1.1 ! misho 1: .\" Copyright (c) 2003-2011
! 2: .\" Todd C. Miller <Todd.Miller@courtesan.com>
! 3: .\"
! 4: .\" Permission to use, copy, modify, and distribute this software for any
! 5: .\" purpose with or without fee is hereby granted, provided that the above
! 6: .\" copyright notice and this permission notice appear in all copies.
! 7: .\"
! 8: .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
! 9: .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
! 10: .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
! 11: .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
! 12: .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
! 13: .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
! 14: .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
! 15: .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
! 16: .\"
! 17: .\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14)
! 18: .\"
! 19: .\" Standard preamble:
! 20: .\" ========================================================================
! 21: .de Sp \" Vertical space (when we can't use .PP)
! 22: .if t .sp .5v
! 23: .if n .sp
! 24: ..
! 25: .de Vb \" Begin verbatim text
! 26: .ft CW
! 27: .nf
! 28: .ne \\$1
! 29: ..
! 30: .de Ve \" End verbatim text
! 31: .ft R
! 32: .fi
! 33: ..
! 34: .\" Set up some character translations and predefined strings. \*(-- will
! 35: .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
! 36: .\" double quote, and \*(R" will give a right double quote. \*(C+ will
! 37: .\" give a nicer C++. Capital omega is used to do unbreakable dashes and
! 38: .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
! 39: .\" nothing in troff, for use with C<>.
! 40: .tr \(*W-
! 41: .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
! 42: .ie n \{\
! 43: . ds -- \(*W-
! 44: . ds PI pi
! 45: . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
! 46: . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
! 47: . ds L" ""
! 48: . ds R" ""
! 49: . ds C`
! 50: . ds C'
! 51: 'br\}
! 52: .el\{\
! 53: . ds -- \|\(em\|
! 54: . ds PI \(*p
! 55: . ds L" ``
! 56: . ds R" ''
! 57: 'br\}
! 58: .\"
! 59: .\" Escape single quotes in literal strings from groff's Unicode transform.
! 60: .ie \n(.g .ds Aq \(aq
! 61: .el .ds Aq '
! 62: .\"
! 63: .\" If the F register is turned on, we'll generate index entries on stderr for
! 64: .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
! 65: .\" entries marked with X<> in POD. Of course, you'll have to process the
! 66: .\" output yourself in some meaningful fashion.
! 67: .ie \nF \{\
! 68: . de IX
! 69: . tm Index:\\$1\t\\n%\t"\\$2"
! 70: ..
! 71: . nr % 0
! 72: . rr F
! 73: .\}
! 74: .el \{\
! 75: . de IX
! 76: ..
! 77: .\}
! 78: .\"
! 79: .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
! 80: .\" Fear. Run. Save yourself. No user-serviceable parts.
! 81: . \" fudge factors for nroff and troff
! 82: .if n \{\
! 83: . ds #H 0
! 84: . ds #V .8m
! 85: . ds #F .3m
! 86: . ds #[ \f1
! 87: . ds #] \fP
! 88: .\}
! 89: .if t \{\
! 90: . ds #H ((1u-(\\\\n(.fu%2u))*.13m)
! 91: . ds #V .6m
! 92: . ds #F 0
! 93: . ds #[ \&
! 94: . ds #] \&
! 95: .\}
! 96: . \" simple accents for nroff and troff
! 97: .if n \{\
! 98: . ds ' \&
! 99: . ds ` \&
! 100: . ds ^ \&
! 101: . ds , \&
! 102: . ds ~ ~
! 103: . ds /
! 104: .\}
! 105: .if t \{\
! 106: . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
! 107: . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
! 108: . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
! 109: . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
! 110: . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
! 111: . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
! 112: .\}
! 113: . \" troff and (daisy-wheel) nroff accents
! 114: .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
! 115: .ds 8 \h'\*(#H'\(*b\h'-\*(#H'
! 116: .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
! 117: .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
! 118: .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
! 119: .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
! 120: .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
! 121: .ds ae a\h'-(\w'a'u*4/10)'e
! 122: .ds Ae A\h'-(\w'A'u*4/10)'E
! 123: . \" corrections for vroff
! 124: .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
! 125: .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
! 126: . \" for low resolution devices (crt and lpr)
! 127: .if \n(.H>23 .if \n(.V>19 \
! 128: \{\
! 129: . ds : e
! 130: . ds 8 ss
! 131: . ds o a
! 132: . ds d- d\h'-1'\(ga
! 133: . ds D- D\h'-1'\(hy
! 134: . ds th \o'bp'
! 135: . ds Th \o'LP'
! 136: . ds ae ae
! 137: . ds Ae AE
! 138: .\}
! 139: .rm #[ #] #H #V #F C
! 140: .\" ========================================================================
! 141: .\"
! 142: .IX Title "SUDOERS.LDAP @mansectform@"
! 143: .TH SUDOERS.LDAP @mansectform@ "September 16, 2011" "1.8.3" "MAINTENANCE COMMANDS"
! 144: .\" For nroff, turn off justification. Always turn off hyphenation; it makes
! 145: .\" way too many mistakes in technical documents.
! 146: .if n .ad l
! 147: .nh
! 148: .SH "NAME"
! 149: sudoers.ldap \- sudo LDAP configuration
! 150: .SH "DESCRIPTION"
! 151: .IX Header "DESCRIPTION"
! 152: In addition to the standard \fIsudoers\fR file, \fBsudo\fR may be configured
! 153: via \s-1LDAP\s0. This can be especially useful for synchronizing \fIsudoers\fR
! 154: in a large, distributed environment.
! 155: .PP
! 156: Using \s-1LDAP\s0 for \fIsudoers\fR has several benefits:
! 157: .IP "\(bu" 4
! 158: \&\fBsudo\fR no longer needs to read \fIsudoers\fR in its entirety. When
! 159: \&\s-1LDAP\s0 is used, there are only two or three \s-1LDAP\s0 queries per invocation.
! 160: This makes it especially fast and particularly usable in \s-1LDAP\s0
! 161: environments.
! 162: .IP "\(bu" 4
! 163: \&\fBsudo\fR no longer exits if there is a typo in \fIsudoers\fR.
! 164: It is not possible to load \s-1LDAP\s0 data into the server that does
! 165: not conform to the sudoers schema, so proper syntax is guaranteed.
! 166: It is still possible to have typos in a user or host name, but
! 167: this will not prevent \fBsudo\fR from running.
! 168: .IP "\(bu" 4
! 169: It is possible to specify per-entry options that override the global
! 170: default options. \fI@sysconfdir@/sudoers\fR only supports default options and
! 171: limited options associated with user/host/commands/aliases. The
! 172: syntax is complicated and can be difficult for users to understand.
! 173: Placing the options directly in the entry is more natural.
