Annotation of embedaddon/sudo/doc/sudoers.ldap.man.in, revision 1.1.1.5

1.1.1.3   misho       1: .\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
                      2: .\" IT IS GENERATED AUTOMATICALLY FROM sudoers.ldap.mdoc.in
                      3: .\"
1.1.1.4   misho       4: .\" Copyright (c) 2003-2013 Todd C. Miller <Todd.Miller@courtesan.com>
1.1.1.3   misho       5: .\"
1.1       misho       6: .\" Permission to use, copy, modify, and distribute this software for any
                      7: .\" purpose with or without fee is hereby granted, provided that the above
                      8: .\" copyright notice and this permission notice appear in all copies.
1.1.1.3   misho       9: .\"
1.1       misho      10: .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
                     11: .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
                     12: .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
                     13: .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
                     14: .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
                     15: .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
                     16: .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
                     17: .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
                     18: .\"
1.1.1.5 ! misho      19: .TH "SUDOERS.LDAP" "8" "August 30, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD System Manager's Manual"
1.1       misho      20: .nh
1.1.1.3   misho      21: .if n .ad l
1.1       misho      22: .SH "NAME"
1.1.1.3   misho      23: \fBsudoers.ldap\fR
                     24: \- sudo LDAP configuration
1.1       misho      25: .SH "DESCRIPTION"
1.1.1.3   misho      26: In addition to the standard
                     27: \fIsudoers\fR
                     28: file,
                     29: \fBsudo\fR
                     30: may be configured
                     31: via LDAP.
                     32: This can be especially useful for synchronizing
                     33: \fIsudoers\fR
1.1       misho      34: in a large, distributed environment.
                     35: .PP
1.1.1.3   misho      36: Using LDAP for
                     37: \fIsudoers\fR
                     38: has several benefits:
                     39: .TP 4n
                     40: \fBo\fR
                     41: \fBsudo\fR
                     42: no longer needs to read
                     43: \fIsudoers\fR
                     44: in its entirety.
                     45: When LDAP is used, there are only two or three LDAP queries per invocation.
                     46: This makes it especially fast and particularly usable in LDAP environments.
                     47: .TP 4n
                     48: \fBo\fR
                     49: \fBsudo\fR
                     50: no longer exits if there is a typo in
                     51: \fIsudoers\fR.
                     52: It is not possible to load LDAP data into the server that does
1.1       misho      53: not conform to the sudoers schema, so proper syntax is guaranteed.
                     54: It is still possible to have typos in a user or host name, but
1.1.1.3   misho      55: this will not prevent
                     56: \fBsudo\fR
                     57: from running.
                     58: .TP 4n
                     59: \fBo\fR
1.1       misho      60: It is possible to specify per-entry options that override the global
1.1.1.3   misho      61: default options.
                     62: \fI@sysconfdir@/sudoers\fR
                     63: only supports default options and limited options associated with
                     64: user/host/commands/aliases.
                     65: The syntax is complicated and can be difficult for users to understand.
1.1       misho      66: Placing the options directly in the entry is more natural.
1.1.1.3   misho      67: .TP 4n
                     68: \fBo\fR
                     69: The
                     70: \fBvisudo\fR
                     71: program is no longer needed.
                     72: \fBvisudo\fR
                     73: provides locking and syntax checking of the
                     74: \fI@sysconfdir@/sudoers\fR
                     75: file.
                     76: Since LDAP updates are atomic, locking is no longer necessary.
                     77: Because syntax is checked when the data is inserted into LDAP, there
1.1       misho      78: is no need for a specialized tool to check syntax.
                     79: .PP
1.1.1.3   misho      80: Another major difference between LDAP and file-based
                     81: \fIsudoers\fR
                     82: is that in LDAP,
                     83: \fBsudo\fR-specific
                     84: Aliases are not supported.
                     85: .PP
                     86: For the most part, there is really no need for
                     87: \fBsudo\fR-specific
                     88: Aliases.
1.1.1.4   misho      89: Unix groups, non-Unix groups (via the
                     90: \fIgroup_plugin\fR)
                     91: or user netgroups can be used in place of User_Aliases and Runas_Aliases.
1.1.1.3   misho      92: Host netgroups can be used in place of Host_Aliases.
1.1.1.4   misho      93: Since groups and netgroups can also be stored in LDAP there is no real need for
1.1.1.3   misho      94: \fBsudo\fR-specific
                     95: aliases.
1.1       misho      96: .PP
                     97: Cmnd_Aliases are not really required either since it is possible
1.1.1.3   misho      98: to have multiple users listed in a
                     99: \fRsudoRole\fR.
                    100: Instead of defining a Cmnd_Alias that is referenced by multiple users,
                    101: one can create a
                    102: \fRsudoRole\fR
                    103: that contains the commands and assign multiple users to it.
                    104: .SS "SUDOers LDAP container"
                    105: The
                    106: \fIsudoers\fR
                    107: configuration is contained in the
                    108: \fRou=SUDOers\fR
                    109: LDAP container.
                    110: .PP
                    111: Sudo first looks for the
                    112: \fRcn=default\fR
                    113: entry in the SUDOers container.
                    114: If found, the multi-valued
                    115: \fRsudoOption\fR
                    116: attribute is parsed in the same manner as a global
                    117: \fRDefaults\fR
                    118: line in
                    119: \fI@sysconfdir@/sudoers\fR.
                    120: In the following example, the
                    121: \fRSSH_AUTH_SOCK\fR
                    122: variable will be preserved in the environment for all users.
                    123: .nf
                    124: .sp
                    125: .RS 4n
                    126: dn: cn=defaults,ou=SUDOers,dc=example,dc=com
                    127: objectClass: top
                    128: objectClass: sudoRole
                    129: cn: defaults
                    130: description: Default sudoOption's go here
                    131: sudoOption: env_keep+=SSH_AUTH_SOCK
                    132: .RE
                    133: .fi
                    134: .PP
                    135: The equivalent of a sudoer in LDAP is a
                    136: \fRsudoRole\fR.
                    137: It consists of the following attributes:
                    138: .TP 6n
                    139: \fBsudoUser\fR
                    140: A user name, user ID (prefixed with
                    141: `#'),
1.1.1.4   misho     142: Unix group name or ID (prefixed with
                    143: `%'
                    144: or
                    145: `%#'
                    146: respectively), user netgroup (prefixed with
                    147: `+'),
                    148: or non-Unix group name or ID (prefixed with
                    149: `%:'
                    150: or
                    151: `%:#'
                    152: respectively).
                    153: Non-Unix group support is only available when an appropriate
                    154: \fIgroup_plugin\fR
                    155: is defined in the global
                    156: \fIdefaults\fR
                    157: \fRsudoRole\fR
                    158: object.
1.1.1.3   misho     159: .TP 6n
                    160: \fBsudoHost\fR
                    161: A host name, IP address, IP network, or host netgroup (prefixed with a
                    162: `+').
