Annotation of embedaddon/sudo/doc/sudoers.ldap.pod, revision 1.1

1.1     ! misho       1: Copyright (c) 2003-2011
        !             2:        Todd C. Miller <Todd.Miller@courtesan.com>
        !             3: 
        !             4: Permission to use, copy, modify, and distribute this software for any
        !             5: purpose with or without fee is hereby granted, provided that the above
        !             6: copyright notice and this permission notice appear in all copies.
        !             7: 
        !             8: THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
        !             9: WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
        !            10: MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
        !            11: ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
        !            12: WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
        !            13: ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
        !            14: OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
        !            15: ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
        !            16: 
        !            17: =pod
        !            18: 
        !            19: =head1 NAME
        !            20: 
        !            21: sudoers.ldap - sudo LDAP configuration
        !            22: 
        !            23: =head1 DESCRIPTION
        !            24: 
        !            25: In addition to the standard I<sudoers> file, B<sudo> may be configured
        !            26: via LDAP.  This can be especially useful for synchronizing I<sudoers>
        !            27: in a large, distributed environment.
        !            28: 
        !            29: Using LDAP for I<sudoers> has several benefits:
        !            30: 
        !            31: =over 4
        !            32: 
        !            33: =item *
        !            34: 
        !            35: B<sudo> no longer needs to read I<sudoers> in its entirety.  When
        !            36: LDAP is used, there are only two or three LDAP queries per invocation.
        !            37: This makes it especially fast and particularly usable in LDAP
        !            38: environments.
        !            39: 
        !            40: =item *
        !            41: 
        !            42: B<sudo> no longer exits if there is a typo in I<sudoers>.
        !            43: It is not possible to load LDAP data into the server that does
        !            44: not conform to the sudoers schema, so proper syntax is guaranteed.
        !            45: It is still possible to have typos in a user or host name, but
        !            46: this will not prevent B<sudo> from running.
        !            47: 
        !            48: =item *
        !            49: 
        !            50: It is possible to specify per-entry options that override the global
        !            51: default options.  F<@sysconfdir@/sudoers> only supports default options and
        !            52: limited options associated with user/host/commands/aliases.  The
        !            53: syntax is complicated and can be difficult for users to understand.
        !            54: Placing the options directly in the entry is more natural.
        !            55: 
        !            56: =item *
        !            57: 
        !            58: The B<visudo> program is no longer needed.  B<visudo> provides
        !            59: locking and syntax checking of the F<@sysconfdir@/sudoers> file.
        !            60: Since LDAP updates are atomic, locking is no longer necessary.
        !            61: Because syntax is checked when the data is inserted into LDAP, there
        !            62: is no need for a specialized tool to check syntax.
        !            63: 
        !            64: =back
        !            65: 
        !            66: Another major difference between LDAP and file-based I<sudoers>
        !            67: is that in LDAP, B<sudo>-specific Aliases are not supported.
        !            68: 
        !            69: For the most part, there is really no need for B<sudo>-specific
        !            70: Aliases.  Unix groups or user netgroups can be used in place of
        !            71: User_Aliases and Runas_Aliases.  Host netgroups can be used in place
        !            72: of Host_Aliases.  Since Unix groups and netgroups can also be stored
        !            73: in LDAP there is no real need for B<sudo>-specific aliases.
        !            74: 
        !            75: Cmnd_Aliases are not really required either since it is possible
        !            76: to have multiple users listed in a C<sudoRole>.  Instead of defining
        !            77: a Cmnd_Alias that is referenced by multiple users, one can create
        !            78: a C<sudoRole> that contains the commands and assign multiple users
        !            79: to it.
        !            80: 
        !            81: =head2 SUDOers LDAP container
        !            82: 
        !            83: The I<sudoers> configuration is contained in the C<ou=SUDOers> LDAP
        !            84: container.
