1: .\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
2: .\" IT IS GENERATED AUTOMATICALLY FROM sudoers.ldap.mdoc.in
3: .\"
4: .\" Copyright (c) 2003-2014 Todd C. Miller <Todd.Miller@courtesan.com>
5: .\"
6: .\" Permission to use, copy, modify, and distribute this software for any
7: .\" purpose with or without fee is hereby granted, provided that the above
8: .\" copyright notice and this permission notice appear in all copies.
9: .\"
10: .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11: .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12: .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13: .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14: .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15: .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16: .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17: .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
18: .\"
19: .TH "SUDOERS.LDAP" "8" "February 7, 2014" "Sudo @PACKAGE_VERSION@" "OpenBSD System Manager's Manual"
20: .nh
21: .if n .ad l
22: .SH "NAME"
23: \fBsudoers.ldap\fR
24: \- sudo LDAP configuration
25: .SH "DESCRIPTION"
26: In addition to the standard
27: \fIsudoers\fR
28: file,
29: \fBsudo\fR
30: may be configured
31: via LDAP.
32: This can be especially useful for synchronizing
33: \fIsudoers\fR
34: in a large, distributed environment.
35: .PP
36: Using LDAP for
37: \fIsudoers\fR
38: has several benefits:
39: .TP 4n
40: \fBo\fR
41: \fBsudo\fR
42: no longer needs to read
43: \fIsudoers\fR
44: in its entirety.
45: When LDAP is used, there are only two or three LDAP queries per invocation.
46: This makes it especially fast and particularly usable in LDAP environments.
47: .TP 4n
48: \fBo\fR
49: \fBsudo\fR
50: no longer exits if there is a typo in
51: \fIsudoers\fR.
52: It is not possible to load LDAP data into the server that does
53: not conform to the sudoers schema, so proper syntax is guaranteed.
54: It is still possible to have typos in a user or host name, but
55: this will not prevent
56: \fBsudo\fR
57: from running.
58: .TP 4n
59: \fBo\fR
60: It is possible to specify per-entry options that override the global
61: default options.
62: \fI@sysconfdir@/sudoers\fR
63: only supports default options and limited options associated with
64: user/host/commands/aliases.
65: The syntax is complicated and can be difficult for users to understand.
66: Placing the options directly in the entry is more natural.
67: .TP 4n
68: \fBo\fR
69: The
70: \fBvisudo\fR
71: program is no longer needed.
72: \fBvisudo\fR
73: provides locking and syntax checking of the
74: \fI@sysconfdir@/sudoers\fR
75: file.
76: Since LDAP updates are atomic, locking is no longer necessary.
77: Because syntax is checked when the data is inserted into LDAP, there
78: is no need for a specialized tool to check syntax.
79: .PP
80: Another major difference between LDAP and file-based
81: \fIsudoers\fR
82: is that in LDAP,
83: \fBsudo\fR-specific
84: Aliases are not supported.
85: .PP
86: For the most part, there is really no need for
87: \fBsudo\fR-specific
88: Aliases.
89: Unix groups, non-Unix groups (via the
90: \fIgroup_plugin\fR)
91: or user netgroups can be used in place of User_Aliases and Runas_Aliases.
92: Host netgroups can be used in place of Host_Aliases.
93: Since groups and netgroups can also be stored in LDAP there is no real need for
94: \fBsudo\fR-specific
95: aliases.
96: .PP
97: Cmnd_Aliases are not really required either since it is possible
98: to have multiple users listed in a
99: \fRsudoRole\fR.
100: Instead of defining a Cmnd_Alias that is referenced by multiple users,
101: one can create a
102: \fRsudoRole\fR
103: that contains the commands and assign multiple users to it.
104: .SS "SUDOers LDAP container"
105: The
106: \fIsudoers\fR
107: configuration is contained in the
108: \fRou=SUDOers\fR
109: LDAP container.
110: .PP
111: Sudo first looks for the
112: \fRcn=default\fR
113: entry in the SUDOers container.
114: If found, the multi-valued
115: \fRsudoOption\fR
116: attribute is parsed in the same manner as a global
117: \fRDefaults\fR
118: line in
119: \fI@sysconfdir@/sudoers\fR.
120: In the following example, the
121: \fRSSH_AUTH_SOCK\fR
122: variable will be preserved in the environment for all users.
123: .nf
124: .sp
125: .RS 4n
126: dn: cn=defaults,ou=SUDOers,dc=example,dc=com
127: objectClass: top
128: objectClass: sudoRole
129: cn: defaults
130: description: Default sudoOption's go here
131: sudoOption: env_keep+=SSH_AUTH_SOCK
132: .RE
133: .fi
134: .PP
135: The equivalent of a sudoer in LDAP is a
136: \fRsudoRole\fR.
137: It consists of the following attributes:
138: .TP 6n
139: \fBsudoUser\fR
140: A user name, user ID (prefixed with
141: \(oq#\(cq),
142: Unix group name or ID (prefixed with
143: \(oq%\(cq
144: or
145: \(oq%#\(cq
146: respectively), user netgroup (prefixed with
147: \(oq+\(cq),
148: or non-Unix group name or ID (prefixed with
149: \(oq%:\(cq
150: or
151: \(oq%:#\(cq
152: respectively).
153: Non-Unix group support is only available when an appropriate
154: \fIgroup_plugin\fR
155: is defined in the global
156: \fIdefaults\fR
157: \fRsudoRole\fR
158: object.
159: .TP 6n
160: \fBsudoHost\fR
161: A host name, IP address, IP network, or host netgroup (prefixed with a
162: \(oq+\(cq).
163: The special value
164: \fRALL\fR
165: will match any host.