                    163: The special value
                    164: \fRALL\fR
                    165: will match any host.
                    166: .TP 6n
                    167: \fBsudoCommand\fR
1.1.1.4   misho     168: A fully-qualified Unix command name with optional command line arguments,
                    169: potentially including globbing characters (aka wild cards).
                    170: If a command name is preceded by an exclamation point,
                    171: `\&!',
                    172: the user will be prohibited from running that command.
                    173: .sp
                    174: The built-in command
                    175: ``\fRsudoedit\fR''
                    176: is used to permit a user to run
                    177: \fBsudo\fR
                    178: with the
                    179: \fB\-e\fR
                    180: option (or as
                    181: \fBsudoedit\fR).
                    182: It may take command line arguments just as a normal command does.
                    183: Note that
                    184: ``\fRsudoedit\fR''
                    185: is a command built into
                    186: \fBsudo\fR
                    187: itself and must be specified in without a leading path.
                    188: .sp
1.1.1.3   misho     189: The special value
                    190: \fRALL\fR
                    191: will match any command.
1.1.1.4   misho     192: .sp
                    193: If a command name is prefixed with a SHA-2 digest, it will
                    194: only be allowed if the digest matches.
                    195: This may be useful in situations where the user invoking
                    196: \fBsudo\fR
                    197: has write access to the command or its parent directory.
                    198: The following digest formats are supported: sha224, sha256, sha384 and sha512.
                    199: The digest name must be followed by a colon
                    200: (`:\&')
                    201: and then the actual digest, in either hex or base64 format.
                    202: For example, given the following value for sudoCommand:
                    203: .RS
                    204: .nf
                    205: .sp
                    206: .RS 4n
                    207: sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ /bin/ls
                    208: .RE
                    209: .fi
                    210: .sp
                    211: The user may only run
                    212: \fI/bin/ls\fR
                    213: if its sha224 digest matches the specified value.
                    214: Command digests are only supported by version 1.8.7 or higher.
                    215: .PP
                    216: .RE
                    217: .PD 0
1.1.1.3   misho     218: .TP 6n
                    219: \fBsudoOption\fR
1.1       misho     220: Identical in function to the global options described above, but
1.1.1.3   misho     221: specific to the
                    222: \fRsudoRole\fR
                    223: in which it resides.
1.1.1.4   misho     224: .PD
1.1.1.3   misho     225: .TP 6n
                    226: \fBsudoRunAsUser\fR
                    227: A user name or uid (prefixed with
                    228: `#')
                    229: that commands may be run as or a Unix group (prefixed with a
                    230: `%')
                    231: or user netgroup (prefixed with a
                    232: `+')
                    233: that contains a list of users that commands may be run as.
                    234: The special value
                    235: \fRALL\fR
                    236: will match any user.
                    237: .sp
                    238: The
                    239: \fRsudoRunAsUser\fR
                    240: attribute is only available in
                    241: \fBsudo\fR
                    242: versions
                    243: 1.7.0 and higher.
                    244: Older versions of
                    245: \fBsudo\fR
                    246: use the
                    247: \fRsudoRunAs\fR
1.1       misho     248: attribute instead.
1.1.1.3   misho     249: .TP 6n
                    250: \fBsudoRunAsGroup\fR
                    251: A Unix group or gid (prefixed with
                    252: `#')
                    253: that commands may be run as.
                    254: The special value
                    255: \fRALL\fR
                    256: will match any group.
                    257: .sp
                    258: The
                    259: \fRsudoRunAsGroup\fR
                    260: attribute is only available in
                    261: \fBsudo\fR
                    262: versions
1.1       misho     263: 1.7.0 and higher.
1.1.1.3   misho     264: .TP 6n
                    265: \fBsudoNotBefore\fR
                    266: A timestamp in the form
                    267: \fRyyyymmddHHMMSSZ\fR
                    268: that can be used to provide a start date/time for when the
                    269: \fRsudoRole\fR
                    270: will be valid.
                    271: If multiple
                    272: \fRsudoNotBefore\fR
                    273: entries are present, the earliest is used.
                    274: Note that timestamps must be in Coordinated Universal Time (UTC),
                    275: not the local timezone.
                    276: The minute and seconds portions are optional, but some LDAP servers
                    277: require that they be present (contrary to the RFC).
                    278: .sp
                    279: The
                    280: \fRsudoNotBefore\fR
                    281: attribute is only available in
                    282: \fBsudo\fR
                    283: versions 1.7.5 and higher and must be explicitly enabled via the
                    284: \fBSUDOERS_TIMED\fR
                    285: option in
                    286: \fI@ldap_conf@\fR.
                    287: .TP 6n
                    288: \fBsudoNotAfter\fR
                    289: A timestamp in the form
                    290: \fRyyyymmddHHMMSSZ\fR
                    291: that indicates an expiration date/time, after which the
                    292: \fRsudoRole\fR
                    293: will no longer be valid.
                    294: If multiple
                    295: \fRsudoNotBefore\fR
                    296: entries are present, the last one is used.
                    297: Note that timestamps must be in Coordinated Universal Time (UTC),
                    298: not the local timezone.
                    299: The minute and seconds portions are optional, but some LDAP servers
                    300: require that they be present (contrary to the RFC).
                    301: .sp
                    302: The
                    303: \fRsudoNotAfter\fR
                    304: attribute is only available in
                    305: \fBsudo\fR
                    306: versions
                    307: 1.7.5 and higher and must be explicitly enabled via the
                    308: \fBSUDOERS_TIMED\fR
                    309: option in
                    310: \fI@ldap_conf@\fR.
                    311: .TP 6n
                    312: \fBsudoOrder\fR
                    313: The
                    314: \fRsudoRole\fR
                    315: entries retrieved from the LDAP directory have no inherent order.
                    316: The
                    317: \fRsudoOrder\fR
                    318: attribute is an integer (or floating point value for LDAP servers
                    319: that support it) that is used to sort the matching entries.
1.1.1.4   misho     320: This allows LDAP-based sudoers entries to more closely mimic the behavior
1.1.1.3   misho     321: of the sudoers file, where the of the entries influences the result.
                    322: If multiple entries match, the entry with the highest
                    323: \fRsudoOrder\fR
                    324: attribute is chosen.
                    325: This corresponds to the
                    326: ``last match''
                    327: behavior of the sudoers file.
                    328: If the
                    329: \fRsudoOrder\fR
                    330: attribute is not present, a value of 0 is assumed.
                    331: .sp
                    332: The
                    333: \fRsudoOrder\fR
                    334: attribute is only available in
                    335: \fBsudo\fR
                    336: versions 1.7.5 and higher.
1.1       misho     337: .PP
                    338: Each attribute listed above should contain a single value, but there
1.1.1.3   misho     339: may be multiple instances of each attribute type.
