version 1.1.1.2, 2012/05/29 12:26:49
|
version 1.1.1.4, 2013/07/22 10:46:12
|
Line 1
|
Line 1
|
.\" Copyright (c) 2003-2011 | .\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER! |
.\" Todd C. Miller <Todd.Miller@courtesan.com> | .\" IT IS GENERATED AUTOMATICALLY FROM sudoers.ldap.mdoc.in |
.\" | .\" |
| .\" Copyright (c) 2003-2013 Todd C. Miller <Todd.Miller@courtesan.com> |
| .\" |
.\" Permission to use, copy, modify, and distribute this software for any |
.\" Permission to use, copy, modify, and distribute this software for any |
.\" purpose with or without fee is hereby granted, provided that the above |
.\" purpose with or without fee is hereby granted, provided that the above |
.\" copyright notice and this permission notice appear in all copies. |
.\" copyright notice and this permission notice appear in all copies. |
.\" | .\" |
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
Line 13
|
Line 15
|
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
.\" |
|
.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14) |
|
.\" |
.\" |
.\" Standard preamble: | .TH "SUDOERS.LDAP" "8" "April 25, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD System Manager's Manual" |
.\" ======================================================================== | |
.de Sp \" Vertical space (when we can't use .PP) | |
.if t .sp .5v | |
.if n .sp | |
.. | |
.de Vb \" Begin verbatim text | |
.ft CW | |
.nf | |
.ne \\$1 | |
.. | |
.de Ve \" End verbatim text | |
.ft R | |
.fi | |
.. | |
.\" Set up some character translations and predefined strings. \*(-- will | |
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left | |
.\" double quote, and \*(R" will give a right double quote. \*(C+ will | |
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and | |
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, | |
.\" nothing in troff, for use with C<>. | |
.tr \(*W- | |
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' | |
.ie n \{\ | |
. ds -- \(*W- | |
. ds PI pi | |
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch | |
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch | |
. ds L" "" | |
. ds R" "" | |
. ds C` | |
. ds C' | |
'br\} | |
.el\{\ | |
. ds -- \|\(em\| | |
. ds PI \(*p | |
. ds L" `` | |
. ds R" '' | |
'br\} | |
.\" | |
.\" Escape single quotes in literal strings from groff's Unicode transform. | |
.ie \n(.g .ds Aq \(aq | |
.el .ds Aq ' | |
.\" | |
.\" If the F register is turned on, we'll generate index entries on stderr for | |
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index | |
.\" entries marked with X<> in POD. Of course, you'll have to process the | |
.\" output yourself in some meaningful fashion. | |
.ie \nF \{\ | |
. de IX | |
. tm Index:\\$1\t\\n%\t"\\$2" | |
.. | |
. nr % 0 | |
. rr F | |
.\} | |
.el \{\ | |
. de IX | |
.. | |
.\} | |
.\" | |
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). | |
.\" Fear. Run. Save yourself. No user-serviceable parts. | |
. \" fudge factors for nroff and troff | |
.if n \{\ | |
. ds #H 0 | |
. ds #V .8m | |
. ds #F .3m | |
. ds #[ \f1 | |
. ds #] \fP | |
.\} | |
.if t \{\ | |
. ds #H ((1u-(\\\\n(.fu%2u))*.13m) | |
. ds #V .6m | |
. ds #F 0 | |
. ds #[ \& | |
. ds #] \& | |
.\} | |
. \" simple accents for nroff and troff | |
.if n \{\ | |
. ds ' \& | |
. ds ` \& | |
. ds ^ \& | |
. ds , \& | |
. ds ~ ~ | |
. ds / | |
.\} | |
.if t \{\ | |
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" | |
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' | |
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' | |
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' | |
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' | |
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' | |
.\} | |
. \" troff and (daisy-wheel) nroff accents | |
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' | |
.ds 8 \h'\*(#H'\(*b\h'-\*(#H' | |
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] | |
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' | |
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' | |
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] | |
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] | |
.ds ae a\h'-(\w'a'u*4/10)'e | |
.ds Ae A\h'-(\w'A'u*4/10)'E | |
. \" corrections for vroff | |
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' | |
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' | |
. \" for low resolution devices (crt and lpr) | |
.if \n(.H>23 .if \n(.V>19 \ | |
\{\ | |
. ds : e | |
. ds 8 ss | |
. ds o a | |
. ds d- d\h'-1'\(ga | |
. ds D- D\h'-1'\(hy | |
. ds th \o'bp' | |
. ds Th \o'LP' | |
. ds ae ae | |
. ds Ae AE | |
.\} | |
.rm #[ #] #H #V #F C | |
.\" ======================================================================== | |
.\" | |
.IX Title "SUDOERS.LDAP @mansectform@" | |
.TH SUDOERS.LDAP @mansectform@ "March 14, 2012" "1.8.5" "MAINTENANCE COMMANDS" | |
.\" For nroff, turn off justification. Always turn off hyphenation; it makes | |
.\" way too many mistakes in technical documents. | |
.if n .ad l | |
.nh |
.nh |
|
.if n .ad l |
.SH "NAME" |
.SH "NAME" |
sudoers.ldap \- sudo LDAP configuration | \fBsudoers.ldap\fR |
| \- sudo LDAP configuration |
.SH "DESCRIPTION" |
.SH "DESCRIPTION" |
.IX Header "DESCRIPTION" | In addition to the standard |
In addition to the standard \fIsudoers\fR file, \fBsudo\fR may be configured | \fIsudoers\fR |
via \s-1LDAP\s0. This can be especially useful for synchronizing \fIsudoers\fR | file, |
| \fBsudo\fR |
| may be configured |
| via LDAP. |
| This can be especially useful for synchronizing |
| \fIsudoers\fR |
in a large, distributed environment. |
in a large, distributed environment. |
.PP |
.PP |
Using \s-1LDAP\s0 for \fIsudoers\fR has several benefits: | Using LDAP for |
.IP "\(bu" 4 | \fIsudoers\fR |
\&\fBsudo\fR no longer needs to read \fIsudoers\fR in its entirety. When | has several benefits: |
\&\s-1LDAP\s0 is used, there are only two or three \s-1LDAP\s0 queries per invocation. | .TP 4n |
This makes it especially fast and particularly usable in \s-1LDAP\s0 | \fBo\fR |
environments. | \fBsudo\fR |
.IP "\(bu" 4 | no longer needs to read |
\&\fBsudo\fR no longer exits if there is a typo in \fIsudoers\fR. | \fIsudoers\fR |
It is not possible to load \s-1LDAP\s0 data into the server that does | in its entirety. |
| When LDAP is used, there are only two or three LDAP queries per invocation. |
| This makes it especially fast and particularly usable in LDAP environments. |
| .TP 4n |
| \fBo\fR |
| \fBsudo\fR |
| no longer exits if there is a typo in |
| \fIsudoers\fR. |
| It is not possible to load LDAP data into the server that does |
not conform to the sudoers schema, so proper syntax is guaranteed. |
not conform to the sudoers schema, so proper syntax is guaranteed. |
It is still possible to have typos in a user or host name, but |
It is still possible to have typos in a user or host name, but |
this will not prevent \fBsudo\fR from running. | this will not prevent |
.IP "\(bu" 4 | \fBsudo\fR |
| from running. |
| .TP 4n |
| \fBo\fR |
It is possible to specify per-entry options that override the global |
It is possible to specify per-entry options that override the global |
default options. \fI@sysconfdir@/sudoers\fR only supports default options and | default options. |
limited options associated with user/host/commands/aliases. The | \fI@sysconfdir@/sudoers\fR |
syntax is complicated and can be difficult for users to understand. | only supports default options and limited options associated with |
| user/host/commands/aliases. |
| The syntax is complicated and can be difficult for users to understand. |
Placing the options directly in the entry is more natural. |
Placing the options directly in the entry is more natural. |
.IP "\(bu" 4 | .TP 4n |
The \fBvisudo\fR program is no longer needed. \fBvisudo\fR provides | \fBo\fR |
locking and syntax checking of the \fI@sysconfdir@/sudoers\fR file. | The |
Since \s-1LDAP\s0 updates are atomic, locking is no longer necessary. | \fBvisudo\fR |
Because syntax is checked when the data is inserted into \s-1LDAP\s0, there | program is no longer needed. |
| \fBvisudo\fR |
| provides locking and syntax checking of the |
| \fI@sysconfdir@/sudoers\fR |
| file. |
| Since LDAP updates are atomic, locking is no longer necessary. |
| Because syntax is checked when the data is inserted into LDAP, there |
is no need for a specialized tool to check syntax. |
is no need for a specialized tool to check syntax. |
.PP |
.PP |
Another major difference between \s-1LDAP\s0 and file-based \fIsudoers\fR | Another major difference between LDAP and file-based |
is that in \s-1LDAP\s0, \fBsudo\fR\-specific Aliases are not supported. | \fIsudoers\fR |
| is that in LDAP, |
| \fBsudo\fR-specific |
| Aliases are not supported. |
.PP |
.PP |
For the most part, there is really no need for \fBsudo\fR\-specific | For the most part, there is really no need for |
Aliases. Unix groups or user netgroups can be used in place of | \fBsudo\fR-specific |
User_Aliases and Runas_Aliases. Host netgroups can be used in place | Aliases. |
of Host_Aliases. Since Unix groups and netgroups can also be stored | Unix groups, non-Unix groups (via the |
in \s-1LDAP\s0 there is no real need for \fBsudo\fR\-specific aliases. | \fIgroup_plugin\fR) |
| or user netgroups can be used in place of User_Aliases and Runas_Aliases. |
| Host netgroups can be used in place of Host_Aliases. |
| Since groups and netgroups can also be stored in LDAP there is no real need for |
| \fBsudo\fR-specific |
| aliases. |
.PP |
.PP |
Cmnd_Aliases are not really required either since it is possible |
