contains a list of users that commands may be run | with a `+') that contains a list of users that commands may be run |
as. The special value ALL will match any user. |
as. The special value ALL will match any user. |
|
|
The sudoRunAsUser attribute is only available in ssuuddoo versions |
The sudoRunAsUser attribute is only available in ssuuddoo versions |
1.7.0 and higher. Older versions of ssuuddoo use the sudoRunAs |
1.7.0 and higher. Older versions of ssuuddoo use the sudoRunAs |
attribute instead. |
attribute instead. |
|
|
ssuuddooRRuunnAAssGGrroouupp | ssuuddooRRuunnAAssGGrroouupp |
A Unix group or gid (prefixed with '#') that commands may be run | A Unix group or gid (prefixed with `#') that commands may be run |
as. The special value ALL will match any group. |
as. The special value ALL will match any group. |
|
|
The sudoRunAsGroup attribute is only available in ssuuddoo versions |
The sudoRunAsGroup attribute is only available in ssuuddoo versions |
1.7.0 and higher. |
1.7.0 and higher. |
|
|
ssuuddooNNoottBBeeffoorree | ssuuddooNNoottBBeeffoorree |
A timestamp in the form yyyymmddHHMMSSZ that can be used to provide |
A timestamp in the form yyyymmddHHMMSSZ that can be used to provide |
a start date/time for when the sudoRole will be valid. If multiple |
a start date/time for when the sudoRole will be valid. If multiple |
sudoNotBefore entries are present, the earliest is used. Note that |
sudoNotBefore entries are present, the earliest is used. Note that |
Line 119 DDEESSCCRRIIPPTTIIOONN
|
Line 116 DDEESSCCRRIIPPTTIIOONN
|
1.7.5 and higher and must be explicitly enabled via the |
1.7.5 and higher and must be explicitly enabled via the |
SSUUDDOOEERRSS__TTIIMMEEDD option in _/_e_t_c_/_l_d_a_p_._c_o_n_f. |
SSUUDDOOEERRSS__TTIIMMEEDD option in _/_e_t_c_/_l_d_a_p_._c_o_n_f. |
|
|
ssuuddooNNoottAAfftteerr | ssuuddooNNoottAAfftteerr |
A timestamp in the form yyyymmddHHMMSSZ that indicates an |
A timestamp in the form yyyymmddHHMMSSZ that indicates an |
expiration date/time, after which the sudoRole will no longer be |
expiration date/time, after which the sudoRole will no longer be |
valid. If multiple sudoNotBefore entries are present, the last one |
valid. If multiple sudoNotBefore entries are present, the last one |
Line 132 DDEESSCCRRIIPPTTIIOONN
|
Line 129 DDEESSCCRRIIPPTTIIOONN
|
and higher and must be explicitly enabled via the SSUUDDOOEERRSS__TTIIMMEEDD |
and higher and must be explicitly enabled via the SSUUDDOOEERRSS__TTIIMMEEDD |
option in _/_e_t_c_/_l_d_a_p_._c_o_n_f. |
option in _/_e_t_c_/_l_d_a_p_._c_o_n_f. |
|
|
ssuuddooOOrrddeerr | ssuuddooOOrrddeerr |
The sudoRole entries retrieved from the LDAP directory have no |
The sudoRole entries retrieved from the LDAP directory have no |
inherent order. The sudoOrder attribute is an integer (or floating |
inherent order. The sudoOrder attribute is an integer (or floating |
point value for LDAP servers that support it) that is used to sort |
point value for LDAP servers that support it) that is used to sort |
Line 140 DDEESSCCRRIIPPTTIIOONN
|
Line 137 DDEESSCCRRIIPPTTIIOONN
|
more closely mimic the behaviour of the sudoers file, where the of |
more closely mimic the behaviour of the sudoers file, where the of |
the entries influences the result. If multiple entries match, the |
the entries influences the result. If multiple entries match, the |
entry with the highest sudoOrder attribute is chosen. This |
entry with the highest sudoOrder attribute is chosen. This |
corresponds to the "last match" behavior of the sudoers file. If | corresponds to the ``last match'' behavior of the sudoers file. If |
the sudoOrder attribute is not present, a value of 0 is assumed. |
the sudoOrder attribute is not present, a value of 0 is assumed. |
|
|
The sudoOrder attribute is only available in ssuuddoo versions 1.7.5 |
The sudoOrder attribute is only available in ssuuddoo versions 1.7.5 |
and higher. |
and higher. |
|
|
Each attribute listed above should contain a single value, but there | Each attribute listed above should contain a single value, but there may |
may be multiple instances of each attribute type. A sudoRole must | be multiple instances of each attribute type. A sudoRole must contain at |
contain at least one sudoUser, sudoHost and sudoCommand. | least one sudoUser, sudoHost and sudoCommand. |
|
|
The following example allows users in group wheel to run any command on | The following example allows users in group wheel to run any command on |
any host via ssuuddoo: | any host via ssuuddoo: |
|
|
dn: cn=%wheel,ou=SUDOers,dc=example,dc=com | dn: cn=%wheel,ou=SUDOers,dc=example,dc=com |
objectClass: top | objectClass: top |
objectClass: sudoRole | objectClass: sudoRole |
cn: %wheel | cn: %wheel |
sudoUser: %wheel | sudoUser: %wheel |
sudoHost: ALL | sudoHost: ALL |
sudoCommand: ALL | sudoCommand: ALL |
|
|
AAnnaattoommyy ooff LLDDAAPP ssuuddooeerrss llooookkuupp |
AAnnaattoommyy ooff LLDDAAPP ssuuddooeerrss llooookkuupp |
When looking up a sudoer using LDAP there are only two or three LDAP | When looking up a sudoer using LDAP there are only two or three LDAP |
queries per invocation. The first query is to parse the global | queries per invocation. The first query is to parse the global options. |
options. The second is to match against the user's name and the groups | The second is to match against the user's name and the groups that the |
that the user belongs to. (The special ALL tag is matched in this | user belongs to. (The special ALL tag is matched in this query too.) If |
query too.) If no match is returned for the user's name and groups, a | no match is returned for the user's name and groups, a third query |
third query returns all entries containing user netgroups and checks to | returns all entries containing user netgroups and checks to see if the |
see if the user belongs to any of them. | user belongs to any of them. |
|
|
If timed entries are enabled with the SSUUDDOOEERRSS__TTIIMMEEDD configuration | If timed entries are enabled with the SSUUDDOOEERRSS__TTIIMMEEDD configuration |
directive, the LDAP queries include a subfilter that limits retrieval | directive, the LDAP queries include a subfilter that limits retrieval to |
to entries that satisfy the time constraints, if any. | entries that satisfy the time constraints, if any. |
|
|
DDiiffffeerreenncceess bbeettwweeeenn LLDDAAPP aanndd nnoonn--LLDDAAPP ssuuddooeerrss |
DDiiffffeerreenncceess bbeettwweeeenn LLDDAAPP aanndd nnoonn--LLDDAAPP ssuuddooeerrss |
