Annotation of embedaddon/sudo/doc/sudoers.ldap.man.in, revision 1.1.1.2

1.1       misho       1: .\" Copyright (c) 2003-2011
                      2: .\"    Todd C. Miller <Todd.Miller@courtesan.com>
                      3: .\" 
                      4: .\" Permission to use, copy, modify, and distribute this software for any
                      5: .\" purpose with or without fee is hereby granted, provided that the above
                      6: .\" copyright notice and this permission notice appear in all copies.
                      7: .\" 
                      8: .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
                      9: .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
                     10: .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
                     11: .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
                     12: .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
                     13: .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
                     14: .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
                     15: .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
                     16: .\" 
                     17: .\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14)
                     18: .\"
                     19: .\" Standard preamble:
                     20: .\" ========================================================================
                     21: .de Sp \" Vertical space (when we can't use .PP)
                     22: .if t .sp .5v
                     23: .if n .sp
                     24: ..
                     25: .de Vb \" Begin verbatim text
                     26: .ft CW
                     27: .nf
                     28: .ne \\$1
                     29: ..
                     30: .de Ve \" End verbatim text
                     31: .ft R
                     32: .fi
                     33: ..
                     34: .\" Set up some character translations and predefined strings.  \*(-- will
                     35: .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
                     36: .\" double quote, and \*(R" will give a right double quote.  \*(C+ will
                     37: .\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
                     38: .\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
                     39: .\" nothing in troff, for use with C<>.
                     40: .tr \(*W-
                     41: .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
                     42: .ie n \{\
                     43: .    ds -- \(*W-
                     44: .    ds PI pi
                     45: .    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
                     46: .    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
                     47: .    ds L" ""
                     48: .    ds R" ""
                     49: .    ds C` 
                     50: .    ds C' 
                     51: 'br\}
                     52: .el\{\
                     53: .    ds -- \|\(em\|
                     54: .    ds PI \(*p
                     55: .    ds L" ``
                     56: .    ds R" ''
                     57: 'br\}
                     58: .\"
                     59: .\" Escape single quotes in literal strings from groff's Unicode transform.
                     60: .ie \n(.g .ds Aq \(aq
                     61: .el       .ds Aq '
                     62: .\"
                     63: .\" If the F register is turned on, we'll generate index entries on stderr for
                     64: .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
                     65: .\" entries marked with X<> in POD.  Of course, you'll have to process the
                     66: .\" output yourself in some meaningful fashion.
                     67: .ie \nF \{\
                     68: .    de IX
                     69: .    tm Index:\\$1\t\\n%\t"\\$2"
                     70: ..
                     71: .    nr % 0
                     72: .    rr F
                     73: .\}
                     74: .el \{\
                     75: .    de IX
                     76: ..
                     77: .\}
                     78: .\"
                     79: .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
                     80: .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
                     81: .    \" fudge factors for nroff and troff
                     82: .if n \{\
                     83: .    ds #H 0
                     84: .    ds #V .8m
                     85: .    ds #F .3m
                     86: .    ds #[ \f1
                     87: .    ds #] \fP
                     88: .\}
                     89: .if t \{\
                     90: .    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
                     91: .    ds #V .6m
                     92: .    ds #F 0
                     93: .    ds #[ \&
                     94: .    ds #] \&
                     95: .\}
                     96: .    \" simple accents for nroff and troff
                     97: .if n \{\
                     98: .    ds ' \&
                     99: .    ds ` \&
                    100: .    ds ^ \&
                    101: .    ds , \&
                    102: .    ds ~ ~
                    103: .    ds /
                    104: .\}
                    105: .if t \{\
                    106: .    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
                    107: .    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
                    108: .    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
                    109: .    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
                    110: .    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
                    111: .    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
                    112: .\}
                    113: .    \" troff and (daisy-wheel) nroff accents
                    114: .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
                    115: .ds 8 \h'\*(#H'\(*b\h'-\*(#H'
                    116: .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
                    117: .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
                    118: .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
                    119: .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
                    120: .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
                    121: .ds ae a\h'-(\w'a'u*4/10)'e
                    122: .ds Ae A\h'-(\w'A'u*4/10)'E
                    123: .    \" corrections for vroff
                    124: .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
                    125: .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
                    126: .    \" for low resolution devices (crt and lpr)
                    127: .if \n(.H>23 .if \n(.V>19 \
                    128: \{\
                    129: .    ds : e
                    130: .    ds 8 ss
                    131: .    ds o a
                    132: .    ds d- d\h'-1'\(ga
                    133: .    ds D- D\h'-1'\(hy
                    134: .    ds th \o'bp'
                    135: .    ds Th \o'LP'
                    136: .    ds ae ae
                    137: .    ds Ae AE
                    138: .\}
                    139: .rm #[ #] #H #V #F C
                    140: .\" ========================================================================
                    141: .\"
                    142: .IX Title "SUDOERS.LDAP @mansectform@"
1.1.1.2 ! misho     143: .TH SUDOERS.LDAP @mansectform@ "March 14, 2012" "1.8.5" "MAINTENANCE COMMANDS"
1.1       misho     144: .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
                    145: .\" way too many mistakes in technical documents.
                    146: .if n .ad l
                    147: .nh
                    148: .SH "NAME"
                    149: sudoers.ldap \- sudo LDAP configuration
                    150: .SH "DESCRIPTION"
                    151: .IX Header "DESCRIPTION"
                    152: In addition to the standard \fIsudoers\fR file, \fBsudo\fR may be configured
                    153: via \s-1LDAP\s0.  This can be especially useful for synchronizing \fIsudoers\fR
                    154: in a large, distributed environment.
                    155: .PP
                    156: Using \s-1LDAP\s0 for \fIsudoers\fR has several benefits:
                    157: .IP "\(bu" 4
                    158: \&\fBsudo\fR no longer needs to read \fIsudoers\fR in its entirety.  When
                    159: \&\s-1LDAP\s0 is used, there are only two or three \s-1LDAP\s0 queries per invocation.
                    160: This makes it especially fast and particularly usable in \s-1LDAP\s0
                    161: environments.
                    162: .IP "\(bu" 4
                    163: \&\fBsudo\fR no longer exits if there is a typo in \fIsudoers\fR.
                    164: It is not possible to load \s-1LDAP\s0 data into the server that does
                    165: not conform to the sudoers schema, so proper syntax is guaranteed.
                    166: It is still possible to have typos in a user or host name, but
                    167: this will not prevent \fBsudo\fR from running.
                    168: .IP "\(bu" 4
                    169: It is possible to specify per-entry options that override the global
                    170: default options.  \fI@sysconfdir@/sudoers\fR only supports default options and
                    171: limited options associated with user/host/commands/aliases.  The
                    172: syntax is complicated and can be difficult for users to understand.
                    173: Placing the options directly in the entry is more natural.
                    174: .IP "\(bu" 4
                    175: The \fBvisudo\fR program is no longer needed.  \fBvisudo\fR provides
                    176: locking and syntax checking of the \fI@sysconfdir@/sudoers\fR file.
