Annotation of embedaddon/sudo/doc/sudoers.ldap.cat, revision 1.1.1.3

SUDOERS.LDAP(1m)             System Manager's Manual            SUDOERS.LDAP(1m)

NAME
     sudoers.ldap - sudo LDAP configuration

DESCRIPTION
     In addition to the standard sudoers file, sudo may be configured via
     LDAP.  This can be especially useful for synchronizing sudoers in a
     large, distributed environment.

     Using LDAP for sudoers has several benefits:

     o   sudo no longer needs to read sudoers in its entirety.  When LDAP is
         used, there are only two or three LDAP queries per invocation.  This
         makes it especially fast and particularly usable in LDAP
         environments.

     o   sudo no longer exits if there is a typo in sudoers.  It is not
         possible to load LDAP data into the server that does not conform to
         the sudoers schema, so proper syntax is guaranteed.  It is still
         possible to have typos in a user or host name, but this will not
         prevent sudo from running.

     o   It is possible to specify per-entry options that override the global
         default options.  /etc/sudoers only supports default options and
         limited options associated with user/host/commands/aliases.  The
         syntax is complicated and can be difficult for users to understand.
         Placing the options directly in the entry is more natural.

     o   The visudo program is no longer needed.  visudo provides locking and
         syntax checking of the /etc/sudoers file.  Since LDAP updates are
         atomic, locking is no longer necessary.  Because syntax is checked
         when the data is inserted into LDAP, there is no need for a
         specialized tool to check syntax.

     Another major difference between LDAP and file-based sudoers is that in
     LDAP, sudo-specific Aliases are not supported.

     For the most part, there is really no need for sudo-specific Aliases.
     Unix groups or user netgroups can be used in place of User_Aliases and
     Runas_Aliases.  Host netgroups can be used in place of Host_Aliases.
     Since Unix groups and netgroups can also be stored in LDAP, there is no
     real need for sudo-specific aliases.

     Cmnd_Aliases are not really required either, since it is possible to have
     multiple users listed in a sudoRole.  Instead of defining a Cmnd_Alias
     that is referenced by multiple users, one can create a sudoRole that
     contains the commands and assign multiple users to it.
1.1       misho      49: 
   SUDOers LDAP container
     The sudoers configuration is contained in the ou=SUDOers LDAP container.

     Sudo first looks for the cn=defaults entry in the SUDOers container.  If
     found, the multi-valued sudoOption attribute is parsed in the same manner
     as a global Defaults line in /etc/sudoers.  In the following example, the
     SSH_AUTH_SOCK variable will be preserved in the environment for all
     users.

         dn: cn=defaults,ou=SUDOers,dc=example,dc=com
         objectClass: top
         objectClass: sudoRole
         cn: defaults
         description: Default sudoOption's go here
         sudoOption: env_keep+=SSH_AUTH_SOCK

     The equivalent of a sudoer in LDAP is a sudoRole.  It consists of the
     following attributes:

     sudoUser
           A user name, user ID (prefixed with `#'), Unix group (prefixed with
           `%'), Unix group ID (prefixed with `%#'), or user netgroup
           (prefixed with `+').

     sudoHost
           A host name, IP address, IP network, or host netgroup (prefixed
           with a `+').  The special value ALL will match any host.

     sudoCommand
           A Unix command with optional command line arguments, potentially
           including globbing characters (aka wild cards).  The special value
           ALL will match any command.  If a command is prefixed with an
           exclamation point `!', the user will be prohibited from running
           that command.

     sudoOption
           Identical in function to the global options described above, but
           specific to the sudoRole in which it resides.

     sudoRunAsUser
           A user name or uid (prefixed with `#') that commands may be run as
           or a Unix group (prefixed with a `%') or user netgroup (prefixed
           with a `+') that contains a list of users that commands may be run
           as.  The special value ALL will match any user.

           The sudoRunAsUser attribute is only available in sudo versions
           1.7.0 and higher.  Older versions of sudo use the sudoRunAs
           attribute instead.

     sudoRunAsGroup
           A Unix group or gid (prefixed with `#') that commands may be run
           as.  The special value ALL will match any group.

           The sudoRunAsGroup attribute is only available in sudo versions
           1.7.0 and higher.

     sudoNotBefore
           A timestamp in the form yyyymmddHHMMSSZ that can be used to provide
           a start date/time for when the sudoRole will be valid.  If multiple
           sudoNotBefore entries are present, the earliest is used.  Note that
           timestamps must be in Coordinated Universal Time (UTC), not the
           local timezone.  The minute and seconds portions are optional, but
           some LDAP servers require that they be present (contrary to the
           RFC).

           The sudoNotBefore attribute is only available in sudo versions
           1.7.5 and higher and must be explicitly enabled via the
           SUDOERS_TIMED option in /etc/ldap.conf.

     sudoNotAfter
           A timestamp in the form yyyymmddHHMMSSZ that indicates an
           expiration date/time, after which the sudoRole will no longer be
           valid.  If multiple sudoNotAfter entries are present, the last one
           is used.  Note that timestamps must be in Coordinated Universal
           Time (UTC), not the local timezone.  The minute and seconds
           portions are optional, but some LDAP servers require that they be
           present (contrary to the RFC).

           The sudoNotAfter attribute is only available in sudo versions 1.7.5
           and higher and must be explicitly enabled via the SUDOERS_TIMED
           option in /etc/ldap.conf.

     sudoOrder
           The sudoRole entries retrieved from the LDAP directory have no
           inherent order.  The sudoOrder attribute is an integer (or floating
           point value for LDAP servers that support it) that is used to sort
           the matching entries.  This allows LDAP-based sudoers entries to
           more closely mimic the behaviour of the sudoers file, where the
           order of the entries influences the result.  If multiple entries
           match, the entry with the highest sudoOrder attribute is chosen.
           This corresponds to the ``last match'' behavior of the sudoers
           file.  If the sudoOrder attribute is not present, a value of 0 is
           assumed.

           The sudoOrder attribute is only available in sudo versions 1.7.5
           and higher.

     Each attribute listed above should contain a single value, but there may
     be multiple instances of each attribute type.  A sudoRole must contain at
     least one sudoUser, sudoHost and sudoCommand.

     The following example allows users in group wheel to run any command on
     any host via sudo:

         dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
         objectClass: top
         objectClass: sudoRole
         cn: %wheel
         sudoUser: %wheel
         sudoHost: ALL
         sudoCommand: ALL
1.1       misho     160: 
   Anatomy of LDAP sudoers lookup
     When looking up a sudoer using LDAP there are only two or three LDAP
     queries per invocation.  The first query is to parse the global options.
     The second is to match against the user's name and the groups that the
     user belongs to.  (The special ALL tag is matched in this query too.)  If
     no match is returned for the user's name and groups, a third query
     returns all entries containing user netgroups and checks to see if the
     user belongs to any of them.

     If timed entries are enabled with the SUDOERS_TIMED configuration
     directive, the LDAP queries include a subfilter that limits retrieval to
     entries that satisfy the time constraints, if any.
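
     The following is an added example, not part of this manual or of sudo's
     source, sketching the filters behind the queries just described: the
     cn=defaults lookup, the user/group query with the ALL tag, the fall-back
     netgroup query, plus the SUDOERS_TIMED subfilter and the
     SUDOERS_SEARCH_FILTER conjunction described under Configuring ldap.conf.
     The function names, the exact filter shapes and the constructed
     SAMPLE_NOW value are assumptions of the example; identity-derived values
     are escaped per RFC 4515 before they enter a filter.

```python
# Added illustration of the query shapes this section describes.  It is not
# sudo's source and the filters sudo actually emits may differ in detail; the
# attribute names, the sudoUser prefixes and the SUDOERS_TIMED /
# SUDOERS_SEARCH_FILTER behaviour follow this manual.
from datetime import datetime, timezone

# Constructed "current time" used by the examples below.
SAMPLE_NOW = datetime(2014, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def escape_filter_value(value):
    """RFC 4515 escaping: a user or group name containing '*', '(', ')', '\\'
    or NUL must not be able to alter the structure of the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\0" else ch for ch in value)


def ldap_timestamp(now):
    """Generalized-time value in the yyyymmddHHMMSSZ form the sudoNotBefore and
    sudoNotAfter attributes use.  The value must be UTC, never local time."""
    return now.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def timed_subfilter(now):
    """Restrict to entries with no bound, or whose bounds contain 'now'.  This
    is the subfilter added when SUDOERS_TIMED is enabled."""
    ts = ldap_timestamp(now)
    return ("(&(|(!(sudoNotAfter=*))(sudoNotAfter>=%s))"
            "(|(!(sudoNotBefore=*))(sudoNotBefore<=%s)))" % (ts, ts))


def with_extras(core, search_filter=None, now=None):
    """AND the core filter with SUDOERS_SEARCH_FILTER (a bare 'attr=value' is
    wrapped in parentheses) and, when 'now' is given, the time subfilter."""
    parts = [core]
    if search_filter:
        parts.append(search_filter if search_filter.startswith("(")
                     else "(%s)" % search_filter)
    if now is not None:
        parts.append(timed_subfilter(now))
    return parts[0] if len(parts) == 1 else "(&%s)" % "".join(parts)


def defaults_filter(**extras):
    """Query 1: the cn=defaults entry that carries the global sudoOption values."""
    return with_extras("(cn=defaults)", **extras)


def user_filter(user, uid, groups, gids, **extras):
    """Query 2: the user's name, uid, groups and gids, plus the ALL tag."""
    terms = ["(sudoUser=%s)" % escape_filter_value(user), "(sudoUser=#%d)" % uid]
    terms += ["(sudoUser=%%%s)" % escape_filter_value(g) for g in sorted(groups)]
    terms += ["(sudoUser=%%#%d)" % gid for gid in sorted(gids)]
    terms.append("(sudoUser=ALL)")
    return with_extras("(|%s)" % "".join(terms), **extras)


def netgroup_filter(**extras):
    """Query 3, issued only when query 2 matched nothing: every entry that names
    a user netgroup; membership is then checked on the client."""
    return with_extras("(sudoUser=+*)", **extras)
```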
1.1       misho     173: 
   Differences between LDAP and non-LDAP sudoers
     There are some subtle differences in the way sudoers is handled once in
     LDAP.  Probably the biggest is that according to the RFC, LDAP ordering
     is arbitrary and you cannot expect that Attributes and Entries are
     returned in any specific order.

     The order in which different entries are applied can be controlled using
     the sudoOrder attribute, but there is no way to guarantee the order of
     attributes within a specific entry.  If there are conflicting command
     rules in an entry, the negative takes precedence.  This is called
     paranoid behavior (not necessarily the most specific match).

     Here is an example:

         # /etc/sudoers:
         # Allow all commands except shell
         johnny  ALL=(root) ALL,!/bin/sh
         # Always allows all commands because ALL is matched last
         puddles ALL=(root) !/bin/sh,ALL

         # LDAP equivalent of johnny
         # Allows all commands except shell
         dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
         objectClass: sudoRole
         objectClass: top
         cn: role1
         sudoUser: johnny
         sudoHost: ALL
         sudoCommand: ALL
         sudoCommand: !/bin/sh

         # LDAP equivalent of puddles
         # Notice that even though ALL comes last, it still behaves like
         # role1 since the LDAP code assumes the more paranoid configuration
         dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
         objectClass: sudoRole
         objectClass: top
         cn: role2
         sudoUser: puddles
         sudoHost: ALL
         sudoCommand: !/bin/sh
         sudoCommand: ALL

     Another difference is that negations on the Host, User or Runas are
     currently ignored.  For example, the following attributes do not behave
     the way one might expect.

         # does not match all but joe
         # rather, does not match anyone
         sudoUser: !joe

         # does not match all but joe
         # rather, matches everyone including joe
         sudoUser: ALL
         sudoUser: !joe

         # does not match all but web01
         # rather, matches all hosts including web01
         sudoHost: ALL
         sudoHost: !web01
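
     As an added example (not sudo's code and not part of this manual), the
     following evaluator applies the rules above to constructed sudoRole
     entries: paranoid negation inside an entry, ignored negations on sudoUser
     and sudoHost, and the highest sudoOrder winning across entries.  The
     function names, the minimal LDIF reader, fnmatch as a stand-in for sudo's
     command globbing, netgroups passed in as sets and exact host-name
     comparison are all assumptions of this example.

```python
# Added illustration of the sudoRole matching rules this manual describes, not
# sudo's own code.  Assumptions not taken from the page: a minimal LDIF reader,
# netgroups supplied as sets, exact host-name comparison, fnmatch for globbing.
from fnmatch import fnmatch


def parse_ldif(text):
    """Split LDIF into entries; every attribute is kept as a list of values."""
    entries, cur = [], {}
    for line in text.strip().splitlines() + [""]:   # "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            key, _, val = line.partition(":")
            cur.setdefault(key.strip(), []).append(val.strip())
    return entries


def user_matches(values, user, uid, groups, gids, netgroups):
    """sudoUser: name, #uid, %group, %#gid, +netgroup or ALL.  A negated value
    is ignored rather than inverted, so "!joe" on its own matches nobody."""
    for v in values:
        if v.startswith("!"):
            continue
        if v in ("ALL", user):
            return True
        if v.startswith("%#") and v[2:].isdigit() and int(v[2:]) in gids:
            return True
        if v.startswith("#") and v[1:].isdigit() and int(v[1:]) == uid:
            return True
        if (v.startswith("%") and v[1:] in groups) or (v.startswith("+") and v[1:] in netgroups):
            return True
    return False


def host_matches(values, host, netgroups):
    """sudoHost: name, +netgroup or ALL.  Negations are ignored here too, so
    "ALL" together with "!web01" still matches web01."""
    return any(v in ("ALL", host) or (v.startswith("+") and v[1:] in netgroups)
               for v in values if not v.startswith("!"))


def command_decision(values, command):
    """True = allowed, False = denied, None = no sudoCommand mentions it.
    Within one entry a matching negated command wins whatever the attribute
    order: the "paranoid" behaviour described above."""
    allowed = False
    for v in values:
        pattern = v.lstrip("!")
        if pattern == "ALL" or fnmatch(command, pattern):
            if v.startswith("!"):
                return False
            allowed = True
    return True if allowed else None


def evaluate(ldif, user, host, command, uid=0, groups=(), gids=(),
             user_netgroups=(), host_netgroups=()):
    """Return (allowed, sudoOrder) from the matching role with the highest
    sudoOrder (0 when absent), or None when no role matches."""
    best = None
    for e in parse_ldif(ldif):
        if not user_matches(e.get("sudoUser", []), user, uid, groups, gids, user_netgroups):
            continue
        if not host_matches(e.get("sudoHost", []), host, host_netgroups):
            continue
        decision = command_decision(e.get("sudoCommand", []), command)
        if decision is None:
            continue
        order = float(e.get("sudoOrder", ["0"])[0])
        if best is None or order > best[1]:     # ties keep the entry seen first
            best = (decision, order)
    return best


# Constructed sample roles, modelled on the examples in this manual.
SAMPLE_LDIF = """
dn: cn=role2,ou=SUDOers,dc=example,dc=com
sudoUser: puddles
sudoHost: ALL
sudoCommand: !/bin/sh
sudoCommand: ALL

dn: cn=notjoe,ou=SUDOers,dc=example,dc=com
sudoUser: !joe
sudoHost: ALL
sudoCommand: ALL

dn: cn=wheel-sh,ou=SUDOers,dc=example,dc=com
sudoUser: %wheel
sudoHost: ALL
sudoCommand: /bin/sh
sudoOrder: 10
"""
```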
        !           234: 
   Sudoers schema
     In order to use sudo's LDAP support, the sudo schema must be installed on
     your LDAP server.  In addition, be sure to index the sudoUser attribute.

     Three versions of the schema: one for OpenLDAP servers (schema.OpenLDAP),
     one for Netscape-derived servers (schema.iPlanet), and one for Microsoft
     Active Directory (schema.ActiveDirectory) may be found in the sudo
     distribution.

     The schema for sudo in OpenLDAP form is also included in the EXAMPLES
     section.

   Configuring ldap.conf
     Sudo reads the /etc/ldap.conf file for LDAP-specific configuration.
     Typically, this file is shared amongst different LDAP-aware clients.  As
     such, most of the settings are not sudo-specific.  Note that sudo parses
     /etc/ldap.conf itself and may support options that differ from those
     described in the system's ldap.conf(1m) manual.

     Also note that on systems using the OpenLDAP libraries, default values
     specified in /etc/openldap/ldap.conf or the user's .ldaprc files are not
     used.

     Only those options explicitly listed in /etc/ldap.conf as being supported
     by sudo are honored.  Configuration options are listed below in upper
     case but are parsed in a case-independent manner.
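
     As an added example (not sudo's own parser and not part of this manual),
     the following checker reads an ldap.conf the way this section describes
     (case-independent keys, unknown options ignored), resolves the effective
     servers from URI or the deprecated HOST/PORT pair with the documented
     defaults, and flags the SSL / TLS_CHECKPEER combinations described below
     that leave the directory unauthenticated.  The function names and the two
     constructed fragments are assumptions; the keys covered are a subset of
     the options on this page.

```python
# Added illustration, not sudo's own parser.  It applies the rules this manual
# states: keys are case-independent, only the listed options are honoured,
# URI defaults (ports 389/636, localhost), the deprecated HOST/PORT fallback,
# and the SSL / TLS_CHECKPEER settings that decide whether the directory's
# identity is verified.  The key set checked here is a subset of the page's.
from urllib.parse import urlsplit

KNOWN = {"URI", "HOST", "PORT", "SSL", "TLS_CHECKPEER", "TLS_CACERT",
         "TLS_CACERTFILE", "TLS_CACERTDIR", "BINDDN", "BINDPW", "ROOTBINDDN",
         "SUDOERS_BASE", "SUDOERS_SEARCH_FILTER", "SUDOERS_TIMED"}
TRUE_WORDS = {"on", "true", "yes"}


def parse_ldap_conf(text):
    """Return {UPPERCASE_KEY: [value, ...]}.  Repeated keys accumulate, which
    is how several URI or SUDOERS_BASE lines act like one longer line."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].upper()
        if key in KNOWN:                       # unknown options are ignored
            conf.setdefault(key, []).append(parts[1] if len(parts) > 1 else "")
    return conf


def servers(conf):
    """Effective (scheme, host, port) list: URI lines first; otherwise the
    deprecated HOST/PORT pair; otherwise ldap://localhost:389."""
    out = []
    for uri in " ".join(conf.get("URI", [])).split():
        u = urlsplit(uri)
        out.append((u.scheme, u.hostname or "localhost",
                    u.port or (636 if u.scheme == "ldaps" else 389)))
    if not out:
        ssl_on = conf.get("SSL", [""])[0].lower() in TRUE_WORDS
        scheme, port = ("ldaps", 636) if ssl_on else ("ldap", 389)
        port = int(conf.get("PORT", [str(port)])[0])
        for host in " ".join(conf.get("HOST", [])).split() or ["localhost"]:
            name, _, hport = host.partition(":")
            out.append((scheme, name, int(hport) if hport else port))
    return out


def findings(conf):
    """Settings that leave the sudoers lookup unencrypted or the server
    unauthenticated, following the SSL, TLS_CHECKPEER and ROOTBINDDN text."""
    issues = []
    srv = servers(conf)
    ssl = conf.get("SSL", [""])[0].lower()
    tls = ssl in TRUE_WORDS or ssl == "start_tls" or any(s == "ldaps" for s, _, _ in srv)
    if not tls:
        issues.append("no TLS: bind credentials and sudoers data travel in the clear; "
                      "use ldaps:// URIs, SSL on, or SSL start_tls")
    else:
        if conf.get("TLS_CHECKPEER", [""])[0].lower() not in TRUE_WORDS:
            issues.append("TLS_CHECKPEER not enabled: the server certificate is not "
                          "verified, so a man-in-the-middle can impersonate the directory")
        if not (conf.get("TLS_CACERTFILE") or conf.get("TLS_CACERT") or conf.get("TLS_CACERTDIR")):
            issues.append("no TLS_CACERTFILE/TLS_CACERTDIR: peer verification has no "
                          "locally installed CA certificate to check against")
    if len({s for s, _, _ in srv}) > 1:
        issues.append("ldap:// and ldaps:// URIs mixed: only clients built on the "
                      "OpenSSL libraries support this")
    if conf.get("BINDPW"):
        issues.append("BINDPW kept in the shared ldap.conf; ROOTBINDDN takes its "
                      "password from /etc/ldap.secret instead")
    return issues


# Constructed fragments: a weak configuration beside its corrected form.
WEAK_CONF = """
uri ldap://ldap.example.com
sudoers_base ou=SUDOers,dc=example,dc=com
ssl start_tls
tls_checkpeer no
binddn cn=sudo,ou=svc,dc=example,dc=com
bindpw s3cret
"""

HARDENED_CONF = """
URI ldaps://ldap1.example.com ldaps://ldap2.example.com:6636
SUDOERS_BASE ou=SUDOers,dc=example,dc=com
SSL on
TLS_CHECKPEER yes
TLS_CACERTFILE /etc/ssl/ca-bundle.pem
ROOTBINDDN cn=sudo,ou=svc,dc=example,dc=com
"""
```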
1.1       misho     261: 
     URI ldap[s]://[hostname[:port]] ...
           Specifies a whitespace-delimited list of one or more URIs
           describing the LDAP server(s) to connect to.  The protocol may be
           either ldap or ldaps, the latter being for servers that support TLS
           (SSL) encryption.  If no port is specified, the default is port 389
           for ldap:// or port 636 for ldaps://.  If no hostname is specified,
           sudo will connect to localhost.  Multiple URI lines are treated
           identically to a URI line containing multiple entries.  Only
           systems using the OpenSSL libraries support the mixing of ldap://
           and ldaps:// URIs.  Both the Netscape-derived and Tivoli LDAP
           libraries used on most commercial versions of Unix are only capable
           of supporting one or the other.
1.1       misho     274: 
     HOST name[:port] ...
           If no URI is specified, the HOST parameter specifies a whitespace-
           delimited list of LDAP servers to connect to.  Each host may
           include an optional port separated by a colon (`:').  The HOST
           parameter is deprecated in favor of the URI specification and is
           included for backwards compatibility.

     PORT port_number
           If no URI is specified, the PORT parameter specifies the default
           port to connect to on the LDAP server if a HOST parameter does not
           specify the port itself.  If no PORT parameter is used, the default
           is port 389 for LDAP and port 636 for LDAP over TLS (SSL).  The
           PORT parameter is deprecated in favor of the URI specification and
           is included for backwards compatibility.

     BIND_TIMELIMIT seconds
           The BIND_TIMELIMIT parameter specifies the amount of time, in
           seconds, to wait while trying to connect to an LDAP server.  If
           multiple URIs or HOSTs are specified, this is the amount of time to
           wait before trying the next one in the list.

     NETWORK_TIMEOUT seconds
           An alias for BIND_TIMELIMIT for OpenLDAP compatibility.

     TIMELIMIT seconds
           The TIMELIMIT parameter specifies the amount of time, in seconds,
           to wait for a response to an LDAP query.

     TIMEOUT seconds
           The TIMEOUT parameter specifies the amount of time, in seconds, to
           wait for a response from the various LDAP APIs.

     SUDOERS_BASE base
           The base DN to use when performing sudo LDAP queries.  Typically
           this is of the form ou=SUDOers,dc=example,dc=com for the domain
           example.com.  Multiple SUDOERS_BASE lines may be specified, in
           which case they are queried in the order specified.

     SUDOERS_SEARCH_FILTER ldap_filter
           An LDAP filter which is used to restrict the set of records
           returned when performing a sudo LDAP query.  Typically, this is of
           the form attribute=value or
           (&(attribute=value)(attribute2=value2)).

     SUDOERS_TIMED on/true/yes/off/false/no
           Whether or not to evaluate the sudoNotBefore and sudoNotAfter
           attributes that implement time-dependent sudoers entries.

     SUDOERS_DEBUG debug_level
           This sets the debug level for sudo LDAP queries.  Debugging
           information is printed to the standard error.  A value of 1 results
           in a moderate amount of debugging information.  A value of 2 shows
           the results of the matches themselves.  This parameter should not
           be set in a production environment as the extra information is
           likely to confuse users.

     BINDDN DN
           The BINDDN parameter specifies the identity, in the form of a
           Distinguished Name (DN), to use when performing LDAP operations.
           If not specified, LDAP operations are performed with an anonymous
           identity.  By default, most LDAP servers will allow anonymous
           access.

     BINDPW secret
           The BINDPW parameter specifies the password to use when performing
           LDAP operations.  This is typically used in conjunction with the
           BINDDN parameter.

     ROOTBINDDN DN
           The ROOTBINDDN parameter specifies the identity, in the form of a
           Distinguished Name (DN), to use when performing privileged LDAP
           operations, such as sudoers queries.  The password corresponding to
           the identity should be stored in /etc/ldap.secret.  If not
           specified, the BINDDN identity is used (if any).

     LDAP_VERSION number
           The version of the LDAP protocol to use when connecting to the
           server.  The default value is protocol version 3.

     SSL on/true/yes/off/false/no
           If the SSL parameter is set to on, true or yes, TLS (SSL)
           encryption is always used when communicating with the LDAP server.
           Typically, this involves connecting to the server on port 636
           (ldaps).

     SSL start_tls
           If the SSL parameter is set to start_tls, the LDAP server
           connection is initiated normally and TLS encryption is begun before
           the bind credentials are sent.  This has the advantage of not
           requiring a dedicated port for encrypted communications.  This
           parameter is only supported by LDAP servers that honor the
           start_tls extension, such as the OpenLDAP and Tivoli Directory
           servers.
1.1       misho     368: 
     TLS_CHECKPEER on/true/yes/off/false/no
           If enabled, TLS_CHECKPEER will cause the LDAP server's TLS
           certificate to be verified.  If the server's TLS certificate
           cannot be verified (usually because it is signed by an unknown
           certificate authority), sudo will be unable to connect to it.  If
           TLS_CHECKPEER is disabled, no check is made.  Note that disabling
           the check creates an opportunity for man-in-the-middle attacks
           since the server's identity will not be authenticated.  If
           possible, the CA's certificate should be installed locally so it
           can be verified.  This option is not supported by the Tivoli
           Directory Server LDAP libraries.
1.1       misho     380: 
1.1.1.3 ! misho     381:      TTLLSS__CCAACCEERRTT _f_i_l_e _n_a_m_e
1.1       misho     382:            An alias for TTLLSS__CCAACCEERRTTFFIILLEE for OpenLDAP compatibility.
                    383: 
1.1.1.3 ! misho     384:      TTLLSS__CCAACCEERRTTFFIILLEE _f_i_l_e _n_a_m_e
1.1       misho     385:            The path to a certificate authority bundle which contains the
                    386:            certificates for all the Certificate Authorities the client knows
                    387:            to be valid, e.g. _/_e_t_c_/_s_s_l_/_c_a_-_b_u_n_d_l_e_._p_e_m.  This option is only
                    388:            supported by the OpenLDAP libraries.  Netscape-derived LDAP
                    389:            libraries use the same certificate database for CA and client
                    390:            certificates (see TTLLSS__CCEERRTT).
                    391: 
1.1.1.3 ! misho     392:      TTLLSS__CCAACCEERRTTDDIIRR _d_i_r_e_c_t_o_r_y
1.1       misho     393:            Similar to TTLLSS__CCAACCEERRTTFFIILLEE but instead of a file, it is a directory
                    394:            containing individual Certificate Authority certificates, e.g.
                    395:            _/_e_t_c_/_s_s_l_/_c_e_r_t_s.  The directory specified by TTLLSS__CCAACCEERRTTDDIIRR is
                    396:            checked after TTLLSS__CCAACCEERRTTFFIILLEE.  This option is only supported by the
                    397:            OpenLDAP libraries.
                    398: 
1.1.1.3 ! misho     399:      TTLLSS__CCEERRTT _f_i_l_e _n_a_m_e
1.1       misho     400:            The path to a file containing the client certificate which can be
                    401:            used to authenticate the client to the LDAP server.  The
                    402:            certificate type depends on the LDAP libraries used.
                    403: 
                    404:            OpenLDAP:
1.1.1.3 ! misho     405:                  tls_cert /etc/ssl/client_cert.pem
1.1       misho     406: 
                    407:            Netscape-derived:
1.1.1.3 ! misho     408:                  tls_cert /var/ldap/cert7.db
1.1       misho     409: 
1.1.1.3 ! misho     410:            Tivoli Directory Server:
        !           411:                  Unused, the key database specified by TTLLSS__KKEEYY contains both
        !           412:                  keys and certificates.
1.1       misho     413: 
1.1.1.3 ! misho     414:                  When using Netscape-derived libraries, this file may also
        !           415:                  contain Certificate Authority certificates.
        !           416: 
     TLS_KEY file name
           The path to a file containing the private key which matches the
           certificate specified by TLS_CERT.  The private key must not be
           password-protected.  The key type depends on the LDAP libraries
           used.

           OpenLDAP:
                 tls_key /etc/ssl/client_key.pem

           Netscape-derived:
                 tls_key /var/ldap/key3.db

           Tivoli Directory Server:
                 tls_key /usr/ldap/ldapkey.kdb

           When using Tivoli LDAP libraries, this file may also contain
           Certificate Authority and client certificates and may be encrypted.

     TLS_KEYPW secret
           The TLS_KEYPW contains the password used to decrypt the key
           database on clients using the Tivoli Directory Server LDAP library.
           If no TLS_KEYPW is specified, a stash file will be used if it
           exists.  The stash file must have the same path as the file
           specified by TLS_KEY, but use a .sth file extension instead of
           .kdb, e.g. ldapkey.sth.  The default ldapkey.kdb that ships with
           Tivoli Directory Server is encrypted with the password
           ssl_password.  This option is only supported by the Tivoli LDAP
           libraries.

     TLS_RANDFILE file name
           The TLS_RANDFILE parameter specifies the path to an entropy source
           for systems that lack a random device.  It is generally used in
           conjunction with prngd or egd.  This option is only supported by
           the OpenLDAP libraries.

     TLS_CIPHERS cipher list
           The TLS_CIPHERS parameter allows the administrator to restrict which
           encryption algorithms may be used for TLS (SSL) connections.  See
           the OpenLDAP or Tivoli Directory Server manual for a list of valid
           ciphers.  This option is not supported by Netscape-derived
           libraries.

     USE_SASL on/true/yes/off/false/no
           Enable USE_SASL for LDAP servers that support SASL authentication.

     SASL_AUTH_ID identity
           The SASL user name to use when connecting to the LDAP server.  By
           default, sudo will use an anonymous connection.

     ROOTUSE_SASL on/true/yes/off/false/no
           Enable ROOTUSE_SASL to enable SASL authentication when connecting
           to an LDAP server from a privileged process, such as sudo.

     ROOTSASL_AUTH_ID identity
           The SASL user name to use when ROOTUSE_SASL is enabled.

     SASL_SECPROPS none/properties
           SASL security properties or none for no properties.  See the SASL
           programmer's manual for details.

     KRB5_CCNAME file name
           The path to the Kerberos 5 credential cache to use when
           authenticating with the remote server.

     DEREF never/searching/finding/always
           How alias dereferencing is to be performed when searching.  See the
           ldap.conf(1m) manual for a full description of this option.

     See the ldap.conf entry in the EXAMPLES section.

   Configuring nsswitch.conf
     Unless it is disabled at build time, sudo consults the Name Service
     Switch file, /etc/nsswitch.conf, to specify the sudoers search order.
     Sudo looks for a line beginning with sudoers: and uses this to determine
     the search order.  Note that sudo does not stop searching after the first
     match and later matches take precedence over earlier ones.  The following
     sources are recognized:

         files     read sudoers from /etc/sudoers
         ldap      read sudoers from LDAP

     In addition, the entry [NOTFOUND=return] will short-circuit the search if
     the user was not found in the preceding source.

     To consult LDAP first followed by the local sudoers file (if it exists),
     use:

         sudoers: ldap files

     The local sudoers file can be ignored completely by using:

         sudoers: ldap

     If the /etc/nsswitch.conf file is not present or there is no sudoers
     line, the following default is assumed:

         sudoers: files

     Note that /etc/nsswitch.conf is supported even when the underlying
     operating system does not use an nsswitch.conf file, except on AIX (see
     below).

   Configuring netsvc.conf
     On AIX systems, the /etc/netsvc.conf file is consulted instead of
     /etc/nsswitch.conf.  sudo simply treats netsvc.conf as a variant of
     nsswitch.conf; information in the previous section unrelated to the file
     format itself still applies.

     To consult LDAP first followed by the local sudoers file (if it exists),
     use:

         sudoers = ldap, files

     The local sudoers file can be ignored completely by using:

         sudoers = ldap

     To treat LDAP as authoritative and only use the local sudoers file if the
     user is not present in LDAP, use:

         sudoers = ldap = auth, files

     Note that in the above example, the auth qualifier only affects user
     lookups; both LDAP and sudoers will be queried for Defaults entries.

     If the /etc/netsvc.conf file is not present or there is no sudoers line,
     the following default is assumed:

         sudoers = files

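     The two search-order files above express "stop early" in opposite
     directions: [NOTFOUND=return] stops when the preceding source lacked the
     user, while the AIX auth qualifier stops when LDAP had the user.  The
     following Python, an added example that is not part of sudo or its manual,
     parses both syntaxes as described above and replays a lookup against
     constructed "which sources know this user" sets to show which sources are
     actually consulted (Defaults lookups are not modelled).

```python
import re

# Added example (not part of sudo): model the sudoers search-order rules
# described above for nsswitch.conf and, on AIX, netsvc.conf.

SOURCES = ("files", "ldap")

def parse_nsswitch(text):
    """Return [(source, flag)] from the 'sudoers:' line of nsswitch.conf.
    flag is 'notfound_return' when the source is followed by [NOTFOUND=return].
    Without a sudoers line the page's default, 'files', applies."""
    for line in text.splitlines():
        m = re.match(r"\s*sudoers\s*:\s*(.*)", line)
        if not m:
            continue
        entries = []
        for tok in m.group(1).split():
            if tok.upper() == "[NOTFOUND=RETURN]" and entries:
                entries[-1] = (entries[-1][0], "notfound_return")
            elif tok in SOURCES:
                entries.append((tok, None))
        return entries
    return [("files", None)]

def parse_netsvc(text):
    """Return [(source, flag)] from the 'sudoers =' line of netsvc.conf.
    'ldap = auth' marks LDAP as authoritative (flag 'auth')."""
    for line in text.splitlines():
        m = re.match(r"\s*sudoers\s*=\s*(.*)", line)
        if not m:
            continue
        entries = []
        for item in m.group(1).split(","):
            parts = [p.strip() for p in item.split("=")]
            if parts[0] in SOURCES:
                flag = "auth" if parts[1:] == ["auth"] else None
                entries.append((parts[0], flag))
        return entries
    return [("files", None)]

def consulted(order, present):
    """Sources queried for one user lookup.  Every source is consulted and
    later matches win, except: [NOTFOUND=return] stops the search when the
    preceding source did NOT have the user, and 'ldap = auth' stops it when
    LDAP DID have the user.  `present` is the (constructed) set of sources
    that contain the user; Defaults entries are not modelled."""
    queried = []
    for src, flag in order:
        queried.append(src)
        found = src in present
        if flag == "notfound_return" and not found:
            break
        if flag == "auth" and found:
            break
    return queried

# Constructed sample files, each with one unrelated line and one sudoers line.
NSSWITCH = "passwd:  files\nsudoers: ldap [NOTFOUND=return] files\n"
NETSVC = "hosts = local, bind\nsudoers = ldap = auth, files\n"

if __name__ == "__main__":
    for name, order in (("nsswitch.conf", parse_nsswitch(NSSWITCH)),
                        ("netsvc.conf", parse_netsvc(NETSVC))):
        for present in ({"ldap"}, {"files"}, set()):
            print(name, sorted(present), "->", consulted(order, present))
```
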
FILES
     /etc/ldap.conf            LDAP configuration file

     /etc/nsswitch.conf        determines sudoers source order

     /etc/netsvc.conf          determines sudoers source order on AIX

EXAMPLES
   Example ldap.conf
       # Either specify one or more URIs or one or more host:port pairs.
       # If neither is specified sudo will default to localhost, port 389.
       #
       #host          ldapserver
       #host          ldapserver1 ldapserver2:390
       #
       # Default port if host is specified without one, defaults to 389.
       #port          389
       #
       # URI will override the host and port settings.
       uri            ldap://ldapserver
       #uri            ldaps://secureldapserver
       #uri            ldaps://secureldapserver ldap://ldapserver
       #
       # The amount of time, in seconds, to wait while trying to connect to
       # an LDAP server.
       bind_timelimit 30
       #
       # The amount of time, in seconds, to wait while performing an LDAP query.
       timelimit 30
       #
       # Must be set or sudo will ignore LDAP; may be specified multiple times.
       sudoers_base   ou=SUDOers,dc=example,dc=com
       #
       # verbose sudoers matching from ldap
       #sudoers_debug 2
       #
       # Enable support for time-based entries in sudoers.
       #sudoers_timed yes
       #
       # optional proxy credentials
       #binddn        <who to search as>
       #bindpw        <password>
       #rootbinddn    <who to search as, uses /etc/ldap.secret for bindpw>
       #
       # LDAP protocol version, defaults to 3
       #ldap_version 3
       #
       # Define if you want to use an encrypted LDAP connection.
       # Typically, you must also set the port to 636 (ldaps).
       #ssl on
       #
       # Define if you want to use port 389 and switch to
       # encryption before the bind credentials are sent.
       # Only supported by LDAP servers that support the start_tls
       # extension such as OpenLDAP.
       #ssl start_tls
       #
       # Additional TLS options follow that allow tweaking of the
       # SSL/TLS connection.
       #
       #tls_checkpeer yes # verify server SSL certificate
       #tls_checkpeer no  # ignore server SSL certificate
       #
       # If you enable tls_checkpeer, specify either tls_cacertfile
       # or tls_cacertdir.  Only supported when using OpenLDAP.
       #
       #tls_cacertfile /etc/certs/trusted_signers.pem
       #tls_cacertdir  /etc/certs
       #
       # For systems that don't have /dev/random
       # use this along with PRNGD or EGD.pl to seed the
       # random number pool to generate cryptographic session keys.
       # Only supported when using OpenLDAP.
       #
       #tls_randfile /etc/egd-pool
       #
       # You may restrict which ciphers are used.  Consult your SSL
       # documentation for which options go here.
       # Only supported when using OpenLDAP.
       #
       #tls_ciphers <cipher-list>
       #
       # Sudo can provide a client certificate when communicating to
       # the LDAP server.
       # Tips:
       #   * Enable both lines at the same time.
       #   * Do not password protect the key file.
       #   * Ensure the keyfile is only readable by root.
       #
       # For OpenLDAP:
       #tls_cert /etc/certs/client_cert.pem
       #tls_key  /etc/certs/client_key.pem
       #
       # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
       # a directory, in which case the files in the directory must have the
       # default names (e.g. cert8.db and key4.db), or the path to the cert
       # and key files themselves.  However, a bug in version 5.0 of the LDAP
       # SDK will prevent specific file names from working.  For this reason
       # it is suggested that tls_cert and tls_key be set to a directory,
       # not a file name.
       #
       # The certificate database specified by tls_cert may contain CA certs
       # and/or the client's cert.  If the client's cert is included, tls_key
       # should be specified as well.
       # For backward compatibility, "sslpath" may be used in place of tls_cert.
       #tls_cert /var/ldap
       #tls_key /var/ldap
       #
       # If using SASL authentication for LDAP (OpenSSL)
       # use_sasl yes
       # sasl_auth_id <SASL user name>
       # rootuse_sasl yes
       # rootsasl_auth_id <SASL user name for root access>
       # sasl_secprops none
       # krb5_ccname /etc/.ldapcache
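
     The comments in the example above carry several rules an administrator
     has to get right by hand: sudoers_base must be set, bind credentials
     should only travel over ldaps:// or after start_tls, tls_checkpeer needs
     CA material to verify against, tls_cert and tls_key go together, and the
     key file must be readable by root only.  The following Python is an added
     example, not sudo's own code, that parses an ldap.conf and reports which
     of those rules a configuration breaks; the two configurations it checks
     are constructed, and the paths in them are placeholders.

```python
import os
import stat

# Added example (not sudo's own code): audit the sudo-relevant settings of
# an ldap.conf against the rules stated in the example above.

def parse_ldap_conf(text):
    """Parse ldap.conf into {lowercase key: [values]}; keys may repeat
    (sudoers_base, uri) and '#' starts a comment anywhere on a line."""
    conf = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), []).append(parts[1].strip())
    return conf

def audit(conf):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    if "sudoers_base" not in conf:
        findings.append("sudoers_base missing: sudo will ignore LDAP entirely")
    # Transport: ldaps:// URIs, 'ssl on' or 'ssl start_tls' give encryption;
    # with only host/port the page's default is localhost:389, in the clear.
    uris = " ".join(conf.get("uri", [])).split()
    plaintext = [u for u in uris if not u.startswith("ldaps://")]
    if not uris:
        plaintext = conf.get("host", ["localhost"])
    ssl = conf.get("ssl", ["off"])[-1].lower()
    if plaintext and ssl not in ("on", "yes", "true", "start_tls"):
        if "bindpw" in conf or "rootbinddn" in conf:
            findings.append("bind credentials are sent in the clear: use "
                            "ldaps:// URIs or 'ssl start_tls'")
        else:
            findings.append("sudoers lookups are unencrypted")
    # Server certificate verification and the CA material it needs.
    checkpeer = conf.get("tls_checkpeer", [""])[-1].lower()
    if checkpeer in ("no", "off", "false"):
        findings.append("tls_checkpeer no: server certificate not verified")
    elif checkpeer in ("yes", "on", "true") and not (
            "tls_cacertfile" in conf or "tls_cacertdir" in conf):
        findings.append("tls_checkpeer yes needs tls_cacertfile/tls_cacertdir")
    # Client certificate: enable both lines; key readable by root only.
    if ("tls_cert" in conf) != ("tls_key" in conf):
        findings.append("tls_cert and tls_key must be enabled together")
    for key in conf.get("tls_key", []):
        try:
            st = os.stat(key)
        except OSError:
            continue  # key file not on this host; nothing to check
        if st.st_uid != 0 or st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{key} should be owned by root with mode 0600")
    return findings

# Constructed configurations: a weak one and its corrected form.
WEAK = """\
uri            ldap://ldapserver
bindpw         example-password
tls_checkpeer  no   # ignore server SSL certificate
tls_cert       /etc/certs/client_cert.pem
"""
FIXED = """\
uri            ldaps://ldapserver
sudoers_base   ou=SUDOers,dc=example,dc=com
ssl            on
tls_checkpeer  yes
tls_cacertfile /etc/certs/trusted_signers.pem
tls_cert       /etc/certs/client_cert.pem
tls_key        /etc/certs/client_key.pem
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("fixed", FIXED)):
        print(label, audit(parse_ldap_conf(text)) or ["ok"])
```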

   Sudo schema for OpenLDAP
     The following schema, in OpenLDAP format, is included with sudo source
     and binary distributions as schema.OpenLDAP.  Simply copy it to the
     schema directory (e.g. /etc/openldap/schema), add the proper include line
     in slapd.conf and restart slapd.

       attributetype ( 1.3.6.1.4.1.15953.9.1.1
          NAME 'sudoUser'
          DESC 'User(s) who may  run sudo'
          EQUALITY caseExactIA5Match
          SUBSTR caseExactIA5SubstringsMatch
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

       attributetype ( 1.3.6.1.4.1.15953.9.1.2
          NAME 'sudoHost'
          DESC 'Host(s) who may run sudo'
          EQUALITY caseExactIA5Match
          SUBSTR caseExactIA5SubstringsMatch
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

       attributetype ( 1.3.6.1.4.1.15953.9.1.3
          NAME 'sudoCommand'
          DESC 'Command(s) to be executed by sudo'
          EQUALITY caseExactIA5Match
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

       attributetype ( 1.3.6.1.4.1.15953.9.1.4
          NAME 'sudoRunAs'
          DESC 'User(s) impersonated by sudo'
          EQUALITY caseExactIA5Match
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

       attributetype ( 1.3.6.1.4.1.15953.9.1.5
          NAME 'sudoOption'
          DESC 'Options(s) followed by sudo'
          EQUALITY caseExactIA5Match
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

       attributetype ( 1.3.6.1.4.1.15953.9.1.6
          NAME 'sudoRunAsUser'
          DESC 'User(s) impersonated by sudo'
          EQUALITY caseExactIA5Match
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

       attributetype ( 1.3.6.1.4.1.15953.9.1.7
          NAME 'sudoRunAsGroup'
          DESC 'Group(s) impersonated by sudo'
          EQUALITY caseExactIA5Match
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

       attributetype ( 1.3.6.1.4.1.15953.9.1.8
          NAME 'sudoNotBefore'
          DESC 'Start of time interval for which the entry is valid'
          EQUALITY generalizedTimeMatch
          ORDERING generalizedTimeOrderingMatch
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

       attributetype ( 1.3.6.1.4.1.15953.9.1.9
          NAME 'sudoNotAfter'
          DESC 'End of time interval for which the entry is valid'
          EQUALITY generalizedTimeMatch
          ORDERING generalizedTimeOrderingMatch
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

       attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
           NAME 'sudoOrder'
           DESC 'an integer to order the sudoRole entries'
           EQUALITY integerMatch
           ORDERING integerOrderingMatch
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

       objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
          DESC 'Sudoer Entries'
          MUST ( cn )
          MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
                sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
                sudoOrder $ description )
          )

SEE ALSO
     ldap.conf(1m), sudoers(1m)

CAVEATS
     Note that there are differences in the way that LDAP-based sudoers is
     parsed compared to file-based sudoers.  See the Differences between LDAP
     and non-LDAP sudoers section for more information.

BUGS
     If you feel you have found a bug in sudo, please submit a bug report at
     http://www.sudo.ws/sudo/bugs/

SUPPORT
     Limited free support is available via the sudo-users mailing list, see
     http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
     archives.

DISCLAIMER
     sudo is provided ``AS IS'' and any express or implied warranties,
     including, but not limited to, the implied warranties of merchantability
     and fitness for a particular purpose are disclaimed.  See the LICENSE
     file distributed with sudo or http://www.sudo.ws/sudo/license.html for
     complete details.

Sudo 1.8.6                       July 12, 2012                      Sudo 1.8.6
