Annotation of embedaddon/sudo/doc/sudoers.ldap.cat, revision 1.1.1.1
1.1 misho 1: SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
2:
3:
4:
5: NNAAMMEE
6: sudoers.ldap - sudo LDAP configuration
7:
8: DDEESSCCRRIIPPTTIIOONN
9: In addition to the standard _s_u_d_o_e_r_s file, ssuuddoo may be configured via
10: LDAP. This can be especially useful for synchronizing _s_u_d_o_e_r_s in a
11: large, distributed environment.
12:
13: Using LDAP for _s_u_d_o_e_r_s has several benefits:
14:
15: +o ssuuddoo no longer needs to read _s_u_d_o_e_r_s in its entirety. When LDAP is
16: used, there are only two or three LDAP queries per invocation.
17: This makes it especially fast and particularly usable in LDAP
18: environments.
19:
20: +o ssuuddoo no longer exits if there is a typo in _s_u_d_o_e_r_s. It is not
21: possible to load LDAP data into the server that does not conform to
22: the sudoers schema, so proper syntax is guaranteed. It is still
23: possible to have typos in a user or host name, but this will not
24: prevent ssuuddoo from running.
25:
26: +o It is possible to specify per-entry options that override the
27: global default options. _/_e_t_c_/_s_u_d_o_e_r_s only supports default options
28: and limited options associated with user/host/commands/aliases.
29: The syntax is complicated and can be difficult for users to
30: understand. Placing the options directly in the entry is more
31: natural.
32:
33: +o The vviissuuddoo program is no longer needed. vviissuuddoo provides locking
34: and syntax checking of the _/_e_t_c_/_s_u_d_o_e_r_s file. Since LDAP updates
35: are atomic, locking is no longer necessary. Because syntax is
36: checked when the data is inserted into LDAP, there is no need for a
37: specialized tool to check syntax.
38:
39: Another major difference between LDAP and file-based _s_u_d_o_e_r_s is that in
40: LDAP, ssuuddoo-specific Aliases are not supported.
41:
42: For the most part, there is really no need for ssuuddoo-specific Aliases.
43: Unix groups or user netgroups can be used in place of User_Aliases and
44: Runas_Aliases. Host netgroups can be used in place of Host_Aliases.
45: Since Unix groups and netgroups can also be stored in LDAP there is no
46: real need for ssuuddoo-specific aliases.
47:
48: Cmnd_Aliases are not really required either since it is possible to
49: have multiple users listed in a sudoRole. Instead of defining a
50: Cmnd_Alias that is referenced by multiple users, one can create a
51: sudoRole that contains the commands and assign multiple users to it.
52:
53: SSUUDDOOeerrss LLDDAAPP ccoonnttaaiinneerr
54: The _s_u_d_o_e_r_s configuration is contained in the ou=SUDOers LDAP
55: container.
56:
57: Sudo first looks for the cn=default entry in the SUDOers container. If
58: found, the multi-valued sudoOption attribute is parsed in the same
59: manner as a global Defaults line in _/_e_t_c_/_s_u_d_o_e_r_s. In the following
60: example, the SSH_AUTH_SOCK variable will be preserved in the
61: environment for all users.
62:
63: dn: cn=defaults,ou=SUDOers,dc=example,dc=com
64: objectClass: top
65: objectClass: sudoRole
66: cn: defaults
67: description: Default sudoOption's go here
68: sudoOption: env_keep+=SSH_AUTH_SOCK
69:
70: The equivalent of a sudoer in LDAP is a sudoRole. It consists of the
71: following attributes:
72:
73: ssuuddooUUsseerr
74: A user name, uid (prefixed with '#'), Unix group (prefixed with a
75: '%') or user netgroup (prefixed with a '+').
76:
77: ssuuddooHHoosstt
78: A host name, IP address, IP network, or host netgroup (prefixed
79: with a '+'). The special value ALL will match any host.
80:
81: ssuuddooCCoommmmaanndd
82: A Unix command with optional command line arguments, potentially
83: including globbing characters (aka wild cards). The special value
84: ALL will match any command. If a command is prefixed with an
85: exclamation point '!', the user will be prohibited from running
86: that command.
87:
88: ssuuddooOOppttiioonn
89: Identical in function to the global options described above, but
90: specific to the sudoRole in which it resides.
