Diff for /embedaddon/sudo/doc/sudoers.ldap.cat between versions 1.1 and 1.1.1.3

version 1.1, 2012/02/21 16:23:02 version 1.1.1.3, 2012/10/09 09:29:52
Line 1 Line 1
SUDOERS.LDAP(4)              MAINTENANCE COMMANDS              SUDOERS.LDAP(4)SUDOERS.LDAP(1m)             System Manager's Manual            SUDOERS.LDAP(1m)
   
   
   
 NNAAMMEE  NNAAMMEE
       sudoers.ldap - sudo LDAP configuration     ssuuddooeerrss..llddaapp - sudo LDAP configuration
   
 DDEESSCCRRIIPPTTIIOONN  DDEESSCCRRIIPPTTIIOONN
       In addition to the standard _s_u_d_o_e_r_s file, ssuuddoo may be configured via     In addition to the standard _s_u_d_o_e_r_s file, ssuuddoo may be configured via
       LDAP.  This can be especially useful for synchronizing _s_u_d_o_e_r_s in a     LDAP.  This can be especially useful for synchronizing _s_u_d_o_e_r_s in a
       large, distributed environment.     large, distributed environment.
   
       Using LDAP for _s_u_d_o_e_r_s has several benefits:     Using LDAP for _s_u_d_o_e_r_s has several benefits:
   
       +o   ssuuddoo no longer needs to read _s_u_d_o_e_r_s in its entirety.  When LDAP is     oo   ssuuddoo no longer needs to read _s_u_d_o_e_r_s in its entirety.  When LDAP is
           used, there are only two or three LDAP queries per invocation.         used, there are only two or three LDAP queries per invocation.  This
           This makes it especially fast and particularly usable in LDAP         makes it especially fast and particularly usable in LDAP
           environments.         environments.
   
       +o   ssuuddoo no longer exits if there is a typo in _s_u_d_o_e_r_s.  It is not     oo   ssuuddoo no longer exits if there is a typo in _s_u_d_o_e_r_s.  It is not
           possible to load LDAP data into the server that does not conform to         possible to load LDAP data into the server that does not conform to
           the sudoers schema, so proper syntax is guaranteed.  It is still         the sudoers schema, so proper syntax is guaranteed.  It is still
           possible to have typos in a user or host name, but this will not         possible to have typos in a user or host name, but this will not
           prevent ssuuddoo from running.         prevent ssuuddoo from running.
   
       +o   It is possible to specify per-entry options that override the     oo   It is possible to specify per-entry options that override the global
           global default options.  _/_e_t_c_/_s_u_d_o_e_r_s only supports default options         default options.  _/_e_t_c_/_s_u_d_o_e_r_s only supports default options and
           and limited options associated with user/host/commands/aliases.         limited options associated with user/host/commands/aliases.  The
           The syntax is complicated and can be difficult for users to         syntax is complicated and can be difficult for users to understand.
           understand.  Placing the options directly in the entry is more         Placing the options directly in the entry is more natural.
           natural. 
   
       +o   The vviissuuddoo program is no longer needed.  vviissuuddoo provides locking     oo   The vviissuuddoo program is no longer needed.  vviissuuddoo provides locking and
           and syntax checking of the _/_e_t_c_/_s_u_d_o_e_r_s file.  Since LDAP updates         syntax checking of the _/_e_t_c_/_s_u_d_o_e_r_s file.  Since LDAP updates are
           are atomic, locking is no longer necessary.  Because syntax is         atomic, locking is no longer necessary.  Because syntax is checked
           checked when the data is inserted into LDAP, there is no need for a         when the data is inserted into LDAP, there is no need for a
           specialized tool to check syntax.         specialized tool to check syntax.
   
       Another major difference between LDAP and file-based _s_u_d_o_e_r_s is that in     Another major difference between LDAP and file-based _s_u_d_o_e_r_s is that in
       LDAP, ssuuddoo-specific Aliases are not supported.     LDAP, ssuuddoo-specific Aliases are not supported.
   
       For the most part, there is really no need for ssuuddoo-specific Aliases.     For the most part, there is really no need for ssuuddoo-specific Aliases.
       Unix groups or user netgroups can be used in place of User_Aliases and     Unix groups or user netgroups can be used in place of User_Aliases and
       Runas_Aliases.  Host netgroups can be used in place of Host_Aliases.     Runas_Aliases.  Host netgroups can be used in place of Host_Aliases.
       Since Unix groups and netgroups can also be stored in LDAP there is no     Since Unix groups and netgroups can also be stored in LDAP there is no
       real need for ssuuddoo-specific aliases.     real need for ssuuddoo-specific aliases.
   
       Cmnd_Aliases are not really required either since it is possible to     Cmnd_Aliases are not really required either since it is possible to have
       have multiple users listed in a sudoRole.  Instead of defining a     multiple users listed in a sudoRole.  Instead of defining a Cmnd_Alias
       Cmnd_Alias that is referenced by multiple users, one can create a     that is referenced by multiple users, one can create a sudoRole that
       sudoRole that contains the commands and assign multiple users to it.     contains the commands and assign multiple users to it.
   
    SSUUDDOOeerrss LLDDAAPP ccoonnttaaiinneerr     SSUUDDOOeerrss LLDDAAPP ccoonnttaaiinneerr
       The _s_u_d_o_e_r_s configuration is contained in the ou=SUDOers LDAP     The _s_u_d_o_e_r_s configuration is contained in the ou=SUDOers LDAP container.
       container. 
   
       Sudo first looks for the cn=default entry in the SUDOers container.  If     Sudo first looks for the cn=default entry in the SUDOers container.  If
       found, the multi-valued sudoOption attribute is parsed in the same     found, the multi-valued sudoOption attribute is parsed in the same manner
       manner as a global Defaults line in _/_e_t_c_/_s_u_d_o_e_r_s.  In the following     as a global Defaults line in _/_e_t_c_/_s_u_d_o_e_r_s.  In the following example, the
       example, the SSH_AUTH_SOCK variable will be preserved in the     SSH_AUTH_SOCK variable will be preserved in the environment for all
       environment for all users.     users.
   
           dn: cn=defaults,ou=SUDOers,dc=example,dc=com         dn: cn=defaults,ou=SUDOers,dc=example,dc=com
           objectClass: top         objectClass: top
           objectClass: sudoRole         objectClass: sudoRole
           cn: defaults         cn: defaults
           description: Default sudoOption's go here         description: Default sudoOption's go here
           sudoOption: env_keep+=SSH_AUTH_SOCK         sudoOption: env_keep+=SSH_AUTH_SOCK
   
       The equivalent of a sudoer in LDAP is a sudoRole.  It consists of the     The equivalent of a sudoer in LDAP is a sudoRole.  It consists of the
       following attributes:     following attributes:
   
       ssuuddooUUsseerr     ssuuddooUUsseerr
           A user name, uid (prefixed with '#'), Unix group (prefixed with a           A user name, user ID (prefixed with `#'), Unix group (prefixed with
           '%') or user netgroup (prefixed with a '+').           `%'), Unix group ID (prefixed with `%#'), or user netgroup
            (prefixed with `+').
   
       ssuuddooHHoosstt     ssuuddooHHoosstt
            A host name, IP address, IP network, or host netgroup (prefixed             A host name, IP address, IP network, or host netgroup (prefixed
           with a '+').  The special value ALL will match any host.           with a `+').  The special value ALL will match any host.
   
       ssuuddooCCoommmmaanndd     ssuuddooCCoommmmaanndd
            A Unix command with optional command line arguments, potentially             A Unix command with optional command line arguments, potentially
            including globbing characters (aka wild cards).  The special value             including globbing characters (aka wild cards).  The special value
            ALL will match any command.  If a command is prefixed with an             ALL will match any command.  If a command is prefixed with an
           exclamation point '!', the user will be prohibited from running           exclamation point `!', the user will be prohibited from running
            that command.             that command.
   
       ssuuddooOOppttiioonn     ssuuddooOOppttiioonn
            Identical in function to the global options described above, but             Identical in function to the global options described above, but
            specific to the sudoRole in which it resides.             specific to the sudoRole in which it resides.
   
       ssuuddooRRuunnAAssUUsseerr     ssuuddooRRuunnAAssUUsseerr
           A user name or uid (prefixed with '#') that commands may be run as           A user name or uid (prefixed with `#') that commands may be run as
           or a Unix group (prefixed with a '%') or user netgroup (prefixed           or a Unix group (prefixed with a `%') or user netgroup (prefixed
           with a '+') that contains a list of users that commands may be run           with a `+') that contains a list of users that commands may be run
            as.  The special value ALL will match any user.             as.  The special value ALL will match any user.
   
