|
version 1.1.1.3, 2012/10/09 09:29:52
|
version 1.1.1.5, 2013/10/14 07:56:34
|
|
Line 37 D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
|
Line 37 D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
|
| LDAP, s�su�ud�do�o-specific Aliases are not supported. |
LDAP, s�su�ud�do�o-specific Aliases are not supported. |
| |
|
| For the most part, there is really no need for s�su�ud�do�o-specific Aliases. |
For the most part, there is really no need for s�su�ud�do�o-specific Aliases. |
| Unix groups or user netgroups can be used in place of User_Aliases and | Unix groups, non-Unix groups (via the _�g_�r_�o_�u_�p_�__�p_�l_�u_�g_�i_�n) or user netgroups can |
| Runas_Aliases. Host netgroups can be used in place of Host_Aliases. | be used in place of User_Aliases and Runas_Aliases. Host netgroups can |
| Since Unix groups and netgroups can also be stored in LDAP there is no | be used in place of Host_Aliases. Since groups and netgroups can also be |
| real need for s�su�ud�do�o-specific aliases. | stored in LDAP there is no real need for s�su�ud�do�o-specific aliases. |
| |
|
| Cmnd_Aliases are not really required either since it is possible to have |
Cmnd_Aliases are not really required either since it is possible to have |
| multiple users listed in a sudoRole. Instead of defining a Cmnd_Alias |
multiple users listed in a sudoRole. Instead of defining a Cmnd_Alias |
|
Line 67 D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
|
Line 67 D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
|
| following attributes: |
following attributes: |
| |
|
| s�su�ud�do�oU�Us�se�er�r |
s�su�ud�do�oU�Us�se�er�r |
| A user name, user ID (prefixed with `#'), Unix group (prefixed with | A user name, user ID (prefixed with `#'), Unix group name or ID |
| `%'), Unix group ID (prefixed with `%#'), or user netgroup | (prefixed with `%' or `%#' respectively), user netgroup (prefixed |
| (prefixed with `+'). | with `+'), or non-Unix group name or ID (prefixed with `%:' or |
| | `%:#' respectively). Non-Unix group support is only available when |
| | an appropriate _�g_�r_�o_�u_�p_�__�p_�l_�u_�g_�i_�n is defined in the global _�d_�e_�f_�a_�u_�l_�t_�s |
| | sudoRole object. |
| |
|
| s�su�ud�do�oH�Ho�os�st�t |
s�su�ud�do�oH�Ho�os�st�t |
| A host name, IP address, IP network, or host netgroup (prefixed |
A host name, IP address, IP network, or host netgroup (prefixed |
| with a `+'). The special value ALL will match any host. |
with a `+'). The special value ALL will match any host. |
| |
|
| s�su�ud�do�oC�Co�om�mm�ma�an�nd�d |
s�su�ud�do�oC�Co�om�mm�ma�an�nd�d |
| A Unix command with optional command line arguments, potentially | A fully-qualified Unix command name with optional command line |
| including globbing characters (aka wild cards). The special value | arguments, potentially including globbing characters (aka wild |
| ALL will match any command. If a command is prefixed with an | cards). If a command name is preceded by an exclamation point, |
| exclamation point `!', the user will be prohibited from running | `!', the user will be prohibited from running that command. |
| that command. | |
| |
|
| |
The built-in command ``sudoedit'' is used to permit a user to run |
| |
s�su�ud�do�o with the -�-e�e option (or as s�su�ud�do�oe�ed�di�it�t). It may take command line |
| |
arguments just as a normal command does. Note that ``sudoedit'' is |
| |
a command built into s�su�ud�do�o itself and must be specified in without a |
| |
leading path. |
| |
|
| |
The special value ALL will match any command. |
| |
|
| |
If a command name is prefixed with a SHA-2 digest, it will only be |
