Annotation of embedaddon/sudo/doc/sudoers.ldap.cat, revision 1.1.1.4
1.1.1.3 misho 1: SUDOERS.LDAP(1m) System Manager's Manual SUDOERS.LDAP(1m)
1.1 misho 2:
3: NNAAMMEE
1.1.1.3 misho 4: ssuuddooeerrss..llddaapp - sudo LDAP configuration
1.1 misho 5:
6: DDEESSCCRRIIPPTTIIOONN
1.1.1.3 misho 7: In addition to the standard _s_u_d_o_e_r_s file, ssuuddoo may be configured via
8: LDAP. This can be especially useful for synchronizing _s_u_d_o_e_r_s in a
9: large, distributed environment.
10:
11: Using LDAP for _s_u_d_o_e_r_s has several benefits:
12:
13: oo ssuuddoo no longer needs to read _s_u_d_o_e_r_s in its entirety. When LDAP is
14: used, there are only two or three LDAP queries per invocation. This
15: makes it especially fast and particularly usable in LDAP
16: environments.
17:
18: oo ssuuddoo no longer exits if there is a typo in _s_u_d_o_e_r_s. It is not
19: possible to load LDAP data into the server that does not conform to
20: the sudoers schema, so proper syntax is guaranteed. It is still
21: possible to have typos in a user or host name, but this will not
22: prevent ssuuddoo from running.
23:
24: oo It is possible to specify per-entry options that override the global
25: default options. _/_e_t_c_/_s_u_d_o_e_r_s only supports default options and
26: limited options associated with user/host/commands/aliases. The
27: syntax is complicated and can be difficult for users to understand.
28: Placing the options directly in the entry is more natural.
29:
30: oo The vviissuuddoo program is no longer needed. vviissuuddoo provides locking and
31: syntax checking of the _/_e_t_c_/_s_u_d_o_e_r_s file. Since LDAP updates are
32: atomic, locking is no longer necessary. Because syntax is checked
33: when the data is inserted into LDAP, there is no need for a
34: specialized tool to check syntax.
35:
36: Another major difference between LDAP and file-based _s_u_d_o_e_r_s is that in
37: LDAP, ssuuddoo-specific Aliases are not supported.
38:
39: For the most part, there is really no need for ssuuddoo-specific Aliases.
1.1.1.4 ! misho 40: Unix groups, non-Unix groups (via the _g_r_o_u_p___p_l_u_g_i_n) or user netgroups can
! 41: be used in place of User_Aliases and Runas_Aliases. Host netgroups can
! 42: be used in place of Host_Aliases. Since groups and netgroups can also be
! 43: stored in LDAP there is no real need for ssuuddoo-specific aliases.
1.1.1.3 misho 44:
45: Cmnd_Aliases are not really required either since it is possible to have
46: multiple users listed in a sudoRole. Instead of defining a Cmnd_Alias
47: that is referenced by multiple users, one can create a sudoRole that
48: contains the commands and assign multiple users to it.
1.1 misho 49:
50: SSUUDDOOeerrss LLDDAAPP ccoonnttaaiinneerr
1.1.1.3 misho 51: The _s_u_d_o_e_r_s configuration is contained in the ou=SUDOers LDAP container.
1.1 misho 52:
1.1.1.3 misho 53: Sudo first looks for the cn=default entry in the SUDOers container. If
54: found, the multi-valued sudoOption attribute is parsed in the same manner
55: as a global Defaults line in _/_e_t_c_/_s_u_d_o_e_r_s. In the following example, the
56: SSH_AUTH_SOCK variable will be preserved in the environment for all
57: users.
58:
59: dn: cn=defaults,ou=SUDOers,dc=example,dc=com
60: objectClass: top
61: objectClass: sudoRole
62: cn: defaults
63: description: Default sudoOption's go here
64: sudoOption: env_keep+=SSH_AUTH_SOCK
65:
66: The equivalent of a sudoer in LDAP is a sudoRole. It consists of the
67: following attributes:
68:
69: ssuuddooUUsseerr
1.1.1.4 ! misho 70: A user name, user ID (prefixed with `#'), Unix group name or ID
! 71: (prefixed with `%' or `%#' respectively), user netgroup (prefixed
! 72: with `+'), or non-Unix group name or ID (prefixed with `%:' or
! 73: `%:#' respectively). Non-Unix group support is only available when
! 74: an appropriate _g_r_o_u_p___p_l_u_g_i_n is defined in the global _d_e_f_a_u_l_t_s
! 75: sudoRole object.
1.1 misho 76:
1.1.1.3 misho 77: ssuuddooHHoosstt
1.1 misho 78: A host name, IP address, IP network, or host netgroup (prefixed
1.1.1.3 misho 79: with a `+'). The special value ALL will match any host.
1.1 misho 80:
1.1.1.3 misho 81: ssuuddooCCoommmmaanndd
1.1.1.4 ! misho 82: A fully-qualified Unix command name with optional command line
! 83: arguments, potentially including globbing characters (aka wild
! 84: cards). If a command name is preceded by an exclamation point,
! 85: `!', the user will be prohibited from running that command.
! 86:
! 87: The built-in command ``sudoedit'' is used to permit a user to run
! 88: ssuuddoo with the --ee option (or as ssuuddooeeddiitt). It may take command line
! 89: arguments just as a normal command does. Note that ``sudoedit'' is
! 90: a command built into ssuuddoo itself and must be specified in without a
! 91: leading path.
! 92:
! 93: The special value ALL will match any command.
