embedaddon/sudo/doc/sudoers.ldap.man.in - diff

Return to sudoers.ldap.man.in CVS log

Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / doc

Diff for /embedaddon/sudo/doc/sudoers.ldap.man.in between versions 1.1.1.3 and 1.1.1.4

version 1.1.1.3, 2012/10/09 09:29:52	version 1.1.1.4, 2013/07/22 10:46:12
Line 1	Line 1
.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!	.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
.\" IT IS GENERATED AUTOMATICALLY FROM sudoers.ldap.mdoc.in	.\" IT IS GENERATED AUTOMATICALLY FROM sudoers.ldap.mdoc.in
.\"	.\"
.\" Copyright (c) 2003-2012 Todd C. Miller <Todd.Miller@courtesan.com>	.\" Copyright (c) 2003-2013 Todd C. Miller <Todd.Miller@courtesan.com>
.\"	.\"
.\" Permission to use, copy, modify, and distribute this software for any	.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above	.\" purpose with or without fee is hereby granted, provided that the above
Line 16	Line 16
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"	.\"
.TH "SUDOERS.LDAP" "8" "July 12, 2012" "Sudo @PACKAGE_VERSION@" "OpenBSD System Manager's Manual"	.TH "SUDOERS.LDAP" "8" "April 25, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD System Manager's Manual"
.nh	.nh
.if n .ad l	.if n .ad l
.SH "NAME"	.SH "NAME"
Line 86 Aliases are not supported.	Line 86 Aliases are not supported.
For the most part, there is really no need for	For the most part, there is really no need for
\fBsudo\fR-specific	\fBsudo\fR-specific
Aliases.	Aliases.
Unix groups or user netgroups can be used in place of User_Aliases and	Unix groups, non-Unix groups (via the
Runas_Aliases.	\fIgroup_plugin\fR)
	or user netgroups can be used in place of User_Aliases and Runas_Aliases.
Host netgroups can be used in place of Host_Aliases.	Host netgroups can be used in place of Host_Aliases.
Since Unix groups and netgroups can also be stored in LDAP there is no	Since groups and netgroups can also be stored in LDAP there is no real need for
real need for
\fBsudo\fR-specific	\fBsudo\fR-specific
aliases.	aliases.
.PP	.PP
Line 139 It consists of the following attributes:	Line 139 It consists of the following attributes:
\fBsudoUser\fR	\fBsudoUser\fR
A user name, user ID (prefixed with	A user name, user ID (prefixed with
`#'),	`#'),
Unix group (prefixed with	Unix group name or ID (prefixed with
`%'),	`%'
Unix group ID (prefixed with	or
`%#'),	`%#'
or user netgroup (prefixed with	respectively), user netgroup (prefixed with
`+').	`+'),
	or non-Unix group name or ID (prefixed with
	`%:'
	or
	`%:#'
	respectively).
	Non-Unix group support is only available when an appropriate
	\fIgroup_plugin\fR
	is defined in the global
	\fIdefaults\fR
	\fRsudoRole\fR
	object.
.TP 6n	.TP 6n
\fBsudoHost\fR	\fBsudoHost\fR
A host name, IP address, IP network, or host netgroup (prefixed with a	A host name, IP address, IP network, or host netgroup (prefixed with a
Line 154 The special value	Line 165 The special value
will match any host.	will match any host.
.TP 6n	.TP 6n
\fBsudoCommand\fR	\fBsudoCommand\fR
A Unix command with optional command line arguments, potentially	A fully-qualified Unix command name with optional command line arguments,
including globbing characters (aka wild cards).	potentially including globbing characters (aka wild cards).
	If a command name is preceded by an exclamation point,
	`\&!',
	the user will be prohibited from running that command.
	.sp
	The built-in command
	``\fRsudoedit\fR''
	is used to permit a user to run
	\fBsudo\fR
	with the
	\fB\-e\fR
	option (or as
	\fBsudoedit\fR).
	It may take command line arguments just as a normal command does.
	Note that
	``\fRsudoedit\fR''
	is a command built into
	\fBsudo\fR
	itself and must be specified in without a leading path.
	.sp
The special value	The special value
\fRALL\fR	\fRALL\fR
will match any command.	will match any command.
If a command is prefixed with an exclamation point	.sp