There are some subtle differences in the way sudoers is handled once in | There are some subtle differences in the way sudoers is handled once in |
LDAP. Probably the biggest is that according to the RFC, LDAP ordering | LDAP. Probably the biggest is that according to the RFC, LDAP ordering |
is arbitrary and you cannot expect that Attributes and Entries are | is arbitrary and you cannot expect that Attributes and Entries are |
returned in any specific order. | returned in any specific order. |
|
|
The order in which different entries are applied can be controlled | The order in which different entries are applied can be controlled using |
using the sudoOrder attribute, but there is no way to guarantee the | the sudoOrder attribute, but there is no way to guarantee the order of |
order of attributes within a specific entry. If there are conflicting | attributes within a specific entry. If there are conflicting command |
command rules in an entry, the negative takes precedence. This is | rules in an entry, the negative takes precedence. This is called |
called paranoid behavior (not necessarily the most specific match). | paranoid behavior (not necessarily the most specific match). |
|
|
Here is an example: | Here is an example: |
|
|
# /etc/sudoers: | # /etc/sudoers: |
# Allow all commands except shell | # Allow all commands except shell |
johnny ALL=(root) ALL,!/bin/sh | johnny ALL=(root) ALL,!/bin/sh |
# Always allows all commands because ALL is matched last | # Always allows all commands because ALL is matched last |
puddles ALL=(root) !/bin/sh,ALL | puddles ALL=(root) !/bin/sh,ALL |
|
|
# LDAP equivalent of johnny | # LDAP equivalent of johnny |
# Allows all commands except shell | # Allows all commands except shell |
dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com | dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com |
objectClass: sudoRole | objectClass: sudoRole |
objectClass: top | objectClass: top |
cn: role1 | cn: role1 |
sudoUser: johnny | sudoUser: johnny |
sudoHost: ALL | sudoHost: ALL |
sudoCommand: ALL | sudoCommand: ALL |
sudoCommand: !/bin/sh | sudoCommand: !/bin/sh |
|
|
# LDAP equivalent of puddles | # LDAP equivalent of puddles |
# Notice that even though ALL comes last, it still behaves like | # Notice that even though ALL comes last, it still behaves like |
# role1 since the LDAP code assumes the more paranoid configuration | # role1 since the LDAP code assumes the more paranoid configuration |
dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com | dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com |
objectClass: sudoRole | objectClass: sudoRole |
objectClass: top | objectClass: top |
cn: role2 | cn: role2 |
sudoUser: puddles | sudoUser: puddles |
sudoHost: ALL | sudoHost: ALL |
sudoCommand: !/bin/sh | sudoCommand: !/bin/sh |
sudoCommand: ALL | sudoCommand: ALL |
|
|
Another difference is that negations on the Host, User or Runas are | Another difference is that negations on the Host, User or Runas are |
currently ignored. For example, the following attributes do not behave | currently ignored. For example, the following attributes do not behave |
the way one might expect. | the way one might expect. |
|
|
# does not match all but joe | # does not match all but joe |
# rather, does not match anyone | # rather, does not match anyone |
sudoUser: !joe | sudoUser: !joe |
|
|
# does not match all but joe | # does not match all but joe |
# rather, matches everyone including Joe | # rather, matches everyone including Joe |
sudoUser: ALL | sudoUser: ALL |
sudoUser: !joe | sudoUser: !joe |
|
|
# does not match all but web01 | # does not match all but web01 |
# rather, matches all hosts including web01 | # rather, matches all hosts including web01 |
sudoHost: ALL | sudoHost: ALL |
sudoHost: !web01 | sudoHost: !web01 |
|
|
SSuuddooeerrss SScchheemmaa | SSuuddooeerrss sscchheemmaa |
In order to use ssuuddoo's LDAP support, the ssuuddoo schema must be installed | In order to use ssuuddoo's LDAP support, the ssuuddoo schema must be installed on |
on your LDAP server. In addition, be sure to index the 'sudoUser' | your LDAP server. In addition, be sure to index the sudoUser attribute. |
attribute. | |
|
|
Three versions of the schema: one for OpenLDAP servers | Three versions of the schema: one for OpenLDAP servers (_s_c_h_e_m_a_._O_p_e_n_L_D_A_P), |
(_s_c_h_e_m_a_._O_p_e_n_L_D_A_P), one for Netscape-derived servers (_s_c_h_e_m_a_._i_P_l_a_n_e_t), | one for Netscape-derived servers (_s_c_h_e_m_a_._i_P_l_a_n_e_t), and one for Microsoft |
and one for Microsoft Active Directory (_s_c_h_e_m_a_._A_c_t_i_v_e_D_i_r_e_c_t_o_r_y) may be | Active Directory (_s_c_h_e_m_a_._A_c_t_i_v_e_D_i_r_e_c_t_o_r_y) may be found in the ssuuddoo |
found in the ssuuddoo distribution. | distribution. |
|
|
The schema for ssuuddoo in OpenLDAP form is included in the EXAMPLES | The schema for ssuuddoo in OpenLDAP form is also included in the _E_X_A_M_P_L_E_S |
section. | section. |
|
|
CCoonnffiigguurriinngg llddaapp..ccoonnff |
CCoonnffiigguurriinngg llddaapp..ccoonnff |
Sudo reads the _/_e_t_c_/_l_d_a_p_._c_o_n_f file for LDAP-specific configuration. | Sudo reads the _/_e_t_c_/_l_d_a_p_._c_o_n_f file for LDAP-specific configuration. |
Typically, this file is shared amongst different LDAP-aware clients. | Typically, this file is shared amongst different LDAP-aware clients. As |
As such, most of the settings are not ssuuddoo-specific. Note that ssuuddoo | such, most of the settings are not ssuuddoo-specific. Note that ssuuddoo parses |
parses _/_e_t_c_/_l_d_a_p_._c_o_n_f itself and may support options that differ from | _/_e_t_c_/_l_d_a_p_._c_o_n_f itself and may support options that differ from those |
those described in the _l_d_a_p_._c_o_n_f(4) manual. | described in the system's ldap.conf(1m) manual. |
|
|
Also note that on systems using the OpenLDAP libraries, default values | Also note that on systems using the OpenLDAP libraries, default values |
specified in _/_e_t_c_/_o_p_e_n_l_d_a_p_/_l_d_a_p_._c_o_n_f or the user's _._l_d_a_p_r_c files are | specified in _/_e_t_c_/_o_p_e_n_l_d_a_p_/_l_d_a_p_._c_o_n_f or the user's _._l_d_a_p_r_c files are not |
not used. | used. |
|
|
Only those options explicitly listed in _/_e_t_c_/_l_d_a_p_._c_o_n_f as being | Only those options explicitly listed in _/_e_t_c_/_l_d_a_p_._c_o_n_f as being supported |
supported by ssuuddoo are honored. Configuration options are listed below | by ssuuddoo are honored. Configuration options are listed below in upper |