! 174: .IP "\(bu" 4
! 175: The \fBvisudo\fR program is no longer needed. \fBvisudo\fR provides
! 176: locking and syntax checking of the \fI@sysconfdir@/sudoers\fR file.
! 177: Since \s-1LDAP\s0 updates are atomic, locking is no longer necessary.
! 178: Because syntax is checked when the data is inserted into \s-1LDAP\s0, there
! 179: is no need for a specialized tool to check syntax.
! 180: .PP
! 181: Another major difference between \s-1LDAP\s0 and file-based \fIsudoers\fR
! 182: is that in \s-1LDAP\s0, \fBsudo\fR\-specific Aliases are not supported.
! 183: .PP
! 184: For the most part, there is really no need for \fBsudo\fR\-specific
! 185: Aliases. Unix groups or user netgroups can be used in place of
! 186: User_Aliases and Runas_Aliases. Host netgroups can be used in place
! 187: of Host_Aliases. Since Unix groups and netgroups can also be stored
! 188: in \s-1LDAP\s0 there is no real need for \fBsudo\fR\-specific aliases.
! 189: .PP
! 190: Cmnd_Aliases are not really required either since it is possible
! 191: to have multiple users listed in a \f(CW\*(C`sudoRole\*(C'\fR. Instead of defining
! 192: a Cmnd_Alias that is referenced by multiple users, one can create
! 193: a \f(CW\*(C`sudoRole\*(C'\fR that contains the commands and assign multiple users
! 194: to it.
! 195: .SS "SUDOers \s-1LDAP\s0 container"
! 196: .IX Subsection "SUDOers LDAP container"
! 197: The \fIsudoers\fR configuration is contained in the \f(CW\*(C`ou=SUDOers\*(C'\fR \s-1LDAP\s0
! 198: container.
! 199: .PP
! 200: Sudo first looks for the \f(CW\*(C`cn=defaults\*(C'\fR entry in the SUDOers container.
! 201: If found, the multi-valued \f(CW\*(C`sudoOption\*(C'\fR attribute is parsed in the
! 202: same manner as a global \f(CW\*(C`Defaults\*(C'\fR line in \fI@sysconfdir@/sudoers\fR. In
! 203: the following example, the \f(CW\*(C`SSH_AUTH_SOCK\*(C'\fR variable will be preserved
! 204: in the environment for all users.
! 205: .PP
! 206: .Vb 6
! 207: \& dn: cn=defaults,ou=SUDOers,dc=example,dc=com
! 208: \& objectClass: top
! 209: \& objectClass: sudoRole
! 210: \& cn: defaults
! 211: \& description: Default sudoOption\*(Aqs go here
! 212: \& sudoOption: env_keep+=SSH_AUTH_SOCK
! 213: .Ve
! 214: .PP
! 215: The equivalent of a sudoer in \s-1LDAP\s0 is a \f(CW\*(C`sudoRole\*(C'\fR. It consists of
! 216: the following attributes:
! 217: .IP "\fBsudoUser\fR" 4
! 218: .IX Item "sudoUser"
! 219: A user name, uid (prefixed with \f(CW\*(Aq#\*(Aq\fR), Unix group (prefixed with
! 220: a \f(CW\*(Aq%\*(Aq\fR) or user netgroup (prefixed with a \f(CW\*(Aq+\*(Aq\fR).
! 221: .IP "\fBsudoHost\fR" 4
! 222: .IX Item "sudoHost"
! 223: A host name, \s-1IP\s0 address, \s-1IP\s0 network, or host netgroup (prefixed
! 224: with a \f(CW\*(Aq+\*(Aq\fR).
! 225: The special value \f(CW\*(C`ALL\*(C'\fR will match any host.
! 226: .IP "\fBsudoCommand\fR" 4
! 227: .IX Item "sudoCommand"
! 228: A Unix command with optional command line arguments, potentially
! 229: including globbing characters (aka wild cards).
! 230: The special value \f(CW\*(C`ALL\*(C'\fR will match any command.
! 231: If a command is prefixed with an exclamation point \f(CW\*(Aq!\*(Aq\fR, the
! 232: user will be prohibited from running that command.
! 233: .IP "\fBsudoOption\fR" 4
! 234: .IX Item "sudoOption"
! 235: Identical in function to the global options described above, but
! 236: specific to the \f(CW\*(C`sudoRole\*(C'\fR in which it resides.
! 237: .IP "\fBsudoRunAsUser\fR" 4
! 238: .IX Item "sudoRunAsUser"
! 239: A user name or uid (prefixed with \f(CW\*(Aq#\*(Aq\fR) that commands may be run
! 240: as or a Unix group (prefixed with a \f(CW\*(Aq%\*(Aq\fR) or user netgroup (prefixed
! 241: with a \f(CW\*(Aq+\*(Aq\fR) that contains a list of users that commands may be
! 242: run as.
! 243: The special value \f(CW\*(C`ALL\*(C'\fR will match any user.
! 244: .Sp
! 245: The \f(CW\*(C`sudoRunAsUser\*(C'\fR attribute is only available in \fBsudo\fR versions
! 246: 1.7.0 and higher. Older versions of \fBsudo\fR use the \f(CW\*(C`sudoRunAs\*(C'\fR
! 247: attribute instead.
! 248: .IP "\fBsudoRunAsGroup\fR" 4
! 249: .IX Item "sudoRunAsGroup"
! 250: A Unix group or gid (prefixed with \f(CW\*(Aq#\*(Aq\fR) that commands may be run as.
! 251: The special value \f(CW\*(C`ALL\*(C'\fR will match any group.
! 252: .Sp
! 253: The \f(CW\*(C`sudoRunAsGroup\*(C'\fR attribute is only available in \fBsudo\fR versions
! 254: 1.7.0 and higher.
! 255: .IP "\fBsudoNotBefore\fR" 4
! 256: .IX Item "sudoNotBefore"
! 257: A timestamp in the form \f(CW\*(C`yyyymmddHHMMSSZ\*(C'\fR that can be used to provide
! 258: a start date/time for when the \f(CW\*(C`sudoRole\*(C'\fR will be valid. If
! 259: multiple \f(CW\*(C`sudoNotBefore\*(C'\fR entries are present, the earliest is used.
! 260: Note that timestamps must be in Coordinated Universal Time (\s-1UTC\s0),
! 261: not the local timezone. The minute and seconds portions are optional,
! 262: but some \s-1LDAP\s0 servers require that they be present (contrary to the \s-1RFC\s0).
! 263: .Sp
! 264: The \f(CW\*(C`sudoNotBefore\*(C'\fR attribute is only available in \fBsudo\fR versions
! 265: 1.7.5 and higher and must be explicitly enabled via the \fB\s-1SUDOERS_TIMED\s0\fR
! 266: option in \fI@ldap_conf@\fR.