91:
92: ssuuddooRRuunnAAssUUsseerr
93: A user name or uid (prefixed with '#') that commands may be run as
94: or a Unix group (prefixed with a '%') or user netgroup (prefixed
95: with a '+') that contains a list of users that commands may be run
96: as. The special value ALL will match any user.
97:
98: The sudoRunAsUser attribute is only available in ssuuddoo versions
99: 1.7.0 and higher. Older versions of ssuuddoo use the sudoRunAs
100: attribute instead.
101:
102: ssuuddooRRuunnAAssGGrroouupp
103: A Unix group or gid (prefixed with '#') that commands may be run
104: as. The special value ALL will match any group.
105:
106: The sudoRunAsGroup attribute is only available in ssuuddoo versions
107: 1.7.0 and higher.
108:
109: ssuuddooNNoottBBeeffoorree
110: A timestamp in the form yyyymmddHHMMSSZ that can be used to provide
111: a start date/time for when the sudoRole will be valid. If multiple
112: sudoNotBefore entries are present, the earliest is used. Note that
113: timestamps must be in Coordinated Universal Time (UTC), not the
114: local timezone. The minute and seconds portions are optional, but
115: some LDAP servers require that they be present (contrary to the
116: RFC).
117:
118: The sudoNotBefore attribute is only available in ssuuddoo versions
119: 1.7.5 and higher and must be explicitly enabled via the
120: SSUUDDOOEERRSS__TTIIMMEEDD option in _/_e_t_c_/_l_d_a_p_._c_o_n_f.
121:
122: ssuuddooNNoottAAfftteerr
123: A timestamp in the form yyyymmddHHMMSSZ that indicates an
124: expiration date/time, after which the sudoRole will no longer be
125: valid. If multiple sudoNotBefore entries are present, the last one
126: is used. Note that timestamps must be in Coordinated Universal
127: Time (UTC), not the local timezone. The minute and seconds
128: portions are optional, but some LDAP servers require that they be
129: present (contrary to the RFC).
130:
131: The sudoNotAfter attribute is only available in ssuuddoo versions 1.7.5
132: and higher and must be explicitly enabled via the SSUUDDOOEERRSS__TTIIMMEEDD
133: option in _/_e_t_c_/_l_d_a_p_._c_o_n_f.
134:
135: ssuuddooOOrrddeerr
136: The sudoRole entries retrieved from the LDAP directory have no
137: inherent order. The sudoOrder attribute is an integer (or floating
138: point value for LDAP servers that support it) that is used to sort
139: the matching entries. This allows LDAP-based sudoers entries to
140: more closely mimic the behaviour of the sudoers file, where the of
141: the entries influences the result. If multiple entries match, the
142: entry with the highest sudoOrder attribute is chosen. This
143: corresponds to the "last match" behavior of the sudoers file. If
144: the sudoOrder attribute is not present, a value of 0 is assumed.
145:
146: The sudoOrder attribute is only available in ssuuddoo versions 1.7.5
147: and higher.
148:
149: Each attribute listed above should contain a single value, but there
150: may be multiple instances of each attribute type. A sudoRole must
151: contain at least one sudoUser, sudoHost and sudoCommand.
152:
153: The following example allows users in group wheel to run any command on
154: any host via ssuuddoo:
155:
156: dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
157: objectClass: top
158: objectClass: sudoRole
159: cn: %wheel
160: sudoUser: %wheel
161: sudoHost: ALL
162: sudoCommand: ALL
163:
164: AAnnaattoommyy ooff LLDDAAPP ssuuddooeerrss llooookkuupp
165: When looking up a sudoer using LDAP there are only two or three LDAP
166: queries per invocation. The first query is to parse the global
167: options. The second is to match against the user's name and the groups
168: that the user belongs to. (The special ALL tag is matched in this
169: query too.) If no match is returned for the user's name and groups, a
170: third query returns all entries containing user netgroups and checks to
171: see if the user belongs to any of them.
172:
173: If timed entries are enabled with the SSUUDDOOEERRSS__TTIIMMEEDD configuration
174: directive, the LDAP queries include a subfilter that limits retrieval
175: to entries that satisfy the time constraints, if any.