in upper case but are parsed in a case-independent manner. | case but are parsed in a case-independent manner. |
|
|
UURRII ldap[s]://[hostname[:port]] ... | UURRII _l_d_a_p_[_s_]_:_/_/_[_h_o_s_t_n_a_m_e_[_:_p_o_r_t_]_] _._._. |
Specifies a whitespace-delimited list of one or more URIs |
Specifies a whitespace-delimited list of one or more URIs |
describing the LDAP server(s) to connect to. The _p_r_o_t_o_c_o_l may be |
describing the LDAP server(s) to connect to. The _p_r_o_t_o_c_o_l may be |
either llddaapp or llddaappss, the latter being for servers that support TLS | either _l_d_a_p _l_d_a_p_s, the latter being for servers that support TLS |
(SSL) encryption. If no _p_o_r_t is specified, the default is port 389 |
(SSL) encryption. If no _p_o_r_t is specified, the default is port 389 |
for ldap:// or port 636 for ldaps://. If no _h_o_s_t_n_a_m_e is specified, |
for ldap:// or port 636 for ldaps://. If no _h_o_s_t_n_a_m_e is specified, |
ssuuddoo will connect to llooccaallhhoosstt. Multiple UURRII lines are treated | ssuuddoo will connect to _l_o_c_a_l_h_o_s_t. Multiple UURRII lines are treated |
identically to a UURRII line containing multiple entries. Only |
identically to a UURRII line containing multiple entries. Only |
systems using the OpenSSL libraries support the mixing of ldap:// |
systems using the OpenSSL libraries support the mixing of ldap:// |
and ldaps:// URIs. The Netscape-derived libraries used on most | and ldaps:// URIs. Both the Netscape-derived and Tivoli LDAP |
commercial versions of Unix are only capable of supporting one or | libraries used on most commercial versions of Unix are only capable |
the other. | of supporting one or the other. |
|
|
HHOOSSTT name[:port] ... | HHOOSSTT _n_a_m_e_[_:_p_o_r_t_] _._._. |
If no UURRII is specified, the HHOOSSTT parameter specifies a whitespace- |
If no UURRII is specified, the HHOOSSTT parameter specifies a whitespace- |
delimited list of LDAP servers to connect to. Each host may |
delimited list of LDAP servers to connect to. Each host may |
include an optional _p_o_r_t separated by a colon (':'). The HHOOSSTT | include an optional _p_o_r_t separated by a colon (`:'). The HHOOSSTT |
parameter is deprecated in favor of the UURRII specification and is |
parameter is deprecated in favor of the UURRII specification and is |
included for backwards compatibility. |
included for backwards compatibility. |
|
|
PPOORRTT port_number | PPOORRTT _p_o_r_t___n_u_m_b_e_r |
If no UURRII is specified, the PPOORRTT parameter specifies the default |
If no UURRII is specified, the PPOORRTT parameter specifies the default |
port to connect to on the LDAP server if a HHOOSSTT parameter does not |
port to connect to on the LDAP server if a HHOOSSTT parameter does not |
specify the port itself. If no PPOORRTT parameter is used, the default |
specify the port itself. If no PPOORRTT parameter is used, the default |
Line 291 DDEESSCCRRIIPPTTIIOONN
|
Line 287 DDEESSCCRRIIPPTTIIOONN
|
PPOORRTT parameter is deprecated in favor of the UURRII specification and |
PPOORRTT parameter is deprecated in favor of the UURRII specification and |
is included for backwards compatibility. |
is included for backwards compatibility. |
|
|
BBIINNDD__TTIIMMEELLIIMMIITT seconds | BBIINNDD__TTIIMMEELLIIMMIITT _s_e_c_o_n_d_s |
The BBIINNDD__TTIIMMEELLIIMMIITT parameter specifies the amount of time, in |
The BBIINNDD__TTIIMMEELLIIMMIITT parameter specifies the amount of time, in |
seconds, to wait while trying to connect to an LDAP server. If |
seconds, to wait while trying to connect to an LDAP server. If |
multiple UURRIIs or HHOOSSTTs are specified, this is the amount of time to |
multiple UURRIIs or HHOOSSTTs are specified, this is the amount of time to |
wait before trying the next one in the list. |
wait before trying the next one in the list. |
|
|
NNEETTWWOORRKK__TTIIMMEEOOUUTT seconds | NNEETTWWOORRKK__TTIIMMEEOOUUTT _s_e_c_o_n_d_s |
An alias for BBIINNDD__TTIIMMEELLIIMMIITT for OpenLDAP compatibility. |
An alias for BBIINNDD__TTIIMMEELLIIMMIITT for OpenLDAP compatibility. |
|
|
TTIIMMEELLIIMMIITT seconds | TTIIMMEELLIIMMIITT _s_e_c_o_n_d_s |
The TTIIMMEELLIIMMIITT parameter specifies the amount of time, in seconds, |
The TTIIMMEELLIIMMIITT parameter specifies the amount of time, in seconds, |
to wait for a response to an LDAP query. |
to wait for a response to an LDAP query. |
|
|
TTIIMMEEOOUUTT seconds | TTIIMMEEOOUUTT _s_e_c_o_n_d_s |
The TTIIMMEEOOUUTT parameter specifies the amount of time, in seconds, to |
The TTIIMMEEOOUUTT parameter specifies the amount of time, in seconds, to |
wait for a response from the various LDAP APIs. |
wait for a response from the various LDAP APIs. |
|
|
SSUUDDOOEERRSS__BBAASSEE base | SSUUDDOOEERRSS__BBAASSEE _b_a_s_e |
The base DN to use when performing ssuuddoo LDAP queries. Typically |
The base DN to use when performing ssuuddoo LDAP queries. Typically |
this is of the form ou=SUDOers,dc=example,dc=com for the domain |
this is of the form ou=SUDOers,dc=example,dc=com for the domain |
example.com. Multiple SSUUDDOOEERRSS__BBAASSEE lines may be specified, in |
example.com. Multiple SSUUDDOOEERRSS__BBAASSEE lines may be specified, in |
which case they are queried in the order specified. |
which case they are queried in the order specified. |
|
|
SSUUDDOOEERRSS__SSEEAARRCCHH__FFIILLTTEERR ldap_filter | SSUUDDOOEERRSS__SSEEAARRCCHH__FFIILLTTEERR _l_d_a_p___f_i_l_t_e_r |
An LDAP filter which is used to restrict the set of records |
An LDAP filter which is used to restrict the set of records |
returned when performing a ssuuddoo LDAP query. Typically, this is of |
returned when performing a ssuuddoo LDAP query. Typically, this is of |
the form attribute=value or |
the form attribute=value or |
(&(attribute=value)(attribute2=value2)). |
(&(attribute=value)(attribute2=value2)). |
|
|
SSUUDDOOEERRSS__TTIIMMEEDD on/true/yes/off/false/no | SSUUDDOOEERRSS__TTIIMMEEDD _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o |
Whether or not to evaluate the sudoNotBefore and sudoNotAfter |
Whether or not to evaluate the sudoNotBefore and sudoNotAfter |
attributes that implement time-dependent sudoers entries. |
attributes that implement time-dependent sudoers entries. |
|
|
SSUUDDOOEERRSS__DDEEBBUUGG debug_level | SSUUDDOOEERRSS__DDEEBBUUGG _d_e_b_u_g___l_e_v_e_l |
This sets the debug level for ssuuddoo LDAP queries. Debugging |