                    340: A
                    341: \fRsudoRole\fR
                    342: must contain at least one
                    343: \fRsudoUser\fR,
                    344: \fRsudoHost\fR
                    345: and
                    346: \fRsudoCommand\fR.
1.1       misho     347: .PP
                    348: The following example allows users in group wheel to run any command
1.1.1.3   misho     349: on any host via
                    350: \fBsudo\fR:
                    351: .nf
                    352: .sp
                    353: .RS 4n
                    354: dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
                    355: objectClass: top
                    356: objectClass: sudoRole
                    357: cn: %wheel
                    358: sudoUser: %wheel
                    359: sudoHost: ALL
                    360: sudoCommand: ALL
                    361: .RE
                    362: .fi
                    363: .SS "Anatomy of LDAP sudoers lookup"
                    364: When looking up a sudoer using LDAP there are only two or three
                    365: LDAP queries per invocation.
                    366: The first query is to parse the global options.
                    367: The second is to match against the user's name and the groups that
                    368: the user belongs to.
                    369: (The special
                    370: \fRALL\fR
                    371: tag is matched in this query too.)
                    372: If no match is returned for the user's name and groups, a third
                    373: query returns all entries containing user netgroups and checks
                    374: to see if the user belongs to any of them.
                    375: .PP
                    376: If timed entries are enabled with the
                    377: \fBSUDOERS_TIMED\fR
1.1.1.4   misho     378: configuration directive, the LDAP queries include a sub-filter that
1.1.1.3   misho     379: limits retrieval to entries that satisfy the time constraints, if any.
                    380: .SS "Differences between LDAP and non-LDAP sudoers"
1.1       misho     381: There are some subtle differences in the way sudoers is handled
1.1.1.3   misho     382: once in LDAP.
                    383: Probably the biggest is that according to the RFC, LDAP ordering
                    384: is arbitrary and you cannot expect that Attributes and Entries are
                    385: returned in any specific order.
1.1       misho     386: .PP
                    387: The order in which different entries are applied can be controlled
1.1.1.3   misho     388: using the
                    389: \fRsudoOrder\fR
                    390: attribute, but there is no way to guarantee the order of attributes
                    391: within a specific entry.
                    392: If there are conflicting command rules in an entry, the negative
                    393: takes precedence.
1.1       misho     394: This is called paranoid behavior (not necessarily the most specific
                    395: match).
                    396: .PP
                    397: Here is an example:
1.1.1.3   misho     398: .nf
                    399: .sp
                    400: .RS 4n
                    401: # /etc/sudoers:
                    402: # Allow all commands except shell
                    403: johnny  ALL=(root) ALL,!/bin/sh
                    404: # Always allows all commands because ALL is matched last
                    405: puddles ALL=(root) !/bin/sh,ALL
                    406: 
                    407: # LDAP equivalent of johnny
                    408: # Allows all commands except shell
                    409: dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
                    410: objectClass: sudoRole
                    411: objectClass: top
                    412: cn: role1
                    413: sudoUser: johnny
                    414: sudoHost: ALL
                    415: sudoCommand: ALL
                    416: sudoCommand: !/bin/sh
                    417: 
                    418: # LDAP equivalent of puddles
                    419: # Notice that even though ALL comes last, it still behaves like
                    420: # role1 since the LDAP code assumes the more paranoid configuration
                    421: dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
                    422: objectClass: sudoRole
                    423: objectClass: top
                    424: cn: role2
                    425: sudoUser: puddles
                    426: sudoHost: ALL
                    427: sudoCommand: !/bin/sh
                    428: sudoCommand: ALL
                    429: .RE
                    430: .fi
1.1       misho     431: .PP
                    432: Another difference is that negations on the Host, User or Runas are
1.1.1.3   misho     433: currently ignored.
                    434: For example, the following attributes do not behave the way one might expect.
                    435: .nf
                    436: .sp
                    437: .RS 4n
                    438: # does not match all but joe
                    439: # rather, does not match anyone
                    440: sudoUser: !joe
                    441: 
                    442: # does not match all but joe
                    443: # rather, matches everyone including Joe
                    444: sudoUser: ALL
                    445: sudoUser: !joe
                    446: 
                    447: # does not match all but web01
                    448: # rather, matches all hosts including web01
                    449: sudoHost: ALL
                    450: sudoHost: !web01
                    451: .RE
                    452: .fi
                    453: .SS "Sudoers schema"
                    454: In order to use
                    455: \fBsudo\fR's
                    456: LDAP support, the
                    457: \fBsudo\fR
                    458: schema must be
                    459: installed on your LDAP server.
                    460: In addition, be sure to index the
                    461: \fRsudoUser\fR
                    462: attribute.
                    463: .PP
                    464: Three versions of the schema: one for OpenLDAP servers
                    465: (\fIschema.OpenLDAP\fR),
                    466: one for Netscape-derived servers
                    467: (\fIschema.iPlanet\fR),
                    468: and one for Microsoft Active Directory
                    469: (\fIschema.ActiveDirectory\fR)
                    470: may be found in the
                    471: \fBsudo\fR
                    472: distribution.
                    473: .PP
                    474: The schema for
                    475: \fBsudo\fR
                    476: in OpenLDAP form is also included in the
                    477: \fIEXAMPLES\fR
1.1       misho     478: section.
                    479: .SS "Configuring ldap.conf"
1.1.1.3   misho     480: Sudo reads the
                    481: \fI@ldap_conf@\fR
                    482: file for LDAP-specific configuration.
1.1.1.4   misho     483: Typically, this file is shared between different LDAP-aware clients.
1.1.1.3   misho     484: As such, most of the settings are not
                    485: \fBsudo\fR-specific.
                    486: Note that
                    487: \fBsudo\fR
                    488: parses
                    489: \fI@ldap_conf@\fR
                    490: itself and may support options that differ from those described in the
                    491: system's
                    492: ldap.conf(@mansectsu@)
                    493: manual.
1.1.1.4   misho     494: The path to
                    495: \fIldap.conf\fR
                    496: may be overridden via the
                    497: \fIldap_conf\fR
                    498: plugin argument in
                    499: sudo.conf(@mansectform@).
1.1       misho     500: .PP
                    501: Also note that on systems using the OpenLDAP libraries, default
1.1.1.3   misho     502: values specified in
                    503: \fI/etc/openldap/ldap.conf\fR
                    504: or the user's
                    505: \fI.ldaprc\fR
                    506: files are not used.
                    507: .PP
                    508: Only those options explicitly listed in
                    509: \fI@ldap_conf@\fR
                    510: as being supported by
                    511: \fBsudo\fR
                    512: are honored.
                    513: Configuration options are listed below in upper case but are parsed
                    514: in a case-independent manner.
1.1.1.4   misho     515: .PP
1.1.1.5 ! misho     516: The pound sign
        !           517: (`#')
        !           518: is used to indicate a comment.
        !           519: Both the comment character and any text after it, up to the end of
        !           520: the line, are ignored.
