Annotation of embedaddon/sudo/doc/sudoers.ldap.mdoc.in, revision 1.1.1.3
1.1 misho 1: .\"
1.1.1.2 misho 2: .\" Copyright (c) 2003-2013 Todd C. Miller <Todd.Miller@courtesan.com>
1.1 misho 3: .\"
4: .\" Permission to use, copy, modify, and distribute this software for any
5: .\" purpose with or without fee is hereby granted, provided that the above
6: .\" copyright notice and this permission notice appear in all copies.
7: .\"
8: .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9: .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10: .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11: .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12: .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13: .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14: .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15: .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
16: .\"
1.1.1.3 ! misho 17: .Dd August 30, 2013
1.1 misho 18: .Dt SUDOERS.LDAP @mansectsu@
19: .Os Sudo @PACKAGE_VERSION@
20: .Sh NAME
21: .Nm sudoers.ldap
22: .Nd sudo LDAP configuration
23: .Sh DESCRIPTION
24: In addition to the standard
25: .Em sudoers
26: file,
27: .Nm sudo
28: may be configured
29: via LDAP.
30: This can be especially useful for synchronizing
31: .Em sudoers
32: in a large, distributed environment.
33: .Pp
34: Using LDAP for
35: .Em sudoers
36: has several benefits:
37: .Bl -bullet
38: .It
39: .Nm sudo
40: no longer needs to read
41: .Em sudoers
42: in its entirety.
43: When LDAP is used, there are only two or three LDAP queries per invocation.
44: This makes it especially fast and particularly usable in LDAP environments.
45: .It
46: .Nm sudo
47: no longer exits if there is a typo in
48: .Em sudoers .
49: It is not possible to load LDAP data into the server that does
50: not conform to the sudoers schema, so proper syntax is guaranteed.
51: It is still possible to have typos in a user or host name, but
52: this will not prevent
53: .Nm sudo
54: from running.
55: .It
56: It is possible to specify per-entry options that override the global
57: default options.
58: .Pa @sysconfdir@/sudoers
59: only supports default options and limited options associated with
60: user/host/commands/aliases.
61: The syntax is complicated and can be difficult for users to understand.
62: Placing the options directly in the entry is more natural.
63: .It
64: The
65: .Nm visudo
66: program is no longer needed.
67: .Nm visudo
68: provides locking and syntax checking of the
69: .Pa @sysconfdir@/sudoers
70: file.
71: Since LDAP updates are atomic, locking is no longer necessary.
72: Because syntax is checked when the data is inserted into LDAP, there
73: is no need for a specialized tool to check syntax.
74: .El
75: .Pp
76: Another major difference between LDAP and file-based
77: .Em sudoers
78: is that in LDAP,
79: .Nm sudo Ns No -specific
80: Aliases are not supported.
81: .Pp
82: For the most part, there is really no need for
83: .Nm sudo Ns No -specific
84: Aliases.
1.1.1.2 misho 85: Unix groups, non-Unix groups (via the
86: .Em group_plugin )
87: or user netgroups can be used in place of User_Aliases and Runas_Aliases.
1.1 misho 88: Host netgroups can be used in place of Host_Aliases.
1.1.1.2 misho 89: Since groups and netgroups can also be stored in LDAP there is no real need for
1.1 misho 90: .Nm sudo Ns No -specific
91: aliases.
92: .Pp
93: Cmnd_Aliases are not really required either since it is possible
94: to have multiple users listed in a
95: .Li sudoRole .
96: Instead of defining a Cmnd_Alias that is referenced by multiple users,
97: one can create a
98: .Li sudoRole
99: that contains the commands and assign multiple users to it.
100: .Ss SUDOers LDAP container
101: The
102: .Em sudoers
103: configuration is contained in the
104: .Li ou=SUDOers
105: LDAP container.
106: .Pp
107: Sudo first looks for the
108: .Li cn=defaults
109: entry in the SUDOers container.
110: If found, the multi-valued
111: .Li sudoOption
112: attribute is parsed in the same manner as a global
113: .Li Defaults
114: line in
115: .Pa @sysconfdir@/sudoers .
116: In the following example, the
117: .Ev SSH_AUTH_SOCK
118: variable will be preserved in the environment for all users.
119: .Bd -literal -offset 4n
120: dn: cn=defaults,ou=SUDOers,dc=example,dc=com
121: objectClass: top
122: objectClass: sudoRole
123: cn: defaults
124: description: Default sudoOption's go here
125: sudoOption: env_keep+=SSH_AUTH_SOCK
126: .Ed
127: .Pp
128: The equivalent of a sudoer in LDAP is a
129: .Li sudoRole .
130: It consists of the following attributes:
131: .Bl -tag -width 4n
132: .It Sy sudoUser
133: A user name, user ID (prefixed with
134: .Ql # ) ,
1.1.1.2 misho 135: Unix group name or ID (prefixed with
136: .Ql %
137: or
138: .Ql %#
139: respectively), user netgroup (prefixed with
140: .Ql + ) ,
141: or non-Unix group name or ID (prefixed with
142: .Ql %:
143: or
144: .Ql %:#
145: respectively).
146: Non-Unix group support is only available when an appropriate
147: .Em group_plugin
148: is defined in the global
149: .Em defaults
150: .Li sudoRole
151: object.
1.1 misho 152: .It Sy sudoHost
153: A host name, IP address, IP network, or host netgroup (prefixed with a
154: .Ql + ) .
155: The special value
156: .Li ALL
157: will match any host.
158: .It Sy sudoCommand
1.1.1.2 misho 159: A fully-qualified Unix command name with optional command line arguments,
160: potentially including globbing characters (aka wild cards).
161: If a command name is preceded by an exclamation point,
162: .Ql \&! ,
163: the user will be prohibited from running that command.
164: .Pp
165: The built-in command
166: .Dq Li sudoedit
167: is used to permit a user to run
168: .Nm sudo
169: with the
170: .Fl e
171: option (or as
172: .Nm sudoedit ) .
173: It may take command line arguments just as a normal command does.
174: Note that
175: .Dq Li sudoedit
176: is a command built into
177: .Nm sudo
178: itself and must be specified without a leading path.
179: .Pp
1.1 misho 180: The special value
181: .Li ALL
182: will match any command.
1.1.1.2 misho 183: .Pp
184: If a command name is prefixed with a SHA-2 digest, it will
185: only be allowed if the digest matches.
186: This may be useful in situations where the user invoking
187: .Nm sudo
188: has write access to the command or its parent directory.
189: The following digest formats are supported: sha224, sha256, sha384 and sha512.
190: The digest name must be followed by a colon
191: .Pq Ql :\&
192: and then the actual digest, in either hex or base64 format.
193: For example, given the following value for sudoCommand:
194: .Bd -literal -offset 4n
195: sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ /bin/ls
196: .Ed
197: .Pp
198: The user may only run
199: .Pa /bin/ls
200: if its sha224 digest matches the specified value.
201: Command digests are only supported by version 1.8.7 or higher.
1.1 misho 202: .It Sy sudoOption
203: Identical in function to the global options described above, but
204: specific to the
205: .Li sudoRole
206: in which it resides.
207: .It Sy sudoRunAsUser
208: A user name or uid (prefixed with
209: .Ql # )
210: that commands may be run as or a Unix group (prefixed with a
211: .Ql % )
212: or user netgroup (prefixed with a
213: .Ql + )
214: that contains a list of users that commands may be run as.
215: The special value
216: .Li ALL
217: will match any user.
218: .Pp
219: The
220: .Li sudoRunAsUser
221: attribute is only available in
222: .Nm sudo
223: versions
224: 1.7.0 and higher.
225: Older versions of
226: .Nm sudo
227: use the
228: .Li sudoRunAs
229: attribute instead.
230: .It Sy sudoRunAsGroup
231: A Unix group or gid (prefixed with
232: .Ql # )
233: that commands may be run as.
234: The special value
235: .Li ALL
236: will match any group.
237: .Pp
238: The
239: .Li sudoRunAsGroup
240: attribute is only available in
241: .Nm sudo
242: versions
243: 1.7.0 and higher.
244: .It Sy sudoNotBefore
245: A timestamp in the form
246: .Li yyyymmddHHMMSSZ
247: that can be used to provide a start date/time for when the
248: .Li sudoRole
249: will be valid.
250: If multiple
251: .Li sudoNotBefore
252: entries are present, the earliest is used.
253: Note that timestamps must be in Coordinated Universal Time (UTC),
254: not the local timezone.
255: The minute and seconds portions are optional, but some LDAP servers
256: require that they be present (contrary to the RFC).
257: .Pp
258: The
259: .Li sudoNotBefore
260: attribute is only available in
261: .Nm sudo
262: versions 1.7.5 and higher and must be explicitly enabled via the
263: .Sy SUDOERS_TIMED
264: option in
265: .Pa @ldap_conf@ .
266: .It Sy sudoNotAfter
267: A timestamp in the form
268: .Li yyyymmddHHMMSSZ
269: that indicates an expiration date/time, after which the
270: .Li sudoRole
271: will no longer be valid.
272: If multiple
273: .Li sudoNotAfter
274: entries are present, the last one is used.
275: Note that timestamps must be in Coordinated Universal Time (UTC),
276: not the local timezone.
277: The minute and seconds portions are optional, but some LDAP servers
278: require that they be present (contrary to the RFC).
279: .Pp
280: The
281: .Li sudoNotAfter
282: attribute is only available in
283: .Nm sudo
284: versions
285: 1.7.5 and higher and must be explicitly enabled via the
286: .Sy SUDOERS_TIMED
287: option in
288: .Pa @ldap_conf@ .
289: .It Sy sudoOrder
290: The
291: .Li sudoRole
292: entries retrieved from the LDAP directory have no inherent order.
293: The
294: .Li sudoOrder
295: attribute is an integer (or floating point value for LDAP servers
296: that support it) that is used to sort the matching entries.
1.1.1.2 misho 297: This allows LDAP-based sudoers entries to more closely mimic the behavior
1.1 misho 298: of the sudoers file, where the order of the entries influences the result.
299: If multiple entries match, the entry with the highest
300: .Li sudoOrder
301: attribute is chosen.
302: This corresponds to the
303: .Dq last match
304: behavior of the sudoers file.
305: If the
306: .Li sudoOrder
307: attribute is not present, a value of 0 is assumed.
308: .Pp
309: The
310: .Li sudoOrder
311: attribute is only available in
312: .Nm sudo
313: versions 1.7.5 and higher.
314: .El
315: .Pp
316: Each attribute listed above should contain a single value, but there
317: may be multiple instances of each attribute type.
318: A
319: .Li sudoRole
320: must contain at least one
321: .Li sudoUser ,
322: .Li sudoHost
323: and
324: .Li sudoCommand .
325: .Pp
326: The following example allows users in group wheel to run any command
327: on any host via
328: .Nm sudo :
329: .Bd -literal -offset 4n
330: dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
331: objectClass: top
332: objectClass: sudoRole
333: cn: %wheel
334: sudoUser: %wheel
335: sudoHost: ALL
336: sudoCommand: ALL
337: .Ed
338: .Ss Anatomy of LDAP sudoers lookup
339: When looking up a sudoer using LDAP there are only two or three
340: LDAP queries per invocation.
341: The first query is to parse the global options.
342: The second is to match against the user's name and the groups that
343: the user belongs to.
344: (The special
345: .Li ALL
346: tag is matched in this query too.)
347: If no match is returned for the user's name and groups, a third
348: query returns all entries containing user netgroups and checks
349: to see if the user belongs to any of them.
350: .Pp
351: If timed entries are enabled with the
352: .Sy SUDOERS_TIMED
1.1.1.2 misho 353: configuration directive, the LDAP queries include a sub-filter that
1.1 misho 354: limits retrieval to entries that satisfy the time constraints, if any.
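The sudoNotBefore and sudoNotAfter rules described above (UTC timestamps, optional minutes and seconds, earliest start and last expiry winning, evaluated only when SUDOERS_TIMED is on) worked as an added Python example; this is not sudo's own code and the sample roles are constructed. The manual's "last one" for sudoNotAfter is read here as the latest timestamp.

```python
from datetime import datetime, timezone

def parse_generalized_time(value):
    """Parse yyyymmddHHMMSSZ. Minutes and seconds may be omitted (they default
    to 00); the trailing Z may not, because sudo expects UTC, not local time."""
    if not value.endswith("Z"):
        raise ValueError("timestamp must be UTC with a trailing Z: %r" % value)
    digits = value[:-1]
    if not digits.isdigit() or len(digits) not in (10, 12, 14):
        raise ValueError("malformed timestamp: %r" % value)
    digits = digits.ljust(14, "0")
    fields = [int(digits[i:i + n]) for i, n in ((0, 4), (4, 2), (6, 2), (8, 2), (10, 2), (12, 2))]
    return datetime(*fields, tzinfo=timezone.utc)

def role_window(entry):
    """(not_before, not_after): earliest sudoNotBefore and latest sudoNotAfter
    (the manual's "last one" for sudoNotAfter is taken here to mean the latest)."""
    nb = [parse_generalized_time(v) for v in entry.get("sudoNotBefore", [])]
    na = [parse_generalized_time(v) for v in entry.get("sudoNotAfter", [])]
    return (min(nb) if nb else None, max(na) if na else None)

def role_in_effect(entry, now, sudoers_timed=True):
    """Is the role live at `now`? With SUDOERS_TIMED off the attributes are
    never evaluated, so an expired role keeps granting access."""
    if not sudoers_timed:
        return True
    nb, na = role_window(entry)
    if nb is not None and now < nb:
        return False
    return na is None or now <= na

def expired_roles(entries, now):
    """cn of every role whose sudoNotAfter has passed: grants to clean up."""
    return [e["cn"][0] for e in entries
            if role_window(e)[1] is not None and now > role_window(e)[1]]

# Constructed sample roles as attribute -> list-of-values dicts.
SAMPLE_ROLES = [
    {"cn": ["contractor"],
     "sudoNotBefore": ["20130901000000Z", "20130815120000Z"],   # earliest wins
     "sudoNotAfter": ["20131001000000Z"]},
    {"cn": ["release"],
     "sudoNotBefore": ["2013083022Z"],                          # minutes/seconds omitted
     "sudoNotAfter": ["201308310200Z", "201308310400Z"]},        # latest wins
    {"cn": ["permanent"]},
]
```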
355: .Ss Differences between LDAP and non-LDAP sudoers
356: There are some subtle differences in the way sudoers is handled
357: once in LDAP.
358: Probably the biggest is that according to the RFC, LDAP ordering
359: is arbitrary and you cannot expect that Attributes and Entries are
360: returned in any specific order.
361: .Pp
362: The order in which different entries are applied can be controlled
363: using the
364: .Li sudoOrder
365: attribute, but there is no way to guarantee the order of attributes
366: within a specific entry.
367: If there are conflicting command rules in an entry, the negative
368: takes precedence.
369: This is called paranoid behavior (not necessarily the most specific
370: match).
371: .Pp
372: Here is an example:
373: .Bd -literal -offset 4n
374: # /etc/sudoers:
375: # Allow all commands except shell
376: johnny ALL=(root) ALL,!/bin/sh
377: # Always allows all commands because ALL is matched last
378: puddles ALL=(root) !/bin/sh,ALL
379:
380: # LDAP equivalent of johnny
381: # Allows all commands except shell
382: dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
383: objectClass: sudoRole
384: objectClass: top
385: cn: role1
386: sudoUser: johnny
387: sudoHost: ALL
388: sudoCommand: ALL
389: sudoCommand: !/bin/sh
390:
391: # LDAP equivalent of puddles
392: # Notice that even though ALL comes last, it still behaves like
393: # role1 since the LDAP code assumes the more paranoid configuration
394: dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
395: objectClass: sudoRole
396: objectClass: top
397: cn: role2
398: sudoUser: puddles
399: sudoHost: ALL
400: sudoCommand: !/bin/sh
401: sudoCommand: ALL
402: .Ed
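The matching rules given above for sudoUser, sudoHost, sudoCommand (including digest-prefixed commands) and sudoOrder, together with the negation precedence just illustrated with role1 and role2, worked as an added Python example; it is not code from the sudo project. The LDIF is constructed sample data, group membership is supplied by the caller instead of being looked up, and the #uid, +netgroup and %:group forms are not modelled.

```python
import base64
import fnmatch
import hashlib

SAMPLE_LDIF = """\
dn: cn=role1,ou=SUDOers,dc=example,dc=com
sudoUser: johnny
sudoHost: ALL
sudoCommand: ALL
sudoCommand: !/bin/sh

dn: cn=role2,ou=SUDOers,dc=example,dc=com
sudoUser: puddles
sudoHost: ALL
sudoCommand: !/bin/sh
sudoCommand: ALL

dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
sudoUser: %wheel
sudoHost: web01
sudoCommand: /usr/bin/systemctl restart httpd
sudoOrder: 10
"""  # constructed sample: johnny/puddles from the manual plus a group role

def parse_ldif(text):
    """Split LDIF into entries; each maps an attribute to its list of values."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    return entries

def user_matches(values, user, groups):
    """sudoUser as bare name, %group or ALL; negated values are ignored by sudo."""
    for v in values:
        if v.startswith("!"):
            continue
        if v in ("ALL", user) or (v.startswith("%") and v[1:] in groups):
            return True
    return False

def host_matches(values, host):
    return any(v in ("ALL", host) for v in values if not v.startswith("!"))

def digest_spec(name, data, b64=False):
    """Build the 'name:digest' prefix for a sudoCommand value (hex or base64)."""
    h = hashlib.new(name, data)
    digest = base64.b64encode(h.digest()).decode().rstrip("=") if b64 else h.hexdigest()
    return name + ":" + digest

def digest_ok(spec, data):
    """Check a 'name:digest' prefix (hex, or base64 with or without padding)."""
    name, _, want = spec.partition(":")
    h = hashlib.new(name, data)
    if want == h.hexdigest():
        return True
    try:
        return base64.b64decode(want + "=" * (-len(want) % 4)) == h.digest()
    except ValueError:
        return False

def command_matches(value, cmd, args, file_bytes):
    """One sudoCommand value (leading '!' stripped); no arguments in the rule means any."""
    if value == "ALL":
        return True
    parts = value.split(None, 1)
    if parts[0].partition(":")[0] in ("sha224", "sha256", "sha384", "sha512"):
        if len(parts) < 2 or not digest_ok(parts[0], file_bytes):
            return False                       # digest does not match the binary
        parts = parts[1].split(None, 1)
    return fnmatch.fnmatchcase(cmd, parts[0]) and (
        len(parts) == 1 or fnmatch.fnmatchcase(" ".join(args), parts[1]))

def entry_decision(entry, cmd, args, file_bytes):
    """True/False if the role speaks about cmd, else None; a matching negation wins."""
    decision = None
    for v in entry.get("sudoCommand", []):
        if command_matches(v.lstrip("!"), cmd, args, file_bytes):
            if v.startswith("!"):
                return False                   # "paranoid": position is irrelevant
            decision = True
    return decision

def allowed(entries, user, groups, host, cmd, args=(), file_bytes=b""):
    """Highest sudoOrder (absent = 0) decides among matching roles: "last match"."""
    matching = [e for e in entries
                if user_matches(e.get("sudoUser", []), user, groups)
                and host_matches(e.get("sudoHost", []), host)]
    matching.sort(key=lambda e: float(e.get("sudoOrder", ["0"])[0]))
    result = False
    for e in matching:
        d = entry_decision(e, cmd, args, file_bytes)
        result = d if d is not None else result
    return result

ROLES = parse_ldif(SAMPLE_LDIF)
```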
403: .Pp
404: Another difference is that negations on the Host, User or Runas are
405: currently ignored.
406: For example, the following attributes do not behave the way one might expect.
407: .Bd -literal -offset 4n
408: # does not match all but joe
409: # rather, does not match anyone
410: sudoUser: !joe
411:
412: # does not match all but joe
413: # rather, matches everyone including Joe
414: sudoUser: ALL
415: sudoUser: !joe
416:
417: # does not match all but web01
418: # rather, matches all hosts including web01
419: sudoHost: ALL
420: sudoHost: !web01
421: .Ed
422: .Ss Sudoers schema
423: In order to use
424: .Nm sudo Ns No 's
425: LDAP support, the
426: .Nm sudo
427: schema must be
428: installed on your LDAP server.
429: In addition, be sure to index the
430: .Li sudoUser
431: attribute.
432: .Pp
433: Three versions of the schema: one for OpenLDAP servers
434: .Pq Pa schema.OpenLDAP ,
435: one for Netscape-derived servers
436: .Pq Pa schema.iPlanet ,
437: and one for Microsoft Active Directory
438: .Pq Pa schema.ActiveDirectory
439: may be found in the
440: .Nm sudo
441: distribution.
442: .Pp
443: The schema for
444: .Nm sudo
445: in OpenLDAP form is also included in the
446: .Sx EXAMPLES
447: section.
448: .Ss Configuring ldap.conf
449: Sudo reads the
450: .Pa @ldap_conf@
451: file for LDAP-specific configuration.
1.1.1.2 misho 452: Typically, this file is shared between different LDAP-aware clients.
1.1 misho 453: As such, most of the settings are not
454: .Nm sudo Ns No -specific.
455: Note that
456: .Nm sudo
457: parses
458: .Pa @ldap_conf@
459: itself and may support options that differ from those described in the
460: system's
461: .Xr ldap.conf @mansectsu@
462: manual.
1.1.1.2 misho 463: The path to
464: .Pa ldap.conf
465: may be overridden via the
466: .Em ldap_conf
467: plugin argument in
468: .Xr sudo.conf @mansectform@ .
1.1 misho 469: .Pp
470: Also note that on systems using the OpenLDAP libraries, default
471: values specified in
472: .Pa /etc/openldap/ldap.conf
473: or the user's
474: .Pa .ldaprc
475: files are not used.
476: .Pp
477: Only those options explicitly listed in
478: .Pa @ldap_conf@
479: as being supported by
480: .Nm sudo
481: are honored.
482: Configuration options are listed below in upper case but are parsed
483: in a case-independent manner.
1.1.1.2 misho 484: .Pp
1.1.1.3 ! misho 485: The pound sign
! 486: .Pq Ql #
! 487: is used to indicate a comment.
! 488: Both the comment character and any text after it, up to the end of
! 489: the line, are ignored.
1.1.1.2 misho 490: Long lines can be continued with a backslash
491: .Pq Ql \e
492: as the last character on the line.
493: Note that leading white space is removed from the beginning of lines
494: even when the continuation character is used.
1.1 misho 495: .Bl -tag -width 4n
496: .It Sy URI Ar ldap[s]://[hostname[:port]] ...
1.1.1.2 misho 497: Specifies a white space-delimited list of one or more URIs describing
1.1 misho 498: the LDAP server(s) to connect to.
499: The
500: .Em protocol
501: may be either
502: .Em ldap No or
503: .Em ldaps ,
504: the latter being for servers that support TLS (SSL) encryption.
505: If no
506: .Em port
507: is specified, the default is port 389 for
508: .Li ldap://
509: or port 636 for
510: .Li ldaps:// .
511: If no
512: .Em hostname
513: is specified,
514: .Nm sudo
515: will connect to
516: .Em localhost .
517: Multiple
518: .Sy URI
519: lines are treated identically to a
520: .Sy URI
521: line containing multiple entries.
522: Only systems using the OpenSSL libraries support the mixing of
523: .Li ldap://
524: and
525: .Li ldaps://
526: URIs.
527: Both the Netscape-derived and Tivoli LDAP libraries used on most commercial
528: versions of Unix are only capable of supporting one or the other.
529: .It Sy HOST Ar name[:port] ...
530: If no
531: .Sy URI
532: is specified, the
533: .Sy HOST
1.1.1.2 misho 534: parameter specifies a white space-delimited list of LDAP servers to connect to.
1.1 misho 535: Each host may include an optional
536: .Em port
537: separated by a colon
538: .Pq Ql :\& .
539: The
540: .Sy HOST
541: parameter is deprecated in favor of the
542: .Sy URI
543: specification and is included for backwards compatibility.
544: .It Sy PORT Ar port_number
545: If no
546: .Sy URI
547: is specified, the
548: .Sy PORT
549: parameter specifies the default port to connect to on the LDAP server if a
550: .Sy HOST
551: parameter does not specify the port itself.
552: If no
553: .Sy PORT
554: parameter is used, the default is port 389 for LDAP and port 636 for LDAP
555: over TLS (SSL).
556: The
557: .Sy PORT
558: parameter is deprecated in favor of the
559: .Sy URI
560: specification and is included for backwards compatibility.
561: .It Sy BIND_TIMELIMIT Ar seconds
562: The
563: .Sy BIND_TIMELIMIT
564: parameter specifies the amount of time, in seconds, to wait while trying
565: to connect to an LDAP server.
566: If multiple
567: .Sy URI Ns No s
568: or
569: .Sy HOST Ns No s
570: are specified, this is the amount of time to wait before trying
571: the next one in the list.
572: .It Sy NETWORK_TIMEOUT Ar seconds
573: An alias for
574: .Sy BIND_TIMELIMIT
575: for OpenLDAP compatibility.
576: .It Sy TIMELIMIT Ar seconds
577: The
578: .Sy TIMELIMIT
579: parameter specifies the amount of time, in seconds, to wait for a
580: response to an LDAP query.
581: .It Sy TIMEOUT Ar seconds
582: The
583: .Sy TIMEOUT
584: parameter specifies the amount of time, in seconds, to wait for a
585: response from the various LDAP APIs.
586: .It Sy SUDOERS_BASE Ar base
587: The base DN to use when performing
588: .Nm sudo
589: LDAP queries.
590: Typically this is of the form
591: .Li ou=SUDOers,dc=example,dc=com
592: for the domain
593: .Li example.com .
594: Multiple
595: .Sy SUDOERS_BASE
596: lines may be specified, in which case they are queried in the order specified.
597: .It Sy SUDOERS_SEARCH_FILTER Ar ldap_filter
598: An LDAP filter which is used to restrict the set of records returned
599: when performing a
600: .Nm sudo
601: LDAP query.
602: Typically, this is of the
603: form
604: .Li attribute=value
605: or
606: .Li (&(attribute=value)(attribute2=value2)) .
607: .It Sy SUDOERS_TIMED Ar on/true/yes/off/false/no
608: Whether or not to evaluate the
609: .Li sudoNotBefore
610: and
611: .Li sudoNotAfter
612: attributes that implement time-dependent sudoers entries.
613: .It Sy SUDOERS_DEBUG Ar debug_level
614: This sets the debug level for
615: .Nm sudo
616: LDAP queries.
617: Debugging information is printed to the standard error.
618: A value of 1 results in a moderate amount of debugging information.
619: A value of 2 shows the results of the matches themselves.
620: This parameter should not be set in a production environment as the
621: extra information is likely to confuse users.
1.1.1.2 misho 622: .Pp
623: The
624: .Sy SUDOERS_DEBUG
625: parameter is deprecated and will be removed in a future release.
626: The same information is now logged via the
627: .Nm sudo
628: debugging framework using the
629: .Dq ldap
630: subsystem at priorities
631: .Em diag
632: and
633: .Em info
634: for
635: .Em debug_level
636: values 1 and 2 respectively.
637: See the
638: .Xr sudo.conf @mansectform@
639: manual for details on how to configure
640: .Nm sudo
641: debugging.
1.1 misho 642: .It Sy BINDDN Ar DN
643: The
644: .Sy BINDDN
645: parameter specifies the identity, in the form of a Distinguished Name (DN),
646: to use when performing LDAP operations.
647: If not specified, LDAP operations are performed with an anonymous identity.
648: By default, most LDAP servers will allow anonymous access.
649: .It Sy BINDPW Ar secret
650: The
651: .Sy BINDPW
652: parameter specifies the password to use when performing LDAP operations.
653: This is typically used in conjunction with the
654: .Sy BINDDN
655: parameter.
656: .It Sy ROOTBINDDN Ar DN
657: The
658: .Sy ROOTBINDDN
659: parameter specifies the identity, in the form of a Distinguished Name (DN),
660: to use when performing privileged LDAP operations, such as
661: .Em sudoers
662: queries.
1.1.1.2 misho 663: The password corresponding to the identity should be stored in the
664: path specified by the
665: .Em ldap_secret
666: plugin argument in
667: .Xr sudo.conf @mansectform@ ,
668: which defaults to
1.1 misho 669: .Pa @ldap_secret@ .
1.1.1.2 misho 670: If no
671: .Sy ROOTBINDDN
672: is specified, the
1.1 misho 673: .Sy BINDDN
674: identity is used (if any).
675: .It Sy LDAP_VERSION Ar number
676: The version of the LDAP protocol to use when connecting to the server.
677: The default value is protocol version 3.
678: .It Sy SSL Ar on/true/yes/off/false/no
679: If the
680: .Sy SSL
681: parameter is set to
682: .Li on ,
683: .Li true
684: or
685: .Li yes ,
686: TLS (SSL) encryption is always used when communicating with the LDAP server.
687: Typically, this involves connecting to the server on port 636 (ldaps).
688: .It Sy SSL Ar start_tls
689: If the
690: .Sy SSL
691: parameter is set to
692: .Li start_tls ,
693: the LDAP server connection is initiated normally and TLS encryption is
694: begun before the bind credentials are sent.
695: This has the advantage of not requiring a dedicated port for encrypted
696: communications.
697: This parameter is only supported by LDAP servers that honor the
698: .Em start_tls
699: extension, such as the OpenLDAP and Tivoli Directory servers.
700: .It Sy TLS_CHECKPEER Ar on/true/yes/off/false/no
701: If enabled,
702: .Sy TLS_CHECKPEER
703: will cause the LDAP server's TLS certificate to be verified.
704: If the server's TLS certificate cannot be verified (usually because it
705: is signed by an unknown certificate authority),
706: .Nm sudo
707: will be unable to connect to it.
708: If
709: .Sy TLS_CHECKPEER
710: is disabled, no check is made.
711: Note that disabling the check creates an opportunity for man-in-the-middle
712: attacks since the server's identity will not be authenticated.
713: If possible, the CA's certificate should be installed locally so it can
714: be verified.
715: This option is not supported by the Tivoli Directory Server LDAP libraries.
716: .It Sy TLS_CACERT Ar file name
717: An alias for
718: .Sy TLS_CACERTFILE
719: for OpenLDAP compatibility.
720: .It Sy TLS_CACERTFILE Ar file name
721: The path to a certificate authority bundle which contains the certificates
722: for all the Certificate Authorities the client knows to be valid, e.g.\&
723: .Pa /etc/ssl/ca-bundle.pem .
724: This option is only supported by the OpenLDAP libraries.
725: Netscape-derived LDAP libraries use the same certificate
726: database for CA and client certificates (see
727: .Sy TLS_CERT ) .
728: .It Sy TLS_CACERTDIR Ar directory
729: Similar to
730: .Sy TLS_CACERTFILE
731: but instead of a file, it is a directory containing individual
732: Certificate Authority certificates, e.g.\&
733: .Pa /etc/ssl/certs .
734: The directory specified by
735: .Sy TLS_CACERTDIR
736: is checked after
737: .Sy TLS_CACERTFILE .
738: This option is only supported by the OpenLDAP libraries.
739: .It Sy TLS_CERT Ar file name
740: The path to a file containing the client certificate which can
741: be used to authenticate the client to the LDAP server.
742: The certificate type depends on the LDAP libraries used.
743: .Bl -tag -width 4n
744: .It OpenLDAP:
745: .Li tls_cert /etc/ssl/client_cert.pem
746: .It Netscape-derived:
747: .Li tls_cert /var/ldap/cert7.db
748: .It Tivoli Directory Server:
749: Unused, the key database specified by
750: .Sy TLS_KEY
751: contains both keys and certificates.
752: .Pp
753: When using Netscape-derived libraries, this file may also contain
754: Certificate Authority certificates.
755: .El
756: .It Sy TLS_KEY Ar file name
757: The path to a file containing the private key which matches the
758: certificate specified by
759: .Sy TLS_CERT .
760: The private key must not be password-protected.
761: The key type depends on the LDAP libraries used.
762: .Bl -tag -width 4n
763: .It OpenLDAP:
764: .Li tls_key /etc/ssl/client_key.pem
765: .It Netscape-derived:
766: .Li tls_key /var/ldap/key3.db
767: .It Tivoli Directory Server:
1.1.1.3 ! misho 768: .Li tls_key /usr/ldap/ldapkey.kdb
1.1 misho 769: .El
770: When using Tivoli LDAP libraries, this file may also contain
771: Certificate Authority and client certificates and may be encrypted.
772: .It Sy TLS_KEYPW Ar secret
773: The
774: .Sy TLS_KEYPW
775: contains the password used to decrypt the key database on clients
776: using the Tivoli Directory Server LDAP library.
1.1.1.3 ! misho 777: This should be a simple string without quotes.
! 778: The password may not include the comment character
! 779: .Pq Ql #
! 780: and escaping of special characters with a backslash
! 781: .Pq Ql \e
! 782: is not supported.
! 783: If this option is used,
! 784: .Pa @ldap_conf@
! 785: must not be world-readable to avoid exposing the password.
! 786: Alternately, a
! 787: .Em stash file
! 788: can be used to store the password in encrypted form (see below).
! 789: .Pp
1.1 misho 790: If no
791: .Sy TLS_KEYPW
792: is specified, a
793: .Em stash file
794: will be used if it exists.
795: The
796: .Em stash file
797: must have the same path as the file specified by
798: .Sy TLS_KEY ,
799: but use a
800: .Li .sth
801: file extension instead of
802: .Li .kdb ,
803: e.g.\&
804: .Li ldapkey.sth .
805: The default
806: .Li ldapkey.kdb
807: that ships with Tivoli Directory Server is encrypted with the password
808: .Li ssl_password .
1.1.1.3 ! misho 809: The
! 810: .Em gsk8capicmd
! 811: utility can be used to manage the key database and create a
! 812: .Em stash file .
1.1 misho 813: This option is only supported by the Tivoli LDAP libraries.
814: .It Sy TLS_RANDFILE Ar file name
815: The
816: .Sy TLS_RANDFILE
817: parameter specifies the path to an entropy source for systems that lack
818: a random device.
819: It is generally used in conjunction with
820: .Em prngd
821: or
822: .Em egd .
823: This option is only supported by the OpenLDAP libraries.
824: .It Sy TLS_CIPHERS Ar cipher list
825: The
826: .Sy TLS_CIPHERS
827: parameter allows the administrator to restrict which encryption algorithms
828: may be used for TLS (SSL) connections.
829: See the OpenLDAP or Tivoli Directory Server manual for a list of valid
830: ciphers.
831: This option is not supported by Netscape-derived libraries.
832: .It Sy USE_SASL Ar on/true/yes/off/false/no
833: Enable
834: .Sy USE_SASL
835: for LDAP servers that support SASL authentication.
836: .It Sy SASL_AUTH_ID Ar identity
837: The SASL user name to use when connecting to the LDAP server.
838: By default,
839: .Nm sudo
840: will use an anonymous connection.
841: .It Sy ROOTUSE_SASL Ar on/true/yes/off/false/no
842: Enable
843: .Sy ROOTUSE_SASL
844: to enable SASL authentication when connecting
845: to an LDAP server from a privileged process, such as
846: .Nm sudo .
847: .It Sy ROOTSASL_AUTH_ID Ar identity
848: The SASL user name to use when
849: .Sy ROOTUSE_SASL
850: is enabled.
851: .It Sy SASL_SECPROPS Ar none/properties
852: SASL security properties or
853: .Em none
854: for no properties.
855: See the SASL programmer's manual for details.
856: .It Sy KRB5_CCNAME Ar file name
857: The path to the Kerberos 5 credential cache to use when authenticating
858: with the remote server.
859: .It Sy DEREF Ar never/searching/finding/always
860: How alias dereferencing is to be performed when searching.
861: See the
862: .Xr ldap.conf @mansectsu@
863: manual for a full description of this option.
864: .El
865: .Pp
866: See the
867: .Pa ldap.conf
868: entry in the
869: .Sx EXAMPLES
870: section.
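The ldap.conf syntax rules above (comments introduced by #, backslash continuation with leading white space stripped, case-independent option names, several URI lines equal to one) together with the cautions attached to TLS_CHECKPEER, TLS_KEYPW, HOST/PORT and SUDOERS_DEBUG, worked as an added Python example; this is not sudo's own parser, and the configuration text is constructed.

```python
import stat

# Constructed ldap.conf text that exercises the syntax rules: a continued
# line, mixed-case option names and a comment trailing a value.
SAMPLE_CONF = """\
# constructed example, not a real site configuration
URI ldap://ldapserver \\
    ldaps://secureldapserver
sudoers_base ou=SUDOers,dc=example,dc=com
Sudoers_Base ou=SUDOers,dc=lab,dc=example,dc=com
SSL start_tls
tls_checkpeer no    # ignore server SSL certificate
TLS_CACertFile /etc/ssl/ca-bundle.pem
tls_keypw example-key-password
"""

def parse_ldap_conf(text):
    """{option in lower case: [values in file order]}. '#' starts a comment
    running to end of line, a trailing backslash continues the line, and
    leading white space is dropped from every physical line, continued or not."""
    logical, pending = [], ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        logical.append(pending + line)
        pending = ""
    if pending:
        logical.append(pending)
    options = {}
    for line in logical:
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            options.setdefault(parts[0].lower(), []).append(
                parts[1].strip() if len(parts) > 1 else "")
    return options

def uris(options):
    """Several URI lines equal one URI line with several entries: flatten them."""
    return [u for line in options.get("uri", []) for u in line.split()]

def lint_ldap_conf(options, conf_mode=None):
    """Findings drawn from the cautions in the sudoers.ldap manual; conf_mode is
    the st_mode of ldap.conf when known (for the TLS_KEYPW exposure check)."""
    findings = []
    if "sudoers_base" not in options:
        findings.append("SUDOERS_BASE missing: sudo will ignore LDAP")
    if "uri" not in options:
        findings.append("no URI: HOST/PORT are used if set, else localhost port 389")
    checkpeer = options.get("tls_checkpeer")
    if checkpeer and checkpeer[-1].lower() in ("off", "false", "no"):
        findings.append("TLS_CHECKPEER disabled: server identity not verified, "
                        "man-in-the-middle possible; install the CA certificate")
    for old in ("host", "port"):
        if old in options:
            findings.append(old.upper() + " is deprecated in favour of URI")
    if "sudoers_debug" in options:
        findings.append("SUDOERS_DEBUG set: deprecated and not for production")
    if "tls_keypw" in options and conf_mode is not None and conf_mode & stat.S_IROTH:
        findings.append("TLS_KEYPW stored in a world-readable ldap.conf")
    return findings

OPTIONS = parse_ldap_conf(SAMPLE_CONF)
```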
871: .Ss Configuring nsswitch.conf
872: Unless it is disabled at build time,
873: .Nm sudo
874: consults the Name Service Switch file,
875: .Pa @nsswitch_conf@ ,
876: to specify the
877: .Em sudoers
878: search order.
879: Sudo looks for a line beginning with
880: .Li sudoers :
881: and uses this to determine the search order.
882: Note that
883: .Nm sudo
884: does
885: not stop searching after the first match and later matches take
886: precedence over earlier ones.
887: The following sources are recognized:
888: .Pp
889: .Bl -tag -width 8n -offset 4n -compact
890: .It files
891: read sudoers from
892: .Pa @sysconfdir@/sudoers
893: .It ldap
894: read sudoers from LDAP
895: .El
896: .Pp
897: In addition, the entry
898: .Li [NOTFOUND=return]
899: will short-circuit the search if the user was not found in the
900: preceding source.
901: .Pp
902: To consult LDAP first followed by the local sudoers file (if it
903: exists), use:
904: .Bd -literal -offset 4n
905: sudoers: ldap files
906: .Ed
907: .Pp
908: The local
909: .Em sudoers
910: file can be ignored completely by using:
911: .Bd -literal -offset 4n
912: sudoers: ldap
913: .Ed
914: .Pp
915: If the
916: .Pa @nsswitch_conf@
917: file is not present or there is no sudoers line, the following
918: default is assumed:
919: .Bd -literal -offset 4n
920: sudoers: files
921: .Ed
922: .Pp
923: Note that
924: .Pa @nsswitch_conf@
925: is supported even when the underlying operating system does not use
926: an nsswitch.conf file, except on AIX (see below).
927: .Ss Configuring netsvc.conf
928: On AIX systems, the
929: .Pa @netsvc_conf@
930: file is consulted instead of
931: .Pa @nsswitch_conf@ .
932: .Nm sudo
933: simply treats
934: .Pa netsvc.conf
935: as a variant of
936: .Pa nsswitch.conf ;
937: information in the previous section unrelated to the file format
938: itself still applies.
939: .Pp
940: To consult LDAP first followed by the local sudoers file (if it
941: exists), use:
942: .Bd -literal -offset 4n
943: sudoers = ldap, files
944: .Ed
945: .Pp
946: The local
947: .Em sudoers
948: file can be ignored completely by using:
949: .Bd -literal -offset 4n
950: sudoers = ldap
951: .Ed
952: .Pp
1.1.1.2 misho 953: To treat LDAP as authoritative and only use the local sudoers file
1.1 misho 954: if the user is not present in LDAP, use:
955: .Bd -literal -offset 4n
956: sudoers = ldap = auth, files
957: .Ed
958: .Pp
959: Note that in the above example, the
960: .Li auth
1.1.1.2 misho 961: qualifier only affects user lookups; both LDAP and
1.1 misho 962: .Em sudoers
963: will be queried for
964: .Li Defaults
965: entries.
966: .Pp
967: If the
968: .Pa @netsvc_conf@
969: file is not present or there is no sudoers line, the following
970: default is assumed:
971: .Bd -literal -offset 4n
972: sudoers = files
973: .Ed
.Sh FILES
.Bl -tag -width 24n
.It Pa @ldap_conf@
LDAP configuration file
.It Pa @nsswitch_conf@
determines sudoers source order
.It Pa @netsvc_conf@
determines sudoers source order on AIX
.El
.Sh EXAMPLES
.Ss Example ldap.conf
.Bd -literal -offset 2n
# Either specify one or more URIs or one or more host:port pairs.
# If neither is specified sudo will default to localhost, port 389.
#
#host ldapserver
#host ldapserver1 ldapserver2:390
#
# Default port if host is specified without one, defaults to 389.
#port 389
#
# URI will override the host and port settings.
uri ldap://ldapserver
#uri ldaps://secureldapserver
#uri ldaps://secureldapserver ldap://ldapserver
#
# The amount of time, in seconds, to wait while trying to connect to
# an LDAP server.
bind_timelimit 30
#
# The amount of time, in seconds, to wait while performing an LDAP query.
timelimit 30
#
# Must be set or sudo will ignore LDAP; may be specified multiple times.
sudoers_base ou=SUDOers,dc=example,dc=com
#
# verbose sudoers matching from ldap
#sudoers_debug 2
#
# Enable support for time-based entries in sudoers.
#sudoers_timed yes
#
# optional proxy credentials
#binddn <who to search as>
#bindpw <password>
#rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>
#
# LDAP protocol version, defaults to 3
#ldap_version 3
#
# Define if you want to use an encrypted LDAP connection.
# Typically, you must also set the port to 636 (ldaps).
#ssl on
#
# Define if you want to use port 389 and switch to
# encryption before the bind credentials are sent.
# Only supported by LDAP servers that support the start_tls
# extension such as OpenLDAP.
#ssl start_tls
#
# Additional TLS options follow that allow tweaking of the
# SSL/TLS connection.
#
#tls_checkpeer yes # verify server SSL certificate
#tls_checkpeer no # ignore server SSL certificate
#
# Disabling tls_checkpeer leaves the connection open to
# man-in-the-middle attacks, since the server's identity is never
# authenticated; keep it enabled and install the CA certificate.
#
# If you enable tls_checkpeer, specify either tls_cacertfile
# or tls_cacertdir. Only supported when using OpenLDAP.
#
#tls_cacertfile /etc/certs/trusted_signers.pem
#tls_cacertdir /etc/certs
#
# For systems that don't have /dev/random
# use this along with PRNGD or EGD.pl to seed the
# random number pool to generate cryptographic session keys.
# Only supported when using OpenLDAP.
#
#tls_randfile /etc/egd-pool
#
# You may restrict which ciphers are used. Consult your SSL
# documentation for which options go here.
# Only supported when using OpenLDAP.
#
#tls_ciphers <cipher-list>
#
# Sudo can provide a client certificate when communicating to
# the LDAP server.
# Tips:
# * Enable both lines at the same time.
# * Do not password protect the key file.
# * Ensure the keyfile is only readable by root.
#
# For OpenLDAP:
#tls_cert /etc/certs/client_cert.pem
#tls_key /etc/certs/client_key.pem
#
# For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
# a directory, in which case the files in the directory must have the
# default names (e.g. cert8.db and key3.db), or the path to the cert
# and key files themselves. However, a bug in version 5.0 of the LDAP
# SDK will prevent specific file names from working. For this reason
# it is suggested that tls_cert and tls_key be set to a directory,
# not a file name.
#
# The certificate database specified by tls_cert may contain CA certs
# and/or the client's cert. If the client's cert is included, tls_key
# should be specified as well.
# For backward compatibility, "sslpath" may be used in place of tls_cert.
#tls_cert /var/ldap
#tls_key /var/ldap
#
# If using SASL authentication for LDAP (requires an LDAP library
# with SASL support, such as OpenLDAP)
# use_sasl yes
# sasl_auth_id <SASL user name>
# rootuse_sasl yes
# rootsasl_auth_id <SASL user name for root access>
# sasl_secprops none
# krb5_ccname /etc/.ldapcache
.Ed
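.Pp
The following Python program is an added example, not part of
.Nm sudo .
It reads an
.Pa ldap.conf
in the format shown above and reports the settings a reviewer would
flag: a plaintext transport, a disabled or unset
.Li tls_checkpeer ,
a missing trust anchor for an enabled check, a
.Li bindpw
kept in the file, and a missing
.Li sudoers_base .
The two sample configurations, the finding codes and their wording are
constructed for illustration; the check is static and never contacts
the directory server.

```python
"""Added example: offline audit of a sudoers ldap.conf for transport and
credential weaknesses.  Not sudo's own code; sample configurations are
constructed.  Parsing assumes the format shown above: one case-insensitive
keyword per line followed by its value, with '#' starting a comment."""
from typing import Dict, List

ENCRYPTED_SSL = {"on", "yes", "true", "start_tls"}
ENABLED = {"on", "yes", "true"}
DISABLED = {"off", "no", "false"}

EXPLANATION = {
    "NO_SUDOERS_BASE": "sudoers_base is unset, so sudo ignores LDAP entirely",
    "PLAINTEXT": "no ssl setting and no ldaps:// URI: sudoers policy and "
                 "bind credentials cross the network in the clear",
    "NO_CHECKPEER": "tls_checkpeer is disabled: a man-in-the-middle can "
                    "serve forged sudoRole entries",
    "CHECKPEER_UNSET": "tls_checkpeer is not set; verification depends on "
                       "the LDAP library's default",
    "NO_CA": "tls_checkpeer is on but neither tls_cacertfile nor "
             "tls_cacertdir is given, so there is no trust anchor",
    "BINDPW_IN_FILE": "bindpw is stored in ldap.conf; the file must be "
                      "readable by root only (or use rootbinddn)",
}


def parse_ldap_conf(text: str) -> Dict[str, List[str]]:
    """Map each lowercase keyword to every value given for it, in order."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), []).append(value)
    return conf


def _last(conf: Dict[str, List[str]], key: str) -> str:
    """Last occurrence wins for single-valued keywords; '' if absent."""
    return conf[key][-1].lower() if key in conf else ""


def audit_ldap_conf(text: str) -> List[str]:
    """Return finding codes (keys of EXPLANATION); empty when clean."""
    conf = parse_ldap_conf(text)
    findings: List[str] = []
    if "sudoers_base" not in conf:
        findings.append("NO_SUDOERS_BASE")
    uris = [u.lower() for v in conf.get("uri", []) for u in v.split()]
    # Encrypted if ssl on/start_tls is set, or if every URI is ldaps://.
    encrypted = _last(conf, "ssl") in ENCRYPTED_SSL or (
        bool(uris) and all(u.startswith("ldaps://") for u in uris))
    if not encrypted:
        findings.append("PLAINTEXT")
    checkpeer = _last(conf, "tls_checkpeer")
    if checkpeer in DISABLED:
        findings.append("NO_CHECKPEER")
    elif encrypted and checkpeer not in ENABLED:
        findings.append("CHECKPEER_UNSET")
    elif encrypted and not ("tls_cacertfile" in conf or "tls_cacertdir" in conf):
        findings.append("NO_CA")
    if "bindpw" in conf:
        findings.append("BINDPW_IN_FILE")
    return findings


WEAK_CONF = """\
# constructed sample: the settings a hurried first deployment tends to have
uri ldap://ldapserver
sudoers_base ou=SUDOers,dc=example,dc=com
binddn cn=sudo,ou=service,dc=example,dc=com
bindpw hunter2
tls_checkpeer no # ignore server SSL certificate
"""

HARDENED_CONF = """\
# constructed sample: the same deployment with the weak settings fixed
uri ldaps://ldapserver
ssl on
sudoers_base ou=SUDOers,dc=example,dc=com
rootbinddn cn=sudo,ou=service,dc=example,dc=com
tls_checkpeer yes
tls_cacertfile /etc/certs/trusted_signers.pem
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        codes = audit_ldap_conf(conf)
        print(label, codes or "clean")
        for code in codes:
            print("  ", code, "-", EXPLANATION[code])
```

To audit a deployed file, pass its contents to
.Li audit_ldap_conf ;
a clean result still leaves the file's ownership and mode to be checked
by hand, which a static parser cannot do.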
.Ss Sudo schema for OpenLDAP
The following schema, in OpenLDAP format, is included with
.Nm sudo
source and binary distributions as
.Pa schema.OpenLDAP .
Simply copy
it to the schema directory (e.g.\&
.Pa /etc/openldap/schema ) ,
add the proper
.Li include
line in
.Pa slapd.conf
and restart
.Nm slapd .
.Bd -literal -offset 2n
attributetype ( 1.3.6.1.4.1.15953.9.1.1
   NAME 'sudoUser'
   DESC 'User(s) who may run sudo'
   EQUALITY caseExactIA5Match
   SUBSTR caseExactIA5SubstringsMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.2
   NAME 'sudoHost'
   DESC 'Host(s) who may run sudo'
   EQUALITY caseExactIA5Match
   SUBSTR caseExactIA5SubstringsMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.3
   NAME 'sudoCommand'
   DESC 'Command(s) to be executed by sudo'
   EQUALITY caseExactIA5Match
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.4
   NAME 'sudoRunAs'
   DESC 'User(s) impersonated by sudo'
   EQUALITY caseExactIA5Match
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.5
   NAME 'sudoOption'
   DESC 'Option(s) followed by sudo'
   EQUALITY caseExactIA5Match
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.6
   NAME 'sudoRunAsUser'
   DESC 'User(s) impersonated by sudo'
   EQUALITY caseExactIA5Match
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.7
   NAME 'sudoRunAsGroup'
   DESC 'Group(s) impersonated by sudo'
   EQUALITY caseExactIA5Match
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.8
   NAME 'sudoNotBefore'
   DESC 'Start of time interval for which the entry is valid'
   EQUALITY generalizedTimeMatch
   ORDERING generalizedTimeOrderingMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

attributetype ( 1.3.6.1.4.1.15953.9.1.9
   NAME 'sudoNotAfter'
   DESC 'End of time interval for which the entry is valid'
   EQUALITY generalizedTimeMatch
   ORDERING generalizedTimeOrderingMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

attributetype ( 1.3.6.1.4.1.15953.9.1.10
   NAME 'sudoOrder'
   DESC 'an integer to order the sudoRole entries'
   EQUALITY integerMatch
   ORDERING integerOrderingMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
   DESC 'Sudoer Entries'
   MUST ( cn )
   MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
         sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
         sudoOrder $ description )
   )
.Ed
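.Pp
The following Python program is an added example, not part of
.Nm sudo
or its schema.
.Nm slapd
enforces the schema when an entry is added; the checker below finds the
same problems offline in an LDIF file before it is handed to
.Nm ldapadd :
a missing
.Li cn ,
an attribute the
.Li sudoRole
object class does not allow, a non-ASCII value in an IA5 attribute, a
malformed GeneralizedTime in
.Li sudoNotBefore
or
.Li sudoNotAfter ,
and a non-integer
.Li sudoOrder .
The LDIF reader and the sample entries are constructed for illustration;
the attribute list and syntaxes are taken from the schema above.

```python
"""Added example: validate LDIF sudoRole entries against the sudo OpenLDAP
schema before loading them.  Not sudo's own code; the LDIF reader is
minimal and the sample entries are constructed."""
import base64
import re
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]          # lowercase attribute name -> values

# From the schema: cn is MUST, the rest MAY; objectClass comes from 'top'.
# Syntaxes: ...121.1.26 IA5String, ...121.1.24 GeneralizedTime, ...121.1.27 INTEGER.
MUST = {"cn"}
MAY = {"sudouser", "sudohost", "sudocommand", "sudorunas", "sudorunasuser",
       "sudorunasgroup", "sudooption", "sudonotbefore", "sudonotafter",
       "sudoorder", "description"}
IA5 = {"sudouser", "sudohost", "sudocommand", "sudorunas",
       "sudorunasuser", "sudorunasgroup", "sudooption"}
GENERALIZED_TIME = {"sudonotbefore", "sudonotafter"}
INTEGER = {"sudoorder"}

# RFC 4517 GeneralizedTime: YYYYMMDDHH[MM[SS]][.frac](Z|+hhmm|-hhmm)
_GTIME = re.compile(r"^\d{10}(\d{2}(\d{2})?)?([.,]\d+)?(Z|[+-]\d{2}(\d{2})?)$")
_INT = re.compile(r"^-?\d+$")


def parse_ldif(text: str) -> List[Tuple[str, Entry]]:
    """Minimal LDIF reader: blank-line separated entries, lines starting
    with a space folded into the previous one, 'attr:: <base64>' values."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: List[Tuple[str, Entry]] = []
    dn, attrs = "", {}
    for line in lines + [""]:           # trailing "" flushes the last entry
        if not line.strip():
            if dn:
                entries.append((dn, attrs))
            dn, attrs = "", {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
    return entries


def check_sudo_role(dn: str, attrs: Entry) -> List[str]:
    """Return the schema violations slapd would reject in this entry."""
    problems: List[str] = []
    if "sudorole" not in {c.lower() for c in attrs.get("objectclass", [])}:
        return [f"{dn}: objectClass does not include sudoRole"]
    for attr in sorted(MUST - set(attrs)):
        problems.append(f"{dn}: missing MUST attribute {attr}")
    for attr, values in attrs.items():
        if attr == "objectclass":
            continue
        if attr not in MUST | MAY:
            problems.append(f"{dn}: attribute {attr} not allowed by sudoRole")
            continue
        for v in values:
            if attr in IA5 and not v.isascii():
                problems.append(f"{dn}: {attr} is not an IA5 string: {v!r}")
            elif attr in GENERALIZED_TIME and not _GTIME.match(v):
                problems.append(f"{dn}: {attr} is not a GeneralizedTime: {v!r}")
            elif attr in INTEGER and not _INT.match(v):
                problems.append(f"{dn}: {attr} is not an INTEGER: {v!r}")
    return problems


def check_ldif(text: str) -> List[str]:
    """Run check_sudo_role over every entry in an LDIF document."""
    return [p for dn, attrs in parse_ldif(text) for p in check_sudo_role(dn, attrs)]


SAMPLE_LDIF = """\
# Constructed sample: one clean role and one that slapd would refuse.
dn: cn=netadmins,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: netadmins
sudoUser: %netadmins
sudoHost: ALL
sudoRunAsUser: root
sudoCommand: /sbin/ip
sudoNotBefore: 20130901000000Z
sudoNotAfter: 20131001000000Z
sudoOrder: 10

dn: cn=broken,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
sudoUser:: asO8cmdlbg==
sudoHost: ALL
sudoCommand: ALL
sudoNotAfter: 2013-10-01
sudoOrder: ten
sudoGroup: wheel
"""

if __name__ == "__main__":
    for problem in check_ldif(SAMPLE_LDIF):
        print(problem)
```

The second sample entry shows every class of rejection at once: no
.Li cn ,
a base64-encoded non-ASCII
.Li sudoUser ,
a date that is not a GeneralizedTime, a non-numeric
.Li sudoOrder
and a
.Li sudoGroup
attribute the object class does not define.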
.Sh SEE ALSO
.Xr ldap.conf @mansectform@ ,
.Xr sudo.conf @mansectform@ ,
.Xr sudoers @mansectsu@
.Sh CAVEATS
Note that there are differences in the way that LDAP-based
.Em sudoers
is parsed compared to file-based
.Em sudoers .
See the
.Sx Differences between LDAP and non-LDAP sudoers
section for more information.
.Sh BUGS
If you feel you have found a bug in
.Nm sudo ,
please submit a bug report at http://www.sudo.ws/sudo/bugs/
.Sh SUPPORT
Limited free support is available via the sudo-users mailing list,
see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.Sh DISCLAIMER
.Nm sudo
is provided
.Dq AS IS
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
.Nm sudo
or http://www.sudo.ws/sudo/license.html for complete details.