176:
177: DDiiffffeerreenncceess bbeettwweeeenn LLDDAAPP aanndd nnoonn--LLDDAAPP ssuuddooeerrss
178: There are some subtle differences in the way sudoers is handled once in
179: LDAP. Probably the biggest is that according to the RFC, LDAP ordering
180: is arbitrary and you cannot expect that Attributes and Entries are
181: returned in any specific order.
182:
183: The order in which different entries are applied can be controlled
184: using the sudoOrder attribute, but there is no way to guarantee the
185: order of attributes within a specific entry. If there are conflicting
186: command rules in an entry, the negative takes precedence. This is
187: called paranoid behavior (not necessarily the most specific match).
188:
189: Here is an example:
190:
191: # /etc/sudoers:
192: # Allow all commands except shell
193: johnny ALL=(root) ALL,!/bin/sh
194: # Always allows all commands because ALL is matched last
195: puddles ALL=(root) !/bin/sh,ALL
196:
197: # LDAP equivalent of johnny
198: # Allows all commands except shell
199: dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
200: objectClass: sudoRole
201: objectClass: top
202: cn: role1
203: sudoUser: johnny
204: sudoHost: ALL
205: sudoCommand: ALL
206: sudoCommand: !/bin/sh
207:
208: # LDAP equivalent of puddles
209: # Notice that even though ALL comes last, it still behaves like
210: # role1 since the LDAP code assumes the more paranoid configuration
211: dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
212: objectClass: sudoRole
213: objectClass: top
214: cn: role2
215: sudoUser: puddles
216: sudoHost: ALL
217: sudoCommand: !/bin/sh
218: sudoCommand: ALL
219:
220: Another difference is that negations on the Host, User or Runas are
221: currently ignored. For example, the following attributes do not behave
222: the way one might expect.
223:
224: # does not match all but joe
225: # rather, does not match anyone
226: sudoUser: !joe
227:
228: # does not match all but joe
229: # rather, matches everyone including Joe
230: sudoUser: ALL
231: sudoUser: !joe
232:
233: # does not match all but web01
234: # rather, matches all hosts including web01
235: sudoHost: ALL
236: sudoHost: !web01
237:
238: SSuuddooeerrss SScchheemmaa
239: In order to use ssuuddoo's LDAP support, the ssuuddoo schema must be installed
240: on your LDAP server. In addition, be sure to index the 'sudoUser'
241: attribute.
242:
243: Three versions of the schema: one for OpenLDAP servers
244: (_s_c_h_e_m_a_._O_p_e_n_L_D_A_P), one for Netscape-derived servers (_s_c_h_e_m_a_._i_P_l_a_n_e_t),
245: and one for Microsoft Active Directory (_s_c_h_e_m_a_._A_c_t_i_v_e_D_i_r_e_c_t_o_r_y) may be
246: found in the ssuuddoo distribution.
247:
248: The schema for ssuuddoo in OpenLDAP form is included in the EXAMPLES
249: section.
250:
251: CCoonnffiigguurriinngg llddaapp..ccoonnff
252: Sudo reads the _/_e_t_c_/_l_d_a_p_._c_o_n_f file for LDAP-specific configuration.
253: Typically, this file is shared amongst different LDAP-aware clients.
254: As such, most of the settings are not ssuuddoo-specific. Note that ssuuddoo
255: parses _/_e_t_c_/_l_d_a_p_._c_o_n_f itself and may support options that differ from
256: those described in the _l_d_a_p_._c_o_n_f(4) manual.
257:
258: Also note that on systems using the OpenLDAP libraries, default values
259: specified in _/_e_t_c_/_o_p_e_n_l_d_a_p_/_l_d_a_p_._c_o_n_f or the user's _._l_d_a_p_r_c files are
260: not used.
261:
262: Only those options explicitly listed in _/_e_t_c_/_l_d_a_p_._c_o_n_f as being
263: supported by ssuuddoo are honored. Configuration options are listed below
264: in upper case but are parsed in a case-independent manner.
265:
266: UURRII ldap[s]://[hostname[:port]] ...
