
1.1     ! misho       1: .\" Copyright (c) 2003-2011
        !             2: .\"    Todd C. Miller <Todd.Miller@courtesan.com>
        !             3: .\" 
        !             4: .\" Permission to use, copy, modify, and distribute this software for any
        !             5: .\" purpose with or without fee is hereby granted, provided that the above
        !             6: .\" copyright notice and this permission notice appear in all copies.
        !             7: .\" 
        !             8: .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
        !             9: .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
        !            10: .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
        !            11: .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
        !            12: .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
        !            13: .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
        !            14: .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
        !            15: .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
        !            16: .\" 
        !            17: .\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14)
        !            18: .\"
        !            19: .\" Standard preamble:
        !            20: .\" ========================================================================
        !            21: .de Sp \" Vertical space (when we can't use .PP)
        !            22: .if t .sp .5v
        !            23: .if n .sp
        !            24: ..
        !            25: .de Vb \" Begin verbatim text
        !            26: .ft CW
        !            27: .nf
        !            28: .ne \\$1
        !            29: ..
        !            30: .de Ve \" End verbatim text
        !            31: .ft R
        !            32: .fi
        !            33: ..
        !            34: .\" Set up some character translations and predefined strings.  \*(-- will
        !            35: .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
        !            36: .\" double quote, and \*(R" will give a right double quote.  \*(C+ will
        !            37: .\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
        !            38: .\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
        !            39: .\" nothing in troff, for use with C<>.
        !            40: .tr \(*W-
        !            41: .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
        !            42: .ie n \{\
        !            43: .    ds -- \(*W-
        !            44: .    ds PI pi
        !            45: .    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
        !            46: .    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
        !            47: .    ds L" ""
        !            48: .    ds R" ""
        !            49: .    ds C` 
        !            50: .    ds C' 
        !            51: 'br\}
        !            52: .el\{\
        !            53: .    ds -- \|\(em\|
        !            54: .    ds PI \(*p
        !            55: .    ds L" ``
        !            56: .    ds R" ''
        !            57: 'br\}
        !            58: .\"
        !            59: .\" Escape single quotes in literal strings from groff's Unicode transform.
        !            60: .ie \n(.g .ds Aq \(aq
        !            61: .el       .ds Aq '
        !            62: .\"
        !            63: .\" If the F register is turned on, we'll generate index entries on stderr for
        !            64: .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
        !            65: .\" entries marked with X<> in POD.  Of course, you'll have to process the
        !            66: .\" output yourself in some meaningful fashion.
        !            67: .ie \nF \{\
        !            68: .    de IX
        !            69: .    tm Index:\\$1\t\\n%\t"\\$2"
        !            70: ..
        !            71: .    nr % 0
        !            72: .    rr F
        !            73: .\}
        !            74: .el \{\
        !            75: .    de IX
        !            76: ..
        !            77: .\}
        !            78: .\"
        !            79: .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
        !            80: .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
        !            81: .    \" fudge factors for nroff and troff
        !            82: .if n \{\
        !            83: .    ds #H 0
        !            84: .    ds #V .8m
        !            85: .    ds #F .3m
        !            86: .    ds #[ \f1
        !            87: .    ds #] \fP
        !            88: .\}
        !            89: .if t \{\
        !            90: .    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
        !            91: .    ds #V .6m
        !            92: .    ds #F 0
        !            93: .    ds #[ \&
        !            94: .    ds #] \&
        !            95: .\}
        !            96: .    \" simple accents for nroff and troff
        !            97: .if n \{\
        !            98: .    ds ' \&
        !            99: .    ds ` \&
        !           100: .    ds ^ \&
        !           101: .    ds , \&
        !           102: .    ds ~ ~
        !           103: .    ds /
        !           104: .\}
        !           105: .if t \{\
        !           106: .    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
        !           107: .    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
        !           108: .    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
        !           109: .    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
        !           110: .    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
        !           111: .    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
        !           112: .\}
        !           113: .    \" troff and (daisy-wheel) nroff accents
        !           114: .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
        !           115: .ds 8 \h'\*(#H'\(*b\h'-\*(#H'
        !           116: .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
        !           117: .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
        !           118: .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
        !           119: .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
        !           120: .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
        !           121: .ds ae a\h'-(\w'a'u*4/10)'e
        !           122: .ds Ae A\h'-(\w'A'u*4/10)'E
        !           123: .    \" corrections for vroff
        !           124: .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
        !           125: .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
        !           126: .    \" for low resolution devices (crt and lpr)
        !           127: .if \n(.H>23 .if \n(.V>19 \
        !           128: \{\
        !           129: .    ds : e
        !           130: .    ds 8 ss
        !           131: .    ds o a
        !           132: .    ds d- d\h'-1'\(ga
        !           133: .    ds D- D\h'-1'\(hy
        !           134: .    ds th \o'bp'
        !           135: .    ds Th \o'LP'
        !           136: .    ds ae ae
        !           137: .    ds Ae AE
        !           138: .\}
        !           139: .rm #[ #] #H #V #F C
        !           140: .\" ========================================================================
        !           141: .\"
        !           142: .IX Title "SUDOERS.LDAP @mansectform@"
        !           143: .TH SUDOERS.LDAP @mansectform@ "September 16, 2011" "1.8.3" "MAINTENANCE COMMANDS"
        !           144: .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
        !           145: .\" way too many mistakes in technical documents.
        !           146: .if n .ad l
        !           147: .nh
        !           148: .SH "NAME"
        !           149: sudoers.ldap \- sudo LDAP configuration
        !           150: .SH "DESCRIPTION"
        !           151: .IX Header "DESCRIPTION"
        !           152: In addition to the standard \fIsudoers\fR file, \fBsudo\fR may be configured
        !           153: via \s-1LDAP\s0.  This can be especially useful for synchronizing \fIsudoers\fR
        !           154: in a large, distributed environment.
        !           155: .PP
        !           156: Using \s-1LDAP\s0 for \fIsudoers\fR has several benefits:
        !           157: .IP "\(bu" 4
        !           158: \&\fBsudo\fR no longer needs to read \fIsudoers\fR in its entirety.  When
        !           159: \&\s-1LDAP\s0 is used, there are only two or three \s-1LDAP\s0 queries per invocation.
        !           160: This makes it especially fast and particularly usable in \s-1LDAP\s0
        !           161: environments.
        !           162: .IP "\(bu" 4
        !           163: \&\fBsudo\fR no longer exits if there is a typo in \fIsudoers\fR.
        !           164: It is not possible to load \s-1LDAP\s0 data into the server that does
        !           165: not conform to the sudoers schema, so proper syntax is guaranteed.
        !           166: It is still possible to have typos in a user or host name, but
        !           167: this will not prevent \fBsudo\fR from running.
        !           168: .IP "\(bu" 4
        !           169: It is possible to specify per-entry options that override the global
        !           170: default options.  \fI@sysconfdir@/sudoers\fR only supports default options and
        !           171: limited options associated with user/host/commands/aliases.  The
        !           172: syntax is complicated and can be difficult for users to understand.
        !           173: Placing the options directly in the entry is more natural.
