|
version 1.1.1.3, 2012/10/09 09:29:52
|
version 1.1.1.6, 2014/06/15 16:12:54
|
|
Line 1
|
Line 1
|
| .\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER! |
.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER! |
| .\" IT IS GENERATED AUTOMATICALLY FROM sudoers.ldap.mdoc.in |
.\" IT IS GENERATED AUTOMATICALLY FROM sudoers.ldap.mdoc.in |
| .\" |
.\" |
| .\" Copyright (c) 2003-2012 Todd C. Miller <Todd.Miller@courtesan.com> | .\" Copyright (c) 2003-2014 Todd C. Miller <Todd.Miller@courtesan.com> |
| .\" |
.\" |
| .\" Permission to use, copy, modify, and distribute this software for any |
.\" Permission to use, copy, modify, and distribute this software for any |
| .\" purpose with or without fee is hereby granted, provided that the above |
.\" purpose with or without fee is hereby granted, provided that the above |
|
Line 16
|
Line 16
|
| .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
| .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| .\" |
.\" |
| .TH "SUDOERS.LDAP" "8" "July 12, 2012" "Sudo @PACKAGE_VERSION@" "OpenBSD System Manager's Manual" | .TH "SUDOERS.LDAP" "8" "February 7, 2014" "Sudo @PACKAGE_VERSION@" "OpenBSD System Manager's Manual" |
| .nh |
.nh |
| .if n .ad l |
.if n .ad l |
| .SH "NAME" |
.SH "NAME" |
|
Line 86 Aliases are not supported.
|
Line 86 Aliases are not supported.
|
| For the most part, there is really no need for |
For the most part, there is really no need for |
| \fBsudo\fR-specific |
\fBsudo\fR-specific |
| Aliases. |
Aliases. |
| Unix groups or user netgroups can be used in place of User_Aliases and | Unix groups, non-Unix groups (via the |
| Runas_Aliases. | \fIgroup_plugin\fR) |
| | or user netgroups can be used in place of User_Aliases and Runas_Aliases. |
| Host netgroups can be used in place of Host_Aliases. |
Host netgroups can be used in place of Host_Aliases. |
| Since Unix groups and netgroups can also be stored in LDAP there is no | Since groups and netgroups can also be stored in LDAP there is no real need for |
| real need for | |
| \fBsudo\fR-specific |
\fBsudo\fR-specific |
| aliases. |
aliases. |
| .PP |
.PP |
|
Line 138 It consists of the following attributes:
|
Line 138 It consists of the following attributes:
|
| .TP 6n |
.TP 6n |
| \fBsudoUser\fR |
\fBsudoUser\fR |
| A user name, user ID (prefixed with |
A user name, user ID (prefixed with |
| `#'), | \(oq#\(cq), |
| Unix group (prefixed with | Unix group name or ID (prefixed with |
| `%'), | \(oq%\(cq |
| Unix group ID (prefixed with | or |
| `%#'), | \(oq%#\(cq |
| or user netgroup (prefixed with | respectively), user netgroup (prefixed with |
| `+'). | \(oq+\(cq), |
| | or non-Unix group name or ID (prefixed with |
| | \(oq%:\(cq |
| | or |
| | \(oq%:#\(cq |
| | respectively). |
| | Non-Unix group support is only available when an appropriate |
| | \fIgroup_plugin\fR |
| | is defined in the global |
| | \fIdefaults\fR |
| | \fRsudoRole\fR |
| | object. |
| .TP 6n |
.TP 6n |
| \fBsudoHost\fR |
\fBsudoHost\fR |
| A host name, IP address, IP network, or host netgroup (prefixed with a |
A host name, IP address, IP network, or host netgroup (prefixed with a |
| `+'). | \(oq+\(cq). |
| The special value |
The special value |
| \fRALL\fR |
\fRALL\fR |
| will match any host. |
will match any host. |
| .TP 6n |
.TP 6n |
| \fBsudoCommand\fR |
\fBsudoCommand\fR |
| A Unix command with optional command line arguments, potentially | A fully-qualified Unix command name with optional command line arguments, |
| including globbing characters (aka wild cards). | potentially including globbing characters (aka wild cards). |
| | If a command name is preceded by an exclamation point, |
| | \(oq\&!\(cq, |
| | the user will be prohibited from running that command. |
| | .sp |
| | The built-in command |
| | \(lq\fRsudoedit\fR\(rq |
