1: .\"
2: .\" Copyright (c) 2003-2014 Todd C. Miller <Todd.Miller@courtesan.com>
3: .\"
4: .\" Permission to use, copy, modify, and distribute this software for any
5: .\" purpose with or without fee is hereby granted, provided that the above
6: .\" copyright notice and this permission notice appear in all copies.
7: .\"
8: .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9: .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10: .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11: .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12: .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13: .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14: .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15: .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
16: .\"
17: .Dd February 7, 2014
18: .Dt SUDOERS.LDAP @mansectsu@
19: .Os Sudo @PACKAGE_VERSION@
20: .Sh NAME
21: .Nm sudoers.ldap
22: .Nd sudo LDAP configuration
23: .Sh DESCRIPTION
24: In addition to the standard
25: .Em sudoers
26: file,
27: .Nm sudo
28: may be configured
29: via LDAP.
30: This can be especially useful for synchronizing
31: .Em sudoers
32: in a large, distributed environment.
33: .Pp
34: Using LDAP for
35: .Em sudoers
36: has several benefits:
37: .Bl -bullet
38: .It
39: .Nm sudo
40: no longer needs to read
41: .Em sudoers
42: in its entirety.
43: When LDAP is used, there are only two or three LDAP queries per invocation.
44: This makes it especially fast and particularly usable in LDAP environments.
45: .It
46: .Nm sudo
47: no longer exits if there is a typo in
48: .Em sudoers .
49: It is not possible to load LDAP data into the server that does
50: not conform to the sudoers schema, so proper syntax is guaranteed.
51: It is still possible to have typos in a user or host name, but
52: this will not prevent
53: .Nm sudo
54: from running.
55: .It
56: It is possible to specify per-entry options that override the global
57: default options.
58: .Pa @sysconfdir@/sudoers
59: only supports default options and limited options associated with
60: user/host/commands/aliases.
61: The syntax is complicated and can be difficult for users to understand.
62: Placing the options directly in the entry is more natural.
63: .It
64: The
65: .Nm visudo
66: program is no longer needed.
67: .Nm visudo
68: provides locking and syntax checking of the
69: .Pa @sysconfdir@/sudoers
70: file.
71: Since LDAP updates are atomic, locking is no longer necessary.
72: Because syntax is checked when the data is inserted into LDAP, there
73: is no need for a specialized tool to check syntax.
74: .El
75: .Pp
76: Another major difference between LDAP and file-based
77: .Em sudoers
78: is that in LDAP,
79: .Nm sudo Ns -specific
80: Aliases are not supported.
81: .Pp
82: For the most part, there is really no need for
83: .Nm sudo Ns -specific
84: Aliases.
85: Unix groups, non-Unix groups (via the
86: .Em group_plugin )
87: or user netgroups can be used in place of User_Aliases and Runas_Aliases.
88: Host netgroups can be used in place of Host_Aliases.
89: Since groups and netgroups can also be stored in LDAP there is no real need for
90: .Nm sudo Ns -specific
91: aliases.
92: .Pp
93: Cmnd_Aliases are not really required either since it is possible
94: to have multiple users listed in a
95: .Li sudoRole .
96: Instead of defining a Cmnd_Alias that is referenced by multiple users,
97: one can create a
98: .Li sudoRole
99: that contains the commands and assign multiple users to it.
100: .Ss SUDOers LDAP container
101: The
102: .Em sudoers
103: configuration is contained in the
104: .Li ou=SUDOers
105: LDAP container.
106: .Pp
107: Sudo first looks for the
108: .Li cn=default
109: entry in the SUDOers container.
110: If found, the multi-valued
111: .Li sudoOption
112: attribute is parsed in the same manner as a global
113: .Li Defaults
114: line in
115: .Pa @sysconfdir@/sudoers .
116: In the following example, the
117: .Ev SSH_AUTH_SOCK
118: variable will be preserved in the environment for all users.
119: .Bd -literal -offset 4n
120: dn: cn=defaults,ou=SUDOers,dc=example,dc=com
121: objectClass: top
122: objectClass: sudoRole
123: cn: defaults
124: description: Default sudoOption's go here
125: sudoOption: env_keep+=SSH_AUTH_SOCK
126: .Ed
127: .Pp
128: The equivalent of a sudoer in LDAP is a
129: .Li sudoRole .
130: It consists of the following attributes:
131: .Bl -tag -width 4n
132: .It Sy sudoUser
133: A user name, user ID (prefixed with
134: .Ql # ) ,
135: Unix group name or ID (prefixed with
136: .Ql %
137: or
138: .Ql %#
139: respectively), user netgroup (prefixed with
140: .Ql + ) ,
141: or non-Unix group name or ID (prefixed with
142: .Ql %:
143: or
144: .Ql %:#
145: respectively).
146: Non-Unix group support is only available when an appropriate
147: .Em group_plugin
148: is defined in the global
149: .Em defaults
150: .Li sudoRole
151: object.
152: .It Sy sudoHost
153: A host name, IP address, IP network, or host netgroup (prefixed with a
154: .Ql + ) .
155: The special value
156: .Li ALL
157: will match any host.
158: .It Sy sudoCommand
159: A fully-qualified Unix command name with optional command line arguments,
160: potentially including globbing characters (aka wild cards).