! 94:
! 95: If a command name is prefixed with a SHA-2 digest, it will only be
! 96: allowed if the digest matches. This may be useful in situations
! 97: where the user invoking ssuuddoo has write access to the command or its
! 98: parent directory. The following digest formats are supported:
! 99: sha224, sha256, sha384 and sha512. The digest name must be
! 100: followed by a colon (`:') and then the actual digest, in either hex
! 101: or base64 format. For example, given the following value for
! 102: sudoCommand:
! 103:
! 104: sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ /bin/ls
! 105:
! 106: The user may only run _/_b_i_n_/_l_s if its sha224 digest matches the
! 107: specified value. Command digests are only supported by version
! 108: 1.8.7 or higher.
1.1 misho 109:
1.1.1.3 misho 110: ssuuddooOOppttiioonn
1.1 misho 111: Identical in function to the global options described above, but
112: specific to the sudoRole in which it resides.
113:
1.1.1.3 misho 114: ssuuddooRRuunnAAssUUsseerr
115: A user name or uid (prefixed with `#') that commands may be run as
116: or a Unix group (prefixed with a `%') or user netgroup (prefixed
117: with a `+') that contains a list of users that commands may be run
1.1 misho 118: as. The special value ALL will match any user.
119:
120: The sudoRunAsUser attribute is only available in ssuuddoo versions
121: 1.7.0 and higher. Older versions of ssuuddoo use the sudoRunAs
122: attribute instead.
123:
1.1.1.3 misho 124: ssuuddooRRuunnAAssGGrroouupp
125: A Unix group or gid (prefixed with `#') that commands may be run
1.1 misho 126: as. The special value ALL will match any group.
127:
128: The sudoRunAsGroup attribute is only available in ssuuddoo versions
129: 1.7.0 and higher.
130:
1.1.1.3 misho 131: ssuuddooNNoottBBeeffoorree
1.1 misho 132: A timestamp in the form yyyymmddHHMMSSZ that can be used to provide
133: a start date/time for when the sudoRole will be valid. If multiple
134: sudoNotBefore entries are present, the earliest is used. Note that
135: timestamps must be in Coordinated Universal Time (UTC), not the
136: local timezone. The minute and seconds portions are optional, but
137: some LDAP servers require that they be present (contrary to the
138: RFC).
139:
140: The sudoNotBefore attribute is only available in ssuuddoo versions
141: 1.7.5 and higher and must be explicitly enabled via the
142: SSUUDDOOEERRSS__TTIIMMEEDD option in _/_e_t_c_/_l_d_a_p_._c_o_n_f.
143:
1.1.1.3 misho 144: ssuuddooNNoottAAfftteerr
1.1 misho 145: A timestamp in the form yyyymmddHHMMSSZ that indicates an
146: expiration date/time, after which the sudoRole will no longer be
147: valid. If multiple sudoNotBefore entries are present, the last one
148: is used. Note that timestamps must be in Coordinated Universal
149: Time (UTC), not the local timezone. The minute and seconds
150: portions are optional, but some LDAP servers require that they be
151: present (contrary to the RFC).
152:
153: The sudoNotAfter attribute is only available in ssuuddoo versions 1.7.5
154: and higher and must be explicitly enabled via the SSUUDDOOEERRSS__TTIIMMEEDD
155: option in _/_e_t_c_/_l_d_a_p_._c_o_n_f.
156:
1.1.1.3 misho 157: ssuuddooOOrrddeerr
1.1 misho 158: The sudoRole entries retrieved from the LDAP directory have no
159: inherent order. The sudoOrder attribute is an integer (or floating
160: point value for LDAP servers that support it) that is used to sort
161: the matching entries. This allows LDAP-based sudoers entries to
1.1.1.4 ! misho 162: more closely mimic the behavior of the sudoers file, where the of
1.1 misho 163: the entries influences the result. If multiple entries match, the
164: entry with the highest sudoOrder attribute is chosen. This
1.1.1.3 misho 165: corresponds to the ``last match'' behavior of the sudoers file. If
1.1 misho 166: the sudoOrder attribute is not present, a value of 0 is assumed.
167:
168: The sudoOrder attribute is only available in ssuuddoo versions 1.7.5
169: and higher.
170:
1.1.1.3 misho 171: Each attribute listed above should contain a single value, but there may
172: be multiple instances of each attribute type. A sudoRole must contain at
173: least one sudoUser, sudoHost and sudoCommand.
174:
175: The following example allows users in group wheel to run any command on
176: any host via ssuuddoo:
177:
178: dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
179: objectClass: top
180: objectClass: sudoRole
181: cn: %wheel
182: sudoUser: %wheel
183: sudoHost: ALL
184: sudoCommand: ALL
1.1 misho 185:
186: AAnnaattoommyy ooff LLDDAAPP ssuuddooeerrss llooookkuupp
1.1.1.3 misho 187: When looking up a sudoer using LDAP there are only two or three LDAP
188: queries per invocation. The first query is to parse the global options.
189: The second is to match against the user's name and the groups that the
190: user belongs to. (The special ALL tag is matched in this query too.) If
191: no match is returned for the user's name and groups, a third query
192: returns all entries containing user netgroups and checks to see if the
193: user belongs to any of them.
194:
195: If timed entries are enabled with the SSUUDDOOEERRSS__TTIIMMEEDD configuration
1.1.1.4 ! misho 196: directive, the LDAP queries include a sub-filter that limits retrieval to
1.1.1.3 misho 197: entries that satisfy the time constraints, if any.