                    177: Since \s-1LDAP\s0 updates are atomic, locking is no longer necessary.
                    178: Because syntax is checked when the data is inserted into \s-1LDAP\s0, there
                    179: is no need for a specialized tool to check syntax.
                    180: .PP
                    181: Another major difference between \s-1LDAP\s0 and file-based \fIsudoers\fR
                    182: is that in \s-1LDAP\s0, \fBsudo\fR\-specific Aliases are not supported.
                    183: .PP
                    184: For the most part, there is really no need for \fBsudo\fR\-specific
                    185: Aliases.  Unix groups or user netgroups can be used in place of
                    186: User_Aliases and Runas_Aliases.  Host netgroups can be used in place
                    187: of Host_Aliases.  Since Unix groups and netgroups can also be stored
                    188: in \s-1LDAP\s0 there is no real need for \fBsudo\fR\-specific aliases.
                    189: .PP
                    190: Cmnd_Aliases are not really required either since it is possible
                    191: to have multiple users listed in a \f(CW\*(C`sudoRole\*(C'\fR.  Instead of defining
                    192: a Cmnd_Alias that is referenced by multiple users, one can create
                    193: a \f(CW\*(C`sudoRole\*(C'\fR that contains the commands and assign multiple users
                    194: to it.
                    195: .SS "SUDOers \s-1LDAP\s0 container"
                    196: .IX Subsection "SUDOers LDAP container"
                    197: The \fIsudoers\fR configuration is contained in the \f(CW\*(C`ou=SUDOers\*(C'\fR \s-1LDAP\s0
                    198: container.
                    199: .PP
                    200: Sudo first looks for the \f(CW\*(C`cn=defaults\*(C'\fR entry in the SUDOers container.
                    201: If found, the multi-valued \f(CW\*(C`sudoOption\*(C'\fR attribute is parsed in the
                    202: same manner as a global \f(CW\*(C`Defaults\*(C'\fR line in \fI@sysconfdir@/sudoers\fR.  In
                    203: the following example, the \f(CW\*(C`SSH_AUTH_SOCK\*(C'\fR variable will be preserved
                    204: in the environment for all users.
                    205: .PP
                    206: .Vb 6
                    207: \&    dn: cn=defaults,ou=SUDOers,dc=example,dc=com
                    208: \&    objectClass: top
                    209: \&    objectClass: sudoRole
                    210: \&    cn: defaults
                    211: \&    description: Default sudoOption\*(Aqs go here
                    212: \&    sudoOption: env_keep+=SSH_AUTH_SOCK
                    213: .Ve
                    214: .PP
                    215: The equivalent of a sudoer in \s-1LDAP\s0 is a \f(CW\*(C`sudoRole\*(C'\fR.  It consists of
                    216: the following attributes:
                    217: .IP "\fBsudoUser\fR" 4
                    218: .IX Item "sudoUser"
1.1.1.2 ! misho     219: A user name, user \s-1ID\s0 (prefixed with \f(CW\*(Aq#\*(Aq\fR), Unix group (prefixed with
        !           220: \&\f(CW\*(Aq%\*(Aq\fR), Unix group \s-1ID\s0 (prefixed with \f(CW\*(Aq%#\*(Aq\fR), or user netgroup
        !           221: (prefixed with \f(CW\*(Aq+\*(Aq\fR).
1.1       misho     222: .IP "\fBsudoHost\fR" 4
                    223: .IX Item "sudoHost"
                    224: A host name, \s-1IP\s0 address, \s-1IP\s0 network, or host netgroup (prefixed
                    225: with a \f(CW\*(Aq+\*(Aq\fR).
                    226: The special value \f(CW\*(C`ALL\*(C'\fR will match any host.
                    227: .IP "\fBsudoCommand\fR" 4
                    228: .IX Item "sudoCommand"
                    229: A Unix command with optional command line arguments, potentially
                    230: including globbing characters (aka wild cards).
                    231: The special value \f(CW\*(C`ALL\*(C'\fR will match any command.
                    232: If a command is prefixed with an exclamation point \f(CW\*(Aq!\*(Aq\fR, the
                    233: user will be prohibited from running that command.
                    234: .IP "\fBsudoOption\fR" 4
                    235: .IX Item "sudoOption"
                    236: Identical in function to the global options described above, but
                    237: specific to the \f(CW\*(C`sudoRole\*(C'\fR in which it resides.
                    238: .IP "\fBsudoRunAsUser\fR" 4
                    239: .IX Item "sudoRunAsUser"
                    240: A user name or uid (prefixed with \f(CW\*(Aq#\*(Aq\fR) that commands may be run
                    241: as or a Unix group (prefixed with a \f(CW\*(Aq%\*(Aq\fR) or user netgroup (prefixed
                    242: with a \f(CW\*(Aq+\*(Aq\fR) that contains a list of users that commands may be
                    243: run as.
                    244: The special value \f(CW\*(C`ALL\*(C'\fR will match any user.
                    245: .Sp
                    246: The \f(CW\*(C`sudoRunAsUser\*(C'\fR attribute is only available in \fBsudo\fR versions
                    247: 1.7.0 and higher.  Older versions of \fBsudo\fR use the \f(CW\*(C`sudoRunAs\*(C'\fR
                    248: attribute instead.
                    249: .IP "\fBsudoRunAsGroup\fR" 4
                    250: .IX Item "sudoRunAsGroup"
                    251: A Unix group or gid (prefixed with \f(CW\*(Aq#\*(Aq\fR) that commands may be run as.
                    252: The special value \f(CW\*(C`ALL\*(C'\fR will match any group.
                    253: .Sp
                    254: The \f(CW\*(C`sudoRunAsGroup\*(C'\fR attribute is only available in \fBsudo\fR versions
                    255: 1.7.0 and higher.
                    256: .IP "\fBsudoNotBefore\fR" 4
                    257: .IX Item "sudoNotBefore"
                    258: A timestamp in the form \f(CW\*(C`yyyymmddHHMMSSZ\*(C'\fR that can be used to provide
                    259: a start date/time for when the \f(CW\*(C`sudoRole\*(C'\fR will be valid.  If
                    260: multiple \f(CW\*(C`sudoNotBefore\*(C'\fR entries are present, the earliest is used.
                    261: Note that timestamps must be in Coordinated Universal Time (\s-1UTC\s0),
                    262: not the local timezone.  The minute and seconds portions are optional,
                    263: but some \s-1LDAP\s0 servers require that they be present (contrary to the \s-1RFC\s0).
                    264: .Sp
                    265: The \f(CW\*(C`sudoNotBefore\*(C'\fR attribute is only available in \fBsudo\fR versions
                    266: 1.7.5 and higher and must be explicitly enabled via the \fB\s-1SUDOERS_TIMED\s0\fR
                    267: option in \fI@ldap_conf@\fR.