This sets the debug level for ssuuddoo LDAP queries. Debugging |
information is printed to the standard error. A value of 1 results |
information is printed to the standard error. A value of 1 results |
in a moderate amount of debugging information. A value of 2 shows |
in a moderate amount of debugging information. A value of 2 shows |
Line 332 DDEESSCCRRIIPPTTIIOONN
|
Line 328 DDEESSCCRRIIPPTTIIOONN
|
be set in a production environment as the extra information is |
be set in a production environment as the extra information is |
likely to confuse users. |
likely to confuse users. |
|
|
BBIINNDDDDNN DN | BBIINNDDDDNN _D_N |
The BBIINNDDDDNN parameter specifies the identity, in the form of a |
The BBIINNDDDDNN parameter specifies the identity, in the form of a |
Distinguished Name (DN), to use when performing LDAP operations. |
Distinguished Name (DN), to use when performing LDAP operations. |
If not specified, LDAP operations are performed with an anonymous |
If not specified, LDAP operations are performed with an anonymous |
identity. By default, most LDAP servers will allow anonymous |
identity. By default, most LDAP servers will allow anonymous |
access. |
access. |
|
|
BBIINNDDPPWW secret | BBIINNDDPPWW _s_e_c_r_e_t |
The BBIINNDDPPWW parameter specifies the password to use when performing |
The BBIINNDDPPWW parameter specifies the password to use when performing |
LDAP operations. This is typically used in conjunction with the |
LDAP operations. This is typically used in conjunction with the |
BBIINNDDDDNN parameter. |
BBIINNDDDDNN parameter. |
|
|
RROOOOTTBBIINNDDDDNN DN | RROOOOTTBBIINNDDDDNN _D_N |
The RROOOOTTBBIINNDDDDNN parameter specifies the identity, in the form of a |
The RROOOOTTBBIINNDDDDNN parameter specifies the identity, in the form of a |
Distinguished Name (DN), to use when performing privileged LDAP |
Distinguished Name (DN), to use when performing privileged LDAP |
operations, such as _s_u_d_o_e_r_s queries. The password corresponding to |
operations, such as _s_u_d_o_e_r_s queries. The password corresponding to |
the identity should be stored in _/_e_t_c_/_l_d_a_p_._s_e_c_r_e_t. If not |
the identity should be stored in _/_e_t_c_/_l_d_a_p_._s_e_c_r_e_t. If not |
specified, the BBIINNDDDDNN identity is used (if any). |
specified, the BBIINNDDDDNN identity is used (if any). |
|
|
LLDDAAPP__VVEERRSSIIOONN number | LLDDAAPP__VVEERRSSIIOONN _n_u_m_b_e_r |
The version of the LDAP protocol to use when connecting to the |
The version of the LDAP protocol to use when connecting to the |
server. The default value is protocol version 3. |
server. The default value is protocol version 3. |
|
|
SSSSLL on/true/yes/off/false/no | SSSSLL _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o |
If the SSSSLL parameter is set to on, true or yes, TLS (SSL) |
If the SSSSLL parameter is set to on, true or yes, TLS (SSL) |
encryption is always used when communicating with the LDAP server. |
encryption is always used when communicating with the LDAP server. |
Typically, this involves connecting to the server on port 636 |
Typically, this involves connecting to the server on port 636 |
(ldaps). |
(ldaps). |
|
|
SSSSLL start_tls | SSSSLL _s_t_a_r_t___t_l_s |
If the SSSSLL parameter is set to start_tls, the LDAP server |
If the SSSSLL parameter is set to start_tls, the LDAP server |
connection is initiated normally and TLS encryption is begun before |
connection is initiated normally and TLS encryption is begun before |
the bind credentials are sent. This has the advantage of not |
the bind credentials are sent. This has the advantage of not |
requiring a dedicated port for encrypted communications. This |
requiring a dedicated port for encrypted communications. This |
parameter is only supported by LDAP servers that honor the |
parameter is only supported by LDAP servers that honor the |
start_tls extension, such as the OpenLDAP server. | _s_t_a_r_t___t_l_s extension, such as the OpenLDAP and Tivoli Directory |
| servers. |
|
|
TTLLSS__CCHHEECCKKPPEEEERR on/true/yes/off/false/no | TTLLSS__CCHHEECCKKPPEEEERR _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o |
If enabled, TTLLSS__CCHHEECCKKPPEEEERR will cause the LDAP server's TLS |
If enabled, TTLLSS__CCHHEECCKKPPEEEERR will cause the LDAP server's TLS |
certificated to be verified. If the server's TLS certificate |
certificated to be verified. If the server's TLS certificate |
cannot be verified (usually because it is signed by an unknown |
cannot be verified (usually because it is signed by an unknown |
Line 378 DDEESSCCRRIIPPTTIIOONN
|
Line 375 DDEESSCCRRIIPPTTIIOONN
|
the check creates an opportunity for man-in-the-middle attacks |
the check creates an opportunity for man-in-the-middle attacks |
since the server's identity will not be authenticated. If |
since the server's identity will not be authenticated. If |
possible, the CA's certificate should be installed locally so it |
possible, the CA's certificate should be installed locally so it |
can be verified. | can be verified. This option is not supported by the Tivoli |
| Directory Server LDAP libraries. |
|
|
TTLLSS__CCAACCEERRTT file name | TTLLSS__CCAACCEERRTT _f_i_l_e _n_a_m_e |
An alias for TTLLSS__CCAACCEERRTTFFIILLEE for OpenLDAP compatibility. |
An alias for TTLLSS__CCAACCEERRTTFFIILLEE for OpenLDAP compatibility. |
|
|
TTLLSS__CCAACCEERRTTFFIILLEE file name | TTLLSS__CCAACCEERRTTFFIILLEE _f_i_l_e _n_a_m_e |
The path to a certificate authority bundle which contains the |
The path to a certificate authority bundle which contains the |
certificates for all the Certificate Authorities the client knows |
certificates for all the Certificate Authorities the client knows |
to be valid, e.g. _/_e_t_c_/_s_s_l_/_c_a_-_b_u_n_d_l_e_._p_e_m. This option is only |
to be valid, e.g. _/_e_t_c_/_s_s_l_/_c_a_-_b_u_n_d_l_e_._p_e_m. This option is only |
Line 391 DDEESSCCRRIIPPTTIIOONN
|
Line 389 DDEESSCCRRIIPPTTIIOONN
|
libraries use the same certificate database for CA and client |
libraries use the same certificate database for CA and client |
certificates (see TTLLSS__CCEERRTT). |
certificates (see TTLLSS__CCEERRTT). |
|
|
TTLLSS__CCAACCEERRTTDDIIRR directory | TTLLSS__CCAACCEERRTTDDIIRR _d_i_r_e_c_t_o_r_y |
Similar to TTLLSS__CCAACCEERRTTFFIILLEE but instead of a file, it is a directory |
Similar to TTLLSS__CCAACCEERRTTFFIILLEE but instead of a file, it is a directory |
containing individual Certificate Authority certificates, e.g. |
containing individual Certificate Authority certificates, e.g. |