        !            85: 
        !            86: Sudo first looks for the C<cn=default> entry in the SUDOers container.
        !            87: If found, the multi-valued C<sudoOption> attribute is parsed in the
        !            88: same manner as a global C<Defaults> line in F<@sysconfdir@/sudoers>.  In
        !            89: the following example, the C<SSH_AUTH_SOCK> variable will be preserved
        !            90: in the environment for all users.
        !            91: 
        !            92:     dn: cn=defaults,ou=SUDOers,dc=example,dc=com
        !            93:     objectClass: top
        !            94:     objectClass: sudoRole
        !            95:     cn: defaults
        !            96:     description: Default sudoOption's go here
        !            97:     sudoOption: env_keep+=SSH_AUTH_SOCK
        !            98:  
        !            99: The equivalent of a sudoer in LDAP is a C<sudoRole>.  It consists of
        !           100: the following attributes:
        !           101: 
        !           102: =over 4
        !           103: 
        !           104: =item B<sudoUser>
        !           105: 
        !           106: A user name, uid (prefixed with C<'#'>), Unix group (prefixed with
        !           107: a C<'%'>) or user netgroup (prefixed with a C<'+'>).
        !           108: 
        !           109: =item B<sudoHost>
        !           110: 
        !           111: A host name, IP address, IP network, or host netgroup (prefixed
        !           112: with a C<'+'>).
        !           113: The special value C<ALL> will match any host.
        !           114: 
        !           115: =item B<sudoCommand>
        !           116: 
        !           117: A Unix command with optional command line arguments, potentially
        !           118: including globbing characters (aka wild cards).
        !           119: The special value C<ALL> will match any command.
        !           120: If a command is prefixed with an exclamation point C<'!'>, the
        !           121: user will be prohibited from running that command.
        !           122: 
        !           123: =item B<sudoOption>
        !           124: 
        !           125: Identical in function to the global options described above, but
        !           126: specific to the C<sudoRole> in which it resides.
        !           127: 
        !           128: =item B<sudoRunAsUser>
        !           129: 
        !           130: A user name or uid (prefixed with C<'#'>) that commands may be run
        !           131: as or a Unix group (prefixed with a C<'%'>) or user netgroup (prefixed
        !           132: with a C<'+'>) that contains a list of users that commands may be
        !           133: run as.
        !           134: The special value C<ALL> will match any user.
        !           135: 
        !           136: The C<sudoRunAsUser> attribute is only available in B<sudo> versions
        !           137: 1.7.0 and higher.  Older versions of B<sudo> use the C<sudoRunAs>
        !           138: attribute instead.
        !           139: 
        !           140: =item B<sudoRunAsGroup>
        !           141: 
        !           142: A Unix group or gid (prefixed with C<'#'>) that commands may be run as.
        !           143: The special value C<ALL> will match any group.
        !           144: 
        !           145: The C<sudoRunAsGroup> attribute is only available in B<sudo> versions
        !           146: 1.7.0 and higher.
        !           147: 
        !           148: =item B<sudoNotBefore>
        !           149: 
        !           150: A timestamp in the form C<yyyymmddHHMMSSZ> that can be used to provide
        !           151: a start date/time for when the C<sudoRole> will be valid.  If
        !           152: multiple C<sudoNotBefore> entries are present, the earliest is used.
        !           153: Note that timestamps must be in Coordinated Universal Time (UTC),
        !           154: not the local timezone.  The minute and seconds portions are optional,
        !           155: but some LDAP servers require that they be present (contrary to the RFC).
        !           156: 
        !           157: The C<sudoNotBefore> attribute is only available in B<sudo> versions
        !           158: 1.7.5 and higher and must be explicitly enabled via the B<SUDOERS_TIMED>
        !           159: option in F<@ldap_conf@>.