Cmnd_Aliases are not really required either since it is possible |
to have multiple users listed in a \f(CW\*(C`sudoRole\*(C'\fR. Instead of defining | to have multiple users listed in a |
a Cmnd_Alias that is referenced by multiple users, one can create | \fRsudoRole\fR. |
a \f(CW\*(C`sudoRole\*(C'\fR that contains the commands and assign multiple users | Instead of defining a Cmnd_Alias that is referenced by multiple users, |
to it. | one can create a |
.SS "SUDOers \s-1LDAP\s0 container" | \fRsudoRole\fR |
.IX Subsection "SUDOers LDAP container" | that contains the commands and assign multiple users to it. |
The \fIsudoers\fR configuration is contained in the \f(CW\*(C`ou=SUDOers\*(C'\fR \s-1LDAP\s0 | .SS "SUDOers LDAP container" |
container. | The |
| \fIsudoers\fR |
| configuration is contained in the |
| \fRou=SUDOers\fR |
| LDAP container. |
.PP |
.PP |
Sudo first looks for the \f(CW\*(C`cn=default\*(C'\fR entry in the SUDOers container. | Sudo first looks for the |
If found, the multi-valued \f(CW\*(C`sudoOption\*(C'\fR attribute is parsed in the | \fRcn=default\fR |
same manner as a global \f(CW\*(C`Defaults\*(C'\fR line in \fI@sysconfdir@/sudoers\fR. In | entry in the SUDOers container. |
the following example, the \f(CW\*(C`SSH_AUTH_SOCK\*(C'\fR variable will be preserved | If found, the multi-valued |
in the environment for all users. | \fRsudoOption\fR |
| attribute is parsed in the same manner as a global |
| \fRDefaults\fR |
| line in |
| \fI@sysconfdir@/sudoers\fR. |
| In the following example, the |
| \fRSSH_AUTH_SOCK\fR |
| variable will be preserved in the environment for all users. |
| .nf |
| .sp |
| .RS 4n |
| dn: cn=defaults,ou=SUDOers,dc=example,dc=com |
| objectClass: top |
| objectClass: sudoRole |
| cn: defaults |
| description: Default sudoOption's go here |
| sudoOption: env_keep+=SSH_AUTH_SOCK |
| .RE |
| .fi |
.PP |
.PP |
.Vb 6 | The equivalent of a sudoer in LDAP is a |
\& dn: cn=defaults,ou=SUDOers,dc=example,dc=com | \fRsudoRole\fR. |
\& objectClass: top | It consists of the following attributes: |
\& objectClass: sudoRole | .TP 6n |
\& cn: defaults | \fBsudoUser\fR |
\& description: Default sudoOption\*(Aqs go here | A user name, user ID (prefixed with |
\& sudoOption: env_keep+=SSH_AUTH_SOCK | `#'), |
.Ve | Unix group name or ID (prefixed with |
| `%' |
| or |
| `%#' |
| respectively), user netgroup (prefixed with |
| `+'), |
| or non-Unix group name or ID (prefixed with |
| `%:' |
| or |
| `%:#' |
| respectively). |
| Non-Unix group support is only available when an appropriate |
| \fIgroup_plugin\fR |
| is defined in the global |
| \fIdefaults\fR |
| \fRsudoRole\fR |
| object. |
| .TP 6n |
| \fBsudoHost\fR |
| A host name, IP address, IP network, or host netgroup (prefixed with a |
| `+'). |
| The special value |
| \fRALL\fR |
| will match any host. |
| .TP 6n |
| \fBsudoCommand\fR |
| A fully-qualified Unix command name with optional command line arguments, |
| potentially including globbing characters (aka wild cards). |
| If a command name is preceded by an exclamation point, |
| `\&!', |
| the user will be prohibited from running that command. |
| .sp |
| The built-in command |
| ``\fRsudoedit\fR'' |
| is used to permit a user to run |
| \fBsudo\fR |
| with the |
| \fB\-e\fR |
| option (or as |
| \fBsudoedit\fR). |
| It may take command line arguments just as a normal command does. |
| Note that |
| ``\fRsudoedit\fR'' |
| is a command built into |
| \fBsudo\fR |
| itself and must be specified in without a leading path. |
| .sp |
| The special value |
| \fRALL\fR |
| will match any command. |
| .sp |
| If a command name is prefixed with a SHA-2 digest, it will |
| only be allowed if the digest matches. |
| This may be useful in situations where the user invoking |
| \fBsudo\fR |
| has write access to the command or its parent directory. |
| The following digest formats are supported: sha224, sha256, sha384 and sha512. |
| The digest name must be followed by a colon |
| (`:\&') |
| and then the actual digest, in either hex or base64 format. |
| For example, given the following value for sudoCommand: |
| .RS |
| .nf |
| .sp |
| .RS 4n |
| sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ /bin/ls |
| .RE |
| .fi |
| .sp |
| The user may only run |
| \fI/bin/ls\fR |
| if its sha224 digest matches the specified value. |
| Command digests are only supported by version 1.8.7 or higher. |
.PP |
.PP |
The equivalent of a sudoer in \s-1LDAP\s0 is a \f(CW\*(C`sudoRole\*(C'\fR. It consists of | .RE |
the following attributes: | .PD 0 |
.IP "\fBsudoUser\fR" 4 | .TP 6n |
.IX Item "sudoUser" | \fBsudoOption\fR |
A user name, user \s-1ID\s0 (prefixed with \f(CW\*(Aq#\*(Aq\fR), Unix group (prefixed with | |
\&\f(CW\*(Aq%\*(Aq\fR), Unix group \s-1ID\s0 (prefixed with \f(CW\*(Aq%#\*(Aq\fR), or user netgroup | |
(prefixed with \f(CW\*(Aq+\*(Aq\fR). | |
.IP "\fBsudoHost\fR" 4 | |
.IX Item "sudoHost" | |
A host name, \s-1IP\s0 address, \s-1IP\s0 network, or host netgroup (prefixed | |
with a \f(CW\*(Aq+\*(Aq\fR). | |
The special value \f(CW\*(C`ALL\*(C'\fR will match any host. | |
.IP "\fBsudoCommand\fR" 4 | |
.IX Item "sudoCommand" | |
A Unix command with optional command line arguments, potentially | |
including globbing characters (aka wild cards). | |
The special value \f(CW\*(C`ALL\*(C'\fR will match any command. | |
If a command is prefixed with an exclamation point \f(CW\*(Aq!\*(Aq\fR, the | |
user will be prohibited from running that command. | |
.IP "\fBsudoOption\fR" 4 | |
.IX Item "sudoOption" | |
Identical in function to the global options described above, but |
Identical in function to the global options described above, but |
specific to the \f(CW\*(C`sudoRole\*(C'\fR in which it resides. | specific to the |
.IP "\fBsudoRunAsUser\fR" 4 | \fRsudoRole\fR |
.IX Item "sudoRunAsUser" | in which it resides. |
A user name or uid (prefixed with \f(CW\*(Aq#\*(Aq\fR) that commands may be run | .PD |
as or a Unix group (prefixed with a \f(CW\*(Aq%\*(Aq\fR) or user netgroup (prefixed | .TP 6n |
with a \f(CW\*(Aq+\*(Aq\fR) that contains a list of users that commands may be | \fBsudoRunAsUser\fR |
run as. | A user name or uid (prefixed with |
The special value \f(CW\*(C`ALL\*(C'\fR will match any user. | `#') |
.Sp | that commands may be run as or a Unix group (prefixed with a |
The \f(CW\*(C`sudoRunAsUser\*(C'\fR attribute is only available in \fBsudo\fR versions | `%') |
1.7.0 and higher. Older versions of \fBsudo\fR use the \f(CW\*(C`sudoRunAs\*(C'\fR | or user netgroup (prefixed with a |
| `+') |
| that contains a list of users that commands may be run as. |
| The special value |
| \fRALL\fR |
| will match any user. |
| .sp |
| The |
| \fRsudoRunAsUser\fR |
| attribute is only available in |
| \fBsudo\fR |
| versions |
| 1.7.0 and higher. |
| Older versions of |
| \fBsudo\fR |
| use the |
| \fRsudoRunAs\fR |
attribute instead. |
attribute instead. |
.IP "\fBsudoRunAsGroup\fR" 4 | .TP 6n |
.IX Item "sudoRunAsGroup" | \fBsudoRunAsGroup\fR |
A Unix group or gid (prefixed with \f(CW\*(Aq#\*(Aq\fR) that commands may be run as. | A Unix group or gid (prefixed with |
The special value \f(CW\*(C`ALL\*(C'\fR will match any group. | `#') |
.Sp | that commands may be run as. |
The \f(CW\*(C`sudoRunAsGroup\*(C'\fR attribute is only available in \fBsudo\fR versions | The special value |
| \fRALL\fR |
| will match any group. |
| .sp |
| The |
| \fRsudoRunAsGroup\fR |
| attribute is only available in |
| \fBsudo\fR |
| versions |
1.7.0 and higher. |
1.7.0 and higher. |
.IP "\fBsudoNotBefore\fR" 4 | .TP 6n |
.IX Item "sudoNotBefore" | \fBsudoNotBefore\fR |
A timestamp in the form \f(CW\*(C`yyyymmddHHMMSSZ\*(C'\fR that can be used to provide | A timestamp in the form |
a start date/time for when the \f(CW\*(C`sudoRole\*(C'\fR will be valid. If | \fRyyyymmddHHMMSSZ\fR |
multiple \f(CW\*(C`sudoNotBefore\*(C'\fR entries are present, the earliest is used. | that can be used to provide a start date/time for when the |
Note that timestamps must be in Coordinated Universal Time (\s-1UTC\s0), | \fRsudoRole\fR |
not the local timezone. The minute and seconds portions are optional, | will be valid. |
but some \s-1LDAP\s0 servers require that they be present (contrary to the \s-1RFC\s0). | If multiple |
.Sp | \fRsudoNotBefore\fR |
The \f(CW\*(C`sudoNotBefore\*(C'\fR attribute is only available in \fBsudo\fR versions | entries are present, the earliest is used. |
1.7.5 and higher and must be explicitly enabled via the \fB\s-1SUDOERS_TIMED\s0\fR | Note that timestamps must be in Coordinated Universal Time (UTC), |
option in \fI@ldap_conf@\fR. | not the local timezone. |
.IP "\fBsudoNotAfter\fR" 4 | The minute and seconds portions are optional, but some LDAP servers |
.IX Item "sudoNotAfter" | require that they be present (contrary to the RFC). |
A timestamp in the form \f(CW\*(C`yyyymmddHHMMSSZ\*(C'\fR that indicates an expiration | .sp |
date/time, after which the \f(CW\*(C`sudoRole\*(C'\fR will no longer be valid. If | The |
multiple \f(CW\*(C`sudoNotBefore\*(C'\fR entries are present, the last one is used. | \fRsudoNotBefore\fR |
Note that timestamps must be in Coordinated Universal Time (\s-1UTC\s0), | attribute is only available in |
not the local timezone. The minute and seconds portions are optional, | \fBsudo\fR |
but some \s-1LDAP\s0 servers require that they be present (contrary to the \s-1RFC\s0). | versions 1.7.5 and higher and must be explicitly enabled via the |
.Sp | \fBSUDOERS_TIMED\fR |
The \f(CW\*(C`sudoNotAfter\*(C'\fR attribute is only available in \fBsudo\fR versions | option in |
1.7.5 and higher and must be explicitly enabled via the \fB\s-1SUDOERS_TIMED\s0\fR | \fI@ldap_conf@\fR. |
