|
version 1.1.1.4, 2013/07/22 10:46:12
|
version 1.1.1.6, 2014/06/15 16:12:54
|
|
Line 1
|
Line 1
|
| .\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER! |
.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER! |
| .\" IT IS GENERATED AUTOMATICALLY FROM sudoers.ldap.mdoc.in |
.\" IT IS GENERATED AUTOMATICALLY FROM sudoers.ldap.mdoc.in |
| .\" |
.\" |
| .\" Copyright (c) 2003-2013 Todd C. Miller <Todd.Miller@courtesan.com> | .\" Copyright (c) 2003-2014 Todd C. Miller <Todd.Miller@courtesan.com> |
| .\" |
.\" |
| .\" Permission to use, copy, modify, and distribute this software for any |
.\" Permission to use, copy, modify, and distribute this software for any |
| .\" purpose with or without fee is hereby granted, provided that the above |
.\" purpose with or without fee is hereby granted, provided that the above |
|
Line 16
|
Line 16
|
| .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
| .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| .\" |
.\" |
| .TH "SUDOERS.LDAP" "8" "April 25, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD System Manager's Manual" | .TH "SUDOERS.LDAP" "8" "February 7, 2014" "Sudo @PACKAGE_VERSION@" "OpenBSD System Manager's Manual" |
| .nh |
.nh |
| .if n .ad l |
.if n .ad l |
| .SH "NAME" |
.SH "NAME" |
|
Line 138 It consists of the following attributes:
|
Line 138 It consists of the following attributes:
|
| .TP 6n |
.TP 6n |
| \fBsudoUser\fR |
\fBsudoUser\fR |
| A user name, user ID (prefixed with |
A user name, user ID (prefixed with |
| `#'), | \(oq#\(cq), |
| Unix group name or ID (prefixed with |
Unix group name or ID (prefixed with |
| `%' | \(oq%\(cq |
| or |
or |
| `%#' | \(oq%#\(cq |
| respectively), user netgroup (prefixed with |
respectively), user netgroup (prefixed with |
| `+'), | \(oq+\(cq), |
| or non-Unix group name or ID (prefixed with |
or non-Unix group name or ID (prefixed with |
| `%:' | \(oq%:\(cq |
| or |
or |
| `%:#' | \(oq%:#\(cq |
| respectively). |
respectively). |
| Non-Unix group support is only available when an appropriate |
Non-Unix group support is only available when an appropriate |
| \fIgroup_plugin\fR |
\fIgroup_plugin\fR |
|
Line 159 object.
|
Line 159 object.
|
| .TP 6n |
.TP 6n |
| \fBsudoHost\fR |
\fBsudoHost\fR |
| A host name, IP address, IP network, or host netgroup (prefixed with a |
A host name, IP address, IP network, or host netgroup (prefixed with a |
| `+'). | \(oq+\(cq). |
| The special value |
The special value |
| \fRALL\fR |
\fRALL\fR |
| will match any host. |
will match any host. |
|
Line 168 will match any host.
|
Line 168 will match any host.