                    268: .IP "\fBsudoNotAfter\fR" 4
                    269: .IX Item "sudoNotAfter"
                    270: A timestamp in the form \f(CW\*(C`yyyymmddHHMMSSZ\*(C'\fR that indicates an expiration
                    271: date/time, after which the \f(CW\*(C`sudoRole\*(C'\fR will no longer be valid.  If
                    272: multiple \f(CW\*(C`sudoNotAfter\*(C'\fR entries are present, the last one is used.
                    273: Note that timestamps must be in Coordinated Universal Time (\s-1UTC\s0),
                    274: not the local timezone.  The minute and seconds portions are optional,
                    275: but some \s-1LDAP\s0 servers require that they be present (contrary to the \s-1RFC\s0).
                    276: .Sp
                    277: The \f(CW\*(C`sudoNotAfter\*(C'\fR attribute is only available in \fBsudo\fR versions
                    278: 1.7.5 and higher and must be explicitly enabled via the \fB\s-1SUDOERS_TIMED\s0\fR
                    279: option in \fI@ldap_conf@\fR.
                    280: .IP "\fBsudoOrder\fR" 4
                    281: .IX Item "sudoOrder"
                    282: The \f(CW\*(C`sudoRole\*(C'\fR entries retrieved from the \s-1LDAP\s0 directory have no
                    283: inherent order.  The \f(CW\*(C`sudoOrder\*(C'\fR attribute is an integer (or
                    284: floating point value for \s-1LDAP\s0 servers that support it) that is used
                    285: to sort the matching entries.  This allows LDAP-based sudoers entries
                    286: to more closely mimic the behaviour of the sudoers file, where the order
                    287: of the entries influences the result.  If multiple entries match,
                    288: the entry with the highest \f(CW\*(C`sudoOrder\*(C'\fR attribute is chosen.  This
                    289: corresponds to the \*(L"last match\*(R" behavior of the sudoers file.  If
                    290: the \f(CW\*(C`sudoOrder\*(C'\fR attribute is not present, a value of 0 is assumed.
                    291: .Sp
                    292: The \f(CW\*(C`sudoOrder\*(C'\fR attribute is only available in \fBsudo\fR versions
                    293: 1.7.5 and higher.
                    294: .PP
                    295: Each attribute listed above should contain a single value, but there
                    296: may be multiple instances of each attribute type.  A \f(CW\*(C`sudoRole\*(C'\fR must
                    297: contain at least one \f(CW\*(C`sudoUser\*(C'\fR, \f(CW\*(C`sudoHost\*(C'\fR and \f(CW\*(C`sudoCommand\*(C'\fR.
                    298: .PP
                    299: The following example allows users in group wheel to run any command
                    300: on any host via \fBsudo\fR:
                    301: .PP
                    302: .Vb 7
                    303: \&    dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
                    304: \&    objectClass: top
                    305: \&    objectClass: sudoRole
                    306: \&    cn: %wheel
                    307: \&    sudoUser: %wheel
                    308: \&    sudoHost: ALL
                    309: \&    sudoCommand: ALL
                    310: .Ve
                    311: .SS "Anatomy of \s-1LDAP\s0 sudoers lookup"
                    312: .IX Subsection "Anatomy of LDAP sudoers lookup"
                    313: When looking up a sudoer using \s-1LDAP\s0 there are only two or three
                    314: \&\s-1LDAP\s0 queries per invocation.  The first query is to parse the global
                    315: options.  The second is to match against the user's name and the
                    316: groups that the user belongs to.  (The special \s-1ALL\s0 tag is matched
                    317: in this query too.)  If no match is returned for the user's name
                    318: and groups, a third query returns all entries containing user
                    319: netgroups and checks to see if the user belongs to any of them.
                    320: .PP
                    321: If timed entries are enabled with the \fB\s-1SUDOERS_TIMED\s0\fR configuration
                    322: directive, the \s-1LDAP\s0 queries include a subfilter that limits retrieval
                    323: to entries that satisfy the time constraints, if any.
                    324: .SS "Differences between \s-1LDAP\s0 and non-LDAP sudoers"
                    325: .IX Subsection "Differences between LDAP and non-LDAP sudoers"
                    326: There are some subtle differences in the way sudoers is handled
                    327: once in \s-1LDAP\s0.  Probably the biggest is that according to the \s-1RFC\s0,
                    328: \&\s-1LDAP\s0 ordering is arbitrary and you cannot expect that Attributes
                    329: and Entries are returned in any specific order.
                    330: .PP
                    331: The order in which different entries are applied can be controlled
                    332: using the \f(CW\*(C`sudoOrder\*(C'\fR attribute, but there is no way to guarantee
                    333: the order of attributes within a specific entry.  If there are
                    334: conflicting command rules in an entry, the negative takes precedence.
                    335: This is called paranoid behavior (not necessarily the most specific
                    336: match).
                    337: .PP
                    338: Here is an example:
                    339: .PP
                    340: .Vb 5
                    341: \&    # /etc/sudoers:
                    342: \&    # Allow all commands except shell
                    343: \&    johnny  ALL=(root) ALL,!/bin/sh
                    344: \&    # Always allows all commands because ALL is matched last
                    345: \&    puddles ALL=(root) !/bin/sh,ALL
                    346: \&
                    347: \&    # LDAP equivalent of johnny
                    348: \&    # Allows all commands except shell
                    349: \&    dn: cn=role1,ou=Sudoers,dc=my\-domain,dc=com
                    350: \&    objectClass: sudoRole
                    351: \&    objectClass: top
                    352: \&    cn: role1
                    353: \&    sudoUser: johnny
                    354: \&    sudoHost: ALL
                    355: \&    sudoCommand: ALL
                    356: \&    sudoCommand: !/bin/sh
                    357: \&
                    358: \&    # LDAP equivalent of puddles
                    359: \&    # Notice that even though ALL comes last, it still behaves like
                    360: \&    # role1 since the LDAP code assumes the more paranoid configuration
                    361: \&    dn: cn=role2,ou=Sudoers,dc=my\-domain,dc=com
                    362: \&    objectClass: sudoRole
                    363: \&    objectClass: top
                    364: \&    cn: role2
                    365: \&    sudoUser: puddles
                    366: \&    sudoHost: ALL
                    367: \&    sudoCommand: !/bin/sh
                    368: \&    sudoCommand: ALL
                    369: .Ve
                    370: .PP
                    371: Another difference is that negations on the Host, User or Runas are
                    372: currently ignored.  For example, the following attributes do not
                    373: behave the way one might expect.