option in \fI@ldap_conf@\fR. | .TP 6n |
.IP "\fBsudoOrder\fR" 4 | \fBsudoNotAfter\fR |
.IX Item "sudoOrder" | A timestamp in the form |
The \f(CW\*(C`sudoRole\*(C'\fR entries retrieved from the \s-1LDAP\s0 directory have no | \fRyyyymmddHHMMSSZ\fR |
inherent order. The \f(CW\*(C`sudoOrder\*(C'\fR attribute is an integer (or | that indicates an expiration date/time, after which the |
floating point value for \s-1LDAP\s0 servers that support it) that is used | \fRsudoRole\fR |
to sort the matching entries. This allows LDAP-based sudoers entries | will no longer be valid. |
to more closely mimic the behaviour of the sudoers file, where the | If multiple |
of the entries influences the result. If multiple entries match, | \fRsudoNotBefore\fR |
the entry with the highest \f(CW\*(C`sudoOrder\*(C'\fR attribute is chosen. This | entries are present, the last one is used. |
corresponds to the \*(L"last match\*(R" behavior of the sudoers file. If | Note that timestamps must be in Coordinated Universal Time (UTC), |
the \f(CW\*(C`sudoOrder\*(C'\fR attribute is not present, a value of 0 is assumed. | not the local timezone. |
.Sp | The minute and seconds portions are optional, but some LDAP servers |
The \f(CW\*(C`sudoOrder\*(C'\fR attribute is only available in \fBsudo\fR versions | require that they be present (contrary to the RFC). |
1.7.5 and higher. | .sp |
| The |
| \fRsudoNotAfter\fR |
| attribute is only available in |
| \fBsudo\fR |
| versions |
| 1.7.5 and higher and must be explicitly enabled via the |
| \fBSUDOERS_TIMED\fR |
| option in |
| \fI@ldap_conf@\fR. |
| .TP 6n |
| \fBsudoOrder\fR |
| The |
| \fRsudoRole\fR |
| entries retrieved from the LDAP directory have no inherent order. |
| The |
| \fRsudoOrder\fR |
| attribute is an integer (or floating point value for LDAP servers |
| that support it) that is used to sort the matching entries. |
| This allows LDAP-based sudoers entries to more closely mimic the behavior |
| of the sudoers file, where the of the entries influences the result. |
| If multiple entries match, the entry with the highest |
| \fRsudoOrder\fR |
| attribute is chosen. |
| This corresponds to the |
| ``last match'' |
| behavior of the sudoers file. |
| If the |
| \fRsudoOrder\fR |
| attribute is not present, a value of 0 is assumed. |
| .sp |
| The |
| \fRsudoOrder\fR |
| attribute is only available in |
| \fBsudo\fR |
| versions 1.7.5 and higher. |
.PP |
.PP |
Each attribute listed above should contain a single value, but there |
Each attribute listed above should contain a single value, but there |
may be multiple instances of each attribute type. A \f(CW\*(C`sudoRole\*(C'\fR must | may be multiple instances of each attribute type. |
contain at least one \f(CW\*(C`sudoUser\*(C'\fR, \f(CW\*(C`sudoHost\*(C'\fR and \f(CW\*(C`sudoCommand\*(C'\fR. | A |
| \fRsudoRole\fR |
| must contain at least one |
| \fRsudoUser\fR, |
| \fRsudoHost\fR |
| and |
| \fRsudoCommand\fR. |
.PP |
.PP |
The following example allows users in group wheel to run any command |
The following example allows users in group wheel to run any command |
on any host via \fBsudo\fR: | on any host via |
| \fBsudo\fR: |
| .nf |
| .sp |
| .RS 4n |
| dn: cn=%wheel,ou=SUDOers,dc=example,dc=com |
| objectClass: top |
| objectClass: sudoRole |
| cn: %wheel |
| sudoUser: %wheel |
| sudoHost: ALL |
| sudoCommand: ALL |
| .RE |
| .fi |
| .SS "Anatomy of LDAP sudoers lookup" |
| When looking up a sudoer using LDAP there are only two or three |
| LDAP queries per invocation. |
| The first query is to parse the global options. |
| The second is to match against the user's name and the groups that |
| the user belongs to. |
| (The special |
| \fRALL\fR |
| tag is matched in this query too.) |
| If no match is returned for the user's name and groups, a third |
| query returns all entries containing user netgroups and checks |
| to see if the user belongs to any of them. |
.PP |
.PP |
.Vb 7 | If timed entries are enabled with the |
\& dn: cn=%wheel,ou=SUDOers,dc=example,dc=com | \fBSUDOERS_TIMED\fR |
\& objectClass: top | configuration directive, the LDAP queries include a sub-filter that |
\& objectClass: sudoRole | limits retrieval to entries that satisfy the time constraints, if any. |
\& cn: %wheel | .SS "Differences between LDAP and non-LDAP sudoers" |
\& sudoUser: %wheel | |
\& sudoHost: ALL | |
\& sudoCommand: ALL | |
.Ve | |
.SS "Anatomy of \s-1LDAP\s0 sudoers lookup" | |
.IX Subsection "Anatomy of LDAP sudoers lookup" | |
When looking up a sudoer using \s-1LDAP\s0 there are only two or three | |
\&\s-1LDAP\s0 queries per invocation. The first query is to parse the global | |
options. The second is to match against the user's name and the | |
groups that the user belongs to. (The special \s-1ALL\s0 tag is matched | |
in this query too.) If no match is returned for the user's name | |
and groups, a third query returns all entries containing user | |
netgroups and checks to see if the user belongs to any of them. | |
.PP | |
If timed entries are enabled with the \fB\s-1SUDOERS_TIMED\s0\fR configuration | |
directive, the \s-1LDAP\s0 queries include a subfilter that limits retrieval | |
to entries that satisfy the time constraints, if any. | |
.SS "Differences between \s-1LDAP\s0 and non-LDAP sudoers" | |
.IX Subsection "Differences between LDAP and non-LDAP sudoers" | |
There are some subtle differences in the way sudoers is handled |
There are some subtle differences in the way sudoers is handled |
once in \s-1LDAP\s0. Probably the biggest is that according to the \s-1RFC\s0, | once in LDAP. |
\&\s-1LDAP\s0 ordering is arbitrary and you cannot expect that Attributes | Probably the biggest is that according to the RFC, LDAP ordering |
and Entries are returned in any specific order. | is arbitrary and you cannot expect that Attributes and Entries are |
| returned in any specific order. |
.PP |
.PP |
The order in which different entries are applied can be controlled |
The order in which different entries are applied can be controlled |
using the \f(CW\*(C`sudoOrder\*(C'\fR attribute, but there is no way to guarantee | using the |
the order of attributes within a specific entry. If there are | \fRsudoOrder\fR |
conflicting command rules in an entry, the negative takes precedence. | attribute, but there is no way to guarantee the order of attributes |
| within a specific entry. |
| If there are conflicting command rules in an entry, the negative |
| takes precedence. |
This is called paranoid behavior (not necessarily the most specific |
This is called paranoid behavior (not necessarily the most specific |
match). |
match). |
.PP |
.PP |
Here is an example: |
Here is an example: |
|
.nf |
|
.sp |
|
.RS 4n |
|
# /etc/sudoers: |
|
# Allow all commands except shell |
|
johnny ALL=(root) ALL,!/bin/sh |
|
# Always allows all commands because ALL is matched last |
|
puddles ALL=(root) !/bin/sh,ALL |
|
|
|
# LDAP equivalent of johnny |
|
# Allows all commands except shell |
|
dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com |
|
objectClass: sudoRole |
|
objectClass: top |
|
cn: role1 |
|
sudoUser: johnny |
|
sudoHost: ALL |
|
sudoCommand: ALL |
|
sudoCommand: !/bin/sh |
|
|
|
# LDAP equivalent of puddles |
|
# Notice that even though ALL comes last, it still behaves like |
|
# role1 since the LDAP code assumes the more paranoid configuration |
|
dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com |
|
objectClass: sudoRole |
|
objectClass: top |
|
cn: role2 |
|
sudoUser: puddles |
|
sudoHost: ALL |
|
sudoCommand: !/bin/sh |
|
sudoCommand: ALL |
|
.RE |
|
.fi |
.PP |
.PP |
.Vb 5 |
|
\& # /etc/sudoers: |
|
\& # Allow all commands except shell |
|
\& johnny ALL=(root) ALL,!/bin/sh |
|
\& # Always allows all commands because ALL is matched last |
|
\& puddles ALL=(root) !/bin/sh,ALL |
|
\& |
|
\& # LDAP equivalent of johnny |
|
\& # Allows all commands except shell |
|
\& dn: cn=role1,ou=Sudoers,dc=my\-domain,dc=com |
|
\& objectClass: sudoRole |
|
\& objectClass: top |
|
\& cn: role1 |
|
\& sudoUser: johnny |
|
\& sudoHost: ALL |
|
\& sudoCommand: ALL |
|
\& sudoCommand: !/bin/sh |
|
\& |
|
\& # LDAP equivalent of puddles |
|
\& # Notice that even though ALL comes last, it still behaves like |
|
\& # role1 since the LDAP code assumes the more paranoid configuration |
|
\& dn: cn=role2,ou=Sudoers,dc=my\-domain,dc=com |
|
\& objectClass: sudoRole |
|
\& objectClass: top |
|
\& cn: role2 |
|
\& sudoUser: puddles |
|
\& sudoHost: ALL |
|
\& sudoCommand: !/bin/sh |
|
\& sudoCommand: ALL |
|
.Ve |
|
.PP |
|
Another difference is that negations on the Host, User or Runas are |
Another difference is that negations on the Host, User or Runas are |
currently ignored. For example, the following attributes do not | currently ignored. |
behave the way one might expect. | For example, the following attributes do not behave the way one might expect. |
| .nf |
| .sp |
| .RS 4n |
| # does not match all but joe |
| # rather, does not match anyone |
| sudoUser: !joe |
| |
| # does not match all but joe |
| # rather, matches everyone including Joe |
| sudoUser: ALL |
| sudoUser: !joe |
| |
| # does not match all but web01 |
| # rather, matches all hosts including web01 |
| sudoHost: ALL |
| sudoHost: !web01 |
| .RE |
| .fi |
| .SS "Sudoers schema" |
| In order to use |
| \fBsudo\fR's |
| LDAP support, the |
| \fBsudo\fR |
| schema must be |
| installed on your LDAP server. |
| In addition, be sure to index the |
| \fRsudoUser\fR |
| attribute. |
.PP |
.PP |
.Vb 3 | Three versions of the schema: one for OpenLDAP servers |
\& # does not match all but joe | (\fIschema.OpenLDAP\fR), |