        !           174: .IP "\(bu" 4
        !           175: The \fBvisudo\fR program is no longer needed.  \fBvisudo\fR provides
        !           176: locking and syntax checking of the \fI@sysconfdir@/sudoers\fR file.
        !           177: Since \s-1LDAP\s0 updates are atomic, locking is no longer necessary.
        !           178: Because syntax is checked when the data is inserted into \s-1LDAP\s0, there
        !           179: is no need for a specialized tool to check syntax.
        !           180: .PP
        !           181: Another major difference between \s-1LDAP\s0 and file-based \fIsudoers\fR
        !           182: is that in \s-1LDAP\s0, \fBsudo\fR\-specific Aliases are not supported.
        !           183: .PP
        !           184: For the most part, there is really no need for \fBsudo\fR\-specific
        !           185: Aliases.  Unix groups or user netgroups can be used in place of
        !           186: User_Aliases and Runas_Aliases.  Host netgroups can be used in place
        !           187: of Host_Aliases.  Since Unix groups and netgroups can also be stored
        !           188: in \s-1LDAP\s0 there is no real need for \fBsudo\fR\-specific aliases.
        !           189: .PP
        !           190: Cmnd_Aliases are not really required either since it is possible
        !           191: to have multiple users listed in a \f(CW\*(C`sudoRole\*(C'\fR.  Instead of defining
        !           192: a Cmnd_Alias that is referenced by multiple users, one can create
        !           193: a \f(CW\*(C`sudoRole\*(C'\fR that contains the commands and assign multiple users
        !           194: to it.
        !           195: .SS "SUDOers \s-1LDAP\s0 container"
        !           196: .IX Subsection "SUDOers LDAP container"
        !           197: The \fIsudoers\fR configuration is contained in the \f(CW\*(C`ou=SUDOers\*(C'\fR \s-1LDAP\s0
        !           198: container.
        !           199: .PP
        !           200: Sudo first looks for the \f(CW\*(C`cn=defaults\*(C'\fR entry in the SUDOers container.
        !           201: If found, the multi-valued \f(CW\*(C`sudoOption\*(C'\fR attribute is parsed in the
        !           202: same manner as a global \f(CW\*(C`Defaults\*(C'\fR line in \fI@sysconfdir@/sudoers\fR.  In
        !           203: the following example, the \f(CW\*(C`SSH_AUTH_SOCK\*(C'\fR variable will be preserved
        !           204: in the environment for all users.
        !           205: .PP
        !           206: .Vb 6
        !           207: \&    dn: cn=defaults,ou=SUDOers,dc=example,dc=com
        !           208: \&    objectClass: top
        !           209: \&    objectClass: sudoRole
        !           210: \&    cn: defaults
        !           211: \&    description: Default sudoOption\*(Aqs go here
        !           212: \&    sudoOption: env_keep+=SSH_AUTH_SOCK
        !           213: .Ve
        !           214: .PP
        !           215: The equivalent of a sudoer in \s-1LDAP\s0 is a \f(CW\*(C`sudoRole\*(C'\fR.  It consists of
        !           216: the following attributes:
        !           217: .IP "\fBsudoUser\fR" 4
        !           218: .IX Item "sudoUser"
        !           219: A user name, uid (prefixed with \f(CW\*(Aq#\*(Aq\fR), Unix group (prefixed with
        !           220: a \f(CW\*(Aq%\*(Aq\fR) or user netgroup (prefixed with a \f(CW\*(Aq+\*(Aq\fR).
        !           221: .IP "\fBsudoHost\fR" 4
        !           222: .IX Item "sudoHost"
        !           223: A host name, \s-1IP\s0 address, \s-1IP\s0 network, or host netgroup (prefixed
        !           224: with a \f(CW\*(Aq+\*(Aq\fR).
        !           225: The special value \f(CW\*(C`ALL\*(C'\fR will match any host.
        !           226: .IP "\fBsudoCommand\fR" 4
        !           227: .IX Item "sudoCommand"
        !           228: A Unix command with optional command line arguments, potentially
        !           229: including globbing characters (aka wild cards).
        !           230: The special value \f(CW\*(C`ALL\*(C'\fR will match any command.
        !           231: If a command is prefixed with an exclamation point \f(CW\*(Aq!\*(Aq\fR, the
        !           232: user will be prohibited from running that command.
        !           233: .IP "\fBsudoOption\fR" 4
        !           234: .IX Item "sudoOption"
        !           235: Identical in function to the global options described above, but
        !           236: specific to the \f(CW\*(C`sudoRole\*(C'\fR in which it resides.
        !           237: .IP "\fBsudoRunAsUser\fR" 4
        !           238: .IX Item "sudoRunAsUser"
        !           239: A user name or uid (prefixed with \f(CW\*(Aq#\*(Aq\fR) that commands may be run
        !           240: as or a Unix group (prefixed with a \f(CW\*(Aq%\*(Aq\fR) or user netgroup (prefixed
        !           241: with a \f(CW\*(Aq+\*(Aq\fR) that contains a list of users that commands may be
        !           242: run as.
        !           243: The special value \f(CW\*(C`ALL\*(C'\fR will match any user.
        !           244: .Sp
        !           245: The \f(CW\*(C`sudoRunAsUser\*(C'\fR attribute is only available in \fBsudo\fR versions
        !           246: 1.7.0 and higher.  Older versions of \fBsudo\fR use the \f(CW\*(C`sudoRunAs\*(C'\fR
        !           247: attribute instead.
        !           248: .IP "\fBsudoRunAsGroup\fR" 4
        !           249: .IX Item "sudoRunAsGroup"
        !           250: A Unix group or gid (prefixed with \f(CW\*(Aq#\*(Aq\fR) that commands may be run as.
        !           251: The special value \f(CW\*(C`ALL\*(C'\fR will match any group.
        !           252: .Sp
        !           253: The \f(CW\*(C`sudoRunAsGroup\*(C'\fR attribute is only available in \fBsudo\fR versions
        !           254: 1.7.0 and higher.
        !           255: .IP "\fBsudoNotBefore\fR" 4
        !           256: .IX Item "sudoNotBefore"
        !           257: A timestamp in the form \f(CW\*(C`yyyymmddHHMMSSZ\*(C'\fR that can be used to provide
        !           258: a start date/time for when the \f(CW\*(C`sudoRole\*(C'\fR will be valid.  If
        !           259: multiple \f(CW\*(C`sudoNotBefore\*(C'\fR entries are present, the earliest is used.
        !           260: Note that timestamps must be in Coordinated Universal Time (\s-1UTC\s0),
        !           261: not the local timezone.  The minute and seconds portions are optional,
        !           262: but some \s-1LDAP\s0 servers require that they be present (contrary to the \s-1RFC\s0).
        !           263: .Sp
        !           264: The \f(CW\*(C`sudoNotBefore\*(C'\fR attribute is only available in \fBsudo\fR versions
        !           265: 1.7.5 and higher and must be explicitly enabled via the \fB\s-1SUDOERS_TIMED\s0\fR
        !           266: option in \fI@ldap_conf@\fR.