`\&!',	If a command name is prefixed with a SHA-2 digest, it will
the user will be prohibited from running that command.	only be allowed if the digest matches.
	This may be useful in situations where the user invoking
	\fBsudo\fR
	has write access to the command or its parent directory.
	The following digest formats are supported: sha224, sha256, sha384 and sha512.
	The digest name must be followed by a colon
	(`:\&')
	and then the actual digest, in either hex or base64 format.
	For example, given the following value for sudoCommand:
	.RS
	.nf
	.sp
	.RS 4n
	sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ /bin/ls
	.RE
	.fi
	.sp
	The user may only run
	\fI/bin/ls\fR
	if its sha224 digest matches the specified value.
	Command digests are only supported by version 1.8.7 or higher.
	.PP
	.RE
	.PD 0
.TP 6n	.TP 6n
\fBsudoOption\fR	\fBsudoOption\fR
Identical in function to the global options described above, but	Identical in function to the global options described above, but
specific to the	specific to the
\fRsudoRole\fR	\fRsudoRole\fR
in which it resides.	in which it resides.
	.PD
.TP 6n	.TP 6n
\fBsudoRunAsUser\fR	\fBsudoRunAsUser\fR
A user name or uid (prefixed with	A user name or uid (prefixed with
Line 263 The	Line 317 The
\fRsudoOrder\fR	\fRsudoOrder\fR
attribute is an integer (or floating point value for LDAP servers	attribute is an integer (or floating point value for LDAP servers
that support it) that is used to sort the matching entries.	that support it) that is used to sort the matching entries.
This allows LDAP-based sudoers entries to more closely mimic the behaviour	This allows LDAP-based sudoers entries to more closely mimic the behavior
of the sudoers file, where the of the entries influences the result.	of the sudoers file, where the of the entries influences the result.
If multiple entries match, the entry with the highest	If multiple entries match, the entry with the highest
\fRsudoOrder\fR	\fRsudoOrder\fR
Line 321 to see if the user belongs to any of them.	Line 375 to see if the user belongs to any of them.
.PP	.PP
If timed entries are enabled with the	If timed entries are enabled with the
\fBSUDOERS_TIMED\fR	\fBSUDOERS_TIMED\fR
configuration directive, the LDAP queries include a subfilter that	configuration directive, the LDAP queries include a sub-filter that
limits retrieval to entries that satisfy the time constraints, if any.	limits retrieval to entries that satisfy the time constraints, if any.
.SS "Differences between LDAP and non-LDAP sudoers"	.SS "Differences between LDAP and non-LDAP sudoers"
There are some subtle differences in the way sudoers is handled	There are some subtle differences in the way sudoers is handled
Line 426 section.	Line 480 section.
Sudo reads the	Sudo reads the
\fI@ldap_conf@\fR	\fI@ldap_conf@\fR
file for LDAP-specific configuration.	file for LDAP-specific configuration.
Typically, this file is shared amongst different LDAP-aware clients.	Typically, this file is shared between different LDAP-aware clients.
As such, most of the settings are not	As such, most of the settings are not
\fBsudo\fR-specific.	\fBsudo\fR-specific.
Note that	Note that
Line 437 itself and may support options that differ from those	Line 491 itself and may support options that differ from those
system's	system's
ldap.conf(@mansectsu@)	ldap.conf(@mansectsu@)
manual.	manual.
	The path to
	\fIldap.conf\fR
	may be overridden via the
	\fIldap_conf\fR
	plugin argument in
	sudo.conf(@mansectform@).
.PP	.PP
Also note that on systems using the OpenLDAP libraries, default	Also note that on systems using the OpenLDAP libraries, default
values specified in	values specified in
Line 452 as being supported by	Line 512 as being supported by
are honored.	are honored.
Configuration options are listed below in upper case but are parsed	Configuration options are listed below in upper case but are parsed
in a case-independent manner.	in a case-independent manner.