1.1.1.4   misho     521: Long lines can be continued with a backslash
                    522: (`\e')
                    523: as the last character on the line.
                    524: Note that leading white space is removed from the beginning of lines
                    525: even when the continuation character is used.
1.1.1.3   misho     526: .TP 6n
                    527: \fBURI\fR \fIldap[s]://[hostname[:port]] ...\fR
1.1.1.4   misho     528: Specifies a white space-delimited list of one or more URIs describing
1.1.1.3   misho     529: the LDAP server(s) to connect to.
                    530: The
                    531: \fIprotocol\fR
                    532: may be either
                    533: \fIldap\fR
                    534: \fIldaps\fR,
                    535: the latter being for servers that support TLS (SSL) encryption.
                    536: If no
                    537: \fIport\fR
                    538: is specified, the default is port 389 for
                    539: \fRldap://\fR
                    540: or port 636 for
                    541: \fRldaps://\fR.
                    542: If no
                    543: \fIhostname\fR
                    544: is specified,
                    545: \fBsudo\fR
                    546: will connect to
                    547: \fIlocalhost\fR.
                    548: Multiple
                    549: \fBURI\fR
                    550: lines are treated identically to a
                    551: \fBURI\fR
                    552: line containing multiple entries.
                    553: Only systems using the OpenSSL libraries support the mixing of
                    554: \fRldap://\fR
                    555: and
                    556: \fRldaps://\fR
                    557: URIs.
                    558: Both the Netscape-derived and Tivoli LDAP libraries used on most commercial
                    559: versions of Unix are only capable of supporting one or the other.
                    560: .TP 6n
                    561: \fBHOST\fR \fIname[:port] ...\fR
                    562: If no
                    563: \fBURI\fR
                    564: is specified, the
                    565: \fBHOST\fR
1.1.1.4   misho     566: parameter specifies a white space-delimited list of LDAP servers to connect to.
1.1.1.3   misho     567: Each host may include an optional
                    568: \fIport\fR
                    569: separated by a colon
                    570: (`:\&').
                    571: The
                    572: \fBHOST\fR
                    573: parameter is deprecated in favor of the
                    574: \fBURI\fR
                    575: specification and is included for backwards compatibility.
                    576: .TP 6n
                    577: \fBPORT\fR \fIport_number\fR
                    578: If no
                    579: \fBURI\fR
                    580: is specified, the
                    581: \fBPORT\fR
                    582: parameter specifies the default port to connect to on the LDAP server if a
                    583: \fBHOST\fR
                    584: parameter does not specify the port itself.
                    585: If no
                    586: \fBPORT\fR
                    587: parameter is used, the default is port 389 for LDAP and port 636 for LDAP
                    588: over TLS (SSL).
                    589: The
                    590: \fBPORT\fR
                    591: parameter is deprecated in favor of the
                    592: \fBURI\fR
1.1       misho     593: specification and is included for backwards compatibility.
1.1.1.3   misho     594: .TP 6n
                    595: \fBBIND_TIMELIMIT\fR \fIseconds\fR
                    596: The
                    597: \fBBIND_TIMELIMIT\fR
                    598: parameter specifies the amount of time, in seconds, to wait while trying
                    599: to connect to an LDAP server.
                    600: If multiple
                    601: \fBURI\fRs
                    602: or
                    603: \fBHOST\fRs
                    604: are specified, this is the amount of time to wait before trying
1.1       misho     605: the next one in the list.
1.1.1.3   misho     606: .TP 6n
                    607: \fBNETWORK_TIMEOUT\fR \fIseconds\fR
                    608: An alias for
                    609: \fBBIND_TIMELIMIT\fR
                    610: for OpenLDAP compatibility.
                    611: .TP 6n
                    612: \fBTIMELIMIT\fR \fIseconds\fR
                    613: The
                    614: \fBTIMELIMIT\fR
                    615: parameter specifies the amount of time, in seconds, to wait for a
                    616: response to an LDAP query.
                    617: .TP 6n
                    618: \fBTIMEOUT\fR \fIseconds\fR
                    619: The
                    620: \fBTIMEOUT\fR
                    621: parameter specifies the amount of time, in seconds, to wait for a
                    622: response from the various LDAP APIs.
                    623: .TP 6n
                    624: \fBSUDOERS_BASE\fR \fIbase\fR
                    625: The base DN to use when performing
                    626: \fBsudo\fR
                    627: LDAP queries.
                    628: Typically this is of the form
                    629: \fRou=SUDOers,dc=example,dc=com\fR
                    630: for the domain
                    631: \fRexample.com\fR.
                    632: Multiple
                    633: \fBSUDOERS_BASE\fR
                    634: lines may be specified, in which case they are queried in the order specified.
                    635: .TP 6n
                    636: \fBSUDOERS_SEARCH_FILTER\fR \fIldap_filter\fR
                    637: An LDAP filter which is used to restrict the set of records returned
                    638: when performing a
                    639: \fBsudo\fR
                    640: LDAP query.
                    641: Typically, this is of the
                    642: form
                    643: \fRattribute=value\fR
                    644: or
                    645: \fR(&(attribute=value)(attribute2=value2))\fR.
                    646: .TP 6n
                    647: \fBSUDOERS_TIMED\fR \fIon/true/yes/off/false/no\fR
                    648: Whether or not to evaluate the
                    649: \fRsudoNotBefore\fR
                    650: and
                    651: \fRsudoNotAfter\fR
1.1       misho     652: attributes that implement time-dependent sudoers entries.
1.1.1.3   misho     653: .TP 6n
                    654: \fBSUDOERS_DEBUG\fR \fIdebug_level\fR
                    655: This sets the debug level for
                    656: \fBsudo\fR
                    657: LDAP queries.
                    658: Debugging information is printed to the standard error.
                    659: A value of 1 results in a moderate amount of debugging information.
                    660: A value of 2 shows the results of the matches themselves.
                    661: This parameter should not be set in a production environment as the
                    662: extra information is likely to confuse users.
1.1.1.4   misho     663: .sp
                    664: The
                    665: \fBSUDOERS_DEBUG\fR
                    666: parameter is deprecated and will be removed in a future release.
                    667: The same information is now logged via the
                    668: \fBsudo\fR
                    669: debugging framework using the
                    670: ``ldap''
                    671: subsystem at priorities
                    672: \fIdiag\fR
                    673: and
                    674: \fIinfo\fR
                    675: for
                    676: \fIdebug_level\fR
                    677: values 1 and 2 respectively.
                    678: See the
                    679: sudo.conf(@mansectform@)
                    680: manual for details on how to configure
                    681: \fBsudo\fR
                    682: debugging.
1.1.1.3   misho     683: .TP 6n
                    684: \fBBINDDN\fR \fIDN\fR
                    685: The
                    686: \fBBINDDN\fR
                    687: parameter specifies the identity, in the form of a Distinguished Name (DN),
                    688: to use when performing LDAP operations.