        !           267: .IP "\fBsudoNotAfter\fR" 4
        !           268: .IX Item "sudoNotAfter"
        !           269: A timestamp in the form \f(CW\*(C`yyyymmddHHMMSSZ\*(C'\fR that indicates an expiration
        !           270: date/time, after which the \f(CW\*(C`sudoRole\*(C'\fR will no longer be valid.  If
        !           271: multiple \f(CW\*(C`sudoNotAfter\*(C'\fR entries are present, the last one is used.
        !           272: Note that timestamps must be in Coordinated Universal Time (\s-1UTC\s0),
        !           273: not the local timezone.  The minute and seconds portions are optional,
        !           274: but some \s-1LDAP\s0 servers require that they be present (contrary to the \s-1RFC\s0).
        !           275: .Sp
        !           276: The \f(CW\*(C`sudoNotAfter\*(C'\fR attribute is only available in \fBsudo\fR versions
        !           277: 1.7.5 and higher and must be explicitly enabled via the \fB\s-1SUDOERS_TIMED\s0\fR
        !           278: option in \fI@ldap_conf@\fR.
        !           279: .IP "\fBsudoOrder\fR" 4
        !           280: .IX Item "sudoOrder"
        !           281: The \f(CW\*(C`sudoRole\*(C'\fR entries retrieved from the \s-1LDAP\s0 directory have no
        !           282: inherent order.  The \f(CW\*(C`sudoOrder\*(C'\fR attribute is an integer (or
        !           283: floating point value for \s-1LDAP\s0 servers that support it) that is used
        !           284: to sort the matching entries.  This allows LDAP-based sudoers entries
        !           285: to more closely mimic the behaviour of the sudoers file, where the
        !           286: order of the entries influences the result.  If multiple entries match,
        !           287: the entry with the highest \f(CW\*(C`sudoOrder\*(C'\fR attribute is chosen.  This
        !           288: corresponds to the \*(L"last match\*(R" behavior of the sudoers file.  If
        !           289: the \f(CW\*(C`sudoOrder\*(C'\fR attribute is not present, a value of 0 is assumed.
        !           290: .Sp
        !           291: The \f(CW\*(C`sudoOrder\*(C'\fR attribute is only available in \fBsudo\fR versions
        !           292: 1.7.5 and higher.
        !           293: .PP
        !           294: Each attribute listed above should contain a single value, but there
        !           295: may be multiple instances of each attribute type.  A \f(CW\*(C`sudoRole\*(C'\fR must
        !           296: contain at least one \f(CW\*(C`sudoUser\*(C'\fR, \f(CW\*(C`sudoHost\*(C'\fR and \f(CW\*(C`sudoCommand\*(C'\fR.
        !           297: .PP
        !           298: The following example allows users in group wheel to run any command
        !           299: on any host via \fBsudo\fR:
        !           300: .PP
        !           301: .Vb 7
        !           302: \&    dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
        !           303: \&    objectClass: top
        !           304: \&    objectClass: sudoRole
        !           305: \&    cn: %wheel
        !           306: \&    sudoUser: %wheel
        !           307: \&    sudoHost: ALL
        !           308: \&    sudoCommand: ALL
        !           309: .Ve
        !           310: .SS "Anatomy of \s-1LDAP\s0 sudoers lookup"
        !           311: .IX Subsection "Anatomy of LDAP sudoers lookup"
        !           312: When looking up a sudoer using \s-1LDAP\s0 there are only two or three
        !           313: \&\s-1LDAP\s0 queries per invocation.  The first query is to parse the global
        !           314: options.  The second is to match against the user's name and the
        !           315: groups that the user belongs to.  (The special \s-1ALL\s0 tag is matched
        !           316: in this query too.)  If no match is returned for the user's name
        !           317: and groups, a third query returns all entries containing user
        !           318: netgroups and checks to see if the user belongs to any of them.
        !           319: .PP
        !           320: If timed entries are enabled with the \fB\s-1SUDOERS_TIMED\s0\fR configuration
        !           321: directive, the \s-1LDAP\s0 queries include a subfilter that limits retrieval
        !           322: to entries that satisfy the time constraints, if any.
        !           323: .SS "Differences between \s-1LDAP\s0 and non-LDAP sudoers"
        !           324: .IX Subsection "Differences between LDAP and non-LDAP sudoers"
        !           325: There are some subtle differences in the way sudoers is handled
        !           326: once in \s-1LDAP\s0.  Probably the biggest is that according to the \s-1RFC\s0,
        !           327: \&\s-1LDAP\s0 ordering is arbitrary and you cannot expect that Attributes
        !           328: and Entries are returned in any specific order.
        !           329: .PP
        !           330: The order in which different entries are applied can be controlled
        !           331: using the \f(CW\*(C`sudoOrder\*(C'\fR attribute, but there is no way to guarantee
        !           332: the order of attributes within a specific entry.  If there are
        !           333: conflicting command rules in an entry, the negative takes precedence.
        !           334: This is called paranoid behavior (not necessarily the most specific
        !           335: match).
        !           336: .PP
        !           337: Here is an example:
        !           338: .PP
        !           339: .Vb 5
        !           340: \&    # /etc/sudoers:
        !           341: \&    # Allow all commands except shell
        !           342: \&    johnny  ALL=(root) ALL,!/bin/sh
        !           343: \&    # Always allows all commands because ALL is matched last
        !           344: \&    puddles ALL=(root) !/bin/sh,ALL
        !           345: \&
        !           346: \&    # LDAP equivalent of johnny
        !           347: \&    # Allows all commands except shell
        !           348: \&    dn: cn=role1,ou=Sudoers,dc=my\-domain,dc=com
        !           349: \&    objectClass: sudoRole
        !           350: \&    objectClass: top
        !           351: \&    cn: role1
        !           352: \&    sudoUser: johnny
        !           353: \&    sudoHost: ALL
        !           354: \&    sudoCommand: ALL
        !           355: \&    sudoCommand: !/bin/sh
        !           356: \&
        !           357: \&    # LDAP equivalent of puddles
        !           358: \&    # Notice that even though ALL comes last, it still behaves like
        !           359: \&    # role1 since the LDAP code assumes the more paranoid configuration
        !           360: \&    dn: cn=role2,ou=Sudoers,dc=my\-domain,dc=com
        !           361: \&    objectClass: sudoRole
        !           362: \&    objectClass: top
        !           363: \&    cn: role2
        !           364: \&    sudoUser: puddles
        !           365: \&    sudoHost: ALL
        !           366: \&    sudoCommand: !/bin/sh
        !           367: \&    sudoCommand: ALL
        !           368: .Ve
        !           369: .PP
        !           370: Another difference is that negations on the Host, User or Runas are
        !           371: currently ignored.  For example, the following attributes do not
        !           372: behave the way one might expect.
        !           373: .PP
        !           374: .Vb 3
        !           375: \&    # does not match all but joe
        !           376: \&    # rather, does not match anyone
        !           377: \&    sudoUser: !joe
        !           378: \&
        !           379: \&    # does not match all but joe
        !           380: \&    # rather, matches everyone including Joe
        !           381: \&    sudoUser: ALL
        !           382: \&    sudoUser: !joe
        !           383: \&
        !           384: \&    # does not match all but web01
        !           385: \&    # rather, matches all hosts including web01
        !           386: \&    sudoHost: ALL
        !           387: \&    sudoHost: !web01
        !           388: .Ve
        !           389: .SS "Sudoers Schema"
        !           390: .IX Subsection "Sudoers Schema"
        !           391: In order to use \fBsudo\fR's \s-1LDAP\s0 support, the \fBsudo\fR schema must be
        !           392: installed on your \s-1LDAP\s0 server.  In addition, be sure to index the
        !           393: \&'sudoUser' attribute.