| |
allowed if the digest matches. This may be useful in situations |
| |
where the user invoking s�su�ud�do�o has write access to the command or its |
| |
parent directory. The following digest formats are supported: |
| |
sha224, sha256, sha384 and sha512. The digest name must be |
| |
followed by a colon (`:') and then the actual digest, in either hex |
| |
or base64 format. For example, given the following value for |
| |
sudoCommand: |
| |
|
| |
sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ /bin/ls |
| |
|
| |
The user may only run _�/_�b_�i_�n_�/_�l_�s if its sha224 digest matches the |
| |
specified value. Command digests are only supported by version |
| |
1.8.7 or higher. |
| |
|
| s�su�ud�do�oO�Op�pt�ti�io�on�n |
s�su�ud�do�oO�Op�pt�ti�io�on�n |
| Identical in function to the global options described above, but |
Identical in function to the global options described above, but |
| specific to the sudoRole in which it resides. |
specific to the sudoRole in which it resides. |
|
Line 134 D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
|
Line 159 D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
|
| inherent order. The sudoOrder attribute is an integer (or floating |
inherent order. The sudoOrder attribute is an integer (or floating |
| point value for LDAP servers that support it) that is used to sort |
point value for LDAP servers that support it) that is used to sort |
| the matching entries. This allows LDAP-based sudoers entries to |
the matching entries. This allows LDAP-based sudoers entries to |
| more closely mimic the behaviour of the sudoers file, where the of | more closely mimic the behavior of the sudoers file, where the of |
| the entries influences the result. If multiple entries match, the |
the entries influences the result. If multiple entries match, the |
| entry with the highest sudoOrder attribute is chosen. This |
entry with the highest sudoOrder attribute is chosen. This |
| corresponds to the ``last match'' behavior of the sudoers file. If |
corresponds to the ``last match'' behavior of the sudoers file. If |
|
Line 168 D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
|
Line 193 D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
|
| user belongs to any of them. |
user belongs to any of them. |
| |
|
| If timed entries are enabled with the S�SU�UD�DO�OE�ER�RS�S_�_T�TI�IM�ME�ED�D configuration |
If timed entries are enabled with the S�SU�UD�DO�OE�ER�RS�S_�_T�TI�IM�ME�ED�D configuration |
| directive, the LDAP queries include a subfilter that limits retrieval to | directive, the LDAP queries include a sub-filter that limits retrieval to |
| entries that satisfy the time constraints, if any. |
entries that satisfy the time constraints, if any. |
| |
|
| D�Di�if�ff�fe�er�re�en�nc�ce�es�s b�be�et�tw�we�ee�en�n L�LD�DA�AP�P a�an�nd�d n�no�on�n-�-L�LD�DA�AP�P s�su�ud�do�oe�er�rs�s |
D�Di�if�ff�fe�er�re�en�nc�ce�es�s b�be�et�tw�we�ee�en�n L�LD�DA�AP�P a�an�nd�d n�no�on�n-�-L�LD�DA�AP�P s�su�ud�do�oe�er�rs�s |
|
Line 246 D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
|
Line 271 D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
|
| |
|
| C�Co�on�nf�fi�ig�gu�ur�ri�in�ng�g l�ld�da�ap�p.�.c�co�on�nf�f |
C�Co�on�nf�fi�ig�gu�ur�ri�in�ng�g l�ld�da�ap�p.�.c�co�on�nf�f |
| Sudo reads the _�/_�e_�t_�c_�/_�l_�d_�a_�p_�._�c_�o_�n_�f file for LDAP-specific configuration. |
Sudo reads the _�/_�e_�t_�c_�/_�l_�d_�a_�p_�._�c_�o_�n_�f file for LDAP-specific configuration. |
| Typically, this file is shared amongst different LDAP-aware clients. As | Typically, this file is shared between different LDAP-aware clients. As |