267: Specifies a whitespace-delimited list of one or more URIs
268: describing the LDAP server(s) to connect to. The _p_r_o_t_o_c_o_l may be
269: either llddaapp or llddaappss, the latter being for servers that support TLS
270: (SSL) encryption. If no _p_o_r_t is specified, the default is port 389
271: for ldap:// or port 636 for ldaps://. If no _h_o_s_t_n_a_m_e is specified,
272: ssuuddoo will connect to llooccaallhhoosstt. Multiple UURRII lines are treated
273: identically to a UURRII line containing multiple entries. Only
274: systems using the OpenSSL libraries support the mixing of ldap://
275: and ldaps:// URIs. The Netscape-derived libraries used on most
276: commercial versions of Unix are only capable of supporting one or
277: the other.
278:
279: HHOOSSTT name[:port] ...
280: If no UURRII is specified, the HHOOSSTT parameter specifies a whitespace-
281: delimited list of LDAP servers to connect to. Each host may
282: include an optional _p_o_r_t separated by a colon (':'). The HHOOSSTT
283: parameter is deprecated in favor of the UURRII specification and is
284: included for backwards compatibility.
285:
286: PPOORRTT port_number
287: If no UURRII is specified, the PPOORRTT parameter specifies the default
288: port to connect to on the LDAP server if a HHOOSSTT parameter does not
289: specify the port itself. If no PPOORRTT parameter is used, the default
290: is port 389 for LDAP and port 636 for LDAP over TLS (SSL). The
291: PPOORRTT parameter is deprecated in favor of the UURRII specification and
292: is included for backwards compatibility.
293:
294: BBIINNDD__TTIIMMEELLIIMMIITT seconds
295: The BBIINNDD__TTIIMMEELLIIMMIITT parameter specifies the amount of time, in
296: seconds, to wait while trying to connect to an LDAP server. If
297: multiple UURRIIs or HHOOSSTTs are specified, this is the amount of time to
298: wait before trying the next one in the list.
299:
300: NNEETTWWOORRKK__TTIIMMEEOOUUTT seconds
301: An alias for BBIINNDD__TTIIMMEELLIIMMIITT for OpenLDAP compatibility.
302:
303: TTIIMMEELLIIMMIITT seconds
304: The TTIIMMEELLIIMMIITT parameter specifies the amount of time, in seconds,
305: to wait for a response to an LDAP query.
306:
307: TTIIMMEEOOUUTT seconds
308: The TTIIMMEEOOUUTT parameter specifies the amount of time, in seconds, to
309: wait for a response from the various LDAP APIs.
310:
311: SSUUDDOOEERRSS__BBAASSEE base
312: The base DN to use when performing ssuuddoo LDAP queries. Typically
313: this is of the form ou=SUDOers,dc=example,dc=com for the domain
314: example.com. Multiple SSUUDDOOEERRSS__BBAASSEE lines may be specified, in
315: which case they are queried in the order specified.
316:
317: SSUUDDOOEERRSS__SSEEAARRCCHH__FFIILLTTEERR ldap_filter
318: An LDAP filter which is used to restrict the set of records
319: returned when performing a ssuuddoo LDAP query. Typically, this is of
320: the form attribute=value or
321: (&(attribute=value)(attribute2=value2)).
322:
323: SSUUDDOOEERRSS__TTIIMMEEDD on/true/yes/off/false/no
324: Whether or not to evaluate the sudoNotBefore and sudoNotAfter
325: attributes that implement time-dependent sudoers entries.
326:
327: SSUUDDOOEERRSS__DDEEBBUUGG debug_level
328: This sets the debug level for ssuuddoo LDAP queries. Debugging
329: information is printed to the standard error. A value of 1 results
330: in a moderate amount of debugging information. A value of 2 shows
331: the results of the matches themselves. This parameter should not
332: be set in a production environment as the extra information is
333: likely to confuse users.
334:
335: BBIINNDDDDNN DN
336: The BBIINNDDDDNN parameter specifies the identity, in the form of a
337: Distinguished Name (DN), to use when performing LDAP operations.
338: If not specified, LDAP operations are performed with an anonymous
339: identity. By default, most LDAP servers will allow anonymous
340: access.
341:
342: BBIINNDDPPWW secret
343: The BBIINNDDPPWW parameter specifies the password to use when performing
344: LDAP operations. This is typically used in conjunction with the
345: BBIINNDDDDNN parameter.