\& # rather, does not match anyone | one for Netscape-derived servers |
\& sudoUser: !joe | (\fIschema.iPlanet\fR), |
\& | and one for Microsoft Active Directory |
\& # does not match all but joe | (\fIschema.ActiveDirectory\fR) |
\& # rather, matches everyone including Joe | may be found in the |
\& sudoUser: ALL | \fBsudo\fR |
\& sudoUser: !joe | distribution. |
\& | |
\& # does not match all but web01 | |
\& # rather, matches all hosts including web01 | |
\& sudoHost: ALL | |
\& sudoHost: !web01 | |
.Ve | |
.SS "Sudoers Schema" | |
.IX Subsection "Sudoers Schema" | |
In order to use \fBsudo\fR's \s-1LDAP\s0 support, the \fBsudo\fR schema must be | |
installed on your \s-1LDAP\s0 server. In addition, be sure to index the | |
\&'sudoUser' attribute. | |
.PP |
.PP |
Three versions of the schema: one for OpenLDAP servers (\fIschema.OpenLDAP\fR), | The schema for |
one for Netscape-derived servers (\fIschema.iPlanet\fR), and one for | \fBsudo\fR |
Microsoft Active Directory (\fIschema.ActiveDirectory\fR) may | in OpenLDAP form is also included in the |
be found in the \fBsudo\fR distribution. | \fIEXAMPLES\fR |
.PP | |
The schema for \fBsudo\fR in OpenLDAP form is included in the \s-1EXAMPLES\s0 | |
section. |
section. |
.SS "Configuring ldap.conf" |
.SS "Configuring ldap.conf" |
.IX Subsection "Configuring ldap.conf" | Sudo reads the |
Sudo reads the \fI@ldap_conf@\fR file for LDAP-specific configuration. | \fI@ldap_conf@\fR |
Typically, this file is shared amongst different LDAP-aware clients. | file for LDAP-specific configuration. |
As such, most of the settings are not \fBsudo\fR\-specific. Note that | Typically, this file is shared between different LDAP-aware clients. |
\&\fBsudo\fR parses \fI@ldap_conf@\fR itself and may support options | As such, most of the settings are not |
that differ from those described in the \fIldap.conf\fR\|(@mansectform@) manual. | \fBsudo\fR-specific. |
| Note that |
| \fBsudo\fR |
| parses |
| \fI@ldap_conf@\fR |
| itself and may support options that differ from those described in the |
| system's |
| ldap.conf(@mansectsu@) |
| manual. |
| The path to |
| \fIldap.conf\fR |
| may be overridden via the |
| \fIldap_conf\fR |
| plugin argument in |
| sudo.conf(@mansectform@). |
.PP |
.PP |
Also note that on systems using the OpenLDAP libraries, default |
Also note that on systems using the OpenLDAP libraries, default |
values specified in \fI/etc/openldap/ldap.conf\fR or the user's | values specified in |
\&\fI.ldaprc\fR files are not used. | \fI/etc/openldap/ldap.conf\fR |
| or the user's |
| \fI.ldaprc\fR |
| files are not used. |
.PP |
.PP |
Only those options explicitly listed in \fI@ldap_conf@\fR as being | Only those options explicitly listed in |
supported by \fBsudo\fR are honored. Configuration options are listed | \fI@ldap_conf@\fR |
below in upper case but are parsed in a case-independent manner. | as being supported by |
.IP "\fB\s-1URI\s0\fR ldap[s]://[hostname[:port]] ..." 4 | \fBsudo\fR |
.IX Item "URI ldap[s]://[hostname[:port]] ..." | are honored. |
Specifies a whitespace-delimited list of one or more URIs describing | Configuration options are listed below in upper case but are parsed |
the \s-1LDAP\s0 server(s) to connect to. The \fIprotocol\fR may be either | in a case-independent manner. |
\&\fBldap\fR or \fBldaps\fR, the latter being for servers that support \s-1TLS\s0 | .PP |
(\s-1SSL\s0) encryption. If no \fIport\fR is specified, the default is port | Long lines can be continued with a backslash |
389 for \f(CW\*(C`ldap://\*(C'\fR or port 636 for \f(CW\*(C`ldaps://\*(C'\fR. If no \fIhostname\fR | (`\e') |
is specified, \fBsudo\fR will connect to \fBlocalhost\fR. Multiple \fB\s-1URI\s0\fR | as the last character on the line. |
lines are treated identically to a \fB\s-1URI\s0\fR line containing multiple | Note that leading white space is removed from the beginning of lines |
entries. Only systems using the OpenSSL libraries support the | even when the continuation character is used. |
mixing of \f(CW\*(C`ldap://\*(C'\fR and \f(CW\*(C`ldaps://\*(C'\fR URIs. The Netscape-derived | .TP 6n |
libraries used on most commercial versions of Unix are only capable | \fBURI\fR \fIldap[s]://[hostname[:port]] ...\fR |
of supporting one or the other. | Specifies a white space-delimited list of one or more URIs describing |
.IP "\fB\s-1HOST\s0\fR name[:port] ..." 4 | the LDAP server(s) to connect to. |
.IX Item "HOST name[:port] ..." | The |
If no \fB\s-1URI\s0\fR is specified, the \fB\s-1HOST\s0\fR parameter specifies a | \fIprotocol\fR |
whitespace-delimited list of \s-1LDAP\s0 servers to connect to. Each host | may be either |
may include an optional \fIport\fR separated by a colon (':'). The | \fIldap\fR |
\&\fB\s-1HOST\s0\fR parameter is deprecated in favor of the \fB\s-1URI\s0\fR specification | \fIldaps\fR, |
and is included for backwards compatibility. | the latter being for servers that support TLS (SSL) encryption. |
.IP "\fB\s-1PORT\s0\fR port_number" 4 | If no |
.IX Item "PORT port_number" | \fIport\fR |
If no \fB\s-1URI\s0\fR is specified, the \fB\s-1PORT\s0\fR parameter specifies the | is specified, the default is port 389 for |
default port to connect to on the \s-1LDAP\s0 server if a \fB\s-1HOST\s0\fR parameter | \fRldap://\fR |
does not specify the port itself. If no \fB\s-1PORT\s0\fR parameter is used, | or port 636 for |
the default is port 389 for \s-1LDAP\s0 and port 636 for \s-1LDAP\s0 over \s-1TLS\s0 | \fRldaps://\fR. |
(\s-1SSL\s0). The \fB\s-1PORT\s0\fR parameter is deprecated in favor of the \fB\s-1URI\s0\fR | If no |
| \fIhostname\fR |
| is specified, |
| \fBsudo\fR |
| will connect to |
| \fIlocalhost\fR. |
| Multiple |
| \fBURI\fR |
| lines are treated identically to a |
| \fBURI\fR |
| line containing multiple entries. |
| Only systems using the OpenSSL libraries support the mixing of |
| \fRldap://\fR |
| and |
| \fRldaps://\fR |
| URIs. |
| Both the Netscape-derived and Tivoli LDAP libraries used on most commercial |
| versions of Unix are only capable of supporting one or the other. |
| .TP 6n |
| \fBHOST\fR \fIname[:port] ...\fR |
| If no |
| \fBURI\fR |
| is specified, the |
| \fBHOST\fR |
| parameter specifies a white space-delimited list of LDAP servers to connect to. |
| Each host may include an optional |
| \fIport\fR |
| separated by a colon |
| (`:\&'). |
| The |
| \fBHOST\fR |
| parameter is deprecated in favor of the |
| \fBURI\fR |
specification and is included for backwards compatibility. |
specification and is included for backwards compatibility. |
.IP "\fB\s-1BIND_TIMELIMIT\s0\fR seconds" 4 | .TP 6n |
.IX Item "BIND_TIMELIMIT seconds" | \fBPORT\fR \fIport_number\fR |
The \fB\s-1BIND_TIMELIMIT\s0\fR parameter specifies the amount of time, in seconds, | If no |
to wait while trying to connect to an \s-1LDAP\s0 server. If multiple \fB\s-1URI\s0\fRs or | \fBURI\fR |
\&\fB\s-1HOST\s0\fRs are specified, this is the amount of time to wait before trying | is specified, the |
| \fBPORT\fR |
| parameter specifies the default port to connect to on the LDAP server if a |
| \fBHOST\fR |
| parameter does not specify the port itself. |
| If no |
| \fBPORT\fR |
| parameter is used, the default is port 389 for LDAP and port 636 for LDAP |
| over TLS (SSL). |
| The |
| \fBPORT\fR |
| parameter is deprecated in favor of the |
| \fBURI\fR |
| specification and is included for backwards compatibility. |
| .TP 6n |
| \fBBIND_TIMELIMIT\fR \fIseconds\fR |
| The |
| \fBBIND_TIMELIMIT\fR |
| parameter specifies the amount of time, in seconds, to wait while trying |
| to connect to an LDAP server. |
| If multiple |
| \fBURI\fRs |
| or |
| \fBHOST\fRs |
| are specified, this is the amount of time to wait before trying |
the next one in the list. |
the next one in the list. |
.IP "\fB\s-1NETWORK_TIMEOUT\s0\fR seconds" 4 | .TP 6n |
.IX Item "NETWORK_TIMEOUT seconds" | \fBNETWORK_TIMEOUT\fR \fIseconds\fR |
An alias for \fB\s-1BIND_TIMELIMIT\s0\fR for OpenLDAP compatibility. | An alias for |
.IP "\fB\s-1TIMELIMIT\s0\fR seconds" 4 | \fBBIND_TIMELIMIT\fR |
.IX Item "TIMELIMIT seconds" | for OpenLDAP compatibility. |
The \fB\s-1TIMELIMIT\s0\fR parameter specifies the amount of time, in seconds, | .TP 6n |
to wait for a response to an \s-1LDAP\s0 query. | \fBTIMELIMIT\fR \fIseconds\fR |
.IP "\fB\s-1TIMEOUT\s0\fR seconds" 4 | The |
.IX Item "TIMEOUT seconds" | \fBTIMELIMIT\fR |
The \fB\s-1TIMEOUT\s0\fR parameter specifies the amount of time, in seconds, | parameter specifies the amount of time, in seconds, to wait for a |
to wait for a response from the various \s-1LDAP\s0 APIs. | response to an LDAP query. |
.IP "\fB\s-1SUDOERS_BASE\s0\fR base" 4 | .TP 6n |
.IX Item "SUDOERS_BASE base" | \fBTIMEOUT\fR \fIseconds\fR |
The base \s-1DN\s0 to use when performing \fBsudo\fR \s-1LDAP\s0 queries. Typically | The |
this is of the form \f(CW\*(C`ou=SUDOers,dc=example,dc=com\*(C'\fR for the domain | \fBTIMEOUT\fR |
\&\f(CW\*(C`example.com\*(C'\fR. Multiple \fB\s-1SUDOERS_BASE\s0\fR lines may be specified, | parameter specifies the amount of time, in seconds, to wait for a |
in which case they are queried in the order specified. | response from the various LDAP APIs. |
.IP "\fB\s-1SUDOERS_SEARCH_FILTER\s0\fR ldap_filter" 4 | .TP 6n |
.IX Item "SUDOERS_SEARCH_FILTER ldap_filter" | \fBSUDOERS_BASE\fR \fIbase\fR |
An \s-1LDAP\s0 filter which is used to restrict the set of records returned | The base DN to use when performing |
when performing a \fBsudo\fR \s-1LDAP\s0 query. Typically, this is of the | \fBsudo\fR |
form \f(CW\*(C`attribute=value\*(C'\fR or \f(CW\*(C`(&(attribute=value)(attribute2=value2))\*(C'\fR. | LDAP queries. |
