--- embedaddon/sudo/doc/sudoers.ldap.mdoc.in 2013/10/14 07:56:34 1.1.1.3 +++ embedaddon/sudo/doc/sudoers.ldap.mdoc.in 2014/06/15 16:12:54 1.1.1.4 @@ -1,5 +1,5 @@ .\" -.\" Copyright (c) 2003-2013 Todd C. Miller +.\" Copyright (c) 2003-2014 Todd C. Miller .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -14,7 +14,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd August 30, 2013 +.Dd February 7, 2014 .Dt SUDOERS.LDAP @mansectsu@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -76,18 +76,18 @@ is no need for a specialized tool to check syntax. Another major difference between LDAP and file-based .Em sudoers is that in LDAP, -.Nm sudo Ns No -specific +.Nm sudo Ns -specific Aliases are not supported. .Pp For the most part, there is really no need for -.Nm sudo Ns No -specific +.Nm sudo Ns -specific Aliases. Unix groups, non-Unix groups (via the .Em group_plugin ) or user netgroups can be used in place of User_Aliases and Runas_Aliases. Host netgroups can be used in place of Host_Aliases. Since groups and netgroups can also be stored in LDAP there is no real need for -.Nm sudo Ns No -specific +.Nm sudo Ns -specific aliases. .Pp Cmnd_Aliases are not really required either since it is possible @@ -421,7 +421,7 @@ sudoHost: !web01 .Ed .Ss Sudoers schema In order to use -.Nm sudo Ns No 's +.Nm sudo Ns 's LDAP support, the .Nm sudo schema must be @@ -451,7 +451,7 @@ Sudo reads the file for LDAP-specific configuration. Typically, this file is shared between different LDAP-aware clients. As such, most of the settings are not -.Nm sudo Ns No -specific. +.Nm sudo Ns -specific. Note that .Nm sudo parses 
@@ -564,9 +564,9 @@ The parameter specifies the amount of time, in seconds, to wait while trying to connect to an LDAP server. If multiple -.Sy URI Ns No s +.Sy URI Ns s or -.Sy HOST Ns No s +.Sy HOST Ns s are specified, this is the amount of time to wait before trying the next one in the list. .It Sy NETWORK_TIMEOUT Ar seconds @@ -604,6 +604,11 @@ form .Li attribute=value or .Li (&(attribute=value)(attribute2=value2)) . +The default search filter is: +.Li objectClass=sudoRole . +If +.Ar ldap_filter +is omitted, no search filter will be used. .It Sy SUDOERS_TIMED Ar on/true/yes/off/false/no Whether or not to evaluate the .Li sudoNotBefore
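Review bot: in the `@@ -604,6 +604,11 @@` hunk the two added sentences read as contradictory, and this matters for anyone hardening an LDAP sudoers deployment: `The default search filter is: .Li objectClass=sudoRole .` says a filter is applied when nothing is configured, while `If .Ar ldap_filter is omitted, no search filter will be used.` says that no filter is applied in that same case. Please reword so the reader can tell which behaviour an absent `SUDOERS_SEARCH_FILTER` actually produces, for example by stating whether `objectClass=sudoRole` is the built-in default or only a value shown as an example, and what "omitted" refers to if the two statements are meant to describe different cases.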