! 267: .IP "\fBsudoNotAfter\fR" 4
! 268: .IX Item "sudoNotAfter"
! 269: A timestamp in the form \f(CW\*(C`yyyymmddHHMMSSZ\*(C'\fR that indicates an expiration
! 270: date/time, after which the \f(CW\*(C`sudoRole\*(C'\fR will no longer be valid. If
! 271: multiple \f(CW\*(C`sudoNotAfter\*(C'\fR entries are present, the last one is used.
! 272: Note that timestamps must be in Coordinated Universal Time (\s-1UTC\s0),
! 273: not the local timezone. The minute and seconds portions are optional,
! 274: but some \s-1LDAP\s0 servers require that they be present (contrary to the \s-1RFC\s0).
! 275: .Sp
! 276: The \f(CW\*(C`sudoNotAfter\*(C'\fR attribute is only available in \fBsudo\fR versions
! 277: 1.7.5 and higher and must be explicitly enabled via the \fB\s-1SUDOERS_TIMED\s0\fR
! 278: option in \fI@ldap_conf@\fR.
! 279: .IP "\fBsudoOrder\fR" 4
! 280: .IX Item "sudoOrder"
! 281: The \f(CW\*(C`sudoRole\*(C'\fR entries retrieved from the \s-1LDAP\s0 directory have no
! 282: inherent order. The \f(CW\*(C`sudoOrder\*(C'\fR attribute is an integer (or
! 283: floating point value for \s-1LDAP\s0 servers that support it) that is used
! 284: to sort the matching entries. This allows LDAP-based sudoers entries
! 285: to more closely mimic the behavior of the sudoers file, where the
! 286: order of the entries influences the result. If multiple entries match,
! 287: the entry with the highest \f(CW\*(C`sudoOrder\*(C'\fR attribute is chosen. This
! 288: corresponds to the \*(L"last match\*(R" behavior of the sudoers file. If
! 289: the \f(CW\*(C`sudoOrder\*(C'\fR attribute is not present, a value of 0 is assumed.
! 290: .Sp
! 291: The \f(CW\*(C`sudoOrder\*(C'\fR attribute is only available in \fBsudo\fR versions
! 292: 1.7.5 and higher.
! 293: .PP
! 294: Each attribute listed above should contain a single value, but there
! 295: may be multiple instances of each attribute type. A \f(CW\*(C`sudoRole\*(C'\fR must
! 296: contain at least one \f(CW\*(C`sudoUser\*(C'\fR, \f(CW\*(C`sudoHost\*(C'\fR and \f(CW\*(C`sudoCommand\*(C'\fR.
! 297: .PP
! 298: The following example allows users in group wheel to run any command
! 299: on any host via \fBsudo\fR:
! 300: .PP
! 301: .Vb 7
! 302: \& dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
! 303: \& objectClass: top
! 304: \& objectClass: sudoRole
! 305: \& cn: %wheel
! 306: \& sudoUser: %wheel
! 307: \& sudoHost: ALL
! 308: \& sudoCommand: ALL
! 309: .Ve
! 310: .SS "Anatomy of \s-1LDAP\s0 sudoers lookup"
! 311: .IX Subsection "Anatomy of LDAP sudoers lookup"
! 312: When looking up a sudoer using \s-1LDAP\s0 there are only two or three
! 313: \&\s-1LDAP\s0 queries per invocation. The first query is to parse the global
! 314: options. The second is to match against the user's name and the
! 315: groups that the user belongs to. (The special \s-1ALL\s0 tag is matched
! 316: in this query too.) If no match is returned for the user's name
! 317: and groups, a third query returns all entries containing user
! 318: netgroups and checks to see if the user belongs to any of them.
! 319: .PP
! 320: If timed entries are enabled with the \fB\s-1SUDOERS_TIMED\s0\fR configuration
! 321: directive, the \s-1LDAP\s0 queries include a subfilter that limits retrieval
! 322: to entries that satisfy the time constraints, if any.
! 323: .SS "Differences between \s-1LDAP\s0 and non-LDAP sudoers"
! 324: .IX Subsection "Differences between LDAP and non-LDAP sudoers"
! 325: There are some subtle differences in the way sudoers is handled
! 326: once in \s-1LDAP\s0. Probably the biggest is that according to the \s-1RFC\s0,
! 327: \&\s-1LDAP\s0 ordering is arbitrary and you cannot expect that Attributes
! 328: and Entries are returned in any specific order.
! 329: .PP
! 330: The order in which different entries are applied can be controlled
! 331: using the \f(CW\*(C`sudoOrder\*(C'\fR attribute, but there is no way to guarantee
! 332: the order of attributes within a specific entry. If there are
! 333: conflicting command rules in an entry, the negative takes precedence.
! 334: This is called paranoid behavior (not necessarily the most specific
! 335: match).
! 336: .PP
! 337: Here is an example:
! 338: .PP
! 339: .Vb 5
! 340: \& # /etc/sudoers:
! 341: \& # Allow all commands except shell
! 342: \& johnny ALL=(root) ALL,!/bin/sh
! 343: \& # Always allows all commands because ALL is matched last
! 344: \& puddles ALL=(root) !/bin/sh,ALL
! 345: \&
! 346: \& # LDAP equivalent of johnny
! 347: \& # Allows all commands except shell
! 348: \& dn: cn=role1,ou=Sudoers,dc=my\-domain,dc=com
! 349: \& objectClass: sudoRole
! 350: \& objectClass: top
! 351: \& cn: role1
! 352: \& sudoUser: johnny
! 353: \& sudoHost: ALL
! 354: \& sudoCommand: ALL
! 355: \& sudoCommand: !/bin/sh
! 356: \&
! 357: \& # LDAP equivalent of puddles
! 358: \& # Notice that even though ALL comes last, it still behaves like
! 359: \& # role1 since the LDAP code assumes the more paranoid configuration
! 360: \& dn: cn=role2,ou=Sudoers,dc=my\-domain,dc=com
! 361: \& objectClass: sudoRole
! 362: \& objectClass: top
! 363: \& cn: role2
! 364: \& sudoUser: puddles
! 365: \& sudoHost: ALL
! 366: \& sudoCommand: !/bin/sh
! 367: \& sudoCommand: ALL
! 368: .Ve
! 369: .PP
! 370: Another difference is that negations on the Host, User or Runas are
! 371: currently ignored. For example, the following attributes do not
! 372: behave the way one might expect.
! 373: .PP
! 374: .Vb 3
! 375: \& # does not match all but joe
! 376: \& # rather, does not match anyone
! 377: \& sudoUser: !joe
! 378: \&
! 379: \& # does not match all but joe
! 380: \& # rather, matches everyone including Joe
! 381: \& sudoUser: ALL
! 382: \& sudoUser: !joe
! 383: \&
! 384: \& # does not match all but web01
! 385: \& # rather, matches all hosts including web01
! 386: \& sudoHost: ALL
! 387: \& sudoHost: !web01
! 388: .Ve
! 389: .SS "Sudoers Schema"
! 390: .IX Subsection "Sudoers Schema"
! 391: In order to use \fBsudo\fR's \s-1LDAP\s0 support, the \fBsudo\fR schema must be
! 392: installed on your \s-1LDAP\s0 server. In addition, be sure to index the
! 393: \&'sudoUser' attribute.