166: .TP 6n
167: \fBsudoCommand\fR
168: A fully-qualified Unix command name with optional command line arguments,
169: potentially including globbing characters (aka wild cards).
170: If a command name is preceded by an exclamation point,
171: \(oq\&!\(cq,
172: the user will be prohibited from running that command.
173: .sp
174: The built-in command
175: \(lq\fRsudoedit\fR\(rq
176: is used to permit a user to run
177: \fBsudo\fR
178: with the
179: \fB\-e\fR
180: option (or as
181: \fBsudoedit\fR).
182: It may take command line arguments just as a normal command does.
183: Note that
184: \(lq\fRsudoedit\fR\(rq
185: is a command built into
186: \fBsudo\fR
187: itself and must be specified in without a leading path.
188: .sp
189: The special value
190: \fRALL\fR
191: will match any command.
192: .sp
193: If a command name is prefixed with a SHA-2 digest, it will
194: only be allowed if the digest matches.
195: This may be useful in situations where the user invoking
196: \fBsudo\fR
197: has write access to the command or its parent directory.
198: The following digest formats are supported: sha224, sha256, sha384 and sha512.
199: The digest name must be followed by a colon
200: (\(oq:\&\(cq)
201: and then the actual digest, in either hex or base64 format.
202: For example, given the following value for sudoCommand:
203: .nf
204: .sp
205: .RS 10n
206: sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ /bin/ls
207: .RE
208: .fi
209: .RS 6n
210: .sp
211: The user may only run
212: \fI/bin/ls\fR
213: if its sha224 digest matches the specified value.
214: Command digests are only supported by version 1.8.7 or higher.
215: .RE
216: .TP 6n
217: \fBsudoOption\fR
218: Identical in function to the global options described above, but
219: specific to the
220: \fRsudoRole\fR
221: in which it resides.
222: .TP 6n
223: \fBsudoRunAsUser\fR
224: A user name or uid (prefixed with
225: \(oq#\(cq)
226: that commands may be run as or a Unix group (prefixed with a
227: \(oq%\(cq)
228: or user netgroup (prefixed with a
229: \(oq+\(cq)
230: that contains a list of users that commands may be run as.
231: The special value
232: \fRALL\fR
233: will match any user.
234: .sp
235: The
236: \fRsudoRunAsUser\fR
237: attribute is only available in
238: \fBsudo\fR
239: versions
240: 1.7.0 and higher.
241: Older versions of
242: \fBsudo\fR
243: use the
244: \fRsudoRunAs\fR
245: attribute instead.
246: .TP 6n
247: \fBsudoRunAsGroup\fR
248: A Unix group or gid (prefixed with
249: \(oq#\(cq)
250: that commands may be run as.
251: The special value
252: \fRALL\fR
253: will match any group.
254: .sp
255: The
256: \fRsudoRunAsGroup\fR
257: attribute is only available in
258: \fBsudo\fR
259: versions
260: 1.7.0 and higher.
261: .TP 6n
262: \fBsudoNotBefore\fR
263: A timestamp in the form
264: \fRyyyymmddHHMMSSZ\fR
265: that can be used to provide a start date/time for when the
266: \fRsudoRole\fR
267: will be valid.
268: If multiple
269: \fRsudoNotBefore\fR
270: entries are present, the earliest is used.
271: Note that timestamps must be in Coordinated Universal Time (UTC),
272: not the local timezone.
273: The minute and seconds portions are optional, but some LDAP servers
274: require that they be present (contrary to the RFC).
275: .sp
276: The
277: \fRsudoNotBefore\fR
278: attribute is only available in
279: \fBsudo\fR
280: versions 1.7.5 and higher and must be explicitly enabled via the
281: \fBSUDOERS_TIMED\fR
282: option in
283: \fI@ldap_conf@\fR.
284: .TP 6n
285: \fBsudoNotAfter\fR
286: A timestamp in the form
287: \fRyyyymmddHHMMSSZ\fR
288: that indicates an expiration date/time, after which the
289: \fRsudoRole\fR
290: will no longer be valid.
291: If multiple
292: \fRsudoNotBefore\fR
293: entries are present, the last one is used.
294: Note that timestamps must be in Coordinated Universal Time (UTC),
295: not the local timezone.
296: The minute and seconds portions are optional, but some LDAP servers
297: require that they be present (contrary to the RFC).
298: .sp
299: The
300: \fRsudoNotAfter\fR
301: attribute is only available in
302: \fBsudo\fR
303: versions
304: 1.7.5 and higher and must be explicitly enabled via the
305: \fBSUDOERS_TIMED\fR
306: option in
307: \fI@ldap_conf@\fR.
308: .TP 6n
309: \fBsudoOrder\fR
310: The
311: \fRsudoRole\fR
312: entries retrieved from the LDAP directory have no inherent order.
313: The
314: \fRsudoOrder\fR
315: attribute is an integer (or floating point value for LDAP servers
316: that support it) that is used to sort the matching entries.
317: This allows LDAP-based sudoers entries to more closely mimic the behavior
318: of the sudoers file, where the of the entries influences the result.
319: If multiple entries match, the entry with the highest
320: \fRsudoOrder\fR
321: attribute is chosen.
322: This corresponds to the
323: \(lqlast match\(rq
324: behavior of the sudoers file.
325: If the
326: \fRsudoOrder\fR
327: attribute is not present, a value of 0 is assumed.
328: .sp
329: The
330: \fRsudoOrder\fR
331: attribute is only available in
332: \fBsudo\fR
333: versions 1.7.5 and higher.
334: .PP
335: Each attribute listed above should contain a single value, but there
336: may be multiple instances of each attribute type.
337: A
338: \fRsudoRole\fR
339: must contain at least one
340: \fRsudoUser\fR,
341: \fRsudoHost\fR
342: and
343: \fRsudoCommand\fR.