        !           160: 
        !           161: =item B<sudoNotAfter>
        !           162: 
        !           163: A timestamp in the form C<yyyymmddHHMMSSZ> that indicates an expiration
        !           164: date/time, after which the C<sudoRole> will no longer be valid.  If
        !           165: multiple C<sudoNotBefore> entries are present, the last one is used.
        !           166: Note that timestamps must be in Coordinated Universal Time (UTC),
        !           167: not the local timezone.  The minute and seconds portions are optional,
        !           168: but some LDAP servers require that they be present (contrary to the RFC).
        !           169: 
        !           170: The C<sudoNotAfter> attribute is only available in B<sudo> versions
        !           171: 1.7.5 and higher and must be explicitly enabled via the B<SUDOERS_TIMED>
        !           172: option in F<@ldap_conf@>.
        !           173: 
        !           174: =item B<sudoOrder>
        !           175: 
        !           176: The C<sudoRole> entries retrieved from the LDAP directory have no
        !           177: inherent order.  The C<sudoOrder> attribute is an integer (or
        !           178: floating point value for LDAP servers that support it) that is used
        !           179: to sort the matching entries.  This allows LDAP-based sudoers entries
        !           180: to more closely mimic the behaviour of the sudoers file, where the
        !           181: of the entries influences the result.  If multiple entries match,
        !           182: the entry with the highest C<sudoOrder> attribute is chosen.  This
        !           183: corresponds to the "last match" behavior of the sudoers file.  If
        !           184: the C<sudoOrder> attribute is not present, a value of 0 is assumed.
        !           185: 
        !           186: The C<sudoOrder> attribute is only available in B<sudo> versions
        !           187: 1.7.5 and higher.
        !           188: 
        !           189: =back
        !           190: 
        !           191: Each attribute listed above should contain a single value, but there
        !           192: may be multiple instances of each attribute type.  A C<sudoRole> must
        !           193: contain at least one C<sudoUser>, C<sudoHost> and C<sudoCommand>.
        !           194: 
        !           195: The following example allows users in group wheel to run any command
        !           196: on any host via B<sudo>:
        !           197: 
        !           198:     dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
        !           199:     objectClass: top
        !           200:     objectClass: sudoRole
        !           201:     cn: %wheel
        !           202:     sudoUser: %wheel
        !           203:     sudoHost: ALL
        !           204:     sudoCommand: ALL
        !           205: 
        !           206: =head2 Anatomy of LDAP sudoers lookup
        !           207: 
        !           208: When looking up a sudoer using LDAP there are only two or three
        !           209: LDAP queries per invocation.  The first query is to parse the global
        !           210: options.  The second is to match against the user's name and the
        !           211: groups that the user belongs to.  (The special ALL tag is matched
        !           212: in this query too.)  If no match is returned for the user's name
        !           213: and groups, a third query returns all entries containing user
        !           214: netgroups and checks to see if the user belongs to any of them.
        !           215: 
        !           216: If timed entries are enabled with the B<SUDOERS_TIMED> configuration
        !           217: directive, the LDAP queries include a subfilter that limits retrieval
        !           218: to entries that satisfy the time constraints, if any.
        !           219: 
        !           220: =head2 Differences between LDAP and non-LDAP sudoers
        !           221: 
        !           222: There are some subtle differences in the way sudoers is handled
        !           223: once in LDAP.  Probably the biggest is that according to the RFC,
        !           224: LDAP ordering is arbitrary and you cannot expect that Attributes
        !           225: and Entries are returned in any specific order.
        !           226: 
        !           227: The order in which different entries are applied can be controlled
        !           228: using the C<sudoOrder> attribute, but there is no way to guarantee
        !           229: the order of attributes within a specific entry.  If there are
        !           230: conflicting command rules in an entry, the negative takes precedence.
        !           231: This is called paranoid behavior (not necessarily the most specific
        !           232: match).