        !           394: .PP
        !           395: Three versions of the schema: one for OpenLDAP servers (\fIschema.OpenLDAP\fR),
        !           396: one for Netscape-derived servers (\fIschema.iPlanet\fR), and one for
        !           397: Microsoft Active Directory (\fIschema.ActiveDirectory\fR) may
        !           398: be found in the \fBsudo\fR distribution.
        !           399: .PP
        !           400: The schema for \fBsudo\fR in OpenLDAP form is included in the \s-1EXAMPLES\s0
        !           401: section.
        !           402: .SS "Configuring ldap.conf"
        !           403: .IX Subsection "Configuring ldap.conf"
        !           404: Sudo reads the \fI@ldap_conf@\fR file for LDAP-specific configuration.
        !           405: Typically, this file is shared amongst different LDAP-aware clients.
        !           406: As such, most of the settings are not \fBsudo\fR\-specific.  Note that
        !           407: \&\fBsudo\fR parses \fI@ldap_conf@\fR itself and may support options
        !           408: that differ from those described in the \fIldap.conf\fR\|(@mansectform@) manual.
        !           409: .PP
        !           410: Also note that on systems using the OpenLDAP libraries, default
        !           411: values specified in \fI/etc/openldap/ldap.conf\fR or the user's
        !           412: \&\fI.ldaprc\fR files are not used.
        !           413: .PP
        !           414: Only those options explicitly listed in \fI@ldap_conf@\fR as being
        !           415: supported by \fBsudo\fR are honored.  Configuration options are listed
        !           416: below in upper case but are parsed in a case-independent manner.
        !           417: .IP "\fB\s-1URI\s0\fR ldap[s]://[hostname[:port]] ..." 4
        !           418: .IX Item "URI ldap[s]://[hostname[:port]] ..."
        !           419: Specifies a whitespace-delimited list of one or more URIs describing
        !           420: the \s-1LDAP\s0 server(s) to connect to.  The \fIprotocol\fR may be either
        !           421: \&\fBldap\fR or \fBldaps\fR, the latter being for servers that support \s-1TLS\s0
        !           422: (\s-1SSL\s0) encryption.  If no \fIport\fR is specified, the default is port
        !           423: 389 for \f(CW\*(C`ldap://\*(C'\fR or port 636 for \f(CW\*(C`ldaps://\*(C'\fR.  If no \fIhostname\fR
        !           424: is specified, \fBsudo\fR will connect to \fBlocalhost\fR.  Multiple \fB\s-1URI\s0\fR
        !           425: lines are treated identically to a \fB\s-1URI\s0\fR line containing multiple
        !           426: entries.  Only systems using the OpenSSL libraries support the
        !           427: mixing of \f(CW\*(C`ldap://\*(C'\fR and \f(CW\*(C`ldaps://\*(C'\fR URIs.  The Netscape-derived
        !           428: libraries used on most commercial versions of Unix are only capable
        !           429: of supporting one or the other.
        !           430: .IP "\fB\s-1HOST\s0\fR name[:port] ..." 4
        !           431: .IX Item "HOST name[:port] ..."
        !           432: If no \fB\s-1URI\s0\fR is specified, the \fB\s-1HOST\s0\fR parameter specifies a
        !           433: whitespace-delimited list of \s-1LDAP\s0 servers to connect to.  Each host
        !           434: may include an optional \fIport\fR separated by a colon (':').  The
        !           435: \&\fB\s-1HOST\s0\fR parameter is deprecated in favor of the \fB\s-1URI\s0\fR specification
        !           436: and is included for backwards compatibility.
        !           437: .IP "\fB\s-1PORT\s0\fR port_number" 4
        !           438: .IX Item "PORT port_number"
        !           439: If no \fB\s-1URI\s0\fR is specified, the \fB\s-1PORT\s0\fR parameter specifies the
        !           440: default port to connect to on the \s-1LDAP\s0 server if a \fB\s-1HOST\s0\fR parameter
        !           441: does not specify the port itself.  If no \fB\s-1PORT\s0\fR parameter is used,
        !           442: the default is port 389 for \s-1LDAP\s0 and port 636 for \s-1LDAP\s0 over \s-1TLS\s0
        !           443: (\s-1SSL\s0).  The \fB\s-1PORT\s0\fR parameter is deprecated in favor of the \fB\s-1URI\s0\fR
        !           444: specification and is included for backwards compatibility.
        !           445: .IP "\fB\s-1BIND_TIMELIMIT\s0\fR seconds" 4
        !           446: .IX Item "BIND_TIMELIMIT seconds"
        !           447: The \fB\s-1BIND_TIMELIMIT\s0\fR parameter specifies the amount of time, in seconds,
        !           448: to wait while trying to connect to an \s-1LDAP\s0 server.  If multiple \fB\s-1URI\s0\fRs or
        !           449: \&\fB\s-1HOST\s0\fRs are specified, this is the amount of time to wait before trying
        !           450: the next one in the list.
        !           451: .IP "\fB\s-1NETWORK_TIMEOUT\s0\fR seconds" 4
        !           452: .IX Item "NETWORK_TIMEOUT seconds"
        !           453: An alias for \fB\s-1BIND_TIMELIMIT\s0\fR for OpenLDAP compatibility.
        !           454: .IP "\fB\s-1TIMELIMIT\s0\fR seconds" 4
        !           455: .IX Item "TIMELIMIT seconds"
        !           456: The \fB\s-1TIMELIMIT\s0\fR parameter specifies the amount of time, in seconds,
        !           457: to wait for a response to an \s-1LDAP\s0 query.
        !           458: .IP "\fB\s-1TIMEOUT\s0\fR seconds" 4
        !           459: .IX Item "TIMEOUT seconds"
        !           460: The \fB\s-1TIMEOUT\s0\fR parameter specifies the amount of time, in seconds,
        !           461: to wait for a response from the various \s-1LDAP\s0 APIs.
        !           462: .IP "\fB\s-1SUDOERS_BASE\s0\fR base" 4
        !           463: .IX Item "SUDOERS_BASE base"
        !           464: The base \s-1DN\s0 to use when performing \fBsudo\fR \s-1LDAP\s0 queries.  Typically
        !           465: this is of the form \f(CW\*(C`ou=SUDOers,dc=example,dc=com\*(C'\fR for the domain
        !           466: \&\f(CW\*(C`example.com\*(C'\fR.  Multiple \fB\s-1SUDOERS_BASE\s0\fR lines may be specified,
        !           467: in which case they are queried in the order specified.