            The sudoRunAsUser attribute is only available in ssuuddoo versions             The sudoRunAsUser attribute is only available in ssuuddoo versions
            1.7.0 and higher.  Older versions of ssuuddoo use the sudoRunAs             1.7.0 and higher.  Older versions of ssuuddoo use the sudoRunAs
            attribute instead.             attribute instead.
   
       ssuuddooRRuunnAAssGGrroouupp     ssuuddooRRuunnAAssGGrroouupp
           A Unix group or gid (prefixed with '#') that commands may be run           A Unix group or gid (prefixed with `#') that commands may be run
            as.  The special value ALL will match any group.             as.  The special value ALL will match any group.
   
            The sudoRunAsGroup attribute is only available in ssuuddoo versions             The sudoRunAsGroup attribute is only available in ssuuddoo versions
            1.7.0 and higher.             1.7.0 and higher.
   
       ssuuddooNNoottBBeeffoorree     ssuuddooNNoottBBeeffoorree
            A timestamp in the form yyyymmddHHMMSSZ that can be used to provide             A timestamp in the form yyyymmddHHMMSSZ that can be used to provide
            a start date/time for when the sudoRole will be valid.  If multiple             a start date/time for when the sudoRole will be valid.  If multiple
            sudoNotBefore entries are present, the earliest is used.  Note that             sudoNotBefore entries are present, the earliest is used.  Note that
Line 119  DDEESSCCRRIIPPTTIIOONN Line 116  DDEESSCCRRIIPPTTIIOONN
            1.7.5 and higher and must be explicitly enabled via the             1.7.5 and higher and must be explicitly enabled via the
            SSUUDDOOEERRSS__TTIIMMEEDD option in _/_e_t_c_/_l_d_a_p_._c_o_n_f.             SSUUDDOOEERRSS__TTIIMMEEDD option in _/_e_t_c_/_l_d_a_p_._c_o_n_f.
   
       ssuuddooNNoottAAfftteerr     ssuuddooNNoottAAfftteerr
            A timestamp in the form yyyymmddHHMMSSZ that indicates an             A timestamp in the form yyyymmddHHMMSSZ that indicates an
            expiration date/time, after which the sudoRole will no longer be             expiration date/time, after which the sudoRole will no longer be
            valid.  If multiple sudoNotBefore entries are present, the last one             valid.  If multiple sudoNotBefore entries are present, the last one
Line 132  DDEESSCCRRIIPPTTIIOONN Line 129  DDEESSCCRRIIPPTTIIOONN
            and higher and must be explicitly enabled via the SSUUDDOOEERRSS__TTIIMMEEDD             and higher and must be explicitly enabled via the SSUUDDOOEERRSS__TTIIMMEEDD
            option in _/_e_t_c_/_l_d_a_p_._c_o_n_f.             option in _/_e_t_c_/_l_d_a_p_._c_o_n_f.
   
       ssuuddooOOrrddeerr     ssuuddooOOrrddeerr
            The sudoRole entries retrieved from the LDAP directory have no             The sudoRole entries retrieved from the LDAP directory have no
            inherent order.  The sudoOrder attribute is an integer (or floating             inherent order.  The sudoOrder attribute is an integer (or floating
            point value for LDAP servers that support it) that is used to sort             point value for LDAP servers that support it) that is used to sort
Line 140  DDEESSCCRRIIPPTTIIOONN Line 137  DDEESSCCRRIIPPTTIIOONN
            more closely mimic the behaviour of the sudoers file, where the of             more closely mimic the behaviour of the sudoers file, where the of
            the entries influences the result.  If multiple entries match, the             the entries influences the result.  If multiple entries match, the
            entry with the highest sudoOrder attribute is chosen.  This             entry with the highest sudoOrder attribute is chosen.  This
           corresponds to the "last match" behavior of the sudoers file.  If           corresponds to the ``last match'' behavior of the sudoers file.  If
            the sudoOrder attribute is not present, a value of 0 is assumed.             the sudoOrder attribute is not present, a value of 0 is assumed.
   
            The sudoOrder attribute is only available in ssuuddoo versions 1.7.5             The sudoOrder attribute is only available in ssuuddoo versions 1.7.5
            and higher.             and higher.
   
       Each attribute listed above should contain a single value, but there     Each attribute listed above should contain a single value, but there may
       may be multiple instances of each attribute type.  A sudoRole must     be multiple instances of each attribute type.  A sudoRole must contain at
       contain at least one sudoUser, sudoHost and sudoCommand.     least one sudoUser, sudoHost and sudoCommand.
   
       The following example allows users in group wheel to run any command on     The following example allows users in group wheel to run any command on
       any host via ssuuddoo:     any host via ssuuddoo:
   
           dn: cn=%wheel,ou=SUDOers,dc=example,dc=com         dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
           objectClass: top         objectClass: top
           objectClass: sudoRole         objectClass: sudoRole
           cn: %wheel         cn: %wheel
           sudoUser: %wheel         sudoUser: %wheel
           sudoHost: ALL         sudoHost: ALL
           sudoCommand: ALL         sudoCommand: ALL
   
    AAnnaattoommyy ooff LLDDAAPP ssuuddooeerrss llooookkuupp     AAnnaattoommyy ooff LLDDAAPP ssuuddooeerrss llooookkuupp
       When looking up a sudoer using LDAP there are only two or three LDAP     When looking up a sudoer using LDAP there are only two or three LDAP
       queries per invocation.  The first query is to parse the global     queries per invocation.  The first query is to parse the global options.
       options.  The second is to match against the user's name and the groups     The second is to match against the user's name and the groups that the
       that the user belongs to.  (The special ALL tag is matched in this     user belongs to.  (The special ALL tag is matched in this query too.)  If
       query too.)  If no match is returned for the user's name and groups, a     no match is returned for the user's name and groups, a third query
       third query returns all entries containing user netgroups and checks to     returns all entries containing user netgroups and checks to see if the
       see if the user belongs to any of them.     user belongs to any of them.
   
       If timed entries are enabled with the SSUUDDOOEERRSS__TTIIMMEEDD configuration     If timed entries are enabled with the SSUUDDOOEERRSS__TTIIMMEEDD configuration
       directive, the LDAP queries include a subfilter that limits retrieval     directive, the LDAP queries include a subfilter that limits retrieval to
       to entries that satisfy the time constraints, if any.     entries that satisfy the time constraints, if any.
   
    DDiiffffeerreenncceess bbeettwweeeenn LLDDAAPP aanndd nnoonn--LLDDAAPP ssuuddooeerrss     DDiiffffeerreenncceess bbeettwweeeenn LLDDAAPP aanndd nnoonn--LLDDAAPP ssuuddooeerrss
       There are some subtle differences in the way sudoers is handled once in     There are some subtle differences in the way sudoers is handled once in
       LDAP.  Probably the biggest is that according to the RFC, LDAP ordering     LDAP.  Probably the biggest is that according to the RFC, LDAP ordering
       is arbitrary and you cannot expect that Attributes and Entries are     is arbitrary and you cannot expect that Attributes and Entries are
       returned in any specific order.     returned in any specific order.
   