                    689: If not specified, LDAP operations are performed with an anonymous identity.
                    690: By default, most LDAP servers will allow anonymous access.
                    691: .TP 6n
                    692: \fBBINDPW\fR \fIsecret\fR
                    693: The
                    694: \fBBINDPW\fR
                    695: parameter specifies the password to use when performing LDAP operations.
                    696: This is typically used in conjunction with the
                    697: \fBBINDDN\fR
                    698: parameter.
                    699: .TP 6n
                    700: \fBROOTBINDDN\fR \fIDN\fR
                    701: The
                    702: \fBROOTBINDDN\fR
                    703: parameter specifies the identity, in the form of a Distinguished Name (DN),
                    704: to use when performing privileged LDAP operations, such as
                    705: \fIsudoers\fR
                    706: queries.
1.1.1.4   misho     707: The password corresponding to the identity should be stored in the
                    708: or the path specified by the
                    709: \fIldap_secret\fR
                    710: plugin argument in
                    711: sudo.conf(@mansectform@),
                    712: which defaults to
1.1.1.3   misho     713: \fI@ldap_secret@\fR.
1.1.1.4   misho     714: If no
                    715: \fBROOTBINDDN\fR
                    716: is specified, the
1.1.1.3   misho     717: \fBBINDDN\fR
                    718: identity is used (if any).
                    719: .TP 6n
                    720: \fBLDAP_VERSION\fR \fInumber\fR
                    721: The version of the LDAP protocol to use when connecting to the server.
1.1       misho     722: The default value is protocol version 3.
1.1.1.3   misho     723: .TP 6n
                    724: \fBSSL\fR \fIon/true/yes/off/false/no\fR
                    725: If the
                    726: \fBSSL\fR
                    727: parameter is set to
                    728: \fRon\fR,
                    729: \fRtrue\fR
                    730: \fRor\fR
                    731: \fRyes\fR,
                    732: TLS (SSL) encryption is always used when communicating with the LDAP server.
                    733: Typically, this involves connecting to the server on port 636 (ldaps).
                    734: .TP 6n
                    735: \fBSSL\fR \fIstart_tls\fR
                    736: If the
                    737: \fBSSL\fR
                    738: parameter is set to
                    739: \fRstart_tls\fR,
                    740: the LDAP server connection is initiated normally and TLS encryption is
                    741: begun before the bind credentials are sent.
                    742: This has the advantage of not requiring a dedicated port for encrypted
                    743: communications.
                    744: This parameter is only supported by LDAP servers that honor the
                    745: \fIstart_tls\fR
                    746: extension, such as the OpenLDAP and Tivoli Directory servers.
                    747: .TP 6n
                    748: \fBTLS_CHECKPEER\fR \fIon/true/yes/off/false/no\fR
                    749: If enabled,
                    750: \fBTLS_CHECKPEER\fR
                    751: will cause the LDAP server's TLS certificated to be verified.
                    752: If the server's TLS certificate cannot be verified (usually because it
                    753: is signed by an unknown certificate authority),
                    754: \fBsudo\fR
                    755: will be unable to connect to it.
                    756: If
                    757: \fBTLS_CHECKPEER\fR
                    758: is disabled, no check is made.
                    759: Note that disabling the check creates an opportunity for man-in-the-middle
                    760: attacks since the server's identity will not be authenticated.
                    761: If possible, the CA's certificate should be installed locally so it can
                    762: be verified.
                    763: This option is not supported by the Tivoli Directory Server LDAP libraries.
                    764: .TP 6n
                    765: \fBTLS_CACERT\fR \fIfile name\fR
                    766: An alias for
                    767: \fBTLS_CACERTFILE\fR
                    768: for OpenLDAP compatibility.
                    769: .TP 6n
                    770: \fBTLS_CACERTFILE\fR \fIfile name\fR
1.1       misho     771: The path to a certificate authority bundle which contains the certificates
1.1.1.3   misho     772: for all the Certificate Authorities the client knows to be valid, e.g.\&
                    773: \fI/etc/ssl/ca-bundle.pem\fR.
1.1       misho     774: This option is only supported by the OpenLDAP libraries.
1.1.1.3   misho     775: Netscape-derived LDAP libraries use the same certificate
                    776: database for CA and client certificates (see
                    777: \fBTLS_CERT\fR).
                    778: .TP 6n
                    779: \fBTLS_CACERTDIR\fR \fIdirectory\fR
                    780: Similar to
                    781: \fBTLS_CACERTFILE\fR
                    782: but instead of a file, it is a directory containing individual
                    783: Certificate Authority certificates, e.g.\&
                    784: \fI/etc/ssl/certs\fR.
                    785: The directory specified by
                    786: \fBTLS_CACERTDIR\fR
                    787: is checked after
                    788: \fBTLS_CACERTFILE\fR.
1.1       misho     789: This option is only supported by the OpenLDAP libraries.
1.1.1.3   misho     790: .TP 6n
                    791: \fBTLS_CERT\fR \fIfile name\fR
1.1       misho     792: The path to a file containing the client certificate which can
1.1.1.3   misho     793: be used to authenticate the client to the LDAP server.
                    794: The certificate type depends on the LDAP libraries used.
                    795: .RS
                    796: .TP 6n
1.1       misho     797: OpenLDAP:
1.1.1.3   misho     798: \fRtls_cert /etc/ssl/client_cert.pem\fR
                    799: .TP 6n
1.1       misho     800: Netscape-derived:
1.1.1.3   misho     801: \fRtls_cert /var/ldap/cert7.db\fR
                    802: .TP 6n
                    803: Tivoli Directory Server:
                    804: Unused, the key database specified by
                    805: \fBTLS_KEY\fR
                    806: contains both keys and certificates.
                    807: .sp
1.1       misho     808: When using Netscape-derived libraries, this file may also contain
                    809: Certificate Authority certificates.
1.1.1.3   misho     810: .PP
                    811: .RE
                    812: .PD 0
                    813: .TP 6n
                    814: \fBTLS_KEY\fR \fIfile name\fR
1.1       misho     815: The path to a file containing the private key which matches the
1.1.1.3   misho     816: certificate specified by
                    817: \fBTLS_CERT\fR.
                    818: The private key must not be password-protected.
                    819: The key type depends on the LDAP libraries used.
                    820: .RS
                    821: .PD
                    822: .TP 6n
1.1       misho     823: OpenLDAP:
1.1.1.3   misho     824: \fRtls_key /etc/ssl/client_key.pem\fR
                    825: .TP 6n
1.1       misho     826: Netscape-derived:
1.1.1.3   misho     827: \fRtls_key /var/ldap/key3.db\fR
                    828: .TP 6n
                    829: Tivoli Directory Server:
1.1.1.5 ! misho     830: \fRtls_key /usr/ldap/ldapkey.kdb\fR
1.1.1.3   misho     831: .PD 0
                    832: .PP
                    833: .PD
                    834: When using Tivoli LDAP libraries, this file may also contain
                    835: Certificate Authority and client certificates and may be encrypted.