| | is used to permit a user to run |
| | \fBsudo\fR |
| | with the |
| | \fB\-e\fR |
| | option (or as |
| | \fBsudoedit\fR). |
| | It may take command line arguments just as a normal command does. |
| | Note that |
| | \(lq\fRsudoedit\fR\(rq |
| | is a command built into |
| | \fBsudo\fR |
| | itself and must be specified in without a leading path. |
| | .sp |
| The special value |
The special value |
| \fRALL\fR |
\fRALL\fR |
| will match any command. |
will match any command. |
| If a command is prefixed with an exclamation point | .sp |
| `\&!', | If a command name is prefixed with a SHA-2 digest, it will |
| the user will be prohibited from running that command. | only be allowed if the digest matches. |
| | This may be useful in situations where the user invoking |
| | \fBsudo\fR |
| | has write access to the command or its parent directory. |
| | The following digest formats are supported: sha224, sha256, sha384 and sha512. |
| | The digest name must be followed by a colon |
| | (\(oq:\&\(cq) |
| | and then the actual digest, in either hex or base64 format. |
| | For example, given the following value for sudoCommand: |
| | .nf |
| | .sp |
| | .RS 10n |
| | sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ /bin/ls |
| | .RE |
| | .fi |
| | .RS 6n |
| | .sp |
| | The user may only run |
| | \fI/bin/ls\fR |
| | if its sha224 digest matches the specified value. |
| | Command digests are only supported by version 1.8.7 or higher. |
| | .RE |
| .TP 6n |
.TP 6n |
| \fBsudoOption\fR |
\fBsudoOption\fR |
| Identical in function to the global options described above, but |
Identical in function to the global options described above, but |
|
Line 171 in which it resides.
|
Line 222 in which it resides.
|
| .TP 6n |
.TP 6n |
| \fBsudoRunAsUser\fR |
\fBsudoRunAsUser\fR |
| A user name or uid (prefixed with |
A user name or uid (prefixed with |
| `#') | \(oq#\(cq) |
| that commands may be run as or a Unix group (prefixed with a |
that commands may be run as or a Unix group (prefixed with a |
| `%') | \(oq%\(cq) |
| or user netgroup (prefixed with a |
or user netgroup (prefixed with a |
| `+') | \(oq+\(cq) |
| that contains a list of users that commands may be run as. |
that contains a list of users that commands may be run as. |
| The special value |
The special value |
| \fRALL\fR |
\fRALL\fR |
|
Line 195 attribute instead.
|
Line 246 attribute instead.
|
| .TP 6n |
.TP 6n |
| \fBsudoRunAsGroup\fR |
\fBsudoRunAsGroup\fR |
| A Unix group or gid (prefixed with |
A Unix group or gid (prefixed with |
| `#') | \(oq#\(cq) |
| that commands may be run as. |
that commands may be run as. |
| The special value |
The special value |
| \fRALL\fR |
\fRALL\fR |
|
Line 263 The
|
Line 314 The
|
| \fRsudoOrder\fR |
\fRsudoOrder\fR |
| attribute is an integer (or floating point value for LDAP servers |
attribute is an integer (or floating point value for LDAP servers |
| that support it) that is used to sort the matching entries. |
that support it) that is used to sort the matching entries. |
| This allows LDAP-based sudoers entries to more closely mimic the behaviour | This allows LDAP-based sudoers entries to more closely mimic the behavior |
| of the sudoers file, where the of the entries influences the result. |
of the sudoers file, where the of the entries influences the result. |
| If multiple entries match, the entry with the highest |
If multiple entries match, the entry with the highest |
| \fRsudoOrder\fR |
\fRsudoOrder\fR |
| attribute is chosen. |
attribute is chosen. |
| This corresponds to the |
This corresponds to the |
| ``last match'' | \(lqlast match\(rq |
| behavior of the sudoers file. |
behavior of the sudoers file. |
| If the |
If the |
| \fRsudoOrder\fR |
\fRsudoOrder\fR |
|
Line 321 to see if the user belongs to any of them.