1.1 misho 198:
199: DDiiffffeerreenncceess bbeettwweeeenn LLDDAAPP aanndd nnoonn--LLDDAAPP ssuuddooeerrss
1.1.1.3 misho 200: There are some subtle differences in the way sudoers is handled once in
201: LDAP. Probably the biggest is that according to the RFC, LDAP ordering
202: is arbitrary and you cannot expect that Attributes and Entries are
203: returned in any specific order.
204:
205: The order in which different entries are applied can be controlled using
206: the sudoOrder attribute, but there is no way to guarantee the order of
207: attributes within a specific entry. If there are conflicting command
208: rules in an entry, the negative takes precedence. This is called
209: paranoid behavior (not necessarily the most specific match).
210:
211: Here is an example:
212:
213: # /etc/sudoers:
214: # Allow all commands except shell
215: johnny ALL=(root) ALL,!/bin/sh
216: # Always allows all commands because ALL is matched last
217: puddles ALL=(root) !/bin/sh,ALL
218:
219: # LDAP equivalent of johnny
220: # Allows all commands except shell
221: dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
222: objectClass: sudoRole
223: objectClass: top
224: cn: role1
225: sudoUser: johnny
226: sudoHost: ALL
227: sudoCommand: ALL
228: sudoCommand: !/bin/sh
229:
230: # LDAP equivalent of puddles
231: # Notice that even though ALL comes last, it still behaves like
232: # role1 since the LDAP code assumes the more paranoid configuration
233: dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
234: objectClass: sudoRole
235: objectClass: top
236: cn: role2
237: sudoUser: puddles
238: sudoHost: ALL
239: sudoCommand: !/bin/sh
240: sudoCommand: ALL
241:
242: Another difference is that negations on the Host, User or Runas are
243: currently ignored. For example, the following attributes do not behave
244: the way one might expect.
245:
246: # does not match all but joe
247: # rather, does not match anyone
248: sudoUser: !joe
249:
250: # does not match all but joe
251: # rather, matches everyone including Joe
252: sudoUser: ALL
253: sudoUser: !joe
254:
255: # does not match all but web01
256: # rather, matches all hosts including web01
257: sudoHost: ALL
258: sudoHost: !web01
259:
260: SSuuddooeerrss sscchheemmaa
261: In order to use ssuuddoo's LDAP support, the ssuuddoo schema must be installed on
262: your LDAP server. In addition, be sure to index the sudoUser attribute.
263:
264: Three versions of the schema: one for OpenLDAP servers (_s_c_h_e_m_a_._O_p_e_n_L_D_A_P),
265: one for Netscape-derived servers (_s_c_h_e_m_a_._i_P_l_a_n_e_t), and one for Microsoft
266: Active Directory (_s_c_h_e_m_a_._A_c_t_i_v_e_D_i_r_e_c_t_o_r_y) may be found in the ssuuddoo
267: distribution.
1.1 misho 268:
1.1.1.3 misho 269: The schema for ssuuddoo in OpenLDAP form is also included in the _E_X_A_M_P_L_E_S
270: section.
1.1 misho 271:
272: CCoonnffiigguurriinngg llddaapp..ccoonnff
1.1.1.3 misho 273: Sudo reads the _/_e_t_c_/_l_d_a_p_._c_o_n_f file for LDAP-specific configuration.
1.1.1.4 ! misho 274: Typically, this file is shared between different LDAP-aware clients. As
1.1.1.3 misho 275: such, most of the settings are not ssuuddoo-specific. Note that ssuuddoo parses
276: _/_e_t_c_/_l_d_a_p_._c_o_n_f itself and may support options that differ from those
1.1.1.4 ! misho 277: described in the system's ldap.conf(1m) manual. The path to _l_d_a_p_._c_o_n_f may
! 278: be overridden via the _l_d_a_p___c_o_n_f plugin argument in sudo.conf(4).
1.1.1.3 misho 279:
280: Also note that on systems using the OpenLDAP libraries, default values
281: specified in _/_e_t_c_/_o_p_e_n_l_d_a_p_/_l_d_a_p_._c_o_n_f or the user's _._l_d_a_p_r_c files are not
282: used.
283:
284: Only those options explicitly listed in _/_e_t_c_/_l_d_a_p_._c_o_n_f as being supported
285: by ssuuddoo are honored. Configuration options are listed below in upper
286: case but are parsed in a case-independent manner.
1.1 misho 287:
1.1.1.4 ! misho 288: Long lines can be continued with a backslash (`\') as the last character
! 289: on the line. Note that leading white space is removed from the beginning
! 290: of lines even when the continuation character is used.
! 291:
1.1.1.3 misho 292: UURRII _l_d_a_p_[_s_]_:_/_/_[_h_o_s_t_n_a_m_e_[_:_p_o_r_t_]_] _._._.
1.1.1.4 ! misho 293: Specifies a white space-delimited list of one or more URIs
1.1 misho 294: describing the LDAP server(s) to connect to. The _p_r_o_t_o_c_o_l may be
1.1.1.3 misho 295: either _l_d_a_p _l_d_a_p_s, the latter being for servers that support TLS
1.1 misho 296: (SSL) encryption. If no _p_o_r_t is specified, the default is port 389
297: for ldap:// or port 636 for ldaps://. If no _h_o_s_t_n_a_m_e is specified,
1.1.1.3 misho 298: ssuuddoo will connect to _l_o_c_a_l_h_o_s_t. Multiple UURRII lines are treated
1.1 misho 299: identically to a UURRII line containing multiple entries. Only
300: systems using the OpenSSL libraries support the mixing of ldap://
1.1.1.3 misho 301: and ldaps:// URIs. Both the Netscape-derived and Tivoli LDAP
302: libraries used on most commercial versions of Unix are only capable
303: of supporting one or the other.