346:
347: RROOOOTTBBIINNDDDDNN DN
348: The RROOOOTTBBIINNDDDDNN parameter specifies the identity, in the form of a
349: Distinguished Name (DN), to use when performing privileged LDAP
350: operations, such as _s_u_d_o_e_r_s queries. The password corresponding to
351: the identity should be stored in _/_e_t_c_/_l_d_a_p_._s_e_c_r_e_t. If not
352: specified, the BBIINNDDDDNN identity is used (if any).
353:
354: LLDDAAPP__VVEERRSSIIOONN number
355: The version of the LDAP protocol to use when connecting to the
356: server. The default value is protocol version 3.
357:
358: SSSSLL on/true/yes/off/false/no
359: If the SSSSLL parameter is set to on, true or yes, TLS (SSL)
360: encryption is always used when communicating with the LDAP server.
361: Typically, this involves connecting to the server on port 636
362: (ldaps).
363:
364: SSSSLL start_tls
365: If the SSSSLL parameter is set to start_tls, the LDAP server
366: connection is initiated normally and TLS encryption is begun before
367: the bind credentials are sent. This has the advantage of not
368: requiring a dedicated port for encrypted communications. This
369: parameter is only supported by LDAP servers that honor the
370: start_tls extension, such as the OpenLDAP server.
371:
372: TTLLSS__CCHHEECCKKPPEEEERR on/true/yes/off/false/no
373: If enabled, TTLLSS__CCHHEECCKKPPEEEERR will cause the LDAP server's TLS
374: certificated to be verified. If the server's TLS certificate
375: cannot be verified (usually because it is signed by an unknown
376: certificate authority), ssuuddoo will be unable to connect to it. If
377: TTLLSS__CCHHEECCKKPPEEEERR is disabled, no check is made. Note that disabling
378: the check creates an opportunity for man-in-the-middle attacks
379: since the server's identity will not be authenticated. If
380: possible, the CA's certificate should be installed locally so it
381: can be verified.
382:
383: TTLLSS__CCAACCEERRTT file name
384: An alias for TTLLSS__CCAACCEERRTTFFIILLEE for OpenLDAP compatibility.
385:
386: TTLLSS__CCAACCEERRTTFFIILLEE file name
387: The path to a certificate authority bundle which contains the
388: certificates for all the Certificate Authorities the client knows
389: to be valid, e.g. _/_e_t_c_/_s_s_l_/_c_a_-_b_u_n_d_l_e_._p_e_m. This option is only
390: supported by the OpenLDAP libraries. Netscape-derived LDAP
391: libraries use the same certificate database for CA and client
392: certificates (see TTLLSS__CCEERRTT).
393:
394: TTLLSS__CCAACCEERRTTDDIIRR directory
395: Similar to TTLLSS__CCAACCEERRTTFFIILLEE but instead of a file, it is a directory
396: containing individual Certificate Authority certificates, e.g.
397: _/_e_t_c_/_s_s_l_/_c_e_r_t_s. The directory specified by TTLLSS__CCAACCEERRTTDDIIRR is
398: checked after TTLLSS__CCAACCEERRTTFFIILLEE. This option is only supported by the
399: OpenLDAP libraries.
400:
401: TTLLSS__CCEERRTT file name
402: The path to a file containing the client certificate which can be
403: used to authenticate the client to the LDAP server. The
404: certificate type depends on the LDAP libraries used.
405:
406: OpenLDAP:
407: tls_cert /etc/ssl/client_cert.pem
408:
409: Netscape-derived:
410: tls_cert /var/ldap/cert7.db
411:
412: When using Netscape-derived libraries, this file may also contain
413: Certificate Authority certificates.
414:
415: TTLLSS__KKEEYY file name
416: The path to a file containing the private key which matches the
417: certificate specified by TTLLSS__CCEERRTT. The private key must not be
418: password-protected. The key type depends on the LDAP libraries
419: used.
420:
421: OpenLDAP:
422: tls_key /etc/ssl/client_key.pem
423:
424: Netscape-derived:
425: tls_key /var/ldap/key3.db
426:
427: TTLLSS__RRAANNDDFFIILLEE file name
428: The TTLLSS__RRAANNDDFFIILLEE parameter specifies the path to an entropy source
429: for systems that lack a random device. It is generally used in
430: conjunction with _p_r_n_g_d or _e_g_d. This option is only supported by
431: the OpenLDAP libraries.