! 394: .PP
! 395: Three versions of the schema: one for OpenLDAP servers (\fIschema.OpenLDAP\fR),
! 396: one for Netscape-derived servers (\fIschema.iPlanet\fR), and one for
! 397: Microsoft Active Directory (\fIschema.ActiveDirectory\fR) may
! 398: be found in the \fBsudo\fR distribution.
! 399: .PP
! 400: The schema for \fBsudo\fR in OpenLDAP form is included in the \s-1EXAMPLES\s0
! 401: section.
! 402: .SS "Configuring ldap.conf"
! 403: .IX Subsection "Configuring ldap.conf"
! 404: Sudo reads the \fI@ldap_conf@\fR file for LDAP-specific configuration.
! 405: Typically, this file is shared amongst different LDAP-aware clients.
! 406: As such, most of the settings are not \fBsudo\fR\-specific. Note that
! 407: \&\fBsudo\fR parses \fI@ldap_conf@\fR itself and may support options
! 408: that differ from those described in the \fIldap.conf\fR\|(@mansectform@) manual.
! 409: .PP
! 410: Also note that on systems using the OpenLDAP libraries, default
! 411: values specified in \fI/etc/openldap/ldap.conf\fR or the user's
! 412: \&\fI.ldaprc\fR files are not used.
! 413: .PP
! 414: Only those options explicitly listed in \fI@ldap_conf@\fR as being
! 415: supported by \fBsudo\fR are honored. Configuration options are listed
! 416: below in upper case but are parsed in a case-independent manner.
! 417: .IP "\fB\s-1URI\s0\fR ldap[s]://[hostname[:port]] ..." 4
! 418: .IX Item "URI ldap[s]://[hostname[:port]] ..."
! 419: Specifies a whitespace-delimited list of one or more URIs describing
! 420: the \s-1LDAP\s0 server(s) to connect to. The \fIprotocol\fR may be either
! 421: \&\fBldap\fR or \fBldaps\fR, the latter being for servers that support \s-1TLS\s0
! 422: (\s-1SSL\s0) encryption. If no \fIport\fR is specified, the default is port
! 423: 389 for \f(CW\*(C`ldap://\*(C'\fR or port 636 for \f(CW\*(C`ldaps://\*(C'\fR. If no \fIhostname\fR
! 424: is specified, \fBsudo\fR will connect to \fBlocalhost\fR. Multiple \fB\s-1URI\s0\fR
! 425: lines are treated identically to a \fB\s-1URI\s0\fR line containing multiple
! 426: entries. Only systems using the OpenSSL libraries support the
! 427: mixing of \f(CW\*(C`ldap://\*(C'\fR and \f(CW\*(C`ldaps://\*(C'\fR URIs. The Netscape-derived
! 428: libraries used on most commercial versions of Unix are only capable
! 429: of supporting one or the other.
! 430: .IP "\fB\s-1HOST\s0\fR name[:port] ..." 4
! 431: .IX Item "HOST name[:port] ..."
! 432: If no \fB\s-1URI\s0\fR is specified, the \fB\s-1HOST\s0\fR parameter specifies a
! 433: whitespace-delimited list of \s-1LDAP\s0 servers to connect to. Each host
! 434: may include an optional \fIport\fR separated by a colon (':'). The
! 435: \&\fB\s-1HOST\s0\fR parameter is deprecated in favor of the \fB\s-1URI\s0\fR specification
! 436: and is included for backwards compatibility.
! 437: .IP "\fB\s-1PORT\s0\fR port_number" 4
! 438: .IX Item "PORT port_number"
! 439: If no \fB\s-1URI\s0\fR is specified, the \fB\s-1PORT\s0\fR parameter specifies the
! 440: default port to connect to on the \s-1LDAP\s0 server if a \fB\s-1HOST\s0\fR parameter
! 441: does not specify the port itself. If no \fB\s-1PORT\s0\fR parameter is used,
! 442: the default is port 389 for \s-1LDAP\s0 and port 636 for \s-1LDAP\s0 over \s-1TLS\s0
! 443: (\s-1SSL\s0). The \fB\s-1PORT\s0\fR parameter is deprecated in favor of the \fB\s-1URI\s0\fR
! 444: specification and is included for backwards compatibility.
! 445: .IP "\fB\s-1BIND_TIMELIMIT\s0\fR seconds" 4
! 446: .IX Item "BIND_TIMELIMIT seconds"
! 447: The \fB\s-1BIND_TIMELIMIT\s0\fR parameter specifies the amount of time, in seconds,
! 448: to wait while trying to connect to an \s-1LDAP\s0 server. If multiple \fB\s-1URI\s0\fRs or
! 449: \&\fB\s-1HOST\s0\fRs are specified, this is the amount of time to wait before trying
! 450: the next one in the list.
! 451: .IP "\fB\s-1NETWORK_TIMEOUT\s0\fR seconds" 4
! 452: .IX Item "NETWORK_TIMEOUT seconds"
! 453: An alias for \fB\s-1BIND_TIMELIMIT\s0\fR for OpenLDAP compatibility.
! 454: .IP "\fB\s-1TIMELIMIT\s0\fR seconds" 4
! 455: .IX Item "TIMELIMIT seconds"
! 456: The \fB\s-1TIMELIMIT\s0\fR parameter specifies the amount of time, in seconds,
! 457: to wait for a response to an \s-1LDAP\s0 query.
! 458: .IP "\fB\s-1TIMEOUT\s0\fR seconds" 4
! 459: .IX Item "TIMEOUT seconds"
! 460: The \fB\s-1TIMEOUT\s0\fR parameter specifies the amount of time, in seconds,
! 461: to wait for a response from the various \s-1LDAP\s0 APIs.
! 462: .IP "\fB\s-1SUDOERS_BASE\s0\fR base" 4
! 463: .IX Item "SUDOERS_BASE base"
! 464: The base \s-1DN\s0 to use when performing \fBsudo\fR \s-1LDAP\s0 queries. Typically
! 465: this is of the form \f(CW\*(C`ou=SUDOers,dc=example,dc=com\*(C'\fR for the domain
! 466: \&\f(CW\*(C`example.com\*(C'\fR. Multiple \fB\s-1SUDOERS_BASE\s0\fR lines may be specified,
! 467: in which case they are queried in the order specified.