344: .PP
345: The following example allows users in group wheel to run any command
346: on any host via
347: \fBsudo\fR:
348: .nf
349: .sp
350: .RS 4n
351: dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
352: objectClass: top
353: objectClass: sudoRole
354: cn: %wheel
355: sudoUser: %wheel
356: sudoHost: ALL
357: sudoCommand: ALL
358: .RE
359: .fi
360: .SS "Anatomy of LDAP sudoers lookup"
361: When looking up a sudoer using LDAP there are only two or three
362: LDAP queries per invocation.
363: The first query is to parse the global options.
364: The second is to match against the user's name and the groups that
365: the user belongs to.
366: (The special
367: \fRALL\fR
368: tag is matched in this query too.)
369: If no match is returned for the user's name and groups, a third
370: query returns all entries containing user netgroups and checks
371: to see if the user belongs to any of them.
372: .PP
373: If timed entries are enabled with the
374: \fBSUDOERS_TIMED\fR
375: configuration directive, the LDAP queries include a sub-filter that
376: limits retrieval to entries that satisfy the time constraints, if any.
377: .SS "Differences between LDAP and non-LDAP sudoers"
378: There are some subtle differences in the way sudoers is handled
379: once in LDAP.
380: Probably the biggest is that according to the RFC, LDAP ordering
381: is arbitrary and you cannot expect that Attributes and Entries are
382: returned in any specific order.
383: .PP
384: The order in which different entries are applied can be controlled
385: using the
386: \fRsudoOrder\fR
387: attribute, but there is no way to guarantee the order of attributes
388: within a specific entry.
389: If there are conflicting command rules in an entry, the negative
390: takes precedence.
391: This is called paranoid behavior (not necessarily the most specific
392: match).
393: .PP
394: Here is an example:
395: .nf
396: .sp
397: .RS 4n
398: # /etc/sudoers:
399: # Allow all commands except shell
400: johnny ALL=(root) ALL,!/bin/sh
401: # Always allows all commands because ALL is matched last
402: puddles ALL=(root) !/bin/sh,ALL
403:
404: # LDAP equivalent of johnny
405: # Allows all commands except shell
406: dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
407: objectClass: sudoRole
408: objectClass: top
409: cn: role1
410: sudoUser: johnny
411: sudoHost: ALL
412: sudoCommand: ALL
413: sudoCommand: !/bin/sh
414:
415: # LDAP equivalent of puddles
416: # Notice that even though ALL comes last, it still behaves like
417: # role1 since the LDAP code assumes the more paranoid configuration
418: dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
419: objectClass: sudoRole
420: objectClass: top
421: cn: role2
422: sudoUser: puddles
423: sudoHost: ALL
424: sudoCommand: !/bin/sh
425: sudoCommand: ALL
426: .RE
427: .fi
428: .PP
429: Another difference is that negations on the Host, User or Runas are
430: currently ignored.
431: For example, the following attributes do not behave the way one might expect.
432: .nf
433: .sp
434: .RS 4n
435: # does not match all but joe
436: # rather, does not match anyone
437: sudoUser: !joe
438:
439: # does not match all but joe
440: # rather, matches everyone including Joe
441: sudoUser: ALL
442: sudoUser: !joe
443:
444: # does not match all but web01
445: # rather, matches all hosts including web01
446: sudoHost: ALL
447: sudoHost: !web01
448: .RE
449: .fi
450: .SS "Sudoers schema"
451: In order to use
452: \fBsudo\fR's
453: LDAP support, the
454: \fBsudo\fR
455: schema must be
456: installed on your LDAP server.
457: In addition, be sure to index the
458: \fRsudoUser\fR
459: attribute.
460: .PP
461: Three versions of the schema: one for OpenLDAP servers
462: (\fIschema.OpenLDAP\fR),
463: one for Netscape-derived servers
464: (\fIschema.iPlanet\fR),
465: and one for Microsoft Active Directory
466: (\fIschema.ActiveDirectory\fR)
467: may be found in the
468: \fBsudo\fR
469: distribution.
470: .PP
471: The schema for
472: \fBsudo\fR
473: in OpenLDAP form is also included in the
474: \fIEXAMPLES\fR
475: section.
476: .SS "Configuring ldap.conf"
477: Sudo reads the
478: \fI@ldap_conf@\fR
479: file for LDAP-specific configuration.
480: Typically, this file is shared between different LDAP-aware clients.
481: As such, most of the settings are not
482: \fBsudo\fR-specific.
483: Note that
484: \fBsudo\fR
485: parses
486: \fI@ldap_conf@\fR
487: itself and may support options that differ from those described in the
488: system's
489: ldap.conf(@mansectsu@)
490: manual.
491: The path to
492: \fIldap.conf\fR
493: may be overridden via the
494: \fIldap_conf\fR
495: plugin argument in
496: sudo.conf(@mansectform@).
497: .PP
498: Also note that on systems using the OpenLDAP libraries, default
499: values specified in
500: \fI/etc/openldap/ldap.conf\fR
501: or the user's
502: \fI.ldaprc\fR
503: files are not used.
504: .PP
505: Only those options explicitly listed in
506: \fI@ldap_conf@\fR
507: as being supported by
508: \fBsudo\fR
509: are honored.
510: Configuration options are listed below in upper case but are parsed
511: in a case-independent manner.
512: .PP
513: The pound sign
514: (\(oq#\(cq)
515: is used to indicate a comment.
516: Both the comment character and any text after it, up to the end of
517: the line, are ignored.
518: Long lines can be continued with a backslash
519: (\(oq\e\(cq)
520: as the last character on the line.
521: Note that leading white space is removed from the beginning of lines
522: even when the continuation character is used.