|
Line 372 to see if the user belongs to any of them.
|
| .PP |
.PP |
| If timed entries are enabled with the |
If timed entries are enabled with the |
| \fBSUDOERS_TIMED\fR |
\fBSUDOERS_TIMED\fR |
| configuration directive, the LDAP queries include a subfilter that | configuration directive, the LDAP queries include a sub-filter that |
| limits retrieval to entries that satisfy the time constraints, if any. |
limits retrieval to entries that satisfy the time constraints, if any. |
| .SS "Differences between LDAP and non-LDAP sudoers" |
.SS "Differences between LDAP and non-LDAP sudoers" |
| There are some subtle differences in the way sudoers is handled |
There are some subtle differences in the way sudoers is handled |
|
Line 426 section.
|
Line 477 section.
|
| Sudo reads the |
Sudo reads the |
| \fI@ldap_conf@\fR |
\fI@ldap_conf@\fR |
| file for LDAP-specific configuration. |
file for LDAP-specific configuration. |
| Typically, this file is shared amongst different LDAP-aware clients. | Typically, this file is shared between different LDAP-aware clients. |
| As such, most of the settings are not |
As such, most of the settings are not |
| \fBsudo\fR-specific. |
\fBsudo\fR-specific. |
| Note that |
Note that |
|
Line 437 itself and may support options that differ from those
|
Line 488 itself and may support options that differ from those
|
| system's |
system's |
| ldap.conf(@mansectsu@) |
ldap.conf(@mansectsu@) |
| manual. |
manual. |
| |
The path to |
| |
\fIldap.conf\fR |
| |
may be overridden via the |
| |
\fIldap_conf\fR |
| |
plugin argument in |
| |
sudo.conf(@mansectform@). |
| .PP |
.PP |
| Also note that on systems using the OpenLDAP libraries, default |
Also note that on systems using the OpenLDAP libraries, default |
| values specified in |
values specified in |
|
Line 452 as being supported by
|
Line 509 as being supported by
|
| are honored. |
are honored. |
| Configuration options are listed below in upper case but are parsed |
Configuration options are listed below in upper case but are parsed |
| in a case-independent manner. |
in a case-independent manner. |
| |
.PP |
| |
The pound sign |
| |
(\(oq#\(cq) |
| |
is used to indicate a comment. |
| |
Both the comment character and any text after it, up to the end of |
| |
the line, are ignored. |
| |
Long lines can be continued with a backslash |
| |
(\(oq\e\(cq) |
| |
as the last character on the line. |
| |
Note that leading white space is removed from the beginning of lines |
| |
even when the continuation character is used. |
| .TP 6n |
.TP 6n |
| \fBURI\fR \fIldap[s]://[hostname[:port]] ...\fR |
\fBURI\fR \fIldap[s]://[hostname[:port]] ...\fR |
| Specifies a whitespace-delimited list of one or more URIs describing | Specifies a white space-delimited list of one or more URIs describing |
| the LDAP server(s) to connect to. |
the LDAP server(s) to connect to. |
| The |
The |
| \fIprotocol\fR |
\fIprotocol\fR |
|
Line 492 If no
|
Line 560 If no
|
| \fBURI\fR |
\fBURI\fR |
| is specified, the |
is specified, the |
| \fBHOST\fR |
\fBHOST\fR |
| parameter specifies a whitespace-delimited list of LDAP servers to connect to. | parameter specifies a white space-delimited list of LDAP servers to connect to. |
| Each host may include an optional |
Each host may include an optional |
| \fIport\fR |
\fIport\fR |
| separated by a colon |
separated by a colon |
| (`:\&'). | (\(oq:\&\(cq). |
| The |
The |
| \fBHOST\fR |