                    836: .PP
                    837: .RE
                    838: .PD 0
                    839: .TP 6n
                    840: \fBTLS_KEYPW\fR \fIsecret\fR
                    841: The
                    842: \fBTLS_KEYPW\fR
                    843: contains the password used to decrypt the key database on clients
                    844: using the Tivoli Directory Server LDAP library.
1.1.1.5 ! misho     845: This should be a simple string without quotes.
        !           846: The password may not include the comment character
        !           847: (`#')
        !           848: and escaping of special characters with a backslash
        !           849: (`\e')
        !           850: is not supported.
        !           851: If this option is used,
        !           852: \fI@ldap_conf@\fR
        !           853: must not be world-readable to avoid exposing the password.
        !           854: Alternately, a
        !           855: \fIstash file\fR
        !           856: can be used to store the password in encrypted form (see below).
        !           857: .sp
1.1.1.3   misho     858: If no
                    859: \fBTLS_KEYPW\fR
                    860: is specified, a
                    861: \fIstash file\fR
                    862: will be used if it exists.
                    863: The
                    864: \fIstash file\fR
                    865: must have the same path as the file specified by
                    866: \fBTLS_KEY\fR,
                    867: but use a
                    868: \fR.sth\fR
                    869: file extension instead of
                    870: \fR.kdb\fR,
                    871: e.g.\&
                    872: \fRldapkey.sth\fR.
                    873: The default
                    874: \fRldapkey.kdb\fR
                    875: that ships with Tivoli Directory Server is encrypted with the password
                    876: \fRssl_password\fR.
1.1.1.5 ! misho     877: The
        !           878: \fIgsk8capicmd\fR
        !           879: utility can be used to manage the key database and create a
        !           880: \fIstash file\fR.
1.1.1.3   misho     881: This option is only supported by the Tivoli LDAP libraries.
                    882: .PD
                    883: .TP 6n
                    884: \fBTLS_RANDFILE\fR \fIfile name\fR
                    885: The
                    886: \fBTLS_RANDFILE\fR
                    887: parameter specifies the path to an entropy source for systems that lack
                    888: a random device.
                    889: It is generally used in conjunction with
                    890: \fIprngd\fR
                    891: or
                    892: \fIegd\fR.
1.1       misho     893: This option is only supported by the OpenLDAP libraries.
1.1.1.3   misho     894: .TP 6n
                    895: \fBTLS_CIPHERS\fR \fIcipher list\fR
                    896: The
                    897: \fBTLS_CIPHERS\fR
                    898: parameter allows the administer to restrict which encryption algorithms
                    899: may be used for TLS (SSL) connections.
                    900: See the OpenLDAP or Tivoli Directory Server manual for a list of valid
                    901: ciphers.
                    902: This option is not supported by Netscape-derived libraries.
                    903: .TP 6n
                    904: \fBUSE_SASL\fR \fIon/true/yes/off/false/no\fR
                    905: Enable
                    906: \fBUSE_SASL\fR
                    907: for LDAP servers that support SASL authentication.
                    908: .TP 6n
                    909: \fBSASL_AUTH_ID\fR \fIidentity\fR
                    910: The SASL user name to use when connecting to the LDAP server.
                    911: By default,
                    912: \fBsudo\fR
                    913: will use an anonymous connection.
                    914: .TP 6n
                    915: \fBROOTUSE_SASL\fR \fIon/true/yes/off/false/no\fR
                    916: Enable
                    917: \fBROOTUSE_SASL\fR
                    918: to enable SASL authentication when connecting
                    919: to an LDAP server from a privileged process, such as
                    920: \fBsudo\fR.
                    921: .TP 6n
                    922: \fBROOTSASL_AUTH_ID\fR \fIidentity\fR
                    923: The SASL user name to use when
                    924: \fBROOTUSE_SASL\fR
                    925: is enabled.
                    926: .TP 6n
                    927: \fBSASL_SECPROPS\fR \fInone/properties\fR
                    928: SASL security properties or
                    929: \fInone\fR
                    930: for no properties.
                    931: See the SASL programmer's manual for details.
                    932: .TP 6n
                    933: \fBKRB5_CCNAME\fR \fIfile name\fR
1.1       misho     934: The path to the Kerberos 5 credential cache to use when authenticating
                    935: with the remote server.
1.1.1.3   misho     936: .TP 6n
                    937: \fBDEREF\fR \fInever/searching/finding/always\fR
                    938: How alias dereferencing is to be performed when searching.
                    939: See the
                    940: ldap.conf(@mansectsu@)
                    941: manual for a full description of this option.
                    942: .PP
                    943: See the
                    944: \fIldap.conf\fR
                    945: entry in the
                    946: \fIEXAMPLES\fR
                    947: section.
1.1       misho     948: .SS "Configuring nsswitch.conf"
1.1.1.3   misho     949: Unless it is disabled at build time,
                    950: \fBsudo\fR
                    951: consults the Name Service Switch file,
                    952: \fI@nsswitch_conf@\fR,
                    953: to specify the
                    954: \fIsudoers\fR
                    955: search order.
                    956: Sudo looks for a line beginning with
                    957: \fRsudoers\fR:
                    958: and uses this to determine the search order.
                    959: Note that
                    960: \fBsudo\fR
                    961: does
1.1       misho     962: not stop searching after the first match and later matches take
                    963: precedence over earlier ones.
                    964: The following sources are recognized:
1.1.1.3   misho     965: .TP 10n
                    966: files
                    967: read sudoers from
                    968: \fI@sysconfdir@/sudoers\fR
                    969: .PD 0
                    970: .TP 10n
                    971: ldap
                    972: read sudoers from LDAP
                    973: .PD
                    974: .PP
                    975: In addition, the entry
                    976: \fR[NOTFOUND=return]\fR
                    977: will short-circuit the search if the user was not found in the
                    978: preceding source.
1.1       misho     979: .PP
1.1.1.3   misho     980: To consult LDAP first followed by the local sudoers file (if it
1.1       misho     981: exists), use:
1.1.1.3   misho     982: .nf
                    983: .sp
                    984: .RS 4n
                    985: sudoers: ldap files
                    986: .RE
                    987: .fi
1.1       misho     988: .PP
1.1.1.3   misho     989: The local
                    990: \fIsudoers\fR
                    991: file can be ignored completely by using:
                    992: .nf
                    993: .sp
                    994: .RS 4n
                    995: sudoers: ldap
                    996: .RE
                    997: .fi
1.1       misho     998: .PP
1.1.1.3   misho     999: If the
                   1000: \fI@nsswitch_conf@\fR
                   1001: file is not present or there is no sudoers line, the following
                   1002: default is assumed:
                   1003: .nf
                   1004: .sp
                   1005: .RS 4n
                   1006: sudoers: files
                   1007: .RE
                   1008: .fi
1.1       misho    1009: .PP
1.1.1.3   misho    1010: Note that
                   1011: \fI@nsswitch_conf@\fR
                   1012: is supported even when the underlying operating system does not use
                   1013: an nsswitch.conf file, except on AIX (see below).