                    374: .PP
                    375: .Vb 3
                    376: \&    # does not match all but joe
                    377: \&    # rather, does not match anyone
                    378: \&    sudoUser: !joe
                    379: \&
                    380: \&    # does not match all but joe
                    381: \&    # rather, matches everyone including Joe
                    382: \&    sudoUser: ALL
                    383: \&    sudoUser: !joe
                    384: \&
                    385: \&    # does not match all but web01
                    386: \&    # rather, matches all hosts including web01
                    387: \&    sudoHost: ALL
                    388: \&    sudoHost: !web01
                    389: .Ve
                    390: .SS "Sudoers Schema"
                    391: .IX Subsection "Sudoers Schema"
                    392: In order to use \fBsudo\fR's \s-1LDAP\s0 support, the \fBsudo\fR schema must be
                    393: installed on your \s-1LDAP\s0 server.  In addition, be sure to index the
                    394: \&'sudoUser' attribute.
                    395: .PP
                    396: Three versions of the schema may be found in the \fBsudo\fR distribution:
                    397: one for OpenLDAP servers (\fIschema.OpenLDAP\fR), one for Netscape-derived
                    398: servers (\fIschema.iPlanet\fR), and one for Microsoft Active Directory
                    399: (\fIschema.ActiveDirectory\fR).
                    400: .PP
                    401: The schema for \fBsudo\fR in OpenLDAP form is included in the \s-1EXAMPLES\s0
                    402: section.
                    403: .SS "Configuring ldap.conf"
                    404: .IX Subsection "Configuring ldap.conf"
                    405: Sudo reads the \fI@ldap_conf@\fR file for LDAP-specific configuration.
                    406: Typically, this file is shared amongst different LDAP-aware clients.
                    407: As such, most of the settings are not \fBsudo\fR\-specific.  Note that
                    408: \&\fBsudo\fR parses \fI@ldap_conf@\fR itself and may support options
                    409: that differ from those described in the \fIldap.conf\fR\|(@mansectform@) manual.
                    410: .PP
                    411: Also note that on systems using the OpenLDAP libraries, default
                    412: values specified in \fI/etc/openldap/ldap.conf\fR or the user's
                    413: \&\fI.ldaprc\fR files are not used.
                    414: .PP
                    415: Only those options explicitly listed in \fI@ldap_conf@\fR as being
                    416: supported by \fBsudo\fR are honored.  Configuration options are listed
                    417: below in upper case but are parsed in a case-independent manner.
                    418: .IP "\fB\s-1URI\s0\fR ldap[s]://[hostname[:port]] ..." 4
                    419: .IX Item "URI ldap[s]://[hostname[:port]] ..."
                    420: Specifies a whitespace-delimited list of one or more URIs describing
                    421: the \s-1LDAP\s0 server(s) to connect to.  The \fIprotocol\fR may be either
                    422: \&\fBldap\fR or \fBldaps\fR, the latter being for servers that support \s-1TLS\s0
                    423: (\s-1SSL\s0) encryption.  If no \fIport\fR is specified, the default is port
                    424: 389 for \f(CW\*(C`ldap://\*(C'\fR or port 636 for \f(CW\*(C`ldaps://\*(C'\fR.  If no \fIhostname\fR
                    425: is specified, \fBsudo\fR will connect to \fBlocalhost\fR.  Multiple \fB\s-1URI\s0\fR
                    426: lines are treated identically to a \fB\s-1URI\s0\fR line containing multiple
                    427: entries.  Only systems using the OpenSSL libraries support the
                    428: mixing of \f(CW\*(C`ldap://\*(C'\fR and \f(CW\*(C`ldaps://\*(C'\fR URIs.  The Netscape-derived
                    429: libraries used on most commercial versions of Unix are only capable
                    430: of supporting one or the other.
                    431: .IP "\fB\s-1HOST\s0\fR name[:port] ..." 4
                    432: .IX Item "HOST name[:port] ..."
                    433: If no \fB\s-1URI\s0\fR is specified, the \fB\s-1HOST\s0\fR parameter specifies a
                    434: whitespace-delimited list of \s-1LDAP\s0 servers to connect to.  Each host
                    435: may include an optional \fIport\fR separated by a colon (':').  The
                    436: \&\fB\s-1HOST\s0\fR parameter is deprecated in favor of the \fB\s-1URI\s0\fR specification
                    437: and is included for backwards compatibility.
                    438: .IP "\fB\s-1PORT\s0\fR port_number" 4
                    439: .IX Item "PORT port_number"
                    440: If no \fB\s-1URI\s0\fR is specified, the \fB\s-1PORT\s0\fR parameter specifies the
                    441: default port to connect to on the \s-1LDAP\s0 server if a \fB\s-1HOST\s0\fR parameter
                    442: does not specify the port itself.  If no \fB\s-1PORT\s0\fR parameter is used,
                    443: the default is port 389 for \s-1LDAP\s0 and port 636 for \s-1LDAP\s0 over \s-1TLS\s0
                    444: (\s-1SSL\s0).  The \fB\s-1PORT\s0\fR parameter is deprecated in favor of the \fB\s-1URI\s0\fR
                    445: specification and is included for backwards compatibility.
                    446: .IP "\fB\s-1BIND_TIMELIMIT\s0\fR seconds" 4
                    447: .IX Item "BIND_TIMELIMIT seconds"
                    448: The \fB\s-1BIND_TIMELIMIT\s0\fR parameter specifies the amount of time, in seconds,
                    449: to wait while trying to connect to an \s-1LDAP\s0 server.  If multiple \fB\s-1URI\s0\fRs or
                    450: \&\fB\s-1HOST\s0\fRs are specified, this is the amount of time to wait before trying
                    451: the next one in the list.
                    452: .IP "\fB\s-1NETWORK_TIMEOUT\s0\fR seconds" 4
                    453: .IX Item "NETWORK_TIMEOUT seconds"
                    454: An alias for \fB\s-1BIND_TIMELIMIT\s0\fR for OpenLDAP compatibility.
                    455: .IP "\fB\s-1TIMELIMIT\s0\fR seconds" 4
                    456: .IX Item "TIMELIMIT seconds"
                    457: The \fB\s-1TIMELIMIT\s0\fR parameter specifies the amount of time, in seconds,
                    458: to wait for a response to an \s-1LDAP\s0 query.
                    459: .IP "\fB\s-1TIMEOUT\s0\fR seconds" 4
                    460: .IX Item "TIMEOUT seconds"
                    461: The \fB\s-1TIMEOUT\s0\fR parameter specifies the amount of time, in seconds,
                    462: to wait for a response from the various \s-1LDAP\s0 APIs.
                    463: .IP "\fB\s-1SUDOERS_BASE\s0\fR base" 4
                    464: .IX Item "SUDOERS_BASE base"
                    465: The base \s-1DN\s0 to use when performing \fBsudo\fR \s-1LDAP\s0 queries.  Typically
                    466: this is of the form \f(CW\*(C`ou=SUDOers,dc=example,dc=com\*(C'\fR for the domain
                    467: \&\f(CW\*(C`example.com\*(C'\fR.  Multiple \fB\s-1SUDOERS_BASE\s0\fR lines may be specified,
                    468: in which case they are queried in the order specified.