        !           468: .IP "\fB\s-1SUDOERS_SEARCH_FILTER\s0\fR ldap_filter" 4
        !           469: .IX Item "SUDOERS_SEARCH_FILTER ldap_filter"
        !           470: An \s-1LDAP\s0 filter which is used to restrict the set of records returned
        !           471: when performing a \fBsudo\fR \s-1LDAP\s0 query.  Typically, this is of the
        !           472: form \f(CW\*(C`attribute=value\*(C'\fR or \f(CW\*(C`(&(attribute=value)(attribute2=value2))\*(C'\fR.
        !           473: .IP "\fB\s-1SUDOERS_TIMED\s0\fR on/true/yes/off/false/no" 4
        !           474: .IX Item "SUDOERS_TIMED on/true/yes/off/false/no"
        !           475: Whether or not to evaluate the \f(CW\*(C`sudoNotBefore\*(C'\fR and \f(CW\*(C`sudoNotAfter\*(C'\fR
        !           476: attributes that implement time-dependent sudoers entries.
        !           477: .IP "\fB\s-1SUDOERS_DEBUG\s0\fR debug_level" 4
        !           478: .IX Item "SUDOERS_DEBUG debug_level"
        !           479: This sets the debug level for \fBsudo\fR \s-1LDAP\s0 queries.  Debugging
        !           480: information is printed to the standard error.  A value of 1 results
        !           481: in a moderate amount of debugging information.  A value of 2 shows
        !           482: the results of the matches themselves.  This parameter should not
        !           483: be set in a production environment as the extra information is
        !           484: likely to confuse users.
        !           485: .IP "\fB\s-1BINDDN\s0\fR \s-1DN\s0" 4
        !           486: .IX Item "BINDDN DN"
        !           487: The \fB\s-1BINDDN\s0\fR parameter specifies the identity, in the form of a
        !           488: Distinguished Name (\s-1DN\s0), to use when performing \s-1LDAP\s0 operations.
        !           489: If not specified, \s-1LDAP\s0 operations are performed with an anonymous
        !           490: identity.  By default, most \s-1LDAP\s0 servers will allow anonymous access.
        !           491: .IP "\fB\s-1BINDPW\s0\fR secret" 4
        !           492: .IX Item "BINDPW secret"
        !           493: The \fB\s-1BINDPW\s0\fR parameter specifies the password to use when performing
        !           494: \&\s-1LDAP\s0 operations.  This is typically used in conjunction with the
        !           495: \&\fB\s-1BINDDN\s0\fR parameter.
        !           496: .IP "\fB\s-1ROOTBINDDN\s0\fR \s-1DN\s0" 4
        !           497: .IX Item "ROOTBINDDN DN"
        !           498: The \fB\s-1ROOTBINDDN\s0\fR parameter specifies the identity, in the form of
        !           499: a Distinguished Name (\s-1DN\s0), to use when performing privileged \s-1LDAP\s0
        !           500: operations, such as \fIsudoers\fR queries.  The password corresponding
        !           501: to the identity should be stored in \fI@ldap_secret@\fR.
        !           502: If not specified, the \fB\s-1BINDDN\s0\fR identity is used (if any).
        !           503: .IP "\fB\s-1LDAP_VERSION\s0\fR number" 4
        !           504: .IX Item "LDAP_VERSION number"
        !           505: The version of the \s-1LDAP\s0 protocol to use when connecting to the server.
        !           506: The default value is protocol version 3.
        !           507: .IP "\fB\s-1SSL\s0\fR on/true/yes/off/false/no" 4
        !           508: .IX Item "SSL on/true/yes/off/false/no"
        !           509: If the \fB\s-1SSL\s0\fR parameter is set to \f(CW\*(C`on\*(C'\fR, \f(CW\*(C`true\*(C'\fR or \f(CW\*(C`yes\*(C'\fR, \s-1TLS\s0
        !           510: (\s-1SSL\s0) encryption is always used when communicating with the \s-1LDAP\s0
        !           511: server.  Typically, this involves connecting to the server on port
        !           512: 636 (ldaps).
        !           513: .IP "\fB\s-1SSL\s0\fR start_tls" 4
        !           514: .IX Item "SSL start_tls"
        !           515: If the \fB\s-1SSL\s0\fR parameter is set to \f(CW\*(C`start_tls\*(C'\fR, the \s-1LDAP\s0 server
        !           516: connection is initiated normally and \s-1TLS\s0 encryption is begun before
        !           517: the bind credentials are sent.  This has the advantage of not
        !           518: requiring a dedicated port for encrypted communications.  This
        !           519: parameter is only supported by \s-1LDAP\s0 servers that honor the \f(CW\*(C`start_tls\*(C'\fR
        !           520: extension, such as the OpenLDAP server.
        !           521: .IP "\fB\s-1TLS_CHECKPEER\s0\fR on/true/yes/off/false/no" 4
        !           522: .IX Item "TLS_CHECKPEER on/true/yes/off/false/no"
        !           523: If enabled, \fB\s-1TLS_CHECKPEER\s0\fR will cause the \s-1LDAP\s0 server's \s-1TLS\s0
        !           524: certificate to be verified.  If the server's \s-1TLS\s0 certificate cannot
        !           525: be verified (usually because it is signed by an unknown certificate
        !           526: authority), \fBsudo\fR will be unable to connect to it.  If \fB\s-1TLS_CHECKPEER\s0\fR
        !           527: is disabled, no check is made.  Note that disabling the check creates
        !           528: an opportunity for man-in-the-middle attacks since the server's
        !           529: identity will not be authenticated.  If possible, the \s-1CA\s0's certificate
        !           530: should be installed locally so that the server's certificate can be verified.
        !           531: .IP "\fB\s-1TLS_CACERT\s0\fR file name" 4
        !           532: .IX Item "TLS_CACERT file name"
        !           533: An alias for \fB\s-1TLS_CACERTFILE\s0\fR for OpenLDAP compatibility.
        !           534: .IP "\fB\s-1TLS_CACERTFILE\s0\fR file name" 4
        !           535: .IX Item "TLS_CACERTFILE file name"
        !           536: The path to a certificate authority bundle which contains the certificates
        !           537: for all the Certificate Authorities the client knows to be valid,
        !           538: e.g. \fI/etc/ssl/ca\-bundle.pem\fR.
        !           539: This option is only supported by the OpenLDAP libraries.
        !           540: Netscape-derived \s-1LDAP\s0 libraries use the same certificate
        !           541: database for \s-1CA\s0 and client certificates (see \fB\s-1TLS_CERT\s0\fR).
        !           542: .IP "\fB\s-1TLS_CACERTDIR\s0\fR directory" 4
        !           543: .IX Item "TLS_CACERTDIR directory"
        !           544: Similar to \fB\s-1TLS_CACERTFILE\s0\fR but instead of a file, it is a
        !           545: directory containing individual Certificate Authority certificates,
        !           546: e.g. \fI/etc/ssl/certs\fR.
        !           547: The directory specified by \fB\s-1TLS_CACERTDIR\s0\fR is checked after
        !           548: \&\fB\s-1TLS_CACERTFILE\s0\fR.
        !           549: This option is only supported by the OpenLDAP libraries.
        !           550: .IP "\fB\s-1TLS_CERT\s0\fR file name" 4
        !           551: .IX Item "TLS_CERT file name"
        !           552: The path to a file containing the client certificate which can
        !           553: be used to authenticate the client to the \s-1LDAP\s0 server.