| such, most of the settings are not s�su�ud�do�o-specific. Note that s�su�ud�do�o parses |
such, most of the settings are not s�su�ud�do�o-specific. Note that s�su�ud�do�o parses |
| _�/_�e_�t_�c_�/_�l_�d_�a_�p_�._�c_�o_�n_�f itself and may support options that differ from those |
_�/_�e_�t_�c_�/_�l_�d_�a_�p_�._�c_�o_�n_�f itself and may support options that differ from those |
| described in the system's ldap.conf(1m) manual. | described in the system's ldap.conf(1m) manual. The path to _�l_�d_�a_�p_�._�c_�o_�n_�f may |
| | be overridden via the _�l_�d_�a_�p_�__�c_�o_�n_�f plugin argument in sudo.conf(4). |
| |
|
| Also note that on systems using the OpenLDAP libraries, default values |
Also note that on systems using the OpenLDAP libraries, default values |
| specified in _�/_�e_�t_�c_�/_�o_�p_�e_�n_�l_�d_�a_�p_�/_�l_�d_�a_�p_�._�c_�o_�n_�f or the user's _�._�l_�d_�a_�p_�r_�c files are not |
specified in _�/_�e_�t_�c_�/_�o_�p_�e_�n_�l_�d_�a_�p_�/_�l_�d_�a_�p_�._�c_�o_�n_�f or the user's _�._�l_�d_�a_�p_�r_�c files are not |
|
Line 259 D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
|
Line 285 D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
|
| by s�su�ud�do�o are honored. Configuration options are listed below in upper |
by s�su�ud�do�o are honored. Configuration options are listed below in upper |
| case but are parsed in a case-independent manner. |
case but are parsed in a case-independent manner. |
| |
|
| |
The pound sign (`#') is used to indicate a comment. Both the comment |
| |
character and any text after it, up to the end of the line, are ignored. |
| |
Long lines can be continued with a backslash (`\') as the last character |
| |
on the line. Note that leading white space is removed from the beginning |
| |
of lines even when the continuation character is used. |
| |
|
| U�UR�RI�I _�l_�d_�a_�p_�[_�s_�]_�:_�/_�/_�[_�h_�o_�s_�t_�n_�a_�m_�e_�[_�:_�p_�o_�r_�t_�]_�] _�._�._�. |
U�UR�RI�I _�l_�d_�a_�p_�[_�s_�]_�:_�/_�/_�[_�h_�o_�s_�t_�n_�a_�m_�e_�[_�:_�p_�o_�r_�t_�]_�] _�._�._�. |
| Specifies a whitespace-delimited list of one or more URIs | Specifies a white space-delimited list of one or more URIs |
| describing the LDAP server(s) to connect to. The _�p_�r_�o_�t_�o_�c_�o_�l may be |
describing the LDAP server(s) to connect to. The _�p_�r_�o_�t_�o_�c_�o_�l may be |
| either _�l_�d_�a_�p _�l_�d_�a_�p_�s, the latter being for servers that support TLS |
either _�l_�d_�a_�p _�l_�d_�a_�p_�s, the latter being for servers that support TLS |
| (SSL) encryption. If no _�p_�o_�r_�t is specified, the default is port 389 |
(SSL) encryption. If no _�p_�o_�r_�t is specified, the default is port 389 |
|
Line 273 D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
|
Line 305 D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
|
| of supporting one or the other. |
of supporting one or the other. |
| |
|
| H�HO�OS�ST�T _�n_�a_�m_�e_�[_�:_�p_�o_�r_�t_�] _�._�._�. |
H�HO�OS�ST�T _�n_�a_�m_�e_�[_�:_�p_�o_�r_�t_�] _�._�._�. |
| If no U�UR�RI�I is specified, the H�HO�OS�ST�T parameter specifies a whitespace- | If no U�UR�RI�I is specified, the H�HO�OS�ST�T parameter specifies a white space- |
| delimited list of LDAP servers to connect to. Each host may |
delimited list of LDAP servers to connect to. Each host may |
| include an optional _�p_�o_�r_�t separated by a colon (`:'). The H�HO�OS�ST�T |
include an optional _�p_�o_�r_�t separated by a colon (`:'). The H�HO�OS�ST�T |
| parameter is deprecated in favor of the U�UR�RI�I specification and is |
parameter is deprecated in favor of the U�UR�RI�I specification and is |
|