                    469: .IP "\fB\s-1SUDOERS_SEARCH_FILTER\s0\fR ldap_filter" 4
                    470: .IX Item "SUDOERS_SEARCH_FILTER ldap_filter"
                    471: An \s-1LDAP\s0 filter which is used to restrict the set of records returned
                    472: when performing a \fBsudo\fR \s-1LDAP\s0 query.  Typically, this is of the
                    473: form \f(CW\*(C`attribute=value\*(C'\fR or \f(CW\*(C`(&(attribute=value)(attribute2=value2))\*(C'\fR.
                    474: .IP "\fB\s-1SUDOERS_TIMED\s0\fR on/true/yes/off/false/no" 4
                    475: .IX Item "SUDOERS_TIMED on/true/yes/off/false/no"
                    476: Whether or not to evaluate the \f(CW\*(C`sudoNotBefore\*(C'\fR and \f(CW\*(C`sudoNotAfter\*(C'\fR
                    477: attributes that implement time-dependent sudoers entries.
                    478: .IP "\fB\s-1SUDOERS_DEBUG\s0\fR debug_level" 4
                    479: .IX Item "SUDOERS_DEBUG debug_level"
                    480: This sets the debug level for \fBsudo\fR \s-1LDAP\s0 queries.  Debugging
                    481: information is printed to the standard error.  A value of 1 results
                    482: in a moderate amount of debugging information.  A value of 2 shows
                    483: the results of the matches themselves.  This parameter should not
                    484: be set in a production environment as the extra information is
                    485: likely to confuse users.
                    486: .IP "\fB\s-1BINDDN\s0\fR \s-1DN\s0" 4
                    487: .IX Item "BINDDN DN"
                    488: The \fB\s-1BINDDN\s0\fR parameter specifies the identity, in the form of a
                    489: Distinguished Name (\s-1DN\s0), to use when performing \s-1LDAP\s0 operations.
                    490: If not specified, \s-1LDAP\s0 operations are performed with an anonymous
                    491: identity.  By default, most \s-1LDAP\s0 servers will allow anonymous access.
                    492: .IP "\fB\s-1BINDPW\s0\fR secret" 4
                    493: .IX Item "BINDPW secret"
                    494: The \fB\s-1BINDPW\s0\fR parameter specifies the password to use when performing
                    495: \&\s-1LDAP\s0 operations.  This is typically used in conjunction with the
                    496: \&\fB\s-1BINDDN\s0\fR parameter.
                    497: .IP "\fB\s-1ROOTBINDDN\s0\fR \s-1DN\s0" 4
                    498: .IX Item "ROOTBINDDN DN"
                    499: The \fB\s-1ROOTBINDDN\s0\fR parameter specifies the identity, in the form of
                    500: a Distinguished Name (\s-1DN\s0), to use when performing privileged \s-1LDAP\s0
                    501: operations, such as \fIsudoers\fR queries.  The password corresponding
                    502: to the identity should be stored in \fI@ldap_secret@\fR.
                    503: If not specified, the \fB\s-1BINDDN\s0\fR identity is used (if any).
                    504: .IP "\fB\s-1LDAP_VERSION\s0\fR number" 4
                    505: .IX Item "LDAP_VERSION number"
                    506: The version of the \s-1LDAP\s0 protocol to use when connecting to the server.
                    507: The default value is protocol version 3.
                    508: .IP "\fB\s-1SSL\s0\fR on/true/yes/off/false/no" 4
                    509: .IX Item "SSL on/true/yes/off/false/no"
                    510: If the \fB\s-1SSL\s0\fR parameter is set to \f(CW\*(C`on\*(C'\fR, \f(CW\*(C`true\*(C'\fR or \f(CW\*(C`yes\*(C'\fR, \s-1TLS\s0
                    511: (\s-1SSL\s0) encryption is always used when communicating with the \s-1LDAP\s0
                    512: server.  Typically, this involves connecting to the server on port
                    513: 636 (ldaps).
                    514: .IP "\fB\s-1SSL\s0\fR start_tls" 4
                    515: .IX Item "SSL start_tls"
                    516: If the \fB\s-1SSL\s0\fR parameter is set to \f(CW\*(C`start_tls\*(C'\fR, the \s-1LDAP\s0 server
                    517: connection is initiated normally and \s-1TLS\s0 encryption is begun before
                    518: the bind credentials are sent.  This has the advantage of not
                    519: requiring a dedicated port for encrypted communications.  This
                    520: parameter is only supported by \s-1LDAP\s0 servers that honor the \f(CW\*(C`start_tls\*(C'\fR
                    521: extension, such as the OpenLDAP server.
                    522: .IP "\fB\s-1TLS_CHECKPEER\s0\fR on/true/yes/off/false/no" 4
                    523: .IX Item "TLS_CHECKPEER on/true/yes/off/false/no"
                     524: If enabled, \fB\s-1TLS_CHECKPEER\s0\fR will cause the \s-1LDAP\s0 server's \s-1TLS\s0
                     525: certificate to be verified.  If the server's \s-1TLS\s0 certificate cannot
                    526: be verified (usually because it is signed by an unknown certificate
                    527: authority), \fBsudo\fR will be unable to connect to it.  If \fB\s-1TLS_CHECKPEER\s0\fR
                    528: is disabled, no check is made.  Note that disabling the check creates
                    529: an opportunity for man-in-the-middle attacks since the server's
                    530: identity will not be authenticated.  If possible, the \s-1CA\s0's certificate
                    531: should be installed locally so it can be verified.
                    532: .IP "\fB\s-1TLS_CACERT\s0\fR file name" 4
                    533: .IX Item "TLS_CACERT file name"
                    534: An alias for \fB\s-1TLS_CACERTFILE\s0\fR for OpenLDAP compatibility.
                    535: .IP "\fB\s-1TLS_CACERTFILE\s0\fR file name" 4
                    536: .IX Item "TLS_CACERTFILE file name"
                    537: The path to a certificate authority bundle which contains the certificates
                    538: for all the Certificate Authorities the client knows to be valid,
                    539: e.g. \fI/etc/ssl/ca\-bundle.pem\fR.
                    540: This option is only supported by the OpenLDAP libraries.
                    541: Netscape-derived \s-1LDAP\s0 libraries use the same certificate
                    542: database for \s-1CA\s0 and client certificates (see \fB\s-1TLS_CERT\s0\fR).
                    543: .IP "\fB\s-1TLS_CACERTDIR\s0\fR directory" 4
                    544: .IX Item "TLS_CACERTDIR directory"
                    545: Similar to \fB\s-1TLS_CACERTFILE\s0\fR but instead of a file, it is a
                    546: directory containing individual Certificate Authority certificates,
                    547: e.g. \fI/etc/ssl/certs\fR.
                    548: The directory specified by \fB\s-1TLS_CACERTDIR\s0\fR is checked after
                    549: \&\fB\s-1TLS_CACERTFILE\s0\fR.
                    550: This option is only supported by the OpenLDAP libraries.