       The order in which different entries are applied can be controlled     The order in which different entries are applied can be controlled using
       using the sudoOrder attribute, but there is no way to guarantee the     the sudoOrder attribute, but there is no way to guarantee the order of
       order of attributes within a specific entry.  If there are conflicting     attributes within a specific entry.  If there are conflicting command
       command rules in an entry, the negative takes precedence.  This is     rules in an entry, the negative takes precedence.  This is called
       called paranoid behavior (not necessarily the most specific match).     paranoid behavior (not necessarily the most specific match).
   
       Here is an example:     Here is an example:
   
           # /etc/sudoers:         # /etc/sudoers:
           # Allow all commands except shell         # Allow all commands except shell
           johnny  ALL=(root) ALL,!/bin/sh         johnny  ALL=(root) ALL,!/bin/sh
           # Always allows all commands because ALL is matched last         # Always allows all commands because ALL is matched last
           puddles ALL=(root) !/bin/sh,ALL         puddles ALL=(root) !/bin/sh,ALL
   
           # LDAP equivalent of johnny         # LDAP equivalent of johnny
           # Allows all commands except shell         # Allows all commands except shell
           dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com         dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
           objectClass: sudoRole         objectClass: sudoRole
           objectClass: top         objectClass: top
           cn: role1         cn: role1
           sudoUser: johnny         sudoUser: johnny
           sudoHost: ALL         sudoHost: ALL
           sudoCommand: ALL         sudoCommand: ALL
           sudoCommand: !/bin/sh         sudoCommand: !/bin/sh
   
           # LDAP equivalent of puddles         # LDAP equivalent of puddles
           # Notice that even though ALL comes last, it still behaves like         # Notice that even though ALL comes last, it still behaves like
           # role1 since the LDAP code assumes the more paranoid configuration         # role1 since the LDAP code assumes the more paranoid configuration
           dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com         dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
           objectClass: sudoRole         objectClass: sudoRole
           objectClass: top         objectClass: top
           cn: role2         cn: role2
           sudoUser: puddles         sudoUser: puddles
           sudoHost: ALL         sudoHost: ALL
           sudoCommand: !/bin/sh         sudoCommand: !/bin/sh
           sudoCommand: ALL         sudoCommand: ALL
   
       Another difference is that negations on the Host, User or Runas are     Another difference is that negations on the Host, User or Runas are
       currently ignored.  For example, the following attributes do not behave     currently ignored.  For example, the following attributes do not behave
       the way one might expect.     the way one might expect.
   
           # does not match all but joe         # does not match all but joe
           # rather, does not match anyone         # rather, does not match anyone
           sudoUser: !joe         sudoUser: !joe
   
           # does not match all but joe         # does not match all but joe
           # rather, matches everyone including Joe         # rather, matches everyone including Joe
           sudoUser: ALL         sudoUser: ALL
           sudoUser: !joe         sudoUser: !joe
   
           # does not match all but web01         # does not match all but web01
           # rather, matches all hosts including web01         # rather, matches all hosts including web01
           sudoHost: ALL         sudoHost: ALL
           sudoHost: !web01         sudoHost: !web01
   
   SSuuddooeerrss SScchheemmaa   SSuuddooeerrss sscchheemmaa
       In order to use ssuuddoo's LDAP support, the ssuuddoo schema must be installed     In order to use ssuuddoo's LDAP support, the ssuuddoo schema must be installed on
       on your LDAP server.  In addition, be sure to index the 'sudoUser'     your LDAP server.  In addition, be sure to index the sudoUser attribute.
       attribute. 
   
       Three versions of the schema: one for OpenLDAP servers     Three versions of the schema: one for OpenLDAP servers (_s_c_h_e_m_a_._O_p_e_n_L_D_A_P),
       (_s_c_h_e_m_a_._O_p_e_n_L_D_A_P), one for Netscape-derived servers (_s_c_h_e_m_a_._i_P_l_a_n_e_t),     one for Netscape-derived servers (_s_c_h_e_m_a_._i_P_l_a_n_e_t), and one for Microsoft
       and one for Microsoft Active Directory (_s_c_h_e_m_a_._A_c_t_i_v_e_D_i_r_e_c_t_o_r_y) may be     Active Directory (_s_c_h_e_m_a_._A_c_t_i_v_e_D_i_r_e_c_t_o_r_y) may be found in the ssuuddoo
       found in the ssuuddoo distribution.     distribution.
   
       The schema for ssuuddoo in OpenLDAP form is included in the EXAMPLES     The schema for ssuuddoo in OpenLDAP form is also included in the _E_X_A_M_P_L_E_S
       section.     section.
   
    CCoonnffiigguurriinngg llddaapp..ccoonnff     CCoonnffiigguurriinngg llddaapp..ccoonnff
       Sudo reads the _/_e_t_c_/_l_d_a_p_._c_o_n_f file for LDAP-specific configuration.     Sudo reads the _/_e_t_c_/_l_d_a_p_._c_o_n_f file for LDAP-specific configuration.
       Typically, this file is shared amongst different LDAP-aware clients.     Typically, this file is shared amongst different LDAP-aware clients.  As
       As such, most of the settings are not ssuuddoo-specific.  Note that ssuuddoo     such, most of the settings are not ssuuddoo-specific. Note that ssuuddoo parses
       parses _/_e_t_c_/_l_d_a_p_._c_o_n_f itself and may support options that differ from     _/_e_t_c_/_l_d_a_p_._c_o_n_f itself and may support options that differ from those
       those described in the _l_d_a_p_._c_o_n_f(4) manual.     described in the system's ldap.conf(1m) manual.
   
       Also note that on systems using the OpenLDAP libraries, default values     Also note that on systems using the OpenLDAP libraries, default values
       specified in _/_e_t_c_/_o_p_e_n_l_d_a_p_/_l_d_a_p_._c_o_n_f or the user's _._l_d_a_p_r_c files are     specified in _/_e_t_c_/_o_p_e_n_l_d_a_p_/_l_d_a_p_._c_o_n_f or the user's _._l_d_a_p_r_c files are not
       not used.     used.
   
       Only those options explicitly listed in _/_e_t_c_/_l_d_a_p_._c_o_n_f as being     Only those options explicitly listed in _/_e_t_c_/_l_d_a_p_._c_o_n_f as being supported
       supported by ssuuddoo are honored.  Configuration options are listed below     by ssuuddoo are honored.  Configuration options are listed below in upper
       in upper case but are parsed in a case-independent manner.     case but are parsed in a case-independent manner.
   
       UURRII ldap[s]://[hostname[:port]] ...     UURRII _l_d_a_p_[_s_]_:_/_/_[_h_o_s_t_n_a_m_e_[_:_p_o_r_t_]_] _._._.
            Specifies a whitespace-delimited list of one or more URIs             Specifies a whitespace-delimited list of one or more URIs
            describing the LDAP server(s) to connect to.  The _p_r_o_t_o_c_o_l may be             describing the LDAP server(s) to connect to.  The _p_r_o_t_o_c_o_l may be
           either llddaapp or llddaappss, the latter being for servers that support TLS           either _l_d_a_p _l_d_a_p_s, the latter being for servers that support TLS
            (SSL) encryption.  If no _p_o_r_t is specified, the default is port 389             (SSL) encryption.  If no _p_o_r_t is specified, the default is port 389
            for ldap:// or port 636 for ldaps://.  If no _h_o_s_t_n_a_m_e is specified,             for ldap:// or port 636 for ldaps://.  If no _h_o_s_t_n_a_m_e is specified,
           ssuuddoo will connect to llooccaallhhoosstt.  Multiple UURRII lines are treated           ssuuddoo will connect to _l_o_c_a_l_h_o_s_t.  Multiple UURRII lines are treated
            identically to a UURRII line containing multiple entries.  Only             identically to a UURRII line containing multiple entries.  Only
            systems using the OpenSSL libraries support the mixing of ldap://             systems using the OpenSSL libraries support the mixing of ldap://
           and ldaps:// URIs.  The Netscape-derived libraries used on most           and ldaps:// URIs.  Both the Netscape-derived and Tivoli LDAP
           commercial versions of Unix are only capable of supporting one or           libraries used on most commercial versions of Unix are only capable
           the other.           of supporting one or the other.
   