|
| A fully-qualified Unix command name with optional command line arguments, |
A fully-qualified Unix command name with optional command line arguments, |
| potentially including globbing characters (aka wild cards). |
potentially including globbing characters (aka wild cards). |
| If a command name is preceded by an exclamation point, |
If a command name is preceded by an exclamation point, |
| `\&!', | \(oq\&!\(cq, |
| the user will be prohibited from running that command. |
the user will be prohibited from running that command. |
| .sp |
.sp |
| The built-in command |
The built-in command |
| ``\fRsudoedit\fR'' | \(lq\fRsudoedit\fR\(rq |
| is used to permit a user to run |
is used to permit a user to run |
| \fBsudo\fR |
\fBsudo\fR |
| with the |
with the |
|
Line 181 option (or as
|
Line 181 option (or as
|
| \fBsudoedit\fR). |
\fBsudoedit\fR). |
| It may take command line arguments just as a normal command does. |
It may take command line arguments just as a normal command does. |
| Note that |
Note that |
| ``\fRsudoedit\fR'' | \(lq\fRsudoedit\fR\(rq |
| is a command built into |
is a command built into |
| \fBsudo\fR |
\fBsudo\fR |
| itself and must be specified in without a leading path. |
itself and must be specified in without a leading path. |
|
Line 197 This may be useful in situations where the user invoki
|
Line 197 This may be useful in situations where the user invoki
|
| has write access to the command or its parent directory. |
has write access to the command or its parent directory. |
| The following digest formats are supported: sha224, sha256, sha384 and sha512. |
The following digest formats are supported: sha224, sha256, sha384 and sha512. |
| The digest name must be followed by a colon |
The digest name must be followed by a colon |
| (`:\&') | (\(oq:\&\(cq) |
| and then the actual digest, in either hex or base64 format. |
and then the actual digest, in either hex or base64 format. |
| For example, given the following value for sudoCommand: |
For example, given the following value for sudoCommand: |
| .RS |
|
| .nf |
.nf |
| .sp |
.sp |
| .RS 4n | .RS 10n |
| sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ /bin/ls |
sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ /bin/ls |
| .RE |
.RE |
| .fi |
.fi |
| |
.RS 6n |
| .sp |
.sp |
| The user may only run |
The user may only run |
| \fI/bin/ls\fR |
\fI/bin/ls\fR |
| if its sha224 digest matches the specified value. |
if its sha224 digest matches the specified value. |
| Command digests are only supported by version 1.8.7 or higher. |
Command digests are only supported by version 1.8.7 or higher. |
| .PP |
|
| .RE |
.RE |
| .PD 0 |
|
| .TP 6n |
.TP 6n |
| \fBsudoOption\fR |
\fBsudoOption\fR |
| Identical in function to the global options described above, but |
Identical in function to the global options described above, but |
| specific to the |
specific to the |
| \fRsudoRole\fR |
\fRsudoRole\fR |
| in which it resides. |
in which it resides. |
| .PD |
|
| .TP 6n |
.TP 6n |
| \fBsudoRunAsUser\fR |
\fBsudoRunAsUser\fR |
| A user name or uid (prefixed with |
A user name or uid (prefixed with |
| `#') | \(oq#\(cq) |
| that commands may be run as or a Unix group (prefixed with a |
that commands may be run as or a Unix group (prefixed with a |
| `%') | \(oq%\(cq) |
| or user netgroup (prefixed with a |
or user netgroup (prefixed with a |
| `+') | \(oq+\(cq) |
| that contains a list of users that commands may be run as. |
that contains a list of users that commands may be run as. |
| The special value |
The special value |
| \fRALL\fR |
\fRALL\fR |
|
Line 249 attribute instead.
|
Line 246 attribute instead.
|
| .TP 6n |
.TP 6n |
| \fBsudoRunAsGroup\fR |
\fBsudoRunAsGroup\fR |
| A Unix group or gid (prefixed with |
A Unix group or gid (prefixed with |
| `#') | \(oq#\(cq) |
| that commands may be run as. |
that commands may be run as. |
| The special value |
The special value |
| \fRALL\fR |
\fRALL\fR |
|
Line 323 If multiple entries match, the entry with the highest
|
Line 320 If multiple entries match, the entry with the highest
|
| \fRsudoOrder\fR |
\fRsudoOrder\fR |
| attribute is chosen. |
attribute is chosen. |
| This corresponds to the |
This corresponds to the |
| ``last match'' | \(lqlast match\(rq |
| behavior of the sudoers file. |
behavior of the sudoers file. |
| If the |
If the |
| \fRsudoOrder\fR |
\fRsudoOrder\fR |
|
Line 513 are honored.
|
Line 510 are honored.