523: .TP 6n
524: \fBURI\fR \fIldap[s]://[hostname[:port]] ...\fR
525: Specifies a white space-delimited list of one or more URIs describing
526: the LDAP server(s) to connect to.
527: The
528: \fIprotocol\fR
529: may be either
530: \fIldap\fR
531: \fIldaps\fR,
532: the latter being for servers that support TLS (SSL) encryption.
533: If no
534: \fIport\fR
535: is specified, the default is port 389 for
536: \fRldap://\fR
537: or port 636 for
538: \fRldaps://\fR.
539: If no
540: \fIhostname\fR
541: is specified,
542: \fBsudo\fR
543: will connect to
544: \fIlocalhost\fR.
545: Multiple
546: \fBURI\fR
547: lines are treated identically to a
548: \fBURI\fR
549: line containing multiple entries.
550: Only systems using the OpenSSL libraries support the mixing of
551: \fRldap://\fR
552: and
553: \fRldaps://\fR
554: URIs.
555: Both the Netscape-derived and Tivoli LDAP libraries used on most commercial
556: versions of Unix are only capable of supporting one or the other.
557: .TP 6n
558: \fBHOST\fR \fIname[:port] ...\fR
559: If no
560: \fBURI\fR
561: is specified, the
562: \fBHOST\fR
563: parameter specifies a white space-delimited list of LDAP servers to connect to.
564: Each host may include an optional
565: \fIport\fR
566: separated by a colon
567: (\(oq:\&\(cq).
568: The
569: \fBHOST\fR
570: parameter is deprecated in favor of the
571: \fBURI\fR
572: specification and is included for backwards compatibility.
573: .TP 6n
574: \fBPORT\fR \fIport_number\fR
575: If no
576: \fBURI\fR
577: is specified, the
578: \fBPORT\fR
579: parameter specifies the default port to connect to on the LDAP server if a
580: \fBHOST\fR
581: parameter does not specify the port itself.
582: If no
583: \fBPORT\fR
584: parameter is used, the default is port 389 for LDAP and port 636 for LDAP
585: over TLS (SSL).
586: The
587: \fBPORT\fR
588: parameter is deprecated in favor of the
589: \fBURI\fR
590: specification and is included for backwards compatibility.
591: .TP 6n
592: \fBBIND_TIMELIMIT\fR \fIseconds\fR
593: The
594: \fBBIND_TIMELIMIT\fR
595: parameter specifies the amount of time, in seconds, to wait while trying
596: to connect to an LDAP server.
597: If multiple
598: \fBURI\fRs
599: or
600: \fBHOST\fRs
601: are specified, this is the amount of time to wait before trying
602: the next one in the list.
603: .TP 6n
604: \fBNETWORK_TIMEOUT\fR \fIseconds\fR
605: An alias for
606: \fBBIND_TIMELIMIT\fR
607: for OpenLDAP compatibility.
608: .TP 6n
609: \fBTIMELIMIT\fR \fIseconds\fR
610: The
611: \fBTIMELIMIT\fR
612: parameter specifies the amount of time, in seconds, to wait for a
613: response to an LDAP query.
614: .TP 6n
615: \fBTIMEOUT\fR \fIseconds\fR
616: The
617: \fBTIMEOUT\fR
618: parameter specifies the amount of time, in seconds, to wait for a
619: response from the various LDAP APIs.
620: .TP 6n
621: \fBSUDOERS_BASE\fR \fIbase\fR
622: The base DN to use when performing
623: \fBsudo\fR
624: LDAP queries.
625: Typically this is of the form
626: \fRou=SUDOers,dc=example,dc=com\fR
627: for the domain
628: \fRexample.com\fR.
629: Multiple
630: \fBSUDOERS_BASE\fR
631: lines may be specified, in which case they are queried in the order specified.
632: .TP 6n
633: \fBSUDOERS_SEARCH_FILTER\fR \fIldap_filter\fR
634: An LDAP filter which is used to restrict the set of records returned
635: when performing a
636: \fBsudo\fR
637: LDAP query.
638: Typically, this is of the
639: form
640: \fRattribute=value\fR
641: or
642: \fR(&(attribute=value)(attribute2=value2))\fR.
643: The default search filter is:
644: \fRobjectClass=sudoRole\fR.
645: If
646: \fIldap_filter\fR
647: is omitted, no search filter will be used.
648: .TP 6n
649: \fBSUDOERS_TIMED\fR \fIon/true/yes/off/false/no\fR
650: Whether or not to evaluate the
651: \fRsudoNotBefore\fR
652: and
653: \fRsudoNotAfter\fR
654: attributes that implement time-dependent sudoers entries.
655: .TP 6n
656: \fBSUDOERS_DEBUG\fR \fIdebug_level\fR
657: This sets the debug level for
658: \fBsudo\fR
659: LDAP queries.
660: Debugging information is printed to the standard error.
661: A value of 1 results in a moderate amount of debugging information.
662: A value of 2 shows the results of the matches themselves.
663: This parameter should not be set in a production environment as the
664: extra information is likely to confuse users.
665: .sp
666: The
667: \fBSUDOERS_DEBUG\fR
668: parameter is deprecated and will be removed in a future release.
669: The same information is now logged via the
670: \fBsudo\fR
671: debugging framework using the
672: \(lqldap\(rq
673: subsystem at priorities
674: \fIdiag\fR
675: and
676: \fIinfo\fR
677: for
678: \fIdebug_level\fR
679: values 1 and 2 respectively.
680: See the
681: sudo.conf(@mansectform@)
682: manual for details on how to configure
683: \fBsudo\fR
684: debugging.
685: .TP 6n
686: \fBBINDDN\fR \fIDN\fR
687: The
688: \fBBINDDN\fR
689: parameter specifies the identity, in the form of a Distinguished Name (DN),
690: to use when performing LDAP operations.