1.1 misho 304:
1.1.1.3 misho 305: HHOOSSTT _n_a_m_e_[_:_p_o_r_t_] _._._.
1.1.1.4 ! misho 306: If no UURRII is specified, the HHOOSSTT parameter specifies a white space-
1.1 misho 307: delimited list of LDAP servers to connect to. Each host may
1.1.1.3 misho 308: include an optional _p_o_r_t separated by a colon (`:'). The HHOOSSTT
1.1 misho 309: parameter is deprecated in favor of the UURRII specification and is
310: included for backwards compatibility.
311:
1.1.1.3 misho 312: PPOORRTT _p_o_r_t___n_u_m_b_e_r
1.1 misho 313: If no UURRII is specified, the PPOORRTT parameter specifies the default
314: port to connect to on the LDAP server if a HHOOSSTT parameter does not
315: specify the port itself. If no PPOORRTT parameter is used, the default
316: is port 389 for LDAP and port 636 for LDAP over TLS (SSL). The
317: PPOORRTT parameter is deprecated in favor of the UURRII specification and
318: is included for backwards compatibility.
319:
1.1.1.3 misho 320: BBIINNDD__TTIIMMEELLIIMMIITT _s_e_c_o_n_d_s
1.1 misho 321: The BBIINNDD__TTIIMMEELLIIMMIITT parameter specifies the amount of time, in
322: seconds, to wait while trying to connect to an LDAP server. If
323: multiple UURRIIs or HHOOSSTTs are specified, this is the amount of time to
324: wait before trying the next one in the list.
325:
1.1.1.3 misho 326: NNEETTWWOORRKK__TTIIMMEEOOUUTT _s_e_c_o_n_d_s
1.1 misho 327: An alias for BBIINNDD__TTIIMMEELLIIMMIITT for OpenLDAP compatibility.
328:
1.1.1.3 misho 329: TTIIMMEELLIIMMIITT _s_e_c_o_n_d_s
1.1 misho 330: The TTIIMMEELLIIMMIITT parameter specifies the amount of time, in seconds,
331: to wait for a response to an LDAP query.
332:
1.1.1.3 misho 333: TTIIMMEEOOUUTT _s_e_c_o_n_d_s
1.1 misho 334: The TTIIMMEEOOUUTT parameter specifies the amount of time, in seconds, to
335: wait for a response from the various LDAP APIs.
336:
1.1.1.3 misho 337: SSUUDDOOEERRSS__BBAASSEE _b_a_s_e
1.1 misho 338: The base DN to use when performing ssuuddoo LDAP queries. Typically
339: this is of the form ou=SUDOers,dc=example,dc=com for the domain
340: example.com. Multiple SSUUDDOOEERRSS__BBAASSEE lines may be specified, in
341: which case they are queried in the order specified.
342:
1.1.1.3 misho 343: SSUUDDOOEERRSS__SSEEAARRCCHH__FFIILLTTEERR _l_d_a_p___f_i_l_t_e_r
1.1 misho 344: An LDAP filter which is used to restrict the set of records
345: returned when performing a ssuuddoo LDAP query. Typically, this is of
346: the form attribute=value or
347: (&(attribute=value)(attribute2=value2)).
348:
1.1.1.3 misho 349: SSUUDDOOEERRSS__TTIIMMEEDD _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o
1.1 misho 350: Whether or not to evaluate the sudoNotBefore and sudoNotAfter
351: attributes that implement time-dependent sudoers entries.
352:
1.1.1.3 misho 353: SSUUDDOOEERRSS__DDEEBBUUGG _d_e_b_u_g___l_e_v_e_l
1.1 misho 354: This sets the debug level for ssuuddoo LDAP queries. Debugging
355: information is printed to the standard error. A value of 1 results
356: in a moderate amount of debugging information. A value of 2 shows
357: the results of the matches themselves. This parameter should not
358: be set in a production environment as the extra information is
359: likely to confuse users.
360:
1.1.1.4 ! misho 361: The SSUUDDOOEERRSS__DDEEBBUUGG parameter is deprecated and will be removed in a
! 362: future release. The same information is now logged via the ssuuddoo
! 363: debugging framework using the ``ldap'' subsystem at priorities _d_i_a_g
! 364: and _i_n_f_o for _d_e_b_u_g___l_e_v_e_l values 1 and 2 respectively. See the
! 365: sudo.conf(4) manual for details on how to configure ssuuddoo debugging.
! 366:
1.1.1.3 misho 367: BBIINNDDDDNN _D_N
1.1 misho 368: The BBIINNDDDDNN parameter specifies the identity, in the form of a
369: Distinguished Name (DN), to use when performing LDAP operations.
370: If not specified, LDAP operations are performed with an anonymous
371: identity. By default, most LDAP servers will allow anonymous
372: access.
373:
1.1.1.3 misho 374: BBIINNDDPPWW _s_e_c_r_e_t
1.1 misho 375: The BBIINNDDPPWW parameter specifies the password to use when performing
376: LDAP operations. This is typically used in conjunction with the
377: BBIINNDDDDNN parameter.