                    551: .IP "\fB\s-1TLS_CERT\s0\fR file name" 4
                    552: .IX Item "TLS_CERT file name"
                    553: The path to a file containing the client certificate which can
                    554: be used to authenticate the client to the \s-1LDAP\s0 server.
                    555: The certificate type depends on the \s-1LDAP\s0 libraries used.
                    556: .Sp
                    557: OpenLDAP:
                    558:     \f(CW\*(C`tls_cert /etc/ssl/client_cert.pem\*(C'\fR
                    559: .Sp
                    560: Netscape-derived:
                    561:     \f(CW\*(C`tls_cert /var/ldap/cert7.db\*(C'\fR
                    562: .Sp
                    563: When using Netscape-derived libraries, this file may also contain
                    564: Certificate Authority certificates.
                    565: .IP "\fB\s-1TLS_KEY\s0\fR file name" 4
                    566: .IX Item "TLS_KEY file name"
                     567: The path to a file containing the private key which matches the
                     568: certificate specified by \fB\s-1TLS_CERT\s0\fR.  The private key must not be
                     569: password-protected, so the key file should be readable only by root
                     570: (see the example \fIldap.conf\fR below).  The key type depends on the
                     571: \s-1LDAP\s0 libraries used.
                    571: .Sp
                    572: OpenLDAP:
                    573:     \f(CW\*(C`tls_key /etc/ssl/client_key.pem\*(C'\fR
                    574: .Sp
                    575: Netscape-derived:
                    576:     \f(CW\*(C`tls_key /var/ldap/key3.db\*(C'\fR
                    577: .IP "\fB\s-1TLS_RANDFILE\s0\fR file name" 4
                    578: .IX Item "TLS_RANDFILE file name"
                    579: The \fB\s-1TLS_RANDFILE\s0\fR parameter specifies the path to an entropy
                    580: source for systems that lack a random device.  It is generally used
                    581: in conjunction with \fIprngd\fR or \fIegd\fR.
                    582: This option is only supported by the OpenLDAP libraries.
                    583: .IP "\fB\s-1TLS_CIPHERS\s0\fR cipher list" 4
                    584: .IX Item "TLS_CIPHERS cipher list"
                     585: The \fB\s-1TLS_CIPHERS\s0\fR parameter allows the administrator to restrict
                    586: which encryption algorithms may be used for \s-1TLS\s0 (\s-1SSL\s0) connections.
                    587: See the OpenSSL manual for a list of valid ciphers.
                    588: This option is only supported by the OpenLDAP libraries.
                    589: .IP "\fB\s-1USE_SASL\s0\fR on/true/yes/off/false/no" 4
                    590: .IX Item "USE_SASL on/true/yes/off/false/no"
                    591: Enable \fB\s-1USE_SASL\s0\fR for \s-1LDAP\s0 servers that support \s-1SASL\s0 authentication.
                    592: .IP "\fB\s-1SASL_AUTH_ID\s0\fR identity" 4
                    593: .IX Item "SASL_AUTH_ID identity"
                    594: The \s-1SASL\s0 user name to use when connecting to the \s-1LDAP\s0 server.
                    595: By default, \fBsudo\fR will use an anonymous connection.
                    596: .IP "\fB\s-1ROOTUSE_SASL\s0\fR on/true/yes/off/false/no" 4
                    597: .IX Item "ROOTUSE_SASL on/true/yes/off/false/no"
                     598: Set \fB\s-1ROOTUSE_SASL\s0\fR to enable \s-1SASL\s0 authentication when connecting
                     599: to an \s-1LDAP\s0 server from a privileged process, such as \fBsudo\fR.
                    600: .IP "\fB\s-1ROOTSASL_AUTH_ID\s0\fR identity" 4
                    601: .IX Item "ROOTSASL_AUTH_ID identity"
                    602: The \s-1SASL\s0 user name to use when \fB\s-1ROOTUSE_SASL\s0\fR is enabled.
                    603: .IP "\fB\s-1SASL_SECPROPS\s0\fR none/properties" 4
                    604: .IX Item "SASL_SECPROPS none/properties"
                    605: \&\s-1SASL\s0 security properties or \fInone\fR for no properties.  See the
                    606: \&\s-1SASL\s0 programmer's manual for details.
                    607: .IP "\fB\s-1KRB5_CCNAME\s0\fR file name" 4
                    608: .IX Item "KRB5_CCNAME file name"
                    609: The path to the Kerberos 5 credential cache to use when authenticating
                    610: with the remote server.
                    611: .IP "\fB\s-1DEREF\s0\fR never/searching/finding/always" 4
                    612: .IX Item "DEREF never/searching/finding/always"
                    613: How alias dereferencing is to be performed when searching.  See the
                    614: \&\fIldap.conf\fR\|(@mansectform@) manual for a full description of this option.
                    615: .PP
                    616: See the \f(CW\*(C`ldap.conf\*(C'\fR entry in the \s-1EXAMPLES\s0 section.
                    617: .SS "Configuring nsswitch.conf"
                    618: .IX Subsection "Configuring nsswitch.conf"
                    619: Unless it is disabled at build time, \fBsudo\fR consults the Name
                    620: Service Switch file, \fI@nsswitch_conf@\fR, to specify the \fIsudoers\fR
                    621: search order.  Sudo looks for a line beginning with \f(CW\*(C`sudoers\*(C'\fR: and
                    622: uses this to determine the search order.  Note that \fBsudo\fR does
                    623: not stop searching after the first match and later matches take
                    624: precedence over earlier ones.
                    625: .PP
                    626: The following sources are recognized:
                    627: .PP
                    628: .Vb 2
                    629: \&    files       read sudoers from F<@sysconfdir@/sudoers>
                    630: \&    ldap        read sudoers from LDAP
                    631: .Ve
                    632: .PP
                    633: In addition, the entry \f(CW\*(C`[NOTFOUND=return]\*(C'\fR will short-circuit the
                    634: search if the user was not found in the preceding source.
                    635: .PP
                    636: To consult \s-1LDAP\s0 first followed by the local sudoers file (if it
                    637: exists), use:
                    638: .PP
                    639: .Vb 1
                    640: \&    sudoers: ldap files
                    641: .Ve
                    642: .PP
                    643: The local \fIsudoers\fR file can be ignored completely by using:
                    644: .PP
                    645: .Vb 1
                    646: \&    sudoers: ldap
                    647: .Ve
                    648: .PP
                    649: If the \fI@nsswitch_conf@\fR file is not present or there is no
                    650: sudoers line, the following default is assumed:
                    651: .PP
                    652: .Vb 1
                    653: \&    sudoers: files
                    654: .Ve
                    655: .PP
                    656: Note that \fI@nsswitch_conf@\fR is supported even when the underlying
                    657: operating system does not use an nsswitch.conf file.
                    658: .SS "Configuring netsvc.conf"
                    659: .IX Subsection "Configuring netsvc.conf"
                    660: On \s-1AIX\s0 systems, the \fI@netsvc_conf@\fR file is consulted instead of
                    661: \&\fI@nsswitch_conf@\fR.  \fBsudo\fR simply treats \fInetsvc.conf\fR as a
                    662: variant of \fInsswitch.conf\fR; information in the previous section
                    663: unrelated to the file format itself still applies.