161: If a command name is preceded by an exclamation point,
162: .Ql \&! ,
163: the user will be prohibited from running that command.
164: .Pp
165: The built-in command
166: .Dq Li sudoedit
167: is used to permit a user to run
168: .Nm sudo
169: with the
170: .Fl e
171: option (or as
172: .Nm sudoedit ) .
173: It may take command line arguments just as a normal command does.
174: Note that
175: .Dq Li sudoedit
176: is a command built into
177: .Nm sudo
178: itself and must be specified in without a leading path.
179: .Pp
180: The special value
181: .Li ALL
182: will match any command.
183: .Pp
184: If a command name is prefixed with a SHA-2 digest, it will
185: only be allowed if the digest matches.
186: This may be useful in situations where the user invoking
187: .Nm sudo
188: has write access to the command or its parent directory.
189: The following digest formats are supported: sha224, sha256, sha384 and sha512.
190: The digest name must be followed by a colon
191: .Pq Ql :\&
192: and then the actual digest, in either hex or base64 format.
193: For example, given the following value for sudoCommand:
194: .Bd -literal -offset 4n
195: sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ /bin/ls
196: .Ed
197: .Pp
198: The user may only run
199: .Pa /bin/ls
200: if its sha224 digest matches the specified value.
201: Command digests are only supported by version 1.8.7 or higher.
202: .It Sy sudoOption
203: Identical in function to the global options described above, but
204: specific to the
205: .Li sudoRole
206: in which it resides.
207: .It Sy sudoRunAsUser
208: A user name or uid (prefixed with
209: .Ql # )
210: that commands may be run as or a Unix group (prefixed with a
211: .Ql % )
212: or user netgroup (prefixed with a
213: .Ql + )
214: that contains a list of users that commands may be run as.
215: The special value
216: .Li ALL
217: will match any user.
218: .Pp
219: The
220: .Li sudoRunAsUser
221: attribute is only available in
222: .Nm sudo
223: versions
224: 1.7.0 and higher.
225: Older versions of
226: .Nm sudo
227: use the
228: .Li sudoRunAs
229: attribute instead.
230: .It Sy sudoRunAsGroup
231: A Unix group or gid (prefixed with
232: .Ql # )
233: that commands may be run as.
234: The special value
235: .Li ALL
236: will match any group.
237: .Pp
238: The
239: .Li sudoRunAsGroup
240: attribute is only available in
241: .Nm sudo
242: versions
243: 1.7.0 and higher.
244: .It Sy sudoNotBefore
245: A timestamp in the form
246: .Li yyyymmddHHMMSSZ
247: that can be used to provide a start date/time for when the
248: .Li sudoRole
249: will be valid.
250: If multiple
251: .Li sudoNotBefore
252: entries are present, the earliest is used.
253: Note that timestamps must be in Coordinated Universal Time (UTC),
254: not the local timezone.
255: The minute and seconds portions are optional, but some LDAP servers
256: require that they be present (contrary to the RFC).
257: .Pp
258: The
259: .Li sudoNotBefore
260: attribute is only available in
261: .Nm sudo
262: versions 1.7.5 and higher and must be explicitly enabled via the
263: .Sy SUDOERS_TIMED
264: option in
265: .Pa @ldap_conf@ .
266: .It Sy sudoNotAfter
267: A timestamp in the form
268: .Li yyyymmddHHMMSSZ
269: that indicates an expiration date/time, after which the
270: .Li sudoRole
271: will no longer be valid.
272: If multiple
273: .Li sudoNotBefore
274: entries are present, the last one is used.
275: Note that timestamps must be in Coordinated Universal Time (UTC),
276: not the local timezone.
277: The minute and seconds portions are optional, but some LDAP servers
278: require that they be present (contrary to the RFC).
279: .Pp
280: The
281: .Li sudoNotAfter
282: attribute is only available in
283: .Nm sudo
284: versions
285: 1.7.5 and higher and must be explicitly enabled via the
286: .Sy SUDOERS_TIMED
287: option in
288: .Pa @ldap_conf@ .
289: .It Sy sudoOrder
290: The
291: .Li sudoRole
292: entries retrieved from the LDAP directory have no inherent order.
293: The
294: .Li sudoOrder
295: attribute is an integer (or floating point value for LDAP servers
296: that support it) that is used to sort the matching entries.
297: This allows LDAP-based sudoers entries to more closely mimic the behavior
298: of the sudoers file, where the of the entries influences the result.
299: If multiple entries match, the entry with the highest
300: .Li sudoOrder
301: attribute is chosen.
302: This corresponds to the
303: .Dq last match
304: behavior of the sudoers file.
305: If the
306: .Li sudoOrder
307: attribute is not present, a value of 0 is assumed.
308: .Pp
309: The
310: .Li sudoOrder
311: attribute is only available in
312: .Nm sudo
313: versions 1.7.5 and higher.
314: .El
315: .Pp
316: Each attribute listed above should contain a single value, but there
317: may be multiple instances of each attribute type.
318: A
319: .Li sudoRole
320: must contain at least one
321: .Li sudoUser ,
322: .Li sudoHost
323: and
324: .Li sudoCommand .