691: If not specified, LDAP operations are performed with an anonymous identity.
692: By default, most LDAP servers will allow anonymous access.
693: .TP 6n
694: \fBBINDPW\fR \fIsecret\fR
695: The
696: \fBBINDPW\fR
697: parameter specifies the password to use when performing LDAP operations.
698: This is typically used in conjunction with the
699: \fBBINDDN\fR
700: parameter.
701: .TP 6n
702: \fBROOTBINDDN\fR \fIDN\fR
703: The
704: \fBROOTBINDDN\fR
705: parameter specifies the identity, in the form of a Distinguished Name (DN),
706: to use when performing privileged LDAP operations, such as
707: \fIsudoers\fR
708: queries.
709: The password corresponding to the identity should be stored in the
710: or the path specified by the
711: \fIldap_secret\fR
712: plugin argument in
713: sudo.conf(@mansectform@),
714: which defaults to
715: \fI@ldap_secret@\fR.
716: If no
717: \fBROOTBINDDN\fR
718: is specified, the
719: \fBBINDDN\fR
720: identity is used (if any).
721: .TP 6n
722: \fBLDAP_VERSION\fR \fInumber\fR
723: The version of the LDAP protocol to use when connecting to the server.
724: The default value is protocol version 3.
725: .TP 6n
726: \fBSSL\fR \fIon/true/yes/off/false/no\fR
727: If the
728: \fBSSL\fR
729: parameter is set to
730: \fRon\fR,
731: \fRtrue\fR
732: \fRor\fR
733: \fRyes\fR,
734: TLS (SSL) encryption is always used when communicating with the LDAP server.
735: Typically, this involves connecting to the server on port 636 (ldaps).
736: .TP 6n
737: \fBSSL\fR \fIstart_tls\fR
738: If the
739: \fBSSL\fR
740: parameter is set to
741: \fRstart_tls\fR,
742: the LDAP server connection is initiated normally and TLS encryption is
743: begun before the bind credentials are sent.
744: This has the advantage of not requiring a dedicated port for encrypted
745: communications.
746: This parameter is only supported by LDAP servers that honor the
747: \fIstart_tls\fR
748: extension, such as the OpenLDAP and Tivoli Directory servers.
749: .TP 6n
750: \fBTLS_CHECKPEER\fR \fIon/true/yes/off/false/no\fR
751: If enabled,
752: \fBTLS_CHECKPEER\fR
753: will cause the LDAP server's TLS certificated to be verified.
754: If the server's TLS certificate cannot be verified (usually because it
755: is signed by an unknown certificate authority),
756: \fBsudo\fR
757: will be unable to connect to it.
758: If
759: \fBTLS_CHECKPEER\fR
760: is disabled, no check is made.
761: Note that disabling the check creates an opportunity for man-in-the-middle
762: attacks since the server's identity will not be authenticated.
763: If possible, the CA's certificate should be installed locally so it can
764: be verified.
765: This option is not supported by the Tivoli Directory Server LDAP libraries.
766: .TP 6n
767: \fBTLS_CACERT\fR \fIfile name\fR
768: An alias for
769: \fBTLS_CACERTFILE\fR
770: for OpenLDAP compatibility.
771: .TP 6n
772: \fBTLS_CACERTFILE\fR \fIfile name\fR
773: The path to a certificate authority bundle which contains the certificates
774: for all the Certificate Authorities the client knows to be valid, e.g.\&
775: \fI/etc/ssl/ca-bundle.pem\fR.
776: This option is only supported by the OpenLDAP libraries.
777: Netscape-derived LDAP libraries use the same certificate
778: database for CA and client certificates (see
779: \fBTLS_CERT\fR).
780: .TP 6n
781: \fBTLS_CACERTDIR\fR \fIdirectory\fR
782: Similar to
783: \fBTLS_CACERTFILE\fR
784: but instead of a file, it is a directory containing individual
785: Certificate Authority certificates, e.g.\&
786: \fI/etc/ssl/certs\fR.
787: The directory specified by
788: \fBTLS_CACERTDIR\fR
789: is checked after
790: \fBTLS_CACERTFILE\fR.
791: This option is only supported by the OpenLDAP libraries.
792: .TP 6n
793: \fBTLS_CERT\fR \fIfile name\fR
794: The path to a file containing the client certificate which can
795: be used to authenticate the client to the LDAP server.
796: The certificate type depends on the LDAP libraries used.
797: .PP
798: .RS 6n
799: .PD 0
800: .TP 6n
801: OpenLDAP:
802: \fRtls_cert /etc/ssl/client_cert.pem\fR
803: .PD
804: .TP 6n
805: Netscape-derived:
806: \fRtls_cert /var/ldap/cert7.db\fR
807: .TP 6n
808: Tivoli Directory Server:
809: Unused, the key database specified by
810: \fBTLS_KEY\fR
811: contains both keys and certificates.
812: .sp
813: When using Netscape-derived libraries, this file may also contain
814: Certificate Authority certificates.
815: .PD 0
816: .PP
817: .RE
818: .PD
819: .TP 6n
820: \fBTLS_KEY\fR \fIfile name\fR
821: The path to a file containing the private key which matches the
822: certificate specified by
823: \fBTLS_CERT\fR.
824: The private key must not be password-protected.
825: The key type depends on the LDAP libraries used.
826: .PP
827: .RS 6n
828: .PD 0
829: .TP 6n
830: OpenLDAP:
831: \fRtls_key /etc/ssl/client_key.pem\fR
832: .PD
833: .TP 6n
834: Netscape-derived:
835: \fRtls_key /var/ldap/key3.db\fR
836: .TP 6n
837: Tivoli Directory Server:
838: \fRtls_key /usr/ldap/ldapkey.kdb\fR
839: .PD 0
840: .PP
841: When using Tivoli LDAP libraries, this file may also contain
842: Certificate Authority and client certificates and may be encrypted.