.IP "\fB\s-1SUDOERS_TIMED\s0\fR on/true/yes/off/false/no" 4 | Typically this is of the form |
.IX Item "SUDOERS_TIMED on/true/yes/off/false/no" | \fRou=SUDOers,dc=example,dc=com\fR |
Whether or not to evaluate the \f(CW\*(C`sudoNotBefore\*(C'\fR and \f(CW\*(C`sudoNotAfter\*(C'\fR | for the domain |
| \fRexample.com\fR. |
| Multiple |
| \fBSUDOERS_BASE\fR |
| lines may be specified, in which case they are queried in the order specified. |
| .TP 6n |
| \fBSUDOERS_SEARCH_FILTER\fR \fIldap_filter\fR |
| An LDAP filter which is used to restrict the set of records returned |
| when performing a |
| \fBsudo\fR |
| LDAP query. |
| Typically, this is of the |
| form |
| \fRattribute=value\fR |
| or |
| \fR(&(attribute=value)(attribute2=value2))\fR. |
| .TP 6n |
| \fBSUDOERS_TIMED\fR \fIon/true/yes/off/false/no\fR |
| Whether or not to evaluate the |
| \fRsudoNotBefore\fR |
| and |
| \fRsudoNotAfter\fR |
attributes that implement time-dependent sudoers entries. |
attributes that implement time-dependent sudoers entries. |
.IP "\fB\s-1SUDOERS_DEBUG\s0\fR debug_level" 4 | .TP 6n |
.IX Item "SUDOERS_DEBUG debug_level" | \fBSUDOERS_DEBUG\fR \fIdebug_level\fR |
This sets the debug level for \fBsudo\fR \s-1LDAP\s0 queries. Debugging | This sets the debug level for |
information is printed to the standard error. A value of 1 results | \fBsudo\fR |
in a moderate amount of debugging information. A value of 2 shows | LDAP queries. |
the results of the matches themselves. This parameter should not | Debugging information is printed to the standard error. |
be set in a production environment as the extra information is | A value of 1 results in a moderate amount of debugging information. |
likely to confuse users. | A value of 2 shows the results of the matches themselves. |
.IP "\fB\s-1BINDDN\s0\fR \s-1DN\s0" 4 | This parameter should not be set in a production environment as the |
.IX Item "BINDDN DN" | extra information is likely to confuse users. |
The \fB\s-1BINDDN\s0\fR parameter specifies the identity, in the form of a | .sp |
Distinguished Name (\s-1DN\s0), to use when performing \s-1LDAP\s0 operations. | The |
If not specified, \s-1LDAP\s0 operations are performed with an anonymous | \fBSUDOERS_DEBUG\fR |
identity. By default, most \s-1LDAP\s0 servers will allow anonymous access. | parameter is deprecated and will be removed in a future release. |
.IP "\fB\s-1BINDPW\s0\fR secret" 4 | The same information is now logged via the |
.IX Item "BINDPW secret" | \fBsudo\fR |
The \fB\s-1BINDPW\s0\fR parameter specifies the password to use when performing | debugging framework using the |
\&\s-1LDAP\s0 operations. This is typically used in conjunction with the | ``ldap'' |
\&\fB\s-1BINDDN\s0\fR parameter. | subsystem at priorities |
.IP "\fB\s-1ROOTBINDDN\s0\fR \s-1DN\s0" 4 | \fIdiag\fR |
.IX Item "ROOTBINDDN DN" | and |
The \fB\s-1ROOTBINDDN\s0\fR parameter specifies the identity, in the form of | \fIinfo\fR |
a Distinguished Name (\s-1DN\s0), to use when performing privileged \s-1LDAP\s0 | for |
operations, such as \fIsudoers\fR queries. The password corresponding | \fIdebug_level\fR |
to the identity should be stored in \fI@ldap_secret@\fR. | values 1 and 2 respectively. |
If not specified, the \fB\s-1BINDDN\s0\fR identity is used (if any). | See the |
.IP "\fB\s-1LDAP_VERSION\s0\fR number" 4 | sudo.conf(@mansectform@) |
.IX Item "LDAP_VERSION number" | manual for details on how to configure |
The version of the \s-1LDAP\s0 protocol to use when connecting to the server. | \fBsudo\fR |
| debugging. |
| .TP 6n |
| \fBBINDDN\fR \fIDN\fR |
| The |
| \fBBINDDN\fR |
| parameter specifies the identity, in the form of a Distinguished Name (DN), |
| to use when performing LDAP operations. |
| If not specified, LDAP operations are performed with an anonymous identity. |
| By default, most LDAP servers will allow anonymous access. |
| .TP 6n |
| \fBBINDPW\fR \fIsecret\fR |
| The |
| \fBBINDPW\fR |
| parameter specifies the password to use when performing LDAP operations. |
| This is typically used in conjunction with the |
| \fBBINDDN\fR |
| parameter. |
| .TP 6n |
| \fBROOTBINDDN\fR \fIDN\fR |
| The |
| \fBROOTBINDDN\fR |
| parameter specifies the identity, in the form of a Distinguished Name (DN), |
| to use when performing privileged LDAP operations, such as |
| \fIsudoers\fR |
| queries. |
| The password corresponding to the identity should be stored in the |
| or the path specified by the |
| \fIldap_secret\fR |
| plugin argument in |
| sudo.conf(@mansectform@), |
| which defaults to |
| \fI@ldap_secret@\fR. |
| If no |
| \fBROOTBINDDN\fR |
| is specified, the |
| \fBBINDDN\fR |
| identity is used (if any). |
| .TP 6n |
| \fBLDAP_VERSION\fR \fInumber\fR |
| The version of the LDAP protocol to use when connecting to the server. |
The default value is protocol version 3. |
The default value is protocol version 3. |
.IP "\fB\s-1SSL\s0\fR on/true/yes/off/false/no" 4 | .TP 6n |
.IX Item "SSL on/true/yes/off/false/no" | \fBSSL\fR \fIon/true/yes/off/false/no\fR |
If the \fB\s-1SSL\s0\fR parameter is set to \f(CW\*(C`on\*(C'\fR, \f(CW\*(C`true\*(C'\fR or \f(CW\*(C`yes\*(C'\fR, \s-1TLS\s0 | If the |
(\s-1SSL\s0) encryption is always used when communicating with the \s-1LDAP\s0 | \fBSSL\fR |
server. Typically, this involves connecting to the server on port | parameter is set to |
636 (ldaps). | \fRon\fR, |
.IP "\fB\s-1SSL\s0\fR start_tls" 4 | \fRtrue\fR |
.IX Item "SSL start_tls" | \fRor\fR |
If the \fB\s-1SSL\s0\fR parameter is set to \f(CW\*(C`start_tls\*(C'\fR, the \s-1LDAP\s0 server | \fRyes\fR, |
connection is initiated normally and \s-1TLS\s0 encryption is begun before | TLS (SSL) encryption is always used when communicating with the LDAP server. |
the bind credentials are sent. This has the advantage of not | Typically, this involves connecting to the server on port 636 (ldaps). |
requiring a dedicated port for encrypted communications. This | .TP 6n |
parameter is only supported by \s-1LDAP\s0 servers that honor the \f(CW\*(C`start_tls\*(C'\fR | \fBSSL\fR \fIstart_tls\fR |
extension, such as the OpenLDAP server. | If the |
.IP "\fB\s-1TLS_CHECKPEER\s0\fR on/true/yes/off/false/no" 4 | \fBSSL\fR |
.IX Item "TLS_CHECKPEER on/true/yes/off/false/no" | parameter is set to |
If enabled, \fB\s-1TLS_CHECKPEER\s0\fR will cause the \s-1LDAP\s0 server's \s-1TLS\s0 | \fRstart_tls\fR, |
certificated to be verified. If the server's \s-1TLS\s0 certificate cannot | the LDAP server connection is initiated normally and TLS encryption is |
be verified (usually because it is signed by an unknown certificate | begun before the bind credentials are sent. |
authority), \fBsudo\fR will be unable to connect to it. If \fB\s-1TLS_CHECKPEER\s0\fR | This has the advantage of not requiring a dedicated port for encrypted |
is disabled, no check is made. Note that disabling the check creates | communications. |
an opportunity for man-in-the-middle attacks since the server's | This parameter is only supported by LDAP servers that honor the |
identity will not be authenticated. If possible, the \s-1CA\s0's certificate | \fIstart_tls\fR |
should be installed locally so it can be verified. | extension, such as the OpenLDAP and Tivoli Directory servers. |
.IP "\fB\s-1TLS_CACERT\s0\fR file name" 4 | .TP 6n |
.IX Item "TLS_CACERT file name" | \fBTLS_CHECKPEER\fR \fIon/true/yes/off/false/no\fR |
An alias for \fB\s-1TLS_CACERTFILE\s0\fR for OpenLDAP compatibility. | If enabled, |
.IP "\fB\s-1TLS_CACERTFILE\s0\fR file name" 4 | \fBTLS_CHECKPEER\fR |
.IX Item "TLS_CACERTFILE file name" | will cause the LDAP server's TLS certificated to be verified. |
| If the server's TLS certificate cannot be verified (usually because it |
| is signed by an unknown certificate authority), |
| \fBsudo\fR |
| will be unable to connect to it. |
| If |
| \fBTLS_CHECKPEER\fR |
| is disabled, no check is made. |
| Note that disabling the check creates an opportunity for man-in-the-middle |
| attacks since the server's identity will not be authenticated. |
| If possible, the CA's certificate should be installed locally so it can |
| be verified. |
| This option is not supported by the Tivoli Directory Server LDAP libraries. |
| .TP 6n |
| \fBTLS_CACERT\fR \fIfile name\fR |
| An alias for |
| \fBTLS_CACERTFILE\fR |
| for OpenLDAP compatibility. |
| .TP 6n |
| \fBTLS_CACERTFILE\fR \fIfile name\fR |
The path to a certificate authority bundle which contains the certificates |
The path to a certificate authority bundle which contains the certificates |
for all the Certificate Authorities the client knows to be valid, | for all the Certificate Authorities the client knows to be valid, e.g.\& |
e.g. \fI/etc/ssl/ca\-bundle.pem\fR. | \fI/etc/ssl/ca-bundle.pem\fR. |
This option is only supported by the OpenLDAP libraries. |
This option is only supported by the OpenLDAP libraries. |
Netscape-derived \s-1LDAP\s0 libraries use the same certificate | Netscape-derived LDAP libraries use the same certificate |
database for \s-1CA\s0 and client certificates (see \fB\s-1TLS_CERT\s0\fR). | database for CA and client certificates (see |
.IP "\fB\s-1TLS_CACERTDIR\s0\fR directory" 4 | \fBTLS_CERT\fR). |
.IX Item "TLS_CACERTDIR directory" | .TP 6n |
Similar to \fB\s-1TLS_CACERTFILE\s0\fR but instead of a file, it is a | \fBTLS_CACERTDIR\fR \fIdirectory\fR |
directory containing individual Certificate Authority certificates, | Similar to |
e.g. \fI/etc/ssl/certs\fR. | \fBTLS_CACERTFILE\fR |
The directory specified by \fB\s-1TLS_CACERTDIR\s0\fR is checked after | but instead of a file, it is a directory containing individual |
\&\fB\s-1TLS_CACERTFILE\s0\fR. | Certificate Authority certificates, e.g.\& |