       HHOOSSTT name[:port] ...     HHOOSSTT _n_a_m_e_[_:_p_o_r_t_] _._._.
            If no UURRII is specified, the HHOOSSTT parameter specifies a whitespace-             If no UURRII is specified, the HHOOSSTT parameter specifies a whitespace-
            delimited list of LDAP servers to connect to.  Each host may             delimited list of LDAP servers to connect to.  Each host may
           include an optional _p_o_r_t separated by a colon (':').  The HHOOSSTT           include an optional _p_o_r_t separated by a colon (`:').  The HHOOSSTT
            parameter is deprecated in favor of the UURRII specification and is             parameter is deprecated in favor of the UURRII specification and is
            included for backwards compatibility.             included for backwards compatibility.
   
       PPOORRTT port_number     PPOORRTT _p_o_r_t___n_u_m_b_e_r
            If no UURRII is specified, the PPOORRTT parameter specifies the default             If no UURRII is specified, the PPOORRTT parameter specifies the default
            port to connect to on the LDAP server if a HHOOSSTT parameter does not             port to connect to on the LDAP server if a HHOOSSTT parameter does not
            specify the port itself.  If no PPOORRTT parameter is used, the default             specify the port itself.  If no PPOORRTT parameter is used, the default
Line 291  DDEESSCCRRIIPPTTIIOONN Line 287  DDEESSCCRRIIPPTTIIOONN
            PPOORRTT parameter is deprecated in favor of the UURRII specification and             PPOORRTT parameter is deprecated in favor of the UURRII specification and
            is included for backwards compatibility.             is included for backwards compatibility.
   
       BBIINNDD__TTIIMMEELLIIMMIITT seconds     BBIINNDD__TTIIMMEELLIIMMIITT _s_e_c_o_n_d_s
            The BBIINNDD__TTIIMMEELLIIMMIITT parameter specifies the amount of time, in             The BBIINNDD__TTIIMMEELLIIMMIITT parameter specifies the amount of time, in
            seconds, to wait while trying to connect to an LDAP server.  If             seconds, to wait while trying to connect to an LDAP server.  If
            multiple UURRIIs or HHOOSSTTs are specified, this is the amount of time to             multiple UURRIIs or HHOOSSTTs are specified, this is the amount of time to
            wait before trying the next one in the list.             wait before trying the next one in the list.
   
       NNEETTWWOORRKK__TTIIMMEEOOUUTT seconds     NNEETTWWOORRKK__TTIIMMEEOOUUTT _s_e_c_o_n_d_s
            An alias for BBIINNDD__TTIIMMEELLIIMMIITT for OpenLDAP compatibility.             An alias for BBIINNDD__TTIIMMEELLIIMMIITT for OpenLDAP compatibility.
   
       TTIIMMEELLIIMMIITT seconds     TTIIMMEELLIIMMIITT _s_e_c_o_n_d_s
            The TTIIMMEELLIIMMIITT parameter specifies the amount of time, in seconds,             The TTIIMMEELLIIMMIITT parameter specifies the amount of time, in seconds,
            to wait for a response to an LDAP query.             to wait for a response to an LDAP query.
   
       TTIIMMEEOOUUTT seconds     TTIIMMEEOOUUTT _s_e_c_o_n_d_s
            The TTIIMMEEOOUUTT parameter specifies the amount of time, in seconds, to             The TTIIMMEEOOUUTT parameter specifies the amount of time, in seconds, to
            wait for a response from the various LDAP APIs.             wait for a response from the various LDAP APIs.
   
       SSUUDDOOEERRSS__BBAASSEE base     SSUUDDOOEERRSS__BBAASSEE _b_a_s_e
            The base DN to use when performing ssuuddoo LDAP queries.  Typically             The base DN to use when performing ssuuddoo LDAP queries.  Typically
            this is of the form ou=SUDOers,dc=example,dc=com for the domain             this is of the form ou=SUDOers,dc=example,dc=com for the domain
            example.com.  Multiple SSUUDDOOEERRSS__BBAASSEE lines may be specified, in             example.com.  Multiple SSUUDDOOEERRSS__BBAASSEE lines may be specified, in
            which case they are queried in the order specified.             which case they are queried in the order specified.
   
       SSUUDDOOEERRSS__SSEEAARRCCHH__FFIILLTTEERR ldap_filter     SSUUDDOOEERRSS__SSEEAARRCCHH__FFIILLTTEERR _l_d_a_p___f_i_l_t_e_r
            An LDAP filter which is used to restrict the set of records             An LDAP filter which is used to restrict the set of records
            returned when performing a ssuuddoo LDAP query.  Typically, this is of             returned when performing a ssuuddoo LDAP query.  Typically, this is of
            the form attribute=value or             the form attribute=value or
            (&(attribute=value)(attribute2=value2)).             (&(attribute=value)(attribute2=value2)).
   
       SSUUDDOOEERRSS__TTIIMMEEDD on/true/yes/off/false/no     SSUUDDOOEERRSS__TTIIMMEEDD _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o
            Whether or not to evaluate the sudoNotBefore and sudoNotAfter             Whether or not to evaluate the sudoNotBefore and sudoNotAfter
            attributes that implement time-dependent sudoers entries.             attributes that implement time-dependent sudoers entries.
   
       SSUUDDOOEERRSS__DDEEBBUUGG debug_level     SSUUDDOOEERRSS__DDEEBBUUGG _d_e_b_u_g___l_e_v_e_l
            This sets the debug level for ssuuddoo LDAP queries.  Debugging             This sets the debug level for ssuuddoo LDAP queries.  Debugging
            information is printed to the standard error.  A value of 1 results             information is printed to the standard error.  A value of 1 results
            in a moderate amount of debugging information.  A value of 2 shows             in a moderate amount of debugging information.  A value of 2 shows
Line 332  DDEESSCCRRIIPPTTIIOONN Line 328  DDEESSCCRRIIPPTTIIOONN
            be set in a production environment as the extra information is             be set in a production environment as the extra information is
            likely to confuse users.             likely to confuse users.
   
       BBIINNDDDDNN DN     BBIINNDDDDNN _D_N
            The BBIINNDDDDNN parameter specifies the identity, in the form of a             The BBIINNDDDDNN parameter specifies the identity, in the form of a
            Distinguished Name (DN), to use when performing LDAP operations.             Distinguished Name (DN), to use when performing LDAP operations.
            If not specified, LDAP operations are performed with an anonymous             If not specified, LDAP operations are performed with an anonymous
            identity.  By default, most LDAP servers will allow anonymous             identity.  By default, most LDAP servers will allow anonymous
            access.             access.
   
       BBIINNDDPPWW secret     BBIINNDDPPWW _s_e_c_r_e_t
            The BBIINNDDPPWW parameter specifies the password to use when performing             The BBIINNDDPPWW parameter specifies the password to use when performing
            LDAP operations.  This is typically used in conjunction with the             LDAP operations.  This is typically used in conjunction with the
            BBIINNDDDDNN parameter.             BBIINNDDDDNN parameter.
   
       RROOOOTTBBIINNDDDDNN DN     RROOOOTTBBIINNDDDDNN _D_N
            The RROOOOTTBBIINNDDDDNN parameter specifies the identity, in the form of a             The RROOOOTTBBIINNDDDDNN parameter specifies the identity, in the form of a
            Distinguished Name (DN), to use when performing privileged LDAP             Distinguished Name (DN), to use when performing privileged LDAP
            operations, such as _s_u_d_o_e_r_s queries.  The password corresponding to             operations, such as _s_u_d_o_e_r_s queries.  The password corresponding to
            the identity should be stored in _/_e_t_c_/_l_d_a_p_._s_e_c_r_e_t.  If not             the identity should be stored in _/_e_t_c_/_l_d_a_p_._s_e_c_r_e_t.  If not
            specified, the BBIINNDDDDNN identity is used (if any).             specified, the BBIINNDDDDNN identity is used (if any).
   