1.1       misho    1014: .SS "Configuring netsvc.conf"
1.1.1.3   misho    1015: On AIX systems, the
                   1016: \fI@netsvc_conf@\fR
                   1017: file is consulted instead of
                   1018: \fI@nsswitch_conf@\fR.
                   1019: \fBsudo\fR
                   1020: simply treats
                   1021: \fInetsvc.conf\fR
                   1022: as a variant of
                   1023: \fInsswitch.conf\fR;
                   1024: information in the previous section unrelated to the file format
                   1025: itself still applies.
1.1       misho    1026: .PP
1.1.1.3   misho    1027: To consult LDAP first followed by the local sudoers file (if it
1.1       misho    1028: exists), use:
1.1.1.3   misho    1029: .nf
                   1030: .sp
                   1031: .RS 4n
                   1032: sudoers = ldap, files
                   1033: .RE
                   1034: .fi
1.1       misho    1035: .PP
1.1.1.3   misho    1036: The local
                   1037: \fIsudoers\fR
                   1038: file can be ignored completely by using:
                   1039: .nf
                   1040: .sp
                   1041: .RS 4n
                   1042: sudoers = ldap
                   1043: .RE
                   1044: .fi
1.1       misho    1045: .PP
1.1.1.4   misho    1046: To treat LDAP as authoritative and only use the local sudoers file
1.1.1.3   misho    1047: if the user is not present in LDAP, use:
                   1048: .nf
                   1049: .sp
                   1050: .RS 4n
                   1051: sudoers = ldap = auth, files
                   1052: .RE
                   1053: .fi
1.1       misho    1054: .PP
1.1.1.3   misho    1055: Note that in the above example, the
                   1056: \fRauth\fR
1.1.1.4   misho    1057: qualifier only affects user lookups; both LDAP and
1.1.1.3   misho    1058: \fIsudoers\fR
                   1059: will be queried for
                   1060: \fRDefaults\fR
1.1       misho    1061: entries.
                   1062: .PP
1.1.1.3   misho    1063: If the
                   1064: \fI@netsvc_conf@\fR
                   1065: file is not present or there is no sudoers line, the following
                   1066: default is assumed:
                   1067: .nf
                   1068: .sp
                   1069: .RS 4n
                   1070: sudoers = files
                   1071: .RE
                   1072: .fi
1.1       misho    1073: .SH "FILES"
1.1.1.3   misho    1074: .TP 26n
                   1075: \fI@ldap_conf@\fR
                   1076: LDAP configuration file
                   1077: .TP 26n
                   1078: \fI@nsswitch_conf@\fR
1.1       misho    1079: determines sudoers source order
1.1.1.3   misho    1080: .TP 26n
                   1081: \fI@netsvc_conf@\fR
                   1082: determines sudoers source order on AIX
1.1       misho    1083: .SH "EXAMPLES"
                   1084: .SS "Example ldap.conf"
1.1.1.3   misho    1085: .nf
                   1086: .RS 2n
                   1087: # Either specify one or more URIs or one or more host:port pairs.
                   1088: # If neither is specified sudo will default to localhost, port 389.
                   1089: #
                   1090: #host          ldapserver
                   1091: #host          ldapserver1 ldapserver2:390
                   1092: #
                   1093: # Default port if host is specified without one, defaults to 389.
                   1094: #port          389
                   1095: #
                   1096: # URI will override the host and port settings.
                   1097: uri            ldap://ldapserver
                   1098: #uri            ldaps://secureldapserver
                   1099: #uri            ldaps://secureldapserver ldap://ldapserver
                   1100: #
                   1101: # The amount of time, in seconds, to wait while trying to connect to
                   1102: # an LDAP server.
                   1103: bind_timelimit 30
                   1104: #
                   1105: # The amount of time, in seconds, to wait while performing an LDAP query.
                   1106: timelimit 30
                   1107: #
                   1108: # Must be set or sudo will ignore LDAP; may be specified multiple times.
                   1109: sudoers_base   ou=SUDOers,dc=example,dc=com
                   1110: #
                   1111: # verbose sudoers matching from ldap
                   1112: #sudoers_debug 2
                   1113: #
                   1114: # Enable support for time-based entries in sudoers.
                   1115: #sudoers_timed yes
                   1116: #
                   1117: # optional proxy credentials
                   1118: #binddn        <who to search as>
                   1119: #bindpw        <password>
                   1120: #rootbinddn    <who to search as, uses /etc/ldap.secret for bindpw>
                   1121: #
                   1122: # LDAP protocol version, defaults to 3
                   1123: #ldap_version 3
                   1124: #
                   1125: # Define if you want to use an encrypted LDAP connection.
                   1126: # Typically, you must also set the port to 636 (ldaps).
                   1127: #ssl on
                   1128: #
                   1129: # Define if you want to use port 389 and switch to
                   1130: # encryption before the bind credentials are sent.
                   1131: # Only supported by LDAP servers that support the start_tls
                   1132: # extension such as OpenLDAP.
                   1133: #ssl start_tls
                   1134: #
                   1135: # Additional TLS options follow that allow tweaking of the
                   1136: # SSL/TLS connection.
                   1137: #
                   1138: #tls_checkpeer yes # verify server SSL certificate
                   1139: #tls_checkpeer no  # ignore server SSL certificate
                   1140: #
                   1141: # If you enable tls_checkpeer, specify either tls_cacertfile
                   1142: # or tls_cacertdir.  Only supported when using OpenLDAP.
                   1143: #
                   1144: #tls_cacertfile /etc/certs/trusted_signers.pem
                   1145: #tls_cacertdir  /etc/certs
                   1146: #
                   1147: # For systems that don't have /dev/random
                   1148: # use this along with PRNGD or EGD.pl to seed the
                   1149: # random number pool to generate cryptographic session keys.
                   1150: # Only supported when using OpenLDAP.
                   1151: #
                   1152: #tls_randfile /etc/egd-pool
                   1153: #
                   1154: # You may restrict which ciphers are used.  Consult your SSL
                   1155: # documentation for which options go here.
                   1156: # Only supported when using OpenLDAP.
                   1157: #
                   1158: #tls_ciphers <cipher-list>
                   1159: #
                   1160: # Sudo can provide a client certificate when communicating to
                   1161: # the LDAP server.
                   1162: # Tips:
                   1163: #   * Enable both lines at the same time.
                   1164: #   * Do not password protect the key file.
                   1165: #   * Ensure the keyfile is only readable by root.