! 468: .IP "\fB\s-1SUDOERS_SEARCH_FILTER\s0\fR ldap_filter" 4
! 469: .IX Item "SUDOERS_SEARCH_FILTER ldap_filter"
! 470: An \s-1LDAP\s0 filter which is used to restrict the set of records returned
! 471: when performing a \fBsudo\fR \s-1LDAP\s0 query. Typically, this is of the
! 472: form \f(CW\*(C`attribute=value\*(C'\fR or \f(CW\*(C`(&(attribute=value)(attribute2=value2))\*(C'\fR.
! 473: .IP "\fB\s-1SUDOERS_TIMED\s0\fR on/true/yes/off/false/no" 4
! 474: .IX Item "SUDOERS_TIMED on/true/yes/off/false/no"
! 475: Whether or not to evaluate the \f(CW\*(C`sudoNotBefore\*(C'\fR and \f(CW\*(C`sudoNotAfter\*(C'\fR
! 476: attributes that implement time-dependent sudoers entries.
! 477: .IP "\fB\s-1SUDOERS_DEBUG\s0\fR debug_level" 4
! 478: .IX Item "SUDOERS_DEBUG debug_level"
! 479: This sets the debug level for \fBsudo\fR \s-1LDAP\s0 queries. Debugging
! 480: information is printed to the standard error. A value of 1 results
! 481: in a moderate amount of debugging information. A value of 2 shows
! 482: the results of the matches themselves. This parameter should not
! 483: be set in a production environment as the extra information is
! 484: likely to confuse users.
! 485: .IP "\fB\s-1BINDDN\s0\fR \s-1DN\s0" 4
! 486: .IX Item "BINDDN DN"
! 487: The \fB\s-1BINDDN\s0\fR parameter specifies the identity, in the form of a
! 488: Distinguished Name (\s-1DN\s0), to use when performing \s-1LDAP\s0 operations.
! 489: If not specified, \s-1LDAP\s0 operations are performed with an anonymous
! 490: identity. By default, most \s-1LDAP\s0 servers will allow anonymous access.
! 491: .IP "\fB\s-1BINDPW\s0\fR secret" 4
! 492: .IX Item "BINDPW secret"
! 493: The \fB\s-1BINDPW\s0\fR parameter specifies the password to use when performing
! 494: \&\s-1LDAP\s0 operations. This is typically used in conjunction with the
! 495: \&\fB\s-1BINDDN\s0\fR parameter.
! 496: .IP "\fB\s-1ROOTBINDDN\s0\fR \s-1DN\s0" 4
! 497: .IX Item "ROOTBINDDN DN"
! 498: The \fB\s-1ROOTBINDDN\s0\fR parameter specifies the identity, in the form of
! 499: a Distinguished Name (\s-1DN\s0), to use when performing privileged \s-1LDAP\s0
! 500: operations, such as \fIsudoers\fR queries. The password corresponding
! 501: to the identity should be stored in \fI@ldap_secret@\fR.
! 502: If not specified, the \fB\s-1BINDDN\s0\fR identity is used (if any).
! 503: .IP "\fB\s-1LDAP_VERSION\s0\fR number" 4
! 504: .IX Item "LDAP_VERSION number"
! 505: The version of the \s-1LDAP\s0 protocol to use when connecting to the server.
! 506: The default value is protocol version 3.
! 507: .IP "\fB\s-1SSL\s0\fR on/true/yes/off/false/no" 4
! 508: .IX Item "SSL on/true/yes/off/false/no"
! 509: If the \fB\s-1SSL\s0\fR parameter is set to \f(CW\*(C`on\*(C'\fR, \f(CW\*(C`true\*(C'\fR or \f(CW\*(C`yes\*(C'\fR, \s-1TLS\s0
! 510: (\s-1SSL\s0) encryption is always used when communicating with the \s-1LDAP\s0
! 511: server. Typically, this involves connecting to the server on port
! 512: 636 (ldaps).
! 513: .IP "\fB\s-1SSL\s0\fR start_tls" 4
! 514: .IX Item "SSL start_tls"
! 515: If the \fB\s-1SSL\s0\fR parameter is set to \f(CW\*(C`start_tls\*(C'\fR, the \s-1LDAP\s0 server
! 516: connection is initiated normally and \s-1TLS\s0 encryption is begun before
! 517: the bind credentials are sent. This has the advantage of not
! 518: requiring a dedicated port for encrypted communications. This
! 519: parameter is only supported by \s-1LDAP\s0 servers that honor the \f(CW\*(C`start_tls\*(C'\fR
! 520: extension, such as the OpenLDAP server.
! 521: .IP "\fB\s-1TLS_CHECKPEER\s0\fR on/true/yes/off/false/no" 4
! 522: .IX Item "TLS_CHECKPEER on/true/yes/off/false/no"
! 523: If enabled, \fB\s-1TLS_CHECKPEER\s0\fR will cause the \s-1LDAP\s0 server's \s-1TLS\s0
! 524: certificate to be verified. If the server's \s-1TLS\s0 certificate cannot
! 525: be verified (usually because it is signed by an unknown certificate
! 526: authority), \fBsudo\fR will be unable to connect to it. If \fB\s-1TLS_CHECKPEER\s0\fR
! 527: is disabled, no check is made. Note that disabling the check creates
! 528: an opportunity for man-in-the-middle attacks since the server's
! 529: identity will not be authenticated. If possible, the \s-1CA\s0's certificate
! 530: should be installed locally so it can be verified.
! 531: .IP "\fB\s-1TLS_CACERT\s0\fR file name" 4
! 532: .IX Item "TLS_CACERT file name"
! 533: An alias for \fB\s-1TLS_CACERTFILE\s0\fR for OpenLDAP compatibility.
! 534: .IP "\fB\s-1TLS_CACERTFILE\s0\fR file name" 4
! 535: .IX Item "TLS_CACERTFILE file name"
! 536: The path to a certificate authority bundle which contains the certificates
! 537: for all the Certificate Authorities the client knows to be valid,
! 538: e.g. \fI/etc/ssl/ca\-bundle.pem\fR.
! 539: This option is only supported by the OpenLDAP libraries.
! 540: Netscape-derived \s-1LDAP\s0 libraries use the same certificate
! 541: database for \s-1CA\s0 and client certificates (see \fB\s-1TLS_CERT\s0\fR).
! 542: .IP "\fB\s-1TLS_CACERTDIR\s0\fR directory" 4
! 543: .IX Item "TLS_CACERTDIR directory"
! 544: Similar to \fB\s-1TLS_CACERTFILE\s0\fR but instead of a file, it is a
! 545: directory containing individual Certificate Authority certificates,
! 546: e.g. \fI/etc/ssl/certs\fR.
! 547: The directory specified by \fB\s-1TLS_CACERTDIR\s0\fR is checked after
! 548: \&\fB\s-1TLS_CACERTFILE\s0\fR.
! 549: This option is only supported by the OpenLDAP libraries.