378:
1.1.1.3 misho 379: RROOOOTTBBIINNDDDDNN _D_N
1.1 misho 380: The RROOOOTTBBIINNDDDDNN parameter specifies the identity, in the form of a
381: Distinguished Name (DN), to use when performing privileged LDAP
382: operations, such as _s_u_d_o_e_r_s queries. The password corresponding to
1.1.1.4 ! misho 383: the identity should be stored in the or the path specified by the
! 384: _l_d_a_p___s_e_c_r_e_t plugin argument in sudo.conf(4), which defaults to
! 385: _/_e_t_c_/_l_d_a_p_._s_e_c_r_e_t. If no RROOOOTTBBIINNDDDDNN is specified, the BBIINNDDDDNN
! 386: identity is used (if any).
1.1 misho 387:
1.1.1.3 misho 388: LLDDAAPP__VVEERRSSIIOONN _n_u_m_b_e_r
1.1 misho 389: The version of the LDAP protocol to use when connecting to the
390: server. The default value is protocol version 3.
391:
1.1.1.3 misho 392: SSSSLL _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o
1.1 misho 393: If the SSSSLL parameter is set to on, true or yes, TLS (SSL)
394: encryption is always used when communicating with the LDAP server.
395: Typically, this involves connecting to the server on port 636
396: (ldaps).
397:
1.1.1.3 misho 398: SSSSLL _s_t_a_r_t___t_l_s
1.1 misho 399: If the SSSSLL parameter is set to start_tls, the LDAP server
400: connection is initiated normally and TLS encryption is begun before
401: the bind credentials are sent. This has the advantage of not
402: requiring a dedicated port for encrypted communications. This
403: parameter is only supported by LDAP servers that honor the
1.1.1.3 misho 404: _s_t_a_r_t___t_l_s extension, such as the OpenLDAP and Tivoli Directory
405: servers.
1.1 misho 406:
1.1.1.3 misho 407: TTLLSS__CCHHEECCKKPPEEEERR _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o
1.1 misho 408: If enabled, TTLLSS__CCHHEECCKKPPEEEERR will cause the LDAP server's TLS
409: certificated to be verified. If the server's TLS certificate
410: cannot be verified (usually because it is signed by an unknown
411: certificate authority), ssuuddoo will be unable to connect to it. If
412: TTLLSS__CCHHEECCKKPPEEEERR is disabled, no check is made. Note that disabling
413: the check creates an opportunity for man-in-the-middle attacks
414: since the server's identity will not be authenticated. If
415: possible, the CA's certificate should be installed locally so it
1.1.1.3 misho 416: can be verified. This option is not supported by the Tivoli
417: Directory Server LDAP libraries.
1.1 misho 418:
1.1.1.3 misho 419: TTLLSS__CCAACCEERRTT _f_i_l_e _n_a_m_e
1.1 misho 420: An alias for TTLLSS__CCAACCEERRTTFFIILLEE for OpenLDAP compatibility.
421:
1.1.1.3 misho 422: TTLLSS__CCAACCEERRTTFFIILLEE _f_i_l_e _n_a_m_e
1.1 misho 423: The path to a certificate authority bundle which contains the
424: certificates for all the Certificate Authorities the client knows
425: to be valid, e.g. _/_e_t_c_/_s_s_l_/_c_a_-_b_u_n_d_l_e_._p_e_m. This option is only
426: supported by the OpenLDAP libraries. Netscape-derived LDAP
427: libraries use the same certificate database for CA and client
428: certificates (see TTLLSS__CCEERRTT).
429:
1.1.1.3 misho 430: TTLLSS__CCAACCEERRTTDDIIRR _d_i_r_e_c_t_o_r_y
1.1 misho 431: Similar to TTLLSS__CCAACCEERRTTFFIILLEE but instead of a file, it is a directory
432: containing individual Certificate Authority certificates, e.g.
433: _/_e_t_c_/_s_s_l_/_c_e_r_t_s. The directory specified by TTLLSS__CCAACCEERRTTDDIIRR is
434: checked after TTLLSS__CCAACCEERRTTFFIILLEE. This option is only supported by the
435: OpenLDAP libraries.
436:
1.1.1.3 misho 437: TTLLSS__CCEERRTT _f_i_l_e _n_a_m_e
1.1 misho 438: The path to a file containing the client certificate which can be
439: used to authenticate the client to the LDAP server. The
440: certificate type depends on the LDAP libraries used.
441:
442: OpenLDAP:
1.1.1.3 misho 443: tls_cert /etc/ssl/client_cert.pem
1.1 misho 444:
445: Netscape-derived:
1.1.1.3 misho 446: tls_cert /var/ldap/cert7.db
1.1 misho 447:
1.1.1.3 misho 448: Tivoli Directory Server:
449: Unused, the key database specified by TTLLSS__KKEEYY contains both
450: keys and certificates.
1.1 misho 451:
1.1.1.3 misho 452: When using Netscape-derived libraries, this file may also
453: contain Certificate Authority certificates.
454:
455: TTLLSS__KKEEYY _f_i_l_e _n_a_m_e
1.1 misho 456: The path to a file containing the private key which matches the
457: certificate specified by TTLLSS__CCEERRTT. The private key must not be
458: password-protected. The key type depends on the LDAP libraries
459: used.
460:
461: OpenLDAP:
1.1.1.3 misho 462: tls_key /etc/ssl/client_key.pem
1.1 misho 463:
464: Netscape-derived:
1.1.1.3 misho 465: tls_key /var/ldap/key3.db
466:
467: Tivoli Directory Server:
468: tls_cert /usr/ldap/ldapkey.kdb
469: When using Tivoli LDAP libraries, this file may also contain
470: Certificate Authority and client certificates and may be encrypted.