325: .Pp
326: The following example allows users in group wheel to run any command
327: on any host via
328: .Nm sudo :
329: .Bd -literal -offset 4n
330: dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
331: objectClass: top
332: objectClass: sudoRole
333: cn: %wheel
334: sudoUser: %wheel
335: sudoHost: ALL
336: sudoCommand: ALL
337: .Ed
338: .Ss Anatomy of LDAP sudoers lookup
339: When looking up a sudoer using LDAP there are only two or three
340: LDAP queries per invocation.
341: The first query is to parse the global options.
342: The second is to match against the user's name and the groups that
343: the user belongs to.
344: (The special
345: .Li ALL
346: tag is matched in this query too.)
347: If no match is returned for the user's name and groups, a third
348: query returns all entries containing user netgroups and checks
349: to see if the user belongs to any of them.
350: .Pp
351: If timed entries are enabled with the
352: .Sy SUDOERS_TIMED
353: configuration directive, the LDAP queries include a sub-filter that
354: limits retrieval to entries that satisfy the time constraints, if any.
355: .Ss Differences between LDAP and non-LDAP sudoers
356: There are some subtle differences in the way sudoers is handled
357: once in LDAP.
358: Probably the biggest is that according to the RFC, LDAP ordering
359: is arbitrary and you cannot expect that Attributes and Entries are
360: returned in any specific order.
361: .Pp
362: The order in which different entries are applied can be controlled
363: using the
364: .Li sudoOrder
365: attribute, but there is no way to guarantee the order of attributes
366: within a specific entry.
367: If there are conflicting command rules in an entry, the negative
368: takes precedence.
369: This is called paranoid behavior (not necessarily the most specific
370: match).
371: .Pp
372: Here is an example:
373: .Bd -literal -offset 4n
374: # /etc/sudoers:
375: # Allow all commands except shell
376: johnny ALL=(root) ALL,!/bin/sh
377: # Always allows all commands because ALL is matched last
378: puddles ALL=(root) !/bin/sh,ALL
379:
380: # LDAP equivalent of johnny
381: # Allows all commands except shell
382: dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
383: objectClass: sudoRole
384: objectClass: top
385: cn: role1
386: sudoUser: johnny
387: sudoHost: ALL
388: sudoCommand: ALL
389: sudoCommand: !/bin/sh
390:
391: # LDAP equivalent of puddles
392: # Notice that even though ALL comes last, it still behaves like
393: # role1 since the LDAP code assumes the more paranoid configuration
394: dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
395: objectClass: sudoRole
396: objectClass: top
397: cn: role2
398: sudoUser: puddles
399: sudoHost: ALL
400: sudoCommand: !/bin/sh
401: sudoCommand: ALL
402: .Ed
403: .Pp
404: Another difference is that negations on the Host, User or Runas are
405: currently ignored.
406: For example, the following attributes do not behave the way one might expect.
407: .Bd -literal -offset 4n
408: # does not match all but joe
409: # rather, does not match anyone
410: sudoUser: !joe
411:
412: # does not match all but joe
413: # rather, matches everyone including Joe
414: sudoUser: ALL
415: sudoUser: !joe
416:
417: # does not match all but web01
418: # rather, matches all hosts including web01
419: sudoHost: ALL
420: sudoHost: !web01
421: .Ed
422: .Ss Sudoers schema
423: In order to use
424: .Nm sudo Ns 's
425: LDAP support, the
426: .Nm sudo
427: schema must be
428: installed on your LDAP server.
429: In addition, be sure to index the
430: .Li sudoUser
431: attribute.
432: .Pp
433: Three versions of the schema: one for OpenLDAP servers
434: .Pq Pa schema.OpenLDAP ,
435: one for Netscape-derived servers
436: .Pq Pa schema.iPlanet ,
437: and one for Microsoft Active Directory
438: .Pq Pa schema.ActiveDirectory
439: may be found in the
440: .Nm sudo
441: distribution.
442: .Pp
443: The schema for
444: .Nm sudo
445: in OpenLDAP form is also included in the
446: .Sx EXAMPLES
447: section.
448: .Ss Configuring ldap.conf
449: Sudo reads the
450: .Pa @ldap_conf@
451: file for LDAP-specific configuration.
452: Typically, this file is shared between different LDAP-aware clients.
453: As such, most of the settings are not
454: .Nm sudo Ns -specific.
455: Note that
456: .Nm sudo
457: parses
458: .Pa @ldap_conf@
459: itself and may support options that differ from those described in the
460: system's
461: .Xr ldap.conf @mansectsu@
462: manual.
463: The path to
464: .Pa ldap.conf
465: may be overridden via the
466: .Em ldap_conf
467: plugin argument in
468: .Xr sudo.conf @mansectform@ .
469: .Pp
470: Also note that on systems using the OpenLDAP libraries, default
471: values specified in
472: .Pa /etc/openldap/ldap.conf
473: or the user's
474: .Pa .ldaprc
475: files are not used.
476: .Pp
477: Only those options explicitly listed in
478: .Pa @ldap_conf@
479: as being supported by
480: .Nm sudo
481: are honored.
482: Configuration options are listed below in upper case but are parsed
483: in a case-independent manner.
484: .Pp
485: The pound sign
486: .Pq Ql #
487: is used to indicate a comment.
488: Both the comment character and any text after it, up to the end of
489: the line, are ignored.
