Annotation of embedaddon/sudo/doc/sudoers.ldap.mdoc.in, revision 1.1.1.1
1.1 misho 1: .\"
2: .\" Copyright (c) 2003-2012 Todd C. Miller <Todd.Miller@courtesan.com>
3: .\"
4: .\" Permission to use, copy, modify, and distribute this software for any
5: .\" purpose with or without fee is hereby granted, provided that the above
6: .\" copyright notice and this permission notice appear in all copies.
7: .\"
8: .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9: .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10: .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11: .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12: .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13: .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14: .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15: .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
16: .\"
17: .Dd July 12, 2012
18: .Dt SUDOERS.LDAP @mansectsu@
19: .Os Sudo @PACKAGE_VERSION@
20: .Sh NAME
21: .Nm sudoers.ldap
22: .Nd sudo LDAP configuration
23: .Sh DESCRIPTION
24: In addition to the standard
25: .Em sudoers
26: file,
27: .Nm sudo
28: may be configured
29: via LDAP.
30: This can be especially useful for synchronizing
31: .Em sudoers
32: in a large, distributed environment.
33: .Pp
34: Using LDAP for
35: .Em sudoers
36: has several benefits:
37: .Bl -bullet
38: .It
39: .Nm sudo
40: no longer needs to read
41: .Em sudoers
42: in its entirety.
43: When LDAP is used, there are only two or three LDAP queries per invocation.
44: This makes it especially fast and particularly usable in LDAP environments.
45: .It
46: .Nm sudo
47: no longer exits if there is a typo in
48: .Em sudoers .
49: It is not possible to load LDAP data into the server that does
50: not conform to the sudoers schema, so proper syntax is guaranteed.
51: It is still possible to have typos in a user or host name, but
52: this will not prevent
53: .Nm sudo
54: from running.
55: .It
56: It is possible to specify per-entry options that override the global
57: default options.
58: .Pa @sysconfdir@/sudoers
59: only supports default options and limited options associated with
60: user/host/commands/aliases.
61: The syntax is complicated and can be difficult for users to understand.
62: Placing the options directly in the entry is more natural.
63: .It
64: The
65: .Nm visudo
66: program is no longer needed.
67: .Nm visudo
68: provides locking and syntax checking of the
69: .Pa @sysconfdir@/sudoers
70: file.
71: Since LDAP updates are atomic, locking is no longer necessary.
72: Because syntax is checked when the data is inserted into LDAP, there
73: is no need for a specialized tool to check syntax.
74: .El
75: .Pp
76: Another major difference between LDAP and file-based
77: .Em sudoers
78: is that in LDAP,
79: .Nm sudo Ns No -specific
80: Aliases are not supported.
81: .Pp
82: For the most part, there is really no need for
83: .Nm sudo Ns No -specific
84: Aliases.
85: Unix groups or user netgroups can be used in place of User_Aliases and
86: Runas_Aliases.
87: Host netgroups can be used in place of Host_Aliases.
88: Since Unix groups and netgroups can also be stored in LDAP there is no
89: real need for
90: .Nm sudo Ns No -specific
91: aliases.
92: .Pp
93: Cmnd_Aliases are not really required either since it is possible
94: to have multiple users listed in a
95: .Li sudoRole .
96: Instead of defining a Cmnd_Alias that is referenced by multiple users,
97: one can create a
98: .Li sudoRole
99: that contains the commands and assign multiple users to it.
100: .Ss SUDOers LDAP container
101: The
102: .Em sudoers
103: configuration is contained in the
104: .Li ou=SUDOers
105: LDAP container.
106: .Pp
107: Sudo first looks for the
108: .Li cn=defaults
109: entry in the SUDOers container.
110: If found, the multi-valued
111: .Li sudoOption
112: attribute is parsed in the same manner as a global
113: .Li Defaults
114: line in
115: .Pa @sysconfdir@/sudoers .
116: In the following example, the
117: .Ev SSH_AUTH_SOCK
118: variable will be preserved in the environment for all users.
119: .Bd -literal -offset 4n
120: dn: cn=defaults,ou=SUDOers,dc=example,dc=com
121: objectClass: top
122: objectClass: sudoRole
123: cn: defaults
124: description: Default sudoOption's go here
125: sudoOption: env_keep+=SSH_AUTH_SOCK
126: .Ed
127: .Pp
128: The equivalent of a sudoer in LDAP is a
129: .Li sudoRole .
130: It consists of the following attributes:
131: .Bl -tag -width 4n
132: .It Sy sudoUser
133: A user name, user ID (prefixed with
134: .Ql # ) ,
135: Unix group (prefixed with
136: .Ql % ) ,
137: Unix group ID (prefixed with
138: .Ql %# ) ,
139: or user netgroup (prefixed with
140: .Ql + ) .
141: .It Sy sudoHost
142: A host name, IP address, IP network, or host netgroup (prefixed with a
143: .Ql + ) .
144: The special value
145: .Li ALL
146: will match any host.
147: .It Sy sudoCommand
148: A Unix command with optional command line arguments, potentially
149: including globbing characters (aka wild cards).
150: The special value
151: .Li ALL
152: will match any command.
153: If a command is prefixed with an exclamation point
154: .Ql \&! ,
155: the user will be prohibited from running that command.
156: .It Sy sudoOption
157: Identical in function to the global options described above, but
158: specific to the
159: .Li sudoRole
160: in which it resides.
161: .It Sy sudoRunAsUser
162: A user name or uid (prefixed with
163: .Ql # )
164: that commands may be run as or a Unix group (prefixed with a
165: .Ql % )
166: or user netgroup (prefixed with a
167: .Ql + )
168: that contains a list of users that commands may be run as.
169: The special value
170: .Li ALL
171: will match any user.
172: .Pp
173: The
174: .Li sudoRunAsUser
175: attribute is only available in
176: .Nm sudo
177: versions
178: 1.7.0 and higher.
179: Older versions of
180: .Nm sudo
181: use the
182: .Li sudoRunAs
183: attribute instead.
184: .It Sy sudoRunAsGroup
185: A Unix group or gid (prefixed with
186: .Ql # )
187: that commands may be run as.
188: The special value
189: .Li ALL
190: will match any group.
191: .Pp
192: The
193: .Li sudoRunAsGroup
194: attribute is only available in
195: .Nm sudo
196: versions
197: 1.7.0 and higher.
198: .It Sy sudoNotBefore
199: A timestamp in the form
200: .Li yyyymmddHHMMSSZ
201: that can be used to provide a start date/time for when the
202: .Li sudoRole
203: will be valid.
204: If multiple
205: .Li sudoNotBefore
206: entries are present, the earliest is used.
207: Note that timestamps must be in Coordinated Universal Time (UTC),
208: not the local timezone.
209: The minute and seconds portions are optional, but some LDAP servers
210: require that they be present (contrary to the RFC).
211: .Pp
212: The
213: .Li sudoNotBefore
214: attribute is only available in
215: .Nm sudo
216: versions 1.7.5 and higher and must be explicitly enabled via the
217: .Sy SUDOERS_TIMED
218: option in
219: .Pa @ldap_conf@ .
220: .It Sy sudoNotAfter
221: A timestamp in the form
222: .Li yyyymmddHHMMSSZ
223: that indicates an expiration date/time, after which the
224: .Li sudoRole
225: will no longer be valid.
226: If multiple
227: .Li sudoNotAfter
228: entries are present, the latest is used.
229: Note that timestamps must be in Coordinated Universal Time (UTC),
230: not the local timezone.
231: The minute and seconds portions are optional, but some LDAP servers
232: require that they be present (contrary to the RFC).
233: .Pp
234: The
235: .Li sudoNotAfter
236: attribute is only available in
237: .Nm sudo
238: versions
239: 1.7.5 and higher and must be explicitly enabled via the
240: .Sy SUDOERS_TIMED
241: option in
242: .Pa @ldap_conf@ .
243: .It Sy sudoOrder
244: The
245: .Li sudoRole
246: entries retrieved from the LDAP directory have no inherent order.
247: The
248: .Li sudoOrder
249: attribute is an integer (or floating point value for LDAP servers
250: that support it) that is used to sort the matching entries.
251: This allows LDAP-based sudoers entries to more closely mimic the behaviour
252: of the sudoers file, where the order of the entries influences the result.
253: If multiple entries match, the entry with the highest
254: .Li sudoOrder
255: attribute is chosen.
256: This corresponds to the
257: .Dq last match
258: behavior of the sudoers file.
259: If the
260: .Li sudoOrder
261: attribute is not present, a value of 0 is assumed.
262: .Pp
263: The
264: .Li sudoOrder
265: attribute is only available in
266: .Nm sudo
267: versions 1.7.5 and higher.
268: .El
269: .Pp
270: Each attribute listed above should contain a single value, but there
271: may be multiple instances of each attribute type.
272: A
273: .Li sudoRole
274: must contain at least one
275: .Li sudoUser ,
276: .Li sudoHost
277: and
278: .Li sudoCommand .
279: .Pp
280: The following example allows users in group wheel to run any command
281: on any host via
282: .Nm sudo :
283: .Bd -literal -offset 4n
284: dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
285: objectClass: top
286: objectClass: sudoRole
287: cn: %wheel
288: sudoUser: %wheel
289: sudoHost: ALL
290: sudoCommand: ALL
291: .Ed
292: .Ss Anatomy of LDAP sudoers lookup
293: When looking up a sudoer using LDAP there are only two or three
294: LDAP queries per invocation.
295: The first query is to parse the global options.
296: The second is to match against the user's name and the groups that
297: the user belongs to.
298: (The special
299: .Li ALL
300: tag is matched in this query too.)
301: If no match is returned for the user's name and groups, a third
302: query returns all entries containing user netgroups and checks
303: to see if the user belongs to any of them.
304: .Pp
305: If timed entries are enabled with the
306: .Sy SUDOERS_TIMED
307: configuration directive, the LDAP queries include a subfilter that
308: limits retrieval to entries that satisfy the time constraints, if any.
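The following is an added example, not sudo's own code: it builds the search filters behind the two or three queries just described, with the time subfilter that SUDOERS_TIMED adds. The exact filter strings that sudo sends are an assumption modeled on the prose; only the attribute names (sudoUser, sudoNotBefore, sudoNotAfter, cn=defaults) come from the schema on this page. The user-controlled pieces are escaped per RFC 4515 so that a user or group name containing '*', '(' or ')' cannot widen the match.

```python
"""Build the LDAP search filters for a sudoers lookup (added example, not
sudo's own code; the filter shapes are assumed from the man page prose)."""
from datetime import datetime, timezone

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Fixed instant for the stand-alone run below (constructed for the example).
EXAMPLE_TIME = datetime(2012, 7, 12, 0, 0, 0, tzinfo=timezone.utc)


def escape_filter_value(value: str) -> str:
    """Escape a value for safe inclusion in an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def generalized_time(when: datetime) -> str:
    """yyyymmddHHMMSSZ in UTC, the form sudoNotBefore/sudoNotAfter require."""
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def timed_subfilter(when: datetime) -> str:
    """Subfilter used when SUDOERS_TIMED is on: keep entries that have no
    time limit, or whose [sudoNotBefore, sudoNotAfter] window contains 'when'."""
    ts = generalized_time(when)
    return (f"(&(|(!(sudoNotAfter=*))(sudoNotAfter>={ts}))"
            f"(|(!(sudoNotBefore=*))(sudoNotBefore<={ts})))")


def defaults_filter() -> str:
    """Query 1: the global cn=defaults entry in the SUDOers container."""
    return "(cn=defaults)"


def user_filter(user, uid, groups=(), gids=(), timed_at=None, extra=None):
    """Query 2: entries whose sudoUser names the user, its uid, one of its
    groups or gids, or ALL.  'extra' is an optional SUDOERS_SEARCH_FILTER
    that is ANDed in; 'timed_at' adds the SUDOERS_TIMED subfilter."""
    terms = [f"(sudoUser={escape_filter_value(user)})", f"(sudoUser=#{int(uid)})"]
    terms += [f"(sudoUser=%{escape_filter_value(g)})" for g in groups]
    terms += [f"(sudoUser=%#{int(g)})" for g in gids]
    terms.append("(sudoUser=ALL)")
    return _wrap("(|" + "".join(terms) + ")", timed_at, extra)


def netgroup_filter(timed_at=None, extra=None):
    """Query 3 (only if query 2 matched nothing): every entry that names a
    user netgroup; membership is then checked on the client side.  The '*'
    here is a deliberate wildcard, so it is not escaped."""
    return _wrap("(sudoUser=+*)", timed_at, extra)


def _wrap(base, timed_at, extra):
    parts = [base]
    if timed_at is not None:
        parts.append(timed_subfilter(timed_at))
    if extra:
        parts.append(extra if extra.startswith("(") else f"({extra})")
    return base if len(parts) == 1 else "(&" + "".join(parts) + ")"


if __name__ == "__main__":
    print(defaults_filter())
    print(user_filter("johnny", 1001, ["wheel"], [10], timed_at=EXAMPLE_TIME))
    # A hostile name is neutralised instead of rewriting the filter:
    print(user_filter("*)(sudoUser=ALL", 1002))
    print(netgroup_filter(extra="objectClass=sudoRole"))
```

Note that the netgroup query deliberately fetches every netgroup-bearing entry; an unindexed sudoUser attribute makes this the most expensive of the three queries, which is why the schema section asks for that index.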
309: .Ss Differences between LDAP and non-LDAP sudoers
310: There are some subtle differences in the way sudoers is handled
311: once in LDAP.
312: Probably the biggest is that according to the RFC, LDAP ordering
313: is arbitrary and you cannot expect that Attributes and Entries are
314: returned in any specific order.
315: .Pp
316: The order in which different entries are applied can be controlled
317: using the
318: .Li sudoOrder
319: attribute, but there is no way to guarantee the order of attributes
320: within a specific entry.
321: If there are conflicting command rules in an entry, the negative
322: takes precedence.
323: This is called paranoid behavior (not necessarily the most specific
324: match).
325: .Pp
326: Here is an example:
327: .Bd -literal -offset 4n
328: # /etc/sudoers:
329: # Allow all commands except shell
330: johnny ALL=(root) ALL,!/bin/sh
331: # Always allows all commands because ALL is matched last
332: puddles ALL=(root) !/bin/sh,ALL
333:
334: # LDAP equivalent of johnny
335: # Allows all commands except shell
336: dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
337: objectClass: sudoRole
338: objectClass: top
339: cn: role1
340: sudoUser: johnny
341: sudoHost: ALL
342: sudoCommand: ALL
343: sudoCommand: !/bin/sh
344:
345: # LDAP equivalent of puddles
346: # Notice that even though ALL comes last, it still behaves like
347: # role1 since the LDAP code assumes the more paranoid configuration
348: dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
349: objectClass: sudoRole
350: objectClass: top
351: cn: role2
352: sudoUser: puddles
353: sudoHost: ALL
354: sudoCommand: !/bin/sh
355: sudoCommand: ALL
356: .Ed
357: .Pp
358: Another difference is that negations on the Host, User or Runas are
359: currently ignored.
360: For example, the following attributes do not behave the way one might expect.
361: .Bd -literal -offset 4n
362: # does not match all but joe
363: # rather, does not match anyone
364: sudoUser: !joe
365:
366: # does not match all but joe
367: # rather, matches everyone including Joe
368: sudoUser: ALL
369: sudoUser: !joe
370:
371: # does not match all but web01
372: # rather, matches all hosts including web01
373: sudoHost: ALL
374: sudoHost: !web01
375: .Ed
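To make the rules in this subsection and in the sudoOrder, sudoNotBefore and sudoNotAfter descriptions above concrete, here is an added example that evaluates sudoRole entries the way the page describes. It is not sudo's own matching code and handles only plain user names, %group names and host names (no #uid, netgroups, Runas or sudoOption processing). The rules it implements are the page's: a '!' value in sudoUser or sudoHost never matches anything; inside one entry a negated sudoCommand beats a positive one whatever the attribute order; among matching entries the highest sudoOrder decides (default 0); sudoNotBefore (earliest value) and sudoNotAfter (latest value) are compared as UTC generalized time. The LDIF, the dates and the group name webadmins are constructed for the example.

```python
"""Evaluate sudoRole entries under the LDAP rules of sudoers.ldap (added
example, not sudo's matching code; LDIF and dates are constructed)."""
from datetime import datetime, timezone
from fnmatch import fnmatchcase

LDIF = """\
dn: cn=role1,ou=SUDOers,dc=example,dc=com
sudoUser: johnny
sudoHost: ALL
sudoCommand: ALL
sudoCommand: !/bin/sh
sudoOrder: 10

dn: cn=role2,ou=SUDOers,dc=example,dc=com
sudoUser: puddles
sudoHost: ALL
sudoCommand: !/bin/sh
sudoCommand: ALL

dn: cn=shell-on-web01,ou=SUDOers,dc=example,dc=com
sudoUser: %webadmins
sudoHost: web01
sudoCommand: /bin/sh
sudoOrder: 20
sudoNotAfter: 20120801000000Z

dn: cn=not-joe,ou=SUDOers,dc=example,dc=com
sudoUser: ALL
sudoUser: !joe
sudoHost: ALL
sudoCommand: /usr/bin/id
"""

JULY_2012 = datetime(2012, 7, 12, tzinfo=timezone.utc)  # inside the window
SEPT_2012 = datetime(2012, 9, 1, tzinfo=timezone.utc)   # after sudoNotAfter


def parse_ldif(text):
    """Minimal LDIF reader: one {attribute: [values]} dict per entry."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def _value_matches(values, candidates):
    """A non-negated value equal to ALL or to a candidate matches.
    A '!' value is skipped: negations on sudoUser/sudoHost are ignored."""
    return any(v == "ALL" or v in candidates
               for v in values if not v.startswith("!"))


def _in_window(entry, now):
    ts = now.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")
    not_before = min(entry.get("sudoNotBefore", []), default=None)
    not_after = max(entry.get("sudoNotAfter", []), default=None)
    return (not_before is None or not_before <= ts) and \
           (not_after is None or ts <= not_after)


def _command_verdict(entry, command):
    """True/False if the entry allows/denies the command, None if silent.
    A matching negated command returns False at once ('paranoid' rule)."""
    verdict = None
    for c in entry.get("sudoCommand", []):
        pattern = c[1:] if c.startswith("!") else c
        if pattern == "ALL" or fnmatchcase(command, pattern):
            if c.startswith("!"):
                return False
            verdict = True
    return verdict


def decide(entries, user, groups, host, command, now):
    """True to allow, False to deny, None if no entry matched at all."""
    best = None  # (sudoOrder, verdict); equal orders tie arbitrarily, as in LDAP
    who = {user} | {"%" + g for g in groups}
    for e in entries:
        if not (_value_matches(e.get("sudoUser", []), who)
                and _value_matches(e.get("sudoHost", []), {host})
                and _in_window(e, now)):
            continue
        verdict = _command_verdict(e, command)
        if verdict is None:
            continue
        order = float(e.get("sudoOrder", ["0"])[0])
        if best is None or order >= best[0]:  # highest sudoOrder wins (last match)
            best = (order, verdict)
    return None if best is None else best[1]


if __name__ == "__main__":
    roles = parse_ldif(LDIF)
    print(decide(roles, "johnny", ["webadmins"], "web01", "/bin/sh", JULY_2012))  # True
    print(decide(roles, "johnny", ["webadmins"], "web01", "/bin/sh", SEPT_2012))  # False
    print(decide(roles, "puddles", [], "db01", "/bin/sh", JULY_2012))             # False
    print(decide(roles, "joe", [], "db01", "/usr/bin/id", JULY_2012))             # True
```

The first two calls show why sudoOrder and the time window matter together: the web01 shell grant (sudoOrder 20) overrides role1's denial in July, but once its sudoNotAfter passes, role1's !/bin/sh is the only matching rule again. The last call shows the ignored negation: joe still matches cn=not-joe because its sudoUser: ALL is honoured and sudoUser: !joe is not.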
376: .Ss Sudoers schema
377: In order to use
378: .Nm sudo Ns No 's
379: LDAP support, the
380: .Nm sudo
381: schema must be
382: installed on your LDAP server.
383: In addition, be sure to index the
384: .Li sudoUser
385: attribute.
386: .Pp
387: Three versions of the schema: one for OpenLDAP servers
388: .Pq Pa schema.OpenLDAP ,
389: one for Netscape-derived servers
390: .Pq Pa schema.iPlanet ,
391: and one for Microsoft Active Directory
392: .Pq Pa schema.ActiveDirectory
393: may be found in the
394: .Nm sudo
395: distribution.
396: .Pp
397: The schema for
398: .Nm sudo
399: in OpenLDAP form is also included in the
400: .Sx EXAMPLES
401: section.
402: .Ss Configuring ldap.conf
403: Sudo reads the
404: .Pa @ldap_conf@
405: file for LDAP-specific configuration.
406: Typically, this file is shared amongst different LDAP-aware clients.
407: As such, most of the settings are not
408: .Nm sudo Ns No -specific.
409: Note that
410: .Nm sudo
411: parses
412: .Pa @ldap_conf@
413: itself and may support options that differ from those described in the
414: system's
415: .Xr ldap.conf @mansectsu@
416: manual.
417: .Pp
418: Also note that on systems using the OpenLDAP libraries, default
419: values specified in
420: .Pa /etc/openldap/ldap.conf
421: or the user's
422: .Pa .ldaprc
423: files are not used.
424: .Pp
425: Only those options explicitly listed in
426: .Pa @ldap_conf@
427: as being supported by
428: .Nm sudo
429: are honored.
430: Configuration options are listed below in upper case but are parsed
431: in a case-independent manner.
432: .Bl -tag -width 4n
433: .It Sy URI Ar ldap[s]://[hostname[:port]] ...
434: Specifies a whitespace-delimited list of one or more URIs describing
435: the LDAP server(s) to connect to.
436: The
437: .Em protocol
438: may be either
439: .Em ldap No or
440: .Em ldaps ,
441: the latter being for servers that support TLS (SSL) encryption.
442: If no
443: .Em port
444: is specified, the default is port 389 for
445: .Li ldap://
446: or port 636 for
447: .Li ldaps:// .
448: If no
449: .Em hostname
450: is specified,
451: .Nm sudo
452: will connect to
453: .Em localhost .
454: Multiple
455: .Sy URI
456: lines are treated identically to a
457: .Sy URI
458: line containing multiple entries.
459: Only systems using the OpenLDAP libraries support the mixing of
460: .Li ldap://
461: and
462: .Li ldaps://
463: URIs.
464: Both the Netscape-derived and Tivoli LDAP libraries used on most commercial
465: versions of Unix are only capable of supporting one or the other.
466: .It Sy HOST Ar name[:port] ...
467: If no
468: .Sy URI
469: is specified, the
470: .Sy HOST
471: parameter specifies a whitespace-delimited list of LDAP servers to connect to.
472: Each host may include an optional
473: .Em port
474: separated by a colon
475: .Pq Ql :\& .
476: The
477: .Sy HOST
478: parameter is deprecated in favor of the
479: .Sy URI
480: specification and is included for backwards compatibility.
481: .It Sy PORT Ar port_number
482: If no
483: .Sy URI
484: is specified, the
485: .Sy PORT
486: parameter specifies the default port to connect to on the LDAP server if a
487: .Sy HOST
488: parameter does not specify the port itself.
489: If no
490: .Sy PORT
491: parameter is used, the default is port 389 for LDAP and port 636 for LDAP
492: over TLS (SSL).
493: The
494: .Sy PORT
495: parameter is deprecated in favor of the
496: .Sy URI
497: specification and is included for backwards compatibility.
498: .It Sy BIND_TIMELIMIT Ar seconds
499: The
500: .Sy BIND_TIMELIMIT
501: parameter specifies the amount of time, in seconds, to wait while trying
502: to connect to an LDAP server.
503: If multiple
504: .Sy URI Ns No s
505: or
506: .Sy HOST Ns No s
507: are specified, this is the amount of time to wait before trying
508: the next one in the list.
509: .It Sy NETWORK_TIMEOUT Ar seconds
510: An alias for
511: .Sy BIND_TIMELIMIT
512: for OpenLDAP compatibility.
513: .It Sy TIMELIMIT Ar seconds
514: The
515: .Sy TIMELIMIT
516: parameter specifies the amount of time, in seconds, to wait for a
517: response to an LDAP query.
518: .It Sy TIMEOUT Ar seconds
519: The
520: .Sy TIMEOUT
521: parameter specifies the amount of time, in seconds, to wait for a
522: response from the various LDAP APIs.
523: .It Sy SUDOERS_BASE Ar base
524: The base DN to use when performing
525: .Nm sudo
526: LDAP queries.
527: Typically this is of the form
528: .Li ou=SUDOers,dc=example,dc=com
529: for the domain
530: .Li example.com .
531: Multiple
532: .Sy SUDOERS_BASE
533: lines may be specified, in which case they are queried in the order specified.
534: .It Sy SUDOERS_SEARCH_FILTER Ar ldap_filter
535: An LDAP filter which is used to restrict the set of records returned
536: when performing a
537: .Nm sudo
538: LDAP query.
539: Typically, this is of the
540: form
541: .Li attribute=value
542: or
543: .Li (&(attribute=value)(attribute2=value2)) .
544: .It Sy SUDOERS_TIMED Ar on/true/yes/off/false/no
545: Whether or not to evaluate the
546: .Li sudoNotBefore
547: and
548: .Li sudoNotAfter
549: attributes that implement time-dependent sudoers entries.
550: .It Sy SUDOERS_DEBUG Ar debug_level
551: This sets the debug level for
552: .Nm sudo
553: LDAP queries.
554: Debugging information is printed to the standard error.
555: A value of 1 results in a moderate amount of debugging information.
556: A value of 2 shows the results of the matches themselves.
557: This parameter should not be set in a production environment as the
558: extra information is likely to confuse users.
559: .It Sy BINDDN Ar DN
560: The
561: .Sy BINDDN
562: parameter specifies the identity, in the form of a Distinguished Name (DN),
563: to use when performing LDAP operations.
564: If not specified, LDAP operations are performed with an anonymous identity.
565: By default, most LDAP servers will allow anonymous access.
566: .It Sy BINDPW Ar secret
567: The
568: .Sy BINDPW
569: parameter specifies the password to use when performing LDAP operations.
570: This is typically used in conjunction with the
571: .Sy BINDDN
572: parameter.
573: .It Sy ROOTBINDDN Ar DN
574: The
575: .Sy ROOTBINDDN
576: parameter specifies the identity, in the form of a Distinguished Name (DN),
577: to use when performing privileged LDAP operations, such as
578: .Em sudoers
579: queries.
580: The password corresponding
581: to the identity should be stored in
582: .Pa @ldap_secret@ .
583: If not specified, the
584: .Sy BINDDN
585: identity is used (if any).
586: .It Sy LDAP_VERSION Ar number
587: The version of the LDAP protocol to use when connecting to the server.
588: The default value is protocol version 3.
589: .It Sy SSL Ar on/true/yes/off/false/no
590: If the
591: .Sy SSL
592: parameter is set to
593: .Li on ,
594: .Li true
595: or
596: .Li yes ,
597: TLS (SSL) encryption is always used when communicating with the LDAP server.
598: Typically, this involves connecting to the server on port 636 (ldaps).
599: .It Sy SSL Ar start_tls
600: If the
601: .Sy SSL
602: parameter is set to
603: .Li start_tls ,
604: the LDAP server connection is initiated normally and TLS encryption is
605: begun before the bind credentials are sent.
606: This has the advantage of not requiring a dedicated port for encrypted
607: communications.
608: This parameter is only supported by LDAP servers that honor the
609: .Em start_tls
610: extension, such as the OpenLDAP and Tivoli Directory servers.
611: .It Sy TLS_CHECKPEER Ar on/true/yes/off/false/no
612: If enabled,
613: .Sy TLS_CHECKPEER
614: will cause the LDAP server's TLS certificate to be verified.
615: If the server's TLS certificate cannot be verified (usually because it
616: is signed by an unknown certificate authority),
617: .Nm sudo
618: will be unable to connect to it.
619: If
620: .Sy TLS_CHECKPEER
621: is disabled, no check is made.
622: Note that disabling the check creates an opportunity for man-in-the-middle
623: attacks since the server's identity will not be authenticated.
624: If possible, the CA's certificate should be installed locally so it can
625: be verified.
626: This option is not supported by the Tivoli Directory Server LDAP libraries.
627: .It Sy TLS_CACERT Ar file name
628: An alias for
629: .Sy TLS_CACERTFILE
630: for OpenLDAP compatibility.
631: .It Sy TLS_CACERTFILE Ar file name
632: The path to a certificate authority bundle which contains the certificates
633: for all the Certificate Authorities the client knows to be valid, e.g.\&
634: .Pa /etc/ssl/ca-bundle.pem .
635: This option is only supported by the OpenLDAP libraries.
636: Netscape-derived LDAP libraries use the same certificate
637: database for CA and client certificates (see
638: .Sy TLS_CERT ) .
639: .It Sy TLS_CACERTDIR Ar directory
640: Similar to
641: .Sy TLS_CACERTFILE
642: but instead of a file, it is a directory containing individual
643: Certificate Authority certificates, e.g.\&
644: .Pa /etc/ssl/certs .
645: The directory specified by
646: .Sy TLS_CACERTDIR
647: is checked after
648: .Sy TLS_CACERTFILE .
649: This option is only supported by the OpenLDAP libraries.
650: .It Sy TLS_CERT Ar file name
651: The path to a file containing the client certificate which can
652: be used to authenticate the client to the LDAP server.
653: The certificate type depends on the LDAP libraries used.
654: .Bl -tag -width 4n
655: .It OpenLDAP:
656: .Li tls_cert /etc/ssl/client_cert.pem
657: .It Netscape-derived:
658: .Li tls_cert /var/ldap/cert7.db
659: .It Tivoli Directory Server:
660: Unused, the key database specified by
661: .Sy TLS_KEY
662: contains both keys and certificates.
663: .Pp
664: When using Netscape-derived libraries, this file may also contain
665: Certificate Authority certificates.
666: .El
667: .It Sy TLS_KEY Ar file name
668: The path to a file containing the private key which matches the
669: certificate specified by
670: .Sy TLS_CERT .
671: The private key must not be password-protected.
672: The key type depends on the LDAP libraries used.
673: .Bl -tag -width 4n
674: .It OpenLDAP:
675: .Li tls_key /etc/ssl/client_key.pem
676: .It Netscape-derived:
677: .Li tls_key /var/ldap/key3.db
678: .It Tivoli Directory Server:
679: .Li tls_key /usr/ldap/ldapkey.kdb
680: .El
681: When using Tivoli LDAP libraries, this file may also contain
682: Certificate Authority and client certificates and may be encrypted.
683: .It Sy TLS_KEYPW Ar secret
684: The
685: .Sy TLS_KEYPW
686: contains the password used to decrypt the key database on clients
687: using the Tivoli Directory Server LDAP library.
688: If no
689: .Sy TLS_KEYPW
690: is specified, a
691: .Em stash file
692: will be used if it exists.
693: The
694: .Em stash file
695: must have the same path as the file specified by
696: .Sy TLS_KEY ,
697: but use a
698: .Li .sth
699: file extension instead of
700: .Li .kdb ,
701: e.g.\&
702: .Li ldapkey.sth .
703: The default
704: .Li ldapkey.kdb
705: that ships with Tivoli Directory Server is encrypted with the password
706: .Li ssl_password .
707: This option is only supported by the Tivoli LDAP libraries.
708: .It Sy TLS_RANDFILE Ar file name
709: The
710: .Sy TLS_RANDFILE
711: parameter specifies the path to an entropy source for systems that lack
712: a random device.
713: It is generally used in conjunction with
714: .Em prngd
715: or
716: .Em egd .
717: This option is only supported by the OpenLDAP libraries.
718: .It Sy TLS_CIPHERS Ar cipher list
719: The
720: .Sy TLS_CIPHERS
721: parameter allows the administrator to restrict which encryption algorithms
722: may be used for TLS (SSL) connections.
723: See the OpenLDAP or Tivoli Directory Server manual for a list of valid
724: ciphers.
725: This option is not supported by Netscape-derived libraries.
726: .It Sy USE_SASL Ar on/true/yes/off/false/no
727: Enable
728: .Sy USE_SASL
729: for LDAP servers that support SASL authentication.
730: .It Sy SASL_AUTH_ID Ar identity
731: The SASL user name to use when connecting to the LDAP server.
732: By default,
733: .Nm sudo
734: will use an anonymous connection.
735: .It Sy ROOTUSE_SASL Ar on/true/yes/off/false/no
736: Enable
737: .Sy ROOTUSE_SASL
738: to enable SASL authentication when connecting
739: to an LDAP server from a privileged process, such as
740: .Nm sudo .
741: .It Sy ROOTSASL_AUTH_ID Ar identity
742: The SASL user name to use when
743: .Sy ROOTUSE_SASL
744: is enabled.
745: .It Sy SASL_SECPROPS Ar none/properties
746: SASL security properties or
747: .Em none
748: for no properties.
749: See the SASL programmer's manual for details.
750: .It Sy KRB5_CCNAME Ar file name
751: The path to the Kerberos 5 credential cache to use when authenticating
752: with the remote server.
753: .It Sy DEREF Ar never/searching/finding/always
754: How alias dereferencing is to be performed when searching.
755: See the
756: .Xr ldap.conf @mansectsu@
757: manual for a full description of this option.
758: .El
759: .Pp
760: See the
761: .Pa ldap.conf
762: entry in the
763: .Sx EXAMPLES
764: section.
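The options above interact: a BINDPW is only as safe as the transport it crosses, TLS_CHECKPEER is what turns "encrypted" into "authenticated", and SUDOERS_DEBUG leaks matching detail to every caller. The following added example (not part of sudo) audits a sudo ldap.conf for those pitfalls. It reads the file the way this section says sudo does (one option and value per line, option names case-independent, lines starting with '#' ignored). It treats an absent TLS_CHECKPEER as unverified; that is a conservative assumption for the audit, not a default this page documents. Both configurations, the bind DN and the password are constructed for the example.

```python
"""Audit a sudo ldap.conf for cleartext binds, unverified TLS and debug
output (added example, not sudo code; both configs are constructed)."""

TRUE_VALUES = {"on", "true", "yes"}

WEAK_CONF = """\
# works, but sends a proxy password in the clear and tells users why they matched
uri ldap://ldapserver
sudoers_base ou=SUDOers,dc=example,dc=com
binddn cn=sudo-proxy,ou=Services,dc=example,dc=com
bindpw hunter2
tls_checkpeer no
sudoers_debug 2
"""

HARDENED_CONF = """\
# same server: TLS before the bind, server cert verified, secret kept root-only
uri ldap://ldapserver
sudoers_base ou=SUDOers,dc=example,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/ca-bundle.pem
rootbinddn cn=sudo-proxy,ou=Services,dc=example,dc=com
"""


def parse_ldap_conf(text):
    """Return {option: [values in file order]}; the last value is the effective one."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), []).append(value)
    return conf


def _last(conf, key, default=""):
    return conf[key][-1].lower() if key in conf else default


def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_ldap_conf(text)
    findings = []
    uris = " ".join(conf.get("uri", [])).split()
    ssl = _last(conf, "ssl", "off")
    encrypted = (ssl in TRUE_VALUES or ssl == "start_tls"
                 or (bool(uris) and all(u.startswith("ldaps://") for u in uris)))
    if not encrypted:
        findings.append("cleartext LDAP: set 'ssl start_tls', 'ssl on' or ldaps:// URIs")
    if "bindpw" in conf:
        findings.append("bindpw in ldap.conf: prefer rootbinddn with the password "
                        "in the root-only secret file")
        if not encrypted:
            findings.append("bindpw is sent over a cleartext connection")
    checkpeer = _last(conf, "tls_checkpeer", "no")
    if encrypted and checkpeer not in TRUE_VALUES:
        findings.append("tls_checkpeer is off: the server certificate is not "
                        "verified, which allows man-in-the-middle attacks")
    if checkpeer in TRUE_VALUES and not any(
            k in conf for k in ("tls_cacertfile", "tls_cacert", "tls_cacertdir")):
        findings.append("tls_checkpeer yes without a CA bundle: connections will fail")
    if "sudoers_base" not in conf:
        findings.append("sudoers_base missing: sudo ignores LDAP entirely")
    if "sudoers_debug" in conf:
        findings.append("sudoers_debug set: matching details are printed to users")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["ok"])
```

Run against its own two configurations it reports four findings for the weak one and none for the hardened one. On a real system point it at @ldap_conf@ and also check that the file and the root secret file are not world-readable, which the content alone cannot tell you.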
765: .Ss Configuring nsswitch.conf
766: Unless it is disabled at build time,
767: .Nm sudo
768: consults the Name Service Switch file,
769: .Pa @nsswitch_conf@ ,
770: to specify the
771: .Em sudoers
772: search order.
773: Sudo looks for a line beginning with
774: .Li sudoers :
775: and uses this to determine the search order.
776: Note that
777: .Nm sudo
778: does
779: not stop searching after the first match and later matches take
780: precedence over earlier ones.
781: The following sources are recognized:
782: .Pp
783: .Bl -tag -width 8n -offset 4n -compact
784: .It files
785: read sudoers from
786: .Pa @sysconfdir@/sudoers
787: .It ldap
788: read sudoers from LDAP
789: .El
790: .Pp
791: In addition, the entry
792: .Li [NOTFOUND=return]
793: will short-circuit the search if the user was not found in the
794: preceding source.
795: .Pp
796: To consult LDAP first followed by the local sudoers file (if it
797: exists), use:
798: .Bd -literal -offset 4n
799: sudoers: ldap files
800: .Ed
801: .Pp
802: The local
803: .Em sudoers
804: file can be ignored completely by using:
805: .Bd -literal -offset 4n
806: sudoers: ldap
807: .Ed
808: .Pp
809: If the
810: .Pa @nsswitch_conf@
811: file is not present or there is no sudoers line, the following
812: default is assumed:
813: .Bd -literal -offset 4n
814: sudoers: files
815: .Ed
816: .Pp
817: Note that
818: .Pa @nsswitch_conf@
819: is supported even when the underlying operating system does not use
820: an nsswitch.conf file, except on AIX (see below).
821: .Ss Configuring netsvc.conf
822: On AIX systems, the
823: .Pa @netsvc_conf@
824: file is consulted instead of
825: .Pa @nsswitch_conf@ .
826: .Nm sudo
827: simply treats
828: .Pa netsvc.conf
829: as a variant of
830: .Pa nsswitch.conf ;
831: information in the previous section unrelated to the file format
832: itself still applies.
833: .Pp
834: To consult LDAP first followed by the local sudoers file (if it
835: exists), use:
836: .Bd -literal -offset 4n
837: sudoers = ldap, files
838: .Ed
839: .Pp
840: The local
841: .Em sudoers
842: file can be ignored completely by using:
843: .Bd -literal -offset 4n
844: sudoers = ldap
845: .Ed
846: .Pp
847: To treat LDAP as authoritative and only use the local sudoers file
848: if the user is not present in LDAP, use:
849: .Bd -literal -offset 4n
850: sudoers = ldap = auth, files
851: .Ed
852: .Pp
853: Note that in the above example, the
854: .Li auth
855: qualifier only affects user lookups; both LDAP and
856: .Em sudoers
857: will be queried for
858: .Li Defaults
859: entries.
860: .Pp
861: If the
862: .Pa @netsvc_conf@
863: file is not present or there is no sudoers line, the following
864: default is assumed:
865: .Bd -literal -offset 4n
866: sudoers = files
867: .Ed
868: .Sh FILES
869: .Bl -tag -width 24n
870: .It Pa @ldap_conf@
871: LDAP configuration file
872: .It Pa @nsswitch_conf@
873: determines sudoers source order
874: .It Pa @netsvc_conf@
875: determines sudoers source order on AIX
876: .El
877: .Sh EXAMPLES
878: .Ss Example ldap.conf
879: .Bd -literal -offset 2n
880: # Either specify one or more URIs or one or more host:port pairs.
881: # If neither is specified sudo will default to localhost, port 389.
882: #
883: #host ldapserver
884: #host ldapserver1 ldapserver2:390
885: #
886: # Default port if host is specified without one, defaults to 389.
887: #port 389
888: #
889: # URI will override the host and port settings.
890: uri ldap://ldapserver
891: #uri ldaps://secureldapserver
892: #uri ldaps://secureldapserver ldap://ldapserver
893: #
894: # The amount of time, in seconds, to wait while trying to connect to
895: # an LDAP server.
896: bind_timelimit 30
897: #
898: # The amount of time, in seconds, to wait while performing an LDAP query.
899: timelimit 30
900: #
901: # Must be set or sudo will ignore LDAP; may be specified multiple times.
902: sudoers_base ou=SUDOers,dc=example,dc=com
903: #
904: # verbose sudoers matching from ldap
905: #sudoers_debug 2
906: #
907: # Enable support for time-based entries in sudoers.
908: #sudoers_timed yes
909: #
910: # optional proxy credentials
911: #binddn <who to search as>
912: #bindpw <password>
913: #rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>
914: #
915: # LDAP protocol version, defaults to 3
916: #ldap_version 3
917: #
918: # Define if you want to use an encrypted LDAP connection.
919: # Typically, you must also set the port to 636 (ldaps).
920: #ssl on
921: #
922: # Define if you want to use port 389 and switch to
923: # encryption before the bind credentials are sent.
924: # Only supported by LDAP servers that support the start_tls
925: # extension such as OpenLDAP.
926: #ssl start_tls
927: #
928: # Additional TLS options follow that allow tweaking of the
929: # SSL/TLS connection.
930: #
931: #tls_checkpeer yes # verify server SSL certificate
932: #tls_checkpeer no # ignore server SSL certificate
933: #
934: # If you enable tls_checkpeer, specify either tls_cacertfile
935: # or tls_cacertdir. Only supported when using OpenLDAP.
936: #
937: #tls_cacertfile /etc/certs/trusted_signers.pem
938: #tls_cacertdir /etc/certs
939: #
940: # For systems that don't have /dev/random
941: # use this along with PRNGD or EGD.pl to seed the
942: # random number pool to generate cryptographic session keys.
943: # Only supported when using OpenLDAP.
944: #
945: #tls_randfile /etc/egd-pool
946: #
947: # You may restrict which ciphers are used. Consult your SSL
948: # documentation for which options go here.
949: # Only supported when using OpenLDAP.
950: #
951: #tls_ciphers <cipher-list>
952: #
953: # Sudo can provide a client certificate when communicating to
954: # the LDAP server.
955: # Tips:
956: # * Enable both lines at the same time.
957: # * Do not password protect the key file.
958: # * Ensure the keyfile is only readable by root.
959: #
960: # For OpenLDAP:
961: #tls_cert /etc/certs/client_cert.pem
962: #tls_key /etc/certs/client_key.pem
963: #
964: # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
965: # a directory, in which case the files in the directory must have the
966: # default names (e.g. cert8.db and key4.db), or the path to the cert
967: # and key files themselves. However, a bug in version 5.0 of the LDAP
968: # SDK will prevent specific file names from working. For this reason
969: # it is suggested that tls_cert and tls_key be set to a directory,
970: # not a file name.
971: #
972: # The certificate database specified by tls_cert may contain CA certs
973: # and/or the client's cert. If the client's cert is included, tls_key
974: # should be specified as well.
975: # For backward compatibility, "sslpath" may be used in place of tls_cert.
976: #tls_cert /var/ldap
977: #tls_key /var/ldap
978: #
979: # If using SASL authentication for LDAP (OpenLDAP)
980: # use_sasl yes
981: # sasl_auth_id <SASL user name>
982: # rootuse_sasl yes
983: # rootsasl_auth_id <SASL user name for root access>
984: # sasl_secprops none
985: # krb5_ccname /etc/.ldapcache
986: .Ed
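The comments above state three rules for the TLS keywords: tls_checkpeer should be enabled, an enabled tls_checkpeer needs tls_cacertfile or tls_cacertdir, and tls_cert and tls_key must be enabled together. The following lint is an added example, not part of sudo or this manual; it parses ldap.conf-style lines (constructed samples are embedded) and reports which of those rules a file breaks. The on/off and true/false spellings it accepts alongside yes/no are an assumption.

```python
import re

# Constructed sample ldap.conf in the weak form: peer verification off and a
# client certificate without its key.  Comment lines begin with '#', as above.
WEAK_CONF = """\
# sudo ldap.conf (constructed sample)
uri ldaps://ldap.example.com
tls_checkpeer no
tls_cert /etc/certs/client_cert.pem
"""
# The same settings in the form the comments above recommend.
HARDENED_CONF = """\
uri ldaps://ldap.example.com
tls_checkpeer yes
tls_cacertfile /etc/certs/trusted_signers.pem
tls_cert /etc/certs/client_cert.pem
tls_key /etc/certs/client_key.pem
"""

def parse_ldap_conf(text):
    """Return {keyword: value} for the non-comment lines of an ldap.conf-style file."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = re.split(r"\s+", line, maxsplit=1)
            conf[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return conf

def lint_tls(conf):
    """Return finding codes for the TLS rules stated in the sample ldap.conf."""
    findings = []
    # Boolean spellings assumed here: yes/no as in the sample, plus on/off, true/false.
    checkpeer = conf.get("tls_checkpeer", "").lower()
    if checkpeer == "":
        findings.append("checkpeer-unset")      # the LDAP library's default decides
    elif checkpeer in ("no", "off", "false"):
        findings.append("checkpeer-off")        # server certificate is never verified
    elif not ("tls_cacertfile" in conf or "tls_cacertdir" in conf):
        findings.append("no-ca")                # checkpeer yes needs a trust anchor
    if ("tls_cert" in conf) != ("tls_key" in conf):
        findings.append("cert-key-pair")        # both lines must be enabled together
    return findings
```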
987: .Ss Sudo schema for OpenLDAP
988: The following schema, in OpenLDAP format, is included with
989: .Nm sudo
990: source and binary distributions as
991: .Pa schema.OpenLDAP .
992: Simply copy
993: it to the schema directory (e.g.\&
994: .Pa /etc/openldap/schema ) ,
995: add the proper
996: .Li include
997: line in
998: .Pa slapd.conf
999: and restart
1000: .Nm slapd .
1001: .Bd -literal -offset 2n
1002: attributetype ( 1.3.6.1.4.1.15953.9.1.1
1003: NAME 'sudoUser'
1004: DESC 'User(s) who may run sudo'
1005: EQUALITY caseExactIA5Match
1006: SUBSTR caseExactIA5SubstringsMatch
1007: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1008:
1009: attributetype ( 1.3.6.1.4.1.15953.9.1.2
1010: NAME 'sudoHost'
1011: DESC 'Host(s) who may run sudo'
1012: EQUALITY caseExactIA5Match
1013: SUBSTR caseExactIA5SubstringsMatch
1014: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1015:
1016: attributetype ( 1.3.6.1.4.1.15953.9.1.3
1017: NAME 'sudoCommand'
1018: DESC 'Command(s) to be executed by sudo'
1019: EQUALITY caseExactIA5Match
1020: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1021:
1022: attributetype ( 1.3.6.1.4.1.15953.9.1.4
1023: NAME 'sudoRunAs'
1024: DESC 'User(s) impersonated by sudo'
1025: EQUALITY caseExactIA5Match
1026: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1027:
1028: attributetype ( 1.3.6.1.4.1.15953.9.1.5
1029: NAME 'sudoOption'
1030: DESC 'Option(s) followed by sudo'
1031: EQUALITY caseExactIA5Match
1032: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1033:
1034: attributetype ( 1.3.6.1.4.1.15953.9.1.6
1035: NAME 'sudoRunAsUser'
1036: DESC 'User(s) impersonated by sudo'
1037: EQUALITY caseExactIA5Match
1038: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1039:
1040: attributetype ( 1.3.6.1.4.1.15953.9.1.7
1041: NAME 'sudoRunAsGroup'
1042: DESC 'Group(s) impersonated by sudo'
1043: EQUALITY caseExactIA5Match
1044: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1045:
1046: attributetype ( 1.3.6.1.4.1.15953.9.1.8
1047: NAME 'sudoNotBefore'
1048: DESC 'Start of time interval for which the entry is valid'
1049: EQUALITY generalizedTimeMatch
1050: ORDERING generalizedTimeOrderingMatch
1051: SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
1052:
1053: attributetype ( 1.3.6.1.4.1.15953.9.1.9
1054: NAME 'sudoNotAfter'
1055: DESC 'End of time interval for which the entry is valid'
1056: EQUALITY generalizedTimeMatch
1057: ORDERING generalizedTimeOrderingMatch
1058: SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
1059:
1060: attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
1061: NAME 'sudoOrder'
1062: DESC 'an integer to order the sudoRole entries'
1063: EQUALITY integerMatch
1064: ORDERING integerOrderingMatch
1065: SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
1066:
1067: objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
1068: DESC 'Sudoer Entries'
1069: MUST ( cn )
1070: MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
1071: sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
1072: sudoOrder $ description )
1073: )
1074: .Ed
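Once the schema is loaded, slapd only accepts entries that fit sudoRole's MUST and MAY lists and the syntaxes the attribute types declare. The following checker is an added example, not part of sudo: it validates constructed LDIF sudoRole entries against those lists and against the GeneralizedTime (syntax 1.24) and INTEGER (syntax 1.27) values of sudoNotBefore, sudoNotAfter and sudoOrder. Its LDIF parser is minimal (no line folding or base64) and attribute names are matched case-sensitively.

```python
import re
# sudoRole's MUST and MAY attribute lists, copied from the objectclass above.
MUST = {"cn"}
MAY = {"sudoUser", "sudoHost", "sudoCommand", "sudoRunAs", "sudoRunAsUser", "sudoRunAsGroup",
       "sudoOption", "sudoNotBefore", "sudoNotAfter", "sudoOrder", "description"}
# Syntaxes from the schema: ...1.24 is GeneralizedTime (YYYYMMDDHHMMSS[.frac]Z only here), .27 INTEGER.
GENERALIZED_TIME = re.compile(r"^\d{14}(\.\d+)?Z$")
SYNTAX = {"sudoNotBefore": GENERALIZED_TIME, "sudoNotAfter": GENERALIZED_TIME,
          "sudoOrder": re.compile(r"^-?\d+$")}

# Constructed LDIF entries: one conforming, one with several schema violations.
GOOD_ENTRY = """\
dn: cn=backup,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: backup
sudoUser: %backup
sudoHost: ALL
sudoCommand: /usr/bin/rsync
sudoNotAfter: 20121231235959Z
sudoOrder: 10
"""
BAD_ENTRY = """\
dn: cn=bad,ou=SUDOers,dc=example,dc=com
sudoUser: alice
sudoNotBefore: 2012-07-12
sudoOrder: ten
"""

def parse_ldif(text):
    """Parse one LDIF entry into {attribute: [values]} (no folding or base64)."""
    entry = {}
    for line in text.splitlines():
        if line.strip():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def check_sudo_role(entry):
    """Return schema problems for an entry; an empty list means it conforms."""
    problems = []
    if "sudoRole" not in entry.get("objectClass", []):
        problems.append("objectClass sudoRole missing")
    problems += [f"required attribute {a} missing" for a in sorted(MUST - set(entry))]
    for attr, values in entry.items():
        if attr not in MUST | MAY | {"dn", "objectClass"}:
            problems.append(f"attribute {attr} not allowed in sudoRole")
        else:
            problems += [f"{attr} value {v!r} has wrong syntax" for v in values
                         if attr in SYNTAX and not SYNTAX[attr].match(v)]
    return problems
```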
1075: .Sh SEE ALSO
1076: .Xr ldap.conf @mansectsu@ ,
1077: .Xr sudoers @mansectsu@
1078: .Sh CAVEATS
1079: Note that there are differences in the way that LDAP-based
1080: .Em sudoers
1081: is parsed compared to file-based
1082: .Em sudoers .
1083: See the
1084: .Sx Differences between LDAP and non-LDAP sudoers
1085: section for more information.
1086: .Sh BUGS
1087: If you feel you have found a bug in
1088: .Nm sudo ,
1089: please submit a bug report at http://www.sudo.ws/sudo/bugs/
1090: .Sh SUPPORT
1091: Limited free support is available via the sudo-users mailing list;
1092: see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
1093: search the archives.
1094: .Sh DISCLAIMER
1095: .Nm sudo
1096: is provided
1097: .Dq AS IS
1098: and any express or implied warranties, including, but not limited
1099: to, the implied warranties of merchantability and fitness for a
1100: particular purpose are disclaimed.
1101: See the LICENSE file distributed with
1102: .Nm sudo
1103: or http://www.sudo.ws/sudo/license.html for complete details.