       LLDDAAPP__VVEERRSSIIOONN number     LLDDAAPP__VVEERRSSIIOONN _n_u_m_b_e_r
            The version of the LDAP protocol to use when connecting to the             The version of the LDAP protocol to use when connecting to the
            server.  The default value is protocol version 3.             server.  The default value is protocol version 3.
   
       SSSSLL on/true/yes/off/false/no     SSSSLL _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o
            If the SSSSLL parameter is set to on, true or yes, TLS (SSL)             If the SSSSLL parameter is set to on, true or yes, TLS (SSL)
            encryption is always used when communicating with the LDAP server.             encryption is always used when communicating with the LDAP server.
            Typically, this involves connecting to the server on port 636             Typically, this involves connecting to the server on port 636
            (ldaps).             (ldaps).
   
       SSSSLL start_tls     SSSSLL _s_t_a_r_t___t_l_s
            If the SSSSLL parameter is set to start_tls, the LDAP server             If the SSSSLL parameter is set to start_tls, the LDAP server
            connection is initiated normally and TLS encryption is begun before             connection is initiated normally and TLS encryption is begun before
            the bind credentials are sent.  This has the advantage of not             the bind credentials are sent.  This has the advantage of not
            requiring a dedicated port for encrypted communications.  This             requiring a dedicated port for encrypted communications.  This
            parameter is only supported by LDAP servers that honor the             parameter is only supported by LDAP servers that honor the
           start_tls extension, such as the OpenLDAP server.           _s_t_a_r_t___t_l_s extension, such as the OpenLDAP and Tivoli Directory
            servers.
   
       TTLLSS__CCHHEECCKKPPEEEERR on/true/yes/off/false/no     TTLLSS__CCHHEECCKKPPEEEERR _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o
            If enabled, TTLLSS__CCHHEECCKKPPEEEERR will cause the LDAP server's TLS             If enabled, TTLLSS__CCHHEECCKKPPEEEERR will cause the LDAP server's TLS
            certificated to be verified.  If the server's TLS certificate             certificated to be verified.  If the server's TLS certificate
            cannot be verified (usually because it is signed by an unknown             cannot be verified (usually because it is signed by an unknown
Line 378  DDEESSCCRRIIPPTTIIOONN Line 375  DDEESSCCRRIIPPTTIIOONN
            the check creates an opportunity for man-in-the-middle attacks             the check creates an opportunity for man-in-the-middle attacks
            since the server's identity will not be authenticated.  If             since the server's identity will not be authenticated.  If
            possible, the CA's certificate should be installed locally so it             possible, the CA's certificate should be installed locally so it
           can be verified.           can be verified.  This option is not supported by the Tivoli
            Directory Server LDAP libraries.
   
       TTLLSS__CCAACCEERRTT file name     TTLLSS__CCAACCEERRTT _f_i_l_e _n_a_m_e
            An alias for TTLLSS__CCAACCEERRTTFFIILLEE for OpenLDAP compatibility.             An alias for TTLLSS__CCAACCEERRTTFFIILLEE for OpenLDAP compatibility.
   
       TTLLSS__CCAACCEERRTTFFIILLEE file name     TTLLSS__CCAACCEERRTTFFIILLEE _f_i_l_e _n_a_m_e
            The path to a certificate authority bundle which contains the             The path to a certificate authority bundle which contains the
            certificates for all the Certificate Authorities the client knows             certificates for all the Certificate Authorities the client knows
            to be valid, e.g. _/_e_t_c_/_s_s_l_/_c_a_-_b_u_n_d_l_e_._p_e_m.  This option is only             to be valid, e.g. _/_e_t_c_/_s_s_l_/_c_a_-_b_u_n_d_l_e_._p_e_m.  This option is only
Line 391  DDEESSCCRRIIPPTTIIOONN Line 389  DDEESSCCRRIIPPTTIIOONN
            libraries use the same certificate database for CA and client             libraries use the same certificate database for CA and client
            certificates (see TTLLSS__CCEERRTT).             certificates (see TTLLSS__CCEERRTT).
   
       TTLLSS__CCAACCEERRTTDDIIRR directory     TTLLSS__CCAACCEERRTTDDIIRR _d_i_r_e_c_t_o_r_y
            Similar to TTLLSS__CCAACCEERRTTFFIILLEE but instead of a file, it is a directory             Similar to TTLLSS__CCAACCEERRTTFFIILLEE but instead of a file, it is a directory
            containing individual Certificate Authority certificates, e.g.             containing individual Certificate Authority certificates, e.g.
            _/_e_t_c_/_s_s_l_/_c_e_r_t_s.  The directory specified by TTLLSS__CCAACCEERRTTDDIIRR is             _/_e_t_c_/_s_s_l_/_c_e_r_t_s.  The directory specified by TTLLSS__CCAACCEERRTTDDIIRR is
            checked after TTLLSS__CCAACCEERRTTFFIILLEE.  This option is only supported by the             checked after TTLLSS__CCAACCEERRTTFFIILLEE.  This option is only supported by the
            OpenLDAP libraries.             OpenLDAP libraries.
   
       TTLLSS__CCEERRTT file name     TTLLSS__CCEERRTT _f_i_l_e _n_a_m_e
            The path to a file containing the client certificate which can be             The path to a file containing the client certificate which can be
            used to authenticate the client to the LDAP server.  The             used to authenticate the client to the LDAP server.  The
            certificate type depends on the LDAP libraries used.             certificate type depends on the LDAP libraries used.
   
            OpenLDAP:             OpenLDAP:
               tls_cert /etc/ssl/client_cert.pem                 tls_cert /etc/ssl/client_cert.pem
   
            Netscape-derived:             Netscape-derived:
               tls_cert /var/ldap/cert7.db                 tls_cert /var/ldap/cert7.db
   
           When using Netscape-derived libraries, this file may also contain           Tivoli Directory Server:
           Certificate Authority certificates.                 Unused, the key database specified by TTLLSS__KKEEYY contains both
                  keys and certificates.
   
       TTLLSS__KKEEYY file name                 When using Netscape-derived libraries, this file may also
                  contain Certificate Authority certificates.
 
      TTLLSS__KKEEYY _f_i_l_e _n_a_m_e
            The path to a file containing the private key which matches the             The path to a file containing the private key which matches the
            certificate specified by TTLLSS__CCEERRTT.  The private key must not be             certificate specified by TTLLSS__CCEERRTT.  The private key must not be
            password-protected.  The key type depends on the LDAP libraries             password-protected.  The key type depends on the LDAP libraries
            used.             used.
   
            OpenLDAP:             OpenLDAP:
               tls_key /etc/ssl/client_key.pem                 tls_key /etc/ssl/client_key.pem
   
            Netscape-derived:             Netscape-derived:
               tls_key /var/ldap/key3.db                 tls_key /var/ldap/key3.db
   
       TTLLSS__RRAANNDDFFIILLEE file name           Tivoli Directory Server:
                  tls_cert /usr/ldap/ldapkey.kdb
            When using Tivoli LDAP libraries, this file may also contain
            Certificate Authority and client certificates and may be encrypted.
 
      TTLLSS__KKEEYYPPWW _s_e_c_r_e_t
            The TTLLSS__KKEEYYPPWW contains the password used to decrypt the key
            database on clients using the Tivoli Directory Server LDAP library.
            If no TTLLSS__KKEEYYPPWW is specified, a _s_t_a_s_h _f_i_l_e will be used if it
            exists.  The _s_t_a_s_h _f_i_l_e must have the same path as the file
            specified by TTLLSS__KKEEYY, but use a .sth file extension instead of
            .kdb, e.g. ldapkey.sth.  The default ldapkey.kdb that ships with
            Tivoli Directory Server is encrypted with the password
            ssl_password.  This option is only supported by the Tivoli LDAP
            libraries.
 