490: Long lines can be continued with a backslash
491: .Pq Ql \e
492: as the last character on the line.
493: Note that leading white space is removed from the beginning of lines
494: even when the continuation character is used.
495: .Bl -tag -width 4n
496: .It Sy URI Ar ldap[s]://[hostname[:port]] ...
497: Specifies a white space-delimited list of one or more URIs describing
498: the LDAP server(s) to connect to.
499: The
500: .Em protocol
501: may be either
502: .Em ldap
503: .Em ldaps ,
504: the latter being for servers that support TLS (SSL) encryption.
505: If no
506: .Em port
507: is specified, the default is port 389 for
508: .Li ldap://
509: or port 636 for
510: .Li ldaps:// .
511: If no
512: .Em hostname
513: is specified,
514: .Nm sudo
515: will connect to
516: .Em localhost .
517: Multiple
518: .Sy URI
519: lines are treated identically to a
520: .Sy URI
521: line containing multiple entries.
522: Only systems using the OpenSSL libraries support the mixing of
523: .Li ldap://
524: and
525: .Li ldaps://
526: URIs.
527: Both the Netscape-derived and Tivoli LDAP libraries used on most commercial
528: versions of Unix are only capable of supporting one or the other.
529: .It Sy HOST Ar name[:port] ...
530: If no
531: .Sy URI
532: is specified, the
533: .Sy HOST
534: parameter specifies a white space-delimited list of LDAP servers to connect to.
535: Each host may include an optional
536: .Em port
537: separated by a colon
538: .Pq Ql :\& .
539: The
540: .Sy HOST
541: parameter is deprecated in favor of the
542: .Sy URI
543: specification and is included for backwards compatibility.
544: .It Sy PORT Ar port_number
545: If no
546: .Sy URI
547: is specified, the
548: .Sy PORT
549: parameter specifies the default port to connect to on the LDAP server if a
550: .Sy HOST
551: parameter does not specify the port itself.
552: If no
553: .Sy PORT
554: parameter is used, the default is port 389 for LDAP and port 636 for LDAP
555: over TLS (SSL).
556: The
557: .Sy PORT
558: parameter is deprecated in favor of the
559: .Sy URI
560: specification and is included for backwards compatibility.
561: .It Sy BIND_TIMELIMIT Ar seconds
562: The
563: .Sy BIND_TIMELIMIT
564: parameter specifies the amount of time, in seconds, to wait while trying
565: to connect to an LDAP server.
566: If multiple
567: .Sy URI Ns s
568: or
569: .Sy HOST Ns s
570: are specified, this is the amount of time to wait before trying
571: the next one in the list.
572: .It Sy NETWORK_TIMEOUT Ar seconds
573: An alias for
574: .Sy BIND_TIMELIMIT
575: for OpenLDAP compatibility.
576: .It Sy TIMELIMIT Ar seconds
577: The
578: .Sy TIMELIMIT
579: parameter specifies the amount of time, in seconds, to wait for a
580: response to an LDAP query.
581: .It Sy TIMEOUT Ar seconds
582: The
583: .Sy TIMEOUT
584: parameter specifies the amount of time, in seconds, to wait for a
585: response from the various LDAP APIs.
586: .It Sy SUDOERS_BASE Ar base
587: The base DN to use when performing
588: .Nm sudo
589: LDAP queries.
590: Typically this is of the form
591: .Li ou=SUDOers,dc=example,dc=com
592: for the domain
593: .Li example.com .
594: Multiple
595: .Sy SUDOERS_BASE
596: lines may be specified, in which case they are queried in the order specified.
597: .It Sy SUDOERS_SEARCH_FILTER Ar ldap_filter
598: An LDAP filter which is used to restrict the set of records returned
599: when performing a
600: .Nm sudo
601: LDAP query.
602: Typically, this is of the
603: form
604: .Li attribute=value
605: or
606: .Li (&(attribute=value)(attribute2=value2)) .
607: The default search filter is:
608: .Li objectClass=sudoRole .
609: If
610: .Ar ldap_filter
611: is omitted, no search filter will be used.
612: .It Sy SUDOERS_TIMED Ar on/true/yes/off/false/no
613: Whether or not to evaluate the
614: .Li sudoNotBefore
615: and
616: .Li sudoNotAfter
617: attributes that implement time-dependent sudoers entries.
618: .It Sy SUDOERS_DEBUG Ar debug_level
619: This sets the debug level for
620: .Nm sudo
621: LDAP queries.
622: Debugging information is printed to the standard error.
623: A value of 1 results in a moderate amount of debugging information.
624: A value of 2 shows the results of the matches themselves.
625: This parameter should not be set in a production environment as the
626: extra information is likely to confuse users.
627: .Pp
628: The
629: .Sy SUDOERS_DEBUG
630: parameter is deprecated and will be removed in a future release.
631: The same information is now logged via the
632: .Nm sudo
633: debugging framework using the
634: .Dq ldap
635: subsystem at priorities
636: .Em diag
637: and
638: .Em info
639: for
640: .Em debug_level
641: values 1 and 2 respectively.
642: See the
643: .Xr sudo.conf @mansectform@
644: manual for details on how to configure
645: .Nm sudo
646: debugging.