        !           233: 
        !           234: Here is an example:
        !           235: 
        !           236:     # /etc/sudoers:
        !           237:     # Allow all commands except shell
        !           238:     johnny  ALL=(root) ALL,!/bin/sh
        !           239:     # Always allows all commands because ALL is matched last
        !           240:     puddles ALL=(root) !/bin/sh,ALL
        !           241: 
        !           242:     # LDAP equivalent of johnny
        !           243:     # Allows all commands except shell
        !           244:     dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
        !           245:     objectClass: sudoRole
        !           246:     objectClass: top
        !           247:     cn: role1
        !           248:     sudoUser: johnny
        !           249:     sudoHost: ALL
        !           250:     sudoCommand: ALL
        !           251:     sudoCommand: !/bin/sh
        !           252: 
        !           253:     # LDAP equivalent of puddles
        !           254:     # Notice that even though ALL comes last, it still behaves like
        !           255:     # role1 since the LDAP code assumes the more paranoid configuration
        !           256:     dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
        !           257:     objectClass: sudoRole
        !           258:     objectClass: top
        !           259:     cn: role2
        !           260:     sudoUser: puddles
        !           261:     sudoHost: ALL
        !           262:     sudoCommand: !/bin/sh
        !           263:     sudoCommand: ALL
        !           264: 
        !           265: Another difference is that negations on the Host, User or Runas are
        !           266: currently ignored.  For example, the following attributes do not
        !           267: behave the way one might expect.
        !           268: 
        !           269:     # does not match all but joe
        !           270:     # rather, does not match anyone
        !           271:     sudoUser: !joe
        !           272: 
        !           273:     # does not match all but joe
        !           274:     # rather, matches everyone including Joe
        !           275:     sudoUser: ALL
        !           276:     sudoUser: !joe
        !           277: 
        !           278:     # does not match all but web01
        !           279:     # rather, matches all hosts including web01
        !           280:     sudoHost: ALL
        !           281:     sudoHost: !web01
        !           282: 
        !           283: =head2 Sudoers Schema
        !           284: 
        !           285: In order to use B<sudo>'s LDAP support, the B<sudo> schema must be
        !           286: installed on your LDAP server.  In addition, be sure to index the
        !           287: 'sudoUser' attribute.
        !           288: 
        !           289: Three versions of the schema: one for OpenLDAP servers (F<schema.OpenLDAP>),
        !           290: one for Netscape-derived servers (F<schema.iPlanet>), and one for
        !           291: Microsoft Active Directory (F<schema.ActiveDirectory>) may
        !           292: be found in the B<sudo> distribution.
        !           293: 
        !           294: The schema for B<sudo> in OpenLDAP form is included in the L<EXAMPLES>
        !           295: section.
        !           296: 
        !           297: =head2 Configuring ldap.conf
        !           298: 
        !           299: Sudo reads the F<@ldap_conf@> file for LDAP-specific configuration.
        !           300: Typically, this file is shared amongst different LDAP-aware clients.
        !           301: As such, most of the settings are not B<sudo>-specific.  Note that
        !           302: B<sudo> parses F<@ldap_conf@> itself and may support options
        !           303: that differ from those described in the L<ldap.conf(5)> manual.
        !           304: 
        !           305: Also note that on systems using the OpenLDAP libraries, default
        !           306: values specified in F</etc/openldap/ldap.conf> or the user's
        !           307: F<.ldaprc> files are not used.
        !           308: 
        !           309: Only those options explicitly listed in F<@ldap_conf@> as being
        !           310: supported by B<sudo> are honored.  Configuration options are listed
        !           311: below in upper case but are parsed in a case-independent manner.
        !           312: 
        !           313: =over 4
        !           314: 
        !           315: =item B<URI> ldap[s]://[hostname[:port]] ...