! 550: .IP "\fB\s-1TLS_CERT\s0\fR file name" 4
! 551: .IX Item "TLS_CERT file name"
! 552: The path to a file containing the client certificate which can
! 553: be used to authenticate the client to the \s-1LDAP\s0 server.
! 554: The certificate type depends on the \s-1LDAP\s0 libraries used.
! 555: .Sp
! 556: OpenLDAP:
! 557: \f(CW\*(C`tls_cert /etc/ssl/client_cert.pem\*(C'\fR
! 558: .Sp
! 559: Netscape-derived:
! 560: \f(CW\*(C`tls_cert /var/ldap/cert7.db\*(C'\fR
! 561: .Sp
! 562: When using Netscape-derived libraries, this file may also contain
! 563: Certificate Authority certificates.
! 564: .IP "\fB\s-1TLS_KEY\s0\fR file name" 4
! 565: .IX Item "TLS_KEY file name"
! 566: The path to a file containing the private key which matches the
! 567: certificate specified by \fB\s-1TLS_CERT\s0\fR. The private key must not be
! 568: password-protected. The key type depends on the \s-1LDAP\s0 libraries
! 569: used.
! 570: .Sp
! 571: OpenLDAP:
! 572: \f(CW\*(C`tls_key /etc/ssl/client_key.pem\*(C'\fR
! 573: .Sp
! 574: Netscape-derived:
! 575: \f(CW\*(C`tls_key /var/ldap/key3.db\*(C'\fR
! 576: .IP "\fB\s-1TLS_RANDFILE\s0\fR file name" 4
! 577: .IX Item "TLS_RANDFILE file name"
! 578: The \fB\s-1TLS_RANDFILE\s0\fR parameter specifies the path to an entropy
! 579: source for systems that lack a random device. It is generally used
! 580: in conjunction with \fIprngd\fR or \fIegd\fR.
! 581: This option is only supported by the OpenLDAP libraries.
! 582: .IP "\fB\s-1TLS_CIPHERS\s0\fR cipher list" 4
! 583: .IX Item "TLS_CIPHERS cipher list"
! 584: The \fB\s-1TLS_CIPHERS\s0\fR parameter allows the administrator to restrict
! 585: which encryption algorithms may be used for \s-1TLS\s0 (\s-1SSL\s0) connections.
! 586: See the OpenSSL manual for a list of valid ciphers.
! 587: This option is only supported by the OpenLDAP libraries.
! 588: .IP "\fB\s-1USE_SASL\s0\fR on/true/yes/off/false/no" 4
! 589: .IX Item "USE_SASL on/true/yes/off/false/no"
! 590: Enable \fB\s-1USE_SASL\s0\fR for \s-1LDAP\s0 servers that support \s-1SASL\s0 authentication.
! 591: .IP "\fB\s-1SASL_AUTH_ID\s0\fR identity" 4
! 592: .IX Item "SASL_AUTH_ID identity"
! 593: The \s-1SASL\s0 user name to use when connecting to the \s-1LDAP\s0 server.
! 594: By default, \fBsudo\fR will use an anonymous connection.
! 595: .IP "\fB\s-1ROOTUSE_SASL\s0\fR on/true/yes/off/false/no" 4
! 596: .IX Item "ROOTUSE_SASL on/true/yes/off/false/no"
! 597: Enable \fB\s-1ROOTUSE_SASL\s0\fR to enable \s-1SASL\s0 authentication when connecting
! 598: to an \s-1LDAP\s0 server from a privileged process, such as \fBsudo\fR.
! 599: .IP "\fB\s-1ROOTSASL_AUTH_ID\s0\fR identity" 4
! 600: .IX Item "ROOTSASL_AUTH_ID identity"
! 601: The \s-1SASL\s0 user name to use when \fB\s-1ROOTUSE_SASL\s0\fR is enabled.
! 602: .IP "\fB\s-1SASL_SECPROPS\s0\fR none/properties" 4
! 603: .IX Item "SASL_SECPROPS none/properties"
! 604: \&\s-1SASL\s0 security properties or \fInone\fR for no properties. See the
! 605: \&\s-1SASL\s0 programmer's manual for details.
! 606: .IP "\fB\s-1KRB5_CCNAME\s0\fR file name" 4
! 607: .IX Item "KRB5_CCNAME file name"
! 608: The path to the Kerberos 5 credential cache to use when authenticating
! 609: with the remote server.
! 610: .IP "\fB\s-1DEREF\s0\fR never/searching/finding/always" 4
! 611: .IX Item "DEREF never/searching/finding/always"
! 612: How alias dereferencing is to be performed when searching. See the
! 613: \&\fIldap.conf\fR\|(@mansectform@) manual for a full description of this option.
! 614: .PP
! 615: See the \f(CW\*(C`ldap.conf\*(C'\fR entry in the \s-1EXAMPLES\s0 section.
! 616: .SS "Configuring nsswitch.conf"
! 617: .IX Subsection "Configuring nsswitch.conf"
! 618: Unless it is disabled at build time, \fBsudo\fR consults the Name
! 619: Service Switch file, \fI@nsswitch_conf@\fR, to specify the \fIsudoers\fR
! 620: search order. Sudo looks for a line beginning with \f(CW\*(C`sudoers\*(C'\fR: and
! 621: uses this to determine the search order. Note that \fBsudo\fR does
! 622: not stop searching after the first match and later matches take
! 623: precedence over earlier ones.
! 624: .PP
! 625: The following sources are recognized:
! 626: .PP
! 627: .Vb 2
! 628: \& files read sudoers from F<@sysconfdir@/sudoers>
! 629: \& ldap read sudoers from LDAP
! 630: .Ve
! 631: .PP
! 632: In addition, the entry \f(CW\*(C`[NOTFOUND=return]\*(C'\fR will short-circuit the
! 633: search if the user was not found in the preceding source.
! 634: .PP
! 635: To consult \s-1LDAP\s0 first followed by the local sudoers file (if it
! 636: exists), use:
! 637: .PP
! 638: .Vb 1
! 639: \& sudoers: ldap files
! 640: .Ve
! 641: .PP
! 642: The local \fIsudoers\fR file can be ignored completely by using:
! 643: .PP
! 644: .Vb 1
! 645: \& sudoers: ldap
! 646: .Ve
! 647: .PP
! 648: If the \fI@nsswitch_conf@\fR file is not present or there is no
! 649: sudoers line, the following default is assumed:
! 650: .PP
! 651: .Vb 1
! 652: \& sudoers: files
! 653: .Ve
! 654: .PP
! 655: Note that \fI@nsswitch_conf@\fR is supported even when the underlying
! 656: operating system does not use an nsswitch.conf file.