843: .RE
844: .PD
845: .TP 6n
846: \fBTLS_KEYPW\fR \fIsecret\fR
847: The
848: \fBTLS_KEYPW\fR
849: contains the password used to decrypt the key database on clients
850: using the Tivoli Directory Server LDAP library.
851: This should be a simple string without quotes.
852: The password may not include the comment character
853: (\(oq#\(cq)
854: and escaping of special characters with a backslash
855: (\(oq\e\(cq)
856: is not supported.
857: If this option is used,
858: \fI@ldap_conf@\fR
859: must not be world-readable to avoid exposing the password.
860: Alternately, a
861: \fIstash file\fR
862: can be used to store the password in encrypted form (see below).
863: .sp
864: If no
865: \fBTLS_KEYPW\fR
866: is specified, a
867: \fIstash file\fR
868: will be used if it exists.
869: The
870: \fIstash file\fR
871: must have the same path as the file specified by
872: \fBTLS_KEY\fR,
873: but use a
874: \fR.sth\fR
875: file extension instead of
876: \fR.kdb\fR,
877: e.g.\&
878: \fRldapkey.sth\fR.
879: The default
880: \fRldapkey.kdb\fR
881: that ships with Tivoli Directory Server is encrypted with the password
882: \fRssl_password\fR.
883: The
884: \fIgsk8capicmd\fR
885: utility can be used to manage the key database and create a
886: \fIstash file\fR.
887: This option is only supported by the Tivoli LDAP libraries.
888: .TP 6n
889: \fBTLS_RANDFILE\fR \fIfile name\fR
890: The
891: \fBTLS_RANDFILE\fR
892: parameter specifies the path to an entropy source for systems that lack
893: a random device.
894: It is generally used in conjunction with
895: \fIprngd\fR
896: or
897: \fIegd\fR.
898: This option is only supported by the OpenLDAP libraries.
899: .TP 6n
900: \fBTLS_CIPHERS\fR \fIcipher list\fR
901: The
902: \fBTLS_CIPHERS\fR
903: parameter allows the administer to restrict which encryption algorithms
904: may be used for TLS (SSL) connections.
905: See the OpenLDAP or Tivoli Directory Server manual for a list of valid
906: ciphers.
907: This option is not supported by Netscape-derived libraries.
908: .TP 6n
909: \fBUSE_SASL\fR \fIon/true/yes/off/false/no\fR
910: Enable
911: \fBUSE_SASL\fR
912: for LDAP servers that support SASL authentication.
913: .TP 6n
914: \fBSASL_AUTH_ID\fR \fIidentity\fR
915: The SASL user name to use when connecting to the LDAP server.
916: By default,
917: \fBsudo\fR
918: will use an anonymous connection.
919: .TP 6n
920: \fBROOTUSE_SASL\fR \fIon/true/yes/off/false/no\fR
921: Enable
922: \fBROOTUSE_SASL\fR
923: to enable SASL authentication when connecting
924: to an LDAP server from a privileged process, such as
925: \fBsudo\fR.
926: .TP 6n
927: \fBROOTSASL_AUTH_ID\fR \fIidentity\fR
928: The SASL user name to use when
929: \fBROOTUSE_SASL\fR
930: is enabled.
931: .TP 6n
932: \fBSASL_SECPROPS\fR \fInone/properties\fR
933: SASL security properties or
934: \fInone\fR
935: for no properties.
936: See the SASL programmer's manual for details.
937: .TP 6n
938: \fBKRB5_CCNAME\fR \fIfile name\fR
939: The path to the Kerberos 5 credential cache to use when authenticating
940: with the remote server.
941: .TP 6n
942: \fBDEREF\fR \fInever/searching/finding/always\fR
943: How alias dereferencing is to be performed when searching.
944: See the
945: ldap.conf(@mansectsu@)
946: manual for a full description of this option.
947: .PP
948: See the
949: \fIldap.conf\fR
950: entry in the
951: \fIEXAMPLES\fR
952: section.
953: .SS "Configuring nsswitch.conf"
954: Unless it is disabled at build time,
955: \fBsudo\fR
956: consults the Name Service Switch file,
957: \fI@nsswitch_conf@\fR,
958: to specify the
959: \fIsudoers\fR
960: search order.
961: Sudo looks for a line beginning with
962: \fRsudoers\fR:
963: and uses this to determine the search order.
964: Note that
965: \fBsudo\fR
966: does
967: not stop searching after the first match and later matches take
968: precedence over earlier ones.
969: The following sources are recognized:
970: .PP
971: .RS 4n
972: .PD 0
973: .TP 10n
974: files
975: read sudoers from
976: \fI@sysconfdir@/sudoers\fR
977: .TP 10n
978: ldap
979: read sudoers from LDAP
980: .RE
981: .PD
982: .PP
983: In addition, the entry
984: \fR[NOTFOUND=return]\fR
985: will short-circuit the search if the user was not found in the
986: preceding source.
987: .PP
988: To consult LDAP first followed by the local sudoers file (if it
989: exists), use:
990: .nf
991: .sp
992: .RS 4n
993: sudoers: ldap files
994: .RE
995: .fi
996: .PP
997: The local
998: \fIsudoers\fR
999: file can be ignored completely by using:
1000: .nf
1001: .sp
1002: .RS 4n
1003: sudoers: ldap
1004: .RE
1005: .fi
1006: .PP
1007: If the
1008: \fI@nsswitch_conf@\fR
1009: file is not present or there is no sudoers line, the following
1010: default is assumed:
1011: .nf
1012: .sp
1013: .RS 4n
1014: sudoers: files
1015: .RE
1016: .fi
1017: .PP
1018: Note that
1019: \fI@nsswitch_conf@\fR
1020: is supported even when the underlying operating system does not use
1021: an nsswitch.conf file, except on AIX (see below).