432:
433: TTLLSS__CCIIPPHHEERRSS cipher list
434: The TTLLSS__CCIIPPHHEERRSS parameter allows the administer to restrict which
435: encryption algorithms may be used for TLS (SSL) connections. See
436: the OpenSSL manual for a list of valid ciphers. This option is
437: only supported by the OpenLDAP libraries.
438:
439: UUSSEE__SSAASSLL on/true/yes/off/false/no
440: Enable UUSSEE__SSAASSLL for LDAP servers that support SASL authentication.
441:
442: SSAASSLL__AAUUTTHH__IIDD identity
443: The SASL user name to use when connecting to the LDAP server. By
444: default, ssuuddoo will use an anonymous connection.
445:
446: RROOOOTTUUSSEE__SSAASSLL on/true/yes/off/false/no
447: Enable RROOOOTTUUSSEE__SSAASSLL to enable SASL authentication when connecting
448: to an LDAP server from a privileged process, such as ssuuddoo.
449:
450: RROOOOTTSSAASSLL__AAUUTTHH__IIDD identity
451: The SASL user name to use when RROOOOTTUUSSEE__SSAASSLL is enabled.
452:
453: SSAASSLL__SSEECCPPRROOPPSS none/properties
454: SASL security properties or _n_o_n_e for no properties. See the SASL
455: programmer's manual for details.
456:
457: KKRRBB55__CCCCNNAAMMEE file name
458: The path to the Kerberos 5 credential cache to use when
459: authenticating with the remote server.
460:
461: DDEERREEFF never/searching/finding/always
462: How alias dereferencing is to be performed when searching. See the
463: _l_d_a_p_._c_o_n_f(4) manual for a full description of this option.
464:
465: See the ldap.conf entry in the EXAMPLES section.
466:
467: CCoonnffiigguurriinngg nnsssswwiittcchh..ccoonnff
468: Unless it is disabled at build time, ssuuddoo consults the Name Service
469: Switch file, _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f, to specify the _s_u_d_o_e_r_s search order.
470: Sudo looks for a line beginning with sudoers: and uses this to
471: determine the search order. Note that ssuuddoo does not stop searching
472: after the first match and later matches take precedence over earlier
473: ones.
474:
475: The following sources are recognized:
476:
477: files read sudoers from F</etc/sudoers>
478: ldap read sudoers from LDAP
479:
480: In addition, the entry [NOTFOUND=return] will short-circuit the search
481: if the user was not found in the preceding source.
482:
483: To consult LDAP first followed by the local sudoers file (if it
484: exists), use:
485:
486: sudoers: ldap files
487:
488: The local _s_u_d_o_e_r_s file can be ignored completely by using:
489:
490: sudoers: ldap
491:
492: If the _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f file is not present or there is no sudoers
493: line, the following default is assumed:
494:
495: sudoers: files
496:
497: Note that _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f is supported even when the underlying
498: operating system does not use an nsswitch.conf file.
499:
500: CCoonnffiigguurriinngg nneettssvvcc..ccoonnff
501: On AIX systems, the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is consulted instead of
502: _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f. ssuuddoo simply treats _n_e_t_s_v_c_._c_o_n_f as a variant of
503: _n_s_s_w_i_t_c_h_._c_o_n_f; information in the previous section unrelated to the
504: file format itself still applies.
505:
506: To consult LDAP first followed by the local sudoers file (if it
507: exists), use:
508:
509: sudoers = ldap, files
510:
511: The local _s_u_d_o_e_r_s file can be ignored completely by using:
512:
513: sudoers = ldap
514:
515: To treat LDAP as authoratative and only use the local sudoers file if
516: the user is not present in LDAP, use:
517:
518: sudoers = ldap = auth, files
519:
520: Note that in the above example, the auth qualfier only affects user
521: lookups; both LDAP and _s_u_d_o_e_r_s will be queried for Defaults entries.
522:
523: If the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is not present or there is no sudoers
524: line, the following default is assumed:
525:
526: sudoers = files
527:
528: FFIILLEESS
529: _/_e_t_c_/_l_d_a_p_._c_o_n_f LDAP configuration file
530:
531: _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f determines sudoers source order
532:
533: _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f determines sudoers source order on AIX
534:
535: EEXXAAMMPPLLEESS
536: EExxaammppllee llddaapp..ccoonnff
537: # Either specify one or more URIs or one or more host:port pairs.