	.PP
	Long lines can be continued with a backslash
	(`\e')
	as the last character on the line.
	Note that leading white space is removed from the beginning of lines
	even when the continuation character is used.
.TP 6n	.TP 6n
\fBURI\fR \fIldap[s]://[hostname[:port]] ...\fR	\fBURI\fR \fIldap[s]://[hostname[:port]] ...\fR
Specifies a whitespace-delimited list of one or more URIs describing	Specifies a white space-delimited list of one or more URIs describing
the LDAP server(s) to connect to.	the LDAP server(s) to connect to.
The	The
\fIprotocol\fR	\fIprotocol\fR
Line 492 If no	Line 558 If no
\fBURI\fR	\fBURI\fR
is specified, the	is specified, the
\fBHOST\fR	\fBHOST\fR
parameter specifies a whitespace-delimited list of LDAP servers to connect to.	parameter specifies a white space-delimited list of LDAP servers to connect to.
Each host may include an optional	Each host may include an optional
\fIport\fR	\fIport\fR
separated by a colon	separated by a colon
Line 589 A value of 1 results in a moderate amount of debugging	Line 655 A value of 1 results in a moderate amount of debugging
A value of 2 shows the results of the matches themselves.	A value of 2 shows the results of the matches themselves.
This parameter should not be set in a production environment as the	This parameter should not be set in a production environment as the
extra information is likely to confuse users.	extra information is likely to confuse users.
	.sp
	The
	\fBSUDOERS_DEBUG\fR
	parameter is deprecated and will be removed in a future release.
	The same information is now logged via the
	\fBsudo\fR
	debugging framework using the
	``ldap''
	subsystem at priorities
	\fIdiag\fR
	and
	\fIinfo\fR
	for
	\fIdebug_level\fR
	values 1 and 2 respectively.
	See the
	sudo.conf(@mansectform@)
	manual for details on how to configure
	\fBsudo\fR
	debugging.
.TP 6n	.TP 6n
\fBBINDDN\fR \fIDN\fR	\fBBINDDN\fR \fIDN\fR
The	The
Line 613 parameter specifies the identity, in the form of a Dis	Line 699 parameter specifies the identity, in the form of a Dis
to use when performing privileged LDAP operations, such as	to use when performing privileged LDAP operations, such as
\fIsudoers\fR	\fIsudoers\fR
queries.	queries.
The password corresponding	The password corresponding to the identity should be stored in the
to the identity should be stored in	or the path specified by the
	\fIldap_secret\fR
	plugin argument in
	sudo.conf(@mansectform@),
	which defaults to
\fI@ldap_secret@\fR.	\fI@ldap_secret@\fR.
If not specified, the	If no
	\fBROOTBINDDN\fR
	is specified, the
\fBBINDDN\fR	\fBBINDDN\fR
identity is used (if any).	identity is used (if any).
.TP 6n	.TP 6n
Line 929 sudoers = ldap	Line 1021 sudoers = ldap
.RE	.RE
.fi	.fi
.PP	.PP
To treat LDAP as authoratative and only use the local sudoers file	To treat LDAP as authoritative and only use the local sudoers file
if the user is not present in LDAP, use:	if the user is not present in LDAP, use:
.nf	.nf
.sp	.sp
Line 940 sudoers = ldap = auth, files	Line 1032 sudoers = ldap = auth, files
.PP	.PP
Note that in the above example, the	Note that in the above example, the
\fRauth\fR	\fRauth\fR
qualfier only affects user lookups; both LDAP and	qualifier only affects user lookups; both LDAP and
\fIsudoers\fR	\fIsudoers\fR
will be queried for	will be queried for
\fRDefaults\fR	\fRDefaults\fR
Line 1170 objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole'	Line 1262 objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole'
.RE	.RE
.fi	.fi
.SH "SEE ALSO"	.SH "SEE ALSO"
ldap.conf(@mansectsu@),	ldap.conf(@mansectform@),
	sudo.conf(@mansectform@),
sudoers(@mansectsu@)	sudoers(@mansectsu@)
.SH "CAVEATS"	.SH "CAVEATS"
Note that there are differences in the way that LDAP-based	Note that there are differences in the way that LDAP-based

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>

Removed from v.1.1.1.3
changed lines
	Added in v.1.1.1.4