1022: .SS "Configuring netsvc.conf"
1023: On AIX systems, the
1024: \fI@netsvc_conf@\fR
1025: file is consulted instead of
1026: \fI@nsswitch_conf@\fR.
1027: \fBsudo\fR
1028: simply treats
1029: \fInetsvc.conf\fR
1030: as a variant of
1031: \fInsswitch.conf\fR;
1032: information in the previous section unrelated to the file format
1033: itself still applies.
1034: .PP
1035: To consult LDAP first followed by the local sudoers file (if it
1036: exists), use:
1037: .nf
1038: .sp
1039: .RS 4n
1040: sudoers = ldap, files
1041: .RE
1042: .fi
1043: .PP
1044: The local
1045: \fIsudoers\fR
1046: file can be ignored completely by using:
1047: .nf
1048: .sp
1049: .RS 4n
1050: sudoers = ldap
1051: .RE
1052: .fi
1053: .PP
1054: To treat LDAP as authoritative and only use the local sudoers file
1055: if the user is not present in LDAP, use:
1056: .nf
1057: .sp
1058: .RS 4n
1059: sudoers = ldap = auth, files
1060: .RE
1061: .fi
1062: .PP
1063: Note that in the above example, the
1064: \fRauth\fR
1065: qualifier only affects user lookups; both LDAP and
1066: \fIsudoers\fR
1067: will be queried for
1068: \fRDefaults\fR
1069: entries.
1070: .PP
1071: If the
1072: \fI@netsvc_conf@\fR
1073: file is not present or there is no sudoers line, the following
1074: default is assumed:
1075: .nf
1076: .sp
1077: .RS 4n
1078: sudoers = files
1079: .RE
1080: .fi
1081: .SH "FILES"
1082: .TP 26n
1083: \fI@ldap_conf@\fR
1084: LDAP configuration file
1085: .TP 26n
1086: \fI@nsswitch_conf@\fR
1087: determines sudoers source order
1088: .TP 26n
1089: \fI@netsvc_conf@\fR
1090: determines sudoers source order on AIX
1091: .SH "EXAMPLES"
1092: .SS "Example ldap.conf"
1093: .nf
1094: .RS 2n
1095: # Either specify one or more URIs or one or more host:port pairs.
1096: # If neither is specified sudo will default to localhost, port 389.
1097: #
1098: #host ldapserver
1099: #host ldapserver1 ldapserver2:390
1100: #
1101: # Default port if host is specified without one, defaults to 389.
1102: #port 389
1103: #
1104: # URI will override the host and port settings.
1105: uri ldap://ldapserver
1106: #uri ldaps://secureldapserver
1107: #uri ldaps://secureldapserver ldap://ldapserver
1108: #
1109: # The amount of time, in seconds, to wait while trying to connect to
1110: # an LDAP server.
1111: bind_timelimit 30
1112: #
1113: # The amount of time, in seconds, to wait while performing an LDAP query.
1114: timelimit 30
1115: #
1116: # Must be set or sudo will ignore LDAP; may be specified multiple times.
1117: sudoers_base ou=SUDOers,dc=example,dc=com
1118: #
1119: # verbose sudoers matching from ldap
1120: #sudoers_debug 2
1121: #
1122: # Enable support for time-based entries in sudoers.
1123: #sudoers_timed yes
1124: #
1125: # optional proxy credentials
1126: #binddn <who to search as>
1127: #bindpw <password>
1128: #rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>
1129: #
1130: # LDAP protocol version, defaults to 3
1131: #ldap_version 3
1132: #
1133: # Define if you want to use an encrypted LDAP connection.
1134: # Typically, you must also set the port to 636 (ldaps).
1135: #ssl on
1136: #
1137: # Define if you want to use port 389 and switch to
1138: # encryption before the bind credentials are sent.
1139: # Only supported by LDAP servers that support the start_tls
1140: # extension such as OpenLDAP.
1141: #ssl start_tls
1142: #
1143: # Additional TLS options follow that allow tweaking of the
1144: # SSL/TLS connection.
1145: #
1146: #tls_checkpeer yes # verify server SSL certificate
1147: #tls_checkpeer no # ignore server SSL certificate
1148: #
1149: # If you enable tls_checkpeer, specify either tls_cacertfile
1150: # or tls_cacertdir. Only supported when using OpenLDAP.
1151: #
1152: #tls_cacertfile /etc/certs/trusted_signers.pem
1153: #tls_cacertdir /etc/certs
1154: #
1155: # For systems that don't have /dev/random
1156: # use this along with PRNGD or EGD.pl to seed the
1157: # random number pool to generate cryptographic session keys.
1158: # Only supported when using OpenLDAP.
1159: #
1160: #tls_randfile /etc/egd-pool
1161: #
1162: # You may restrict which ciphers are used. Consult your SSL
1163: # documentation for which options go here.
1164: # Only supported when using OpenLDAP.
1165: #
1166: #tls_ciphers <cipher-list>
1167: #
1168: # Sudo can provide a client certificate when communicating to
1169: # the LDAP server.
1170: # Tips:
1171: # * Enable both lines at the same time.
1172: # * Do not password protect the key file.
1173: # * Ensure the keyfile is only readable by root.