\fBHOST\fR |
| parameter is deprecated in favor of the |
parameter is deprecated in favor of the |
|
Line 572 form
|
Line 640 form
|
| \fRattribute=value\fR |
\fRattribute=value\fR |
| or |
or |
| \fR(&(attribute=value)(attribute2=value2))\fR. |
\fR(&(attribute=value)(attribute2=value2))\fR. |
| |
The default search filter is: |
| |
\fRobjectClass=sudoRole\fR. |
| |
If |
| |
\fIldap_filter\fR |
| |
is omitted, no search filter will be used. |
| .TP 6n |
.TP 6n |
| \fBSUDOERS_TIMED\fR \fIon/true/yes/off/false/no\fR |
\fBSUDOERS_TIMED\fR \fIon/true/yes/off/false/no\fR |
| Whether or not to evaluate the |
Whether or not to evaluate the |
|
Line 589 A value of 1 results in a moderate amount of debugging
|
Line 662 A value of 1 results in a moderate amount of debugging
|
| A value of 2 shows the results of the matches themselves. |
A value of 2 shows the results of the matches themselves. |
| This parameter should not be set in a production environment as the |
This parameter should not be set in a production environment as the |
| extra information is likely to confuse users. |
extra information is likely to confuse users. |
| |
.sp |
| |
The |
| |
\fBSUDOERS_DEBUG\fR |
| |
parameter is deprecated and will be removed in a future release. |
| |
The same information is now logged via the |
| |
\fBsudo\fR |
| |
debugging framework using the |
| |
\(lqldap\(rq |
| |
subsystem at priorities |
| |
\fIdiag\fR |
| |
and |
| |
\fIinfo\fR |
| |
for |
| |
\fIdebug_level\fR |
| |
values 1 and 2 respectively. |
| |
See the |
| |
sudo.conf(@mansectform@) |
| |
manual for details on how to configure |
| |
\fBsudo\fR |
| |
debugging. |
| .TP 6n |
.TP 6n |
| \fBBINDDN\fR \fIDN\fR |
\fBBINDDN\fR \fIDN\fR |
| The |
The |
|
Line 613 parameter specifies the identity, in the form of a Dis
|
Line 706 parameter specifies the identity, in the form of a Dis
|
| to use when performing privileged LDAP operations, such as |
to use when performing privileged LDAP operations, such as |
| \fIsudoers\fR |
\fIsudoers\fR |
| queries. |
queries. |
| The password corresponding | The password corresponding to the identity should be stored in the |
| to the identity should be stored in | or the path specified by the |
| | \fIldap_secret\fR |
| | plugin argument in |
| | sudo.conf(@mansectform@), |
| | which defaults to |
| \fI@ldap_secret@\fR. |
\fI@ldap_secret@\fR. |
| If not specified, the | If no |
| | \fBROOTBINDDN\fR |
| | is specified, the |
| \fBBINDDN\fR |
\fBBINDDN\fR |
| identity is used (if any). |
identity is used (if any). |
| .TP 6n |
.TP 6n |
|
Line 695 This option is only supported by the OpenLDAP librarie
|
Line 794 This option is only supported by the OpenLDAP librarie
|
| The path to a file containing the client certificate which can |
The path to a file containing the client certificate which can |
| be used to authenticate the client to the LDAP server. |
be used to authenticate the client to the LDAP server. |
| The certificate type depends on the LDAP libraries used. |
The certificate type depends on the LDAP libraries used. |
| .RS | .PP |
| | .RS 6n |
| | .PD 0 |
| .TP 6n |
.TP 6n |
| OpenLDAP: |
OpenLDAP: |
| \fRtls_cert /etc/ssl/client_cert.pem\fR |
\fRtls_cert /etc/ssl/client_cert.pem\fR |
| |
.PD |
| .TP 6n |
.TP 6n |
| Netscape-derived: |
Netscape-derived: |
| \fRtls_cert /var/ldap/cert7.db\fR |
\fRtls_cert /var/ldap/cert7.db\fR |
|
Line 710 contains both keys and certificates.