|
| Configuration options are listed below in upper case but are parsed |
Configuration options are listed below in upper case but are parsed |
| in a case-independent manner. |
in a case-independent manner. |
| .PP |
.PP |
| |
The pound sign |
| |
(\(oq#\(cq) |
| |
is used to indicate a comment. |
| |
Both the comment character and any text after it, up to the end of |
| |
the line, are ignored. |
| Long lines can be continued with a backslash |
Long lines can be continued with a backslash |
| (`\e') | (\(oq\e\(cq) |
| as the last character on the line. |
as the last character on the line. |
| Note that leading white space is removed from the beginning of lines |
Note that leading white space is removed from the beginning of lines |
| even when the continuation character is used. |
even when the continuation character is used. |
|
Line 562 parameter specifies a white space-delimited list of LD
|
Line 564 parameter specifies a white space-delimited list of LD
|
| Each host may include an optional |
Each host may include an optional |
| \fIport\fR |
\fIport\fR |
| separated by a colon |
separated by a colon |
| (`:\&'). | (\(oq:\&\(cq). |
| The |
The |
| \fBHOST\fR |
\fBHOST\fR |
| parameter is deprecated in favor of the |
parameter is deprecated in favor of the |
|
Line 638 form
|
Line 640 form
|
| \fRattribute=value\fR |
\fRattribute=value\fR |
| or |
or |
| \fR(&(attribute=value)(attribute2=value2))\fR. |
\fR(&(attribute=value)(attribute2=value2))\fR. |
| |
The default search filter is: |
| |
\fRobjectClass=sudoRole\fR. |
| |
If |
| |
\fIldap_filter\fR |
| |
is omitted, no search filter will be used. |
| .TP 6n |
.TP 6n |
| \fBSUDOERS_TIMED\fR \fIon/true/yes/off/false/no\fR |
\fBSUDOERS_TIMED\fR \fIon/true/yes/off/false/no\fR |
| Whether or not to evaluate the |
Whether or not to evaluate the |
|
Line 662 parameter is deprecated and will be removed in a futur
|
Line 669 parameter is deprecated and will be removed in a futur
|
| The same information is now logged via the |
The same information is now logged via the |
| \fBsudo\fR |
\fBsudo\fR |
| debugging framework using the |
debugging framework using the |
| ``ldap'' | \(lqldap\(rq |
| subsystem at priorities |
subsystem at priorities |
| \fIdiag\fR |
\fIdiag\fR |
| and |
and |
|
Line 787 This option is only supported by the OpenLDAP librarie
|
Line 794 This option is only supported by the OpenLDAP librarie
|
| The path to a file containing the client certificate which can |
The path to a file containing the client certificate which can |
| be used to authenticate the client to the LDAP server. |
be used to authenticate the client to the LDAP server. |
| The certificate type depends on the LDAP libraries used. |
The certificate type depends on the LDAP libraries used. |
| .RS | .PP |
| | .RS 6n |
| | .PD 0 |
| .TP 6n |
.TP 6n |
| OpenLDAP: |
OpenLDAP: |
| \fRtls_cert /etc/ssl/client_cert.pem\fR |
\fRtls_cert /etc/ssl/client_cert.pem\fR |
| |
.PD |
| .TP 6n |
.TP 6n |
| Netscape-derived: |
Netscape-derived: |
| \fRtls_cert /var/ldap/cert7.db\fR |
\fRtls_cert /var/ldap/cert7.db\fR |
|
Line 802 contains both keys and certificates.
|
Line 812 contains both keys and certificates.
|
| .sp |
.sp |
| When using Netscape-derived libraries, this file may also contain |
When using Netscape-derived libraries, this file may also contain |
| Certificate Authority certificates. |
Certificate Authority certificates. |
| |
.PD 0 |
| .PP |
.PP |
| .RE |
.RE |
| .PD 0 | .PD |
| .TP 6n |
.TP 6n |
| \fBTLS_KEY\fR \fIfile name\fR |
\fBTLS_KEY\fR \fIfile name\fR |
| The path to a file containing the private key which matches the |
The path to a file containing the private key which matches the |
|
Line 812 certificate specified by
|
Line 823 certificate specified by
|
| \fBTLS_CERT\fR. |
\fBTLS_CERT\fR. |
| The private key must not be password-protected. |
The private key must not be password-protected. |