        !           554: The certificate type depends on the \s-1LDAP\s0 libraries used.
        !           555: .Sp
        !           556: OpenLDAP:
        !           557:     \f(CW\*(C`tls_cert /etc/ssl/client_cert.pem\*(C'\fR
        !           558: .Sp
        !           559: Netscape-derived:
        !           560:     \f(CW\*(C`tls_cert /var/ldap/cert7.db\*(C'\fR
        !           561: .Sp
        !           562: When using Netscape-derived libraries, this file may also contain
        !           563: Certificate Authority certificates.
        !           564: .IP "\fB\s-1TLS_KEY\s0\fR file name" 4
        !           565: .IX Item "TLS_KEY file name"
        !           566: The path to a file containing the private key which matches the
        !           567: certificate specified by \fB\s-1TLS_CERT\s0\fR.  The private key must not be
        !           568: password-protected.  The key type depends on the \s-1LDAP\s0 libraries
        !           569: used.
        !           570: .Sp
        !           571: OpenLDAP:
        !           572:     \f(CW\*(C`tls_key /etc/ssl/client_key.pem\*(C'\fR
        !           573: .Sp
        !           574: Netscape-derived:
        !           575:     \f(CW\*(C`tls_key /var/ldap/key3.db\*(C'\fR
        !           576: .IP "\fB\s-1TLS_RANDFILE\s0\fR file name" 4
        !           577: .IX Item "TLS_RANDFILE file name"
        !           578: The \fB\s-1TLS_RANDFILE\s0\fR parameter specifies the path to an entropy
        !           579: source for systems that lack a random device.  It is generally used
        !           580: in conjunction with \fIprngd\fR or \fIegd\fR.
        !           581: This option is only supported by the OpenLDAP libraries.
        !           582: .IP "\fB\s-1TLS_CIPHERS\s0\fR cipher list" 4
        !           583: .IX Item "TLS_CIPHERS cipher list"
        !           584: The \fB\s-1TLS_CIPHERS\s0\fR parameter allows the administrator to restrict
        !           585: which encryption algorithms may be used for \s-1TLS\s0 (\s-1SSL\s0) connections.
        !           586: See the OpenSSL manual for a list of valid ciphers.
        !           587: This option is only supported by the OpenLDAP libraries.
        !           588: .IP "\fB\s-1USE_SASL\s0\fR on/true/yes/off/false/no" 4
        !           589: .IX Item "USE_SASL on/true/yes/off/false/no"
        !           590: Enable \fB\s-1USE_SASL\s0\fR for \s-1LDAP\s0 servers that support \s-1SASL\s0 authentication.
        !           591: .IP "\fB\s-1SASL_AUTH_ID\s0\fR identity" 4
        !           592: .IX Item "SASL_AUTH_ID identity"
        !           593: The \s-1SASL\s0 user name to use when connecting to the \s-1LDAP\s0 server.
        !           594: By default, \fBsudo\fR will use an anonymous connection.
        !           595: .IP "\fB\s-1ROOTUSE_SASL\s0\fR on/true/yes/off/false/no" 4
        !           596: .IX Item "ROOTUSE_SASL on/true/yes/off/false/no"
        !           597: Set \fB\s-1ROOTUSE_SASL\s0\fR to enable \s-1SASL\s0 authentication when connecting
        !           598: to an \s-1LDAP\s0 server from a privileged process, such as \fBsudo\fR.
        !           599: .IP "\fB\s-1ROOTSASL_AUTH_ID\s0\fR identity" 4
        !           600: .IX Item "ROOTSASL_AUTH_ID identity"
        !           601: The \s-1SASL\s0 user name to use when \fB\s-1ROOTUSE_SASL\s0\fR is enabled.
        !           602: .IP "\fB\s-1SASL_SECPROPS\s0\fR none/properties" 4
        !           603: .IX Item "SASL_SECPROPS none/properties"
        !           604: \&\s-1SASL\s0 security properties or \fInone\fR for no properties.  See the
        !           605: \&\s-1SASL\s0 programmer's manual for details.
        !           606: .IP "\fB\s-1KRB5_CCNAME\s0\fR file name" 4
        !           607: .IX Item "KRB5_CCNAME file name"
        !           608: The path to the Kerberos 5 credential cache to use when authenticating
        !           609: with the remote server.
        !           610: .IP "\fB\s-1DEREF\s0\fR never/searching/finding/always" 4
        !           611: .IX Item "DEREF never/searching/finding/always"
        !           612: How alias dereferencing is to be performed when searching.  See the
        !           613: \&\fIldap.conf\fR\|(@mansectform@) manual for a full description of this option.
        !           614: .PP
        !           615: See the \f(CW\*(C`ldap.conf\*(C'\fR entry in the \s-1EXAMPLES\s0 section.
        !           616: .SS "Configuring nsswitch.conf"
        !           617: .IX Subsection "Configuring nsswitch.conf"
        !           618: Unless it is disabled at build time, \fBsudo\fR consults the Name
        !           619: Service Switch file, \fI@nsswitch_conf@\fR, to specify the \fIsudoers\fR
        !           620: search order.  Sudo looks for a line beginning with \f(CW\*(C`sudoers\*(C'\fR: and
        !           621: uses this to determine the search order.  Note that \fBsudo\fR does
        !           622: not stop searching after the first match and later matches take
        !           623: precedence over earlier ones.
        !           624: .PP
        !           625: The following sources are recognized:
        !           626: .PP
        !           627: .Vb 2
        !           628: \&    files       read sudoers from @sysconfdir@/sudoers
        !           629: \&    ldap        read sudoers from LDAP
        !           630: .Ve
        !           631: .PP
        !           632: In addition, the entry \f(CW\*(C`[NOTFOUND=return]\*(C'\fR will short-circuit the
        !           633: search if the user was not found in the preceding source.
        !           634: .PP
        !           635: To consult \s-1LDAP\s0 first followed by the local sudoers file (if it
        !           636: exists), use:
        !           637: .PP
        !           638: .Vb 1
        !           639: \&    sudoers: ldap files
        !           640: .Ve
        !           641: .PP
        !           642: The local \fIsudoers\fR file can be ignored completely by using:
        !           643: .PP
        !           644: .Vb 1
        !           645: \&    sudoers: ldap
        !           646: .Ve
        !           647: .PP
        !           648: If the \fI@nsswitch_conf@\fR file is not present or there is no
        !           649: sudoers line, the following default is assumed:
        !           650: .PP
        !           651: .Vb 1
        !           652: \&    sudoers: files
        !           653: .Ve
        !           654: .PP
        !           655: Note that \fI@nsswitch_conf@\fR is supported even when the underlying
        !           656: operating system does not use an nsswitch.conf file.
        !           657: .SS "Configuring netsvc.conf"
        !           658: .IX Subsection "Configuring netsvc.conf"
        !           659: On \s-1AIX\s0 systems, the \fI@netsvc_conf@\fR file is consulted instead of
        !           660: \&\fI@nsswitch_conf@\fR.  \fBsudo\fR simply treats \fInetsvc.conf\fR as a
        !           661: variant of \fInsswitch.conf\fR; information in the previous section
        !           662: unrelated to the file format itself still applies.