      TTLLSS__RRAANNDDFFIILLEE _f_i_l_e _n_a_m_e
            The TTLLSS__RRAANNDDFFIILLEE parameter specifies the path to an entropy source             The TTLLSS__RRAANNDDFFIILLEE parameter specifies the path to an entropy source
            for systems that lack a random device.  It is generally used in             for systems that lack a random device.  It is generally used in
            conjunction with _p_r_n_g_d or _e_g_d.  This option is only supported by             conjunction with _p_r_n_g_d or _e_g_d.  This option is only supported by
            the OpenLDAP libraries.             the OpenLDAP libraries.
   
       TTLLSS__CCIIPPHHEERRSS cipher list     TTLLSS__CCIIPPHHEERRSS _c_i_p_h_e_r _l_i_s_t
            The TTLLSS__CCIIPPHHEERRSS parameter allows the administer to restrict which             The TTLLSS__CCIIPPHHEERRSS parameter allows the administer to restrict which
            encryption algorithms may be used for TLS (SSL) connections.  See             encryption algorithms may be used for TLS (SSL) connections.  See
           the OpenSSL manual for a list of valid ciphers.  This option is           the OpenLDAP or Tivoli Directory Server manual for a list of valid
           only supported by the OpenLDAP libraries.           ciphers.  This option is not supported by Netscape-derived
            libraries.
   
       UUSSEE__SSAASSLL on/true/yes/off/false/no     UUSSEE__SSAASSLL _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o
            Enable UUSSEE__SSAASSLL for LDAP servers that support SASL authentication.             Enable UUSSEE__SSAASSLL for LDAP servers that support SASL authentication.
   
       SSAASSLL__AAUUTTHH__IIDD identity     SSAASSLL__AAUUTTHH__IIDD _i_d_e_n_t_i_t_y
            The SASL user name to use when connecting to the LDAP server.  By             The SASL user name to use when connecting to the LDAP server.  By
            default, ssuuddoo will use an anonymous connection.             default, ssuuddoo will use an anonymous connection.
   
       RROOOOTTUUSSEE__SSAASSLL on/true/yes/off/false/no     RROOOOTTUUSSEE__SSAASSLL _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o
            Enable RROOOOTTUUSSEE__SSAASSLL to enable SASL authentication when connecting             Enable RROOOOTTUUSSEE__SSAASSLL to enable SASL authentication when connecting
            to an LDAP server from a privileged process, such as ssuuddoo.             to an LDAP server from a privileged process, such as ssuuddoo.
   
       RROOOOTTSSAASSLL__AAUUTTHH__IIDD identity     RROOOOTTSSAASSLL__AAUUTTHH__IIDD _i_d_e_n_t_i_t_y
            The SASL user name to use when RROOOOTTUUSSEE__SSAASSLL is enabled.             The SASL user name to use when RROOOOTTUUSSEE__SSAASSLL is enabled.
   
       SSAASSLL__SSEECCPPRROOPPSS none/properties     SSAASSLL__SSEECCPPRROOPPSS _n_o_n_e_/_p_r_o_p_e_r_t_i_e_s
            SASL security properties or _n_o_n_e for no properties.  See the SASL             SASL security properties or _n_o_n_e for no properties.  See the SASL
            programmer's manual for details.             programmer's manual for details.
   
       KKRRBB55__CCCCNNAAMMEE file name     KKRRBB55__CCCCNNAAMMEE _f_i_l_e _n_a_m_e
            The path to the Kerberos 5 credential cache to use when             The path to the Kerberos 5 credential cache to use when
            authenticating with the remote server.             authenticating with the remote server.
   
       DDEERREEFF never/searching/finding/always     DDEERREEFF _n_e_v_e_r_/_s_e_a_r_c_h_i_n_g_/_f_i_n_d_i_n_g_/_a_l_w_a_y_s
            How alias dereferencing is to be performed when searching.  See the             How alias dereferencing is to be performed when searching.  See the
           _l_d_a_p_._c_o_n_f(4) manual for a full description of this option.           ldap.conf(1m) manual for a full description of this option.
   
       See the ldap.conf entry in the EXAMPLES section.     See the _l_d_a_p_._c_o_n_f entry in the _E_X_A_M_P_L_E_S section.
   
    CCoonnffiigguurriinngg nnsssswwiittcchh..ccoonnff     CCoonnffiigguurriinngg nnsssswwiittcchh..ccoonnff
       Unless it is disabled at build time, ssuuddoo consults the Name Service     Unless it is disabled at build time, ssuuddoo consults the Name Service
       Switch file, _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f, to specify the _s_u_d_o_e_r_s search order.     Switch file, _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f, to specify the _s_u_d_o_e_r_s search order.
       Sudo looks for a line beginning with sudoers: and uses this to     Sudo looks for a line beginning with sudoers: and uses this to determine
       determine the search order.  Note that ssuuddoo does not stop searching     the search order.  Note that ssuuddoo does not stop searching after the first
       after the first match and later matches take precedence over earlier     match and later matches take precedence over earlier ones.  The following
       ones.     sources are recognized:
   
       The following sources are recognized:         files     read sudoers from _/_e_t_c_/_s_u_d_o_e_r_s
          ldap      read sudoers from LDAP
   
           files       read sudoers from F</etc/sudoers>     In addition, the entry [NOTFOUND=return] will short-circuit the search if
           ldap        read sudoers from LDAP     the user was not found in the preceding source.
   
       In addition, the entry [NOTFOUND=return] will short-circuit the search     To consult LDAP first followed by the local sudoers file (if it exists),
       if the user was not found in the preceding source.     use:
   
       To consult LDAP first followed by the local sudoers file (if it         sudoers: ldap files
       exists), use: 
   
           sudoers: ldap files     The local _s_u_d_o_e_r_s file can be ignored completely by using:
   
       The local _s_u_d_o_e_r_s file can be ignored completely by using:         sudoers: ldap
   
           sudoers: ldap     If the _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f file is not present or there is no sudoers
      line, the following default is assumed:
   
       If the _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f file is not present or there is no sudoers         sudoers: files
       line, the following default is assumed: 
   
           sudoers: files     Note that _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f is supported even when the underlying
      operating system does not use an nsswitch.conf file, except on AIX (see
      below).
   
        Note that _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f is supported even when the underlying  
        operating system does not use an nsswitch.conf file.  
   
    CCoonnffiigguurriinngg nneettssvvcc..ccoonnff     CCoonnffiigguurriinngg nneettssvvcc..ccoonnff
       On AIX systems, the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is consulted instead of     On AIX systems, the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is consulted instead of
       _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f.  ssuuddoo simply treats _n_e_t_s_v_c_._c_o_n_f as a variant of     _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f.  ssuuddoo simply treats _n_e_t_s_v_c_._c_o_n_f as a variant of
       _n_s_s_w_i_t_c_h_._c_o_n_f; information in the previous section unrelated to the     _n_s_s_w_i_t_c_h_._c_o_n_f; information in the previous section unrelated to the file
       file format itself still applies.     format itself still applies.
   
       To consult LDAP first followed by the local sudoers file (if it     To consult LDAP first followed by the local sudoers file (if it exists),
       exists), use:     use:
   
           sudoers = ldap, files         sudoers = ldap, files
   
       The local _s_u_d_o_e_r_s file can be ignored completely by using:     The local _s_u_d_o_e_r_s file can be ignored completely by using:
   
           sudoers = ldap         sudoers = ldap
   
       To treat LDAP as authoratative and only use the local sudoers file if     To treat LDAP as authoratative and only use the local sudoers file if the
       the user is not present in LDAP, use:     user is not present in LDAP, use:
   
           sudoers = ldap = auth, files         sudoers = ldap = auth, files
   
       Note that in the above example, the auth qualfier only affects user     Note that in the above example, the auth qualfier only affects user
       lookups; both LDAP and _s_u_d_o_e_r_s will be queried for Defaults entries.     lookups; both LDAP and _s_u_d_o_e_r_s will be queried for Defaults entries.
   