538: # If neither is specified sudo will default to localhost, port 389.
539: #
540: #host ldapserver
541: #host ldapserver1 ldapserver2:390
542: #
543: # Default port if host is specified without one, defaults to 389.
544: #port 389
545: #
546: # URI will override the host and port settings.
547: uri ldap://ldapserver
548: #uri ldaps://secureldapserver
549: #uri ldaps://secureldapserver ldap://ldapserver
550: #
551: # The amount of time, in seconds, to wait while trying to connect to
552: # an LDAP server.
553: bind_timelimit 30
554: #
555: # The amount of time, in seconds, to wait while performing an LDAP query.
556: timelimit 30
557: #
558: # Must be set or sudo will ignore LDAP; may be specified multiple times.
559: sudoers_base ou=SUDOers,dc=example,dc=com
560: #
561: # verbose sudoers matching from ldap
562: #sudoers_debug 2
563: #
564: # Enable support for time-based entries in sudoers.
565: #sudoers_timed yes
566: #
567: # optional proxy credentials
568: #binddn <who to search as>
569: #bindpw <password>
570: #rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>
571: #
572: # LDAP protocol version, defaults to 3
573: #ldap_version 3
574: #
575: # Define if you want to use an encrypted LDAP connection.
576: # Typically, you must also set the port to 636 (ldaps).
577: #ssl on
578: #
579: # Define if you want to use port 389 and switch to
580: # encryption before the bind credentials are sent.
581: # Only supported by LDAP servers that support the start_tls
582: # extension such as OpenLDAP.
583: #ssl start_tls
584: #
585: # Additional TLS options follow that allow tweaking of the
586: # SSL/TLS connection.
587: #
588: #tls_checkpeer yes # verify server SSL certificate
589: #tls_checkpeer no # ignore server SSL certificate
590: #
591: # If you enable tls_checkpeer, specify either tls_cacertfile
592: # or tls_cacertdir. Only supported when using OpenLDAP.
593: #
594: #tls_cacertfile /etc/certs/trusted_signers.pem
595: #tls_cacertdir /etc/certs
596: #
597: # For systems that don't have /dev/random
598: # use this along with PRNGD or EGD.pl to seed the
599: # random number pool to generate cryptographic session keys.
600: # Only supported when using OpenLDAP.
601: #
602: #tls_randfile /etc/egd-pool
603: #
604: # You may restrict which ciphers are used. Consult your SSL
605: # documentation for which options go here.
606: # Only supported when using OpenLDAP.
607: #
608: #tls_ciphers <cipher-list>
609: #
610: # Sudo can provide a client certificate when communicating to
611: # the LDAP server.
612: # Tips:
613: # * Enable both lines at the same time.
614: # * Do not password protect the key file.
615: # * Ensure the keyfile is only readable by root.
616: #
617: # For OpenLDAP:
618: #tls_cert /etc/certs/client_cert.pem
619: #tls_key /etc/certs/client_key.pem
620: #
621: # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
622: # a directory, in which case the files in the directory must have the
623: # default names (e.g. cert8.db and key4.db), or the path to the cert
624: # and key files themselves. However, a bug in version 5.0 of the LDAP
625: # SDK will prevent specific file names from working. For this reason
626: # it is suggested that tls_cert and tls_key be set to a directory,
627: # not a file name.
628: #
629: # The certificate database specified by tls_cert may contain CA certs
630: # and/or the client's cert. If the client's cert is included, tls_key
631: # should be specified as well.
632: # For backward compatibility, "sslpath" may be used in place of tls_cert.
633: #tls_cert /var/ldap
634: #tls_key /var/ldap
635: #
636: # If using SASL authentication for LDAP (OpenSSL)
637: # use_sasl yes
638: # sasl_auth_id <SASL user name>
639: # rootuse_sasl yes
640: # rootsasl_auth_id <SASL user name for root access>
641: # sasl_secprops none
642: # krb5_ccname /etc/.ldapcache
643:
644: SSuuddoo sscchheemmaa ffoorr OOppeennLLDDAAPP
645: The following schema, in OpenLDAP format, is included with ssuuddoo source
646: and binary distributions as _s_c_h_e_m_a_._O_p_e_n_L_D_A_P. Simply copy it to the
647: schema directory (e.g. _/_e_t_c_/_o_p_e_n_l_d_a_p_/_s_c_h_e_m_a), add the proper include
648: line in slapd.conf and restart ssllaappdd.