647: .It Sy BINDDN Ar DN
648: The
649: .Sy BINDDN
650: parameter specifies the identity, in the form of a Distinguished Name (DN),
651: to use when performing LDAP operations.
652: If not specified, LDAP operations are performed with an anonymous identity.
653: By default, most LDAP servers will allow anonymous access.
654: .It Sy BINDPW Ar secret
655: The
656: .Sy BINDPW
657: parameter specifies the password to use when performing LDAP operations.
658: This is typically used in conjunction with the
659: .Sy BINDDN
660: parameter.
661: .It Sy ROOTBINDDN Ar DN
662: The
663: .Sy ROOTBINDDN
664: parameter specifies the identity, in the form of a Distinguished Name (DN),
665: to use when performing privileged LDAP operations, such as
666: .Em sudoers
667: queries.
668: The password corresponding to the identity should be stored in the
669: or the path specified by the
670: .Em ldap_secret
671: plugin argument in
672: .Xr sudo.conf @mansectform@ ,
673: which defaults to
674: .Pa @ldap_secret@ .
675: If no
676: .Sy ROOTBINDDN
677: is specified, the
678: .Sy BINDDN
679: identity is used (if any).
680: .It Sy LDAP_VERSION Ar number
681: The version of the LDAP protocol to use when connecting to the server.
682: The default value is protocol version 3.
683: .It Sy SSL Ar on/true/yes/off/false/no
684: If the
685: .Sy SSL
686: parameter is set to
687: .Li on ,
688: .Li true
689: .Li or
690: .Li yes ,
691: TLS (SSL) encryption is always used when communicating with the LDAP server.
692: Typically, this involves connecting to the server on port 636 (ldaps).
693: .It Sy SSL Ar start_tls
694: If the
695: .Sy SSL
696: parameter is set to
697: .Li start_tls ,
698: the LDAP server connection is initiated normally and TLS encryption is
699: begun before the bind credentials are sent.
700: This has the advantage of not requiring a dedicated port for encrypted
701: communications.
702: This parameter is only supported by LDAP servers that honor the
703: .Em start_tls
704: extension, such as the OpenLDAP and Tivoli Directory servers.
705: .It Sy TLS_CHECKPEER Ar on/true/yes/off/false/no
706: If enabled,
707: .Sy TLS_CHECKPEER
708: will cause the LDAP server's TLS certificated to be verified.
709: If the server's TLS certificate cannot be verified (usually because it
710: is signed by an unknown certificate authority),
711: .Nm sudo
712: will be unable to connect to it.
713: If
714: .Sy TLS_CHECKPEER
715: is disabled, no check is made.
716: Note that disabling the check creates an opportunity for man-in-the-middle
717: attacks since the server's identity will not be authenticated.
718: If possible, the CA's certificate should be installed locally so it can
719: be verified.
720: This option is not supported by the Tivoli Directory Server LDAP libraries.
721: .It Sy TLS_CACERT Ar file name
722: An alias for
723: .Sy TLS_CACERTFILE
724: for OpenLDAP compatibility.
725: .It Sy TLS_CACERTFILE Ar file name
726: The path to a certificate authority bundle which contains the certificates
727: for all the Certificate Authorities the client knows to be valid, e.g.\&
728: .Pa /etc/ssl/ca-bundle.pem .
729: This option is only supported by the OpenLDAP libraries.
730: Netscape-derived LDAP libraries use the same certificate
731: database for CA and client certificates (see
732: .Sy TLS_CERT ) .
733: .It Sy TLS_CACERTDIR Ar directory
734: Similar to
735: .Sy TLS_CACERTFILE
736: but instead of a file, it is a directory containing individual
737: Certificate Authority certificates, e.g.\&
738: .Pa /etc/ssl/certs .
739: The directory specified by
740: .Sy TLS_CACERTDIR
741: is checked after
742: .Sy TLS_CACERTFILE .
743: This option is only supported by the OpenLDAP libraries.
744: .It Sy TLS_CERT Ar file name
745: The path to a file containing the client certificate which can
746: be used to authenticate the client to the LDAP server.
747: The certificate type depends on the LDAP libraries used.
748: .Bl -tag -width 4n
749: .It OpenLDAP:
750: .Li tls_cert /etc/ssl/client_cert.pem
751: .It Netscape-derived:
752: .Li tls_cert /var/ldap/cert7.db
753: .It Tivoli Directory Server:
754: Unused, the key database specified by
755: .Sy TLS_KEY
756: contains both keys and certificates.
757: .Pp
758: When using Netscape-derived libraries, this file may also contain
759: Certificate Authority certificates.
760: .El
761: .It Sy TLS_KEY Ar file name
762: The path to a file containing the private key which matches the
763: certificate specified by
764: .Sy TLS_CERT .
765: The private key must not be password-protected.
766: The key type depends on the LDAP libraries used.
767: .Bl -tag -width 4n
768: .It OpenLDAP:
769: .Li tls_key /etc/ssl/client_key.pem
770: .It Netscape-derived:
771: .Li tls_key /var/ldap/key3.db
772: .It Tivoli Directory Server:
773: .Li tls_key /usr/ldap/ldapkey.kdb
774: .El
775: When using Tivoli LDAP libraries, this file may also contain
776: Certificate Authority and client certificates and may be encrypted.
