version 1.1.1.3, 2013/10/14 07:56:34
|
version 1.1.1.4, 2014/06/15 16:12:54
|
Line 1
|
Line 1
|
.\" |
.\" |
.\" Copyright (c) 2003-2013 Todd C. Miller <Todd.Miller@courtesan.com> | .\" Copyright (c) 2003-2014 Todd C. Miller <Todd.Miller@courtesan.com> |
.\" |
.\" |
.\" Permission to use, copy, modify, and distribute this software for any |
.\" Permission to use, copy, modify, and distribute this software for any |
.\" purpose with or without fee is hereby granted, provided that the above |
.\" purpose with or without fee is hereby granted, provided that the above |
Line 14
|
Line 14
|
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
.\" |
.\" |
.Dd August 30, 2013 | .Dd February 7, 2014 |
.Dt SUDOERS.LDAP @mansectsu@ |
.Dt SUDOERS.LDAP @mansectsu@ |
.Os Sudo @PACKAGE_VERSION@ |
.Os Sudo @PACKAGE_VERSION@ |
.Sh NAME |
.Sh NAME |
Line 76 is no need for a specialized tool to check syntax.
|
Line 76 is no need for a specialized tool to check syntax.
|
Another major difference between LDAP and file-based |
Another major difference between LDAP and file-based |
.Em sudoers |
.Em sudoers |
is that in LDAP, |
is that in LDAP, |
.Nm sudo Ns No -specific | .Nm sudo Ns -specific |
Aliases are not supported. |
Aliases are not supported. |
.Pp |
.Pp |
For the most part, there is really no need for |
For the most part, there is really no need for |
.Nm sudo Ns No -specific | .Nm sudo Ns -specific |
Aliases. |
Aliases. |
Unix groups, non-Unix groups (via the |
Unix groups, non-Unix groups (via the |
.Em group_plugin ) |
.Em group_plugin ) |
or user netgroups can be used in place of User_Aliases and Runas_Aliases. |
or user netgroups can be used in place of User_Aliases and Runas_Aliases. |
Host netgroups can be used in place of Host_Aliases. |
Host netgroups can be used in place of Host_Aliases. |
Since groups and netgroups can also be stored in LDAP there is no real need for |
Since groups and netgroups can also be stored in LDAP there is no real need for |
.Nm sudo Ns No -specific | .Nm sudo Ns -specific |
aliases. |
aliases. |
.Pp |
.Pp |
Cmnd_Aliases are not really required either since it is possible |
Cmnd_Aliases are not really required either since it is possible |
Line 421 sudoHost: !web01
|
Line 421 sudoHost: !web01
|
.Ed |
.Ed |
.Ss Sudoers schema |
.Ss Sudoers schema |
In order to use |
In order to use |
.Nm sudo Ns No 's | .Nm sudo Ns 's |
LDAP support, the |
LDAP support, the |
.Nm sudo |
.Nm sudo |
schema must be |
schema must be |
Line 451 Sudo reads the
|
Line 451 Sudo reads the
|
file for LDAP-specific configuration. |
file for LDAP-specific configuration. |
Typically, this file is shared between different LDAP-aware clients. |
Typically, this file is shared between different LDAP-aware clients. |
As such, most of the settings are not |
As such, most of the settings are not |
.Nm sudo Ns No -specific. | .Nm sudo Ns -specific. |
Note that |
Note that |
.Nm sudo |
.Nm sudo |
parses |
parses |
Line 564 The
|
Line 564 The
|
parameter specifies the amount of time, in seconds, to wait while trying |
parameter specifies the amount of time, in seconds, to wait while trying |
to connect to an LDAP server. |
to connect to an LDAP server. |
If multiple |
If multiple |
.Sy URI Ns No s | .Sy URI Ns s |
or |
or |
.Sy HOST Ns No s | .Sy HOST Ns s |
are specified, this is the amount of time to wait before trying |
are specified, this is the amount of time to wait before trying |
the next one in the list. |
the next one in the list. |
.It Sy NETWORK_TIMEOUT Ar seconds |
.It Sy NETWORK_TIMEOUT Ar seconds |
Line 604 form
|
Line 604 form
|
.Li attribute=value |
.Li attribute=value |
or |
or |
.Li (&(attribute=value)(attribute2=value2)) . |
.Li (&(attribute=value)(attribute2=value2)) . |
|
The default search filter is: |
|
.Li objectClass=sudoRole . |
|
If |
|
.Ar ldap_filter |
|
is omitted, no search filter will be used. |
.It Sy SUDOERS_TIMED Ar on/true/yes/off/false/no |
.It Sy SUDOERS_TIMED Ar on/true/yes/off/false/no |
Whether or not to evaluate the |
Whether or not to evaluate the |
.Li sudoNotBefore |
.Li sudoNotBefore |
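Review bot: the two sentences added at line 604 read as contradictory when taken together: "The default search filter is: objectClass=sudoRole" says a filter applies by default, while "If ldap_filter is omitted, no search filter will be used" says omission leaves the search unfiltered. The text should state which case each sentence covers, for example that the default applies when the directive is absent from the file and that "omitted" means the directive is present with an empty ldap_filter argument. An administrator reading this needs to know which configuration removes the objectClass=sudoRole restriction, so I would reword the second sentence along the lines of "If the directive is given with no ldap_filter argument, no search filter will be used."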