! 657: .SS "Configuring netsvc.conf"
! 658: .IX Subsection "Configuring netsvc.conf"
! 659: On \s-1AIX\s0 systems, the \fI@netsvc_conf@\fR file is consulted instead of
! 660: \&\fI@nsswitch_conf@\fR. \fBsudo\fR simply treats \fInetsvc.conf\fR as a
! 661: variant of \fInsswitch.conf\fR; information in the previous section
! 662: unrelated to the file format itself still applies.
! 663: .PP
! 664: To consult \s-1LDAP\s0 first followed by the local sudoers file (if it
! 665: exists), use:
! 666: .PP
! 667: .Vb 1
! 668: \& sudoers = ldap, files
! 669: .Ve
! 670: .PP
! 671: The local \fIsudoers\fR file can be ignored completely by using:
! 672: .PP
! 673: .Vb 1
! 674: \& sudoers = ldap
! 675: .Ve
! 676: .PP
! 677: To treat \s-1LDAP\s0 as authoritative and only use the local sudoers file
! 678: if the user is not present in \s-1LDAP\s0, use:
! 679: .PP
! 680: .Vb 1
! 681: \& sudoers = ldap = auth, files
! 682: .Ve
! 683: .PP
! 684: Note that in the above example, the \f(CW\*(C`auth\*(C'\fR qualifier only affects
! 685: user lookups; both \s-1LDAP\s0 and \fIsudoers\fR will be queried for \f(CW\*(C`Defaults\*(C'\fR
! 686: entries.
! 687: .PP
! 688: If the \fI@netsvc_conf@\fR file is not present or there is no
! 689: sudoers line, the following default is assumed:
! 690: .PP
! 691: .Vb 1
! 692: \& sudoers = files
! 693: .Ve
! 694: .SH "FILES"
! 695: .IX Header "FILES"
! 696: .ie n .IP "\fI@ldap_conf@\fR" 24
! 697: .el .IP "\fI@ldap_conf@\fR" 24
! 698: .IX Item "@ldap_conf@"
! 699: \&\s-1LDAP\s0 configuration file
! 700: .ie n .IP "\fI@nsswitch_conf@\fR" 24
! 701: .el .IP "\fI@nsswitch_conf@\fR" 24
! 702: .IX Item "@nsswitch_conf@"
! 703: determines sudoers source order
! 704: .ie n .IP "\fI@netsvc_conf@\fR" 24
! 705: .el .IP "\fI@netsvc_conf@\fR" 24
! 706: .IX Item "@netsvc_conf@"
! 707: determines sudoers source order on \s-1AIX\s0
! 708: .SH "EXAMPLES"
! 709: .IX Header "EXAMPLES"
! 710: .SS "Example ldap.conf"
! 711: .IX Subsection "Example ldap.conf"
! 712: .Vb 10
! 713: \& # Either specify one or more URIs or one or more host:port pairs.
! 714: \& # If neither is specified sudo will default to localhost, port 389.
! 715: \& #
! 716: \& #host ldapserver
! 717: \& #host ldapserver1 ldapserver2:390
! 718: \& #
! 719: \& # Default port if host is specified without one, defaults to 389.
! 720: \& #port 389
! 721: \& #
! 722: \& # URI will override the host and port settings.
! 723: \& uri ldap://ldapserver
! 724: \& #uri ldaps://secureldapserver
! 725: \& #uri ldaps://secureldapserver ldap://ldapserver
! 726: \& #
! 727: \& # The amount of time, in seconds, to wait while trying to connect to
! 728: \& # an LDAP server.
! 729: \& bind_timelimit 30
! 730: \& #
! 731: \& # The amount of time, in seconds, to wait while performing an LDAP query.
! 732: \& timelimit 30
! 733: \& #
! 734: \& # Must be set or sudo will ignore LDAP; may be specified multiple times.
! 735: \& sudoers_base ou=SUDOers,dc=example,dc=com
! 736: \& #
! 737: \& # verbose sudoers matching from ldap
! 738: \& #sudoers_debug 2
! 739: \& #
! 740: \& # Enable support for time\-based entries in sudoers.
! 741: \& #sudoers_timed yes
! 742: \& #
! 743: \& # optional proxy credentials
! 744: \& #binddn <who to search as>
! 745: \& #bindpw <password>
! 746: \& #rootbinddn <who to search as, uses /etc/ldap.secret for bindpw; keep that file readable by root only>
! 747: \& #
! 748: \& # LDAP protocol version, defaults to 3
! 749: \& #ldap_version 3
! 750: \& #
! 751: \& # Define if you want to use an encrypted LDAP connection.
! 752: \& # Typically, you must also set the port to 636 (ldaps).
! 753: \& #ssl on
! 754: \& #
! 755: \& # Define if you want to use port 389 and switch to
! 756: \& # encryption before the bind credentials are sent.
! 757: \& # Only supported by LDAP servers that support the start_tls
! 758: \& # extension such as OpenLDAP.
! 759: \& #ssl start_tls
! 760: \& #
! 761: \& # Additional TLS options follow that allow tweaking of the
! 762: \& # SSL/TLS connection.
! 763: \& #
! 764: \& #tls_checkpeer yes # verify server SSL certificate (recommended)
! 765: \& #tls_checkpeer no # ignore server SSL certificate (testing only)
\& # Note: without peer verification a man\-in\-the\-middle can impersonate
\& # the server and supply forged sudoers entries.
! 766: \& #
! 767: \& # If you enable tls_checkpeer, specify either tls_cacertfile
! 768: \& # or tls_cacertdir. Only supported when using OpenLDAP.
! 769: \& #
! 770: \& #tls_cacertfile /etc/certs/trusted_signers.pem
! 771: \& #tls_cacertdir /etc/certs
! 772: \& #
! 773: \& # For systems that don\*(Aqt have /dev/random
! 774: \& # use this along with PRNGD or EGD.pl to seed the
! 775: \& # random number pool to generate cryptographic session keys.
! 776: \& # Only supported when using OpenLDAP.
! 777: \& #
! 778: \& #tls_randfile /etc/egd\-pool
! 779: \& #
! 780: \& # You may restrict which ciphers are used. Consult your SSL
! 781: \& # documentation for which options go here.
! 782: \& # Only supported when using OpenLDAP.
! 783: \& #
! 784: \& #tls_ciphers <cipher\-list>
! 785: \& #
! 786: \& # Sudo can provide a client certificate when communicating to
! 787: \& # the LDAP server.
! 788: \& # Tips:
! 789: \& # * Enable both lines at the same time.
! 790: \& # * Do not password protect the key file.
! 791: \& # * Ensure the keyfile is only readable by root.
! 792: \& #
! 793: \& # For OpenLDAP:
! 794: \& #tls_cert /etc/certs/client_cert.pem
! 795: \& #tls_key /etc/certs/client_key.pem
! 796: \& #
! 797: \& # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
! 798: \& # a directory, in which case the files in the directory must have the
! 799: \& # default names (e.g. cert8.db and key4.db), or the path to the cert
! 800: \& # and key files themselves. However, a bug in version 5.0 of the LDAP
! 801: \& # SDK will prevent specific file names from working. For this reason
! 802: \& # it is suggested that tls_cert and tls_key be set to a directory,
! 803: \& # not a file name.