471:
472: TTLLSS__KKEEYYPPWW _s_e_c_r_e_t
473: The TTLLSS__KKEEYYPPWW contains the password used to decrypt the key
474: database on clients using the Tivoli Directory Server LDAP library.
475: If no TTLLSS__KKEEYYPPWW is specified, a _s_t_a_s_h _f_i_l_e will be used if it
476: exists. The _s_t_a_s_h _f_i_l_e must have the same path as the file
477: specified by TTLLSS__KKEEYY, but use a .sth file extension instead of
478: .kdb, e.g. ldapkey.sth. The default ldapkey.kdb that ships with
479: Tivoli Directory Server is encrypted with the password
480: ssl_password. This option is only supported by the Tivoli LDAP
481: libraries.
1.1 misho 482:
1.1.1.3 misho 483: TTLLSS__RRAANNDDFFIILLEE _f_i_l_e _n_a_m_e
1.1 misho 484: The TTLLSS__RRAANNDDFFIILLEE parameter specifies the path to an entropy source
485: for systems that lack a random device. It is generally used in
486: conjunction with _p_r_n_g_d or _e_g_d. This option is only supported by
487: the OpenLDAP libraries.
488:
1.1.1.3 misho 489: TTLLSS__CCIIPPHHEERRSS _c_i_p_h_e_r _l_i_s_t
1.1 misho 490: The TTLLSS__CCIIPPHHEERRSS parameter allows the administer to restrict which
491: encryption algorithms may be used for TLS (SSL) connections. See
1.1.1.3 misho 492: the OpenLDAP or Tivoli Directory Server manual for a list of valid
493: ciphers. This option is not supported by Netscape-derived
494: libraries.
1.1 misho 495:
1.1.1.3 misho 496: UUSSEE__SSAASSLL _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o
1.1 misho 497: Enable UUSSEE__SSAASSLL for LDAP servers that support SASL authentication.
498:
1.1.1.3 misho 499: SSAASSLL__AAUUTTHH__IIDD _i_d_e_n_t_i_t_y
1.1 misho 500: The SASL user name to use when connecting to the LDAP server. By
501: default, ssuuddoo will use an anonymous connection.
502:
1.1.1.3 misho 503: RROOOOTTUUSSEE__SSAASSLL _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o
1.1 misho 504: Enable RROOOOTTUUSSEE__SSAASSLL to enable SASL authentication when connecting
505: to an LDAP server from a privileged process, such as ssuuddoo.
506:
1.1.1.3 misho 507: RROOOOTTSSAASSLL__AAUUTTHH__IIDD _i_d_e_n_t_i_t_y
1.1 misho 508: The SASL user name to use when RROOOOTTUUSSEE__SSAASSLL is enabled.
509:
1.1.1.3 misho 510: SSAASSLL__SSEECCPPRROOPPSS _n_o_n_e_/_p_r_o_p_e_r_t_i_e_s
1.1 misho 511: SASL security properties or _n_o_n_e for no properties. See the SASL
512: programmer's manual for details.
513:
1.1.1.3 misho 514: KKRRBB55__CCCCNNAAMMEE _f_i_l_e _n_a_m_e
1.1 misho 515: The path to the Kerberos 5 credential cache to use when
516: authenticating with the remote server.
517:
1.1.1.3 misho 518: DDEERREEFF _n_e_v_e_r_/_s_e_a_r_c_h_i_n_g_/_f_i_n_d_i_n_g_/_a_l_w_a_y_s
1.1 misho 519: How alias dereferencing is to be performed when searching. See the
1.1.1.3 misho 520: ldap.conf(1m) manual for a full description of this option.
1.1 misho 521:
1.1.1.3 misho 522: See the _l_d_a_p_._c_o_n_f entry in the _E_X_A_M_P_L_E_S section.
1.1 misho 523:
524: CCoonnffiigguurriinngg nnsssswwiittcchh..ccoonnff
1.1.1.3 misho 525: Unless it is disabled at build time, ssuuddoo consults the Name Service
526: Switch file, _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f, to specify the _s_u_d_o_e_r_s search order.
527: Sudo looks for a line beginning with sudoers: and uses this to determine
528: the search order. Note that ssuuddoo does not stop searching after the first
529: match and later matches take precedence over earlier ones. The following
530: sources are recognized:
1.1 misho 531:
1.1.1.3 misho 532: files read sudoers from _/_e_t_c_/_s_u_d_o_e_r_s
533: ldap read sudoers from LDAP
1.1 misho 534:
1.1.1.3 misho 535: In addition, the entry [NOTFOUND=return] will short-circuit the search if
536: the user was not found in the preceding source.
1.1 misho 537:
1.1.1.3 misho 538: To consult LDAP first followed by the local sudoers file (if it exists),
539: use:
1.1 misho 540:
1.1.1.3 misho 541: sudoers: ldap files
1.1 misho 542:
1.1.1.3 misho 543: The local _s_u_d_o_e_r_s file can be ignored completely by using:
1.1 misho 544:
1.1.1.3 misho 545: sudoers: ldap
1.1 misho 546:
1.1.1.3 misho 547: If the _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f file is not present or there is no sudoers
548: line, the following default is assumed:
1.1 misho 549:
1.1.1.3 misho 550: sudoers: files
1.1 misho 551:
1.1.1.3 misho 552: Note that _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f is supported even when the underlying
553: operating system does not use an nsswitch.conf file, except on AIX (see
554: below).
