Annotation of embedaddon/sudo/doc/sudoers.ldap.man.in, revision 1.1.1.2
1.1 misho 1: .\" Copyright (c) 2003-2011
2: .\" Todd C. Miller <Todd.Miller@courtesan.com>
3: .\"
4: .\" Permission to use, copy, modify, and distribute this software for any
5: .\" purpose with or without fee is hereby granted, provided that the above
6: .\" copyright notice and this permission notice appear in all copies.
7: .\"
8: .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9: .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10: .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11: .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12: .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13: .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14: .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15: .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
16: .\"
17: .\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14)
18: .\"
19: .\" Standard preamble:
20: .\" ========================================================================
21: .de Sp \" Vertical space (when we can't use .PP)
22: .if t .sp .5v
23: .if n .sp
24: ..
25: .de Vb \" Begin verbatim text
26: .ft CW
27: .nf
28: .ne \\$1
29: ..
30: .de Ve \" End verbatim text
31: .ft R
32: .fi
33: ..
34: .\" Set up some character translations and predefined strings. \*(-- will
35: .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
36: .\" double quote, and \*(R" will give a right double quote. \*(C+ will
37: .\" give a nicer C++. Capital omega is used to do unbreakable dashes and
38: .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
39: .\" nothing in troff, for use with C<>.
40: .tr \(*W-
41: .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
42: .ie n \{\
43: . ds -- \(*W-
44: . ds PI pi
45: . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
46: . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
47: . ds L" ""
48: . ds R" ""
49: . ds C`
50: . ds C'
51: 'br\}
52: .el\{\
53: . ds -- \|\(em\|
54: . ds PI \(*p
55: . ds L" ``
56: . ds R" ''
57: 'br\}
58: .\"
59: .\" Escape single quotes in literal strings from groff's Unicode transform.
60: .ie \n(.g .ds Aq \(aq
61: .el .ds Aq '
62: .\"
63: .\" If the F register is turned on, we'll generate index entries on stderr for
64: .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
65: .\" entries marked with X<> in POD. Of course, you'll have to process the
66: .\" output yourself in some meaningful fashion.
67: .ie \nF \{\
68: . de IX
69: . tm Index:\\$1\t\\n%\t"\\$2"
70: ..
71: . nr % 0
72: . rr F
73: .\}
74: .el \{\
75: . de IX
76: ..
77: .\}
78: .\"
79: .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
80: .\" Fear. Run. Save yourself. No user-serviceable parts.
81: . \" fudge factors for nroff and troff
82: .if n \{\
83: . ds #H 0
84: . ds #V .8m
85: . ds #F .3m
86: . ds #[ \f1
87: . ds #] \fP
88: .\}
89: .if t \{\
90: . ds #H ((1u-(\\\\n(.fu%2u))*.13m)
91: . ds #V .6m
92: . ds #F 0
93: . ds #[ \&
94: . ds #] \&
95: .\}
96: . \" simple accents for nroff and troff
97: .if n \{\
98: . ds ' \&
99: . ds ` \&
100: . ds ^ \&
101: . ds , \&
102: . ds ~ ~
103: . ds /
104: .\}
105: .if t \{\
106: . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
107: . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
108: . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
109: . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
110: . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
111: . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
112: .\}
113: . \" troff and (daisy-wheel) nroff accents
114: .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
115: .ds 8 \h'\*(#H'\(*b\h'-\*(#H'
116: .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
117: .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
118: .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
119: .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
120: .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
121: .ds ae a\h'-(\w'a'u*4/10)'e
122: .ds Ae A\h'-(\w'A'u*4/10)'E
123: . \" corrections for vroff
124: .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
125: .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
126: . \" for low resolution devices (crt and lpr)
127: .if \n(.H>23 .if \n(.V>19 \
128: \{\
129: . ds : e
130: . ds 8 ss
131: . ds o a
132: . ds d- d\h'-1'\(ga
133: . ds D- D\h'-1'\(hy
134: . ds th \o'bp'
135: . ds Th \o'LP'
136: . ds ae ae
137: . ds Ae AE
138: .\}
139: .rm #[ #] #H #V #F C
140: .\" ========================================================================
141: .\"
142: .IX Title "SUDOERS.LDAP @mansectform@"
1.1.1.2 ! misho 143: .TH SUDOERS.LDAP @mansectform@ "March 14, 2012" "1.8.5" "MAINTENANCE COMMANDS"
1.1 misho 144: .\" For nroff, turn off justification. Always turn off hyphenation; it makes
145: .\" way too many mistakes in technical documents.
146: .if n .ad l
147: .nh
148: .SH "NAME"
149: sudoers.ldap \- sudo LDAP configuration
150: .SH "DESCRIPTION"
151: .IX Header "DESCRIPTION"
152: In addition to the standard \fIsudoers\fR file, \fBsudo\fR may be configured
153: via \s-1LDAP\s0. This can be especially useful for synchronizing \fIsudoers\fR
154: in a large, distributed environment.
155: .PP
156: Using \s-1LDAP\s0 for \fIsudoers\fR has several benefits:
157: .IP "\(bu" 4
158: \&\fBsudo\fR no longer needs to read \fIsudoers\fR in its entirety. When
159: \&\s-1LDAP\s0 is used, there are only two or three \s-1LDAP\s0 queries per invocation.
160: This makes it especially fast and particularly usable in \s-1LDAP\s0
161: environments.
162: .IP "\(bu" 4
163: \&\fBsudo\fR no longer exits if there is a typo in \fIsudoers\fR.
164: It is not possible to load \s-1LDAP\s0 data into the server that does
165: not conform to the sudoers schema, so proper syntax is guaranteed.
166: It is still possible to have typos in a user or host name, but
167: this will not prevent \fBsudo\fR from running.
168: .IP "\(bu" 4
169: It is possible to specify per-entry options that override the global
170: default options. \fI@sysconfdir@/sudoers\fR only supports default options and
171: limited options associated with user/host/commands/aliases. The
172: syntax is complicated and can be difficult for users to understand.
173: Placing the options directly in the entry is more natural.
174: .IP "\(bu" 4
175: The \fBvisudo\fR program is no longer needed. \fBvisudo\fR provides
176: locking and syntax checking of the \fI@sysconfdir@/sudoers\fR file.
177: Since \s-1LDAP\s0 updates are atomic, locking is no longer necessary.
178: Because syntax is checked when the data is inserted into \s-1LDAP\s0, there
179: is no need for a specialized tool to check syntax.
180: .PP
181: Another major difference between \s-1LDAP\s0 and file-based \fIsudoers\fR
182: is that in \s-1LDAP\s0, \fBsudo\fR\-specific Aliases are not supported.
183: .PP
184: For the most part, there is really no need for \fBsudo\fR\-specific
185: Aliases. Unix groups or user netgroups can be used in place of
186: User_Aliases and Runas_Aliases. Host netgroups can be used in place
187: of Host_Aliases. Since Unix groups and netgroups can also be stored
188: in \s-1LDAP\s0 there is no real need for \fBsudo\fR\-specific aliases.
189: .PP
190: Cmnd_Aliases are not really required either since it is possible
191: to have multiple users listed in a \f(CW\*(C`sudoRole\*(C'\fR. Instead of defining
192: a Cmnd_Alias that is referenced by multiple users, one can create
193: a \f(CW\*(C`sudoRole\*(C'\fR that contains the commands and assign multiple users
194: to it.
195: .SS "SUDOers \s-1LDAP\s0 container"
196: .IX Subsection "SUDOers LDAP container"
197: The \fIsudoers\fR configuration is contained in the \f(CW\*(C`ou=SUDOers\*(C'\fR \s-1LDAP\s0
198: container.
199: .PP
200: Sudo first looks for the \f(CW\*(C`cn=defaults\*(C'\fR entry in the SUDOers container.
201: If found, the multi-valued \f(CW\*(C`sudoOption\*(C'\fR attribute is parsed in the
202: same manner as a global \f(CW\*(C`Defaults\*(C'\fR line in \fI@sysconfdir@/sudoers\fR. In
203: the following example, the \f(CW\*(C`SSH_AUTH_SOCK\*(C'\fR variable will be preserved
204: in the environment for all users.
205: .PP
206: .Vb 6
207: \& dn: cn=defaults,ou=SUDOers,dc=example,dc=com
208: \& objectClass: top
209: \& objectClass: sudoRole
210: \& cn: defaults
211: \& description: Default sudoOption\*(Aqs go here
212: \& sudoOption: env_keep+=SSH_AUTH_SOCK
213: .Ve
214: .PP
215: The equivalent of a sudoer in \s-1LDAP\s0 is a \f(CW\*(C`sudoRole\*(C'\fR. It consists of
216: the following attributes:
217: .IP "\fBsudoUser\fR" 4
218: .IX Item "sudoUser"
1.1.1.2 ! misho 219: A user name, user \s-1ID\s0 (prefixed with \f(CW\*(Aq#\*(Aq\fR), Unix group (prefixed with
! 220: \&\f(CW\*(Aq%\*(Aq\fR), Unix group \s-1ID\s0 (prefixed with \f(CW\*(Aq%#\*(Aq\fR), or user netgroup
! 221: (prefixed with \f(CW\*(Aq+\*(Aq\fR).
1.1 misho 222: .IP "\fBsudoHost\fR" 4
223: .IX Item "sudoHost"
224: A host name, \s-1IP\s0 address, \s-1IP\s0 network, or host netgroup (prefixed
225: with a \f(CW\*(Aq+\*(Aq\fR).
226: The special value \f(CW\*(C`ALL\*(C'\fR will match any host.
227: .IP "\fBsudoCommand\fR" 4
228: .IX Item "sudoCommand"
229: A Unix command with optional command line arguments, potentially
230: including globbing characters (aka wild cards).
231: The special value \f(CW\*(C`ALL\*(C'\fR will match any command.
232: If a command is prefixed with an exclamation point \f(CW\*(Aq!\*(Aq\fR, the
233: user will be prohibited from running that command.
234: .IP "\fBsudoOption\fR" 4
235: .IX Item "sudoOption"
236: Identical in function to the global options described above, but
237: specific to the \f(CW\*(C`sudoRole\*(C'\fR in which it resides.
238: .IP "\fBsudoRunAsUser\fR" 4
239: .IX Item "sudoRunAsUser"
240: A user name or uid (prefixed with \f(CW\*(Aq#\*(Aq\fR) that commands may be run
241: as or a Unix group (prefixed with a \f(CW\*(Aq%\*(Aq\fR) or user netgroup (prefixed
242: with a \f(CW\*(Aq+\*(Aq\fR) that contains a list of users that commands may be
243: run as.
244: The special value \f(CW\*(C`ALL\*(C'\fR will match any user.
245: .Sp
246: The \f(CW\*(C`sudoRunAsUser\*(C'\fR attribute is only available in \fBsudo\fR versions
247: 1.7.0 and higher. Older versions of \fBsudo\fR use the \f(CW\*(C`sudoRunAs\*(C'\fR
248: attribute instead.
249: .IP "\fBsudoRunAsGroup\fR" 4
250: .IX Item "sudoRunAsGroup"
251: A Unix group or gid (prefixed with \f(CW\*(Aq#\*(Aq\fR) that commands may be run as.
252: The special value \f(CW\*(C`ALL\*(C'\fR will match any group.
253: .Sp
254: The \f(CW\*(C`sudoRunAsGroup\*(C'\fR attribute is only available in \fBsudo\fR versions
255: 1.7.0 and higher.
256: .IP "\fBsudoNotBefore\fR" 4
257: .IX Item "sudoNotBefore"
258: A timestamp in the form \f(CW\*(C`yyyymmddHHMMSSZ\*(C'\fR that can be used to provide
259: a start date/time for when the \f(CW\*(C`sudoRole\*(C'\fR will be valid. If
260: multiple \f(CW\*(C`sudoNotBefore\*(C'\fR entries are present, the earliest is used.
261: Note that timestamps must be in Coordinated Universal Time (\s-1UTC\s0),
262: not the local timezone. The minute and seconds portions are optional,
263: but some \s-1LDAP\s0 servers require that they be present (contrary to the \s-1RFC\s0).
264: .Sp
265: The \f(CW\*(C`sudoNotBefore\*(C'\fR attribute is only available in \fBsudo\fR versions
266: 1.7.5 and higher and must be explicitly enabled via the \fB\s-1SUDOERS_TIMED\s0\fR
267: option in \fI@ldap_conf@\fR.
268: .IP "\fBsudoNotAfter\fR" 4
269: .IX Item "sudoNotAfter"
270: A timestamp in the form \f(CW\*(C`yyyymmddHHMMSSZ\*(C'\fR that indicates an expiration
271: date/time, after which the \f(CW\*(C`sudoRole\*(C'\fR will no longer be valid. If
272: multiple \f(CW\*(C`sudoNotAfter\*(C'\fR entries are present, the last one is used.
273: Note that timestamps must be in Coordinated Universal Time (\s-1UTC\s0),
274: not the local timezone. The minute and seconds portions are optional,
275: but some \s-1LDAP\s0 servers require that they be present (contrary to the \s-1RFC\s0).
276: .Sp
277: The \f(CW\*(C`sudoNotAfter\*(C'\fR attribute is only available in \fBsudo\fR versions
278: 1.7.5 and higher and must be explicitly enabled via the \fB\s-1SUDOERS_TIMED\s0\fR
279: option in \fI@ldap_conf@\fR.
280: .IP "\fBsudoOrder\fR" 4
281: .IX Item "sudoOrder"
282: The \f(CW\*(C`sudoRole\*(C'\fR entries retrieved from the \s-1LDAP\s0 directory have no
283: inherent order. The \f(CW\*(C`sudoOrder\*(C'\fR attribute is an integer (or
284: floating point value for \s-1LDAP\s0 servers that support it) that is used
285: to sort the matching entries. This allows LDAP-based sudoers entries
286: to more closely mimic the behaviour of the sudoers file, where the
287: order of the entries influences the result. If multiple entries match,
288: the entry with the highest \f(CW\*(C`sudoOrder\*(C'\fR attribute is chosen. This
289: corresponds to the \*(L"last match\*(R" behavior of the sudoers file. If
290: the \f(CW\*(C`sudoOrder\*(C'\fR attribute is not present, a value of 0 is assumed.
291: .Sp
292: The \f(CW\*(C`sudoOrder\*(C'\fR attribute is only available in \fBsudo\fR versions
293: 1.7.5 and higher.
294: .PP
295: Each attribute listed above should contain a single value, but there
296: may be multiple instances of each attribute type. A \f(CW\*(C`sudoRole\*(C'\fR must
297: contain at least one \f(CW\*(C`sudoUser\*(C'\fR, \f(CW\*(C`sudoHost\*(C'\fR and \f(CW\*(C`sudoCommand\*(C'\fR.
298: .PP
299: The following example allows users in group wheel to run any command
300: on any host via \fBsudo\fR:
301: .PP
302: .Vb 7
303: \& dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
304: \& objectClass: top
305: \& objectClass: sudoRole
306: \& cn: %wheel
307: \& sudoUser: %wheel
308: \& sudoHost: ALL
309: \& sudoCommand: ALL
310: .Ve
311: .SS "Anatomy of \s-1LDAP\s0 sudoers lookup"
312: .IX Subsection "Anatomy of LDAP sudoers lookup"
313: When looking up a sudoer using \s-1LDAP\s0 there are only two or three
314: \&\s-1LDAP\s0 queries per invocation. The first query is to parse the global
315: options. The second is to match against the user's name and the
316: groups that the user belongs to. (The special \s-1ALL\s0 tag is matched
317: in this query too.) If no match is returned for the user's name
318: and groups, a third query returns all entries containing user
319: netgroups and checks to see if the user belongs to any of them.
320: .PP
321: If timed entries are enabled with the \fB\s-1SUDOERS_TIMED\s0\fR configuration
322: directive, the \s-1LDAP\s0 queries include a subfilter that limits retrieval
323: to entries that satisfy the time constraints, if any.
324: .SS "Differences between \s-1LDAP\s0 and non-LDAP sudoers"
325: .IX Subsection "Differences between LDAP and non-LDAP sudoers"
326: There are some subtle differences in the way sudoers is handled
327: once in \s-1LDAP\s0. Probably the biggest is that according to the \s-1RFC\s0,
328: \&\s-1LDAP\s0 ordering is arbitrary and you cannot expect that Attributes
329: and Entries are returned in any specific order.
330: .PP
331: The order in which different entries are applied can be controlled
332: using the \f(CW\*(C`sudoOrder\*(C'\fR attribute, but there is no way to guarantee
333: the order of attributes within a specific entry. If there are
334: conflicting command rules in an entry, the negative takes precedence.
335: This is called paranoid behavior (not necessarily the most specific
336: match).
337: .PP
338: Here is an example:
339: .PP
340: .Vb 5
341: \& # /etc/sudoers:
342: \& # Allow all commands except shell
343: \& johnny ALL=(root) ALL,!/bin/sh
344: \& # Always allows all commands because ALL is matched last
345: \& puddles ALL=(root) !/bin/sh,ALL
346: \&
347: \& # LDAP equivalent of johnny
348: \& # Allows all commands except shell
349: \& dn: cn=role1,ou=Sudoers,dc=my\-domain,dc=com
350: \& objectClass: sudoRole
351: \& objectClass: top
352: \& cn: role1
353: \& sudoUser: johnny
354: \& sudoHost: ALL
355: \& sudoCommand: ALL
356: \& sudoCommand: !/bin/sh
357: \&
358: \& # LDAP equivalent of puddles
359: \& # Notice that even though ALL comes last, it still behaves like
360: \& # role1 since the LDAP code assumes the more paranoid configuration
361: \& dn: cn=role2,ou=Sudoers,dc=my\-domain,dc=com
362: \& objectClass: sudoRole
363: \& objectClass: top
364: \& cn: role2
365: \& sudoUser: puddles
366: \& sudoHost: ALL
367: \& sudoCommand: !/bin/sh
368: \& sudoCommand: ALL
369: .Ve
370: .PP
371: Another difference is that negations on the Host, User or Runas are
372: currently ignored. For example, the following attributes do not
373: behave the way one might expect.
374: .PP
375: .Vb 3
376: \& # does not match all but joe
377: \& # rather, does not match anyone
378: \& sudoUser: !joe
379: \&
380: \& # does not match all but joe
381: \& # rather, matches everyone including Joe
382: \& sudoUser: ALL
383: \& sudoUser: !joe
384: \&
385: \& # does not match all but web01
386: \& # rather, matches all hosts including web01
387: \& sudoHost: ALL
388: \& sudoHost: !web01
389: .Ve
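The lookup sequence, the paranoid command rule and the ignored negations described in this and the preceding subsections, worked through as an added Python model. This is illustrative code written for this page, not code from sudo or from this manual: the cn=defaults entry and the role2 (puddles) entry mirror the examples above, while the wheel, wheel-noshell and notjoe entries, the exact filter string, the UID handling and the lookup function are assumptions that encode the documented behaviour rather than sudo's implementation.

```python
"""Model of sudo's LDAP sudoers lookup as this page describes it.  Illustrative code
written for this page, not sudo's own: attribute names and the puddles entry come from
the text; the other entries, the filter shape and the matching logic are assumptions."""
from datetime import datetime, timezone

# Constructed data: role2 is the page's puddles example; the wheel entries add
# sudoOrder and sudoNotAfter; notjoe shows that '!joe' is not a negation.
SAMPLE_LDIF = """\
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
sudoOption: env_keep+=SSH_AUTH_SOCK
dn: cn=role2,ou=SUDOers,dc=example,dc=com
sudoUser: puddles
sudoHost: ALL
sudoCommand: !/bin/sh
sudoCommand: ALL
dn: cn=wheel,ou=SUDOers,dc=example,dc=com
sudoUser: %wheel
sudoHost: ALL
sudoCommand: ALL
sudoOrder: 1
dn: cn=wheel-noshell,ou=SUDOers,dc=example,dc=com
sudoUser: %wheel
sudoHost: ALL
sudoCommand: !/bin/sh
sudoOrder: 10
sudoNotAfter: 2012123123Z
dn: cn=notjoe,ou=SUDOers,dc=example,dc=com
sudoUser: !joe
sudoHost: ALL
sudoCommand: ALL
"""
NOW = datetime(2012, 3, 14, tzinfo=timezone.utc)    # inside wheel-noshell's window
LATER = datetime(2013, 1, 1, tzinfo=timezone.utc)   # after its sudoNotAfter

def parse_ldif(text):
    """Minimal LDIF reader: a dn: line starts an entry; attributes are multi-valued."""
    entries = []
    for line in filter(str.strip, text.splitlines()):
        attr, _, value = line.partition(":")
        if attr == "dn":
            entries.append({})
        entries[-1].setdefault(attr, []).append(value.strip())
    return entries

def escape_filter_value(value):
    """RFC 4515 escaping so a login name cannot widen the search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)

def user_filter(user, groups, now=None):
    """Second query of 'Anatomy of LDAP sudoers lookup': name, each %group and ALL OR-ed
    together, plus the SUDOERS_TIMED subfilter when now is given (shape assumed)."""
    terms = [f"(sudoUser={escape_filter_value(user)})"]
    terms += [f"(sudoUser=%{escape_filter_value(g)})" for g in groups]
    f = "(|" + "".join(terms) + "(sudoUser=ALL))"
    if now is not None:
        ts = now.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")
        f = (f"(&{f}(|(!(sudoNotAfter=*))(sudoNotAfter>={ts}))"
             f"(|(!(sudoNotBefore=*))(sudoNotBefore<={ts})))")
    return f

def parse_gtime(ts):
    """yyyymmddHHMMSSZ in UTC; trailing minutes and seconds may be omitted."""
    body = ts.rstrip("Z").ljust(14, "0")
    return datetime.strptime(body, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def in_window(entry, now):
    before = [parse_gtime(t) for t in entry.get("sudoNotBefore", [])]
    after = [parse_gtime(t) for t in entry.get("sudoNotAfter", [])]
    # the earliest sudoNotBefore and the latest sudoNotAfter bound the validity window
    return (not before or now >= min(before)) and (not after or now <= max(after))

def user_matches(entry, user, uid, groups):
    """'!joe' is compared literally and so matches nobody, as the text warns; netgroups omitted."""
    return any(v in ("ALL", user, f"#{uid}") or (v[:1] == "%" and v[1:] in groups)
               for v in entry.get("sudoUser", []))

def command_decision(entry, cmd):
    """Paranoid rule: a matching negated command denies regardless of attribute order."""
    cmds = entry.get("sudoCommand", [])
    if any(v in ("!ALL", "!" + cmd) for v in cmds):
        return False
    return True if any(v in ("ALL", cmd) for v in cmds) else None   # None: no opinion

def lookup(entries, user, uid, groups, host, cmd, now):
    """(global sudoOptions, allowed); highest sudoOrder decides, like last-match in sudoers."""
    defaults = [e for e in entries if e["dn"][0].startswith("cn=defaults,")]
    options = defaults[0].get("sudoOption", []) if defaults else []
    roles = [e for e in entries if e not in defaults
             and user_matches(e, user, uid, groups)
             and any(h in ("ALL", host) for h in e.get("sudoHost", []))
             and in_window(e, now)]
    for e in sorted(roles, key=lambda e: float(e.get("sudoOrder", ["0"])[0]), reverse=True):
        decision = command_decision(e, cmd)
        if decision is not None:
            return options, decision
    return options, False

if __name__ == "__main__":
    print(lookup(parse_ldif(SAMPLE_LDIF), "alice", 1000, ["wheel"], "web01", "/bin/sh", NOW))
```

Run as a script, the block prints the decision for a wheel member asking for /bin/sh on 2012-03-14: denied, because the entry with the higher sudoOrder carries the negated command and the paranoid rule makes attribute order irrelevant. Calling lookup with LATER instead of NOW shows the same request allowed once that entry's sudoNotAfter has passed, which is why timed entries deserve the same review as any other grant. The puddles entry denies /bin/sh even though ALL is listed last, and the notjoe entry grants nothing to anyone.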
390: .SS "Sudoers Schema"
391: .IX Subsection "Sudoers Schema"
392: In order to use \fBsudo\fR's \s-1LDAP\s0 support, the \fBsudo\fR schema must be
393: installed on your \s-1LDAP\s0 server. In addition, be sure to index the
394: \&'sudoUser' attribute.
395: .PP
396: Three versions of the schema: one for OpenLDAP servers (\fIschema.OpenLDAP\fR),
397: one for Netscape-derived servers (\fIschema.iPlanet\fR), and one for
398: Microsoft Active Directory (\fIschema.ActiveDirectory\fR) may
399: be found in the \fBsudo\fR distribution.
400: .PP
401: The schema for \fBsudo\fR in OpenLDAP form is included in the \s-1EXAMPLES\s0
402: section.
403: .SS "Configuring ldap.conf"
404: .IX Subsection "Configuring ldap.conf"
405: Sudo reads the \fI@ldap_conf@\fR file for LDAP-specific configuration.
406: Typically, this file is shared amongst different LDAP-aware clients.
407: As such, most of the settings are not \fBsudo\fR\-specific. Note that
408: \&\fBsudo\fR parses \fI@ldap_conf@\fR itself and may support options
409: that differ from those described in the \fIldap.conf\fR\|(@mansectform@) manual.
410: .PP
411: Also note that on systems using the OpenLDAP libraries, default
412: values specified in \fI/etc/openldap/ldap.conf\fR or the user's
413: \&\fI.ldaprc\fR files are not used.
414: .PP
415: Only those options explicitly listed in \fI@ldap_conf@\fR as being
416: supported by \fBsudo\fR are honored. Configuration options are listed
417: below in upper case but are parsed in a case-independent manner.
418: .IP "\fB\s-1URI\s0\fR ldap[s]://[hostname[:port]] ..." 4
419: .IX Item "URI ldap[s]://[hostname[:port]] ..."
420: Specifies a whitespace-delimited list of one or more URIs describing
421: the \s-1LDAP\s0 server(s) to connect to. The \fIprotocol\fR may be either
422: \&\fBldap\fR or \fBldaps\fR, the latter being for servers that support \s-1TLS\s0
423: (\s-1SSL\s0) encryption. If no \fIport\fR is specified, the default is port
424: 389 for \f(CW\*(C`ldap://\*(C'\fR or port 636 for \f(CW\*(C`ldaps://\*(C'\fR. If no \fIhostname\fR
425: is specified, \fBsudo\fR will connect to \fBlocalhost\fR. Multiple \fB\s-1URI\s0\fR
426: lines are treated identically to a \fB\s-1URI\s0\fR line containing multiple
427: entries. Only systems using the OpenSSL libraries support the
428: mixing of \f(CW\*(C`ldap://\*(C'\fR and \f(CW\*(C`ldaps://\*(C'\fR URIs. The Netscape-derived
429: libraries used on most commercial versions of Unix are only capable
430: of supporting one or the other.
431: .IP "\fB\s-1HOST\s0\fR name[:port] ..." 4
432: .IX Item "HOST name[:port] ..."
433: If no \fB\s-1URI\s0\fR is specified, the \fB\s-1HOST\s0\fR parameter specifies a
434: whitespace-delimited list of \s-1LDAP\s0 servers to connect to. Each host
435: may include an optional \fIport\fR separated by a colon (':'). The
436: \&\fB\s-1HOST\s0\fR parameter is deprecated in favor of the \fB\s-1URI\s0\fR specification
437: and is included for backwards compatibility.
438: .IP "\fB\s-1PORT\s0\fR port_number" 4
439: .IX Item "PORT port_number"
440: If no \fB\s-1URI\s0\fR is specified, the \fB\s-1PORT\s0\fR parameter specifies the
441: default port to connect to on the \s-1LDAP\s0 server if a \fB\s-1HOST\s0\fR parameter
442: does not specify the port itself. If no \fB\s-1PORT\s0\fR parameter is used,
443: the default is port 389 for \s-1LDAP\s0 and port 636 for \s-1LDAP\s0 over \s-1TLS\s0
444: (\s-1SSL\s0). The \fB\s-1PORT\s0\fR parameter is deprecated in favor of the \fB\s-1URI\s0\fR
445: specification and is included for backwards compatibility.
446: .IP "\fB\s-1BIND_TIMELIMIT\s0\fR seconds" 4
447: .IX Item "BIND_TIMELIMIT seconds"
448: The \fB\s-1BIND_TIMELIMIT\s0\fR parameter specifies the amount of time, in seconds,
449: to wait while trying to connect to an \s-1LDAP\s0 server. If multiple \fB\s-1URI\s0\fRs or
450: \&\fB\s-1HOST\s0\fRs are specified, this is the amount of time to wait before trying
451: the next one in the list.
452: .IP "\fB\s-1NETWORK_TIMEOUT\s0\fR seconds" 4
453: .IX Item "NETWORK_TIMEOUT seconds"
454: An alias for \fB\s-1BIND_TIMELIMIT\s0\fR for OpenLDAP compatibility.
455: .IP "\fB\s-1TIMELIMIT\s0\fR seconds" 4
456: .IX Item "TIMELIMIT seconds"
457: The \fB\s-1TIMELIMIT\s0\fR parameter specifies the amount of time, in seconds,
458: to wait for a response to an \s-1LDAP\s0 query.
459: .IP "\fB\s-1TIMEOUT\s0\fR seconds" 4
460: .IX Item "TIMEOUT seconds"
461: The \fB\s-1TIMEOUT\s0\fR parameter specifies the amount of time, in seconds,
462: to wait for a response from the various \s-1LDAP\s0 APIs.
463: .IP "\fB\s-1SUDOERS_BASE\s0\fR base" 4
464: .IX Item "SUDOERS_BASE base"
465: The base \s-1DN\s0 to use when performing \fBsudo\fR \s-1LDAP\s0 queries. Typically
466: this is of the form \f(CW\*(C`ou=SUDOers,dc=example,dc=com\*(C'\fR for the domain
467: \&\f(CW\*(C`example.com\*(C'\fR. Multiple \fB\s-1SUDOERS_BASE\s0\fR lines may be specified,
468: in which case they are queried in the order specified.
469: .IP "\fB\s-1SUDOERS_SEARCH_FILTER\s0\fR ldap_filter" 4
470: .IX Item "SUDOERS_SEARCH_FILTER ldap_filter"
471: An \s-1LDAP\s0 filter which is used to restrict the set of records returned
472: when performing a \fBsudo\fR \s-1LDAP\s0 query. Typically, this is of the
473: form \f(CW\*(C`attribute=value\*(C'\fR or \f(CW\*(C`(&(attribute=value)(attribute2=value2))\*(C'\fR.
474: .IP "\fB\s-1SUDOERS_TIMED\s0\fR on/true/yes/off/false/no" 4
475: .IX Item "SUDOERS_TIMED on/true/yes/off/false/no"
476: Whether or not to evaluate the \f(CW\*(C`sudoNotBefore\*(C'\fR and \f(CW\*(C`sudoNotAfter\*(C'\fR
477: attributes that implement time-dependent sudoers entries.
478: .IP "\fB\s-1SUDOERS_DEBUG\s0\fR debug_level" 4
479: .IX Item "SUDOERS_DEBUG debug_level"
480: This sets the debug level for \fBsudo\fR \s-1LDAP\s0 queries. Debugging
481: information is printed to the standard error. A value of 1 results
482: in a moderate amount of debugging information. A value of 2 shows
483: the results of the matches themselves. This parameter should not
484: be set in a production environment as the extra information is
485: likely to confuse users.
486: .IP "\fB\s-1BINDDN\s0\fR \s-1DN\s0" 4
487: .IX Item "BINDDN DN"
488: The \fB\s-1BINDDN\s0\fR parameter specifies the identity, in the form of a
489: Distinguished Name (\s-1DN\s0), to use when performing \s-1LDAP\s0 operations.
490: If not specified, \s-1LDAP\s0 operations are performed with an anonymous
491: identity. By default, most \s-1LDAP\s0 servers will allow anonymous access.
492: .IP "\fB\s-1BINDPW\s0\fR secret" 4
493: .IX Item "BINDPW secret"
494: The \fB\s-1BINDPW\s0\fR parameter specifies the password to use when performing
495: \&\s-1LDAP\s0 operations. This is typically used in conjunction with the
496: \&\fB\s-1BINDDN\s0\fR parameter.
497: .IP "\fB\s-1ROOTBINDDN\s0\fR \s-1DN\s0" 4
498: .IX Item "ROOTBINDDN DN"
499: The \fB\s-1ROOTBINDDN\s0\fR parameter specifies the identity, in the form of
500: a Distinguished Name (\s-1DN\s0), to use when performing privileged \s-1LDAP\s0
501: operations, such as \fIsudoers\fR queries. The password corresponding
502: to the identity should be stored in \fI@ldap_secret@\fR.
503: If not specified, the \fB\s-1BINDDN\s0\fR identity is used (if any).
504: .IP "\fB\s-1LDAP_VERSION\s0\fR number" 4
505: .IX Item "LDAP_VERSION number"
506: The version of the \s-1LDAP\s0 protocol to use when connecting to the server.
507: The default value is protocol version 3.
508: .IP "\fB\s-1SSL\s0\fR on/true/yes/off/false/no" 4
509: .IX Item "SSL on/true/yes/off/false/no"
510: If the \fB\s-1SSL\s0\fR parameter is set to \f(CW\*(C`on\*(C'\fR, \f(CW\*(C`true\*(C'\fR or \f(CW\*(C`yes\*(C'\fR, \s-1TLS\s0
511: (\s-1SSL\s0) encryption is always used when communicating with the \s-1LDAP\s0
512: server. Typically, this involves connecting to the server on port
513: 636 (ldaps).
514: .IP "\fB\s-1SSL\s0\fR start_tls" 4
515: .IX Item "SSL start_tls"
516: If the \fB\s-1SSL\s0\fR parameter is set to \f(CW\*(C`start_tls\*(C'\fR, the \s-1LDAP\s0 server
517: connection is initiated normally and \s-1TLS\s0 encryption is begun before
518: the bind credentials are sent. This has the advantage of not
519: requiring a dedicated port for encrypted communications. This
520: parameter is only supported by \s-1LDAP\s0 servers that honor the \f(CW\*(C`start_tls\*(C'\fR
521: extension, such as the OpenLDAP server.
522: .IP "\fB\s-1TLS_CHECKPEER\s0\fR on/true/yes/off/false/no" 4
523: .IX Item "TLS_CHECKPEER on/true/yes/off/false/no"
524: If enabled, \fB\s-1TLS_CHECKPEER\s0\fR will cause the \s-1LDAP\s0 server's \s-1TLS\s0
525: certificate to be verified. If the server's \s-1TLS\s0 certificate cannot
526: be verified (usually because it is signed by an unknown certificate
527: authority), \fBsudo\fR will be unable to connect to it. If \fB\s-1TLS_CHECKPEER\s0\fR
528: is disabled, no check is made. Note that disabling the check creates
529: an opportunity for man-in-the-middle attacks since the server's
530: identity will not be authenticated. If possible, the \s-1CA\s0's certificate
531: should be installed locally so it can be verified.
532: .IP "\fB\s-1TLS_CACERT\s0\fR file name" 4
533: .IX Item "TLS_CACERT file name"
534: An alias for \fB\s-1TLS_CACERTFILE\s0\fR for OpenLDAP compatibility.
535: .IP "\fB\s-1TLS_CACERTFILE\s0\fR file name" 4
536: .IX Item "TLS_CACERTFILE file name"
537: The path to a certificate authority bundle which contains the certificates
538: for all the Certificate Authorities the client knows to be valid,
539: e.g. \fI/etc/ssl/ca\-bundle.pem\fR.
540: This option is only supported by the OpenLDAP libraries.
541: Netscape-derived \s-1LDAP\s0 libraries use the same certificate
542: database for \s-1CA\s0 and client certificates (see \fB\s-1TLS_CERT\s0\fR).
543: .IP "\fB\s-1TLS_CACERTDIR\s0\fR directory" 4
544: .IX Item "TLS_CACERTDIR directory"
545: Similar to \fB\s-1TLS_CACERTFILE\s0\fR but instead of a file, it is a
546: directory containing individual Certificate Authority certificates,
547: e.g. \fI/etc/ssl/certs\fR.
548: The directory specified by \fB\s-1TLS_CACERTDIR\s0\fR is checked after
549: \&\fB\s-1TLS_CACERTFILE\s0\fR.
550: This option is only supported by the OpenLDAP libraries.
551: .IP "\fB\s-1TLS_CERT\s0\fR file name" 4
552: .IX Item "TLS_CERT file name"
553: The path to a file containing the client certificate which can
554: be used to authenticate the client to the \s-1LDAP\s0 server.
555: The certificate type depends on the \s-1LDAP\s0 libraries used.
556: .Sp
557: OpenLDAP:
558: \f(CW\*(C`tls_cert /etc/ssl/client_cert.pem\*(C'\fR
559: .Sp
560: Netscape-derived:
561: \f(CW\*(C`tls_cert /var/ldap/cert7.db\*(C'\fR
562: .Sp
563: When using Netscape-derived libraries, this file may also contain
564: Certificate Authority certificates.
565: .IP "\fB\s-1TLS_KEY\s0\fR file name" 4
566: .IX Item "TLS_KEY file name"
567: The path to a file containing the private key which matches the
568: certificate specified by \fB\s-1TLS_CERT\s0\fR. The private key must not be
569: password-protected. The key type depends on the \s-1LDAP\s0 libraries
570: used.
571: .Sp
572: OpenLDAP:
573: \f(CW\*(C`tls_key /etc/ssl/client_key.pem\*(C'\fR
574: .Sp
575: Netscape-derived:
576: \f(CW\*(C`tls_key /var/ldap/key3.db\*(C'\fR
577: .IP "\fB\s-1TLS_RANDFILE\s0\fR file name" 4
578: .IX Item "TLS_RANDFILE file name"
579: The \fB\s-1TLS_RANDFILE\s0\fR parameter specifies the path to an entropy
580: source for systems that lack a random device. It is generally used
581: in conjunction with \fIprngd\fR or \fIegd\fR.
582: This option is only supported by the OpenLDAP libraries.
583: .IP "\fB\s-1TLS_CIPHERS\s0\fR cipher list" 4
584: .IX Item "TLS_CIPHERS cipher list"
585: The \fB\s-1TLS_CIPHERS\s0\fR parameter allows the administrator to restrict
586: which encryption algorithms may be used for \s-1TLS\s0 (\s-1SSL\s0) connections.
587: See the OpenSSL manual for a list of valid ciphers.
588: This option is only supported by the OpenLDAP libraries.
589: .IP "\fB\s-1USE_SASL\s0\fR on/true/yes/off/false/no" 4
590: .IX Item "USE_SASL on/true/yes/off/false/no"
591: Enable \fB\s-1USE_SASL\s0\fR for \s-1LDAP\s0 servers that support \s-1SASL\s0 authentication.
592: .IP "\fB\s-1SASL_AUTH_ID\s0\fR identity" 4
593: .IX Item "SASL_AUTH_ID identity"
594: The \s-1SASL\s0 user name to use when connecting to the \s-1LDAP\s0 server.
595: By default, \fBsudo\fR will use an anonymous connection.
596: .IP "\fB\s-1ROOTUSE_SASL\s0\fR on/true/yes/off/false/no" 4
597: .IX Item "ROOTUSE_SASL on/true/yes/off/false/no"
598: Enable \fB\s-1ROOTUSE_SASL\s0\fR to use \s-1SASL\s0 authentication when connecting
599: to an \s-1LDAP\s0 server from a privileged process, such as \fBsudo\fR.
600: .IP "\fB\s-1ROOTSASL_AUTH_ID\s0\fR identity" 4
601: .IX Item "ROOTSASL_AUTH_ID identity"
602: The \s-1SASL\s0 user name to use when \fB\s-1ROOTUSE_SASL\s0\fR is enabled.
603: .IP "\fB\s-1SASL_SECPROPS\s0\fR none/properties" 4
604: .IX Item "SASL_SECPROPS none/properties"
605: \&\s-1SASL\s0 security properties or \fInone\fR for no properties. See the
606: \&\s-1SASL\s0 programmer's manual for details.
607: .IP "\fB\s-1KRB5_CCNAME\s0\fR file name" 4
608: .IX Item "KRB5_CCNAME file name"
609: The path to the Kerberos 5 credential cache to use when authenticating
610: with the remote server.
611: .IP "\fB\s-1DEREF\s0\fR never/searching/finding/always" 4
612: .IX Item "DEREF never/searching/finding/always"
613: How alias dereferencing is to be performed when searching. See the
614: \&\fIldap.conf\fR\|(@mansectform@) manual for a full description of this option.
615: .PP
616: See the \f(CW\*(C`ldap.conf\*(C'\fR entry in the \s-1EXAMPLES\s0 section.
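A check over the security-relevant settings listed above, as an added example written for this page and not part of sudo. It parses an @ldap_conf@-style file the way the text describes (keys matched case-insensitively, repeated keys accumulating like multiple URI or SUDOERS_BASE lines) and flags the configurations the text warns about: TLS_CHECKPEER disabled, SUDOERS_DEBUG left on, deprecated HOST/PORT, mixed ldap:// and ldaps:// URIs, and bind credentials sent without TLS. A weak file is placed beside a hardened one. Both files, the finding codes, the last-occurrence-wins rule and leaving an unset TLS_CHECKPEER alone (the page does not state its default) are assumptions.

```python
"""Lint for the sudo-relevant settings in @ldap_conf@.  Added example written for this
page, not part of sudo.  The checks encode the cautions the text gives: TLS_CHECKPEER off
permits man-in-the-middle, SUDOERS_DEBUG is not for production, HOST/PORT are deprecated,
and bind credentials cross the network in clear unless SSL on or SSL start_tls is used.
Both configs are constructed; the page does not state the default for an unset
TLS_CHECKPEER, so only an explicit off value is flagged."""

WEAK_CONF = """\
# shared with every other LDAP client on the host
host ldap1.example.com ldap2.example.com
port 389
sudoers_base ou=SUDOers,dc=example,dc=com
binddn cn=sudo,ou=svc,dc=example,dc=com
bindpw hunter2
tls_checkpeer no
sudoers_debug 2
"""

HARDENED_CONF = """\
uri ldaps://ldap1.example.com ldaps://ldap2.example.com
ssl on
tls_checkpeer yes
tls_cacertfile /etc/ssl/ca-bundle.pem
sudoers_base ou=SUDOers,dc=example,dc=com
sudoers_search_filter (objectClass=sudoRole)
# the password for this DN lives in @ldap_secret@, readable by root only
rootbinddn cn=sudo,ou=svc,dc=example,dc=com
"""

TRUE = {"on", "true", "yes"}

def parse_ldap_conf(text):
    """Keys are case-insensitive, as the page says; repeated keys accumulate the way
    multiple URI or SUDOERS_BASE lines do.  Returns {KEY: [value, ...]}."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].upper(), []).append(parts[1] if len(parts) > 1 else "")
    return conf

def last(conf, key, default=""):
    """Value of the last occurrence of key, lower-cased (last-wins is an assumption)."""
    return (conf.get(key) or [default])[-1].lower()

def uses_tls(conf):
    """SSL on (ldaps), SSL start_tls, or only ldaps:// URIs: every connection is protected."""
    uris = " ".join(conf.get("URI", [])).split()
    return last(conf, "SSL") in TRUE | {"start_tls"} or (
        bool(uris) and all(u.startswith("ldaps://") for u in uris))

def lint(conf):
    """Return (code, message) findings for a parsed @ldap_conf@."""
    findings = []
    uris = " ".join(conf.get("URI", [])).split()
    checkpeer = last(conf, "TLS_CHECKPEER")
    if "HOST" in conf or "PORT" in conf:
        findings.append(("deprecated-host-port",
                         "HOST/PORT are deprecated; use URI ldap[s]://host[:port]"))
    if any(u.startswith("ldap://") for u in uris) and any(u.startswith("ldaps://") for u in uris):
        findings.append(("mixed-uri-schemes",
                         "ldap:// and ldaps:// mixed; only OpenSSL-based libraries support that"))
    if not uses_tls(conf):
        findings.append(("no-tls", "sudoers rules and any bind password cross the network "
                         "in clear; set SSL on (ldaps://) or SSL start_tls"))
    if checkpeer and checkpeer not in TRUE:
        findings.append(("checkpeer-off", "server certificate not verified; an on-path "
                         "attacker can impersonate the server and hand sudo forged rules"))
    elif checkpeer in TRUE and not any(
            k in conf for k in ("TLS_CACERTFILE", "TLS_CACERT", "TLS_CACERTDIR", "TLS_CERT")):
        findings.append(("no-ca-configured", "TLS_CHECKPEER on but no CA certificate "
                         "configured; the server certificate cannot be verified"))
    if last(conf, "SUDOERS_DEBUG", "0") != "0":
        findings.append(("debug-enabled", "SUDOERS_DEBUG set; the page says not in production"))
    if "BINDPW" in conf:
        findings.append(("secret-in-shared-file", "BINDPW in a file shared with other LDAP "
                         "clients; prefer ROOTBINDDN with the password in @ldap_secret@"))
    if "SUDOERS_BASE" not in conf:
        findings.append(("no-sudoers-base", "SUDOERS_BASE missing; sudo has nowhere to search"))
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {len(lint(parse_ldap_conf(text)))} finding(s)")
        for code, msg in lint(parse_ldap_conf(text)):
            print(f"  [{code}] {msg}")
```

The weak file yields five findings and the hardened file none. The no-tls check is deliberately stricter than the page's text requires: even an anonymous bind fetches the rules that decide who becomes root, so an unauthenticated, unencrypted channel lets an on-path attacker rewrite them in transit just as surely as a disabled TLS_CHECKPEER does.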
617: .SS "Configuring nsswitch.conf"
618: .IX Subsection "Configuring nsswitch.conf"
619: Unless it is disabled at build time, \fBsudo\fR consults the Name
620: Service Switch file, \fI@nsswitch_conf@\fR, to specify the \fIsudoers\fR
621: search order. Sudo looks for a line beginning with \f(CW\*(C`sudoers:\*(C'\fR and
622: uses this to determine the search order. Note that \fBsudo\fR does
623: not stop searching after the first match and later matches take
624: precedence over earlier ones.
625: .PP
626: The following sources are recognized:
627: .PP
628: .Vb 2
629: \& files read sudoers from @sysconfdir@/sudoers
630: \& ldap read sudoers from LDAP
631: .Ve
632: .PP
633: In addition, the entry \f(CW\*(C`[NOTFOUND=return]\*(C'\fR will short-circuit the
634: search if the user was not found in the preceding source.
635: .PP
636: To consult \s-1LDAP\s0 first followed by the local sudoers file (if it
637: exists), use:
638: .PP
639: .Vb 1
640: \& sudoers: ldap files
641: .Ve
642: .PP
643: The local \fIsudoers\fR file can be ignored completely by using:
644: .PP
645: .Vb 1
646: \& sudoers: ldap
647: .Ve
648: .PP
649: If the \fI@nsswitch_conf@\fR file is not present or there is no
650: sudoers line, the following default is assumed:
651: .PP
652: .Vb 1
653: \& sudoers: files
654: .Ve
655: .PP
656: Note that \fI@nsswitch_conf@\fR is supported even when the underlying
657: operating system does not use an nsswitch.conf file.
658: .SS "Configuring netsvc.conf"
659: .IX Subsection "Configuring netsvc.conf"
660: On \s-1AIX\s0 systems, the \fI@netsvc_conf@\fR file is consulted instead of
661: \&\fI@nsswitch_conf@\fR. \fBsudo\fR simply treats \fInetsvc.conf\fR as a
662: variant of \fInsswitch.conf\fR; information in the previous section
663: unrelated to the file format itself still applies.
664: .PP
665: To consult \s-1LDAP\s0 first followed by the local sudoers file (if it
666: exists), use:
667: .PP
668: .Vb 1
669: \& sudoers = ldap, files
670: .Ve
671: .PP
672: The local \fIsudoers\fR file can be ignored completely by using:
673: .PP
674: .Vb 1
675: \& sudoers = ldap
676: .Ve
677: .PP
678: To treat \s-1LDAP\s0 as authoritative and only use the local sudoers file
679: if the user is not present in \s-1LDAP\s0, use:
680: .PP
681: .Vb 1
682: \& sudoers = ldap = auth, files
683: .Ve
684: .PP
685: Note that in the above example, the \f(CW\*(C`auth\*(C'\fR qualifier only affects
686: user lookups; both \s-1LDAP\s0 and \fIsudoers\fR will be queried for \f(CW\*(C`Defaults\*(C'\fR
687: entries.
688: .PP
689: If the \fI@netsvc_conf@\fR file is not present or there is no
690: sudoers line, the following default is assumed:
691: .PP
692: .Vb 1
693: \& sudoers = files
694: .Ve
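As an added example (not sudo's own code), the following Python models the source walk described in the two sections above: it parses the nsswitch.conf and AIX netsvc.conf forms of the sudoers line and applies the [NOTFOUND=return] and = auth qualifiers. The found_in set is a constructed stand-in for the real per-source lookups.

```python
"""Model the sudoers source walk sudo performs from the 'sudoers' line of
nsswitch.conf or AIX netsvc.conf. Added example for this page, not sudo's own code."""
import re

def source(name, stop_if_found=False, stop_if_notfound=False):
    return {"name": name, "stop_if_found": stop_if_found, "stop_if_notfound": stop_if_notfound}

def parse_nsswitch(text):
    """nsswitch.conf form, e.g. 'sudoers: ldap [NOTFOUND=return] files'. The qualifier
    marks the preceding source: not found there means stop. No sudoers line means files."""
    for line in text.splitlines():
        m = re.match(r"\s*sudoers\s*:\s*(.*)", line)
        if m:
            sources = []
            for tok in m.group(1).split():
                if tok.upper() == "[NOTFOUND=RETURN]":
                    if sources:
                        sources[-1]["stop_if_notfound"] = True
                else:
                    sources.append(source(tok))
            return sources
    return [source("files")]

def parse_netsvc(text):
    """AIX netsvc.conf form, e.g. 'sudoers = ldap = auth, files'. '= auth' makes a
    source authoritative: found there means stop, so files is only used as a fallback."""
    for line in text.splitlines():
        m = re.match(r"\s*sudoers\s*=\s*(.*)", line)
        if m:
            sources = []
            for entry in m.group(1).split(","):
                parts = [p.strip().lower() for p in entry.split("=")]
                sources.append(source(parts[0], stop_if_found=parts[1:] == ["auth"]))
            return sources
    return [source("files")]

def lookup(sources, found_in):
    """Walk the sources in order. Every source is consulted unless a qualifier stops the
    walk; 'winner' is the last consulted source that knew the user, since later matches
    take precedence. found_in is a constructed set standing in for the real lookups."""
    consulted, winner = [], None
    for src in sources:
        consulted.append(src["name"])
        if src["name"] in found_in:
            winner = src["name"]
            if src["stop_if_found"]:
                break
        elif src["stop_if_notfound"]:
            break
    return consulted, winner
```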
695: .SH "FILES"
696: .IX Header "FILES"
697: .ie n .IP "\fI@ldap_conf@\fR" 24
698: .el .IP "\fI@ldap_conf@\fR" 24
699: .IX Item "@ldap_conf@"
700: \&\s-1LDAP\s0 configuration file
701: .ie n .IP "\fI@nsswitch_conf@\fR" 24
702: .el .IP "\fI@nsswitch_conf@\fR" 24
703: .IX Item "@nsswitch_conf@"
704: determines sudoers source order
705: .ie n .IP "\fI@netsvc_conf@\fR" 24
706: .el .IP "\fI@netsvc_conf@\fR" 24
707: .IX Item "@netsvc_conf@"
708: determines sudoers source order on \s-1AIX\s0
709: .SH "EXAMPLES"
710: .IX Header "EXAMPLES"
711: .SS "Example ldap.conf"
712: .IX Subsection "Example ldap.conf"
713: .Vb 10
714: \& # Either specify one or more URIs or one or more host:port pairs.
715: \& # If neither is specified sudo will default to localhost, port 389.
716: \& #
717: \& #host ldapserver
718: \& #host ldapserver1 ldapserver2:390
719: \& #
720: \& # Default port if host is specified without one, defaults to 389.
721: \& #port 389
722: \& #
723: \& # URI will override the host and port settings.
724: \& uri ldap://ldapserver
725: \& #uri ldaps://secureldapserver
726: \& #uri ldaps://secureldapserver ldap://ldapserver
727: \& #
728: \& # The amount of time, in seconds, to wait while trying to connect to
729: \& # an LDAP server.
730: \& bind_timelimit 30
731: \& #
732: \& # The amount of time, in seconds, to wait while performing an LDAP query.
733: \& timelimit 30
734: \& #
735: \& # Must be set or sudo will ignore LDAP; may be specified multiple times.
736: \& sudoers_base ou=SUDOers,dc=example,dc=com
737: \& #
738: \& # verbose sudoers matching from ldap
739: \& #sudoers_debug 2
740: \& #
741: \& # Enable support for time\-based entries in sudoers.
742: \& #sudoers_timed yes
743: \& #
744: \& # optional proxy credentials
745: \& #binddn <who to search as>
746: \& #bindpw <password>
747: \& #rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>
748: \& #
749: \& # LDAP protocol version, defaults to 3
750: \& #ldap_version 3
751: \& #
752: \& # Define if you want to use an encrypted LDAP connection.
753: \& # Typically, you must also set the port to 636 (ldaps).
754: \& #ssl on
755: \& #
756: \& # Define if you want to use port 389 and switch to
757: \& # encryption before the bind credentials are sent.
758: \& # Only supported by LDAP servers that support the start_tls
759: \& # extension such as OpenLDAP.
760: \& #ssl start_tls
761: \& #
762: \& # Additional TLS options follow that allow tweaking of the
763: \& # SSL/TLS connection.
764: \& #
765: \& #tls_checkpeer yes # verify server SSL certificate
766: \& #tls_checkpeer no # ignore server SSL certificate
767: \& #
768: \& # If you enable tls_checkpeer, specify either tls_cacertfile
769: \& # or tls_cacertdir. Only supported when using OpenLDAP.
770: \& #
771: \& #tls_cacertfile /etc/certs/trusted_signers.pem
772: \& #tls_cacertdir /etc/certs
773: \& #
774: \& # For systems that don\*(Aqt have /dev/random
775: \& # use this along with PRNGD or EGD.pl to seed the
776: \& # random number pool to generate cryptographic session keys.
777: \& # Only supported when using OpenLDAP.
778: \& #
779: \& #tls_randfile /etc/egd\-pool
780: \& #
781: \& # You may restrict which ciphers are used. Consult your SSL
782: \& # documentation for which options go here.
783: \& # Only supported when using OpenLDAP.
784: \& #
785: \& #tls_ciphers <cipher\-list>
786: \& #
787: \& # Sudo can provide a client certificate when communicating to
788: \& # the LDAP server.
789: \& # Tips:
790: \& # * Enable both lines at the same time.
791: \& # * Do not password protect the key file.
792: \& # * Ensure the keyfile is only readable by root.
793: \& #
794: \& # For OpenLDAP:
795: \& #tls_cert /etc/certs/client_cert.pem
796: \& #tls_key /etc/certs/client_key.pem
797: \& #
798: \& # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
799: \& # a directory, in which case the files in the directory must have the
800: \& # default names (e.g. cert8.db and key4.db), or the path to the cert
801: \& # and key files themselves. However, a bug in version 5.0 of the LDAP
802: \& # SDK will prevent specific file names from working. For this reason
803: \& # it is suggested that tls_cert and tls_key be set to a directory,
804: \& # not a file name.
805: \& #
806: \& # The certificate database specified by tls_cert may contain CA certs
807: \& # and/or the client\*(Aqs cert. If the client\*(Aqs cert is included, tls_key
808: \& # should be specified as well.
809: \& # For backward compatibility, "sslpath" may be used in place of tls_cert.
810: \& #tls_cert /var/ldap
811: \& #tls_key /var/ldap
812: \& #
813: \& # If using SASL authentication for LDAP (OpenSSL)
814: \& # use_sasl yes
815: \& # sasl_auth_id <SASL user name>
816: \& # rootuse_sasl yes
817: \& # rootsasl_auth_id <SASL user name for root access>
818: \& # sasl_secprops none
819: \& # krb5_ccname /etc/.ldapcache
820: .Ve
821: .SS "Sudo schema for OpenLDAP"
822: .IX Subsection "Sudo schema for OpenLDAP"
823: The following schema, in OpenLDAP format, is included with \fBsudo\fR
824: source and binary distributions as \fIschema.OpenLDAP\fR. Simply copy
825: it to the schema directory (e.g. \fI/etc/openldap/schema\fR), add the
826: proper \f(CW\*(C`include\*(C'\fR line in \f(CW\*(C`slapd.conf\*(C'\fR and restart \fBslapd\fR.
827: .PP
828: .Vb 6
829: \& attributetype ( 1.3.6.1.4.1.15953.9.1.1
830: \& NAME \*(AqsudoUser\*(Aq
831: \& DESC \*(AqUser(s) who may run sudo\*(Aq
832: \& EQUALITY caseExactIA5Match
833: \& SUBSTR caseExactIA5SubstringsMatch
834: \& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
835: \&
836: \& attributetype ( 1.3.6.1.4.1.15953.9.1.2
837: \& NAME \*(AqsudoHost\*(Aq
838: \& DESC \*(AqHost(s) who may run sudo\*(Aq
839: \& EQUALITY caseExactIA5Match
840: \& SUBSTR caseExactIA5SubstringsMatch
841: \& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
842: \&
843: \& attributetype ( 1.3.6.1.4.1.15953.9.1.3
844: \& NAME \*(AqsudoCommand\*(Aq
845: \& DESC \*(AqCommand(s) to be executed by sudo\*(Aq
846: \& EQUALITY caseExactIA5Match
847: \& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
848: \&
849: \& attributetype ( 1.3.6.1.4.1.15953.9.1.4
850: \& NAME \*(AqsudoRunAs\*(Aq
851: \& DESC \*(AqUser(s) impersonated by sudo\*(Aq
852: \& EQUALITY caseExactIA5Match
853: \& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
854: \&
855: \& attributetype ( 1.3.6.1.4.1.15953.9.1.5
856: \& NAME \*(AqsudoOption\*(Aq
857: \& DESC \*(AqOptions(s) followed by sudo\*(Aq
858: \& EQUALITY caseExactIA5Match
859: \& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
860: \&
861: \& attributetype ( 1.3.6.1.4.1.15953.9.1.6
862: \& NAME \*(AqsudoRunAsUser\*(Aq
863: \& DESC \*(AqUser(s) impersonated by sudo\*(Aq
864: \& EQUALITY caseExactIA5Match
865: \& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
866: \&
867: \& attributetype ( 1.3.6.1.4.1.15953.9.1.7
868: \& NAME \*(AqsudoRunAsGroup\*(Aq
869: \& DESC \*(AqGroup(s) impersonated by sudo\*(Aq
870: \& EQUALITY caseExactIA5Match
871: \& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
872: \&
873: \& attributetype ( 1.3.6.1.4.1.15953.9.1.8
874: \& NAME \*(AqsudoNotBefore\*(Aq
875: \& DESC \*(AqStart of time interval for which the entry is valid\*(Aq
876: \& EQUALITY generalizedTimeMatch
877: \& ORDERING generalizedTimeOrderingMatch
878: \& SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
879: \&
880: \& attributetype ( 1.3.6.1.4.1.15953.9.1.9
881: \& NAME \*(AqsudoNotAfter\*(Aq
882: \& DESC \*(AqEnd of time interval for which the entry is valid\*(Aq
883: \& EQUALITY generalizedTimeMatch
884: \& ORDERING generalizedTimeOrderingMatch
885: \& SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
886: \&
887: \& attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
888: \& NAME \*(AqsudoOrder\*(Aq
889: \& DESC \*(Aqan integer to order the sudoRole entries\*(Aq
890: \& EQUALITY integerMatch
891: \& ORDERING integerOrderingMatch
892: \& SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
893: \&
894: \& objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME \*(AqsudoRole\*(Aq SUP top STRUCTURAL
895: \& DESC \*(AqSudoer Entries\*(Aq
896: \& MUST ( cn )
897: \& MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
898: \& sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
899: \& sudoOrder $ description )
900: \& )
901: .Ve
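As an added example, not part of sudo or its schema file, the following Python checks a sudoRole entry against the object class and attribute syntaxes defined above before it is loaded into the directory. The SCHEMA string is a constructed excerpt of schema.OpenLDAP with most attribute types omitted, and both entries are constructed.

```python
"""Check a sudoRole entry against the sudo OpenLDAP schema (added example, not part of sudo).
SCHEMA is a constructed excerpt of schema.OpenLDAP; most attribute types are omitted."""
import re

SCHEMA = """
attributetype ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser'
  EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.9 NAME 'sudoNotAfter'
  EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
attributeTypes ( 1.3.6.1.4.1.15953.9.1.10 NAME 'sudoOrder'
  EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
  MUST ( cn )
  MAY ( sudoUser $ sudoNotAfter $ sudoOrder $ description ) )
"""

# Value checks keyed by LDAP syntax OID: IA5 string, GeneralizedTime (UTC form), INTEGER.
SYNTAX_CHECKS = {
    "1.3.6.1.4.1.1466.115.121.1.26": lambda v: v.isascii(),
    "1.3.6.1.4.1.1466.115.121.1.24": lambda v: re.fullmatch(r"\d{14}(\.\d+)?Z", v) is not None,
    "1.3.6.1.4.1.1466.115.121.1.27": lambda v: re.fullmatch(r"-?\d+", v) is not None,
}

def parse_schema(text):
    """Return ({attribute: syntax OID}, MUST, MAY) for sudoRole. Names are lower-cased
    because LDAP compares attribute names case-insensitively."""
    syntax = {m.group(1).lower(): m.group(2) for m in re.finditer(
        r"attributetypes?\s*\(\s*[\d.]+\s+NAME\s+'(\w+)'.*?SYNTAX\s+([\d.]+)", text, re.I | re.S)}
    must = {a.strip().lower() for a in re.search(r"MUST\s*\((.*?)\)", text, re.S).group(1).split("$")}
    may = {a.strip().lower() for a in re.search(r"MAY\s*\((.*?)\)", text, re.S).group(1).split("$")}
    return syntax, must, may

def validate(entry, schema):
    """entry maps attribute names to value lists (as read from LDIF). Returns the problems
    found; an empty list means the entry fits sudoRole and every value matches its syntax."""
    syntax, must, may = schema
    attrs = {k.lower(): v for k, v in entry.items() if k.lower() not in ("dn", "objectclass")}
    problems = ["missing required attribute %s" % a for a in sorted(must - set(attrs))]
    for name, values in attrs.items():
        if name not in must | may:
            problems.append("%s: not allowed in sudoRole" % name)
            continue
        check = SYNTAX_CHECKS.get(syntax.get(name))
        problems += ["%s: %r violates its LDAP syntax" % (name, v) for v in values if check and not check(v)]
    return problems

# Constructed entries: GOOD_ENTRY is clean, BAD_ENTRY has no cn, an unknown attribute,
# a malformed time and a non-integer order.
GOOD_ENTRY = {"cn": ["ops"], "sudoUser": ["%ops"], "sudoNotAfter": ["20251231235959Z"], "sudoOrder": ["10"]}
BAD_ENTRY = {"objectClass": ["sudoRole"], "sudoUser": ["alice"], "sudoGroup": ["ops"],
             "sudoNotAfter": ["2025-12-31"], "sudoOrder": ["ten"]}
```

A well-formed sudoNotBefore or sudoNotAfter value is only enforced when sudoers_timed is enabled in ldap.conf (see the example above), so a schema-valid entry is not by itself a time-limited one.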
902: .SH "SEE ALSO"
903: .IX Header "SEE ALSO"
904: \&\fIldap.conf\fR\|(@mansectform@), \fIsudoers\fR\|(@mansectform@)
905: .SH "CAVEATS"
906: .IX Header "CAVEATS"
907: Note that there are differences in the way that LDAP-based \fIsudoers\fR
908: is parsed compared to file-based \fIsudoers\fR. See the \*(L"Differences
909: between \s-1LDAP\s0 and non-LDAP sudoers\*(R" section for more information.
910: .SH "BUGS"
911: .IX Header "BUGS"
912: If you feel you have found a bug in \fBsudo\fR, please submit a bug report
913: at http://www.sudo.ws/sudo/bugs/
914: .SH "SUPPORT"
915: .IX Header "SUPPORT"
916: Limited free support is available via the sudo-users mailing list,
917: see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
918: search the archives.
919: .SH "DISCLAIMER"
920: .IX Header "DISCLAIMER"
921: \&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
922: including, but not limited to, the implied warranties of merchantability
923: and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0
924: file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
925: for complete details.