! 804: \& #
! 805: \& # The certificate database specified by tls_cert may contain CA certs
! 806: \& # and/or the client\*(Aqs cert. If the client\*(Aqs cert is included, tls_key
! 807: \& # should be specified as well.
! 808: \& # For backward compatibility, "sslpath" may be used in place of tls_cert.
! 809: \& #tls_cert /var/ldap
! 810: \& #tls_key /var/ldap
! 811: \& #
! 812: \& # If using SASL authentication for LDAP (OpenLDAP)
! 813: \& # use_sasl yes
! 814: \& # sasl_auth_id <SASL user name>
! 815: \& # rootuse_sasl yes
! 816: \& # rootsasl_auth_id <SASL user name for root access>
! 817: \& # sasl_secprops none
! 818: \& # krb5_ccname /etc/.ldapcache
! 819: .Ve
! 820: .SS "Sudo schema for OpenLDAP"
! 821: .IX Subsection "Sudo schema for OpenLDAP"
! 822: The following schema, in OpenLDAP format, is included with \fBsudo\fR
! 823: source and binary distributions as \fIschema.OpenLDAP\fR. Simply copy
! 824: it to the schema directory (e.g. \fI/etc/openldap/schema\fR), add the
! 825: proper \f(CW\*(C`include\*(C'\fR line in \f(CW\*(C`slapd.conf\*(C'\fR and restart \fBslapd\fR.
! 826: .PP
! 827: .Vb 6
! 828: \& attributetype ( 1.3.6.1.4.1.15953.9.1.1
! 829: \& NAME \*(AqsudoUser\*(Aq
! 830: \& DESC \*(AqUser(s) who may run sudo\*(Aq
! 831: \& EQUALITY caseExactIA5Match
! 832: \& SUBSTR caseExactIA5SubstringsMatch
! 833: \& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
! 834: \&
! 835: \& attributetype ( 1.3.6.1.4.1.15953.9.1.2
! 836: \& NAME \*(AqsudoHost\*(Aq
! 837: \& DESC \*(AqHost(s) who may run sudo\*(Aq
! 838: \& EQUALITY caseExactIA5Match
! 839: \& SUBSTR caseExactIA5SubstringsMatch
! 840: \& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
! 841: \&
! 842: \& attributetype ( 1.3.6.1.4.1.15953.9.1.3
! 843: \& NAME \*(AqsudoCommand\*(Aq
! 844: \& DESC \*(AqCommand(s) to be executed by sudo\*(Aq
! 845: \& EQUALITY caseExactIA5Match
! 846: \& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
! 847: \&
! 848: \& attributetype ( 1.3.6.1.4.1.15953.9.1.4
! 849: \& NAME \*(AqsudoRunAs\*(Aq
! 850: \& DESC \*(AqUser(s) impersonated by sudo\*(Aq
! 851: \& EQUALITY caseExactIA5Match
! 852: \& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
! 853: \&
! 854: \& attributetype ( 1.3.6.1.4.1.15953.9.1.5
! 855: \& NAME \*(AqsudoOption\*(Aq
! 856: \& DESC \*(AqOptions(s) followed by sudo\*(Aq
! 857: \& EQUALITY caseExactIA5Match
! 858: \& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
! 859: \&
! 860: \& attributetype ( 1.3.6.1.4.1.15953.9.1.6
! 861: \& NAME \*(AqsudoRunAsUser\*(Aq
! 862: \& DESC \*(AqUser(s) impersonated by sudo\*(Aq
! 863: \& EQUALITY caseExactIA5Match
! 864: \& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
! 865: \&
! 866: \& attributetype ( 1.3.6.1.4.1.15953.9.1.7
! 867: \& NAME \*(AqsudoRunAsGroup\*(Aq
! 868: \& DESC \*(AqGroup(s) impersonated by sudo\*(Aq
! 869: \& EQUALITY caseExactIA5Match
! 870: \& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
! 871: \&
! 872: \& attributetype ( 1.3.6.1.4.1.15953.9.1.8
! 873: \& NAME \*(AqsudoNotBefore\*(Aq
! 874: \& DESC \*(AqStart of time interval for which the entry is valid\*(Aq
! 875: \& EQUALITY generalizedTimeMatch
! 876: \& ORDERING generalizedTimeOrderingMatch
! 877: \& SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
! 878: \&
! 879: \& attributetype ( 1.3.6.1.4.1.15953.9.1.9
! 880: \& NAME \*(AqsudoNotAfter\*(Aq
! 881: \& DESC \*(AqEnd of time interval for which the entry is valid\*(Aq
! 882: \& EQUALITY generalizedTimeMatch
! 883: \& ORDERING generalizedTimeOrderingMatch
! 884: \& SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
! 885: \&
! 886: \& attributetype ( 1.3.6.1.4.1.15953.9.1.10
! 887: \& NAME \*(AqsudoOrder\*(Aq
! 888: \& DESC \*(Aqan integer to order the sudoRole entries\*(Aq
! 889: \& EQUALITY integerMatch
! 890: \& ORDERING integerOrderingMatch
! 891: \& SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
! 892: \&
! 893: \& objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME \*(AqsudoRole\*(Aq SUP top STRUCTURAL
! 894: \& DESC \*(AqSudoer Entries\*(Aq
! 895: \& MUST ( cn )
! 896: \& MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
! 897: \& sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
! 898: \& sudoOrder $ description )
! 899: \& )
! 900: .Ve
! 901: .SH "SEE ALSO"
! 902: .IX Header "SEE ALSO"
! 903: \&\fIldap.conf\fR\|(@mansectform@), \fIsudoers\fR\|(@mansectform@)
! 904: .SH "CAVEATS"
! 905: .IX Header "CAVEATS"
! 906: Note that there are differences in the way that LDAP-based \fIsudoers\fR
! 907: is parsed compared to file-based \fIsudoers\fR. See the \*(L"Differences
! 908: between \s-1LDAP\s0 and non-LDAP sudoers\*(R" section for more information.
! 909: .SH "BUGS"
! 910: .IX Header "BUGS"
! 911: If you feel you have found a bug in \fBsudo\fR, please submit a bug report
! 912: at http://www.sudo.ws/sudo/bugs/
! 913: .SH "SUPPORT"
! 914: .IX Header "SUPPORT"
! 915: Limited free support is available via the sudo-users mailing list,
! 916: see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
! 917: search the archives.
! 918: .SH "DISCLAIMER"
! 919: .IX Header "DISCLAIMER"
! 920: \&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
! 921: including, but not limited to, the implied warranties of merchantability
! 922: and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0
! 923: file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
! 924: for complete details.