        !           663: .PP
        !           664: To consult \s-1LDAP\s0 first followed by the local sudoers file (if it
        !           665: exists), use:
        !           666: .PP
        !           667: .Vb 1
        !           668: \&    sudoers = ldap, files
        !           669: .Ve
        !           670: .PP
        !           671: The local \fIsudoers\fR file can be ignored completely by using:
        !           672: .PP
        !           673: .Vb 1
        !           674: \&    sudoers = ldap
        !           675: .Ve
        !           676: .PP
        !           677: To treat \s-1LDAP\s0 as authoritative and only use the local sudoers file
        !           678: if the user is not present in \s-1LDAP\s0, use:
        !           679: .PP
        !           680: .Vb 1
        !           681: \&    sudoers = ldap = auth, files
        !           682: .Ve
        !           683: .PP
        !           684: Note that in the above example, the \f(CW\*(C`auth\*(C'\fR qualifier only affects
        !           685: user lookups; both \s-1LDAP\s0 and \fIsudoers\fR will be queried for \f(CW\*(C`Defaults\*(C'\fR
        !           686: entries.
        !           687: .PP
        !           688: If the \fI@netsvc_conf@\fR file is not present or there is no
        !           689: sudoers line, the following default is assumed:
        !           690: .PP
        !           691: .Vb 1
        !           692: \&    sudoers = files
        !           693: .Ve
        !           694: .SH "FILES"
        !           695: .IX Header "FILES"
        !           696: .ie n .IP "\fI@ldap_conf@\fR" 24
        !           697: .el .IP "\fI@ldap_conf@\fR" 24
        !           698: .IX Item "@ldap_conf@"
        !           699: \&\s-1LDAP\s0 configuration file
        !           700: .ie n .IP "\fI@nsswitch_conf@\fR" 24
        !           701: .el .IP "\fI@nsswitch_conf@\fR" 24
        !           702: .IX Item "@nsswitch_conf@"
        !           703: determines sudoers source order
        !           704: .ie n .IP "\fI@netsvc_conf@\fR" 24
        !           705: .el .IP "\fI@netsvc_conf@\fR" 24
        !           706: .IX Item "@netsvc_conf@"
        !           707: determines sudoers source order on \s-1AIX\s0
        !           708: .SH "EXAMPLES"
        !           709: .IX Header "EXAMPLES"
        !           710: .SS "Example ldap.conf"
        !           711: .IX Subsection "Example ldap.conf"
        !           712: .Vb 10
        !           713: \&  # Either specify one or more URIs or one or more host:port pairs.
        !           714: \&  # If neither is specified sudo will default to localhost, port 389.
        !           715: \&  #
        !           716: \&  #host          ldapserver
        !           717: \&  #host          ldapserver1 ldapserver2:390
        !           718: \&  #
        !           719: \&  # Default port if host is specified without one, defaults to 389.
        !           720: \&  #port          389
        !           721: \&  #
        !           722: \&  # URI will override the host and port settings.
        !           723: \&  uri            ldap://ldapserver
        !           724: \&  #uri            ldaps://secureldapserver
        !           725: \&  #uri            ldaps://secureldapserver ldap://ldapserver
        !           726: \&  #
        !           727: \&  # The amount of time, in seconds, to wait while trying to connect to
        !           728: \&  # an LDAP server.
        !           729: \&  bind_timelimit 30
        !           730: \&  #
        !           731: \&  # The amount of time, in seconds, to wait while performing an LDAP query.
        !           732: \&  timelimit 30
        !           733: \&  #
        !           734: \&  # Must be set or sudo will ignore LDAP; may be specified multiple times.
        !           735: \&  sudoers_base   ou=SUDOers,dc=example,dc=com
        !           736: \&  #
        !           737: \&  # verbose sudoers matching from ldap
        !           738: \&  #sudoers_debug 2
        !           739: \&  #
        !           740: \&  # Enable support for time\-based entries in sudoers.
        !           741: \&  #sudoers_timed yes
        !           742: \&  #
        !           743: \&  # optional proxy credentials
        !           744: \&  #binddn        <who to search as>
        !           745: \&  #bindpw        <password>
        !           746: \&  #rootbinddn    <who to search as, uses /etc/ldap.secret for bindpw>
        !           747: \&  #
        !           748: \&  # LDAP protocol version, defaults to 3
        !           749: \&  #ldap_version 3
        !           750: \&  #
        !           751: \&  # Define if you want to use an encrypted LDAP connection.
        !           752: \&  # Typically, you must also set the port to 636 (ldaps).
        !           753: \&  #ssl on
        !           754: \&  #
        !           755: \&  # Define if you want to use port 389 and switch to
        !           756: \&  # encryption before the bind credentials are sent.
        !           757: \&  # Only supported by LDAP servers that support the start_tls
        !           758: \&  # extension such as OpenLDAP.
        !           759: \&  #ssl start_tls
        !           760: \&  #
        !           761: \&  # Additional TLS options follow that allow tweaking of the
        !           762: \&  # SSL/TLS connection.
        !           763: \&  #
        !           764: \&  #tls_checkpeer yes # verify server SSL certificate
        !           765: \&  #tls_checkpeer no  # ignore server SSL certificate
        !           766: \&  #
        !           767: \&  # If you enable tls_checkpeer, specify either tls_cacertfile
        !           768: \&  # or tls_cacertdir.  Only supported when using OpenLDAP.
        !           769: \&  #
        !           770: \&  #tls_cacertfile /etc/certs/trusted_signers.pem
        !           771: \&  #tls_cacertdir  /etc/certs
        !           772: \&  #
        !           773: \&  # For systems that don\*(Aqt have /dev/random
        !           774: \&  # use this along with PRNGD or EGD.pl to seed the
        !           775: \&  # random number pool to generate cryptographic session keys.
        !           776: \&  # Only supported when using OpenLDAP.
        !           777: \&  #
        !           778: \&  #tls_randfile /etc/egd\-pool
        !           779: \&  #
        !           780: \&  # You may restrict which ciphers are used.  Consult your SSL
        !           781: \&  # documentation for which options go here.
        !           782: \&  # Only supported when using OpenLDAP.
        !           783: \&  #
        !           784: \&  #tls_ciphers <cipher\-list>
        !           785: \&  #
        !           786: \&  # Sudo can provide a client certificate when communicating to
        !           787: \&  # the LDAP server.
        !           788: \&  # Tips:
        !           789: \&  #   * Enable both lines at the same time.
        !           790: \&  #   * Do not password protect the key file.
        !           791: \&  #   * Ensure the keyfile is only readable by root.
        !           792: \&  #
        !           793: \&  # For OpenLDAP:
        !           794: \&  #tls_cert /etc/certs/client_cert.pem
        !           795: \&  #tls_key  /etc/certs/client_key.pem
        !           796: \&  #
        !           797: \&  # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
        !           798: \&  # a directory, in which case the files in the directory must have the
        !           799: \&  # default names (e.g. cert8.db and key4.db), or the path to the cert
        !           800: \&  # and key files themselves.  However, a bug in version 5.0 of the LDAP
        !           801: \&  # SDK will prevent specific file names from working.  For this reason
        !           802: \&  # it is suggested that tls_cert and tls_key be set to a directory,
        !           803: \&  # not a file name.