777: .It Sy TLS_KEYPW Ar secret
778: The
779: .Sy TLS_KEYPW
780: contains the password used to decrypt the key database on clients
781: using the Tivoli Directory Server LDAP library.
782: This should be a simple string without quotes.
783: The password may not include the comment character
784: .Pq Ql #
785: and escaping of special characters with a backslash
786: .Pq Ql \e
787: is not supported.
788: If this option is used,
789: .Pa @ldap_conf@
790: must not be world-readable to avoid exposing the password.
791: Alternately, a
792: .Em stash file
793: can be used to store the password in encrypted form (see below).
794: .Pp
795: If no
796: .Sy TLS_KEYPW
797: is specified, a
798: .Em stash file
799: will be used if it exists.
800: The
801: .Em stash file
802: must have the same path as the file specified by
803: .Sy TLS_KEY ,
804: but use a
805: .Li .sth
806: file extension instead of
807: .Li .kdb ,
808: e.g.\&
809: .Li ldapkey.sth .
810: The default
811: .Li ldapkey.kdb
812: that ships with Tivoli Directory Server is encrypted with the password
813: .Li ssl_password .
814: The
815: .Em gsk8capicmd
816: utility can be used to manage the key database and create a
817: .Em stash file .
818: This option is only supported by the Tivoli LDAP libraries.
819: .It Sy TLS_RANDFILE Ar file name
820: The
821: .Sy TLS_RANDFILE
822: parameter specifies the path to an entropy source for systems that lack
823: a random device.
824: It is generally used in conjunction with
825: .Em prngd
826: or
827: .Em egd .
828: This option is only supported by the OpenLDAP libraries.
829: .It Sy TLS_CIPHERS Ar cipher list
830: The
831: .Sy TLS_CIPHERS
832: parameter allows the administer to restrict which encryption algorithms
833: may be used for TLS (SSL) connections.
834: See the OpenLDAP or Tivoli Directory Server manual for a list of valid
835: ciphers.
836: This option is not supported by Netscape-derived libraries.
837: .It Sy USE_SASL Ar on/true/yes/off/false/no
838: Enable
839: .Sy USE_SASL
840: for LDAP servers that support SASL authentication.
841: .It Sy SASL_AUTH_ID Ar identity
842: The SASL user name to use when connecting to the LDAP server.
843: By default,
844: .Nm sudo
845: will use an anonymous connection.
846: .It Sy ROOTUSE_SASL Ar on/true/yes/off/false/no
847: Enable
848: .Sy ROOTUSE_SASL
849: to enable SASL authentication when connecting
850: to an LDAP server from a privileged process, such as
851: .Nm sudo .
852: .It Sy ROOTSASL_AUTH_ID Ar identity
853: The SASL user name to use when
854: .Sy ROOTUSE_SASL
855: is enabled.
856: .It Sy SASL_SECPROPS Ar none/properties
857: SASL security properties or
858: .Em none
859: for no properties.
860: See the SASL programmer's manual for details.
861: .It Sy KRB5_CCNAME Ar file name
862: The path to the Kerberos 5 credential cache to use when authenticating
863: with the remote server.
864: .It Sy DEREF Ar never/searching/finding/always
865: How alias dereferencing is to be performed when searching.
866: See the
867: .Xr ldap.conf @mansectsu@
868: manual for a full description of this option.
869: .El
870: .Pp
871: See the
872: .Pa ldap.conf
873: entry in the
874: .Sx EXAMPLES
875: section.
876: .Ss Configuring nsswitch.conf
877: Unless it is disabled at build time,
878: .Nm sudo
879: consults the Name Service Switch file,
880: .Pa @nsswitch_conf@ ,
881: to specify the
882: .Em sudoers
883: search order.
884: Sudo looks for a line beginning with
885: .Li sudoers :
886: and uses this to determine the search order.
887: Note that
888: .Nm sudo
889: does
890: not stop searching after the first match and later matches take
891: precedence over earlier ones.
892: The following sources are recognized:
893: .Pp
894: .Bl -tag -width 8n -offset 4n -compact
895: .It files
896: read sudoers from
897: .Pa @sysconfdir@/sudoers
898: .It ldap
899: read sudoers from LDAP
900: .El
901: .Pp
902: In addition, the entry
903: .Li [NOTFOUND=return]
904: will short-circuit the search if the user was not found in the
905: preceding source.
906: .Pp
907: To consult LDAP first followed by the local sudoers file (if it
908: exists), use:
909: .Bd -literal -offset 4n
910: sudoers: ldap files
911: .Ed
912: .Pp
913: The local
914: .Em sudoers
915: file can be ignored completely by using:
916: .Bd -literal -offset 4n
917: sudoers: ldap
918: .Ed
919: .Pp
920: If the
921: .Pa @nsswitch_conf@
922: file is not present or there is no sudoers line, the following
923: default is assumed:
924: .Bd -literal -offset 4n
925: sudoers: files
926: .Ed
927: .Pp
928: Note that
929: .Pa @nsswitch_conf@
930: is supported even when the underlying operating system does not use
931: an nsswitch.conf file, except on AIX (see below).
932: .Ss Configuring netsvc.conf
933: On AIX systems, the
934: .Pa @netsvc_conf@
935: file is consulted instead of
936: .Pa @nsswitch_conf@ .