|
Line 812 contains both keys and certificates.
|
| .sp |
.sp |
| When using Netscape-derived libraries, this file may also contain |
When using Netscape-derived libraries, this file may also contain |
| Certificate Authority certificates. |
Certificate Authority certificates. |
| |
.PD 0 |
| .PP |
.PP |
| .RE |
.RE |
| .PD 0 | .PD |
| .TP 6n |
.TP 6n |
| \fBTLS_KEY\fR \fIfile name\fR |
\fBTLS_KEY\fR \fIfile name\fR |
| The path to a file containing the private key which matches the |
The path to a file containing the private key which matches the |
|
Line 720 certificate specified by
|
Line 823 certificate specified by
|
| \fBTLS_CERT\fR. |
\fBTLS_CERT\fR. |
| The private key must not be password-protected. |
The private key must not be password-protected. |
| The key type depends on the LDAP libraries used. |
The key type depends on the LDAP libraries used. |
| .RS | .PP |
| .PD | .RS 6n |
| | .PD 0 |
| .TP 6n |
.TP 6n |
| OpenLDAP: |
OpenLDAP: |
| \fRtls_key /etc/ssl/client_key.pem\fR |
\fRtls_key /etc/ssl/client_key.pem\fR |
| |
.PD |
| .TP 6n |
.TP 6n |
| Netscape-derived: |
Netscape-derived: |
| \fRtls_key /var/ldap/key3.db\fR |
\fRtls_key /var/ldap/key3.db\fR |
| .TP 6n |
.TP 6n |
| Tivoli Directory Server: |
Tivoli Directory Server: |
| \fRtls_cert /usr/ldap/ldapkey.kdb\fR | \fRtls_key /usr/ldap/ldapkey.kdb\fR |
| .PD 0 |
.PD 0 |
| .PP |
.PP |
| .PD |
|
| When using Tivoli LDAP libraries, this file may also contain |
When using Tivoli LDAP libraries, this file may also contain |
| Certificate Authority and client certificates and may be encrypted. |
Certificate Authority and client certificates and may be encrypted. |
| .PP |
|
| .RE |
.RE |
| .PD 0 | .PD |
| .TP 6n |
.TP 6n |
| \fBTLS_KEYPW\fR \fIsecret\fR |
\fBTLS_KEYPW\fR \fIsecret\fR |
| The |
The |
| \fBTLS_KEYPW\fR |
\fBTLS_KEYPW\fR |
| contains the password used to decrypt the key database on clients |
contains the password used to decrypt the key database on clients |
| using the Tivoli Directory Server LDAP library. |
using the Tivoli Directory Server LDAP library. |
| |
This should be a simple string without quotes. |
| |
The password may not include the comment character |
| |
(\(oq#\(cq) |
| |
and escaping of special characters with a backslash |
| |
(\(oq\e\(cq) |
| |
is not supported. |
| |
If this option is used, |
| |
\fI@ldap_conf@\fR |
| |
must not be world-readable to avoid exposing the password. |
| |
Alternately, a |
| |
\fIstash file\fR |
| |
can be used to store the password in encrypted form (see below). |
| |
.sp |
| If no |
If no |
| \fBTLS_KEYPW\fR |
\fBTLS_KEYPW\fR |
| is specified, a |
is specified, a |
|
Line 764 The default
|
Line 880 The default
|
| \fRldapkey.kdb\fR |
\fRldapkey.kdb\fR |
| that ships with Tivoli Directory Server is encrypted with the password |
that ships with Tivoli Directory Server is encrypted with the password |
| \fRssl_password\fR. |
\fRssl_password\fR. |
| |
The |
| |
\fIgsk8capicmd\fR |
| |