| The key type depends on the LDAP libraries used. |
The key type depends on the LDAP libraries used. |
| .RS | .PP |
| .PD | .RS 6n |
| | .PD 0 |
| .TP 6n |
.TP 6n |
| OpenLDAP: |
OpenLDAP: |
| \fRtls_key /etc/ssl/client_key.pem\fR |
\fRtls_key /etc/ssl/client_key.pem\fR |
| |
.PD |
| .TP 6n |
.TP 6n |
| Netscape-derived: |
Netscape-derived: |
| \fRtls_key /var/ldap/key3.db\fR |
\fRtls_key /var/ldap/key3.db\fR |
| .TP 6n |
.TP 6n |
| Tivoli Directory Server: |
Tivoli Directory Server: |
| \fRtls_cert /usr/ldap/ldapkey.kdb\fR | \fRtls_key /usr/ldap/ldapkey.kdb\fR |
| .PD 0 |
.PD 0 |
| .PP |
.PP |
| .PD |
|
| When using Tivoli LDAP libraries, this file may also contain |
When using Tivoli LDAP libraries, this file may also contain |
| Certificate Authority and client certificates and may be encrypted. |
Certificate Authority and client certificates and may be encrypted. |
| .PP |
|
| .RE |
.RE |
| .PD 0 | .PD |
| .TP 6n |
.TP 6n |
| \fBTLS_KEYPW\fR \fIsecret\fR |
\fBTLS_KEYPW\fR \fIsecret\fR |
| The |
The |
| \fBTLS_KEYPW\fR |
\fBTLS_KEYPW\fR |
| contains the password used to decrypt the key database on clients |
contains the password used to decrypt the key database on clients |
| using the Tivoli Directory Server LDAP library. |
using the Tivoli Directory Server LDAP library. |
| |
This should be a simple string without quotes. |
| |
The password may not include the comment character |
| |
(\(oq#\(cq) |
| |
and escaping of special characters with a backslash |
| |
(\(oq\e\(cq) |
| |
is not supported. |
| |
If this option is used, |
| |
\fI@ldap_conf@\fR |
| |
must not be world-readable to avoid exposing the password. |
| |
Alternately, a |
| |
\fIstash file\fR |
| |
can be used to store the password in encrypted form (see below). |
| |
.sp |
| If no |
If no |
| \fBTLS_KEYPW\fR |
\fBTLS_KEYPW\fR |
| is specified, a |
is specified, a |
|
Line 856 The default
|
Line 880 The default
|
| \fRldapkey.kdb\fR |
\fRldapkey.kdb\fR |
| that ships with Tivoli Directory Server is encrypted with the password |
that ships with Tivoli Directory Server is encrypted with the password |
| \fRssl_password\fR. |
\fRssl_password\fR. |
| |
The |
| |
\fIgsk8capicmd\fR |
| |
utility can be used to manage the key database and create a |
| |
\fIstash file\fR. |
| This option is only supported by the Tivoli LDAP libraries. |
This option is only supported by the Tivoli LDAP libraries. |
| .PD |
|
| .TP 6n |
.TP 6n |
| \fBTLS_RANDFILE\fR \fIfile name\fR |
\fBTLS_RANDFILE\fR \fIfile name\fR |
| The |
The |
|
Line 940 does
|
Line 967 does
|
| not stop searching after the first match and later matches take |
not stop searching after the first match and later matches take |
| precedence over earlier ones. |
precedence over earlier ones. |
| The following sources are recognized: |
The following sources are recognized: |
| |
.PP |
| |
.RS 4n |
| |
.PD 0 |
| .TP 10n |
.TP 10n |
| files |
files |
| read sudoers from |
read sudoers from |
| \fI@sysconfdir@/sudoers\fR |
\fI@sysconfdir@/sudoers\fR |
| .PD 0 |
|
| .TP 10n |
.TP 10n |
| ldap |
ldap |
| read sudoers from LDAP |
read sudoers from LDAP |
| |
.RE |
| .PD |
.PD |
| .PP |
.PP |
| In addition, the entry |
In addition, the entry |
|
Line 1284 search the archives.
|
Line 1314 search the archives.
|
| .SH "DISCLAIMER" |
.SH "DISCLAIMER" |
| \fBsudo\fR |
\fBsudo\fR |
| is provided |
is provided |
| ``AS IS'' | \(lqAS IS\(rq |
| and any express or implied warranties, including, but not limited |
and any express or implied warranties, including, but not limited |
| to, the implied warranties of merchantability and fitness for a |
to, the implied warranties of merchantability and fitness for a |
| particular purpose are disclaimed. |
particular purpose are disclaimed. |
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to sudoers.ldap.man.in CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / doc