1.1 misho 555:
556: CCoonnffiigguurriinngg nneettssvvcc..ccoonnff
1.1.1.3 misho 557: On AIX systems, the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is consulted instead of
558: _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f. ssuuddoo simply treats _n_e_t_s_v_c_._c_o_n_f as a variant of
559: _n_s_s_w_i_t_c_h_._c_o_n_f; information in the previous section unrelated to the file
560: format itself still applies.
1.1 misho 561:
1.1.1.3 misho 562: To consult LDAP first followed by the local sudoers file (if it exists),
563: use:
1.1 misho 564:
1.1.1.3 misho 565: sudoers = ldap, files
1.1 misho 566:
1.1.1.3 misho 567: The local _s_u_d_o_e_r_s file can be ignored completely by using:
1.1 misho 568:
1.1.1.3 misho 569: sudoers = ldap
1.1 misho 570:
1.1.1.4 ! misho 571: To treat LDAP as authoritative and only use the local sudoers file if the
1.1.1.3 misho 572: user is not present in LDAP, use:
1.1 misho 573:
1.1.1.3 misho 574: sudoers = ldap = auth, files
1.1 misho 575:
1.1.1.4 ! misho 576: Note that in the above example, the auth qualifier only affects user
1.1.1.3 misho 577: lookups; both LDAP and _s_u_d_o_e_r_s will be queried for Defaults entries.
1.1 misho 578:
1.1.1.3 misho 579: If the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is not present or there is no sudoers line,
580: the following default is assumed:
1.1 misho 581:
1.1.1.3 misho 582: sudoers = files
1.1 misho 583:
584: FFIILLEESS
1.1.1.3 misho 585: _/_e_t_c_/_l_d_a_p_._c_o_n_f LDAP configuration file
1.1 misho 586:
1.1.1.3 misho 587: _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f determines sudoers source order
1.1 misho 588:
1.1.1.3 misho 589: _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f determines sudoers source order on AIX
1.1 misho 590:
591: EEXXAAMMPPLLEESS
592: EExxaammppllee llddaapp..ccoonnff
1.1.1.3 misho 593: # Either specify one or more URIs or one or more host:port pairs.
594: # If neither is specified sudo will default to localhost, port 389.
595: #
596: #host ldapserver
597: #host ldapserver1 ldapserver2:390
598: #
599: # Default port if host is specified without one, defaults to 389.
600: #port 389
601: #
602: # URI will override the host and port settings.
603: uri ldap://ldapserver
604: #uri ldaps://secureldapserver
605: #uri ldaps://secureldapserver ldap://ldapserver
606: #
607: # The amount of time, in seconds, to wait while trying to connect to
608: # an LDAP server.
609: bind_timelimit 30
610: #
611: # The amount of time, in seconds, to wait while performing an LDAP query.
612: timelimit 30
613: #
614: # Must be set or sudo will ignore LDAP; may be specified multiple times.
615: sudoers_base ou=SUDOers,dc=example,dc=com
616: #
617: # verbose sudoers matching from ldap
618: #sudoers_debug 2
619: #
620: # Enable support for time-based entries in sudoers.
621: #sudoers_timed yes
622: #
623: # optional proxy credentials
624: #binddn <who to search as>
625: #bindpw <password>
626: #rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>
627: #
628: # LDAP protocol version, defaults to 3
629: #ldap_version 3
630: #
631: # Define if you want to use an encrypted LDAP connection.
632: # Typically, you must also set the port to 636 (ldaps).
633: #ssl on
634: #
635: # Define if you want to use port 389 and switch to
636: # encryption before the bind credentials are sent.
637: # Only supported by LDAP servers that support the start_tls
638: # extension such as OpenLDAP.
639: #ssl start_tls
640: #
641: # Additional TLS options follow that allow tweaking of the
642: # SSL/TLS connection.
643: #
644: #tls_checkpeer yes # verify server SSL certificate
645: #tls_checkpeer no # ignore server SSL certificate
646: #
647: # If you enable tls_checkpeer, specify either tls_cacertfile
648: # or tls_cacertdir. Only supported when using OpenLDAP.
649: #
650: #tls_cacertfile /etc/certs/trusted_signers.pem
651: #tls_cacertdir /etc/certs
652: #
653: # For systems that don't have /dev/random
654: # use this along with PRNGD or EGD.pl to seed the
655: # random number pool to generate cryptographic session keys.
656: # Only supported when using OpenLDAP.
657: #
658: #tls_randfile /etc/egd-pool
659: #
660: # You may restrict which ciphers are used. Consult your SSL
661: # documentation for which options go here.
662: # Only supported when using OpenLDAP.
663: #
664: #tls_ciphers <cipher-list>
665: #
666: # Sudo can provide a client certificate when communicating to
667: # the LDAP server.
668: # Tips:
669: # * Enable both lines at the same time.
670: # * Do not password protect the key file.
671: # * Ensure the keyfile is only readable by root.
672: #
673: # For OpenLDAP:
674: #tls_cert /etc/certs/client_cert.pem
675: #tls_key /etc/certs/client_key.pem
676: #
677: # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
678: # a directory, in which case the files in the directory must have the
679: # default names (e.g. cert8.db and key4.db), or the path to the cert
680: # and key files themselves. However, a bug in version 5.0 of the LDAP
681: # SDK will prevent specific file names from working. For this reason
682: # it is suggested that tls_cert and tls_key be set to a directory,
683: # not a file name.