_/_e_t_c_/_s_s_l_/_c_e_r_t_s. The directory specified by TTLLSS__CCAACCEERRTTDDIIRR is |
_/_e_t_c_/_s_s_l_/_c_e_r_t_s. The directory specified by TTLLSS__CCAACCEERRTTDDIIRR is |
checked after TTLLSS__CCAACCEERRTTFFIILLEE. This option is only supported by the |
checked after TTLLSS__CCAACCEERRTTFFIILLEE. This option is only supported by the |
OpenLDAP libraries. |
OpenLDAP libraries. |
|
|
TTLLSS__CCEERRTT file name | TTLLSS__CCEERRTT _f_i_l_e _n_a_m_e |
The path to a file containing the client certificate which can be |
The path to a file containing the client certificate which can be |
used to authenticate the client to the LDAP server. The |
used to authenticate the client to the LDAP server. The |
certificate type depends on the LDAP libraries used. |
certificate type depends on the LDAP libraries used. |
|
|
OpenLDAP: |
OpenLDAP: |
tls_cert /etc/ssl/client_cert.pem | tls_cert /etc/ssl/client_cert.pem |
|
|
Netscape-derived: |
Netscape-derived: |
tls_cert /var/ldap/cert7.db | tls_cert /var/ldap/cert7.db |
|
|
When using Netscape-derived libraries, this file may also contain | Tivoli Directory Server: |
Certificate Authority certificates. | Unused, the key database specified by TTLLSS__KKEEYY contains both |
| keys and certificates. |
|
|
TTLLSS__KKEEYY file name | When using Netscape-derived libraries, this file may also |
| contain Certificate Authority certificates. |
| |
| TTLLSS__KKEEYY _f_i_l_e _n_a_m_e |
The path to a file containing the private key which matches the |
The path to a file containing the private key which matches the |
certificate specified by TTLLSS__CCEERRTT. The private key must not be |
certificate specified by TTLLSS__CCEERRTT. The private key must not be |
password-protected. The key type depends on the LDAP libraries |
password-protected. The key type depends on the LDAP libraries |
used. |
used. |
|
|
OpenLDAP: |
OpenLDAP: |
tls_key /etc/ssl/client_key.pem | tls_key /etc/ssl/client_key.pem |
|
|
Netscape-derived: |
Netscape-derived: |
tls_key /var/ldap/key3.db | tls_key /var/ldap/key3.db |
|
|
TTLLSS__RRAANNDDFFIILLEE file name | Tivoli Directory Server: |
| tls_cert /usr/ldap/ldapkey.kdb |
| When using Tivoli LDAP libraries, this file may also contain |
| Certificate Authority and client certificates and may be encrypted. |
| |
| TTLLSS__KKEEYYPPWW _s_e_c_r_e_t |
| The TTLLSS__KKEEYYPPWW contains the password used to decrypt the key |
| database on clients using the Tivoli Directory Server LDAP library. |
| If no TTLLSS__KKEEYYPPWW is specified, a _s_t_a_s_h _f_i_l_e will be used if it |
| exists. The _s_t_a_s_h _f_i_l_e must have the same path as the file |
| specified by TTLLSS__KKEEYY, but use a .sth file extension instead of |
| .kdb, e.g. ldapkey.sth. The default ldapkey.kdb that ships with |
| Tivoli Directory Server is encrypted with the password |
| ssl_password. This option is only supported by the Tivoli LDAP |
| libraries. |
| |
| TTLLSS__RRAANNDDFFIILLEE _f_i_l_e _n_a_m_e |
The TTLLSS__RRAANNDDFFIILLEE parameter specifies the path to an entropy source |
The TTLLSS__RRAANNDDFFIILLEE parameter specifies the path to an entropy source |
for systems that lack a random device. It is generally used in |
for systems that lack a random device. It is generally used in |
conjunction with _p_r_n_g_d or _e_g_d. This option is only supported by |
conjunction with _p_r_n_g_d or _e_g_d. This option is only supported by |
the OpenLDAP libraries. |
the OpenLDAP libraries. |
|
|
TTLLSS__CCIIPPHHEERRSS cipher list | TTLLSS__CCIIPPHHEERRSS _c_i_p_h_e_r _l_i_s_t |
The TTLLSS__CCIIPPHHEERRSS parameter allows the administer to restrict which |
The TTLLSS__CCIIPPHHEERRSS parameter allows the administer to restrict which |
encryption algorithms may be used for TLS (SSL) connections. See |
encryption algorithms may be used for TLS (SSL) connections. See |
the OpenSSL manual for a list of valid ciphers. This option is | the OpenLDAP or Tivoli Directory Server manual for a list of valid |
only supported by the OpenLDAP libraries. | ciphers. This option is not supported by Netscape-derived |
| libraries. |
|
|
UUSSEE__SSAASSLL on/true/yes/off/false/no | UUSSEE__SSAASSLL _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o |
Enable UUSSEE__SSAASSLL for LDAP servers that support SASL authentication. |
Enable UUSSEE__SSAASSLL for LDAP servers that support SASL authentication. |
|
|
SSAASSLL__AAUUTTHH__IIDD identity | SSAASSLL__AAUUTTHH__IIDD _i_d_e_n_t_i_t_y |
The SASL user name to use when connecting to the LDAP server. By |
The SASL user name to use when connecting to the LDAP server. By |
default, ssuuddoo will use an anonymous connection. |
default, ssuuddoo will use an anonymous connection. |
|
|
RROOOOTTUUSSEE__SSAASSLL on/true/yes/off/false/no | RROOOOTTUUSSEE__SSAASSLL _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o |
Enable RROOOOTTUUSSEE__SSAASSLL to enable SASL authentication when connecting |
Enable RROOOOTTUUSSEE__SSAASSLL to enable SASL authentication when connecting |
to an LDAP server from a privileged process, such as ssuuddoo. |
to an LDAP server from a privileged process, such as ssuuddoo. |
|
|
RROOOOTTSSAASSLL__AAUUTTHH__IIDD identity | RROOOOTTSSAASSLL__AAUUTTHH__IIDD _i_d_e_n_t_i_t_y |
The SASL user name to use when RROOOOTTUUSSEE__SSAASSLL is enabled. |
The SASL user name to use when RROOOOTTUUSSEE__SSAASSLL is enabled. |
|
|
SSAASSLL__SSEECCPPRROOPPSS none/properties | SSAASSLL__SSEECCPPRROOPPSS _n_o_n_e_/_p_r_o_p_e_r_t_i_e_s |
SASL security properties or _n_o_n_e for no properties. See the SASL |
SASL security properties or _n_o_n_e for no properties. See the SASL |
programmer's manual for details. |
programmer's manual for details. |
|
|
KKRRBB55__CCCCNNAAMMEE file name | KKRRBB55__CCCCNNAAMMEE _f_i_l_e _n_a_m_e |
The path to the Kerberos 5 credential cache to use when |
The path to the Kerberos 5 credential cache to use when |
authenticating with the remote server. |
authenticating with the remote server. |
|
|
DDEERREEFF never/searching/finding/always | DDEERREEFF _n_e_v_e_r_/_s_e_a_r_c_h_i_n_g_/_f_i_n_d_i_n_g_/_a_l_w_a_y_s |
How alias dereferencing is to be performed when searching. See the |
How alias dereferencing is to be performed when searching. See the |
_l_d_a_p_._c_o_n_f(4) manual for a full description of this option. | ldap.conf(1m) manual for a full description of this option. |
|
|
See the ldap.conf entry in the EXAMPLES section. | See the _l_d_a_p_._c_o_n_f entry in the _E_X_A_M_P_L_E_S section. |