                    664: .PP
                    665: To consult \s-1LDAP\s0 first followed by the local sudoers file (if it
                    666: exists), use:
                    667: .PP
                    668: .Vb 1
                    669: \&    sudoers = ldap, files
                    670: .Ve
                    671: .PP
                    672: The local \fIsudoers\fR file can be ignored completely by using:
                    673: .PP
                    674: .Vb 1
                    675: \&    sudoers = ldap
                    676: .Ve
                    677: .PP
                     678: To treat \s-1LDAP\s0 as authoritative and only use the local sudoers file
                    679: if the user is not present in \s-1LDAP\s0, use:
                    680: .PP
                    681: .Vb 1
                    682: \&    sudoers = ldap = auth, files
                    683: .Ve
                    684: .PP
                     685: Note that in the above example, the \f(CW\*(C`auth\*(C'\fR qualifier only affects
                    686: user lookups; both \s-1LDAP\s0 and \fIsudoers\fR will be queried for \f(CW\*(C`Defaults\*(C'\fR
                    687: entries.
                    688: .PP
                    689: If the \fI@netsvc_conf@\fR file is not present or there is no
                    690: sudoers line, the following default is assumed:
                    691: .PP
                    692: .Vb 1
                    693: \&    sudoers = files
                    694: .Ve
                    695: .SH "FILES"
                    696: .IX Header "FILES"
                    697: .ie n .IP "\fI@ldap_conf@\fR" 24
                    698: .el .IP "\fI@ldap_conf@\fR" 24
                    699: .IX Item "@ldap_conf@"
                    700: \&\s-1LDAP\s0 configuration file
                    701: .ie n .IP "\fI@nsswitch_conf@\fR" 24
                    702: .el .IP "\fI@nsswitch_conf@\fR" 24
                    703: .IX Item "@nsswitch_conf@"
                    704: determines sudoers source order
                    705: .ie n .IP "\fI@netsvc_conf@\fR" 24
                    706: .el .IP "\fI@netsvc_conf@\fR" 24
                    707: .IX Item "@netsvc_conf@"
                    708: determines sudoers source order on \s-1AIX\s0
                    709: .SH "EXAMPLES"
                    710: .IX Header "EXAMPLES"
                    711: .SS "Example ldap.conf"
                    712: .IX Subsection "Example ldap.conf"
                    713: .Vb 10
                    714: \&  # Either specify one or more URIs or one or more host:port pairs.
                    715: \&  # If neither is specified sudo will default to localhost, port 389.
                    716: \&  #
                    717: \&  #host          ldapserver
                    718: \&  #host          ldapserver1 ldapserver2:390
                    719: \&  #
                    720: \&  # Default port if host is specified without one, defaults to 389.
                    721: \&  #port          389
                    722: \&  #
                    723: \&  # URI will override the host and port settings.
                    724: \&  uri            ldap://ldapserver
                    725: \&  #uri            ldaps://secureldapserver
                    726: \&  #uri            ldaps://secureldapserver ldap://ldapserver
                    727: \&  #
                    728: \&  # The amount of time, in seconds, to wait while trying to connect to
                    729: \&  # an LDAP server.
                    730: \&  bind_timelimit 30
                    731: \&  #
                    732: \&  # The amount of time, in seconds, to wait while performing an LDAP query.
                    733: \&  timelimit 30
                    734: \&  #
                    735: \&  # Must be set or sudo will ignore LDAP; may be specified multiple times.
                    736: \&  sudoers_base   ou=SUDOers,dc=example,dc=com
                    737: \&  #
                    738: \&  # verbose sudoers matching from ldap
                    739: \&  #sudoers_debug 2
                    740: \&  #
                    741: \&  # Enable support for time\-based entries in sudoers.
                    742: \&  #sudoers_timed yes
                    743: \&  #
                    744: \&  # optional proxy credentials
                    745: \&  #binddn        <who to search as>
                    746: \&  #bindpw        <password>
                    747: \&  #rootbinddn    <who to search as, uses /etc/ldap.secret for bindpw>
                    748: \&  #
                    749: \&  # LDAP protocol version, defaults to 3
                    750: \&  #ldap_version 3
                    751: \&  #
                    752: \&  # Define if you want to use an encrypted LDAP connection.
                    753: \&  # Typically, you must also set the port to 636 (ldaps).
                    754: \&  #ssl on
                    755: \&  #
                    756: \&  # Define if you want to use port 389 and switch to
                    757: \&  # encryption before the bind credentials are sent.
                    758: \&  # Only supported by LDAP servers that support the start_tls
                    759: \&  # extension such as OpenLDAP.
                    760: \&  #ssl start_tls
                    761: \&  #
                    762: \&  # Additional TLS options follow that allow tweaking of the
                    763: \&  # SSL/TLS connection.
                    764: \&  #
                    765: \&  #tls_checkpeer yes # verify server SSL certificate
                    766: \&  #tls_checkpeer no  # ignore server SSL certificate
                    767: \&  #
                    768: \&  # If you enable tls_checkpeer, specify either tls_cacertfile
                    769: \&  # or tls_cacertdir.  Only supported when using OpenLDAP.
                    770: \&  #
                    771: \&  #tls_cacertfile /etc/certs/trusted_signers.pem
                    772: \&  #tls_cacertdir  /etc/certs
                    773: \&  #
                    774: \&  # For systems that don\*(Aqt have /dev/random
                    775: \&  # use this along with PRNGD or EGD.pl to seed the
                    776: \&  # random number pool to generate cryptographic session keys.
                    777: \&  # Only supported when using OpenLDAP.
                    778: \&  #
                    779: \&  #tls_randfile /etc/egd\-pool
                    780: \&  #
                    781: \&  # You may restrict which ciphers are used.  Consult your SSL
                    782: \&  # documentation for which options go here.
                    783: \&  # Only supported when using OpenLDAP.
                    784: \&  #
                    785: \&  #tls_ciphers <cipher\-list>
                    786: \&  #
                    787: \&  # Sudo can provide a client certificate when communicating to
                    788: \&  # the LDAP server.
                    789: \&  # Tips:
                    790: \&  #   * Enable both lines at the same time.
                    791: \&  #   * Do not password protect the key file.
                    792: \&  #   * Ensure the keyfile is only readable by root.
                    793: \&  #
                    794: \&  # For OpenLDAP:
                    795: \&  #tls_cert /etc/certs/client_cert.pem
                    796: \&  #tls_key  /etc/certs/client_key.pem
                    797: \&  #
                    798: \&  # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
                    799: \&  # a directory, in which case the files in the directory must have the
                    800: \&  # default names (e.g. cert8.db and key4.db), or the path to the cert
                    801: \&  # and key files themselves.  However, a bug in version 5.0 of the LDAP
                    802: \&  # SDK will prevent specific file names from working.  For this reason
                    803: \&  # it is suggested that tls_cert and tls_key be set to a directory,
                    804: \&  # not a file name.
