File:  [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / doc / sudoers.ldap.cat
Revision 1.1.1.2 (vendor branch)
Tue May 29 12:26:49 2012 UTC (12 years, 1 month ago) by misho
Branches: sudo, MAIN
CVS tags: v1_8_5p1, HEAD
sudo 1.8.5p1

SUDOERS.LDAP(4)              MAINTENANCE COMMANDS              SUDOERS.LDAP(4)

NAME
       sudoers.ldap - sudo LDAP configuration

DESCRIPTION
       In addition to the standard sudoers file, sudo may be configured via
       LDAP.  This can be especially useful for synchronizing sudoers in a
       large, distributed environment.

       Using LDAP for sudoers has several benefits:

       o   sudo no longer needs to read sudoers in its entirety.  When LDAP is
           used, there are only two or three LDAP queries per invocation.
           This makes it especially fast and particularly usable in LDAP
           environments.

       o   sudo no longer exits if there is a typo in sudoers.  It is not
           possible to load LDAP data into the server that does not conform to
           the sudoers schema, so proper syntax is guaranteed.  It is still
           possible to have typos in a user or host name, but this will not
           prevent sudo from running.

       o   It is possible to specify per-entry options that override the
           global default options.  /etc/sudoers only supports default options
           and limited options associated with user/host/commands/aliases.
           The syntax is complicated and can be difficult for users to
           understand.  Placing the options directly in the entry is more
           natural.

       o   The visudo program is no longer needed.  visudo provides locking
           and syntax checking of the /etc/sudoers file.  Since LDAP updates
           are atomic, locking is no longer necessary.  Because syntax is
           checked when the data is inserted into LDAP, there is no need for a
           specialized tool to check syntax.

       Another major difference between LDAP and file-based sudoers is that in
       LDAP, sudo-specific Aliases are not supported.

       For the most part, there is really no need for sudo-specific Aliases.
       Unix groups or user netgroups can be used in place of User_Aliases and
       Runas_Aliases.  Host netgroups can be used in place of Host_Aliases.
       Since Unix groups and netgroups can also be stored in LDAP there is no
       real need for sudo-specific aliases.

       Cmnd_Aliases are not really required either since it is possible to
       have multiple users listed in a sudoRole.  Instead of defining a
       Cmnd_Alias that is referenced by multiple users, one can create a
       sudoRole that contains the commands and assign multiple users to it.

   SUDOers LDAP container
       The sudoers configuration is contained in the ou=SUDOers LDAP
       container.

       Sudo first looks for the cn=defaults entry in the SUDOers container.  If
       found, the multi-valued sudoOption attribute is parsed in the same
       manner as a global Defaults line in /etc/sudoers.  In the following
       example, the SSH_AUTH_SOCK variable will be preserved in the
       environment for all users.

           dn: cn=defaults,ou=SUDOers,dc=example,dc=com
           objectClass: top
           objectClass: sudoRole
           cn: defaults
           description: Default sudoOption's go here
           sudoOption: env_keep+=SSH_AUTH_SOCK

       The equivalent of a sudoer in LDAP is a sudoRole.  It consists of the
       following attributes:

       sudoUser
           A user name, user ID (prefixed with '#'), Unix group (prefixed with
           '%'), Unix group ID (prefixed with '%#'), or user netgroup
           (prefixed with '+').

       sudoHost
           A host name, IP address, IP network, or host netgroup (prefixed
           with a '+').  The special value ALL will match any host.

       sudoCommand
           A Unix command with optional command line arguments, potentially
           including globbing characters (aka wild cards).  The special value
           ALL will match any command.  If a command is prefixed with an
           exclamation point '!', the user will be prohibited from running
           that command.

       sudoOption
           Identical in function to the global options described above, but
           specific to the sudoRole in which it resides.

       sudoRunAsUser
           A user name or uid (prefixed with '#') that commands may be run as
           or a Unix group (prefixed with a '%') or user netgroup (prefixed
           with a '+') that contains a list of users that commands may be run
           as.  The special value ALL will match any user.

           The sudoRunAsUser attribute is only available in sudo versions
           1.7.0 and higher.  Older versions of sudo use the sudoRunAs
           attribute instead.

       sudoRunAsGroup
           A Unix group or gid (prefixed with '#') that commands may be run
           as.  The special value ALL will match any group.

           The sudoRunAsGroup attribute is only available in sudo versions
           1.7.0 and higher.

       sudoNotBefore
           A timestamp in the form yyyymmddHHMMSSZ that can be used to provide
           a start date/time for when the sudoRole will be valid.  If multiple
           sudoNotBefore entries are present, the earliest is used.  Note that
           timestamps must be in Coordinated Universal Time (UTC), not the
           local timezone.  The minute and seconds portions are optional, but
           some LDAP servers require that they be present (contrary to the
           RFC).

           The sudoNotBefore attribute is only available in sudo versions
           1.7.5 and higher and must be explicitly enabled via the
           SUDOERS_TIMED option in /etc/ldap.conf.

       sudoNotAfter
           A timestamp in the form yyyymmddHHMMSSZ that indicates an
           expiration date/time, after which the sudoRole will no longer be
           valid.  If multiple sudoNotAfter entries are present, the last one
           is used.  Note that timestamps must be in Coordinated Universal
           Time (UTC), not the local timezone.  The minute and seconds
           portions are optional, but some LDAP servers require that they be
           present (contrary to the RFC).

           The sudoNotAfter attribute is only available in sudo versions 1.7.5
           and higher and must be explicitly enabled via the SUDOERS_TIMED
           option in /etc/ldap.conf.

       sudoOrder
           The sudoRole entries retrieved from the LDAP directory have no
           inherent order.  The sudoOrder attribute is an integer (or floating
           point value for LDAP servers that support it) that is used to sort
           the matching entries.  This allows LDAP-based sudoers entries to
           more closely mimic the behaviour of the sudoers file, where the
           order of the entries influences the result.  If multiple entries
           match, the entry with the highest sudoOrder attribute is chosen.
           This corresponds to the "last match" behavior of the sudoers file.
           If the sudoOrder attribute is not present, a value of 0 is assumed.

           The sudoOrder attribute is only available in sudo versions 1.7.5
           and higher.

       Each attribute listed above should contain a single value, but there
       may be multiple instances of each attribute type.  A sudoRole must
       contain at least one sudoUser, sudoHost and sudoCommand.

       The following example allows users in group wheel to run any command on
       any host via sudo:

           dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
           objectClass: top
           objectClass: sudoRole
           cn: %wheel
           sudoUser: %wheel
           sudoHost: ALL
           sudoCommand: ALL

   Anatomy of LDAP sudoers lookup
       When looking up a sudoer using LDAP there are only two or three LDAP
       queries per invocation.  The first query is to parse the global
       options.  The second is to match against the user's name and the groups
       that the user belongs to.  (The special ALL tag is matched in this
       query too.)  If no match is returned for the user's name and groups, a
       third query returns all entries containing user netgroups and checks to
       see if the user belongs to any of them.

       If timed entries are enabled with the SUDOERS_TIMED configuration
       directive, the LDAP queries include a subfilter that limits retrieval
       to entries that satisfy the time constraints, if any.

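       The lookup sequence above, reconstructed as an added example (Python
       written for this page, not sudo's own ldap.c): it builds the three
       filters in the order they are issued, AND-s in SUDOERS_SEARCH_FILTER
       and the SUDOERS_TIMED subfilter when set, and escapes user and group
       names per RFC 4515 before they are placed in a filter.  The attribute
       names and query semantics are the manual's; the exact filter layout,
       the sample identity and the sample time are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample identity and time for the demonstration (not from the
# manual; the time is the revision date of this page).
SAMPLE_USER, SAMPLE_UID = "alice", 1000
SAMPLE_GROUPS = {"wheel": 10, "staff": 20}
SAMPLE_TIME = datetime(2012, 5, 29, 12, 26, 49, tzinfo=timezone.utc)


def ldap_filter_escape(value):
    """Escape the characters that are special inside an LDAP search filter
    (RFC 4515) so a user or group name cannot change the filter's shape."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def ldap_timestamp(when):
    """Render a datetime in the yyyymmddHHMMSSZ UTC form the schema uses."""
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def timed_subfilter(now):
    """SUDOERS_TIMED subfilter: keep entries with no validity window, or
    whose sudoNotBefore..sudoNotAfter window contains `now`.  The layout
    is an assumption; attributes and semantics are the manual's."""
    ts = ldap_timestamp(now)
    return ("(&(|(!(sudoNotAfter=*))(sudoNotAfter>=%s))"
            "(|(!(sudoNotBefore=*))(sudoNotBefore<=%s)))" % (ts, ts))


def defaults_filter():
    """Query 1: the cn=defaults entry carrying the global sudoOption values."""
    return "(cn=defaults)"


def user_filter(user, uid, groups):
    """Query 2: the user by name and uid, each group by name and gid, and
    the special ALL tag, OR-ed together."""
    terms = ["(sudoUser=%s)" % ldap_filter_escape(user),
             "(sudoUser=#%d)" % uid]
    for name, gid in sorted(groups.items()):
        terms.append("(sudoUser=%%%s)" % ldap_filter_escape(name))
        terms.append("(sudoUser=%%#%d)" % gid)
    terms.append("(sudoUser=ALL)")
    return "(|%s)" % "".join(terms)


def netgroup_filter():
    """Query 3: every entry that names a user netgroup; membership is then
    checked on the client, since the directory cannot expand netgroups."""
    return "(sudoUser=+*)"


def lookup_filters(user, uid, groups, search_filter=None, timed_at=None):
    """The three filters in the order they are issued, each AND-ed with
    SUDOERS_SEARCH_FILTER and the timed subfilter when those are set."""
    def wrap(base):
        parts = [base]
        if search_filter:
            parts.append(search_filter)
        if timed_at is not None:
            parts.append(timed_subfilter(timed_at))
        return base if len(parts) == 1 else "(&%s)" % "".join(parts)

    return [wrap(defaults_filter()),
            wrap(user_filter(user, uid, groups)),
            wrap(netgroup_filter())]


if __name__ == "__main__":
    for f in lookup_filters(SAMPLE_USER, SAMPLE_UID, SAMPLE_GROUPS,
                            search_filter="(objectClass=sudoRole)",
                            timed_at=SAMPLE_TIME):
        print(f)
```
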
   Differences between LDAP and non-LDAP sudoers
       There are some subtle differences in the way sudoers is handled once in
       LDAP.  Probably the biggest is that according to the RFC, LDAP ordering
       is arbitrary and you cannot expect that Attributes and Entries are
       returned in any specific order.

       The order in which different entries are applied can be controlled
       using the sudoOrder attribute, but there is no way to guarantee the
       order of attributes within a specific entry.  If there are conflicting
       command rules in an entry, the negative takes precedence.  This is
       called paranoid behavior (not necessarily the most specific match).

       Here is an example:

           # /etc/sudoers:
           # Allow all commands except shell
           johnny  ALL=(root) ALL,!/bin/sh
           # Always allows all commands because ALL is matched last
           puddles ALL=(root) !/bin/sh,ALL

           # LDAP equivalent of johnny
           # Allows all commands except shell
           dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
           objectClass: sudoRole
           objectClass: top
           cn: role1
           sudoUser: johnny
           sudoHost: ALL
           sudoCommand: ALL
           sudoCommand: !/bin/sh

           # LDAP equivalent of puddles
           # Notice that even though ALL comes last, it still behaves like
           # role1 since the LDAP code assumes the more paranoid configuration
           dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
           objectClass: sudoRole
           objectClass: top
           cn: role2
           sudoUser: puddles
           sudoHost: ALL
           sudoCommand: !/bin/sh
           sudoCommand: ALL

       Another difference is that negations on the Host, User or Runas are
       currently ignored.  For example, the following attributes do not behave
       the way one might expect.

           # does not match all but joe
           # rather, does not match anyone
           sudoUser: !joe

           # does not match all but joe
           # rather, matches everyone including joe
           sudoUser: ALL
           sudoUser: !joe

           # does not match all but web01
           # rather, matches all hosts including web01
           sudoHost: ALL
           sudoHost: !web01

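       The three rules above (a negated sudoCommand wins inside an entry,
       negations on sudoUser and sudoHost are ignored, and the entry with
       the highest sudoOrder decides) worked through as an added example,
       not sudo's code: a small evaluator over constructed LDIF that
       contains the johnny and puddles roles, the "!joe" case, and two
       roles for a group ops that differ only in sudoOrder.  The LDIF
       reader, the group names and the hosts are assumptions.

```python
import fnmatch

# Constructed LDIF: the manual's johnny and puddles roles plus the ignored
# "!joe" negation and two ops roles that exercise sudoOrder.
SAMPLE_LDIF = """\
dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
sudoUser: johnny
sudoHost: ALL
sudoCommand: ALL
sudoCommand: !/bin/sh

dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
sudoUser: puddles
sudoHost: ALL
sudoCommand: !/bin/sh
sudoCommand: ALL

dn: cn=notjoe,ou=Sudoers,dc=my-domain,dc=com
sudoUser: !joe
sudoHost: ALL
sudoCommand: /bin/ls

dn: cn=ops-any,ou=Sudoers,dc=my-domain,dc=com
sudoUser: %ops
sudoHost: ALL
sudoCommand: /usr/bin/systemctl *
sudoOrder: 10

dn: cn=ops-web01,ou=Sudoers,dc=my-domain,dc=com
sudoUser: %ops
sudoHost: web01
sudoCommand: !/usr/bin/systemctl *
sudoOrder: 20
"""

def parse_ldif(text):
    """Minimal LDIF reader: blank lines separate entries, repeated
    attributes collect into lists (no base64 values, no line folding)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def attr_matches(entry, attr, wanted):
    """True if a non-negated value of `attr` is ALL or in `wanted`.  A '!'
    value is skipped because the LDAP code ignores negations on sudoUser
    and sudoHost: "sudoUser: !joe" alone matches nobody, and "ALL" next to
    "!joe" matches everyone, joe included."""
    for value in entry.get(attr, []):
        if value.startswith("!"):
            continue
        if value == "ALL" or value in wanted:
            return True
    return False

def command_verdict(entry, command):
    """None if no sudoCommand matches; False as soon as a negated command
    matches (attribute order inside an entry is not guaranteed, so the
    paranoid rule lets a negation beat a permit); otherwise True."""
    allowed = None
    for value in entry.get("sudoCommand", []):
        negated = value.startswith("!")
        pattern = value[1:] if negated else value
        if pattern == "ALL" or fnmatch.fnmatchcase(command, pattern):
            if negated:
                return False
            allowed = True
    return allowed

def sudo_order(entry):
    # A missing sudoOrder counts as 0; float() also accepts fractional values.
    return float(entry.get("sudoOrder", ["0"])[0])

def evaluate(entries, user, groups, host, command):
    """Walk the matching entries in ascending sudoOrder so the one with the
    highest sudoOrder decides, like last match in the sudoers file."""
    # Only name, %group and ALL are modelled; #uid, %#gid and +netgroup are not.
    who = {user} | {"%" + g for g in groups}
    verdict = None
    for entry in sorted(entries, key=sudo_order):
        if (attr_matches(entry, "sudoUser", who)
                and attr_matches(entry, "sudoHost", {host})):
            result = command_verdict(entry, command)
            if result is not None:
                verdict = result
    return verdict

SAMPLE_ROLES = parse_ldif(SAMPLE_LDIF)
```
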
   Sudoers Schema
       In order to use sudo's LDAP support, the sudo schema must be installed
       on your LDAP server.  In addition, be sure to index the 'sudoUser'
       attribute.

       Three versions of the schema: one for OpenLDAP servers
       (schema.OpenLDAP), one for Netscape-derived servers (schema.iPlanet),
       and one for Microsoft Active Directory (schema.ActiveDirectory) may be
       found in the sudo distribution.

       The schema for sudo in OpenLDAP form is included in the EXAMPLES
       section.

   Configuring ldap.conf
       Sudo reads the /etc/ldap.conf file for LDAP-specific configuration.
       Typically, this file is shared amongst different LDAP-aware clients.
       As such, most of the settings are not sudo-specific.  Note that sudo
       parses /etc/ldap.conf itself and may support options that differ from
       those described in the ldap.conf(4) manual.

       Also note that on systems using the OpenLDAP libraries, default values
       specified in /etc/openldap/ldap.conf or the user's .ldaprc files are
       not used.

       Only those options explicitly listed in /etc/ldap.conf as being
       supported by sudo are honored.  Configuration options are listed below
       in upper case but are parsed in a case-independent manner.

       URI ldap[s]://[hostname[:port]] ...
           Specifies a whitespace-delimited list of one or more URIs
           describing the LDAP server(s) to connect to.  The protocol may be
           either ldap or ldaps, the latter being for servers that support TLS
           (SSL) encryption.  If no port is specified, the default is port 389
           for ldap:// or port 636 for ldaps://.  If no hostname is specified,
           sudo will connect to localhost.  Multiple URI lines are treated
           identically to a URI line containing multiple entries.  Only
           systems using the OpenSSL libraries support the mixing of ldap://
           and ldaps:// URIs.  The Netscape-derived libraries used on most
           commercial versions of Unix are only capable of supporting one or
           the other.

       HOST name[:port] ...
           If no URI is specified, the HOST parameter specifies a whitespace-
           delimited list of LDAP servers to connect to.  Each host may
           include an optional port separated by a colon (':').  The HOST
           parameter is deprecated in favor of the URI specification and is
           included for backwards compatibility.

       PORT port_number
           If no URI is specified, the PORT parameter specifies the default
           port to connect to on the LDAP server if a HOST parameter does not
           specify the port itself.  If no PORT parameter is used, the default
           is port 389 for LDAP and port 636 for LDAP over TLS (SSL).  The
           PORT parameter is deprecated in favor of the URI specification and
           is included for backwards compatibility.

       BIND_TIMELIMIT seconds
           The BIND_TIMELIMIT parameter specifies the amount of time, in
           seconds, to wait while trying to connect to an LDAP server.  If
           multiple URIs or HOSTs are specified, this is the amount of time to
           wait before trying the next one in the list.

       NETWORK_TIMEOUT seconds
           An alias for BIND_TIMELIMIT for OpenLDAP compatibility.

       TIMELIMIT seconds
           The TIMELIMIT parameter specifies the amount of time, in seconds,
           to wait for a response to an LDAP query.

       TIMEOUT seconds
           The TIMEOUT parameter specifies the amount of time, in seconds, to
           wait for a response from the various LDAP APIs.

       SUDOERS_BASE base
           The base DN to use when performing sudo LDAP queries.  Typically
           this is of the form ou=SUDOers,dc=example,dc=com for the domain
           example.com.  Multiple SUDOERS_BASE lines may be specified, in
           which case they are queried in the order specified.

       SUDOERS_SEARCH_FILTER ldap_filter
           An LDAP filter which is used to restrict the set of records
           returned when performing a sudo LDAP query.  Typically, this is of
           the form attribute=value or
           (&(attribute=value)(attribute2=value2)).

       SUDOERS_TIMED on/true/yes/off/false/no
           Whether or not to evaluate the sudoNotBefore and sudoNotAfter
           attributes that implement time-dependent sudoers entries.

       SUDOERS_DEBUG debug_level
           This sets the debug level for sudo LDAP queries.  Debugging
           information is printed to the standard error.  A value of 1 results
           in a moderate amount of debugging information.  A value of 2 shows
           the results of the matches themselves.  This parameter should not
           be set in a production environment as the extra information is
           likely to confuse users.

       BINDDN DN
           The BINDDN parameter specifies the identity, in the form of a
           Distinguished Name (DN), to use when performing LDAP operations.
           If not specified, LDAP operations are performed with an anonymous
           identity.  By default, most LDAP servers will allow anonymous
           access.

       BINDPW secret
           The BINDPW parameter specifies the password to use when performing
           LDAP operations.  This is typically used in conjunction with the
           BINDDN parameter.

       ROOTBINDDN DN
           The ROOTBINDDN parameter specifies the identity, in the form of a
           Distinguished Name (DN), to use when performing privileged LDAP
           operations, such as sudoers queries.  The password corresponding to
           the identity should be stored in /etc/ldap.secret.  If not
           specified, the BINDDN identity is used (if any).

       LDAP_VERSION number
           The version of the LDAP protocol to use when connecting to the
           server.  The default value is protocol version 3.

       SSL on/true/yes/off/false/no
           If the SSL parameter is set to on, true or yes, TLS (SSL)
           encryption is always used when communicating with the LDAP server.
           Typically, this involves connecting to the server on port 636
           (ldaps).

       SSL start_tls
           If the SSL parameter is set to start_tls, the LDAP server
           connection is initiated normally and TLS encryption is begun before
           the bind credentials are sent.  This has the advantage of not
           requiring a dedicated port for encrypted communications.  This
           parameter is only supported by LDAP servers that honor the
           start_tls extension, such as the OpenLDAP server.

       TLS_CHECKPEER on/true/yes/off/false/no
           If enabled, TLS_CHECKPEER will cause the LDAP server's TLS
           certificate to be verified.  If the server's TLS certificate
           cannot be verified (usually because it is signed by an unknown
           certificate authority), sudo will be unable to connect to it.  If
           TLS_CHECKPEER is disabled, no check is made.  Note that disabling
           the check creates an opportunity for man-in-the-middle attacks
           since the server's identity will not be authenticated.  If
           possible, the CA's certificate should be installed locally so it
           can be verified.

       TLS_CACERT file name
           An alias for TLS_CACERTFILE for OpenLDAP compatibility.

       TLS_CACERTFILE file name
           The path to a certificate authority bundle which contains the
           certificates for all the Certificate Authorities the client knows
           to be valid, e.g. /etc/ssl/ca-bundle.pem.  This option is only
           supported by the OpenLDAP libraries.  Netscape-derived LDAP
           libraries use the same certificate database for CA and client
           certificates (see TLS_CERT).

       TLS_CACERTDIR directory
           Similar to TLS_CACERTFILE but instead of a file, it is a directory
           containing individual Certificate Authority certificates, e.g.
           /etc/ssl/certs.  The directory specified by TLS_CACERTDIR is
           checked after TLS_CACERTFILE.  This option is only supported by the
           OpenLDAP libraries.

       TLS_CERT file name
           The path to a file containing the client certificate which can be
           used to authenticate the client to the LDAP server.  The
           certificate type depends on the LDAP libraries used.

           OpenLDAP:
               tls_cert /etc/ssl/client_cert.pem

           Netscape-derived:
               tls_cert /var/ldap/cert7.db

           When using Netscape-derived libraries, this file may also contain
           Certificate Authority certificates.

       TLS_KEY file name
           The path to a file containing the private key which matches the
           certificate specified by TLS_CERT.  The private key must not be
           password-protected.  The key type depends on the LDAP libraries
           used.

           OpenLDAP:
               tls_key /etc/ssl/client_key.pem

           Netscape-derived:
               tls_key /var/ldap/key3.db

       TLS_RANDFILE file name
           The TLS_RANDFILE parameter specifies the path to an entropy source
           for systems that lack a random device.  It is generally used in
           conjunction with prngd or egd.  This option is only supported by
           the OpenLDAP libraries.

       TLS_CIPHERS cipher list
           The TLS_CIPHERS parameter allows the administrator to restrict
           which encryption algorithms may be used for TLS (SSL) connections.
           See the OpenSSL manual for a list of valid ciphers.  This option is
           only supported by the OpenLDAP libraries.

       USE_SASL on/true/yes/off/false/no
           Enable USE_SASL for LDAP servers that support SASL authentication.

       SASL_AUTH_ID identity
           The SASL user name to use when connecting to the LDAP server.  By
           default, sudo will use an anonymous connection.

       ROOTUSE_SASL on/true/yes/off/false/no
           Enable ROOTUSE_SASL to enable SASL authentication when connecting
           to an LDAP server from a privileged process, such as sudo.

       ROOTSASL_AUTH_ID identity
           The SASL user name to use when ROOTUSE_SASL is enabled.

       SASL_SECPROPS none/properties
           SASL security properties or none for no properties.  See the SASL
           programmer's manual for details.

       KRB5_CCNAME file name
           The path to the Kerberos 5 credential cache to use when
           authenticating with the remote server.

       DEREF never/searching/finding/always
           How alias dereferencing is to be performed when searching.  See the
           ldap.conf(4) manual for a full description of this option.

       See the ldap.conf entry in the EXAMPLES section.

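       An added check, not part of sudo, that reads an ldap.conf in the
       layout described above (keys case-independent, '#' comments, repeated
       URI and SUDOERS_BASE lines) and reports the settings this section
       warns about: a plain ldap:// URI without SSL or start_tls, TLS_CHECKPEER
       turned off, TLS_CHECKPEER on with no CA file or directory, a BINDPW in
       the shared file, SUDOERS_DEBUG left on, and a missing SUDOERS_BASE.
       The weak and corrected sample configurations and the DN in them are
       constructed for the example.

```python
import stat

# Constructed samples (not from the manual): the first follows the manual's
# example layout with the insecure variants switched on, the second is the
# corrected counterpart.
WEAK_LDAP_CONF = """\
uri            ldap://ldapserver
sudoers_base   ou=SUDOers,dc=example,dc=com
binddn         cn=sudo-proxy,ou=services,dc=example,dc=com
bindpw         example-secret
tls_checkpeer  no   # ignore server SSL certificate
sudoers_debug  2
"""

HARDENED_LDAP_CONF = """\
uri            ldaps://ldapserver
sudoers_base   ou=SUDOers,dc=example,dc=com
rootbinddn     cn=sudo-proxy,ou=services,dc=example,dc=com
ssl            on
tls_checkpeer  yes
tls_cacertfile /etc/ssl/ca-bundle.pem
"""

TRUE_VALUES = {"on", "true", "yes"}
FALSE_VALUES = {"off", "false", "no"}


def parse_ldap_conf(text):
    """Keys are case-independent (sudo parses them that way); repeated keys
    such as uri and sudoers_base accumulate; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), []).append(value)
    return conf


def last(conf, key, default=""):
    """The last occurrence of a single-valued key, lower-cased."""
    return conf.get(key, [default])[-1].lower()


def audit(conf):
    """Return (code, message) findings for the settings the manual flags."""
    findings = []
    uris = " ".join(conf.get("uri", [])).split()
    ssl = last(conf, "ssl")
    encrypted = ssl in TRUE_VALUES or ssl == "start_tls"
    if any(u.startswith("ldap://") for u in uris) and not encrypted:
        findings.append(("plaintext-uri", "ldap:// without ssl on or "
                         "start_tls sends the bind password and sudoers "
                         "data unencrypted"))
    checkpeer = last(conf, "tls_checkpeer")
    if checkpeer in FALSE_VALUES:
        findings.append(("tls-checkpeer-off", "server certificate is not "
                         "verified, so the server's identity is not "
                         "authenticated (man-in-the-middle)"))
    has_ca = "tls_cacertfile" in conf or "tls_cacertdir" in conf
    if checkpeer in TRUE_VALUES and not has_ca:
        findings.append(("checkpeer-without-ca", "tls_checkpeer is on but "
                         "no tls_cacertfile or tls_cacertdir is set, so "
                         "verification cannot succeed"))
    if "bindpw" in conf:
        findings.append(("bindpw-in-conf", "password kept in the shared "
                         "ldap.conf; prefer rootbinddn with the password "
                         "in /etc/ldap.secret"))
    if last(conf, "sudoers_debug", "0") not in ("", "0"):
        findings.append(("debug-enabled", "sudoers_debug prints match "
                         "details to users' stderr; not for production"))
    if "sudoers_base" not in conf:
        findings.append(("no-sudoers-base", "sudoers_base is not set, so "
                         "sudo ignores LDAP entirely"))
    return findings


def key_file_mode_ok(mode):
    """The tls_key file must be readable by root only: no group or other
    permission bits (mode is an os.stat().st_mode value)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0
```
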
   Configuring nsswitch.conf
       Unless it is disabled at build time, sudo consults the Name Service
       Switch file, /etc/nsswitch.conf, to specify the sudoers search order.
       Sudo looks for a line beginning with sudoers: and uses this to
       determine the search order.  Note that sudo does not stop searching
       after the first match and later matches take precedence over earlier
       ones.

       The following sources are recognized:

           files       read sudoers from /etc/sudoers
           ldap        read sudoers from LDAP

       In addition, the entry [NOTFOUND=return] will short-circuit the search
       if the user was not found in the preceding source.

       To consult LDAP first followed by the local sudoers file (if it
       exists), use:

           sudoers: ldap files

       The local sudoers file can be ignored completely by using:

           sudoers: ldap

       If the /etc/nsswitch.conf file is not present or there is no sudoers
       line, the following default is assumed:

           sudoers: files

       Note that /etc/nsswitch.conf is supported even when the underlying
       operating system does not use an nsswitch.conf file.

   Configuring netsvc.conf
       On AIX systems, the /etc/netsvc.conf file is consulted instead of
       /etc/nsswitch.conf.  sudo simply treats netsvc.conf as a variant of
       nsswitch.conf; information in the previous section unrelated to the
       file format itself still applies.

       To consult LDAP first followed by the local sudoers file (if it
       exists), use:

           sudoers = ldap, files

       The local sudoers file can be ignored completely by using:

           sudoers = ldap

       To treat LDAP as authoritative and only use the local sudoers file if
       the user is not present in LDAP, use:

           sudoers = ldap = auth, files

       Note that in the above example, the auth qualifier only affects user
       lookups; both LDAP and sudoers will be queried for Defaults entries.

       If the /etc/netsvc.conf file is not present or there is no sudoers
       line, the following default is assumed:

           sudoers = files

FILES
       /etc/ldap.conf          LDAP configuration file

       /etc/nsswitch.conf      determines sudoers source order

       /etc/netsvc.conf        determines sudoers source order on AIX

EXAMPLES
   Example ldap.conf
         # Either specify one or more URIs or one or more host:port pairs.
         # If neither is specified sudo will default to localhost, port 389.
         #
         #host          ldapserver
         #host          ldapserver1 ldapserver2:390
         #
         # Default port if host is specified without one, defaults to 389.
         #port          389
         #
         # URI will override the host and port settings.
         uri            ldap://ldapserver
         #uri            ldaps://secureldapserver
         #uri            ldaps://secureldapserver ldap://ldapserver
         #
         # The amount of time, in seconds, to wait while trying to connect to
         # an LDAP server.
         bind_timelimit 30
         #
         # The amount of time, in seconds, to wait while performing an LDAP query.
         timelimit 30
         #
         # Must be set or sudo will ignore LDAP; may be specified multiple times.
         sudoers_base   ou=SUDOers,dc=example,dc=com
         #
         # verbose sudoers matching from ldap
         #sudoers_debug 2
         #
         # Enable support for time-based entries in sudoers.
         #sudoers_timed yes
         #
         # optional proxy credentials
         #binddn        <who to search as>
         #bindpw        <password>
         #rootbinddn    <who to search as, uses /etc/ldap.secret for bindpw>
         #
         # LDAP protocol version, defaults to 3
         #ldap_version 3
         #
         # Define if you want to use an encrypted LDAP connection.
         # Typically, you must also set the port to 636 (ldaps).
         #ssl on
         #
         # Define if you want to use port 389 and switch to
         # encryption before the bind credentials are sent.
         # Only supported by LDAP servers that support the start_tls
         # extension such as OpenLDAP.
         #ssl start_tls
         #
         # Additional TLS options follow that allow tweaking of the
         # SSL/TLS connection.
         #
         #tls_checkpeer yes # verify server SSL certificate
         #tls_checkpeer no  # ignore server SSL certificate
         #
         # If you enable tls_checkpeer, specify either tls_cacertfile
         # or tls_cacertdir.  Only supported when using OpenLDAP.
         #
         #tls_cacertfile /etc/certs/trusted_signers.pem
         #tls_cacertdir  /etc/certs
         #
         # For systems that don't have /dev/random
         # use this along with PRNGD or EGD.pl to seed the
         # random number pool to generate cryptographic session keys.
         # Only supported when using OpenLDAP.
         #
         #tls_randfile /etc/egd-pool
         #
         # You may restrict which ciphers are used.  Consult your SSL
         # documentation for which options go here.
         # Only supported when using OpenLDAP.
         #
         #tls_ciphers <cipher-list>
         #
         # Sudo can provide a client certificate when communicating to
         # the LDAP server.
         # Tips:
         #   * Enable both lines at the same time.
         #   * Do not password protect the key file.
         #   * Ensure the keyfile is only readable by root.
         #
         # For OpenLDAP:
         #tls_cert /etc/certs/client_cert.pem
         #tls_key  /etc/certs/client_key.pem
         #
         # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
         # a directory, in which case the files in the directory must have the
         # default names (e.g. cert8.db and key4.db), or the path to the cert
  625:          # and key files themselves.  However, a bug in version 5.0 of the LDAP
  626:          # SDK will prevent specific file names from working.  For this reason
  627:          # it is suggested that tls_cert and tls_key be set to a directory,
  628:          # not a file name.
  629:          #
  630:          # The certificate database specified by tls_cert may contain CA certs
  631:          # and/or the client's cert.  If the client's cert is included, tls_key
  632:          # should be specified as well.
  633:          # For backward compatibility, "sslpath" may be used in place of tls_cert.
  634:          #tls_cert /var/ldap
  635:          #tls_key /var/ldap
  636:          #
  637:          # If using SASL authentication for LDAP (OpenSSL)
  638:          # use_sasl yes
  639:          # sasl_auth_id <SASL user name>
  640:          # rootuse_sasl yes
  641:          # rootsasl_auth_id <SASL user name for root access>
  642:          # sasl_secprops none
  643:          # krb5_ccname /etc/.ldapcache
  644: 
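       The sample above mixes encrypted and plaintext URIs and documents
       tls_checkpeer, the CA settings and rootbinddn.  The following Python
       script is an added example, not code from sudo or from this manual:
       it parses an ldap.conf in the format shown (one keyword and value per
       line, '#' comments, case-insensitive keywords) and reports the
       settings that leave the sudoers lookup unprotected.  The two
       configurations embedded in it are constructed, and the rules it
       applies are taken from the comments in the sample rather than from
       sudo's own parser.

```python
"""Lint a sudo ldap.conf for the settings documented in the sample above.

Added example, not code from sudo or this manual page.  Assumptions: one
"keyword value" per line, '#' introduces a comment, keywords are
case-insensitive, and a repeated keyword other than sudoers_base replaces
the earlier value.  The checks restate the sample's own comments:
sudoers_base is mandatory, tls_checkpeer needs tls_cacertfile or
tls_cacertdir, and rootbinddn keeps the password in /etc/ldap.secret.
"""
import re

# Constructed sample: the manual's example with a proxy password added and
# server certificate checking turned off.
WEAK_CONF = """\
uri            ldap://ldapserver
bind_timelimit 30
timelimit 30
sudoers_base   ou=SUDOers,dc=example,dc=com
binddn         cn=sudo-proxy,dc=example,dc=com
bindpw         constructed-secret
ssl start_tls
tls_checkpeer no  # ignore server SSL certificate
"""

# Constructed sample: encrypted transport, verified server certificate,
# password kept out of ldap.conf via rootbinddn.
HARDENED_CONF = """\
uri            ldaps://secureldapserver
sudoers_base   ou=SUDOers,dc=example,dc=com
ssl on
tls_checkpeer yes
tls_cacertfile /etc/certs/trusted_signers.pem
rootbinddn     cn=sudo-proxy,dc=example,dc=com
"""


def parse_ldap_conf(text):
    """Return {keyword: value}; sudoers_base maps to a list of bases."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # A trailing comment starts at whitespace followed by '#', as in
        # "tls_checkpeer yes # verify server SSL certificate".
        line = re.split(r"\s+#", line, maxsplit=1)[0].rstrip()
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "sudoers_base":
            conf.setdefault(key, []).append(value)
        else:
            conf[key] = value
    return conf


def lint_ldap_conf(text):
    """Return a list of (code, message) findings; empty means nothing found."""
    conf = parse_ldap_conf(text)
    findings = []

    if not conf.get("sudoers_base"):
        findings.append(("NO_BASE", "sudoers_base not set; sudo will ignore LDAP"))

    ssl = conf.get("ssl", "").lower()
    uris = conf.get("uri", "").split()
    all_ldaps = bool(uris) and all(u.startswith("ldaps://") for u in uris)
    # "ssl on" and "ssl start_tls" are the two forms the sample shows.
    encrypted = ssl in ("on", "start_tls") or all_ldaps
    if not encrypted:
        findings.append(("PLAINTEXT", "no ssl/start_tls and no ldaps:// URI; "
                         "bind credentials and sudoers data travel in the clear"))

    checkpeer = conf.get("tls_checkpeer", "").lower()
    if encrypted and checkpeer != "yes":
        findings.append(("NO_CHECKPEER", "tls_checkpeer is not 'yes'; the server "
                         "certificate may go unverified"))
    if checkpeer == "yes" and not (conf.get("tls_cacertfile") or conf.get("tls_cacertdir")):
        findings.append(("NO_CA", "tls_checkpeer yes needs tls_cacertfile or tls_cacertdir"))

    if "bindpw" in conf:
        findings.append(("BINDPW_IN_CONF", "bindpw stored in ldap.conf; rootbinddn "
                         "reads the password from /etc/ldap.secret instead"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, lint_ldap_conf(text))
```

       Run against a real /etc/ldap.conf the script only reads the keywords
       the sample documents; keywords it does not know are parsed but not
       judged.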
   SSuuddoo sscchheemmaa ffoorr OOppeennLLDDAAPP
       The following schema, in OpenLDAP format, is included with ssuuddoo source
       and binary distributions as _s_c_h_e_m_a_._O_p_e_n_L_D_A_P.  Simply copy it to the
       schema directory (e.g. _/_e_t_c_/_o_p_e_n_l_d_a_p_/_s_c_h_e_m_a), add the proper include
       line in slapd.conf and restart ssllaappdd.

        attributetype ( 1.3.6.1.4.1.15953.9.1.1
           NAME 'sudoUser'
           DESC 'User(s) who may  run sudo'
           EQUALITY caseExactIA5Match
           SUBSTR caseExactIA5SubstringsMatch
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

        attributetype ( 1.3.6.1.4.1.15953.9.1.2
           NAME 'sudoHost'
           DESC 'Host(s) who may run sudo'
           EQUALITY caseExactIA5Match
           SUBSTR caseExactIA5SubstringsMatch
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

        attributetype ( 1.3.6.1.4.1.15953.9.1.3
           NAME 'sudoCommand'
           DESC 'Command(s) to be executed by sudo'
           EQUALITY caseExactIA5Match
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

        attributetype ( 1.3.6.1.4.1.15953.9.1.4
           NAME 'sudoRunAs'
           DESC 'User(s) impersonated by sudo'
           EQUALITY caseExactIA5Match
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

        attributetype ( 1.3.6.1.4.1.15953.9.1.5
           NAME 'sudoOption'
           DESC 'Options(s) followed by sudo'
           EQUALITY caseExactIA5Match
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

        attributetype ( 1.3.6.1.4.1.15953.9.1.6
           NAME 'sudoRunAsUser'
           DESC 'User(s) impersonated by sudo'
           EQUALITY caseExactIA5Match
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

        attributetype ( 1.3.6.1.4.1.15953.9.1.7
           NAME 'sudoRunAsGroup'
           DESC 'Group(s) impersonated by sudo'
           EQUALITY caseExactIA5Match
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

        attributetype ( 1.3.6.1.4.1.15953.9.1.8
           NAME 'sudoNotBefore'
           DESC 'Start of time interval for which the entry is valid'
           EQUALITY generalizedTimeMatch
           ORDERING generalizedTimeOrderingMatch
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

        attributetype ( 1.3.6.1.4.1.15953.9.1.9
           NAME 'sudoNotAfter'
           DESC 'End of time interval for which the entry is valid'
           EQUALITY generalizedTimeMatch
           ORDERING generalizedTimeOrderingMatch
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

        attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
            NAME 'sudoOrder'
            DESC 'an integer to order the sudoRole entries'
            EQUALITY integerMatch
            ORDERING integerOrderingMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

        objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
           DESC 'Sudoer Entries'
           MUST ( cn )
           MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
                 sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
                 sudoOrder $ description )
           )

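       The objectclass above fixes what a sudoRole entry may contain.  The
       following Python script is an added example, not code from sudo or
       from this manual: it parses a constructed LDIF entry, checks it
       against the MUST and MAY lists of the schema and the syntaxes of
       sudoNotBefore and sudoNotAfter (GeneralizedTime, accepted here only in
       the YYYYMMDDHHMMSS[.fff]Z form) and sudoOrder (INTEGER), and reports
       whether the entry is inside its time window, which ssuuddoo only honours
       when sudoers_timed is enabled in ldap.conf.  Treating the window as
       inclusive of sudoNotAfter is this example's own choice.

```python
"""Validate a sudoRole LDIF entry against the schema above and evaluate
its sudoNotBefore/sudoNotAfter window.

Added example, not code from sudo.  The MUST/MAY lists and attribute
syntaxes are copied from the schema in the manual.  Assumptions: the LDIF
entry is constructed; GeneralizedTime is accepted only as
YYYYMMDDHHMMSS[.fff]Z; base64 ("::") LDIF values are not handled; and an
entry counts as valid from sudoNotBefore up to and including sudoNotAfter.
"""
from datetime import datetime, timezone
import re

MUST = {"cn"}
MAY = {"sudouser", "sudohost", "sudocommand", "sudorunas", "sudorunasuser",
       "sudorunasgroup", "sudooption", "sudonotbefore", "sudonotafter",
       "sudoorder", "description"}
ALWAYS = {"dn", "objectclass"}          # present on every entry

GENTIME = re.compile(r"^(\d{14})(?:\.\d+)?Z$")

# Constructed sample entry under the manual's sudoers_base.
SAMPLE_LDIF = """\
dn: cn=backup-ops,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: backup-ops
sudoUser: %backup
sudoHost: backuphost
sudoRunAsUser: root
sudoCommand: /usr/local/bin/run-backup
sudoOption: env_reset
sudoNotBefore: 20120301000000Z
sudoNotAfter: 20120331235959Z
sudoOrder: 10
description: constructed example entry
"""


def parse_ldif(text):
    """Parse one LDIF entry into {attr.lower(): [values]}, joining folded lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]        # LDIF continuation line
        else:
            lines.append(raw)
    entry = {}
    for line in lines:
        if not line or line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def parse_gentime(value):
    """Convert a GeneralizedTime in Z form to an aware UTC datetime."""
    m = GENTIME.match(value)
    if not m:
        raise ValueError("not a GeneralizedTime in Z form: %r" % value)
    return datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def validate_sudo_role(entry):
    """Return a list of schema problems; an empty list means the entry conforms."""
    problems = []
    if "sudorole" not in {v.lower() for v in entry.get("objectclass", [])}:
        problems.append("objectClass sudoRole missing")
    for attr in sorted(MUST):
        if attr not in entry:
            problems.append("MUST attribute %s missing" % attr)
    for attr in entry:
        if attr not in MUST | MAY | ALWAYS:
            problems.append("attribute %s not allowed by sudoRole" % attr)
    for attr in ("sudonotbefore", "sudonotafter"):
        for value in entry.get(attr, []):
            try:
                parse_gentime(value)
            except ValueError as exc:
                problems.append("%s: %s" % (attr, exc))
    for value in entry.get("sudoorder", []):
        if not re.match(r"^-?\d+$", value):
            problems.append("sudoOrder %r is not an integer" % value)
    return problems


def is_active(entry, now):
    """True when now lies inside the entry's window (open-ended if unset)."""
    for value in entry.get("sudonotbefore", []):
        if now < parse_gentime(value):
            return False
    for value in entry.get("sudonotafter", []):
        if now > parse_gentime(value):
            return False
    return True


if __name__ == "__main__":
    role = parse_ldif(SAMPLE_LDIF)
    print(validate_sudo_role(role), is_active(role, datetime.now(timezone.utc)))
```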
SSEEEE AALLSSOO
       _l_d_a_p_._c_o_n_f(4), _s_u_d_o_e_r_s(4)

CCAAVVEEAATTSS
       Note that there are differences in the way that LDAP-based _s_u_d_o_e_r_s is
       parsed compared to file-based _s_u_d_o_e_r_s.  See the "Differences between
       LDAP and non-LDAP sudoers" section for more information.

BBUUGGSS
       If you feel you have found a bug in ssuuddoo, please submit a bug report at
       http://www.sudo.ws/sudo/bugs/

SSUUPPPPOORRTT
       Limited free support is available via the sudo-users mailing list, see
       http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
       the archives.

DDIISSCCLLAAIIMMEERR
       ssuuddoo is provided ``AS IS'' and any express or implied warranties,
       including, but not limited to, the implied warranties of
       merchantability and fitness for a particular purpose are disclaimed.
       See the LICENSE file distributed with ssuuddoo or
       http://www.sudo.ws/sudo/license.html for complete details.



1.8.5                           March 14, 2012                 SUDOERS.LDAP(4)