937: .Nm sudo
938: simply treats
939: .Pa netsvc.conf
940: as a variant of
941: .Pa nsswitch.conf ;
942: information in the previous section unrelated to the file format
943: itself still applies.
944: .Pp
945: To consult LDAP first followed by the local sudoers file (if it
946: exists), use:
947: .Bd -literal -offset 4n
948: sudoers = ldap, files
949: .Ed
950: .Pp
951: The local
952: .Em sudoers
953: file can be ignored completely by using:
954: .Bd -literal -offset 4n
955: sudoers = ldap
956: .Ed
957: .Pp
958: To treat LDAP as authoritative and only use the local sudoers file
959: if the user is not present in LDAP, use:
960: .Bd -literal -offset 4n
961: sudoers = ldap = auth, files
962: .Ed
963: .Pp
964: Note that in the above example, the
965: .Li auth
966: qualifier only affects user lookups; both LDAP and
967: .Em sudoers
968: will be queried for
969: .Li Defaults
970: entries.
971: .Pp
972: If the
973: .Pa @netsvc_conf@
974: file is not present or there is no sudoers line, the following
975: default is assumed:
976: .Bd -literal -offset 4n
977: sudoers = files
978: .Ed
979: .Sh FILES
980: .Bl -tag -width 24n
981: .It Pa @ldap_conf@
982: LDAP configuration file
983: .It Pa @nsswitch_conf@
984: determines sudoers source order
985: .It Pa @netsvc_conf@
986: determines sudoers source order on AIX
987: .El
988: .Sh EXAMPLES
989: .Ss Example ldap.conf
990: .Bd -literal -offset 2n
991: # Either specify one or more URIs or one or more host:port pairs.
992: # If neither is specified sudo will default to localhost, port 389.
993: #
994: #host ldapserver
995: #host ldapserver1 ldapserver2:390
996: #
997: # Default port if host is specified without one, defaults to 389.
998: #port 389
999: #
1000: # URI will override the host and port settings.
1001: uri ldap://ldapserver
1002: #uri ldaps://secureldapserver
1003: #uri ldaps://secureldapserver ldap://ldapserver
1004: #
1005: # The amount of time, in seconds, to wait while trying to connect to
1006: # an LDAP server.
1007: bind_timelimit 30
1008: #
1009: # The amount of time, in seconds, to wait while performing an LDAP query.
1010: timelimit 30
1011: #
1012: # Must be set or sudo will ignore LDAP; may be specified multiple times.
1013: sudoers_base ou=SUDOers,dc=example,dc=com
1014: #
1015: # verbose sudoers matching from ldap
1016: #sudoers_debug 2
1017: #
1018: # Enable support for time-based entries in sudoers.
1019: #sudoers_timed yes
1020: #
1021: # optional proxy credentials
1022: #binddn <who to search as>
1023: #bindpw <password>
1024: #rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>
1025: #
1026: # LDAP protocol version, defaults to 3
1027: #ldap_version 3
1028: #
1029: # Define if you want to use an encrypted LDAP connection.
1030: # Typically, you must also set the port to 636 (ldaps).
1031: #ssl on
1032: #
1033: # Define if you want to use port 389 and switch to
1034: # encryption before the bind credentials are sent.
1035: # Only supported by LDAP servers that support the start_tls
1036: # extension such as OpenLDAP.
1037: #ssl start_tls
1038: #
1039: # Additional TLS options follow that allow tweaking of the
1040: # SSL/TLS connection.
1041: #
1042: #tls_checkpeer yes # verify server SSL certificate
1043: #tls_checkpeer no # ignore server SSL certificate
1044: #
1045: # If you enable tls_checkpeer, specify either tls_cacertfile
1046: # or tls_cacertdir. Only supported when using OpenLDAP.
1047: #
1048: #tls_cacertfile /etc/certs/trusted_signers.pem
1049: #tls_cacertdir /etc/certs
1050: #
1051: # For systems that don't have /dev/random
1052: # use this along with PRNGD or EGD.pl to seed the
1053: # random number pool to generate cryptographic session keys.
1054: # Only supported when using OpenLDAP.
1055: #
1056: #tls_randfile /etc/egd-pool
1057: #
1058: # You may restrict which ciphers are used. Consult your SSL
1059: # documentation for which options go here.
1060: # Only supported when using OpenLDAP.
1061: #
1062: #tls_ciphers <cipher-list>
1063: #
1064: # Sudo can provide a client certificate when communicating to
1065: # the LDAP server.
1066: # Tips:
1067: # * Enable both lines at the same time.
1068: # * Do not password protect the key file.
1069: # * Ensure the keyfile is only readable by root.
1070: #
1071: # For OpenLDAP:
1072: #tls_cert /etc/certs/client_cert.pem
1073: #tls_key /etc/certs/client_key.pem
1074: #
1075: # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
1076: # a directory, in which case the files in the directory must have the
1077: # default names (e.g. cert8.db and key4.db), or the path to the cert
1078: # and key files themselves. However, a bug in version 5.0 of the LDAP
1079: # SDK will prevent specific file names from working. For this reason
1080: # it is suggested that tls_cert and tls_key be set to a directory,
1081: # not a file name.