|
|
CCoonnffiigguurriinngg nnsssswwiittcchh..ccoonnff |
CCoonnffiigguurriinngg nnsssswwiittcchh..ccoonnff |
Unless it is disabled at build time, ssuuddoo consults the Name Service | Unless it is disabled at build time, ssuuddoo consults the Name Service |
Switch file, _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f, to specify the _s_u_d_o_e_r_s search order. | Switch file, _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f, to specify the _s_u_d_o_e_r_s search order. |
Sudo looks for a line beginning with sudoers: and uses this to | Sudo looks for a line beginning with sudoers: and uses this to determine |
determine the search order. Note that ssuuddoo does not stop searching | the search order. Note that ssuuddoo does not stop searching after the first |
after the first match and later matches take precedence over earlier | match and later matches take precedence over earlier ones. The following |
ones. | sources are recognized: |
|
|
The following sources are recognized: | files read sudoers from _/_e_t_c_/_s_u_d_o_e_r_s |
| ldap read sudoers from LDAP |
|
|
files read sudoers from F</etc/sudoers> | In addition, the entry [NOTFOUND=return] will short-circuit the search if |
ldap read sudoers from LDAP | the user was not found in the preceding source. |
|
|
In addition, the entry [NOTFOUND=return] will short-circuit the search | To consult LDAP first followed by the local sudoers file (if it exists), |
if the user was not found in the preceding source. | use: |
|
|
To consult LDAP first followed by the local sudoers file (if it | sudoers: ldap files |
exists), use: | |
|
|
sudoers: ldap files | The local _s_u_d_o_e_r_s file can be ignored completely by using: |
|
|
The local _s_u_d_o_e_r_s file can be ignored completely by using: | sudoers: ldap |
|
|
sudoers: ldap | If the _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f file is not present or there is no sudoers |
| line, the following default is assumed: |
|
|
If the _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f file is not present or there is no sudoers | sudoers: files |
line, the following default is assumed: | |
|
|
sudoers: files | Note that _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f is supported even when the underlying |
| operating system does not use an nsswitch.conf file, except on AIX (see |
| below). |
|
|
Note that _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f is supported even when the underlying |
|
operating system does not use an nsswitch.conf file. |
|
|
|
CCoonnffiigguurriinngg nneettssvvcc..ccoonnff |
CCoonnffiigguurriinngg nneettssvvcc..ccoonnff |
On AIX systems, the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is consulted instead of | On AIX systems, the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is consulted instead of |
_/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f. ssuuddoo simply treats _n_e_t_s_v_c_._c_o_n_f as a variant of | _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f. ssuuddoo simply treats _n_e_t_s_v_c_._c_o_n_f as a variant of |
_n_s_s_w_i_t_c_h_._c_o_n_f; information in the previous section unrelated to the | _n_s_s_w_i_t_c_h_._c_o_n_f; information in the previous section unrelated to the file |
file format itself still applies. | format itself still applies. |
|
|
To consult LDAP first followed by the local sudoers file (if it | To consult LDAP first followed by the local sudoers file (if it exists), |
exists), use: | use: |
|
|
sudoers = ldap, files | sudoers = ldap, files |
|
|
The local _s_u_d_o_e_r_s file can be ignored completely by using: | The local _s_u_d_o_e_r_s file can be ignored completely by using: |
|
|
sudoers = ldap | sudoers = ldap |
|
|
To treat LDAP as authoratative and only use the local sudoers file if | To treat LDAP as authoratative and only use the local sudoers file if the |
the user is not present in LDAP, use: | user is not present in LDAP, use: |
|
|
sudoers = ldap = auth, files | sudoers = ldap = auth, files |
|
|
Note that in the above example, the auth qualfier only affects user | Note that in the above example, the auth qualfier only affects user |
lookups; both LDAP and _s_u_d_o_e_r_s will be queried for Defaults entries. | lookups; both LDAP and _s_u_d_o_e_r_s will be queried for Defaults entries. |
|
|
If the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is not present or there is no sudoers | If the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is not present or there is no sudoers line, |
line, the following default is assumed: | the following default is assumed: |
|
|
sudoers = files | sudoers = files |
|
|
FFIILLEESS |
FFIILLEESS |
_/_e_t_c_/_l_d_a_p_._c_o_n_f LDAP configuration file | _/_e_t_c_/_l_d_a_p_._c_o_n_f LDAP configuration file |
|
|
_/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f determines sudoers source order | _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f determines sudoers source order |
|
|
_/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f determines sudoers source order on AIX | _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f determines sudoers source order on AIX |
|
|
EEXXAAMMPPLLEESS |
EEXXAAMMPPLLEESS |
EExxaammppllee llddaapp..ccoonnff |
EExxaammppllee llddaapp..ccoonnff |
# Either specify one or more URIs or one or more host:port pairs. | # Either specify one or more URIs or one or more host:port pairs. |
# If neither is specified sudo will default to localhost, port 389. | # If neither is specified sudo will default to localhost, port 389. |
# | # |
#host ldapserver | #host ldapserver |
#host ldapserver1 ldapserver2:390 | #host ldapserver1 ldapserver2:390 |
# | # |
# Default port if host is specified without one, defaults to 389. | # Default port if host is specified without one, defaults to 389. |
#port 389 | #port 389 |
# | # |
# URI will override the host and port settings. | # URI will override the host and port settings. |
uri ldap://ldapserver | uri ldap://ldapserver |
#uri ldaps://secureldapserver | #uri ldaps://secureldapserver |
#uri ldaps://secureldapserver ldap://ldapserver | #uri ldaps://secureldapserver ldap://ldapserver |
# | # |
# The amount of time, in seconds, to wait while trying to connect to | # The amount of time, in seconds, to wait while trying to connect to |
# an LDAP server. | # an LDAP server. |
bind_timelimit 30 | bind_timelimit 30 |
# | # |
# The amount of time, in seconds, to wait while performing an LDAP query. | # The amount of time, in seconds, to wait while performing an LDAP query. |
timelimit 30 | timelimit 30 |