1174: #
1175: # For OpenLDAP:
1176: #tls_cert /etc/certs/client_cert.pem
1177: #tls_key /etc/certs/client_key.pem
1178: #
1179: # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
1180: # a directory, in which case the files in the directory must have the
1181: # default names (e.g. cert8.db and key4.db), or the path to the cert
1182: # and key files themselves. However, a bug in version 5.0 of the LDAP
1183: # SDK will prevent specific file names from working. For this reason
1184: # it is suggested that tls_cert and tls_key be set to a directory,
1185: # not a file name.
1186: #
1187: # The certificate database specified by tls_cert may contain CA certs
1188: # and/or the client's cert. If the client's cert is included, tls_key
1189: # should be specified as well.
1190: # For backward compatibility, "sslpath" may be used in place of tls_cert.
1191: #tls_cert /var/ldap
1192: #tls_key /var/ldap
1193: #
1194: # If using SASL authentication for LDAP (OpenSSL)
1195: # use_sasl yes
1196: # sasl_auth_id <SASL user name>
1197: # rootuse_sasl yes
1198: # rootsasl_auth_id <SASL user name for root access>
1199: # sasl_secprops none
1200: # krb5_ccname /etc/.ldapcache
1201: .RE
1202: .fi
1203: .SS "Sudo schema for OpenLDAP"
1204: The following schema, in OpenLDAP format, is included with
1205: \fBsudo\fR
1206: source and binary distributions as
1207: \fIschema.OpenLDAP\fR.
1208: Simply copy
1209: it to the schema directory (e.g.\&
1210: \fI/etc/openldap/schema\fR),
1211: add the proper
1212: \fRinclude\fR
1213: line in
1214: \fIslapd.conf\fR
1215: and restart
1216: \fBslapd\fR.
1217: .nf
1218: .sp
1219: .RS 2n
1220: attributetype ( 1.3.6.1.4.1.15953.9.1.1
1221: NAME 'sudoUser'
1222: DESC 'User(s) who may run sudo'
1223: EQUALITY caseExactIA5Match
1224: SUBSTR caseExactIA5SubstringsMatch
1225: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1226:
1227: attributetype ( 1.3.6.1.4.1.15953.9.1.2
1228: NAME 'sudoHost'
1229: DESC 'Host(s) who may run sudo'
1230: EQUALITY caseExactIA5Match
1231: SUBSTR caseExactIA5SubstringsMatch
1232: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1233:
1234: attributetype ( 1.3.6.1.4.1.15953.9.1.3
1235: NAME 'sudoCommand'
1236: DESC 'Command(s) to be executed by sudo'
1237: EQUALITY caseExactIA5Match
1238: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1239:
1240: attributetype ( 1.3.6.1.4.1.15953.9.1.4
1241: NAME 'sudoRunAs'
1242: DESC 'User(s) impersonated by sudo'
1243: EQUALITY caseExactIA5Match
1244: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1245:
1246: attributetype ( 1.3.6.1.4.1.15953.9.1.5
1247: NAME 'sudoOption'
1248: DESC 'Options(s) followed by sudo'
1249: EQUALITY caseExactIA5Match
1250: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1251:
1252: attributetype ( 1.3.6.1.4.1.15953.9.1.6
1253: NAME 'sudoRunAsUser'
1254: DESC 'User(s) impersonated by sudo'
1255: EQUALITY caseExactIA5Match
1256: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1257:
1258: attributetype ( 1.3.6.1.4.1.15953.9.1.7
1259: NAME 'sudoRunAsGroup'
1260: DESC 'Group(s) impersonated by sudo'
1261: EQUALITY caseExactIA5Match
1262: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1263:
1264: attributetype ( 1.3.6.1.4.1.15953.9.1.8
1265: NAME 'sudoNotBefore'
1266: DESC 'Start of time interval for which the entry is valid'
1267: EQUALITY generalizedTimeMatch
1268: ORDERING generalizedTimeOrderingMatch
1269: SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
1270:
1271: attributetype ( 1.3.6.1.4.1.15953.9.1.9
1272: NAME 'sudoNotAfter'
1273: DESC 'End of time interval for which the entry is valid'
1274: EQUALITY generalizedTimeMatch
1275: ORDERING generalizedTimeOrderingMatch
1276: SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
1277:
1278: attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
1279: NAME 'sudoOrder'
1280: DESC 'an integer to order the sudoRole entries'
1281: EQUALITY integerMatch
1282: ORDERING integerOrderingMatch
1283: SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
1284:
1285: objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
1286: DESC 'Sudoer Entries'
1287: MUST ( cn )
1288: MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
1289: sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
1290: sudoOrder $ description )
1291: )
1292: .RE
1293: .fi
1294: .SH "SEE ALSO"
1295: ldap.conf(@mansectform@),
1296: sudo.conf(@mansectform@),
1297: sudoers(@mansectsu@)
1298: .SH "CAVEATS"
1299: Note that there are differences in the way that LDAP-based
1300: \fIsudoers\fR
1301: is parsed compared to file-based
1302: \fIsudoers\fR.
1303: See the
1304: \fIDifferences between LDAP and non-LDAP sudoers\fR
1305: section for more information.
1306: .SH "BUGS"
1307: If you feel you have found a bug in
1308: \fBsudo\fR,
1309: please submit a bug report at http://www.sudo.ws/sudo/bugs/
1310: .SH "SUPPORT"
1311: Limited free support is available via the sudo-users mailing list,
1312: see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
1313: search the archives.
1314: .SH "DISCLAIMER"
1315: \fBsudo\fR
1316: is provided
1317: \(lqAS IS\(rq
1318: and any express or implied warranties, including, but not limited
1319: to, the implied warranties of merchantability and fitness for a
1320: particular purpose are disclaimed.
1321: See the LICENSE file distributed with
1322: \fBsudo\fR
1323: or http://www.sudo.ws/sudo/license.html for complete details.
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>