       If the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is not present or there is no sudoers     If the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is not present or there is no sudoers line,
       line, the following default is assumed:     the following default is assumed:
   
           sudoers = files         sudoers = files
   
 FFIILLEESS  FFIILLEESS
       _/_e_t_c_/_l_d_a_p_._c_o_n_f          LDAP configuration file     _/_e_t_c_/_l_d_a_p_._c_o_n_f            LDAP configuration file
   
       _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f      determines sudoers source order     _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f        determines sudoers source order
   
       _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f        determines sudoers source order on AIX     _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f          determines sudoers source order on AIX
   
 EEXXAAMMPPLLEESS  EEXXAAMMPPLLEESS
    EExxaammppllee llddaapp..ccoonnff     EExxaammppllee llddaapp..ccoonnff
         # Either specify one or more URIs or one or more host:port pairs.       # Either specify one or more URIs or one or more host:port pairs.
         # If neither is specified sudo will default to localhost, port 389.       # If neither is specified sudo will default to localhost, port 389.
         #       #
         #host          ldapserver       #host          ldapserver
         #host          ldapserver1 ldapserver2:390       #host          ldapserver1 ldapserver2:390
         #       #
         # Default port if host is specified without one, defaults to 389.       # Default port if host is specified without one, defaults to 389.
         #port          389       #port          389
         #       #
         # URI will override the host and port settings.       # URI will override the host and port settings.
         uri            ldap://ldapserver       uri            ldap://ldapserver
         #uri            ldaps://secureldapserver       #uri            ldaps://secureldapserver
         #uri            ldaps://secureldapserver ldap://ldapserver       #uri            ldaps://secureldapserver ldap://ldapserver
         #       #
         # The amount of time, in seconds, to wait while trying to connect to       # The amount of time, in seconds, to wait while trying to connect to
         # an LDAP server.       # an LDAP server.
         bind_timelimit 30       bind_timelimit 30
         #       #
         # The amount of time, in seconds, to wait while performing an LDAP query.       # The amount of time, in seconds, to wait while performing an LDAP query.
         timelimit 30       timelimit 30
         #       #
         # Must be set or sudo will ignore LDAP; may be specified multiple times.       # Must be set or sudo will ignore LDAP; may be specified multiple times.
         sudoers_base   ou=SUDOers,dc=example,dc=com       sudoers_base   ou=SUDOers,dc=example,dc=com
         #       #
         # verbose sudoers matching from ldap       # verbose sudoers matching from ldap
         #sudoers_debug 2       #sudoers_debug 2
         #       #
         # Enable support for time-based entries in sudoers.       # Enable support for time-based entries in sudoers.
         #sudoers_timed yes       #sudoers_timed yes
         #       #
         # optional proxy credentials       # optional proxy credentials
         #binddn        <who to search as>       #binddn        <who to search as>
         #bindpw        <password>       #bindpw        <password>
         #rootbinddn    <who to search as, uses /etc/ldap.secret for bindpw>       #rootbinddn    <who to search as, uses /etc/ldap.secret for bindpw>
         #       #
         # LDAP protocol version, defaults to 3       # LDAP protocol version, defaults to 3
         #ldap_version 3       #ldap_version 3
         #       #
         # Define if you want to use an encrypted LDAP connection.       # Define if you want to use an encrypted LDAP connection.
         # Typically, you must also set the port to 636 (ldaps).       # Typically, you must also set the port to 636 (ldaps).
         #ssl on       #ssl on
         #       #
         # Define if you want to use port 389 and switch to       # Define if you want to use port 389 and switch to
         # encryption before the bind credentials are sent.       # encryption before the bind credentials are sent.
         # Only supported by LDAP servers that support the start_tls       # Only supported by LDAP servers that support the start_tls
         # extension such as OpenLDAP.       # extension such as OpenLDAP.
         #ssl start_tls       #ssl start_tls
         #       #
         # Additional TLS options follow that allow tweaking of the       # Additional TLS options follow that allow tweaking of the
         # SSL/TLS connection.       # SSL/TLS connection.
         #       #
         #tls_checkpeer yes # verify server SSL certificate       #tls_checkpeer yes # verify server SSL certificate
         #tls_checkpeer no  # ignore server SSL certificate       #tls_checkpeer no  # ignore server SSL certificate
         #       #
         # If you enable tls_checkpeer, specify either tls_cacertfile       # If you enable tls_checkpeer, specify either tls_cacertfile
         # or tls_cacertdir.  Only supported when using OpenLDAP.       # or tls_cacertdir.  Only supported when using OpenLDAP.
         #       #
         #tls_cacertfile /etc/certs/trusted_signers.pem       #tls_cacertfile /etc/certs/trusted_signers.pem
         #tls_cacertdir  /etc/certs       #tls_cacertdir  /etc/certs
         #       #
         # For systems that don't have /dev/random       # For systems that don't have /dev/random
         # use this along with PRNGD or EGD.pl to seed the       # use this along with PRNGD or EGD.pl to seed the
         # random number pool to generate cryptographic session keys.       # random number pool to generate cryptographic session keys.
         # Only supported when using OpenLDAP.       # Only supported when using OpenLDAP.
         #       #
         #tls_randfile /etc/egd-pool       #tls_randfile /etc/egd-pool
         #       #
         # You may restrict which ciphers are used.  Consult your SSL       # You may restrict which ciphers are used.  Consult your SSL
         # documentation for which options go here.       # documentation for which options go here.
         # Only supported when using OpenLDAP.       # Only supported when using OpenLDAP.
         #       #
         #tls_ciphers <cipher-list>       #tls_ciphers <cipher-list>
         #       #
         # Sudo can provide a client certificate when communicating to       # Sudo can provide a client certificate when communicating to
         # the LDAP server.       # the LDAP server.
         # Tips:       # Tips:
         #   * Enable both lines at the same time.       #   * Enable both lines at the same time.
         #   * Do not password protect the key file.       #   * Do not password protect the key file.
         #   * Ensure the keyfile is only readable by root.       #   * Ensure the keyfile is only readable by root.
         #       #
         # For OpenLDAP:       # For OpenLDAP:
         #tls_cert /etc/certs/client_cert.pem       #tls_cert /etc/certs/client_cert.pem
         #tls_key  /etc/certs/client_key.pem       #tls_key  /etc/certs/client_key.pem
         #       #
         # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either       # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
         # a directory, in which case the files in the directory must have the       # a directory, in which case the files in the directory must have the
         # default names (e.g. cert8.db and key4.db), or the path to the cert       # default names (e.g. cert8.db and key4.db), or the path to the cert
         # and key files themselves.  However, a bug in version 5.0 of the LDAP       # and key files themselves.  However, a bug in version 5.0 of the LDAP
         # SDK will prevent specific file names from working.  For this reason       # SDK will prevent specific file names from working.  For this reason
         # it is suggested that tls_cert and tls_key be set to a directory,       # it is suggested that tls_cert and tls_key be set to a directory,
         # not a file name.       # not a file name.
         #       #
         # The certificate database specified by tls_cert may contain CA certs       # The certificate database specified by tls_cert may contain CA certs
         # and/or the client's cert.  If the client's cert is included, tls_key       # and/or the client's cert.  If the client's cert is included, tls_key
         # should be specified as well.       # should be specified as well.
         # For backward compatibility, "sslpath" may be used in place of tls_cert.       # For backward compatibility, "sslpath" may be used in place of tls_cert.
         #tls_cert /var/ldap       #tls_cert /var/ldap
         #tls_key /var/ldap       #tls_key /var/ldap
         #       #
         # If using SASL authentication for LDAP (OpenSSL)       # If using SASL authentication for LDAP (OpenSSL)
         # use_sasl yes       # use_sasl yes
         # sasl_auth_id <SASL user name>       # sasl_auth_id <SASL user name>
         # rootuse_sasl yes       # rootuse_sasl yes
         # rootsasl_auth_id <SASL user name for root access>       # rootsasl_auth_id <SASL user name for root access>
         # sasl_secprops none       # sasl_secprops none
         # krb5_ccname /etc/.ldapcache       # krb5_ccname /etc/.ldapcache
   