| \fI/etc/ssl/certs\fR. |
| The directory specified by |
| \fBTLS_CACERTDIR\fR |
| is checked after |
| \fBTLS_CACERTFILE\fR. |
This option is only supported by the OpenLDAP libraries. |
This option is only supported by the OpenLDAP libraries. |
.IP "\fB\s-1TLS_CERT\s0\fR file name" 4 | .TP 6n |
.IX Item "TLS_CERT file name" | \fBTLS_CERT\fR \fIfile name\fR |
The path to a file containing the client certificate which can |
The path to a file containing the client certificate which can |
be used to authenticate the client to the \s-1LDAP\s0 server. | be used to authenticate the client to the LDAP server. |
The certificate type depends on the \s-1LDAP\s0 libraries used. | The certificate type depends on the LDAP libraries used. |
.Sp | .RS |
| .TP 6n |
OpenLDAP: |
OpenLDAP: |
\f(CW\*(C`tls_cert /etc/ssl/client_cert.pem\*(C'\fR | \fRtls_cert /etc/ssl/client_cert.pem\fR |
.Sp | .TP 6n |
Netscape-derived: |
Netscape-derived: |
\f(CW\*(C`tls_cert /var/ldap/cert7.db\*(C'\fR | \fRtls_cert /var/ldap/cert7.db\fR |
.Sp | .TP 6n |
| Tivoli Directory Server: |
| Unused, the key database specified by |
| \fBTLS_KEY\fR |
| contains both keys and certificates. |
| .sp |
When using Netscape-derived libraries, this file may also contain |
When using Netscape-derived libraries, this file may also contain |
Certificate Authority certificates. |
Certificate Authority certificates. |
.IP "\fB\s-1TLS_KEY\s0\fR file name" 4 | .PP |
.IX Item "TLS_KEY file name" | .RE |
| .PD 0 |
| .TP 6n |
| \fBTLS_KEY\fR \fIfile name\fR |
The path to a file containing the private key which matches the |
The path to a file containing the private key which matches the |
certificate specified by \fB\s-1TLS_CERT\s0\fR. The private key must not be | certificate specified by |
password-protected. The key type depends on the \s-1LDAP\s0 libraries | \fBTLS_CERT\fR. |
used. | The private key must not be password-protected. |
.Sp | The key type depends on the LDAP libraries used. |
| .RS |
| .PD |
| .TP 6n |
OpenLDAP: |
OpenLDAP: |
\f(CW\*(C`tls_key /etc/ssl/client_key.pem\*(C'\fR | \fRtls_key /etc/ssl/client_key.pem\fR |
.Sp | .TP 6n |
Netscape-derived: |
Netscape-derived: |
\f(CW\*(C`tls_key /var/ldap/key3.db\*(C'\fR | \fRtls_key /var/ldap/key3.db\fR |
.IP "\fB\s-1TLS_RANDFILE\s0\fR file name" 4 | .TP 6n |
.IX Item "TLS_RANDFILE file name" | Tivoli Directory Server: |
The \fB\s-1TLS_RANDFILE\s0\fR parameter specifies the path to an entropy | \fRtls_cert /usr/ldap/ldapkey.kdb\fR |
source for systems that lack a random device. It is generally used | .PD 0 |
in conjunction with \fIprngd\fR or \fIegd\fR. | .PP |
| .PD |
| When using Tivoli LDAP libraries, this file may also contain |
| Certificate Authority and client certificates and may be encrypted. |
| .PP |
| .RE |
| .PD 0 |
| .TP 6n |
| \fBTLS_KEYPW\fR \fIsecret\fR |
| The |
| \fBTLS_KEYPW\fR |
| contains the password used to decrypt the key database on clients |
| using the Tivoli Directory Server LDAP library. |
| If no |
| \fBTLS_KEYPW\fR |
| is specified, a |
| \fIstash file\fR |
| will be used if it exists. |
| The |
| \fIstash file\fR |
| must have the same path as the file specified by |
| \fBTLS_KEY\fR, |
| but use a |
| \fR.sth\fR |
| file extension instead of |
| \fR.kdb\fR, |
| e.g.\& |
| \fRldapkey.sth\fR. |
| The default |
| \fRldapkey.kdb\fR |
| that ships with Tivoli Directory Server is encrypted with the password |
| \fRssl_password\fR. |
| This option is only supported by the Tivoli LDAP libraries. |
| .PD |
| .TP 6n |
| \fBTLS_RANDFILE\fR \fIfile name\fR |
| The |
| \fBTLS_RANDFILE\fR |
| parameter specifies the path to an entropy source for systems that lack |
| a random device. |
| It is generally used in conjunction with |
| \fIprngd\fR |
| or |
| \fIegd\fR. |
This option is only supported by the OpenLDAP libraries. |
This option is only supported by the OpenLDAP libraries. |
.IP "\fB\s-1TLS_CIPHERS\s0\fR cipher list" 4 | .TP 6n |
.IX Item "TLS_CIPHERS cipher list" | \fBTLS_CIPHERS\fR \fIcipher list\fR |
The \fB\s-1TLS_CIPHERS\s0\fR parameter allows the administer to restrict | The |
which encryption algorithms may be used for \s-1TLS\s0 (\s-1SSL\s0) connections. | \fBTLS_CIPHERS\fR |
See the OpenSSL manual for a list of valid ciphers. | parameter allows the administer to restrict which encryption algorithms |
This option is only supported by the OpenLDAP libraries. | may be used for TLS (SSL) connections. |
.IP "\fB\s-1USE_SASL\s0\fR on/true/yes/off/false/no" 4 | See the OpenLDAP or Tivoli Directory Server manual for a list of valid |
.IX Item "USE_SASL on/true/yes/off/false/no" | ciphers. |
Enable \fB\s-1USE_SASL\s0\fR for \s-1LDAP\s0 servers that support \s-1SASL\s0 authentication. | This option is not supported by Netscape-derived libraries. |
.IP "\fB\s-1SASL_AUTH_ID\s0\fR identity" 4 | .TP 6n |
.IX Item "SASL_AUTH_ID identity" | \fBUSE_SASL\fR \fIon/true/yes/off/false/no\fR |
The \s-1SASL\s0 user name to use when connecting to the \s-1LDAP\s0 server. | Enable |
By default, \fBsudo\fR will use an anonymous connection. | \fBUSE_SASL\fR |
.IP "\fB\s-1ROOTUSE_SASL\s0\fR on/true/yes/off/false/no" 4 | for LDAP servers that support SASL authentication. |
.IX Item "ROOTUSE_SASL on/true/yes/off/false/no" | .TP 6n |
Enable \fB\s-1ROOTUSE_SASL\s0\fR to enable \s-1SASL\s0 authentication when connecting | \fBSASL_AUTH_ID\fR \fIidentity\fR |
to an \s-1LDAP\s0 server from a privileged process, such as \fBsudo\fR. | The SASL user name to use when connecting to the LDAP server. |
.IP "\fB\s-1ROOTSASL_AUTH_ID\s0\fR identity" 4 | By default, |
.IX Item "ROOTSASL_AUTH_ID identity" | \fBsudo\fR |
The \s-1SASL\s0 user name to use when \fB\s-1ROOTUSE_SASL\s0\fR is enabled. | will use an anonymous connection. |
.IP "\fB\s-1SASL_SECPROPS\s0\fR none/properties" 4 | .TP 6n |
.IX Item "SASL_SECPROPS none/properties" | \fBROOTUSE_SASL\fR \fIon/true/yes/off/false/no\fR |
\&\s-1SASL\s0 security properties or \fInone\fR for no properties. See the | Enable |
\&\s-1SASL\s0 programmer's manual for details. | \fBROOTUSE_SASL\fR |
.IP "\fB\s-1KRB5_CCNAME\s0\fR file name" 4 | to enable SASL authentication when connecting |
.IX Item "KRB5_CCNAME file name" | to an LDAP server from a privileged process, such as |
| \fBsudo\fR. |
| .TP 6n |
| \fBROOTSASL_AUTH_ID\fR \fIidentity\fR |
| The SASL user name to use when |
| \fBROOTUSE_SASL\fR |
| is enabled. |
| .TP 6n |
| \fBSASL_SECPROPS\fR \fInone/properties\fR |
| SASL security properties or |
| \fInone\fR |
| for no properties. |
| See the SASL programmer's manual for details. |
| .TP 6n |
| \fBKRB5_CCNAME\fR \fIfile name\fR |
The path to the Kerberos 5 credential cache to use when authenticating |
The path to the Kerberos 5 credential cache to use when authenticating |
with the remote server. |
with the remote server. |
.IP "\fB\s-1DEREF\s0\fR never/searching/finding/always" 4 | .TP 6n |
.IX Item "DEREF never/searching/finding/always" | \fBDEREF\fR \fInever/searching/finding/always\fR |
How alias dereferencing is to be performed when searching. See the | How alias dereferencing is to be performed when searching. |
\&\fIldap.conf\fR\|(@mansectform@) manual for a full description of this option. | See the |
| ldap.conf(@mansectsu@) |
| manual for a full description of this option. |
.PP |
.PP |
See the \f(CW\*(C`ldap.conf\*(C'\fR entry in the \s-1EXAMPLES\s0 section. | See the |
| \fIldap.conf\fR |
| entry in the |
| \fIEXAMPLES\fR |
| section. |
.SS "Configuring nsswitch.conf" |
.SS "Configuring nsswitch.conf" |
.IX Subsection "Configuring nsswitch.conf" | Unless it is disabled at build time, |
Unless it is disabled at build time, \fBsudo\fR consults the Name | \fBsudo\fR |
Service Switch file, \fI@nsswitch_conf@\fR, to specify the \fIsudoers\fR | consults the Name Service Switch file, |
search order. Sudo looks for a line beginning with \f(CW\*(C`sudoers\*(C'\fR: and | \fI@nsswitch_conf@\fR, |
uses this to determine the search order. Note that \fBsudo\fR does | to specify the |
| \fIsudoers\fR |
| search order. |
| Sudo looks for a line beginning with |
| \fRsudoers\fR: |
| and uses this to determine the search order. |
| Note that |
| \fBsudo\fR |
| does |
not stop searching after the first match and later matches take |
not stop searching after the first match and later matches take |
precedence over earlier ones. |
precedence over earlier ones. |
.PP |
|
The following sources are recognized: |
The following sources are recognized: |
|
.TP 10n |
|
files |
|
read sudoers from |
|
\fI@sysconfdir@/sudoers\fR |
|
.PD 0 |
|
.TP 10n |
|
ldap |
|
read sudoers from LDAP |
|
.PD |
.PP |
.PP |
.Vb 2 | In addition, the entry |
\& files read sudoers from F<@sysconfdir@/sudoers> | \fR[NOTFOUND=return]\fR |
\& ldap read sudoers from LDAP | will short-circuit the search if the user was not found in the |
.Ve | preceding source. |
.PP |
.PP |
In addition, the entry \f(CW\*(C`[NOTFOUND=return]\*(C'\fR will short-circuit the | To consult LDAP first followed by the local sudoers file (if it |
search if the user was not found in the preceding source. | |
.PP | |
To consult \s-1LDAP\s0 first followed by the local sudoers file (if it | |
exists), use: |
exists), use: |
|
.nf |
|
.sp |
|
.RS 4n |
|
sudoers: ldap files |
|
.RE |
|
.fi |
.PP |
.PP |
.Vb 1 | The local |
\& sudoers: ldap files | \fIsudoers\fR |
.Ve | file can be ignored completely by using: |
| .nf |
| .sp |
| .RS 4n |
| sudoers: ldap |
| .RE |
| .fi |
.PP |
.PP |
The local \fIsudoers\fR file can be ignored completely by using: | If the |
| \fI@nsswitch_conf@\fR |
| file is not present or there is no sudoers line, the following |
| default is assumed: |
| .nf |