# | # |
# Must be set or sudo will ignore LDAP; may be specified multiple times. | # Must be set or sudo will ignore LDAP; may be specified multiple times. |
sudoers_base ou=SUDOers,dc=example,dc=com | sudoers_base ou=SUDOers,dc=example,dc=com |
# | # |
# verbose sudoers matching from ldap | # verbose sudoers matching from ldap |
#sudoers_debug 2 | #sudoers_debug 2 |
# | # |
# Enable support for time-based entries in sudoers. | # Enable support for time-based entries in sudoers. |
#sudoers_timed yes | #sudoers_timed yes |
# | # |
# optional proxy credentials | # optional proxy credentials |
#binddn <who to search as> | #binddn <who to search as> |
#bindpw <password> | #bindpw <password> |
#rootbinddn <who to search as, uses /etc/ldap.secret for bindpw> | #rootbinddn <who to search as, uses /etc/ldap.secret for bindpw> |
# | # |
# LDAP protocol version, defaults to 3 | # LDAP protocol version, defaults to 3 |
#ldap_version 3 | #ldap_version 3 |
# | # |
# Define if you want to use an encrypted LDAP connection. | # Define if you want to use an encrypted LDAP connection. |
# Typically, you must also set the port to 636 (ldaps). | # Typically, you must also set the port to 636 (ldaps). |
#ssl on | #ssl on |
# | # |
# Define if you want to use port 389 and switch to | # Define if you want to use port 389 and switch to |
# encryption before the bind credentials are sent. | # encryption before the bind credentials are sent. |
# Only supported by LDAP servers that support the start_tls | # Only supported by LDAP servers that support the start_tls |
# extension such as OpenLDAP. | # extension such as OpenLDAP. |
#ssl start_tls | #ssl start_tls |
# | # |
# Additional TLS options follow that allow tweaking of the | # Additional TLS options follow that allow tweaking of the |
# SSL/TLS connection. | # SSL/TLS connection. |
# | # |
#tls_checkpeer yes # verify server SSL certificate | #tls_checkpeer yes # verify server SSL certificate |
#tls_checkpeer no # ignore server SSL certificate | #tls_checkpeer no # ignore server SSL certificate |
# | # |
# If you enable tls_checkpeer, specify either tls_cacertfile | # If you enable tls_checkpeer, specify either tls_cacertfile |
# or tls_cacertdir. Only supported when using OpenLDAP. | # or tls_cacertdir. Only supported when using OpenLDAP. |
# | # |
#tls_cacertfile /etc/certs/trusted_signers.pem | #tls_cacertfile /etc/certs/trusted_signers.pem |
#tls_cacertdir /etc/certs | #tls_cacertdir /etc/certs |
# | # |
# For systems that don't have /dev/random | # For systems that don't have /dev/random |
# use this along with PRNGD or EGD.pl to seed the | # use this along with PRNGD or EGD.pl to seed the |
# random number pool to generate cryptographic session keys. | # random number pool to generate cryptographic session keys. |
# Only supported when using OpenLDAP. | # Only supported when using OpenLDAP. |
# | # |
#tls_randfile /etc/egd-pool | #tls_randfile /etc/egd-pool |
# | # |
# You may restrict which ciphers are used. Consult your SSL | # You may restrict which ciphers are used. Consult your SSL |
# documentation for which options go here. | # documentation for which options go here. |
# Only supported when using OpenLDAP. | # Only supported when using OpenLDAP. |
# | # |
#tls_ciphers <cipher-list> | #tls_ciphers <cipher-list> |
# | # |
# Sudo can provide a client certificate when communicating to | # Sudo can provide a client certificate when communicating to |
# the LDAP server. | # the LDAP server. |
# Tips: | # Tips: |
# * Enable both lines at the same time. | # * Enable both lines at the same time. |
# * Do not password protect the key file. | # * Do not password protect the key file. |
# * Ensure the keyfile is only readable by root. | # * Ensure the keyfile is only readable by root. |
# | # |
# For OpenLDAP: | # For OpenLDAP: |
#tls_cert /etc/certs/client_cert.pem | #tls_cert /etc/certs/client_cert.pem |
#tls_key /etc/certs/client_key.pem | #tls_key /etc/certs/client_key.pem |
# | # |
# For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either | # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either |
# a directory, in which case the files in the directory must have the | # a directory, in which case the files in the directory must have the |
# default names (e.g. cert8.db and key4.db), or the path to the cert | # default names (e.g. cert8.db and key4.db), or the path to the cert |
# and key files themselves. However, a bug in version 5.0 of the LDAP | # and key files themselves. However, a bug in version 5.0 of the LDAP |
# SDK will prevent specific file names from working. For this reason | # SDK will prevent specific file names from working. For this reason |
# it is suggested that tls_cert and tls_key be set to a directory, | # it is suggested that tls_cert and tls_key be set to a directory, |
# not a file name. | # not a file name. |
# | # |
# The certificate database specified by tls_cert may contain CA certs | # The certificate database specified by tls_cert may contain CA certs |
# and/or the client's cert. If the client's cert is included, tls_key | # and/or the client's cert. If the client's cert is included, tls_key |
# should be specified as well. | # should be specified as well. |
# For backward compatibility, "sslpath" may be used in place of tls_cert. | # For backward compatibility, "sslpath" may be used in place of tls_cert. |
#tls_cert /var/ldap | #tls_cert /var/ldap |
#tls_key /var/ldap | #tls_key /var/ldap |
# | # |
# If using SASL authentication for LDAP (OpenSSL) | # If using SASL authentication for LDAP (OpenSSL) |
# use_sasl yes | # use_sasl yes |
# sasl_auth_id <SASL user name> | # sasl_auth_id <SASL user name> |
# rootuse_sasl yes | # rootuse_sasl yes |
# rootsasl_auth_id <SASL user name for root access> | # rootsasl_auth_id <SASL user name for root access> |
# sasl_secprops none | # sasl_secprops none |
# krb5_ccname /etc/.ldapcache | # krb5_ccname /etc/.ldapcache |
|
|
SSuuddoo sscchheemmaa ffoorr OOppeennLLDDAAPP |
SSuuddoo sscchheemmaa ffoorr OOppeennLLDDAAPP |
The following schema, in OpenLDAP format, is included with ssuuddoo source | The following schema, in OpenLDAP format, is included with ssuuddoo source |
and binary distributions as _s_c_h_e_m_a_._O_p_e_n_L_D_A_P. Simply copy it to the | and binary distributions as _s_c_h_e_m_a_._O_p_e_n_L_D_A_P. Simply copy it to the |