649:
650: attributetype ( 1.3.6.1.4.1.15953.9.1.1
651: NAME 'sudoUser'
652: DESC 'User(s) who may run sudo'
653: EQUALITY caseExactIA5Match
654: SUBSTR caseExactIA5SubstringsMatch
655: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
656:
657: attributetype ( 1.3.6.1.4.1.15953.9.1.2
658: NAME 'sudoHost'
659: DESC 'Host(s) who may run sudo'
660: EQUALITY caseExactIA5Match
661: SUBSTR caseExactIA5SubstringsMatch
662: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
663:
664: attributetype ( 1.3.6.1.4.1.15953.9.1.3
665: NAME 'sudoCommand'
666: DESC 'Command(s) to be executed by sudo'
667: EQUALITY caseExactIA5Match
668: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
669:
670: attributetype ( 1.3.6.1.4.1.15953.9.1.4
671: NAME 'sudoRunAs'
672: DESC 'User(s) impersonated by sudo'
673: EQUALITY caseExactIA5Match
674: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
675:
676: attributetype ( 1.3.6.1.4.1.15953.9.1.5
677: NAME 'sudoOption'
678: DESC 'Options(s) followed by sudo'
679: EQUALITY caseExactIA5Match
680: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
681:
682: attributetype ( 1.3.6.1.4.1.15953.9.1.6
683: NAME 'sudoRunAsUser'
684: DESC 'User(s) impersonated by sudo'
685: EQUALITY caseExactIA5Match
686: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
687:
688: attributetype ( 1.3.6.1.4.1.15953.9.1.7
689: NAME 'sudoRunAsGroup'
690: DESC 'Group(s) impersonated by sudo'
691: EQUALITY caseExactIA5Match
692: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
693:
694: attributetype ( 1.3.6.1.4.1.15953.9.1.8
695: NAME 'sudoNotBefore'
696: DESC 'Start of time interval for which the entry is valid'
697: EQUALITY generalizedTimeMatch
698: ORDERING generalizedTimeOrderingMatch
699: SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
700:
701: attributetype ( 1.3.6.1.4.1.15953.9.1.9
702: NAME 'sudoNotAfter'
703: DESC 'End of time interval for which the entry is valid'
704: EQUALITY generalizedTimeMatch
705: ORDERING generalizedTimeOrderingMatch
706: SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
707:
708: attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
709: NAME 'sudoOrder'
710: DESC 'an integer to order the sudoRole entries'
711: EQUALITY integerMatch
712: ORDERING integerOrderingMatch
713: SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
714:
715: objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
716: DESC 'Sudoer Entries'
717: MUST ( cn )
718: MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
719: sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
720: sudoOrder $ description )
721: )
722:
723: SSEEEE AALLSSOO
724: _l_d_a_p_._c_o_n_f(4), _s_u_d_o_e_r_s(4)
725:
726: CCAAVVEEAATTSS
727: Note that there are differences in the way that LDAP-based _s_u_d_o_e_r_s is
728: parsed compared to file-based _s_u_d_o_e_r_s. See the "Differences between
729: LDAP and non-LDAP sudoers" section for more information.
730:
731: BBUUGGSS
732: If you feel you have found a bug in ssuuddoo, please submit a bug report at
733: http://www.sudo.ws/sudo/bugs/
734:
735: SSUUPPPPOORRTT
736: Limited free support is available via the sudo-users mailing list, see
737: http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
738: the archives.
739:
740: DDIISSCCLLAAIIMMEERR
741: ssuuddoo is provided ``AS IS'' and any express or implied warranties,
742: including, but not limited to, the implied warranties of
743: merchantability and fitness for a particular purpose are disclaimed.
744: See the LICENSE file distributed with ssuuddoo or
745: http://www.sudo.ws/sudo/license.html for complete details.
746:
747:
748:
749: 1.8.3 September 16, 2011 SUDOERS.LDAP(4)
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>