1082: #
1083: # The certificate database specified by tls_cert may contain CA certs
1084: # and/or the client's cert. If the client's cert is included, tls_key
1085: # should be specified as well.
1086: # For backward compatibility, "sslpath" may be used in place of tls_cert.
1087: #tls_cert /var/ldap
1088: #tls_key /var/ldap
1089: #
1090: # If using SASL authentication for LDAP (OpenSSL)
1091: # use_sasl yes
1092: # sasl_auth_id <SASL user name>
1093: # rootuse_sasl yes
1094: # rootsasl_auth_id <SASL user name for root access>
1095: # sasl_secprops none
1096: # krb5_ccname /etc/.ldapcache
1097: .Ed
1098: .Ss Sudo schema for OpenLDAP
1099: The following schema, in OpenLDAP format, is included with
1100: .Nm sudo
1101: source and binary distributions as
1102: .Pa schema.OpenLDAP .
1103: Simply copy
1104: it to the schema directory (e.g.\&
1105: .Pa /etc/openldap/schema ) ,
1106: add the proper
1107: .Li include
1108: line in
1109: .Pa slapd.conf
1110: and restart
1111: .Nm slapd .
1112: .Bd -literal -offset 2n
1113: attributetype ( 1.3.6.1.4.1.15953.9.1.1
1114: NAME 'sudoUser'
1115: DESC 'User(s) who may run sudo'
1116: EQUALITY caseExactIA5Match
1117: SUBSTR caseExactIA5SubstringsMatch
1118: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1119:
1120: attributetype ( 1.3.6.1.4.1.15953.9.1.2
1121: NAME 'sudoHost'
1122: DESC 'Host(s) who may run sudo'
1123: EQUALITY caseExactIA5Match
1124: SUBSTR caseExactIA5SubstringsMatch
1125: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1126:
1127: attributetype ( 1.3.6.1.4.1.15953.9.1.3
1128: NAME 'sudoCommand'
1129: DESC 'Command(s) to be executed by sudo'
1130: EQUALITY caseExactIA5Match
1131: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1132:
1133: attributetype ( 1.3.6.1.4.1.15953.9.1.4
1134: NAME 'sudoRunAs'
1135: DESC 'User(s) impersonated by sudo'
1136: EQUALITY caseExactIA5Match
1137: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1138:
1139: attributetype ( 1.3.6.1.4.1.15953.9.1.5
1140: NAME 'sudoOption'
1141: DESC 'Options(s) followed by sudo'
1142: EQUALITY caseExactIA5Match
1143: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1144:
1145: attributetype ( 1.3.6.1.4.1.15953.9.1.6
1146: NAME 'sudoRunAsUser'
1147: DESC 'User(s) impersonated by sudo'
1148: EQUALITY caseExactIA5Match
1149: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1150:
1151: attributetype ( 1.3.6.1.4.1.15953.9.1.7
1152: NAME 'sudoRunAsGroup'
1153: DESC 'Group(s) impersonated by sudo'
1154: EQUALITY caseExactIA5Match
1155: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1156:
1157: attributetype ( 1.3.6.1.4.1.15953.9.1.8
1158: NAME 'sudoNotBefore'
1159: DESC 'Start of time interval for which the entry is valid'
1160: EQUALITY generalizedTimeMatch
1161: ORDERING generalizedTimeOrderingMatch
1162: SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
1163:
1164: attributetype ( 1.3.6.1.4.1.15953.9.1.9
1165: NAME 'sudoNotAfter'
1166: DESC 'End of time interval for which the entry is valid'
1167: EQUALITY generalizedTimeMatch
1168: ORDERING generalizedTimeOrderingMatch
1169: SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
1170:
1171: attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
1172: NAME 'sudoOrder'
1173: DESC 'an integer to order the sudoRole entries'
1174: EQUALITY integerMatch
1175: ORDERING integerOrderingMatch
1176: SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
1177:
1178: objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
1179: DESC 'Sudoer Entries'
1180: MUST ( cn )
1181: MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
1182: sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
1183: sudoOrder $ description )
1184: )
1185: .Ed
1186: .Sh SEE ALSO
1187: .Xr ldap.conf @mansectform@ ,
1188: .Xr sudo.conf @mansectform@ ,
1189: .Xr sudoers @mansectsu@
1190: .Sh CAVEATS
1191: Note that there are differences in the way that LDAP-based
1192: .Em sudoers
1193: is parsed compared to file-based
1194: .Em sudoers .
1195: See the
1196: .Sx Differences between LDAP and non-LDAP sudoers
1197: section for more information.
1198: .Sh BUGS
1199: If you feel you have found a bug in
1200: .Nm sudo ,
1201: please submit a bug report at http://www.sudo.ws/sudo/bugs/
1202: .Sh SUPPORT
1203: Limited free support is available via the sudo-users mailing list,
1204: see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
1205: search the archives.
1206: .Sh DISCLAIMER
1207: .Nm sudo
1208: is provided
1209: .Dq AS IS
1210: and any express or implied warranties, including, but not limited
1211: to, the implied warranties of merchantability and fitness for a
1212: particular purpose are disclaimed.
1213: See the LICENSE file distributed with
1214: .Nm sudo
1215: or http://www.sudo.ws/sudo/license.html for complete details.
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to sudoers.ldap.mdoc.in CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / doc