        !           316: 
        !           317: Specifies a whitespace-delimited list of one or more URIs describing
        !           318: the LDAP server(s) to connect to.  The I<protocol> may be either
        !           319: B<ldap> or B<ldaps>, the latter being for servers that support TLS
        !           320: (SSL) encryption.  If no I<port> is specified, the default is port
        !           321: 389 for C<ldap://> or port 636 for C<ldaps://>.  If no I<hostname>
        !           322: is specified, B<sudo> will connect to B<localhost>.  Multiple B<URI>
        !           323: lines are treated identically to a B<URI> line containing multiple
        !           324: entries.  Only systems using the OpenSSL libraries support the
        !           325: mixing of C<ldap://> and C<ldaps://> URIs.  The Netscape-derived
        !           326: libraries used on most commercial versions of Unix are only capable
        !           327: of supporting one or the other.
        !           328: 
        !           329: =item B<HOST> name[:port] ...
        !           330: 
        !           331: If no B<URI> is specified, the B<HOST> parameter specifies a
        !           332: whitespace-delimited list of LDAP servers to connect to.  Each host
        !           333: may include an optional I<port> separated by a colon (':').  The
        !           334: B<HOST> parameter is deprecated in favor of the B<URI> specification
        !           335: and is included for backwards compatibility.
        !           336: 
        !           337: =item B<PORT> port_number
        !           338: 
        !           339: If no B<URI> is specified, the B<PORT> parameter specifies the
        !           340: default port to connect to on the LDAP server if a B<HOST> parameter
        !           341: does not specify the port itself.  If no B<PORT> parameter is used,
        !           342: the default is port 389 for LDAP and port 636 for LDAP over TLS
        !           343: (SSL).  The B<PORT> parameter is deprecated in favor of the B<URI>
        !           344: specification and is included for backwards compatibility.
        !           345: 
        !           346: =item B<BIND_TIMELIMIT> seconds
        !           347: 
        !           348: The B<BIND_TIMELIMIT> parameter specifies the amount of time, in seconds,
        !           349: to wait while trying to connect to an LDAP server.  If multiple B<URI>s or
        !           350: B<HOST>s are specified, this is the amount of time to wait before trying
        !           351: the next one in the list.
        !           352: 
        !           353: =item B<NETWORK_TIMEOUT> seconds
        !           354: 
        !           355: An alias for B<BIND_TIMELIMIT> for OpenLDAP compatibility.
        !           356: 
        !           357: =item B<TIMELIMIT> seconds
        !           358: 
        !           359: The B<TIMELIMIT> parameter specifies the amount of time, in seconds,
        !           360: to wait for a response to an LDAP query.
        !           361: 
        !           362: =item B<TIMEOUT> seconds
        !           363: 
        !           364: The B<TIMEOUT> parameter specifies the amount of time, in seconds,
        !           365: to wait for a response from the various LDAP APIs.
        !           366: 
        !           367: =item B<SUDOERS_BASE> base
        !           368: 
        !           369: The base DN to use when performing B<sudo> LDAP queries.  Typically
        !           370: this is of the form C<ou=SUDOers,dc=example,dc=com> for the domain
        !           371: C<example.com>.  Multiple B<SUDOERS_BASE> lines may be specified,
        !           372: in which case they are queried in the order specified.
        !           373: 
        !           374: =item B<SUDOERS_SEARCH_FILTER> ldap_filter
        !           375: 
        !           376: An LDAP filter which is used to restrict the set of records returned
        !           377: when performing a B<sudo> LDAP query.  Typically, this is of the
        !           378: form C<attribute=value> or C<(&(attribute=value)(attribute2=value2))>.
        !           379: 
        !           380: =item B<SUDOERS_TIMED> on/true/yes/off/false/no
        !           381: 
        !           382: Whether or not to evaluate the C<sudoNotBefore> and C<sudoNotAfter>
        !           383: attributes that implement time-dependent sudoers entries.