                    805: \&  #
                    806: \&  # The certificate database specified by tls_cert may contain CA certs
                    807: \&  # and/or the client\*(Aqs cert.  If the client\*(Aqs cert is included, tls_key
                    808: \&  # should be specified as well.
                    809: \&  # For backward compatibility, "sslpath" may be used in place of tls_cert.
                    810: \&  #tls_cert /var/ldap
                    811: \&  #tls_key /var/ldap
                    812: \&  #
                    813: \&  # If using SASL authentication for LDAP (OpenSSL)
                    814: \&  # use_sasl yes
                    815: \&  # sasl_auth_id <SASL user name>
                    816: \&  # rootuse_sasl yes
                    817: \&  # rootsasl_auth_id <SASL user name for root access>
                    818: \&  # sasl_secprops none
                    819: \&  # krb5_ccname /etc/.ldapcache
                    820: .Ve
                    821: .SS "Sudo schema for OpenLDAP"
                    822: .IX Subsection "Sudo schema for OpenLDAP"
                    823: The following schema, in OpenLDAP format, is included with \fBsudo\fR
                    824: source and binary distributions as \fIschema.OpenLDAP\fR.  Simply copy
                    825: it to the schema directory (e.g. \fI/etc/openldap/schema\fR), add the
                    826: proper \f(CW\*(C`include\*(C'\fR line in \f(CW\*(C`slapd.conf\*(C'\fR and restart \fBslapd\fR.
                    827: .PP
                    828: .Vb 6
                    829: \& attributetype ( 1.3.6.1.4.1.15953.9.1.1
                    830: \&    NAME \*(AqsudoUser\*(Aq
                    831: \&    DESC \*(AqUser(s) who may  run sudo\*(Aq
                    832: \&    EQUALITY caseExactIA5Match
                    833: \&    SUBSTR caseExactIA5SubstringsMatch
                    834: \&    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
                    835: \&
                    836: \& attributetype ( 1.3.6.1.4.1.15953.9.1.2
                    837: \&    NAME \*(AqsudoHost\*(Aq
                    838: \&    DESC \*(AqHost(s) who may run sudo\*(Aq
                    839: \&    EQUALITY caseExactIA5Match
                    840: \&    SUBSTR caseExactIA5SubstringsMatch
                    841: \&    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
                    842: \&
                    843: \& attributetype ( 1.3.6.1.4.1.15953.9.1.3
                    844: \&    NAME \*(AqsudoCommand\*(Aq
                    845: \&    DESC \*(AqCommand(s) to be executed by sudo\*(Aq
                    846: \&    EQUALITY caseExactIA5Match
                    847: \&    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
                    848: \&
                    849: \& attributetype ( 1.3.6.1.4.1.15953.9.1.4
                    850: \&    NAME \*(AqsudoRunAs\*(Aq
                    851: \&    DESC \*(AqUser(s) impersonated by sudo\*(Aq
                    852: \&    EQUALITY caseExactIA5Match
                    853: \&    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
                    854: \&
                    855: \& attributetype ( 1.3.6.1.4.1.15953.9.1.5
                    856: \&    NAME \*(AqsudoOption\*(Aq
                    857: \&    DESC \*(AqOptions(s) followed by sudo\*(Aq
                    858: \&    EQUALITY caseExactIA5Match
                    859: \&    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
                    860: \&
                    861: \& attributetype ( 1.3.6.1.4.1.15953.9.1.6
                    862: \&    NAME \*(AqsudoRunAsUser\*(Aq
                    863: \&    DESC \*(AqUser(s) impersonated by sudo\*(Aq
                    864: \&    EQUALITY caseExactIA5Match
                    865: \&    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
                    866: \&
                    867: \& attributetype ( 1.3.6.1.4.1.15953.9.1.7
                    868: \&    NAME \*(AqsudoRunAsGroup\*(Aq
                    869: \&    DESC \*(AqGroup(s) impersonated by sudo\*(Aq
                    870: \&    EQUALITY caseExactIA5Match
                    871: \&    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
                    872: \&
                    873: \& attributetype ( 1.3.6.1.4.1.15953.9.1.8
                    874: \&    NAME \*(AqsudoNotBefore\*(Aq
                    875: \&    DESC \*(AqStart of time interval for which the entry is valid\*(Aq
                    876: \&    EQUALITY generalizedTimeMatch
                    877: \&    ORDERING generalizedTimeOrderingMatch
                    878: \&    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
                    879: \&
                    880: \& attributetype ( 1.3.6.1.4.1.15953.9.1.9
                    881: \&    NAME \*(AqsudoNotAfter\*(Aq
                    882: \&    DESC \*(AqEnd of time interval for which the entry is valid\*(Aq
                    883: \&    EQUALITY generalizedTimeMatch
                    884: \&    ORDERING generalizedTimeOrderingMatch
                    885: \&    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
                    886: \&
                    887: \& attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
                    888: \&     NAME \*(AqsudoOrder\*(Aq
                    889: \&     DESC \*(Aqan integer to order the sudoRole entries\*(Aq
                    890: \&     EQUALITY integerMatch
                    891: \&     ORDERING integerOrderingMatch
                    892: \&     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
                    893: \&
                    894: \& objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME \*(AqsudoRole\*(Aq SUP top STRUCTURAL
                    895: \&    DESC \*(AqSudoer Entries\*(Aq
                    896: \&    MUST ( cn )
                    897: \&    MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
                    898: \&          sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
                    899: \&          sudoOrder $ description )
                    900: \&    )
                    901: .Ve
                    902: .SH "SEE ALSO"
                    903: .IX Header "SEE ALSO"
                    904: \&\fIldap.conf\fR\|(@mansectform@), \fIsudoers\fR\|(@mansectform@)
                    905: .SH "CAVEATS"
                    906: .IX Header "CAVEATS"
                    907: Note that there are differences in the way that LDAP-based \fIsudoers\fR
                    908: is parsed compared to file-based \fIsudoers\fR.  See the \*(L"Differences
                    909: between \s-1LDAP\s0 and non-LDAP sudoers\*(R" section for more information.
                    910: .SH "BUGS"
                    911: .IX Header "BUGS"
                    912: If you feel you have found a bug in \fBsudo\fR, please submit a bug report
                    913: at http://www.sudo.ws/sudo/bugs/
                    914: .SH "SUPPORT"
                    915: .IX Header "SUPPORT"
                    916: Limited free support is available via the sudo-users mailing list,
                    917: see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
                    918: search the archives.
                    919: .SH "DISCLAIMER"
                    920: .IX Header "DISCLAIMER"
                    921: \&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
                    922: including, but not limited to, the implied warranties of merchantability
                    923: and fitness for a particular purpose are disclaimed.  See the \s-1LICENSE\s0
                    924: file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
                    925: for complete details.
