Annotation of embedaddon/sudo/doc/sudoers.ldap.cat, revision 1.1

SUDOERS.LDAP(4)              MAINTENANCE COMMANDS              SUDOERS.LDAP(4)


NAME
       sudoers.ldap - sudo LDAP configuration

DESCRIPTION
       In addition to the standard sudoers file, sudo may be configured via
       LDAP.  This can be especially useful for synchronizing sudoers in a
       large, distributed environment.

       Using LDAP for sudoers has several benefits:

       o   sudo no longer needs to read sudoers in its entirety.  When LDAP is
           used, there are only two or three LDAP queries per invocation.
           This makes it especially fast and particularly usable in LDAP
           environments.

       o   sudo no longer exits if there is a typo in sudoers.  It is not
           possible to load LDAP data into the server that does not conform to
           the sudoers schema, so proper syntax is guaranteed.  It is still
           possible to have typos in a user or host name, but this will not
           prevent sudo from running.

       o   It is possible to specify per-entry options that override the
           global default options.  /etc/sudoers only supports default options
           and limited options associated with user/host/commands/aliases.
           The syntax is complicated and can be difficult for users to
           understand.  Placing the options directly in the entry is more
           natural.

       o   The visudo program is no longer needed.  visudo provides locking
           and syntax checking of the /etc/sudoers file.  Since LDAP updates
           are atomic, locking is no longer necessary.  Because syntax is
           checked when the data is inserted into LDAP, there is no need for a
           specialized tool to check syntax.

       Another major difference between LDAP and file-based sudoers is that in
       LDAP, sudo-specific Aliases are not supported.

       For the most part, there is really no need for sudo-specific Aliases.
       Unix groups or user netgroups can be used in place of User_Aliases and
       Runas_Aliases.  Host netgroups can be used in place of Host_Aliases.
       Since Unix groups and netgroups can also be stored in LDAP there is no
       real need for sudo-specific aliases.

       Cmnd_Aliases are not really required either since it is possible to
       have multiple users listed in a sudoRole.  Instead of defining a
       Cmnd_Alias that is referenced by multiple users, one can create a
       sudoRole that contains the commands and assign multiple users to it.

   SUDOers LDAP container
       The sudoers configuration is contained in the ou=SUDOers LDAP
       container.

       Sudo first looks for the cn=defaults entry in the SUDOers container.
       If found, the multi-valued sudoOption attribute is parsed in the same
       manner as a global Defaults line in /etc/sudoers.  In the following
       example, the SSH_AUTH_SOCK variable will be preserved in the
       environment for all users.

           dn: cn=defaults,ou=SUDOers,dc=example,dc=com
           objectClass: top
           objectClass: sudoRole
           cn: defaults
           description: Default sudoOption's go here
           sudoOption: env_keep+=SSH_AUTH_SOCK

       The equivalent of a sudoer in LDAP is a sudoRole.  It consists of the
       following attributes:

       sudoUser
           A user name, uid (prefixed with '#'), Unix group (prefixed with a
           '%') or user netgroup (prefixed with a '+').

       sudoHost
           A host name, IP address, IP network, or host netgroup (prefixed
           with a '+').  The special value ALL will match any host.

       sudoCommand
           A Unix command with optional command line arguments, potentially
           including globbing characters (aka wild cards).  The special value
           ALL will match any command.  If a command is prefixed with an
           exclamation point '!', the user will be prohibited from running
           that command.

       sudoOption
           Identical in function to the global options described above, but
           specific to the sudoRole in which it resides.

       sudoRunAsUser
           A user name or uid (prefixed with '#') that commands may be run as
           or a Unix group (prefixed with a '%') or user netgroup (prefixed
           with a '+') that contains a list of users that commands may be run
           as.  The special value ALL will match any user.

           The sudoRunAsUser attribute is only available in sudo versions
           1.7.0 and higher.  Older versions of sudo use the sudoRunAs
           attribute instead.

       sudoRunAsGroup
           A Unix group or gid (prefixed with '#') that commands may be run
           as.  The special value ALL will match any group.

           The sudoRunAsGroup attribute is only available in sudo versions
           1.7.0 and higher.

       sudoNotBefore
           A timestamp in the form yyyymmddHHMMSSZ that can be used to provide
           a start date/time for when the sudoRole will be valid.  If multiple
           sudoNotBefore entries are present, the earliest is used.  Note that
           timestamps must be in Coordinated Universal Time (UTC), not the
           local timezone.  The minute and seconds portions are optional, but
           some LDAP servers require that they be present (contrary to the
           RFC).

           The sudoNotBefore attribute is only available in sudo versions
           1.7.5 and higher and must be explicitly enabled via the
           SUDOERS_TIMED option in /etc/ldap.conf.

       sudoNotAfter
           A timestamp in the form yyyymmddHHMMSSZ that indicates an
           expiration date/time, after which the sudoRole will no longer be
           valid.  If multiple sudoNotAfter entries are present, the last one
           is used.  Note that timestamps must be in Coordinated Universal
           Time (UTC), not the local timezone.  The minute and seconds
           portions are optional, but some LDAP servers require that they be
           present (contrary to the RFC).

           The sudoNotAfter attribute is only available in sudo versions 1.7.5
           and higher and must be explicitly enabled via the SUDOERS_TIMED
           option in /etc/ldap.conf.

       sudoOrder
           The sudoRole entries retrieved from the LDAP directory have no
           inherent order.  The sudoOrder attribute is an integer (or floating
           point value for LDAP servers that support it) that is used to sort
           the matching entries.  This allows LDAP-based sudoers entries to
           more closely mimic the behaviour of the sudoers file, where the
           order of the entries influences the result.  If multiple entries
           match, the entry with the highest sudoOrder attribute is chosen.
           This corresponds to the "last match" behavior of the sudoers file.
           If the sudoOrder attribute is not present, a value of 0 is assumed.

           The sudoOrder attribute is only available in sudo versions 1.7.5
           and higher.

       Each attribute listed above should contain a single value, but there
       may be multiple instances of each attribute type.  A sudoRole must
       contain at least one sudoUser, sudoHost and sudoCommand.

       The following example allows users in group wheel to run any command on
       any host via sudo:

           dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
           objectClass: top
           objectClass: sudoRole
           cn: %wheel
           sudoUser: %wheel
           sudoHost: ALL
           sudoCommand: ALL

   Anatomy of LDAP sudoers lookup
       When looking up a sudoer using LDAP there are only two or three LDAP
       queries per invocation.  The first query is to parse the global
       options.  The second is to match against the user's name and the groups
       that the user belongs to.  (The special ALL tag is matched in this
       query too.)  If no match is returned for the user's name and groups, a
       third query returns all entries containing user netgroups and checks to
       see if the user belongs to any of them.

       If timed entries are enabled with the SUDOERS_TIMED configuration
       directive, the LDAP queries include a subfilter that limits retrieval
       to entries that satisfy the time constraints, if any.

   Differences between LDAP and non-LDAP sudoers
       There are some subtle differences in the way sudoers is handled once in
       LDAP.  Probably the biggest is that according to the RFC, LDAP ordering
       is arbitrary and you cannot expect that Attributes and Entries are
       returned in any specific order.

       The order in which different entries are applied can be controlled
       using the sudoOrder attribute, but there is no way to guarantee the
       order of attributes within a specific entry.  If there are conflicting
       command rules in an entry, the negative takes precedence.  This is
       called paranoid behavior (not necessarily the most specific match).

       Here is an example:

           # /etc/sudoers:
           # Allow all commands except shell
           johnny  ALL=(root) ALL,!/bin/sh
           # Always allows all commands because ALL is matched last
           puddles ALL=(root) !/bin/sh,ALL

           # LDAP equivalent of johnny
           # Allows all commands except shell
           dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
           objectClass: sudoRole
           objectClass: top
           cn: role1
           sudoUser: johnny
           sudoHost: ALL
           sudoCommand: ALL
           sudoCommand: !/bin/sh

           # LDAP equivalent of puddles
           # Notice that even though ALL comes last, it still behaves like
           # role1 since the LDAP code assumes the more paranoid configuration
           dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
           objectClass: sudoRole
           objectClass: top
           cn: role2
           sudoUser: puddles
           sudoHost: ALL
           sudoCommand: !/bin/sh
           sudoCommand: ALL

       Another difference is that negations on the Host, User or Runas are
       currently ignored.  For example, the following attributes do not behave
       the way one might expect.

           # does not match all but joe
           # rather, does not match anyone
           sudoUser: !joe

           # does not match all but joe
           # rather, matches everyone including Joe
           sudoUser: ALL
           sudoUser: !joe

           # does not match all but web01
           # rather, matches all hosts including web01
           sudoHost: ALL
           sudoHost: !web01

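       The following Python model is an added example, not sudo's own code: it
       implements the lookup rules described in the sudoOrder, lookup anatomy
       and differences sections above (highest sudoOrder wins, the
       SUDOERS_TIMED window on UTC timestamps, paranoid precedence of a negated
       sudoCommand, and ignored negations on sudoUser and sudoHost).  The LDIF,
       role names and the evaluate() function are constructed for the
       demonstration; netgroups, IP networks, '#uid' and sudoRunAs* matching
       are left out.

```python
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Constructed LDIF: role1 mirrors the page's johnny example; the two wheel
# roles exercise sudoOrder, an ignored sudoHost negation and sudoNotAfter.
SAMPLE_LDIF = """\
dn: cn=role1,ou=SUDOers,dc=example,dc=com
cn: role1
sudoUser: johnny
sudoHost: ALL
sudoCommand: !/bin/sh
sudoCommand: ALL

dn: cn=wheel-legacy,ou=SUDOers,dc=example,dc=com
cn: wheel-legacy
sudoUser: %wheel
sudoHost: ALL
sudoHost: !web01
sudoCommand: ALL
sudoOrder: 10
sudoNotAfter: 20200101000000Z

dn: cn=wheel-services,ou=SUDOers,dc=example,dc=com
cn: wheel-services
sudoUser: %wheel
sudoHost: web01
sudoCommand: /bin/systemctl restart *
sudoOrder: 5
"""
# yyyymmddHHMMSSZ, keyed by length because minutes and seconds are optional
TIME_FORMATS = {15: "%Y%m%d%H%M%SZ", 13: "%Y%m%d%H%MZ", 11: "%Y%m%d%HZ"}

def parse_ldif(text):
    """Parse minimal LDIF into a list of {attribute: [values]} dicts."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            continue
        attr, _, value = line.partition(":")
        if attr == "dn":            # each dn starts a new entry
            current = {}
            entries.append(current)
        current.setdefault(attr, []).append(value.strip())
    return entries

def parse_utc(stamp):
    """Timestamps are UTC, never local time."""
    fmt = TIME_FORMATS.get(len(stamp))
    if fmt is None:
        raise ValueError("bad timestamp: " + stamp)
    return datetime.strptime(stamp, fmt).replace(tzinfo=timezone.utc)

def in_time_window(entry, now):
    """SUDOERS_TIMED check: earliest sudoNotBefore and latest sudoNotAfter
    (the page says 'last'; latest is the interpretation assumed here)."""
    not_before = [parse_utc(v) for v in entry.get("sudoNotBefore", [])]
    not_after = [parse_utc(v) for v in entry.get("sudoNotAfter", [])]
    if not_before and now < min(not_before):
        return False
    return not (not_after and now > max(not_after))

def user_matches(entry, user, groups):
    """sudoUser: name, %group or ALL.  Negations are ignored, as the page
    states; '#uid' and '+netgroup' need lookups and are skipped here."""
    for value in entry.get("sudoUser", []):
        if value[:1] in ("!", "#", "+"):
            continue
        if value in ("ALL", user) or (value[:1] == "%" and value[1:] in groups):
            return True
    return False

def host_matches(entry, host):
    """sudoHost: name or ALL; negations ignored, netgroups/networks skipped."""
    for value in entry.get("sudoHost", []):
        if value[:1] not in ("!", "+") and value in ("ALL", host):
            return True
    return False

def command_decision(entry, command):
    """Paranoid rule: a matching negated sudoCommand denies no matter where
    it sits among the attributes.  Returns True, False or None (no rule)."""
    decision = None
    for value in entry.get("sudoCommand", []):
        pattern = value.lstrip("!")
        if pattern == "ALL" or fnmatchcase(command, pattern):
            if value.startswith("!"):
                return False
            decision = True
    return decision

def evaluate(entries, user, groups, host, command, now, timed=True):
    """The highest-sudoOrder entry matching user, host and time window that
    carries a sudoCommand rule for the command decides; returns (allowed, cn)."""
    matching = [e for e in entries
                if user_matches(e, user, groups) and host_matches(e, host)
                and (not timed or in_time_window(e, now))]
    matching.sort(key=lambda e: float(e.get("sudoOrder", ["0"])[0]), reverse=True)
    for entry in matching:
        decision = command_decision(entry, command)
        if decision is not None:
            return decision, entry["cn"][0]
    return False, None
```

       Calling evaluate(parse_ldif(SAMPLE_LDIF), "alice", ["wheel"], "web01",
       "/bin/sh", now, timed=False) selects the expired wheel-legacy role, which
       shows both why SUDOERS_TIMED matters and that "sudoHost: !web01" excludes
       nothing.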
   Sudoers Schema
       In order to use sudo's LDAP support, the sudo schema must be installed
       on your LDAP server.  In addition, be sure to index the 'sudoUser'
       attribute.

       Three versions of the schema: one for OpenLDAP servers
       (schema.OpenLDAP), one for Netscape-derived servers (schema.iPlanet),
       and one for Microsoft Active Directory (schema.ActiveDirectory) may be
       found in the sudo distribution.

       The schema for sudo in OpenLDAP form is included in the EXAMPLES
       section.

   Configuring ldap.conf
       Sudo reads the /etc/ldap.conf file for LDAP-specific configuration.
       Typically, this file is shared amongst different LDAP-aware clients.
       As such, most of the settings are not sudo-specific.  Note that sudo
       parses /etc/ldap.conf itself and may support options that differ from
       those described in the ldap.conf(4) manual.

       Also note that on systems using the OpenLDAP libraries, default values
       specified in /etc/openldap/ldap.conf or the user's .ldaprc files are
       not used.

       Only those options explicitly listed in /etc/ldap.conf as being
       supported by sudo are honored.  Configuration options are listed below
       in upper case but are parsed in a case-independent manner.

       URI ldap[s]://[hostname[:port]] ...
           Specifies a whitespace-delimited list of one or more URIs
           describing the LDAP server(s) to connect to.  The protocol may be
           either ldap or ldaps, the latter being for servers that support TLS
           (SSL) encryption.  If no port is specified, the default is port 389
           for ldap:// or port 636 for ldaps://.  If no hostname is specified,
           sudo will connect to localhost.  Multiple URI lines are treated
           identically to a URI line containing multiple entries.  Only
           systems using the OpenSSL libraries support the mixing of ldap://
           and ldaps:// URIs.  The Netscape-derived libraries used on most
           commercial versions of Unix are only capable of supporting one or
           the other.

       HOST name[:port] ...
           If no URI is specified, the HOST parameter specifies a whitespace-
           delimited list of LDAP servers to connect to.  Each host may
           include an optional port separated by a colon (':').  The HOST
           parameter is deprecated in favor of the URI specification and is
           included for backwards compatibility.

       PORT port_number
           If no URI is specified, the PORT parameter specifies the default
           port to connect to on the LDAP server if a HOST parameter does not
           specify the port itself.  If no PORT parameter is used, the default
           is port 389 for LDAP and port 636 for LDAP over TLS (SSL).  The
           PORT parameter is deprecated in favor of the URI specification and
           is included for backwards compatibility.

       BIND_TIMELIMIT seconds
           The BIND_TIMELIMIT parameter specifies the amount of time, in
           seconds, to wait while trying to connect to an LDAP server.  If
           multiple URIs or HOSTs are specified, this is the amount of time to
           wait before trying the next one in the list.

       NETWORK_TIMEOUT seconds
           An alias for BIND_TIMELIMIT for OpenLDAP compatibility.

       TIMELIMIT seconds
           The TIMELIMIT parameter specifies the amount of time, in seconds,
           to wait for a response to an LDAP query.

       TIMEOUT seconds
           The TIMEOUT parameter specifies the amount of time, in seconds, to
           wait for a response from the various LDAP APIs.

       SUDOERS_BASE base
           The base DN to use when performing sudo LDAP queries.  Typically
           this is of the form ou=SUDOers,dc=example,dc=com for the domain
           example.com.  Multiple SUDOERS_BASE lines may be specified, in
           which case they are queried in the order specified.

       SUDOERS_SEARCH_FILTER ldap_filter
           An LDAP filter which is used to restrict the set of records
           returned when performing a sudo LDAP query.  Typically, this is of
           the form attribute=value or
           (&(attribute=value)(attribute2=value2)).

       SUDOERS_TIMED on/true/yes/off/false/no
           Whether or not to evaluate the sudoNotBefore and sudoNotAfter
           attributes that implement time-dependent sudoers entries.

       SUDOERS_DEBUG debug_level
           This sets the debug level for sudo LDAP queries.  Debugging
           information is printed to the standard error.  A value of 1 results
           in a moderate amount of debugging information.  A value of 2 shows
           the results of the matches themselves.  This parameter should not
           be set in a production environment as the extra information is
           likely to confuse users.

       BINDDN DN
           The BINDDN parameter specifies the identity, in the form of a
           Distinguished Name (DN), to use when performing LDAP operations.
           If not specified, LDAP operations are performed with an anonymous
           identity.  By default, most LDAP servers will allow anonymous
           access.

       BINDPW secret
           The BINDPW parameter specifies the password to use when performing
           LDAP operations.  This is typically used in conjunction with the
           BINDDN parameter.

       ROOTBINDDN DN
           The ROOTBINDDN parameter specifies the identity, in the form of a
           Distinguished Name (DN), to use when performing privileged LDAP
           operations, such as sudoers queries.  The password corresponding to
           the identity should be stored in /etc/ldap.secret.  If not
           specified, the BINDDN identity is used (if any).

       LDAP_VERSION number
           The version of the LDAP protocol to use when connecting to the
           server.  The default value is protocol version 3.

       SSL on/true/yes/off/false/no
           If the SSL parameter is set to on, true or yes, TLS (SSL)
           encryption is always used when communicating with the LDAP server.
           Typically, this involves connecting to the server on port 636
           (ldaps).

       SSL start_tls
           If the SSL parameter is set to start_tls, the LDAP server
           connection is initiated normally and TLS encryption is begun before
           the bind credentials are sent.  This has the advantage of not
           requiring a dedicated port for encrypted communications.  This
           parameter is only supported by LDAP servers that honor the
           start_tls extension, such as the OpenLDAP server.

       TLS_CHECKPEER on/true/yes/off/false/no
           If enabled, TLS_CHECKPEER will cause the LDAP server's TLS
           certificate to be verified.  If the server's TLS certificate
           cannot be verified (usually because it is signed by an unknown
           certificate authority), sudo will be unable to connect to it.  If
           TLS_CHECKPEER is disabled, no check is made.  Note that disabling
           the check creates an opportunity for man-in-the-middle attacks
           since the server's identity will not be authenticated.  If
           possible, the CA's certificate should be installed locally so it
           can be verified.

       TLS_CACERT file name
           An alias for TLS_CACERTFILE for OpenLDAP compatibility.

       TLS_CACERTFILE file name
           The path to a certificate authority bundle which contains the
           certificates for all the Certificate Authorities the client knows
           to be valid, e.g. /etc/ssl/ca-bundle.pem.  This option is only
           supported by the OpenLDAP libraries.  Netscape-derived LDAP
           libraries use the same certificate database for CA and client
           certificates (see TLS_CERT).

       TLS_CACERTDIR directory
           Similar to TLS_CACERTFILE but instead of a file, it is a directory
           containing individual Certificate Authority certificates, e.g.
           /etc/ssl/certs.  The directory specified by TLS_CACERTDIR is
           checked after TLS_CACERTFILE.  This option is only supported by the
           OpenLDAP libraries.

       TLS_CERT file name
           The path to a file containing the client certificate which can be
           used to authenticate the client to the LDAP server.  The
           certificate type depends on the LDAP libraries used.

           OpenLDAP:
               tls_cert /etc/ssl/client_cert.pem

           Netscape-derived:
               tls_cert /var/ldap/cert7.db

           When using Netscape-derived libraries, this file may also contain
           Certificate Authority certificates.

       TLS_KEY file name
           The path to a file containing the private key which matches the
           certificate specified by TLS_CERT.  The private key must not be
           password-protected.  The key type depends on the LDAP libraries
           used.

           OpenLDAP:
               tls_key /etc/ssl/client_key.pem

           Netscape-derived:
               tls_key /var/ldap/key3.db

       TLS_RANDFILE file name
           The TLS_RANDFILE parameter specifies the path to an entropy source
           for systems that lack a random device.  It is generally used in
           conjunction with prngd or egd.  This option is only supported by
           the OpenLDAP libraries.

       TLS_CIPHERS cipher list
           The TLS_CIPHERS parameter allows the administrator to restrict
           which encryption algorithms may be used for TLS (SSL) connections.
           See the OpenSSL manual for a list of valid ciphers.  This option is
           only supported by the OpenLDAP libraries.

       USE_SASL on/true/yes/off/false/no
           Enable USE_SASL for LDAP servers that support SASL authentication.

       SASL_AUTH_ID identity
           The SASL user name to use when connecting to the LDAP server.  By
           default, sudo will use an anonymous connection.

       ROOTUSE_SASL on/true/yes/off/false/no
           Enable ROOTUSE_SASL to enable SASL authentication when connecting
           to an LDAP server from a privileged process, such as sudo.

       ROOTSASL_AUTH_ID identity
           The SASL user name to use when ROOTUSE_SASL is enabled.

       SASL_SECPROPS none/properties
           SASL security properties or none for no properties.  See the SASL
           programmer's manual for details.
        !           456: 
        !           457:        KKRRBB55__CCCCNNAAMMEE file name
        !           458:            The path to the Kerberos 5 credential cache to use when
        !           459:            authenticating with the remote server.
        !           460: 
        !           461:        DDEERREEFF never/searching/finding/always
        !           462:            How alias dereferencing is to be performed when searching.  See the
        !           463:            _l_d_a_p_._c_o_n_f(4) manual for a full description of this option.
        !           464: 
        !           465:        See the ldap.conf entry in the EXAMPLES section.
        !           466: 
        !           467:    CCoonnffiigguurriinngg nnsssswwiittcchh..ccoonnff
        !           468:        Unless it is disabled at build time, ssuuddoo consults the Name Service
        !           469:        Switch file, _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f, to specify the _s_u_d_o_e_r_s search order.
        !           470:        Sudo looks for a line beginning with sudoers: and uses this to
        !           471:        determine the search order.  Note that ssuuddoo does not stop searching
        !           472:        after the first match and later matches take precedence over earlier
        !           473:        ones.
        !           474: 
        !           475:        The following sources are recognized:
        !           476: 
        !           477:            files       read sudoers from F</etc/sudoers>
        !           478:            ldap        read sudoers from LDAP
        !           479: 
        !           480:        In addition, the entry [NOTFOUND=return] will short-circuit the search
        !           481:        if the user was not found in the preceding source.
        !           482: 
        !           483:        To consult LDAP first followed by the local sudoers file (if it
        !           484:        exists), use:
        !           485: 
        !           486:            sudoers: ldap files
        !           487: 
        !           488:        The local _s_u_d_o_e_r_s file can be ignored completely by using:
        !           489: 
        !           490:            sudoers: ldap
        !           491: 
        !           492:        If the _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f file is not present or there is no sudoers
        !           493:        line, the following default is assumed:
        !           494: 
        !           495:            sudoers: files
        !           496: 
        !           497:        Note that _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f is supported even when the underlying
        !           498:        operating system does not use an nsswitch.conf file.
        !           499: 
        !           500:    CCoonnffiigguurriinngg nneettssvvcc..ccoonnff
        !           501:        On AIX systems, the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is consulted instead of
        !           502:        _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f.  ssuuddoo simply treats _n_e_t_s_v_c_._c_o_n_f as a variant of
        !           503:        _n_s_s_w_i_t_c_h_._c_o_n_f; information in the previous section unrelated to the
        !           504:        file format itself still applies.
        !           505: 
        !           506:        To consult LDAP first followed by the local sudoers file (if it
        !           507:        exists), use:
        !           508: 
        !           509:            sudoers = ldap, files
        !           510: 
        !           511:        The local _s_u_d_o_e_r_s file can be ignored completely by using:
        !           512: 
        !           513:            sudoers = ldap
        !           514: 
        !           515:        To treat LDAP as authoratative and only use the local sudoers file if
        !           516:        the user is not present in LDAP, use:
        !           517: 
        !           518:            sudoers = ldap = auth, files
        !           519: 
        !           520:        Note that in the above example, the auth qualfier only affects user
        !           521:        lookups; both LDAP and _s_u_d_o_e_r_s will be queried for Defaults entries.
        !           522: 
        !           523:        If the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is not present or there is no sudoers
        !           524:        line, the following default is assumed:
        !           525: 
        !           526:            sudoers = files
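
       The search-order rules of this section and of the nsswitch.conf
       section above, modelled as an added Python example that is not sudo's
       own code: the rule store, the [NOTFOUND=return] and "= auth" handling
       and the last-match-wins resolution are a constructed simulation of the
       documented behaviour, not sudo's actual lookup routine.

```python
"""Added example (not sudo's own code): simulate the sudoers source-order
rules this page describes for nsswitch.conf and netsvc.conf.  The rule
store below is constructed; real lookups would read /etc/sudoers or LDAP."""
import re

# Constructed rule store: source -> user -> ordered (command, allowed) rules.
STORE = {
    "files": {"alice": [("/usr/bin/less", True), ("/bin/sh", False)],
              "carol": [("/usr/bin/less", True)]},
    "ldap": {"alice": [("/bin/sh", True)],
             "bob": [("/usr/bin/less", True)]},
}


def parse_nsswitch(text):
    """Parse the 'sudoers:' line of nsswitch.conf into [(source, mode)].
    mode is 'notfound_return' when [NOTFOUND=return] follows the source.
    Without a sudoers line the documented default 'files' applies."""
    for line in text.splitlines():
        m = re.match(r"\s*sudoers\s*:\s*(.*)", line)
        if not m:
            continue
        order = []
        for tok in m.group(1).split():
            if tok.upper() == "[NOTFOUND=RETURN]" and order:
                order[-1] = (order[-1][0], "notfound_return")
            elif tok in ("files", "ldap"):
                order.append((tok, None))
        return order
    return [("files", None)]


def parse_netsvc(text):
    """Parse the AIX netsvc.conf form 'sudoers = ldap = auth, files'.
    mode is 'auth' for a source marked authoritative."""
    for line in text.splitlines():
        m = re.match(r"\s*sudoers\s*=\s*(.*)", line)
        if not m:
            continue
        order = []
        for part in m.group(1).split(","):
            fields = [f.strip() for f in part.split("=")]
            if fields[0] in ("files", "ldap"):
                order.append((fields[0], "auth" if "auth" in fields[1:] else None))
        return order
    return [("files", None)]


def resolve(order, user, command):
    """Consult every source in order; the last matching rule wins, so a
    later source overrides an earlier one.  Returns True/False, or None when
    no rule matched.  [NOTFOUND=return] stops the search when the user is
    absent from that source; '= auth' stops it when the user is present."""
    decision = None
    for source, mode in order:
        rules = STORE.get(source, {}).get(user)
        if rules is None:
            if mode == "notfound_return":
                break
            continue
        for cmd, allowed in rules:
            if cmd == command:
                decision = allowed
        if mode == "auth":
            break
    return decision
```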

FILES
       /etc/ldap.conf          LDAP configuration file

       /etc/nsswitch.conf      determines sudoers source order

       /etc/netsvc.conf        determines sudoers source order on AIX

EXAMPLES
   Example ldap.conf
         # Either specify one or more URIs or one or more host:port pairs.
         # If neither is specified sudo will default to localhost, port 389.
         #
         #host          ldapserver
         #host          ldapserver1 ldapserver2:390
         #
         # Default port if host is specified without one, defaults to 389.
         #port          389
         #
         # URI will override the host and port settings.
         uri            ldap://ldapserver
         #uri            ldaps://secureldapserver
         #uri            ldaps://secureldapserver ldap://ldapserver
         #
         # The amount of time, in seconds, to wait while trying to connect to
         # an LDAP server.
         bind_timelimit 30
         #
         # The amount of time, in seconds, to wait while performing an LDAP query.
         timelimit 30
         #
         # Must be set or sudo will ignore LDAP; may be specified multiple times.
         sudoers_base   ou=SUDOers,dc=example,dc=com
         #
         # verbose sudoers matching from ldap
         #sudoers_debug 2
         #
         # Enable support for time-based entries in sudoers.
         #sudoers_timed yes
         #
         # optional proxy credentials
         #binddn        <who to search as>
         #bindpw        <password>
         #rootbinddn    <who to search as, uses /etc/ldap.secret for bindpw>
         #
         # LDAP protocol version, defaults to 3
         #ldap_version 3
         #
         # Define if you want to use an encrypted LDAP connection.
         # Typically, you must also set the port to 636 (ldaps).
         #ssl on
         #
         # Define if you want to use port 389 and switch to
         # encryption before the bind credentials are sent.
         # Only supported by LDAP servers that support the start_tls
         # extension such as OpenLDAP.
         #ssl start_tls
         #
         # Additional TLS options follow that allow tweaking of the
         # SSL/TLS connection.
         #
         #tls_checkpeer yes # verify server SSL certificate
         #tls_checkpeer no  # ignore server SSL certificate
         #
         # If you enable tls_checkpeer, specify either tls_cacertfile
         # or tls_cacertdir.  Only supported when using OpenLDAP.
         #
         #tls_cacertfile /etc/certs/trusted_signers.pem
         #tls_cacertdir  /etc/certs
         #
         # For systems that don't have /dev/random
         # use this along with PRNGD or EGD.pl to seed the
         # random number pool to generate cryptographic session keys.
         # Only supported when using OpenLDAP.
         #
         #tls_randfile /etc/egd-pool
         #
         # You may restrict which ciphers are used.  Consult your SSL
         # documentation for which options go here.
         # Only supported when using OpenLDAP.
         #
         #tls_ciphers <cipher-list>
         #
         # Sudo can provide a client certificate when communicating to
         # the LDAP server.
         # Tips:
         #   * Enable both lines at the same time.
         #   * Do not password protect the key file.
         #   * Ensure the keyfile is only readable by root.
         #
         # For OpenLDAP:
         #tls_cert /etc/certs/client_cert.pem
         #tls_key  /etc/certs/client_key.pem
         #
         # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
         # a directory, in which case the files in the directory must have the
         # default names (e.g. cert8.db and key4.db), or the path to the cert
         # and key files themselves.  However, a bug in version 5.0 of the LDAP
         # SDK will prevent specific file names from working.  For this reason
         # it is suggested that tls_cert and tls_key be set to a directory,
         # not a file name.
         #
         # The certificate database specified by tls_cert may contain CA certs
         # and/or the client's cert.  If the client's cert is included, tls_key
         # should be specified as well.
         # For backward compatibility, "sslpath" may be used in place of tls_cert.
         #tls_cert /var/ldap
         #tls_key /var/ldap
         #
         # If using SASL authentication for LDAP (OpenSSL)
         # use_sasl yes
         # sasl_auth_id <SASL user name>
         # rootuse_sasl yes
         # rootsasl_auth_id <SASL user name for root access>
         # sasl_secprops none
         # krb5_ccname /etc/.ldapcache
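
       An added example (not part of sudo or of this manual) that checks an
       ldap.conf against the TLS, bind and peer-verification guidance given
       in the option descriptions above and in the tips of the example file:
       the parser, the key_mode parameter and both sample configurations are
       this example's own assumptions.

```python
"""Added example (not sudo's own code): lint the ldap.conf options this page
documents for settings that weaken the sudo to LDAP link.  Samples are constructed."""
import os


def parse_ldap_conf(text):
    """Parse 'key value' lines; '#' starts a comment.  Keys are lower-cased;
    repeated keys keep the last value, except uri/host which accumulate."""
    conf = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split(None, 1)
        if not fields:
            continue
        key, value = fields[0].lower(), (fields[1].strip() if len(fields) > 1 else "")
        if key in ("uri", "host"):
            conf.setdefault(key, []).append(value)
        else:
            conf[key] = value
    return conf


def lint_ldap_conf(text, key_mode=None):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_ldap_conf(text)
    findings = []
    uris = conf.get("uri", [])
    # Encrypted if ssl/start_tls is on or every configured URI uses ldaps://.
    encrypted = (conf.get("ssl", "off").lower() in ("on", "yes", "true", "start_tls")
                 or (bool(uris) and all(u.startswith("ldaps://") for u in uris)))
    checkpeer = conf.get("tls_checkpeer", "no").lower() in ("on", "yes", "true")
    if "sudoers_base" not in conf:
        findings.append("sudoers_base unset: sudo will ignore LDAP entirely")
    if ("binddn" in conf or "rootbinddn" in conf) and not encrypted:
        findings.append("bind credentials sent without ssl on / ssl start_tls")
    if "bindpw" in conf:
        findings.append("bindpw in ldap.conf: prefer rootbinddn and /etc/ldap.secret")
    if encrypted and not checkpeer:
        findings.append("tls_checkpeer not enabled: server certificate unverified")
    if checkpeer and "tls_cacertfile" not in conf and "tls_cacertdir" not in conf:
        findings.append("tls_checkpeer yes needs tls_cacertfile or tls_cacertdir")
    if ("tls_cert" in conf) != ("tls_key" in conf):
        findings.append("tls_cert and tls_key must be enabled together")
    key = conf.get("tls_key")
    if key:
        try:
            mode = key_mode(key) if key_mode else os.stat(key).st_mode
        except OSError:  # a missing key file is not this linter's concern
            mode = None
        if mode is not None and mode & 0o077:
            findings.append("tls_key %s is readable by non-root users" % key)
    return findings


# Constructed: clear-text bind with an embedded password and an unpaired cert.
WEAK_CONF = """\
uri            ldap://ldapserver
sudoers_base   ou=SUDOers,dc=example,dc=com
binddn         cn=sudo,ou=svc,dc=example,dc=com
bindpw         placeholder-password
tls_cert       /etc/certs/client_cert.pem
"""
# Constructed: encrypted, peer-verified, no password stored in ldap.conf.
HARDENED_CONF = """\
uri            ldaps://ldapserver
sudoers_base   ou=SUDOers,dc=example,dc=com
rootbinddn     cn=sudo,ou=svc,dc=example,dc=com
ssl            on
tls_checkpeer  yes
tls_cacertfile /etc/certs/trusted_signers.pem
tls_cert       /etc/certs/client_cert.pem
tls_key        /etc/certs/client_key.pem
"""
```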

   Sudo schema for OpenLDAP
       The following schema, in OpenLDAP format, is included with sudo source
       and binary distributions as schema.OpenLDAP.  Simply copy it to the
       schema directory (e.g. /etc/openldap/schema), add the proper include
       line in slapd.conf and restart slapd.

        attributetype ( 1.3.6.1.4.1.15953.9.1.1
           NAME 'sudoUser'
           DESC 'User(s) who may  run sudo'
           EQUALITY caseExactIA5Match
           SUBSTR caseExactIA5SubstringsMatch
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

        attributetype ( 1.3.6.1.4.1.15953.9.1.2
           NAME 'sudoHost'
           DESC 'Host(s) who may run sudo'
           EQUALITY caseExactIA5Match
           SUBSTR caseExactIA5SubstringsMatch
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

        attributetype ( 1.3.6.1.4.1.15953.9.1.3
           NAME 'sudoCommand'
           DESC 'Command(s) to be executed by sudo'
           EQUALITY caseExactIA5Match
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

        attributetype ( 1.3.6.1.4.1.15953.9.1.4
           NAME 'sudoRunAs'
           DESC 'User(s) impersonated by sudo'
           EQUALITY caseExactIA5Match
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

        attributetype ( 1.3.6.1.4.1.15953.9.1.5
           NAME 'sudoOption'
           DESC 'Options(s) followed by sudo'
           EQUALITY caseExactIA5Match
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

        attributetype ( 1.3.6.1.4.1.15953.9.1.6
           NAME 'sudoRunAsUser'
           DESC 'User(s) impersonated by sudo'
           EQUALITY caseExactIA5Match
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

        attributetype ( 1.3.6.1.4.1.15953.9.1.7
           NAME 'sudoRunAsGroup'
           DESC 'Group(s) impersonated by sudo'
           EQUALITY caseExactIA5Match
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

        attributetype ( 1.3.6.1.4.1.15953.9.1.8
           NAME 'sudoNotBefore'
           DESC 'Start of time interval for which the entry is valid'
           EQUALITY generalizedTimeMatch
           ORDERING generalizedTimeOrderingMatch
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

        attributetype ( 1.3.6.1.4.1.15953.9.1.9
           NAME 'sudoNotAfter'
           DESC 'End of time interval for which the entry is valid'
           EQUALITY generalizedTimeMatch
           ORDERING generalizedTimeOrderingMatch
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

        attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
            NAME 'sudoOrder'
            DESC 'an integer to order the sudoRole entries'
            EQUALITY integerMatch
            ORDERING integerOrderingMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

        objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
           DESC 'Sudoer Entries'
           MUST ( cn )
           MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
                 sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
                 sudoOrder $ description )
           )
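
       An added example (not part of sudo) that validates a sudoRole entry
       against the MUST/MAY lists and attribute syntaxes of the schema above
       before it is loaded with ldapadd, and renders it as LDIF; the
       GeneralizedTime pattern, the interval check and the sample entries are
       this example's own assumptions.

```python
"""Added example (not sudo's own code): check a sudoRole entry against the
MUST/MAY lists and attribute syntaxes of the schema above before loading it,
and render it as LDIF.  The sample entries below are constructed."""
import re

MUST = {"cn"}
IA5 = {"sudoUser", "sudoHost", "sudoCommand", "sudoRunAs", "sudoRunAsUser",
       "sudoRunAsGroup", "sudoOption"}        # SYNTAX ...1.26, IA5 String
GENTIME = {"sudoNotBefore", "sudoNotAfter"}    # SYNTAX ...1.24, Generalized Time
INTEGER = {"sudoOrder"}                        # SYNTAX ...1.27, Integer
MAY = IA5 | GENTIME | INTEGER | {"description"}
# LDAP GeneralizedTime: YYYYmmddHH[MM[SS]][.fraction](Z|+hhmm|-hhmm)
GENTIME_RE = re.compile(r"^\d{10}(\d{2}(\d{2})?)?([.,]\d+)?(Z|[+-]\d{4})$")


def validate_sudo_role(entry):
    """Return a list of problems; empty means the entry conforms to sudoRole.
    entry maps attribute name -> list of string values (names match
    case-insensitively, as LDAP attribute types do)."""
    problems = []
    names = {a.lower(): a for a in MUST | MAY}
    present = {k.lower() for k in entry}
    for must in MUST:
        if must.lower() not in present:
            problems.append("missing MUST attribute %s" % must)
    times = {}
    for key, values in entry.items():
        canon = names.get(key.lower())
        if canon is None:
            problems.append("attribute %s not allowed in sudoRole" % key)
            continue
        for v in values:
            if canon in IA5 and not v.isascii():
                problems.append("%s value %r is not an IA5 string" % (canon, v))
            elif canon in GENTIME and not GENTIME_RE.match(v):
                problems.append("%s value %r is not a GeneralizedTime" % (canon, v))
            elif canon in INTEGER and not re.match(r"^-?\d+$", v):
                problems.append("%s value %r is not an integer" % (canon, v))
            elif canon in GENTIME:
                times[canon] = v
    # An interval that ends before it starts can never match (compares the
    # first 14 digits, so both values are assumed to use the same zone).
    if "sudoNotBefore" in times and "sudoNotAfter" in times and \
            times["sudoNotBefore"][:14] > times["sudoNotAfter"][:14]:
        problems.append("sudoNotBefore is later than sudoNotAfter")
    return problems


def to_ldif(dn, entry):
    """Render the entry as LDIF for ldapadd (values are assumed to be safe
    7-bit text without leading spaces, so no base64 encoding is done)."""
    lines = ["dn: %s" % dn, "objectClass: top", "objectClass: sudoRole"]
    for key, values in entry.items():
        lines.extend("%s: %s" % (key, v) for v in values)
    return "\n".join(lines) + "\n"


# Constructed: a complete, time-bounded role that conforms to the schema.
GOOD_ROLE = {
    "cn": ["ops"], "sudoUser": ["%ops"], "sudoHost": ["ALL"],
    "sudoCommand": ["/usr/bin/systemctl restart nginx"],
    "sudoRunAsUser": ["root"], "sudoOption": ["log_output"],
    "sudoNotBefore": ["20240101000000Z"], "sudoNotAfter": ["20241231235959Z"],
    "sudoOrder": ["10"],
}
# Constructed: missing cn, bad time and integer syntax, an unknown attribute.
BAD_ROLE = {
    "sudoUser": ["ALL"], "sudoCommand": ["/bin/sh"],
    "sudoNotAfter": ["2024-12-31"], "sudoOrder": ["ten"], "sudoPassword": ["x"],
}
```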

SEE ALSO
       ldap.conf(4), sudoers(4)

CAVEATS
       Note that there are differences in the way that LDAP-based sudoers is
       parsed compared to file-based sudoers.  See the "Differences between
       LDAP and non-LDAP sudoers" section for more information.

BUGS
       If you feel you have found a bug in sudo, please submit a bug report at
       http://www.sudo.ws/sudo/bugs/

SUPPORT
       Limited free support is available via the sudo-users mailing list, see
       http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
       the archives.

DISCLAIMER
       sudo is provided ``AS IS'' and any express or implied warranties,
       including, but not limited to, the implied warranties of
       merchantability and fitness for a particular purpose are disclaimed.
       See the LICENSE file distributed with sudo or
       http://www.sudo.ws/sudo/license.html for complete details.



1.8.3                         September 16, 2011               SUDOERS.LDAP(4)