schema directory (e.g. _/_e_t_c_/_o_p_e_n_l_d_a_p_/_s_c_h_e_m_a), add the proper include | schema directory (e.g. _/_e_t_c_/_o_p_e_n_l_d_a_p_/_s_c_h_e_m_a), add the proper include line |
line in slapd.conf and restart ssllaappdd. | in _s_l_a_p_d_._c_o_n_f and restart ssllaappdd. |
|
|
attributetype ( 1.3.6.1.4.1.15953.9.1.1 | attributetype ( 1.3.6.1.4.1.15953.9.1.1 |
NAME 'sudoUser' | NAME 'sudoUser' |
DESC 'User(s) who may run sudo' | DESC 'User(s) who may run sudo' |
EQUALITY caseExactIA5Match | EQUALITY caseExactIA5Match |
SUBSTR caseExactIA5SubstringsMatch | SUBSTR caseExactIA5SubstringsMatch |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
|
|
attributetype ( 1.3.6.1.4.1.15953.9.1.2 | attributetype ( 1.3.6.1.4.1.15953.9.1.2 |
NAME 'sudoHost' | NAME 'sudoHost' |
DESC 'Host(s) who may run sudo' | DESC 'Host(s) who may run sudo' |
EQUALITY caseExactIA5Match | EQUALITY caseExactIA5Match |
SUBSTR caseExactIA5SubstringsMatch | SUBSTR caseExactIA5SubstringsMatch |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
|
|
attributetype ( 1.3.6.1.4.1.15953.9.1.3 | attributetype ( 1.3.6.1.4.1.15953.9.1.3 |
NAME 'sudoCommand' | NAME 'sudoCommand' |
DESC 'Command(s) to be executed by sudo' | DESC 'Command(s) to be executed by sudo' |
EQUALITY caseExactIA5Match | EQUALITY caseExactIA5Match |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
|
|
attributetype ( 1.3.6.1.4.1.15953.9.1.4 | attributetype ( 1.3.6.1.4.1.15953.9.1.4 |
NAME 'sudoRunAs' | NAME 'sudoRunAs' |
DESC 'User(s) impersonated by sudo' | DESC 'User(s) impersonated by sudo' |
EQUALITY caseExactIA5Match | EQUALITY caseExactIA5Match |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
|
|
attributetype ( 1.3.6.1.4.1.15953.9.1.5 | attributetype ( 1.3.6.1.4.1.15953.9.1.5 |
NAME 'sudoOption' | NAME 'sudoOption' |
DESC 'Options(s) followed by sudo' | DESC 'Options(s) followed by sudo' |
EQUALITY caseExactIA5Match | EQUALITY caseExactIA5Match |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
|
|
attributetype ( 1.3.6.1.4.1.15953.9.1.6 | attributetype ( 1.3.6.1.4.1.15953.9.1.6 |
NAME 'sudoRunAsUser' | NAME 'sudoRunAsUser' |
DESC 'User(s) impersonated by sudo' | DESC 'User(s) impersonated by sudo' |
EQUALITY caseExactIA5Match | EQUALITY caseExactIA5Match |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
|
|
attributetype ( 1.3.6.1.4.1.15953.9.1.7 | attributetype ( 1.3.6.1.4.1.15953.9.1.7 |
NAME 'sudoRunAsGroup' | NAME 'sudoRunAsGroup' |
DESC 'Group(s) impersonated by sudo' | DESC 'Group(s) impersonated by sudo' |
EQUALITY caseExactIA5Match | EQUALITY caseExactIA5Match |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
|
|
attributetype ( 1.3.6.1.4.1.15953.9.1.8 | attributetype ( 1.3.6.1.4.1.15953.9.1.8 |
NAME 'sudoNotBefore' | NAME 'sudoNotBefore' |
DESC 'Start of time interval for which the entry is valid' | DESC 'Start of time interval for which the entry is valid' |
EQUALITY generalizedTimeMatch | EQUALITY generalizedTimeMatch |
ORDERING generalizedTimeOrderingMatch | ORDERING generalizedTimeOrderingMatch |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) | SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) |
|
|
attributetype ( 1.3.6.1.4.1.15953.9.1.9 | attributetype ( 1.3.6.1.4.1.15953.9.1.9 |
NAME 'sudoNotAfter' | NAME 'sudoNotAfter' |
DESC 'End of time interval for which the entry is valid' | DESC 'End of time interval for which the entry is valid' |
EQUALITY generalizedTimeMatch | EQUALITY generalizedTimeMatch |
ORDERING generalizedTimeOrderingMatch | ORDERING generalizedTimeOrderingMatch |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) | SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) |
|
|
attributeTypes ( 1.3.6.1.4.1.15953.9.1.10 | attributeTypes ( 1.3.6.1.4.1.15953.9.1.10 |
NAME 'sudoOrder' | NAME 'sudoOrder' |
DESC 'an integer to order the sudoRole entries' | DESC 'an integer to order the sudoRole entries' |
EQUALITY integerMatch | EQUALITY integerMatch |
ORDERING integerOrderingMatch | ORDERING integerOrderingMatch |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) |
|
|
objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL | objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL |
DESC 'Sudoer Entries' | DESC 'Sudoer Entries' |
MUST ( cn ) | MUST ( cn ) |
MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ | MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ |
sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $ | sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $ |
sudoOrder $ description ) | sudoOrder $ description ) |
) | ) |
|
|
SSEEEE AALLSSOO |
SSEEEE AALLSSOO |
_l_d_a_p_._c_o_n_f(4), _s_u_d_o_e_r_s(4) | ldap.conf(1m), sudoers(1m) |
|
|
CCAAVVEEAATTSS |
CCAAVVEEAATTSS |
Note that there are differences in the way that LDAP-based _s_u_d_o_e_r_s is | Note that there are differences in the way that LDAP-based _s_u_d_o_e_r_s is |
parsed compared to file-based _s_u_d_o_e_r_s. See the "Differences between | parsed compared to file-based _s_u_d_o_e_r_s. See the _D_i_f_f_e_r_e_n_c_e_s _b_e_t_w_e_e_n _L_D_A_P |
LDAP and non-LDAP sudoers" section for more information. | _a_n_d _n_o_n_-_L_D_A_P _s_u_d_o_e_r_s section for more information. |
|
|
BBUUGGSS |
BBUUGGSS |
If you feel you have found a bug in ssuuddoo, please submit a bug report at | If you feel you have found a bug in ssuuddoo, please submit a bug report at |
http://www.sudo.ws/sudo/bugs/ | http://www.sudo.ws/sudo/bugs/ |
|
|
SSUUPPPPOORRTT |
SSUUPPPPOORRTT |
Limited free support is available via the sudo-users mailing list, see | Limited free support is available via the sudo-users mailing list, see |
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search | http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the |
the archives. | archives. |
|
|
DDIISSCCLLAAIIMMEERR |
DDIISSCCLLAAIIMMEERR |
ssuuddoo is provided ``AS IS'' and any express or implied warranties, | ssuuddoo is provided ``AS IS'' and any express or implied warranties, |
including, but not limited to, the implied warranties of | including, but not limited to, the implied warranties of merchantability |
merchantability and fitness for a particular purpose are disclaimed. | and fitness for a particular purpose are disclaimed. See the LICENSE |
See the LICENSE file distributed with ssuuddoo or | file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for |
http://www.sudo.ws/sudo/license.html for complete details. | complete details. |
|
|
| Sudo 1.8.6 July 12, 2012 Sudo 1.8.6 |
| |
1.8.3 September 16, 2011 SUDOERS.LDAP(4) | |