--- embedaddon/sudo/doc/sudoers.ldap.cat 2013/07/22 10:46:12 1.1.1.4 +++ embedaddon/sudo/doc/sudoers.ldap.cat 2014/06/15 16:12:54 1.1.1.6 @@ -285,6 +285,8 @@ DDEESSCCRRIIPPTTIIOONN by ssuuddoo are honored. Configuration options are listed below in upper case but are parsed in a case-independent manner. + The pound sign (`#') is used to indicate a comment. Both the comment + character and any text after it, up to the end of the line, are ignored. Long lines can be continued with a backslash (`\') as the last character on the line. Note that leading white space is removed from the beginning of lines even when the continuation character is used. @@ -344,7 +346,9 @@ DDEESSCCRRIIPPTTIIOONN An LDAP filter which is used to restrict the set of records returned when performing a ssuuddoo LDAP query. Typically, this is of the form attribute=value or - (&(attribute=value)(attribute2=value2)). + (&(attribute=value)(attribute2=value2)). The default search filter + is: objectClass=sudoRole. If _l_d_a_p___f_i_l_t_e_r is omitted, no search + filter will be used. SSUUDDOOEERRSS__TTIIMMEEDD _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o Whether or not to evaluate the sudoNotBefore and sudoNotAfter 
@@ -465,20 +469,28 @@ DDEESSCCRRIIPPTTIIOONN tls_key /var/ldap/key3.db Tivoli Directory Server: - tls_cert /usr/ldap/ldapkey.kdb + tls_key /usr/ldap/ldapkey.kdb When using Tivoli LDAP libraries, this file may also contain Certificate Authority and client certificates and may be encrypted. TTLLSS__KKEEYYPPWW _s_e_c_r_e_t The TTLLSS__KKEEYYPPWW contains the password used to decrypt the key database on clients using the Tivoli Directory Server LDAP library. + This should be a simple string without quotes. The password may + not include the comment character (`#') and escaping of special + characters with a backslash (`\') is not supported. If this option + is used, _/_e_t_c_/_l_d_a_p_._c_o_n_f must not be world-readable to avoid + exposing the password. Alternately, a _s_t_a_s_h _f_i_l_e can be used to + store the password in encrypted form (see below). + If no TTLLSS__KKEEYYPPWW is specified, a _s_t_a_s_h _f_i_l_e will be used if it exists. The _s_t_a_s_h _f_i_l_e must have the same path as the file specified by TTLLSS__KKEEYY, but use a .sth file extension instead of .kdb, e.g. ldapkey.sth. The default ldapkey.kdb that ships with Tivoli Directory Server is encrypted with the password - ssl_password. This option is only supported by the Tivoli LDAP - libraries. + ssl_password. The _g_s_k_8_c_a_p_i_c_m_d utility can be used to manage the + key database and create a _s_t_a_s_h _f_i_l_e. This option is only + supported by the Tivoli LDAP libraries. TTLLSS__RRAANNDDFFIILLEE _f_i_l_e _n_a_m_e The TTLLSS__RRAANNDDFFIILLEE parameter specifies the path to an entropy source @@ -800,4 +812,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for complete details. -Sudo 1.8.7 April 25, 2013 Sudo 1.8.7 +Sudo 1.8.10 February 7, 2014 Sudo 1.8.10
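Review bot: In the hunk at @@ -285,6 +285,8 @@, the new comment sentence does not say whether a `#` inside an option value can be quoted or escaped. The TLS_KEYPW text added later in this patch says that for that option it cannot, so the general rule should be stated here, where readers setting any value that might contain `#` will look for it. It would also help to say how a comment interacts with the backslash continuation described in the next sentence, since the two rules are now adjacent and the text does not say which one is applied first.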
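Review bot: In the hunk at @@ -344,7 +346,9 @@, the two added sentences read as contradicting each other: the first gives a default search filter of objectClass=sudoRole, and the second says that no search filter will be used if ldap_filter is omitted. Please distinguish the two cases explicitly, for example "if the option is not present, the default is used; if it is present with no ldap_filter argument, no filter is applied". Since the surrounding text describes this filter as restricting the set of records returned, the man page should leave no doubt about which configuration disables that restriction.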
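Review bot: In the hunk at @@ -465,20 +469,28 @@, the new TLS_KEYPW text gives permission guidance only for /etc/ldap.conf, and none for the stash file or the key database it unlocks. The same paragraph says the stash file is used automatically when no TLS_KEYPW is set, so a readable ldapkey.sth next to ldapkey.kdb is equivalent to a readable password. Suggest adding a sentence that the .sth and .kdb files need the same restriction. "Must not be world-readable" would also be clearer if it named the intended owner and mode. Separately, the paragraph still documents the shipped default password ssl_password without advising that it be changed. A short note to that effect would fit beside the new gsk8capicmd sentence.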