version 1.1.1.3, 2012/10/09 09:29:52
|
version 1.1.1.6, 2014/06/15 16:12:54
|
Line 1
|
Line 1
|
.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER! |
.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER! |
.\" IT IS GENERATED AUTOMATICALLY FROM sudoers.ldap.mdoc.in |
.\" IT IS GENERATED AUTOMATICALLY FROM sudoers.ldap.mdoc.in |
.\" |
.\" |
.\" Copyright (c) 2003-2012 Todd C. Miller <Todd.Miller@courtesan.com> | .\" Copyright (c) 2003-2014 Todd C. Miller <Todd.Miller@courtesan.com> |
.\" |
.\" |
.\" Permission to use, copy, modify, and distribute this software for any |
.\" Permission to use, copy, modify, and distribute this software for any |
.\" purpose with or without fee is hereby granted, provided that the above |
.\" purpose with or without fee is hereby granted, provided that the above |
Line 16
|
Line 16
|
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
.\" |
.\" |
.TH "SUDOERS.LDAP" "8" "July 12, 2012" "Sudo @PACKAGE_VERSION@" "OpenBSD System Manager's Manual" | .TH "SUDOERS.LDAP" "8" "February 7, 2014" "Sudo @PACKAGE_VERSION@" "OpenBSD System Manager's Manual" |
.nh |
.nh |
.if n .ad l |
.if n .ad l |
.SH "NAME" |
.SH "NAME" |
Line 86 Aliases are not supported.
|
Line 86 Aliases are not supported.
|
For the most part, there is really no need for |
For the most part, there is really no need for |
\fBsudo\fR-specific |
\fBsudo\fR-specific |
Aliases. |
Aliases. |
Unix groups or user netgroups can be used in place of User_Aliases and | Unix groups, non-Unix groups (via the |
Runas_Aliases. | \fIgroup_plugin\fR) |
| or user netgroups can be used in place of User_Aliases and Runas_Aliases. |
Host netgroups can be used in place of Host_Aliases. |
Host netgroups can be used in place of Host_Aliases. |
Since Unix groups and netgroups can also be stored in LDAP there is no | Since groups and netgroups can also be stored in LDAP there is no real need for |
real need for | |
\fBsudo\fR-specific |
\fBsudo\fR-specific |
aliases. |
aliases. |
.PP |
.PP |
Line 138 It consists of the following attributes:
|
Line 138 It consists of the following attributes:
|
.TP 6n |
.TP 6n |
\fBsudoUser\fR |
\fBsudoUser\fR |
A user name, user ID (prefixed with |
A user name, user ID (prefixed with |
`#'), | \(oq#\(cq), |
Unix group (prefixed with | Unix group name or ID (prefixed with |
`%'), | \(oq%\(cq |
Unix group ID (prefixed with | or |
`%#'), | \(oq%#\(cq |
or user netgroup (prefixed with | respectively), user netgroup (prefixed with |
`+'). | \(oq+\(cq), |
| or non-Unix group name or ID (prefixed with |
| \(oq%:\(cq |
| or |
| \(oq%:#\(cq |
| respectively). |
| Non-Unix group support is only available when an appropriate |
| \fIgroup_plugin\fR |
| is defined in the global |
| \fIdefaults\fR |
| \fRsudoRole\fR |
| object. |
.TP 6n |
.TP 6n |
\fBsudoHost\fR |
\fBsudoHost\fR |
A host name, IP address, IP network, or host netgroup (prefixed with a |
A host name, IP address, IP network, or host netgroup (prefixed with a |
`+'). | \(oq+\(cq). |
The special value |
The special value |
\fRALL\fR |
\fRALL\fR |
will match any host. |
will match any host. |
.TP 6n |
.TP 6n |
\fBsudoCommand\fR |
\fBsudoCommand\fR |
A Unix command with optional command line arguments, potentially | A fully-qualified Unix command name with optional command line arguments, |
including globbing characters (aka wild cards). | potentially including globbing characters (aka wild cards). |
| If a command name is preceded by an exclamation point, |
| \(oq\&!\(cq, |
| the user will be prohibited from running that command. |
| .sp |
| The built-in command |
| \(lq\fRsudoedit\fR\(rq |
| is used to permit a user to run |
| \fBsudo\fR |
| with the |
| \fB\-e\fR |
| option (or as |
| \fBsudoedit\fR). |
| It may take command line arguments just as a normal command does. |
| Note that |
| \(lq\fRsudoedit\fR\(rq |
| is a command built into |
| \fBsudo\fR |
| itself and must be specified in without a leading path. |
| .sp |
The special value |
The special value |
\fRALL\fR |
\fRALL\fR |
will match any command. |
will match any command. |
If a command is prefixed with an exclamation point | .sp |
`\&!', | If a command name is prefixed with a SHA-2 digest, it will |
the user will be prohibited from running that command. | only be allowed if the digest matches. |
| This may be useful in situations where the user invoking |
| \fBsudo\fR |
| has write access to the command or its parent directory. |
| The following digest formats are supported: sha224, sha256, sha384 and sha512. |
| The digest name must be followed by a colon |
| (\(oq:\&\(cq) |
| and then the actual digest, in either hex or base64 format. |
| For example, given the following value for sudoCommand: |
| .nf |
| .sp |
| .RS 10n |
| sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ /bin/ls |
| .RE |
| .fi |
| .RS 6n |
| .sp |
| The user may only run |
| \fI/bin/ls\fR |
| if its sha224 digest matches the specified value. |
| Command digests are only supported by version 1.8.7 or higher. |
| .RE |
.TP 6n |
.TP 6n |
\fBsudoOption\fR |
\fBsudoOption\fR |
Identical in function to the global options described above, but |
Identical in function to the global options described above, but |
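Review bot: the new sudoedit paragraph reads "must be specified in without a leading path"; drop the stray "in" so it reads "must be specified without a leading path". In the digest paragraph the text says the digest may be given "in either hex or base64 format", but the only example uses base64; adding a second line with the same command and a hex-encoded digest would make both accepted spellings unambiguous. Minor markup point in the same hunk: "\fRsudoRole\fR" in the non-Unix group sentence uses roman where every other attribute and object name in this list is bold (\fBsudoUser\fR, \fBsudoHost\fR), so it should be \fBsudoRole\fR.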
Line 171 in which it resides.
|
Line 222 in which it resides.
|
.TP 6n |
.TP 6n |
\fBsudoRunAsUser\fR |
\fBsudoRunAsUser\fR |
A user name or uid (prefixed with |
A user name or uid (prefixed with |
`#') | \(oq#\(cq) |
that commands may be run as or a Unix group (prefixed with a |
that commands may be run as or a Unix group (prefixed with a |
`%') | \(oq%\(cq) |
or user netgroup (prefixed with a |
or user netgroup (prefixed with a |
`+') | \(oq+\(cq) |
that contains a list of users that commands may be run as. |
that contains a list of users that commands may be run as. |
The special value |
The special value |
\fRALL\fR |
\fRALL\fR |
Line 195 attribute instead.
|
Line 246 attribute instead.
|
.TP 6n |
.TP 6n |
\fBsudoRunAsGroup\fR |
\fBsudoRunAsGroup\fR |
A Unix group or gid (prefixed with |
A Unix group or gid (prefixed with |
`#') | \(oq#\(cq) |
that commands may be run as. |
that commands may be run as. |
The special value |
The special value |
\fRALL\fR |
\fRALL\fR |
Line 263 The
|
Line 314 The
|
\fRsudoOrder\fR |
\fRsudoOrder\fR |
attribute is an integer (or floating point value for LDAP servers |
attribute is an integer (or floating point value for LDAP servers |
that support it) that is used to sort the matching entries. |
that support it) that is used to sort the matching entries. |
This allows LDAP-based sudoers entries to more closely mimic the behaviour | This allows LDAP-based sudoers entries to more closely mimic the behavior |
of the sudoers file, where the of the entries influences the result. |
of the sudoers file, where the of the entries influences the result. |
If multiple entries match, the entry with the highest |
If multiple entries match, the entry with the highest |
\fRsudoOrder\fR |
\fRsudoOrder\fR |
attribute is chosen. |
attribute is chosen. |
This corresponds to the |
This corresponds to the |
``last match'' | \(lqlast match\(rq |
behavior of the sudoers file. |
behavior of the sudoers file. |
If the |
If the |
\fRsudoOrder\fR |
\fRsudoOrder\fR |
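Review bot: the sentence "of the sudoers file, where the of the entries influences the result" is missing a word in both columns; since this hunk already touches the paragraph (behaviour to behavior), fix it here to read "where the order of the entries influences the result".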
Line 321 to see if the user belongs to any of them.
|
Line 372 to see if the user belongs to any of them.
|
.PP |
.PP |
If timed entries are enabled with the |
If timed entries are enabled with the |
\fBSUDOERS_TIMED\fR |
\fBSUDOERS_TIMED\fR |
configuration directive, the LDAP queries include a subfilter that | configuration directive, the LDAP queries include a sub-filter that |
limits retrieval to entries that satisfy the time constraints, if any. |
limits retrieval to entries that satisfy the time constraints, if any. |
.SS "Differences between LDAP and non-LDAP sudoers" |
.SS "Differences between LDAP and non-LDAP sudoers" |
There are some subtle differences in the way sudoers is handled |
There are some subtle differences in the way sudoers is handled |
Line 426 section.
|
Line 477 section.
|
Sudo reads the |
Sudo reads the |
\fI@ldap_conf@\fR |
\fI@ldap_conf@\fR |
file for LDAP-specific configuration. |
file for LDAP-specific configuration. |
Typically, this file is shared amongst different LDAP-aware clients. | Typically, this file is shared between different LDAP-aware clients. |
As such, most of the settings are not |
As such, most of the settings are not |
\fBsudo\fR-specific. |
\fBsudo\fR-specific. |
Note that |
Note that |
Line 437 itself and may support options that differ from those
|
Line 488 itself and may support options that differ from those
|
system's |
system's |
ldap.conf(@mansectsu@) |
ldap.conf(@mansectsu@) |
manual. |
manual. |
|
The path to |
|
\fIldap.conf\fR |
|
may be overridden via the |
|
\fIldap_conf\fR |
|
plugin argument in |
|
sudo.conf(@mansectform@). |
.PP |
.PP |
Also note that on systems using the OpenLDAP libraries, default |
Also note that on systems using the OpenLDAP libraries, default |
values specified in |
values specified in |
Line 452 as being supported by
|
Line 509 as being supported by
|
are honored. |
are honored. |
Configuration options are listed below in upper case but are parsed |
Configuration options are listed below in upper case but are parsed |
in a case-independent manner. |
in a case-independent manner. |
|
.PP |
|
The pound sign |
|
(\(oq#\(cq) |
|
is used to indicate a comment. |
|
Both the comment character and any text after it, up to the end of |
|
the line, are ignored. |
|
Long lines can be continued with a backslash |
|
(\(oq\e\(cq) |
|
as the last character on the line. |
|
Note that leading white space is removed from the beginning of lines |
|
even when the continuation character is used. |
.TP 6n |
.TP 6n |
\fBURI\fR \fIldap[s]://[hostname[:port]] ...\fR |
\fBURI\fR \fIldap[s]://[hostname[:port]] ...\fR |
Specifies a whitespace-delimited list of one or more URIs describing | Specifies a white space-delimited list of one or more URIs describing |
the LDAP server(s) to connect to. |
the LDAP server(s) to connect to. |
The |
The |
\fIprotocol\fR |
\fIprotocol\fR |
Line 492 If no
|
Line 560 If no
|
\fBURI\fR |
\fBURI\fR |
is specified, the |
is specified, the |
\fBHOST\fR |
\fBHOST\fR |
parameter specifies a whitespace-delimited list of LDAP servers to connect to. | parameter specifies a white space-delimited list of LDAP servers to connect to. |
Each host may include an optional |
Each host may include an optional |
\fIport\fR |
\fIport\fR |
separated by a colon |
separated by a colon |
(`:\&'). | (\(oq:\&\(cq). |
The |
The |
\fBHOST\fR |
\fBHOST\fR |
parameter is deprecated in favor of the |
parameter is deprecated in favor of the |
Line 572 form
|
Line 640 form
|
\fRattribute=value\fR |
\fRattribute=value\fR |
or |
or |
\fR(&(attribute=value)(attribute2=value2))\fR. |
\fR(&(attribute=value)(attribute2=value2))\fR. |
|
The default search filter is: |
|
\fRobjectClass=sudoRole\fR. |
|
If |
|
\fIldap_filter\fR |
|
is omitted, no search filter will be used. |
.TP 6n |
.TP 6n |
\fBSUDOERS_TIMED\fR \fIon/true/yes/off/false/no\fR |
\fBSUDOERS_TIMED\fR \fIon/true/yes/off/false/no\fR |
Whether or not to evaluate the |
Whether or not to evaluate the |
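Review bot: the two added sentences about the search filter contradict each other as written: "The default search filter is: objectClass=sudoRole." says a filter applies when nothing is configured, while "If ldap_filter is omitted, no search filter will be used." says none does. State which is true, either that an objectClass=sudoRole filter is always applied and the configured value narrows it further, or that the query is unfiltered when the option is absent. Also "ldap_filter" is not the upper-case directive name this file uses (the text above says options are listed in upper case), so the reference should name the directive being documented in this entry rather than a lower-case alias that appears nowhere else.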
Line 589 A value of 1 results in a moderate amount of debugging
|
Line 662 A value of 1 results in a moderate amount of debugging
|
A value of 2 shows the results of the matches themselves. |
A value of 2 shows the results of the matches themselves. |
This parameter should not be set in a production environment as the |
This parameter should not be set in a production environment as the |
extra information is likely to confuse users. |
extra information is likely to confuse users. |
|
.sp |
|
The |
|
\fBSUDOERS_DEBUG\fR |
|
parameter is deprecated and will be removed in a future release. |
|
The same information is now logged via the |
|
\fBsudo\fR |
|
debugging framework using the |
|
\(lqldap\(rq |
|
subsystem at priorities |
|
\fIdiag\fR |
|
and |
|
\fIinfo\fR |
|
for |
|
\fIdebug_level\fR |
|
values 1 and 2 respectively. |
|
See the |
|
sudo.conf(@mansectform@) |
|
manual for details on how to configure |
|
\fBsudo\fR |
|
debugging. |
.TP 6n |
.TP 6n |
\fBBINDDN\fR \fIDN\fR |
\fBBINDDN\fR \fIDN\fR |
The |
The |
Line 613 parameter specifies the identity, in the form of a Dis
|
Line 706 parameter specifies the identity, in the form of a Dis
|
to use when performing privileged LDAP operations, such as |
to use when performing privileged LDAP operations, such as |
\fIsudoers\fR |
\fIsudoers\fR |
queries. |
queries. |
The password corresponding | The password corresponding to the identity should be stored in the |
to the identity should be stored in | or the path specified by the |
| \fIldap_secret\fR |
| plugin argument in |
| sudo.conf(@mansectform@), |
| which defaults to |
\fI@ldap_secret@\fR. |
\fI@ldap_secret@\fR. |
If not specified, the | If no |
| \fBROOTBINDDN\fR |
| is specified, the |
\fBBINDDN\fR |
\fBBINDDN\fR |
identity is used (if any). |
identity is used (if any). |
.TP 6n |
.TP 6n |
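Review bot: the reflowed ROOTBINDDN text now reads "should be stored in the or the path specified by the ldap_secret plugin argument in sudo.conf, which defaults to @ldap_secret@", leaving a dangling "the or"; it should read "should be stored in the path specified by the ldap_secret plugin argument in sudo.conf, which defaults to @ldap_secret@". Since this file holds the bind password for the identity used for privileged LDAP operations, it is also worth saying here, as the TLS_KEYPW entry later does for @ldap_conf@, that the secret file must not be world-readable.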
Line 695 This option is only supported by the OpenLDAP librarie
|
Line 794 This option is only supported by the OpenLDAP librarie
|
The path to a file containing the client certificate which can |
The path to a file containing the client certificate which can |
be used to authenticate the client to the LDAP server. |
be used to authenticate the client to the LDAP server. |
The certificate type depends on the LDAP libraries used. |
The certificate type depends on the LDAP libraries used. |
.RS | .PP |
| .RS 6n |
| .PD 0 |
.TP 6n |
.TP 6n |
OpenLDAP: |
OpenLDAP: |
\fRtls_cert /etc/ssl/client_cert.pem\fR |
\fRtls_cert /etc/ssl/client_cert.pem\fR |
|
.PD |
.TP 6n |
.TP 6n |
Netscape-derived: |
Netscape-derived: |
\fRtls_cert /var/ldap/cert7.db\fR |
\fRtls_cert /var/ldap/cert7.db\fR |
Line 710 contains both keys and certificates.
|
Line 812 contains both keys and certificates.
|
.sp |
.sp |
When using Netscape-derived libraries, this file may also contain |
When using Netscape-derived libraries, this file may also contain |
Certificate Authority certificates. |
Certificate Authority certificates. |
|
.PD 0 |
.PP |
.PP |
.RE |
.RE |
.PD 0 | .PD |
.TP 6n |
.TP 6n |
\fBTLS_KEY\fR \fIfile name\fR |
\fBTLS_KEY\fR \fIfile name\fR |
The path to a file containing the private key which matches the |
The path to a file containing the private key which matches the |
Line 720 certificate specified by
|
Line 823 certificate specified by
|
\fBTLS_CERT\fR. |
\fBTLS_CERT\fR. |
The private key must not be password-protected. |
The private key must not be password-protected. |
The key type depends on the LDAP libraries used. |
The key type depends on the LDAP libraries used. |
.RS | .PP |
.PD | .RS 6n |
| .PD 0 |
.TP 6n |
.TP 6n |
OpenLDAP: |
OpenLDAP: |
\fRtls_key /etc/ssl/client_key.pem\fR |
\fRtls_key /etc/ssl/client_key.pem\fR |
|
.PD |
.TP 6n |
.TP 6n |
Netscape-derived: |
Netscape-derived: |
\fRtls_key /var/ldap/key3.db\fR |
\fRtls_key /var/ldap/key3.db\fR |
.TP 6n |
.TP 6n |
Tivoli Directory Server: |
Tivoli Directory Server: |
\fRtls_cert /usr/ldap/ldapkey.kdb\fR | \fRtls_key /usr/ldap/ldapkey.kdb\fR |
.PD 0 |
.PD 0 |
.PP |
.PP |
.PD |
|
When using Tivoli LDAP libraries, this file may also contain |
When using Tivoli LDAP libraries, this file may also contain |
Certificate Authority and client certificates and may be encrypted. |
Certificate Authority and client certificates and may be encrypted. |
.PP |
|
.RE |
.RE |
.PD 0 | .PD |
.TP 6n |
.TP 6n |
\fBTLS_KEYPW\fR \fIsecret\fR |
\fBTLS_KEYPW\fR \fIsecret\fR |
The |
The |
\fBTLS_KEYPW\fR |
\fBTLS_KEYPW\fR |
contains the password used to decrypt the key database on clients |
contains the password used to decrypt the key database on clients |
using the Tivoli Directory Server LDAP library. |
using the Tivoli Directory Server LDAP library. |
|
This should be a simple string without quotes. |
|
The password may not include the comment character |
|
(\(oq#\(cq) |
|
and escaping of special characters with a backslash |
|
(\(oq\e\(cq) |
|
is not supported. |
|
If this option is used, |
|
\fI@ldap_conf@\fR |
|
must not be world-readable to avoid exposing the password. |
|
Alternately, a |
|
\fIstash file\fR |
|
can be used to store the password in encrypted form (see below). |
|
.sp |
If no |
If no |
\fBTLS_KEYPW\fR |
\fBTLS_KEYPW\fR |
is specified, a |
is specified, a |
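Review bot: TLS_KEY states "The private key must not be password-protected", but the Tivoli entry corrected in this same hunk says the ldapkey.kdb file "may be encrypted", and the TLS_KEYPW entry exists precisely to supply that password. Qualify the first statement so the two do not contradict each other, for example "For the OpenLDAP and Netscape-derived libraries, the private key must not be password-protected". The new TLS_KEYPW warning that @ldap_conf@ must not be world-readable when the password is stored there is the right call; because the text earlier notes that this file is typically shared between different LDAP-aware clients, tightening its permissions can break those clients, so the stash file alternative mentioned in the same paragraph is the option to recommend first rather than as an afterthought.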
Line 764 The default
|
Line 880 The default
|
\fRldapkey.kdb\fR |
\fRldapkey.kdb\fR |
that ships with Tivoli Directory Server is encrypted with the password |
that ships with Tivoli Directory Server is encrypted with the password |
\fRssl_password\fR. |
\fRssl_password\fR. |
|
The |
|
\fIgsk8capicmd\fR |
|
utility can be used to manage the key database and create a |
|
\fIstash file\fR. |
This option is only supported by the Tivoli LDAP libraries. |
This option is only supported by the Tivoli LDAP libraries. |
.PD |
|
.TP 6n |
.TP 6n |
\fBTLS_RANDFILE\fR \fIfile name\fR |
\fBTLS_RANDFILE\fR \fIfile name\fR |
The |
The |
Line 848 does
|
Line 967 does
|
not stop searching after the first match and later matches take |
not stop searching after the first match and later matches take |
precedence over earlier ones. |
precedence over earlier ones. |
The following sources are recognized: |
The following sources are recognized: |
|
.PP |
|
.RS 4n |
|
.PD 0 |
.TP 10n |
.TP 10n |
files |
files |
read sudoers from |
read sudoers from |
\fI@sysconfdir@/sudoers\fR |
\fI@sysconfdir@/sudoers\fR |
.PD 0 |
|
.TP 10n |
.TP 10n |
ldap |
ldap |
read sudoers from LDAP |
read sudoers from LDAP |
|
.RE |
.PD |
.PD |
.PP |
.PP |
In addition, the entry |
In addition, the entry |
Line 929 sudoers = ldap
|
Line 1051 sudoers = ldap
|
.RE |
.RE |
.fi |
.fi |
.PP |
.PP |
To treat LDAP as authoratative and only use the local sudoers file | To treat LDAP as authoritative and only use the local sudoers file |
if the user is not present in LDAP, use: |
if the user is not present in LDAP, use: |
.nf |
.nf |
.sp |
.sp |
Line 940 sudoers = ldap = auth, files
|
Line 1062 sudoers = ldap = auth, files
|
.PP |
.PP |
Note that in the above example, the |
Note that in the above example, the |
\fRauth\fR |
\fRauth\fR |
qualfier only affects user lookups; both LDAP and | qualifier only affects user lookups; both LDAP and |
\fIsudoers\fR |
\fIsudoers\fR |
will be queried for |
will be queried for |
\fRDefaults\fR |
\fRDefaults\fR |
Line 1170 objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole'
|
Line 1292 objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole'
|
.RE |
.RE |
.fi |
.fi |
.SH "SEE ALSO" |
.SH "SEE ALSO" |
ldap.conf(@mansectsu@), | ldap.conf(@mansectform@), |
| sudo.conf(@mansectform@), |
sudoers(@mansectsu@) |
sudoers(@mansectsu@) |
.SH "CAVEATS" |
.SH "CAVEATS" |
Note that there are differences in the way that LDAP-based |
Note that there are differences in the way that LDAP-based |
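Review bot: SEE ALSO now cross-references ldap.conf(@mansectform@), but the body above still reads "described in your system's ldap.conf(@mansectsu@) manual", and that line is unchanged in this diff. One of the two section macros is wrong; presumably @mansectform@ is intended, matching the sudo.conf(@mansectform@) references added elsewhere in this change, so the body reference should be updated to match.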
Line 1191 search the archives.
|
Line 1314 search the archives.
|
.SH "DISCLAIMER" |
.SH "DISCLAIMER" |
\fBsudo\fR |
\fBsudo\fR |
is provided |
is provided |
``AS IS'' | \(lqAS IS\(rq |
and any express or implied warranties, including, but not limited |
and any express or implied warranties, including, but not limited |
to, the implied warranties of merchantability and fitness for a |
to, the implied warranties of merchantability and fitness for a |
particular purpose are disclaimed. |
particular purpose are disclaimed. |