684: #
685: # The certificate database specified by tls_cert may contain CA certs
686: # and/or the client's cert. If the client's cert is included, tls_key
687: # should be specified as well.
688: # For backward compatibility, "sslpath" may be used in place of tls_cert.
689: #tls_cert /var/ldap
690: #tls_key /var/ldap
691: #
692: # If using SASL authentication for LDAP (OpenSSL)
693: # use_sasl yes
694: # sasl_auth_id <SASL user name>
695: # rootuse_sasl yes
696: # rootsasl_auth_id <SASL user name for root access>
697: # sasl_secprops none
698: # krb5_ccname /etc/.ldapcache
1.1 misho 699:
700: SSuuddoo sscchheemmaa ffoorr OOppeennLLDDAAPP
1.1.1.3 misho 701: The following schema, in OpenLDAP format, is included with ssuuddoo source
702: and binary distributions as _s_c_h_e_m_a_._O_p_e_n_L_D_A_P. Simply copy it to the
703: schema directory (e.g. _/_e_t_c_/_o_p_e_n_l_d_a_p_/_s_c_h_e_m_a), add the proper include line
704: in _s_l_a_p_d_._c_o_n_f and restart ssllaappdd.
705:
706: attributetype ( 1.3.6.1.4.1.15953.9.1.1
707: NAME 'sudoUser'
708: DESC 'User(s) who may run sudo'
709: EQUALITY caseExactIA5Match
710: SUBSTR caseExactIA5SubstringsMatch
711: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
712:
713: attributetype ( 1.3.6.1.4.1.15953.9.1.2
714: NAME 'sudoHost'
715: DESC 'Host(s) who may run sudo'
716: EQUALITY caseExactIA5Match
717: SUBSTR caseExactIA5SubstringsMatch
718: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
719:
720: attributetype ( 1.3.6.1.4.1.15953.9.1.3
721: NAME 'sudoCommand'
722: DESC 'Command(s) to be executed by sudo'
723: EQUALITY caseExactIA5Match
724: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
725:
726: attributetype ( 1.3.6.1.4.1.15953.9.1.4
727: NAME 'sudoRunAs'
728: DESC 'User(s) impersonated by sudo'
729: EQUALITY caseExactIA5Match
730: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
731:
732: attributetype ( 1.3.6.1.4.1.15953.9.1.5
733: NAME 'sudoOption'
734: DESC 'Options(s) followed by sudo'
735: EQUALITY caseExactIA5Match
736: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
737:
738: attributetype ( 1.3.6.1.4.1.15953.9.1.6
739: NAME 'sudoRunAsUser'
740: DESC 'User(s) impersonated by sudo'
741: EQUALITY caseExactIA5Match
742: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
743:
744: attributetype ( 1.3.6.1.4.1.15953.9.1.7
745: NAME 'sudoRunAsGroup'
746: DESC 'Group(s) impersonated by sudo'
747: EQUALITY caseExactIA5Match
748: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
749:
750: attributetype ( 1.3.6.1.4.1.15953.9.1.8
751: NAME 'sudoNotBefore'
752: DESC 'Start of time interval for which the entry is valid'
753: EQUALITY generalizedTimeMatch
754: ORDERING generalizedTimeOrderingMatch
755: SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
756:
757: attributetype ( 1.3.6.1.4.1.15953.9.1.9
758: NAME 'sudoNotAfter'
759: DESC 'End of time interval for which the entry is valid'
760: EQUALITY generalizedTimeMatch
761: ORDERING generalizedTimeOrderingMatch
762: SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
763:
764: attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
765: NAME 'sudoOrder'
766: DESC 'an integer to order the sudoRole entries'
767: EQUALITY integerMatch
768: ORDERING integerOrderingMatch
769: SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
770:
771: objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
772: DESC 'Sudoer Entries'
773: MUST ( cn )
774: MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
775: sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
776: sudoOrder $ description )
777: )
1.1 misho 778:
779: SSEEEE AALLSSOO
1.1.1.4 ! misho 780: ldap.conf(4), sudo.conf(4), sudoers(1m)
1.1 misho 781:
782: CCAAVVEEAATTSS
1.1.1.3 misho 783: Note that there are differences in the way that LDAP-based _s_u_d_o_e_r_s is
784: parsed compared to file-based _s_u_d_o_e_r_s. See the _D_i_f_f_e_r_e_n_c_e_s _b_e_t_w_e_e_n _L_D_A_P
785: _a_n_d _n_o_n_-_L_D_A_P _s_u_d_o_e_r_s section for more information.
1.1 misho 786:
787: BBUUGGSS
1.1.1.3 misho 788: If you feel you have found a bug in ssuuddoo, please submit a bug report at
789: http://www.sudo.ws/sudo/bugs/
1.1 misho 790:
791: SSUUPPPPOORRTT
1.1.1.3 misho 792: Limited free support is available via the sudo-users mailing list, see
793: http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
794: archives.
1.1 misho 795:
796: DDIISSCCLLAAIIMMEERR
1.1.1.3 misho 797: ssuuddoo is provided ``AS IS'' and any express or implied warranties,
798: including, but not limited to, the implied warranties of merchantability
799: and fitness for a particular purpose are disclaimed. See the LICENSE
800: file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
801: complete details.
1.1 misho 802:
1.1.1.4 ! misho 803: Sudo 1.8.7 April 25, 2013 Sudo 1.8.7
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>