        !           384: 
        !           385: =item B<SUDOERS_DEBUG> debug_level
        !           386: 
        !           387: This sets the debug level for B<sudo> LDAP queries.  Debugging
        !           388: information is printed to the standard error.  A value of 1 results
        !           389: in a moderate amount of debugging information.  A value of 2 shows
        !           390: the results of the matches themselves.  This parameter should not
        !           391: be set in a production environment as the extra information is
        !           392: likely to confuse users.
        !           393: 
        !           394: =item B<BINDDN> DN
        !           395: 
        !           396: The B<BINDDN> parameter specifies the identity, in the form of a
        !           397: Distinguished Name (DN), to use when performing LDAP operations.
        !           398: If not specified, LDAP operations are performed with an anonymous
        !           399: identity.  By default, most LDAP servers will allow anonymous access.
        !           400: 
        !           401: =item B<BINDPW> secret
        !           402: 
        !           403: The B<BINDPW> parameter specifies the password to use when performing
        !           404: LDAP operations.  This is typically used in conjunction with the
        !           405: B<BINDDN> parameter.
        !           406: 
        !           407: =item B<ROOTBINDDN> DN
        !           408: 
        !           409: The B<ROOTBINDDN> parameter specifies the identity, in the form of
        !           410: a Distinguished Name (DN), to use when performing privileged LDAP
        !           411: operations, such as I<sudoers> queries.  The password corresponding
        !           412: to the identity should be stored in F<@ldap_secret@>.
        !           413: If not specified, the B<BINDDN> identity is used (if any).
        !           414: 
        !           415: =item B<LDAP_VERSION> number
        !           416: 
        !           417: The version of the LDAP protocol to use when connecting to the server.
        !           418: The default value is protocol version 3.
        !           419: 
        !           420: =item B<SSL> on/true/yes/off/false/no
        !           421: 
        !           422: If the B<SSL> parameter is set to C<on>, C<true> or C<yes>, TLS
        !           423: (SSL) encryption is always used when communicating with the LDAP
        !           424: server.  Typically, this involves connecting to the server on port
        !           425: 636 (ldaps).
        !           426: 
        !           427: =item B<SSL> start_tls
        !           428: 
        !           429: If the B<SSL> parameter is set to C<start_tls>, the LDAP server
        !           430: connection is initiated normally and TLS encryption is begun before
        !           431: the bind credentials are sent.  This has the advantage of not
        !           432: requiring a dedicated port for encrypted communications.  This
        !           433: parameter is only supported by LDAP servers that honor the C<start_tls>
        !           434: extension, such as the OpenLDAP server.
        !           435: 
        !           436: =item B<TLS_CHECKPEER> on/true/yes/off/false/no
        !           437: 
        !           438: If enabled, B<TLS_CHECKPEER> will cause the LDAP server's TLS
        !           439: certificated to be verified.  If the server's TLS certificate cannot
        !           440: be verified (usually because it is signed by an unknown certificate
        !           441: authority), B<sudo> will be unable to connect to it.  If B<TLS_CHECKPEER>
        !           442: is disabled, no check is made.  Note that disabling the check creates
        !           443: an opportunity for man-in-the-middle attacks since the server's
        !           444: identity will not be authenticated.  If possible, the CA's certificate
        !           445: should be installed locally so it can be verified.
        !           446: 
        !           447: =item B<TLS_CACERT> file name
        !           448: 
        !           449: An alias for B<TLS_CACERTFILE> for OpenLDAP compatibility.
        !           450: 
        !           451: =item B<TLS_CACERTFILE> file name
        !           452: 
        !           453: The path to a certificate authority bundle which contains the certificates
        !           454: for all the Certificate Authorities the client knows to be valid,
        !           455: e.g. F</etc/ssl/ca-bundle.pem>.
        !           456: This option is only supported by the OpenLDAP libraries.
        !           457: Netscape-derived LDAP libraries use the same certificate
        !           458: database for CA and client certificates (see B<TLS_CERT>).