Line 328 D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
|
Line 360 D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
|
| be set in a production environment as the extra information is |
be set in a production environment as the extra information is |
| likely to confuse users. |
likely to confuse users. |
| |
|
| |
The S�SU�UD�DO�OE�ER�RS�S_�_D�DE�EB�BU�UG�G parameter is deprecated and will be removed in a |
| |
future release. The same information is now logged via the s�su�ud�do�o |
| |
debugging framework using the ``ldap'' subsystem at priorities _�d_�i_�a_�g |
| |
and _�i_�n_�f_�o for _�d_�e_�b_�u_�g_�__�l_�e_�v_�e_�l values 1 and 2 respectively. See the |
| |
sudo.conf(4) manual for details on how to configure s�su�ud�do�o debugging. |
| |
|
| B�BI�IN�ND�DD�DN�N _�D_�N |
B�BI�IN�ND�DD�DN�N _�D_�N |
| The B�BI�IN�ND�DD�DN�N parameter specifies the identity, in the form of a |
The B�BI�IN�ND�DD�DN�N parameter specifies the identity, in the form of a |
| Distinguished Name (DN), to use when performing LDAP operations. |
Distinguished Name (DN), to use when performing LDAP operations. |
|
Line 344 D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
|
Line 382 D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
|
| The R�RO�OO�OT�TB�BI�IN�ND�DD�DN�N parameter specifies the identity, in the form of a |
The R�RO�OO�OT�TB�BI�IN�ND�DD�DN�N parameter specifies the identity, in the form of a |
| Distinguished Name (DN), to use when performing privileged LDAP |
Distinguished Name (DN), to use when performing privileged LDAP |
| operations, such as _�s_�u_�d_�o_�e_�r_�s queries. The password corresponding to |
operations, such as _�s_�u_�d_�o_�e_�r_�s queries. The password corresponding to |
| the identity should be stored in _�/_�e_�t_�c_�/_�l_�d_�a_�p_�._�s_�e_�c_�r_�e_�t. If not | the identity should be stored in the or the path specified by the |
| specified, the B�BI�IN�ND�DD�DN�N identity is used (if any). | _�l_�d_�a_�p_�__�s_�e_�c_�r_�e_�t plugin argument in sudo.conf(4), which defaults to |
| | _�/_�e_�t_�c_�/_�l_�d_�a_�p_�._�s_�e_�c_�r_�e_�t. If no R�RO�OO�OT�TB�BI�IN�ND�DD�DN�N is specified, the B�BI�IN�ND�DD�DN�N |
| | identity is used (if any). |
| |
|
| L�LD�DA�AP�P_�_V�VE�ER�RS�SI�IO�ON�N _�n_�u_�m_�b_�e_�r |
L�LD�DA�AP�P_�_V�VE�ER�RS�SI�IO�ON�N _�n_�u_�m_�b_�e_�r |
| The version of the LDAP protocol to use when connecting to the |
The version of the LDAP protocol to use when connecting to the |
|
Line 427 D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
|
Line 467 D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
|
| tls_key /var/ldap/key3.db |
tls_key /var/ldap/key3.db |
| |
|
| Tivoli Directory Server: |
Tivoli Directory Server: |
| tls_cert /usr/ldap/ldapkey.kdb | tls_key /usr/ldap/ldapkey.kdb |
| When using Tivoli LDAP libraries, this file may also contain |
When using Tivoli LDAP libraries, this file may also contain |
| Certificate Authority and client certificates and may be encrypted. |
Certificate Authority and client certificates and may be encrypted. |
| |
|
| T�TL�LS�S_�_K�KE�EY�YP�PW�W _�s_�e_�c_�r_�e_�t |
T�TL�LS�S_�_K�KE�EY�YP�PW�W _�s_�e_�c_�r_�e_�t |
| The T�TL�LS�S_�_K�KE�EY�YP�PW�W contains the password used to decrypt the key |
The T�TL�LS�S_�_K�KE�EY�YP�PW�W contains the password used to decrypt the key |
| database on clients using the Tivoli Directory Server LDAP library. |
database on clients using the Tivoli Directory Server LDAP library. |
| |
This should be a simple string without quotes. The password may |
| |
not include the comment character (`#') and escaping of special |
| |
characters with a backslash (`\') is not supported. If this option |