    SSuuddoo sscchheemmaa ffoorr OOppeennLLDDAAPP     SSuuddoo sscchheemmaa ffoorr OOppeennLLDDAAPP
       The following schema, in OpenLDAP format, is included with ssuuddoo source     The following schema, in OpenLDAP format, is included with ssuuddoo source
       and binary distributions as _s_c_h_e_m_a_._O_p_e_n_L_D_A_P.  Simply copy it to the     and binary distributions as _s_c_h_e_m_a_._O_p_e_n_L_D_A_P.  Simply copy it to the
       schema directory (e.g. _/_e_t_c_/_o_p_e_n_l_d_a_p_/_s_c_h_e_m_a), add the proper include     schema directory (e.g. _/_e_t_c_/_o_p_e_n_l_d_a_p_/_s_c_h_e_m_a), add the proper include line
       line in slapd.conf and restart ssllaappdd.     in _s_l_a_p_d_._c_o_n_f and restart ssllaappdd.
   
        attributetype ( 1.3.6.1.4.1.15953.9.1.1       attributetype ( 1.3.6.1.4.1.15953.9.1.1
           NAME 'sudoUser'          NAME 'sudoUser'
           DESC 'User(s) who may  run sudo'          DESC 'User(s) who may  run sudo'
           EQUALITY caseExactIA5Match          EQUALITY caseExactIA5Match
           SUBSTR caseExactIA5SubstringsMatch          SUBSTR caseExactIA5SubstringsMatch
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )          SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
   
        attributetype ( 1.3.6.1.4.1.15953.9.1.2       attributetype ( 1.3.6.1.4.1.15953.9.1.2
           NAME 'sudoHost'          NAME 'sudoHost'
           DESC 'Host(s) who may run sudo'          DESC 'Host(s) who may run sudo'
           EQUALITY caseExactIA5Match          EQUALITY caseExactIA5Match
           SUBSTR caseExactIA5SubstringsMatch          SUBSTR caseExactIA5SubstringsMatch
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )          SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
   
        attributetype ( 1.3.6.1.4.1.15953.9.1.3       attributetype ( 1.3.6.1.4.1.15953.9.1.3
           NAME 'sudoCommand'          NAME 'sudoCommand'
           DESC 'Command(s) to be executed by sudo'          DESC 'Command(s) to be executed by sudo'
           EQUALITY caseExactIA5Match          EQUALITY caseExactIA5Match
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )          SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
   
        attributetype ( 1.3.6.1.4.1.15953.9.1.4       attributetype ( 1.3.6.1.4.1.15953.9.1.4
           NAME 'sudoRunAs'          NAME 'sudoRunAs'
           DESC 'User(s) impersonated by sudo'          DESC 'User(s) impersonated by sudo'
           EQUALITY caseExactIA5Match          EQUALITY caseExactIA5Match
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )          SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
   
        attributetype ( 1.3.6.1.4.1.15953.9.1.5       attributetype ( 1.3.6.1.4.1.15953.9.1.5
           NAME 'sudoOption'          NAME 'sudoOption'
           DESC 'Options(s) followed by sudo'          DESC 'Options(s) followed by sudo'
           EQUALITY caseExactIA5Match          EQUALITY caseExactIA5Match
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )          SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
   
        attributetype ( 1.3.6.1.4.1.15953.9.1.6       attributetype ( 1.3.6.1.4.1.15953.9.1.6
           NAME 'sudoRunAsUser'          NAME 'sudoRunAsUser'
           DESC 'User(s) impersonated by sudo'          DESC 'User(s) impersonated by sudo'
           EQUALITY caseExactIA5Match          EQUALITY caseExactIA5Match
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )          SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
   
        attributetype ( 1.3.6.1.4.1.15953.9.1.7       attributetype ( 1.3.6.1.4.1.15953.9.1.7
           NAME 'sudoRunAsGroup'          NAME 'sudoRunAsGroup'
           DESC 'Group(s) impersonated by sudo'          DESC 'Group(s) impersonated by sudo'
           EQUALITY caseExactIA5Match          EQUALITY caseExactIA5Match
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )          SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
   
        attributetype ( 1.3.6.1.4.1.15953.9.1.8       attributetype ( 1.3.6.1.4.1.15953.9.1.8
           NAME 'sudoNotBefore'          NAME 'sudoNotBefore'
           DESC 'Start of time interval for which the entry is valid'          DESC 'Start of time interval for which the entry is valid'
           EQUALITY generalizedTimeMatch          EQUALITY generalizedTimeMatch
           ORDERING generalizedTimeOrderingMatch          ORDERING generalizedTimeOrderingMatch
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )          SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
   
        attributetype ( 1.3.6.1.4.1.15953.9.1.9       attributetype ( 1.3.6.1.4.1.15953.9.1.9
           NAME 'sudoNotAfter'          NAME 'sudoNotAfter'
           DESC 'End of time interval for which the entry is valid'          DESC 'End of time interval for which the entry is valid'
           EQUALITY generalizedTimeMatch          EQUALITY generalizedTimeMatch
           ORDERING generalizedTimeOrderingMatch          ORDERING generalizedTimeOrderingMatch
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )          SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
   
        attributeTypes ( 1.3.6.1.4.1.15953.9.1.10       attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
            NAME 'sudoOrder'           NAME 'sudoOrder'
            DESC 'an integer to order the sudoRole entries'           DESC 'an integer to order the sudoRole entries'
            EQUALITY integerMatch           EQUALITY integerMatch
            ORDERING integerOrderingMatch           ORDERING integerOrderingMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )           SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
   
        objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL       objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
           DESC 'Sudoer Entries'          DESC 'Sudoer Entries'
           MUST ( cn )          MUST ( cn )
           MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $          MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
                 sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $                sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
                 sudoOrder $ description )                sudoOrder $ description )
           )          )
   
 SSEEEE AALLSSOO  SSEEEE AALLSSOO
       _l_d_a_p_._c_o_n_f(4), _s_u_d_o_e_r_s(4)     ldap.conf(1m), sudoers(1m)
   
 CCAAVVEEAATTSS  CCAAVVEEAATTSS
       Note that there are differences in the way that LDAP-based _s_u_d_o_e_r_s is     Note that there are differences in the way that LDAP-based _s_u_d_o_e_r_s is
       parsed compared to file-based _s_u_d_o_e_r_s.  See the "Differences between     parsed compared to file-based _s_u_d_o_e_r_s.  See the _D_i_f_f_e_r_e_n_c_e_s _b_e_t_w_e_e_n _L_D_A_P
       LDAP and non-LDAP sudoers" section for more information.     _a_n_d _n_o_n_-_L_D_A_P _s_u_d_o_e_r_s section for more information.
   
 BBUUGGSS  BBUUGGSS
       If you feel you have found a bug in ssuuddoo, please submit a bug report at     If you feel you have found a bug in ssuuddoo, please submit a bug report at
       http://www.sudo.ws/sudo/bugs/     http://www.sudo.ws/sudo/bugs/
   
 SSUUPPPPOORRTT  SSUUPPPPOORRTT
       Limited free support is available via the sudo-users mailing list, see     Limited free support is available via the sudo-users mailing list, see
       http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search     http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
       the archives.     archives.
   
 DDIISSCCLLAAIIMMEERR  DDIISSCCLLAAIIMMEERR
       ssuuddoo is provided ``AS IS'' and any express or implied warranties,     ssuuddoo is provided ``AS IS'' and any express or implied warranties,
       including, but not limited to, the implied warranties of     including, but not limited to, the implied warranties of merchantability
       merchantability and fitness for a particular purpose are disclaimed.     and fitness for a particular purpose are disclaimed.  See the LICENSE
       See the LICENSE file distributed with ssuuddoo or     file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
       http://www.sudo.ws/sudo/license.html for complete details.     complete details.
   
Sudo 1.8.6                       July 12, 2012                      Sudo 1.8.6
 
1.8.3                         September 16, 2011               SUDOERS.LDAP(4) 

Removed from v.1.1  
changed lines
  Added in v.1.1.1.3


FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>