--- embedaddon/sudo/doc/sudoers.ldap.cat 2012/10/09 09:29:52 1.1.1.3 +++ embedaddon/sudo/doc/sudoers.ldap.cat 2014/06/15 16:12:54 1.1.1.6 @@ -37,10 +37,10 @@ DDEESSCCRRIIPPTTIIOONN LDAP, ssuuddoo-specific Aliases are not supported. For the most part, there is really no need for ssuuddoo-specific Aliases. - Unix groups or user netgroups can be used in place of User_Aliases and - Runas_Aliases. Host netgroups can be used in place of Host_Aliases. - Since Unix groups and netgroups can also be stored in LDAP there is no - real need for ssuuddoo-specific aliases. + Unix groups, non-Unix groups (via the _g_r_o_u_p___p_l_u_g_i_n) or user netgroups can + be used in place of User_Aliases and Runas_Aliases. Host netgroups can + be used in place of Host_Aliases. Since groups and netgroups can also be + stored in LDAP there is no real need for ssuuddoo-specific aliases. Cmnd_Aliases are not really required either since it is possible to have multiple users listed in a sudoRole. Instead of defining a Cmnd_Alias 
@@ -67,21 +67,46 @@ DDEESSCCRRIIPPTTIIOONN following attributes: ssuuddooUUsseerr - A user name, user ID (prefixed with `#'), Unix group (prefixed with - `%'), Unix group ID (prefixed with `%#'), or user netgroup - (prefixed with `+'). + A user name, user ID (prefixed with `#'), Unix group name or ID + (prefixed with `%' or `%#' respectively), user netgroup (prefixed + with `+'), or non-Unix group name or ID (prefixed with `%:' or + `%:#' respectively). Non-Unix group support is only available when + an appropriate _g_r_o_u_p___p_l_u_g_i_n is defined in the global _d_e_f_a_u_l_t_s + sudoRole object. ssuuddooHHoosstt A host name, IP address, IP network, or host netgroup (prefixed with a `+'). The special value ALL will match any host. ssuuddooCCoommmmaanndd - A Unix command with optional command line arguments, potentially - including globbing characters (aka wild cards). The special value - ALL will match any command. If a command is prefixed with an - exclamation point `!', the user will be prohibited from running - that command. + A fully-qualified Unix command name with optional command line + arguments, potentially including globbing characters (aka wild + cards). If a command name is preceded by an exclamation point, + `!', the user will be prohibited from running that command. + The built-in command ``sudoedit'' is used to permit a user to run + ssuuddoo with the --ee option (or as ssuuddooeeddiitt). It may take command line + arguments just as a normal command does. Note that ``sudoedit'' is + a command built into ssuuddoo itself and must be specified in without a + leading path. + + The special value ALL will match any command. + + If a command name is prefixed with a SHA-2 digest, it will only be + allowed if the digest matches. This may be useful in situations + where the user invoking ssuuddoo has write access to the command or its + parent directory. The following digest formats are supported: + sha224, sha256, sha384 and sha512. 
The digest name must be + followed by a colon (`:') and then the actual digest, in either hex + or base64 format. For example, given the following value for + sudoCommand: + + sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ /bin/ls + + The user may only run _/_b_i_n_/_l_s if its sha224 digest matches the + specified value. Command digests are only supported by version + 1.8.7 or higher. + ssuuddooOOppttiioonn Identical in function to the global options described above, but specific to the sudoRole in which it resides. @@ -134,7 +159,7 @@ DDEESSCCRRIIPPTTIIOONN inherent order. The sudoOrder attribute is an integer (or floating point value for LDAP servers that support it) that is used to sort the matching entries. This allows LDAP-based sudoers entries to - more closely mimic the behaviour of the sudoers file, where the of + more closely mimic the behavior of the sudoers file, where the of the entries influences the result. If multiple entries match, the entry with the highest sudoOrder attribute is chosen. This corresponds to the ``last match'' behavior of the sudoers file. If @@ -168,7 +193,7 @@ DDEESSCCRRIIPPTTIIOONN user belongs to any of them. If timed entries are enabled with the SSUUDDOOEERRSS__TTIIMMEEDD configuration - directive, the LDAP queries include a subfilter that limits retrieval to + directive, the LDAP queries include a sub-filter that limits retrieval to entries that satisfy the time constraints, if any. DDiiffffeerreenncceess bbeettwweeeenn LLDDAAPP aanndd nnoonn--LLDDAAPP ssuuddooeerrss 
@@ -246,10 +271,11 @@ DDEESSCCRRIIPPTTIIOONN CCoonnffiigguurriinngg llddaapp..ccoonnff Sudo reads the _/_e_t_c_/_l_d_a_p_._c_o_n_f file for LDAP-specific configuration. - Typically, this file is shared amongst different LDAP-aware clients. As + Typically, this file is shared between different LDAP-aware clients. As such, most of the settings are not ssuuddoo-specific. Note that ssuuddoo parses _/_e_t_c_/_l_d_a_p_._c_o_n_f itself and may support options that differ from those - described in the system's ldap.conf(1m) manual. + described in the system's ldap.conf(1m) manual. The path to _l_d_a_p_._c_o_n_f may + be overridden via the _l_d_a_p___c_o_n_f plugin argument in sudo.conf(4). Also note that on systems using the OpenLDAP libraries, default values specified in _/_e_t_c_/_o_p_e_n_l_d_a_p_/_l_d_a_p_._c_o_n_f or the user's _._l_d_a_p_r_c files are not @@ -259,8 +285,14 @@ DDEESSCCRRIIPPTTIIOONN by ssuuddoo are honored. Configuration options are listed below in upper case but are parsed in a case-independent manner. + The pound sign (`#') is used to indicate a comment. Both the comment + character and any text after it, up to the end of the line, are ignored. + Long lines can be continued with a backslash (`\') as the last character + on the line. Note that leading white space is removed from the beginning + of lines even when the continuation character is used. + UURRII _l_d_a_p_[_s_]_:_/_/_[_h_o_s_t_n_a_m_e_[_:_p_o_r_t_]_] _._._. - Specifies a whitespace-delimited list of one or more URIs + Specifies a white space-delimited list of one or more URIs describing the LDAP server(s) to connect to. The _p_r_o_t_o_c_o_l may be either _l_d_a_p _l_d_a_p_s, the latter being for servers that support TLS (SSL) encryption. If no _p_o_r_t is specified, the default is port 389 
@@ -273,7 +305,7 @@ DDEESSCCRRIIPPTTIIOONN of supporting one or the other. HHOOSSTT _n_a_m_e_[_:_p_o_r_t_] _._._. - If no UURRII is specified, the HHOOSSTT parameter specifies a whitespace- + If no UURRII is specified, the HHOOSSTT parameter specifies a white space- delimited list of LDAP servers to connect to. Each host may include an optional _p_o_r_t separated by a colon (`:'). The HHOOSSTT parameter is deprecated in favor of the UURRII specification and is @@ -314,7 +346,9 @@ DDEESSCCRRIIPPTTIIOONN An LDAP filter which is used to restrict the set of records returned when performing a ssuuddoo LDAP query. Typically, this is of the form attribute=value or - (&(attribute=value)(attribute2=value2)). + (&(attribute=value)(attribute2=value2)). The default search filter + is: objectClass=sudoRole. If _l_d_a_p___f_i_l_t_e_r is omitted, no search + filter will be used. SSUUDDOOEERRSS__TTIIMMEEDD _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o Whether or not to evaluate the sudoNotBefore and sudoNotAfter @@ -328,6 +362,12 @@ DDEESSCCRRIIPPTTIIOONN be set in a production environment as the extra information is likely to confuse users. + The SSUUDDOOEERRSS__DDEEBBUUGG parameter is deprecated and will be removed in a + future release. The same information is now logged via the ssuuddoo + debugging framework using the ``ldap'' subsystem at priorities _d_i_a_g + and _i_n_f_o for _d_e_b_u_g___l_e_v_e_l values 1 and 2 respectively. See the + sudo.conf(4) manual for details on how to configure ssuuddoo debugging. + BBIINNDDDDNN _D_N The BBIINNDDDDNN parameter specifies the identity, in the form of a Distinguished Name (DN), to use when performing LDAP operations. 
@@ -344,8 +384,10 @@ DDEESSCCRRIIPPTTIIOONN The RROOOOTTBBIINNDDDDNN parameter specifies the identity, in the form of a Distinguished Name (DN), to use when performing privileged LDAP operations, such as _s_u_d_o_e_r_s queries. The password corresponding to - the identity should be stored in _/_e_t_c_/_l_d_a_p_._s_e_c_r_e_t. If not - specified, the BBIINNDDDDNN identity is used (if any). + the identity should be stored in the or the path specified by the + _l_d_a_p___s_e_c_r_e_t plugin argument in sudo.conf(4), which defaults to + _/_e_t_c_/_l_d_a_p_._s_e_c_r_e_t. If no RROOOOTTBBIINNDDDDNN is specified, the BBIINNDDDDNN + identity is used (if any). LLDDAAPP__VVEERRSSIIOONN _n_u_m_b_e_r The version of the LDAP protocol to use when connecting to the 
@@ -427,20 +469,28 @@ DDEESSCCRRIIPPTTIIOONN tls_key /var/ldap/key3.db Tivoli Directory Server: - tls_cert /usr/ldap/ldapkey.kdb + tls_key /usr/ldap/ldapkey.kdb When using Tivoli LDAP libraries, this file may also contain Certificate Authority and client certificates and may be encrypted. TTLLSS__KKEEYYPPWW _s_e_c_r_e_t The TTLLSS__KKEEYYPPWW contains the password used to decrypt the key database on clients using the Tivoli Directory Server LDAP library. + This should be a simple string without quotes. The password may + not include the comment character (`#') and escaping of special + characters with a backslash (`\') is not supported. If this option + is used, _/_e_t_c_/_l_d_a_p_._c_o_n_f must not be world-readable to avoid + exposing the password. Alternately, a _s_t_a_s_h _f_i_l_e can be used to + store the password in encrypted form (see below). + If no TTLLSS__KKEEYYPPWW is specified, a _s_t_a_s_h _f_i_l_e will be used if it exists. The _s_t_a_s_h _f_i_l_e must have the same path as the file specified by TTLLSS__KKEEYY, but use a .sth file extension instead of .kdb, e.g. ldapkey.sth. The default ldapkey.kdb that ships with Tivoli Directory Server is encrypted with the password - ssl_password. This option is only supported by the Tivoli LDAP - libraries. + ssl_password. The _g_s_k_8_c_a_p_i_c_m_d utility can be used to manage the + key database and create a _s_t_a_s_h _f_i_l_e. This option is only + supported by the Tivoli LDAP libraries. TTLLSS__RRAANNDDFFIILLEE _f_i_l_e _n_a_m_e The TTLLSS__RRAANNDDFFIILLEE parameter specifies the path to an entropy source 
@@ -530,12 +580,12 @@ DDEESSCCRRIIPPTTIIOONN sudoers = ldap - To treat LDAP as authoratative and only use the local sudoers file if the + To treat LDAP as authoritative and only use the local sudoers file if the user is not present in LDAP, use: sudoers = ldap = auth, files - Note that in the above example, the auth qualfier only affects user + Note that in the above example, the auth qualifier only affects user lookups; both LDAP and _s_u_d_o_e_r_s will be queried for Defaults entries. If the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is not present or there is no sudoers line, @@ -739,7 +789,7 @@ EEXXAAMMPPLLEESS ) SSEEEE AALLSSOO - ldap.conf(1m), sudoers(1m) + ldap.conf(4), sudo.conf(4), sudoers(1m) CCAAVVEEAATTSS Note that there are differences in the way that LDAP-based _s_u_d_o_e_r_s is @@ -762,4 +812,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for complete details. -Sudo 1.8.6 July 12, 2012 Sudo 1.8.6 +Sudo 1.8.10 February 7, 2014 Sudo 1.8.10
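Review bot: in the @@ -67,21 +67,46 hunk, the added sudoedit paragraph has a stray word: "must be specified in without a leading path" should read "must be specified without a leading path". The digest paragraph states a minimum version ("only supported by version 1.8.7 or higher"); if the new non-Unix group syntax (`%:` / `%:#`) in the sudoUser entry also requires a minimum version or a configured group_plugin on every client, state that in the same way so administrators of mixed-version deployments know which entries older clients will not honor.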
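Review bot: the @@ -134,7 +159,7 hunk fixes "behaviour" to "behavior" but leaves the same sentence missing a word: "where the of the entries influences the result" should be "where the order of the entries influences the result". Since the line is already being rewritten, fix both in one change.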
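Review bot: in the @@ -259,8 +285,14 hunk (and likewise the HOST text in the @@ -273,7 +305,7 hunk), "white space-delimited" reads as "space-delimited" qualified by "white"; the original "whitespace-delimited", or "white-space-delimited", is clearer. The new paragraph on `#` comments and backslash continuation is useful, and it is the reason the TLS_KEYPW text later in this patch forbids `#` in the password; a short cross-reference between the two would help readers who only consult one section.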
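Review bot: the two sentences added in the @@ -314,7 +346,9 hunk read as contradictory: "The default search filter is: objectClass=sudoRole." and "If ldap_filter is omitted, no search filter will be used." cannot both describe the case where SUDOERS_SEARCH_FILTER is absent. If the intent is that an absent line uses the default while a SUDOERS_SEARCH_FILTER line with an empty ldap_filter disables filtering, say so explicitly, e.g. "If SUDOERS_SEARCH_FILTER is present but ldap_filter is empty, no search filter is used." Disabling the filter widens the set of entries sudo will evaluate, so the two cases should not be left ambiguous.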
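Review bot: the @@ -344,8 +384,10 hunk introduces a garbled phrase: "should be stored in the or the path specified by the ldap_secret plugin argument" should read "should be stored in the path specified by the ldap_secret plugin argument in sudo.conf(4), which defaults to /etc/ldap.secret".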
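Review bot: in the @@ -427,20 +469,28 hunk, the TLS_KEYPW text now says /etc/ldap.conf must not be world-readable when the password is stored there, but the following paragraph describes the stash file only as holding the password "in encrypted form"; state whether the .sth file needs the same permission restriction, otherwise a reader may treat it as safe to leave readable. Minor: "Alternately" should be "Alternatively". The Tivoli example change from tls_cert to tls_key matches the surrounding description of the key database and looks correct.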
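Review bot: the @@ -739,7 +789,7 hunk changes the SEE ALSO entry to ldap.conf(4), but the unchanged context in the @@ -246,10 +271,11 hunk still refers to "the system's ldap.conf(1m) manual"; use one section number consistently in both places.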