| .sp |
| .RS 4n |
| sudoers: files |
| .RE |
| .fi |
.PP |
.PP |
.Vb 1 | Note that |
\& sudoers: ldap | \fI@nsswitch_conf@\fR |
.Ve | is supported even when the underlying operating system does not use |
.PP | an nsswitch.conf file, except on AIX (see below). |
If the \fI@nsswitch_conf@\fR file is not present or there is no | |
sudoers line, the following default is assumed: | |
.PP | |
.Vb 1 | |
\& sudoers: files | |
.Ve | |
.PP | |
Note that \fI@nsswitch_conf@\fR is supported even when the underlying | |
operating system does not use an nsswitch.conf file. | |
.SS "Configuring netsvc.conf" |
.SS "Configuring netsvc.conf" |
.IX Subsection "Configuring netsvc.conf" | On AIX systems, the |
On \s-1AIX\s0 systems, the \fI@netsvc_conf@\fR file is consulted instead of | \fI@netsvc_conf@\fR |
\&\fI@nsswitch_conf@\fR. \fBsudo\fR simply treats \fInetsvc.conf\fR as a | file is consulted instead of |
variant of \fInsswitch.conf\fR; information in the previous section | \fI@nsswitch_conf@\fR. |
unrelated to the file format itself still applies. | \fBsudo\fR |
| simply treats |
| \fInetsvc.conf\fR |
| as a variant of |
| \fInsswitch.conf\fR; |
| information in the previous section unrelated to the file format |
| itself still applies. |
.PP |
.PP |
To consult \s-1LDAP\s0 first followed by the local sudoers file (if it | To consult LDAP first followed by the local sudoers file (if it |
exists), use: |
exists), use: |
|
.nf |
|
.sp |
|
.RS 4n |
|
sudoers = ldap, files |
|
.RE |
|
.fi |
.PP |
.PP |
.Vb 1 | The local |
\& sudoers = ldap, files | \fIsudoers\fR |
.Ve | file can be ignored completely by using: |
| .nf |
| .sp |
| .RS 4n |
| sudoers = ldap |
| .RE |
| .fi |
.PP |
.PP |
The local \fIsudoers\fR file can be ignored completely by using: | To treat LDAP as authoritative and only use the local sudoers file |
| if the user is not present in LDAP, use: |
| .nf |
| .sp |
| .RS 4n |
| sudoers = ldap = auth, files |
| .RE |
| .fi |
.PP |
.PP |
.Vb 1 | Note that in the above example, the |
\& sudoers = ldap | \fRauth\fR |
.Ve | qualifier only affects user lookups; both LDAP and |
.PP | \fIsudoers\fR |
To treat \s-1LDAP\s0 as authoratative and only use the local sudoers file | will be queried for |
if the user is not present in \s-1LDAP\s0, use: | \fRDefaults\fR |
.PP | |
.Vb 1 | |
\& sudoers = ldap = auth, files | |
.Ve | |
.PP | |
Note that in the above example, the \f(CW\*(C`auth\*(C'\fR qualfier only affects | |
user lookups; both \s-1LDAP\s0 and \fIsudoers\fR will be queried for \f(CW\*(C`Defaults\*(C'\fR | |
entries. |
entries. |
.PP |
.PP |
If the \fI@netsvc_conf@\fR file is not present or there is no | If the |
sudoers line, the following default is assumed: | \fI@netsvc_conf@\fR |
.PP | file is not present or there is no sudoers line, the following |
.Vb 1 | default is assumed: |
\& sudoers = files | .nf |
.Ve | .sp |
| .RS 4n |
| sudoers = files |
| .RE |
| .fi |
.SH "FILES" |
.SH "FILES" |
.IX Header "FILES" | .TP 26n |
.ie n .IP "\fI@ldap_conf@\fR" 24 | \fI@ldap_conf@\fR |
.el .IP "\fI@ldap_conf@\fR" 24 | LDAP configuration file |
.IX Item "@ldap_conf@" | .TP 26n |
\&\s-1LDAP\s0 configuration file | \fI@nsswitch_conf@\fR |
.ie n .IP "\fI@nsswitch_conf@\fR" 24 | |
.el .IP "\fI@nsswitch_conf@\fR" 24 | |
.IX Item "@nsswitch_conf@" | |
determines sudoers source order |
determines sudoers source order |
.ie n .IP "\fI@netsvc_conf@\fR" 24 | .TP 26n |
.el .IP "\fI@netsvc_conf@\fR" 24 | \fI@netsvc_conf@\fR |
.IX Item "@netsvc_conf@" | determines sudoers source order on AIX |
determines sudoers source order on \s-1AIX\s0 | |
.SH "EXAMPLES" |
.SH "EXAMPLES" |
.IX Header "EXAMPLES" |
|
.SS "Example ldap.conf" |
.SS "Example ldap.conf" |
.IX Subsection "Example ldap.conf" | .nf |
.Vb 10 | .RS 2n |
\& # Either specify one or more URIs or one or more host:port pairs. | # Either specify one or more URIs or one or more host:port pairs. |
\& # If neither is specified sudo will default to localhost, port 389. | # If neither is specified sudo will default to localhost, port 389. |
\& # | # |
\& #host ldapserver | #host ldapserver |
\& #host ldapserver1 ldapserver2:390 | #host ldapserver1 ldapserver2:390 |
\& # | # |
\& # Default port if host is specified without one, defaults to 389. | # Default port if host is specified without one, defaults to 389. |
\& #port 389 | #port 389 |
\& # | # |
\& # URI will override the host and port settings. | # URI will override the host and port settings. |
\& uri ldap://ldapserver | uri ldap://ldapserver |
\& #uri ldaps://secureldapserver | #uri ldaps://secureldapserver |
\& #uri ldaps://secureldapserver ldap://ldapserver | #uri ldaps://secureldapserver ldap://ldapserver |
\& # | # |
\& # The amount of time, in seconds, to wait while trying to connect to | # The amount of time, in seconds, to wait while trying to connect to |
\& # an LDAP server. | # an LDAP server. |
\& bind_timelimit 30 | bind_timelimit 30 |
\& # | # |
\& # The amount of time, in seconds, to wait while performing an LDAP query. | # The amount of time, in seconds, to wait while performing an LDAP query. |
\& timelimit 30 | timelimit 30 |
\& # | # |
\& # Must be set or sudo will ignore LDAP; may be specified multiple times. | # Must be set or sudo will ignore LDAP; may be specified multiple times. |
\& sudoers_base ou=SUDOers,dc=example,dc=com | sudoers_base ou=SUDOers,dc=example,dc=com |
\& # | # |
\& # verbose sudoers matching from ldap | # verbose sudoers matching from ldap |
\& #sudoers_debug 2 | #sudoers_debug 2 |
\& # | # |
\& # Enable support for time\-based entries in sudoers. | # Enable support for time-based entries in sudoers. |
\& #sudoers_timed yes | #sudoers_timed yes |
\& # | # |
\& # optional proxy credentials | # optional proxy credentials |
\& #binddn <who to search as> | #binddn <who to search as> |
\& #bindpw <password> | #bindpw <password> |
\& #rootbinddn <who to search as, uses /etc/ldap.secret for bindpw> | #rootbinddn <who to search as, uses /etc/ldap.secret for bindpw> |
\& # | # |
\& # LDAP protocol version, defaults to 3 | # LDAP protocol version, defaults to 3 |
\& #ldap_version 3 | #ldap_version 3 |
\& # | # |
\& # Define if you want to use an encrypted LDAP connection. | # Define if you want to use an encrypted LDAP connection. |
\& # Typically, you must also set the port to 636 (ldaps). | # Typically, you must also set the port to 636 (ldaps). |
\& #ssl on | #ssl on |
\& # | # |
\& # Define if you want to use port 389 and switch to | # Define if you want to use port 389 and switch to |
\& # encryption before the bind credentials are sent. | # encryption before the bind credentials are sent. |
\& # Only supported by LDAP servers that support the start_tls | # Only supported by LDAP servers that support the start_tls |
\& # extension such as OpenLDAP. | # extension such as OpenLDAP. |
\& #ssl start_tls | #ssl start_tls |
\& # | # |
\& # Additional TLS options follow that allow tweaking of the | # Additional TLS options follow that allow tweaking of the |
\& # SSL/TLS connection. | # SSL/TLS connection. |
\& # | # |
\& #tls_checkpeer yes # verify server SSL certificate | #tls_checkpeer yes # verify server SSL certificate |
\& #tls_checkpeer no # ignore server SSL certificate | #tls_checkpeer no # ignore server SSL certificate |
\& # | # |
\& # If you enable tls_checkpeer, specify either tls_cacertfile | # If you enable tls_checkpeer, specify either tls_cacertfile |
\& # or tls_cacertdir. Only supported when using OpenLDAP. | # or tls_cacertdir. Only supported when using OpenLDAP. |
\& # | # |
\& #tls_cacertfile /etc/certs/trusted_signers.pem | #tls_cacertfile /etc/certs/trusted_signers.pem |
\& #tls_cacertdir /etc/certs | #tls_cacertdir /etc/certs |
\& # | # |
\& # For systems that don\*(Aqt have /dev/random | # For systems that don't have /dev/random |
\& # use this along with PRNGD or EGD.pl to seed the | # use this along with PRNGD or EGD.pl to seed the |
\& # random number pool to generate cryptographic session keys. | # random number pool to generate cryptographic session keys. |
\& # Only supported when using OpenLDAP. | # Only supported when using OpenLDAP. |
\& # | # |
\& #tls_randfile /etc/egd\-pool | #tls_randfile /etc/egd-pool |
\& # | # |
\& # You may restrict which ciphers are used. Consult your SSL | # You may restrict which ciphers are used. Consult your SSL |
\& # documentation for which options go here. | # documentation for which options go here. |
\& # Only supported when using OpenLDAP. | # Only supported when using OpenLDAP. |
\& # | # |
\& #tls_ciphers <cipher\-list> | #tls_ciphers <cipher-list> |
\& # | # |
\& # Sudo can provide a client certificate when communicating to | # Sudo can provide a client certificate when communicating to |
\& # the LDAP server. | # the LDAP server. |
\& # Tips: | # Tips: |
\& # * Enable both lines at the same time. | # * Enable both lines at the same time. |
\& # * Do not password protect the key file. | # * Do not password protect the key file. |
\& # * Ensure the keyfile is only readable by root. | # * Ensure the keyfile is only readable by root. |
\& # | # |
\& # For OpenLDAP: | # For OpenLDAP: |
\& #tls_cert /etc/certs/client_cert.pem | #tls_cert /etc/certs/client_cert.pem |
\& #tls_key /etc/certs/client_key.pem | #tls_key /etc/certs/client_key.pem |
\& # | # |
\& # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either | # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either |
\& # a directory, in which case the files in the directory must have the | # a directory, in which case the files in the directory must have the |
\& # default names (e.g. cert8.db and key4.db), or the path to the cert | # default names (e.g. cert8.db and key4.db), or the path to the cert |