                   1166: #
                   1167: # For OpenLDAP:
                   1168: #tls_cert /etc/certs/client_cert.pem
                   1169: #tls_key  /etc/certs/client_key.pem
                   1170: #
                   1171: # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
                   1172: # a directory, in which case the files in the directory must have the
                   1173: # default names (e.g. cert8.db and key4.db), or the path to the cert
                   1174: # and key files themselves.  However, a bug in version 5.0 of the LDAP
                   1175: # SDK will prevent specific file names from working.  For this reason
                   1176: # it is suggested that tls_cert and tls_key be set to a directory,
                   1177: # not a file name.
                   1178: #
                   1179: # The certificate database specified by tls_cert may contain CA certs
                   1180: # and/or the client's cert.  If the client's cert is included, tls_key
                   1181: # should be specified as well.
                   1182: # For backward compatibility, "sslpath" may be used in place of tls_cert.
                   1183: #tls_cert /var/ldap
                   1184: #tls_key /var/ldap
                   1185: #
                   1186: # If using SASL authentication for LDAP (OpenSSL)
                   1187: # use_sasl yes
                   1188: # sasl_auth_id <SASL user name>
                   1189: # rootuse_sasl yes
                   1190: # rootsasl_auth_id <SASL user name for root access>
                   1191: # sasl_secprops none
                   1192: # krb5_ccname /etc/.ldapcache
                   1193: .RE
                   1194: .fi
1.1       misho    1195: .SS "Sudo schema for OpenLDAP"
1.1.1.3   misho    1196: The following schema, in OpenLDAP format, is included with
                   1197: \fBsudo\fR
                   1198: source and binary distributions as
                   1199: \fIschema.OpenLDAP\fR.
                   1200: Simply copy
                   1201: it to the schema directory (e.g.\&
                   1202: \fI/etc/openldap/schema\fR),
                   1203: add the proper
                   1204: \fRinclude\fR
                   1205: line in
                   1206: \fIslapd.conf\fR
                   1207: and restart
                   1208: \fBslapd\fR.
                   1209: .nf
                   1210: .sp
                   1211: .RS 2n
                   1212: attributetype ( 1.3.6.1.4.1.15953.9.1.1
                   1213:    NAME 'sudoUser'
                   1214:    DESC 'User(s) who may  run sudo'
                   1215:    EQUALITY caseExactIA5Match
                   1216:    SUBSTR caseExactIA5SubstringsMatch
                   1217:    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
                   1218: 
                   1219: attributetype ( 1.3.6.1.4.1.15953.9.1.2
                   1220:    NAME 'sudoHost'
                   1221:    DESC 'Host(s) who may run sudo'
                   1222:    EQUALITY caseExactIA5Match
                   1223:    SUBSTR caseExactIA5SubstringsMatch
                   1224:    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
                   1225: 
                   1226: attributetype ( 1.3.6.1.4.1.15953.9.1.3
                   1227:    NAME 'sudoCommand'
                   1228:    DESC 'Command(s) to be executed by sudo'
                   1229:    EQUALITY caseExactIA5Match
                   1230:    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
                   1231: 
                   1232: attributetype ( 1.3.6.1.4.1.15953.9.1.4
                   1233:    NAME 'sudoRunAs'
                   1234:    DESC 'User(s) impersonated by sudo'
                   1235:    EQUALITY caseExactIA5Match
                   1236:    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
                   1237: 
                   1238: attributetype ( 1.3.6.1.4.1.15953.9.1.5
                   1239:    NAME 'sudoOption'
                   1240:    DESC 'Options(s) followed by sudo'
                   1241:    EQUALITY caseExactIA5Match
                   1242:    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
                   1243: 
                   1244: attributetype ( 1.3.6.1.4.1.15953.9.1.6
                   1245:    NAME 'sudoRunAsUser'
                   1246:    DESC 'User(s) impersonated by sudo'
                   1247:    EQUALITY caseExactIA5Match
                   1248:    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
                   1249: 
                   1250: attributetype ( 1.3.6.1.4.1.15953.9.1.7
                   1251:    NAME 'sudoRunAsGroup'
                   1252:    DESC 'Group(s) impersonated by sudo'
                   1253:    EQUALITY caseExactIA5Match
                   1254:    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
                   1255: 
                   1256: attributetype ( 1.3.6.1.4.1.15953.9.1.8
                   1257:    NAME 'sudoNotBefore'
                   1258:    DESC 'Start of time interval for which the entry is valid'
                   1259:    EQUALITY generalizedTimeMatch
                   1260:    ORDERING generalizedTimeOrderingMatch
                   1261:    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
                   1262: 
                   1263: attributetype ( 1.3.6.1.4.1.15953.9.1.9
                   1264:    NAME 'sudoNotAfter'
                   1265:    DESC 'End of time interval for which the entry is valid'
                   1266:    EQUALITY generalizedTimeMatch
                   1267:    ORDERING generalizedTimeOrderingMatch
                   1268:    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
                   1269: 
                   1270: attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
                   1271:     NAME 'sudoOrder'
                   1272:     DESC 'an integer to order the sudoRole entries'
                   1273:     EQUALITY integerMatch
                   1274:     ORDERING integerOrderingMatch
                   1275:     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
                   1276: 
                   1277: objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
                   1278:    DESC 'Sudoer Entries'
                   1279:    MUST ( cn )
                   1280:    MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
                   1281:         sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
                   1282:         sudoOrder $ description )
                   1283:    )
                   1284: .RE
                   1285: .fi
1.1       misho    1286: .SH "SEE ALSO"
1.1.1.4   misho    1287: ldap.conf(@mansectform@),
                   1288: sudo.conf(@mansectform@),
1.1.1.3   misho    1289: sudoers(@mansectsu@)
1.1       misho    1290: .SH "CAVEATS"
1.1.1.3   misho    1291: Note that there are differences in the way that LDAP-based
                   1292: \fIsudoers\fR
                   1293: is parsed compared to file-based
                   1294: \fIsudoers\fR.
                   1295: See the
                   1296: \fIDifferences between LDAP and non-LDAP sudoers\fR
                   1297: section for more information.
1.1       misho    1298: .SH "BUGS"
1.1.1.3   misho    1299: If you feel you have found a bug in
                   1300: \fBsudo\fR,
                   1301: please submit a bug report at http://www.sudo.ws/sudo/bugs/
1.1       misho    1302: .SH "SUPPORT"
                   1303: Limited free support is available via the sudo-users mailing list,
1.1.1.3   misho    1304: see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
1.1       misho    1305: search the archives.
                   1306: .SH "DISCLAIMER"
1.1.1.3   misho    1307: \fBsudo\fR
                   1308: is provided
                   1309: ``AS IS''
                   1310: and any express or implied warranties, including, but not limited
                   1311: to, the implied warranties of merchantability and fitness for a
                   1312: particular purpose are disclaimed.
                   1313: See the LICENSE file distributed with
                   1314: \fBsudo\fR
                   1315: or http://www.sudo.ws/sudo/license.html for complete details.

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>