| |
is used, _�/_�e_�t_�c_�/_�l_�d_�a_�p_�._�c_�o_�n_�f must not be world-readable to avoid |
| |
exposing the password. Alternately, a _�s_�t_�a_�s_�h _�f_�i_�l_�e can be used to |
| |
store the password in encrypted form (see below). |
| |
|
| If no T�TL�LS�S_�_K�KE�EY�YP�PW�W is specified, a _�s_�t_�a_�s_�h _�f_�i_�l_�e will be used if it |
If no T�TL�LS�S_�_K�KE�EY�YP�PW�W is specified, a _�s_�t_�a_�s_�h _�f_�i_�l_�e will be used if it |
| exists. The _�s_�t_�a_�s_�h _�f_�i_�l_�e must have the same path as the file |
exists. The _�s_�t_�a_�s_�h _�f_�i_�l_�e must have the same path as the file |
| specified by T�TL�LS�S_�_K�KE�EY�Y, but use a .sth file extension instead of |
specified by T�TL�LS�S_�_K�KE�EY�Y, but use a .sth file extension instead of |
| .kdb, e.g. ldapkey.sth. The default ldapkey.kdb that ships with |
.kdb, e.g. ldapkey.sth. The default ldapkey.kdb that ships with |
| Tivoli Directory Server is encrypted with the password |
Tivoli Directory Server is encrypted with the password |
| ssl_password. This option is only supported by the Tivoli LDAP | ssl_password. The _�g_�s_�k_�8_�c_�a_�p_�i_�c_�m_�d utility can be used to manage the |
| libraries. | key database and create a _�s_�t_�a_�s_�h _�f_�i_�l_�e. This option is only |
| | supported by the Tivoli LDAP libraries. |
| |
|
| T�TL�LS�S_�_R�RA�AN�ND�DF�FI�IL�LE�E _�f_�i_�l_�e _�n_�a_�m_�e |
T�TL�LS�S_�_R�RA�AN�ND�DF�FI�IL�LE�E _�f_�i_�l_�e _�n_�a_�m_�e |
| The T�TL�LS�S_�_R�RA�AN�ND�DF�FI�IL�LE�E parameter specifies the path to an entropy source |
The T�TL�LS�S_�_R�RA�AN�ND�DF�FI�IL�LE�E parameter specifies the path to an entropy source |
|
Line 530 D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
|
Line 578 D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
|
| |
|
| sudoers = ldap |
sudoers = ldap |
| |
|
| To treat LDAP as authoratative and only use the local sudoers file if the | To treat LDAP as authoritative and only use the local sudoers file if the |
| user is not present in LDAP, use: |
user is not present in LDAP, use: |
| |
|
| sudoers = ldap = auth, files |
sudoers = ldap = auth, files |
| |
|
| Note that in the above example, the auth qualfier only affects user | Note that in the above example, the auth qualifier only affects user |
| lookups; both LDAP and _�s_�u_�d_�o_�e_�r_�s will be queried for Defaults entries. |
lookups; both LDAP and _�s_�u_�d_�o_�e_�r_�s will be queried for Defaults entries. |
| |
|
| If the _�/_�e_�t_�c_�/_�n_�e_�t_�s_�v_�c_�._�c_�o_�n_�f file is not present or there is no sudoers line, |
If the _�/_�e_�t_�c_�/_�n_�e_�t_�s_�v_�c_�._�c_�o_�n_�f file is not present or there is no sudoers line, |
|
Line 739 E�EX�XA�AM�MP�PL�LE�ES�S
|
Line 787 E�EX�XA�AM�MP�PL�LE�ES�S
|
| ) |
) |
| |
|
| S�SE�EE�E A�AL�LS�SO�O |
S�SE�EE�E A�AL�LS�SO�O |
| ldap.conf(1m), sudoers(1m) | ldap.conf(4), sudo.conf(4), sudoers(1m) |
| |
|
| C�CA�AV�VE�EA�AT�TS�S |
C�CA�AV�VE�EA�AT�TS�S |
| Note that there are differences in the way that LDAP-based _�s_�u_�d_�o_�e_�r_�s is |
Note that there are differences in the way that LDAP-based _�s_�u_�d_�o_�e_�r_�s is |
|
Line 762 D�DI�IS�SC�CL�LA�AI�IM�ME�ER�R
|
Line 810 D�DI�IS�SC�CL�LA�AI�IM�ME�ER�R
|
| file distributed with s�su�ud�do�o or http://www.sudo.ws/sudo/license.html for |
file distributed with s�su�ud�do�o or http://www.sudo.ws/sudo/license.html for |
| complete details. |
complete details. |
| |
|
| Sudo 1.8.6 July 12, 2012 Sudo 1.8.6 | Sudo 1.8.8 August 30, 2013 Sudo 1.8.8 |
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to sudoers.ldap.cat CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / doc