utility can be used to manage the key database and create a |
| |
\fIstash file\fR. |
| This option is only supported by the Tivoli LDAP libraries. |
This option is only supported by the Tivoli LDAP libraries. |
| .PD |
|
| .TP 6n |
.TP 6n |
| \fBTLS_RANDFILE\fR \fIfile name\fR |
\fBTLS_RANDFILE\fR \fIfile name\fR |
| The |
The |
|
Line 848 does
|
Line 967 does
|
| not stop searching after the first match and later matches take |
not stop searching after the first match and later matches take |
| precedence over earlier ones. |
precedence over earlier ones. |
| The following sources are recognized: |
The following sources are recognized: |
| |
.PP |
| |
.RS 4n |
| |
.PD 0 |
| .TP 10n |
.TP 10n |
| files |
files |
| read sudoers from |
read sudoers from |
| \fI@sysconfdir@/sudoers\fR |
\fI@sysconfdir@/sudoers\fR |
| .PD 0 |
|
| .TP 10n |
.TP 10n |
| ldap |
ldap |
| read sudoers from LDAP |
read sudoers from LDAP |
| |
.RE |
| .PD |
.PD |
| .PP |
.PP |
| In addition, the entry |
In addition, the entry |
|
Line 929 sudoers = ldap
|
Line 1051 sudoers = ldap
|
| .RE |
.RE |
| .fi |
.fi |
| .PP |
.PP |
| To treat LDAP as authoratative and only use the local sudoers file | To treat LDAP as authoritative and only use the local sudoers file |
| if the user is not present in LDAP, use: |
if the user is not present in LDAP, use: |
| .nf |
.nf |
| .sp |
.sp |
|
Line 940 sudoers = ldap = auth, files
|
Line 1062 sudoers = ldap = auth, files
|
| .PP |
.PP |
| Note that in the above example, the |
Note that in the above example, the |
| \fRauth\fR |
\fRauth\fR |
| qualfier only affects user lookups; both LDAP and | qualifier only affects user lookups; both LDAP and |
| \fIsudoers\fR |
\fIsudoers\fR |
| will be queried for |
will be queried for |
| \fRDefaults\fR |
\fRDefaults\fR |
|
Line 1170 objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole'
|
Line 1292 objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole'
|
| .RE |
.RE |
| .fi |
.fi |
| .SH "SEE ALSO" |
.SH "SEE ALSO" |
| ldap.conf(@mansectsu@), | ldap.conf(@mansectform@), |
| | sudo.conf(@mansectform@), |
| sudoers(@mansectsu@) |
sudoers(@mansectsu@) |
| .SH "CAVEATS" |
.SH "CAVEATS" |
| Note that there are differences in the way that LDAP-based |
Note that there are differences in the way that LDAP-based |
|
Line 1191 search the archives.
|
Line 1314 search the archives.
|
| .SH "DISCLAIMER" |
.SH "DISCLAIMER" |
| \fBsudo\fR |
\fBsudo\fR |
| is provided |
is provided |
| ``AS IS'' | \(lqAS IS\(rq |
| and any express or implied warranties, including, but not limited |
and any express or implied warranties, including, but not limited |
| to, the implied warranties of merchantability and fitness for a |
to, the implied warranties of merchantability and fitness for a |
| particular purpose are disclaimed. |
particular purpose are disclaimed. |
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to sudoers.ldap.man.in CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / doc