\& # and key files themselves. However, a bug in version 5.0 of the LDAP | # and key files themselves. However, a bug in version 5.0 of the LDAP |
\& # SDK will prevent specific file names from working. For this reason | # SDK will prevent specific file names from working. For this reason |
\& # it is suggested that tls_cert and tls_key be set to a directory, | # it is suggested that tls_cert and tls_key be set to a directory, |
\& # not a file name. | # not a file name. |
\& # | # |
\& # The certificate database specified by tls_cert may contain CA certs | # The certificate database specified by tls_cert may contain CA certs |
\& # and/or the client\*(Aqs cert. If the client\*(Aqs cert is included, tls_key | # and/or the client's cert. If the client's cert is included, tls_key |
\& # should be specified as well. | # should be specified as well. |
\& # For backward compatibility, "sslpath" may be used in place of tls_cert. | # For backward compatibility, "sslpath" may be used in place of tls_cert. |
\& #tls_cert /var/ldap | #tls_cert /var/ldap |
\& #tls_key /var/ldap | #tls_key /var/ldap |
\& # | # |
\& # If using SASL authentication for LDAP (OpenSSL) | # If using SASL authentication for LDAP (OpenSSL) |
\& # use_sasl yes | # use_sasl yes |
\& # sasl_auth_id <SASL user name> | # sasl_auth_id <SASL user name> |
\& # rootuse_sasl yes | # rootuse_sasl yes |
\& # rootsasl_auth_id <SASL user name for root access> | # rootsasl_auth_id <SASL user name for root access> |
\& # sasl_secprops none | # sasl_secprops none |
\& # krb5_ccname /etc/.ldapcache | # krb5_ccname /etc/.ldapcache |
.Ve | .RE |
| .fi |
.SS "Sudo schema for OpenLDAP" |
.SS "Sudo schema for OpenLDAP" |
.IX Subsection "Sudo schema for OpenLDAP" | The following schema, in OpenLDAP format, is included with |
The following schema, in OpenLDAP format, is included with \fBsudo\fR | \fBsudo\fR |
source and binary distributions as \fIschema.OpenLDAP\fR. Simply copy | source and binary distributions as |
it to the schema directory (e.g. \fI/etc/openldap/schema\fR), add the | \fIschema.OpenLDAP\fR. |
proper \f(CW\*(C`include\*(C'\fR line in \f(CW\*(C`slapd.conf\*(C'\fR and restart \fBslapd\fR. | Simply copy |
.PP | it to the schema directory (e.g.\& |
.Vb 6 | \fI/etc/openldap/schema\fR), |
\& attributetype ( 1.3.6.1.4.1.15953.9.1.1 | add the proper |
\& NAME \*(AqsudoUser\*(Aq | \fRinclude\fR |
\& DESC \*(AqUser(s) who may run sudo\*(Aq | line in |
\& EQUALITY caseExactIA5Match | \fIslapd.conf\fR |
\& SUBSTR caseExactIA5SubstringsMatch | and restart |
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) | \fBslapd\fR. |
\& | .nf |
\& attributetype ( 1.3.6.1.4.1.15953.9.1.2 | .sp |
\& NAME \*(AqsudoHost\*(Aq | .RS 2n |
\& DESC \*(AqHost(s) who may run sudo\*(Aq | attributetype ( 1.3.6.1.4.1.15953.9.1.1 |
\& EQUALITY caseExactIA5Match | NAME 'sudoUser' |
\& SUBSTR caseExactIA5SubstringsMatch | DESC 'User(s) who may run sudo' |
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) | EQUALITY caseExactIA5Match |
\& | SUBSTR caseExactIA5SubstringsMatch |
\& attributetype ( 1.3.6.1.4.1.15953.9.1.3 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
\& NAME \*(AqsudoCommand\*(Aq | |
\& DESC \*(AqCommand(s) to be executed by sudo\*(Aq | attributetype ( 1.3.6.1.4.1.15953.9.1.2 |
\& EQUALITY caseExactIA5Match | NAME 'sudoHost' |
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) | DESC 'Host(s) who may run sudo' |
\& | EQUALITY caseExactIA5Match |
\& attributetype ( 1.3.6.1.4.1.15953.9.1.4 | SUBSTR caseExactIA5SubstringsMatch |
\& NAME \*(AqsudoRunAs\*(Aq | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
\& DESC \*(AqUser(s) impersonated by sudo\*(Aq | |
\& EQUALITY caseExactIA5Match | attributetype ( 1.3.6.1.4.1.15953.9.1.3 |
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) | NAME 'sudoCommand' |
\& | DESC 'Command(s) to be executed by sudo' |
\& attributetype ( 1.3.6.1.4.1.15953.9.1.5 | EQUALITY caseExactIA5Match |
\& NAME \*(AqsudoOption\*(Aq | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
\& DESC \*(AqOptions(s) followed by sudo\*(Aq | |
\& EQUALITY caseExactIA5Match | attributetype ( 1.3.6.1.4.1.15953.9.1.4 |
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) | NAME 'sudoRunAs' |
\& | DESC 'User(s) impersonated by sudo' |
\& attributetype ( 1.3.6.1.4.1.15953.9.1.6 | EQUALITY caseExactIA5Match |
\& NAME \*(AqsudoRunAsUser\*(Aq | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
\& DESC \*(AqUser(s) impersonated by sudo\*(Aq | |
\& EQUALITY caseExactIA5Match | attributetype ( 1.3.6.1.4.1.15953.9.1.5 |
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) | NAME 'sudoOption' |
\& | DESC 'Options(s) followed by sudo' |
\& attributetype ( 1.3.6.1.4.1.15953.9.1.7 | EQUALITY caseExactIA5Match |
\& NAME \*(AqsudoRunAsGroup\*(Aq | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
\& DESC \*(AqGroup(s) impersonated by sudo\*(Aq | |
\& EQUALITY caseExactIA5Match | attributetype ( 1.3.6.1.4.1.15953.9.1.6 |
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) | NAME 'sudoRunAsUser' |
\& | DESC 'User(s) impersonated by sudo' |
\& attributetype ( 1.3.6.1.4.1.15953.9.1.8 | EQUALITY caseExactIA5Match |
\& NAME \*(AqsudoNotBefore\*(Aq | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
\& DESC \*(AqStart of time interval for which the entry is valid\*(Aq | |
\& EQUALITY generalizedTimeMatch | attributetype ( 1.3.6.1.4.1.15953.9.1.7 |
\& ORDERING generalizedTimeOrderingMatch | NAME 'sudoRunAsGroup' |
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) | DESC 'Group(s) impersonated by sudo' |
\& | EQUALITY caseExactIA5Match |
\& attributetype ( 1.3.6.1.4.1.15953.9.1.9 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
\& NAME \*(AqsudoNotAfter\*(Aq | |
\& DESC \*(AqEnd of time interval for which the entry is valid\*(Aq | attributetype ( 1.3.6.1.4.1.15953.9.1.8 |
\& EQUALITY generalizedTimeMatch | NAME 'sudoNotBefore' |
\& ORDERING generalizedTimeOrderingMatch | DESC 'Start of time interval for which the entry is valid' |
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) | EQUALITY generalizedTimeMatch |
\& | ORDERING generalizedTimeOrderingMatch |
\& attributeTypes ( 1.3.6.1.4.1.15953.9.1.10 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) |
\& NAME \*(AqsudoOrder\*(Aq | |
\& DESC \*(Aqan integer to order the sudoRole entries\*(Aq | attributetype ( 1.3.6.1.4.1.15953.9.1.9 |
\& EQUALITY integerMatch | NAME 'sudoNotAfter' |
\& ORDERING integerOrderingMatch | DESC 'End of time interval for which the entry is valid' |
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) | EQUALITY generalizedTimeMatch |
\& | ORDERING generalizedTimeOrderingMatch |
\& objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME \*(AqsudoRole\*(Aq SUP top STRUCTURAL | SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) |
\& DESC \*(AqSudoer Entries\*(Aq | |
\& MUST ( cn ) | attributeTypes ( 1.3.6.1.4.1.15953.9.1.10 |
\& MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ | NAME 'sudoOrder' |
\& sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $ | DESC 'an integer to order the sudoRole entries' |
\& sudoOrder $ description ) | EQUALITY integerMatch |
\& ) | ORDERING integerOrderingMatch |
.Ve | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) |
| |
| objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL |
| DESC 'Sudoer Entries' |
| MUST ( cn ) |
| MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ |
| sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $ |
| sudoOrder $ description ) |
| ) |
| .RE |
| .fi |
.SH "SEE ALSO" |
.SH "SEE ALSO" |
.IX Header "SEE ALSO" | ldap.conf(@mansectform@), |
\&\fIldap.conf\fR\|(@mansectform@), \fIsudoers\fR\|(@mansectform@) | sudo.conf(@mansectform@), |
| sudoers(@mansectsu@) |
.SH "CAVEATS" |
.SH "CAVEATS" |
.IX Header "CAVEATS" | Note that there are differences in the way that LDAP-based |
Note that there are differences in the way that LDAP-based \fIsudoers\fR | \fIsudoers\fR |
is parsed compared to file-based \fIsudoers\fR. See the \*(L"Differences | is parsed compared to file-based |
between \s-1LDAP\s0 and non-LDAP sudoers\*(R" section for more information. | \fIsudoers\fR. |
| See the |
| \fIDifferences between LDAP and non-LDAP sudoers\fR |
| section for more information. |
.SH "BUGS" |
.SH "BUGS" |
.IX Header "BUGS" | If you feel you have found a bug in |
If you feel you have found a bug in \fBsudo\fR, please submit a bug report | \fBsudo\fR, |
at http://www.sudo.ws/sudo/bugs/ | please submit a bug report at http://www.sudo.ws/sudo/bugs/ |
.SH "SUPPORT" |
.SH "SUPPORT" |
.IX Header "SUPPORT" |
|
Limited free support is available via the sudo-users mailing list, |
Limited free support is available via the sudo-users mailing list, |
see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or | see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or |
search the archives. |
search the archives. |
.SH "DISCLAIMER" |
.SH "DISCLAIMER" |
.IX Header "DISCLAIMER" | \fBsudo\fR |
\&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties, | is provided |
including, but not limited to, the implied warranties of merchantability | ``AS IS'' |
and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0 | and any express or implied warranties, including, but not limited |
file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html | to, the implied warranties of merchantability and fitness for a |
for complete details. | particular purpose are disclaimed. |
| See the LICENSE file distributed with |
| \fBsudo\fR |
| or http://www.sudo.ws/sudo/license.html for complete details. |