        !           804: \&  #
        !           805: \&  # The certificate database specified by tls_cert may contain CA certs
        !           806: \&  # and/or the client\*(Aqs cert.  If the client\*(Aqs cert is included, tls_key
        !           807: \&  # should be specified as well.
        !           808: \&  # For backward compatibility, "sslpath" may be used in place of tls_cert.
        !           809: \&  #tls_cert /var/ldap
        !           810: \&  #tls_key /var/ldap
        !           811: \&  #
        !           812: \&  # If using SASL authentication for LDAP (OpenSSL)
        !           813: \&  # use_sasl yes
        !           814: \&  # sasl_auth_id <SASL user name>
        !           815: \&  # rootuse_sasl yes
        !           816: \&  # rootsasl_auth_id <SASL user name for root access>
        !           817: \&  # sasl_secprops none
        !           818: \&  # krb5_ccname /etc/.ldapcache
        !           819: .Ve
        !           820: .SS "Sudo schema for OpenLDAP"
        !           821: .IX Subsection "Sudo schema for OpenLDAP"
        !           822: The following schema, in OpenLDAP format, is included with \fBsudo\fR
        !           823: source and binary distributions as \fIschema.OpenLDAP\fR.  Simply copy
        !           824: it to the schema directory (e.g. \fI/etc/openldap/schema\fR), add the
        !           825: proper \f(CW\*(C`include\*(C'\fR line in \f(CW\*(C`slapd.conf\*(C'\fR and restart \fBslapd\fR.
        !           826: .PP
        !           827: .Vb 6
        !           828: \& attributetype ( 1.3.6.1.4.1.15953.9.1.1
        !           829: \&    NAME \*(AqsudoUser\*(Aq
        !           830: \&    DESC \*(AqUser(s) who may  run sudo\*(Aq
        !           831: \&    EQUALITY caseExactIA5Match
        !           832: \&    SUBSTR caseExactIA5SubstringsMatch
        !           833: \&    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
        !           834: \&
        !           835: \& attributetype ( 1.3.6.1.4.1.15953.9.1.2
        !           836: \&    NAME \*(AqsudoHost\*(Aq
        !           837: \&    DESC \*(AqHost(s) who may run sudo\*(Aq
        !           838: \&    EQUALITY caseExactIA5Match
        !           839: \&    SUBSTR caseExactIA5SubstringsMatch
        !           840: \&    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
        !           841: \&
        !           842: \& attributetype ( 1.3.6.1.4.1.15953.9.1.3
        !           843: \&    NAME \*(AqsudoCommand\*(Aq
        !           844: \&    DESC \*(AqCommand(s) to be executed by sudo\*(Aq
        !           845: \&    EQUALITY caseExactIA5Match
        !           846: \&    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
        !           847: \&
        !           848: \& attributetype ( 1.3.6.1.4.1.15953.9.1.4
        !           849: \&    NAME \*(AqsudoRunAs\*(Aq
        !           850: \&    DESC \*(AqUser(s) impersonated by sudo\*(Aq
        !           851: \&    EQUALITY caseExactIA5Match
        !           852: \&    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
        !           853: \&
        !           854: \& attributetype ( 1.3.6.1.4.1.15953.9.1.5
        !           855: \&    NAME \*(AqsudoOption\*(Aq
        !           856: \&    DESC \*(AqOptions(s) followed by sudo\*(Aq
        !           857: \&    EQUALITY caseExactIA5Match
        !           858: \&    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
        !           859: \&
        !           860: \& attributetype ( 1.3.6.1.4.1.15953.9.1.6
        !           861: \&    NAME \*(AqsudoRunAsUser\*(Aq
        !           862: \&    DESC \*(AqUser(s) impersonated by sudo\*(Aq
        !           863: \&    EQUALITY caseExactIA5Match
        !           864: \&    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
        !           865: \&
        !           866: \& attributetype ( 1.3.6.1.4.1.15953.9.1.7
        !           867: \&    NAME \*(AqsudoRunAsGroup\*(Aq
        !           868: \&    DESC \*(AqGroup(s) impersonated by sudo\*(Aq
        !           869: \&    EQUALITY caseExactIA5Match
        !           870: \&    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
        !           871: \&
        !           872: \& attributetype ( 1.3.6.1.4.1.15953.9.1.8
        !           873: \&    NAME \*(AqsudoNotBefore\*(Aq
        !           874: \&    DESC \*(AqStart of time interval for which the entry is valid\*(Aq
        !           875: \&    EQUALITY generalizedTimeMatch
        !           876: \&    ORDERING generalizedTimeOrderingMatch
        !           877: \&    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
        !           878: \&
        !           879: \& attributetype ( 1.3.6.1.4.1.15953.9.1.9
        !           880: \&    NAME \*(AqsudoNotAfter\*(Aq
        !           881: \&    DESC \*(AqEnd of time interval for which the entry is valid\*(Aq
        !           882: \&    EQUALITY generalizedTimeMatch
        !           883: \&    ORDERING generalizedTimeOrderingMatch
        !           884: \&    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
        !           885: \&
        !           886: \& attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
        !           887: \&     NAME \*(AqsudoOrder\*(Aq
        !           888: \&     DESC \*(Aqan integer to order the sudoRole entries\*(Aq
        !           889: \&     EQUALITY integerMatch
        !           890: \&     ORDERING integerOrderingMatch
        !           891: \&     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
        !           892: \&
        !           893: \& objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME \*(AqsudoRole\*(Aq SUP top STRUCTURAL
        !           894: \&    DESC \*(AqSudoer Entries\*(Aq
        !           895: \&    MUST ( cn )
        !           896: \&    MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
        !           897: \&          sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
        !           898: \&          sudoOrder $ description )
        !           899: \&    )
        !           900: .Ve
        !           901: .SH "SEE ALSO"
        !           902: .IX Header "SEE ALSO"
        !           903: \&\fIldap.conf\fR\|(@mansectform@), \fIsudoers\fR\|(@mansectform@)
        !           904: .SH "CAVEATS"
        !           905: .IX Header "CAVEATS"
        !           906: Note that there are differences in the way that LDAP-based \fIsudoers\fR
        !           907: is parsed compared to file-based \fIsudoers\fR.  See the \*(L"Differences
        !           908: between \s-1LDAP\s0 and non-LDAP sudoers\*(R" section for more information.
        !           909: .SH "BUGS"
        !           910: .IX Header "BUGS"
        !           911: If you feel you have found a bug in \fBsudo\fR, please submit a bug report
        !           912: at http://www.sudo.ws/sudo/bugs/
        !           913: .SH "SUPPORT"
        !           914: .IX Header "SUPPORT"
        !           915: Limited free support is available via the sudo-users mailing list,
        !           916: see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
        !           917: search the archives.
        !           918: .SH "DISCLAIMER"
        !           919: .IX Header "DISCLAIMER"
        !           920: \&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
        !           921: including, but not limited to, the implied warranties of merchantability
        !           922: and fitness for a particular purpose are disclaimed.  See the \s-1LICENSE\s0
        !           923: file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
        !           924: for complete details.