        !           459: 
        !           460: =item B<TLS_CACERTDIR> directory
        !           461: 
        !           462: Similar to B<TLS_CACERTFILE> but instead of a file, it is a
        !           463: directory containing individual Certificate Authority certificates,
        !           464: e.g. F</etc/ssl/certs>.
        !           465: The directory specified by B<TLS_CACERTDIR> is checked after
        !           466: B<TLS_CACERTFILE>.
        !           467: This option is only supported by the OpenLDAP libraries.
        !           468: 
        !           469: =item B<TLS_CERT> file name
        !           470: 
        !           471: The path to a file containing the client certificate which can
        !           472: be used to authenticate the client to the LDAP server.
        !           473: The certificate type depends on the LDAP libraries used.
        !           474: 
        !           475: OpenLDAP:
        !           476:     C<tls_cert /etc/ssl/client_cert.pem>
        !           477: 
        !           478: Netscape-derived:
        !           479:     C<tls_cert /var/ldap/cert7.db>
        !           480: 
        !           481: When using Netscape-derived libraries, this file may also contain
        !           482: Certificate Authority certificates.
        !           483: 
        !           484: =item B<TLS_KEY> file name
        !           485: 
        !           486: The path to a file containing the private key which matches the
        !           487: certificate specified by B<TLS_CERT>.  The private key must not be
        !           488: password-protected.  The key type depends on the LDAP libraries
        !           489: used.
        !           490: 
        !           491: OpenLDAP:
        !           492:     C<tls_key /etc/ssl/client_key.pem>
        !           493: 
        !           494: Netscape-derived:
        !           495:     C<tls_key /var/ldap/key3.db>
        !           496: 
        !           497: =item B<TLS_RANDFILE> file name
        !           498: 
        !           499: The B<TLS_RANDFILE> parameter specifies the path to an entropy
        !           500: source for systems that lack a random device.  It is generally used
        !           501: in conjunction with I<prngd> or I<egd>.
        !           502: This option is only supported by the OpenLDAP libraries.
        !           503: 
        !           504: =item B<TLS_CIPHERS> cipher list
        !           505: 
        !           506: The B<TLS_CIPHERS> parameter allows the administer to restrict
        !           507: which encryption algorithms may be used for TLS (SSL) connections.
        !           508: See the OpenSSL manual for a list of valid ciphers.
        !           509: This option is only supported by the OpenLDAP libraries.
        !           510: 
        !           511: =item B<USE_SASL> on/true/yes/off/false/no
        !           512: 
        !           513: Enable B<USE_SASL> for LDAP servers that support SASL authentication.
        !           514: 
        !           515: =item B<SASL_AUTH_ID> identity
        !           516: 
        !           517: The SASL user name to use when connecting to the LDAP server.
        !           518: By default, B<sudo> will use an anonymous connection.
        !           519: 
        !           520: =item B<ROOTUSE_SASL> on/true/yes/off/false/no
        !           521: 
        !           522: Enable B<ROOTUSE_SASL> to enable SASL authentication when connecting
        !           523: to an LDAP server from a privileged process, such as B<sudo>.
        !           524: 
        !           525: =item B<ROOTSASL_AUTH_ID> identity
        !           526: 
        !           527: The SASL user name to use when B<ROOTUSE_SASL> is enabled.
        !           528: 
        !           529: =item B<SASL_SECPROPS> none/properties
        !           530: 
        !           531: SASL security properties or I<none> for no properties.  See the
        !           532: SASL programmer's manual for details.
        !           533: 
        !           534: =item B<KRB5_CCNAME> file name
        !           535: 
        !           536: The path to the Kerberos 5 credential cache to use when authenticating
        !           537: with the remote server.
        !           538: 
        !           539: =item B<DEREF> never/searching/finding/always
        !           540: 
        !           541: How alias dereferencing is to be performed when searching.  See the
        !           542: L<ldap.conf(5)> manual for a full description of this option.
        !           543: 
        !           544: =back
        !           545: 
        !           546: See the C<ldap.conf> entry in the L<EXAMPLES> section.
        !           547: 
        !           548: =head2 Configuring nsswitch.conf
        !           549: 
        !           550: Unless it is disabled at build time, B<sudo> consults the Name
        !           551: Service Switch file, F<@nsswitch_conf@>, to specify the I<sudoers>
        !           552: search order.  Sudo looks for a line beginning with C<sudoers>: and
        !           553: uses this to determine the search order.  Note that B<sudo> does
        !           554: not stop searching after the first match and later matches take
        !           555: precedence over earlier ones.
        !           556: 
        !           557: The following sources are recognized:
        !           558: 
        !           559:     files      read sudoers from F<@sysconfdir@/sudoers>
        !           560:     ldap       read sudoers from LDAP
        !           561: 
        !           562: In addition, the entry C<[NOTFOUND=return]> will short-circuit the
        !           563: search if the user was not found in the preceding source.
        !           564: 
        !           565: To consult LDAP first followed by the local sudoers file (if it
        !           566: exists), use:
        !           567: 
        !           568:     sudoers: ldap files
        !           569: 
        !           570: The local I<sudoers> file can be ignored completely by using:
        !           571: 
        !           572:     sudoers: ldap
        !           573: 
        !           574: If the F<@nsswitch_conf@> file is not present or there is no
        !           575: sudoers line, the following default is assumed:
        !           576: 
        !           577:     sudoers: files
        !           578: 
        !           579: Note that F<@nsswitch_conf@> is supported even when the underlying
        !           580: operating system does not use an nsswitch.conf file.
        !           581: 
        !           582: =head2 Configuring netsvc.conf
        !           583: 
        !           584: On AIX systems, the F<@netsvc_conf@> file is consulted instead of
        !           585: F<@nsswitch_conf@>.  B<sudo> simply treats I<netsvc.conf> as a
        !           586: variant of I<nsswitch.conf>; information in the previous section
        !           587: unrelated to the file format itself still applies.
        !           588: 
        !           589: To consult LDAP first followed by the local sudoers file (if it
        !           590: exists), use:
        !           591: 
        !           592:     sudoers = ldap, files
        !           593: 
        !           594: The local I<sudoers> file can be ignored completely by using:
        !           595: 
        !           596:     sudoers = ldap
        !           597: 
        !           598: To treat LDAP as authoratative and only use the local sudoers file
        !           599: if the user is not present in LDAP, use:
        !           600: 
        !           601:     sudoers = ldap = auth, files
        !           602: 
        !           603: Note that in the above example, the C<auth> qualfier only affects
        !           604: user lookups; both LDAP and I<sudoers> will be queried for C<Defaults>
        !           605: entries.
        !           606: 
        !           607: If the F<@netsvc_conf@> file is not present or there is no
        !           608: sudoers line, the following default is assumed:
        !           609: 
        !           610:     sudoers = files
        !           611: 
        !           612: =head1 FILES
        !           613: 
        !           614: =over 24
        !           615: 
        !           616: =item F<@ldap_conf@>
        !           617: 
        !           618: LDAP configuration file
        !           619: 
        !           620: =item F<@nsswitch_conf@>
        !           621: 
        !           622: determines sudoers source order
        !           623: 
        !           624: =item F<@netsvc_conf@>
        !           625: 
        !           626: determines sudoers source order on AIX
        !           627: 
        !           628: =back
        !           629: 
        !           630: =head1 EXAMPLES
        !           631: 
        !           632: =head2 Example ldap.conf
        !           633: 
        !           634:   # Either specify one or more URIs or one or more host:port pairs.
        !           635:   # If neither is specified sudo will default to localhost, port 389.
        !           636:   #
        !           637:   #host          ldapserver
        !           638:   #host          ldapserver1 ldapserver2:390
        !           639:   #
        !           640:   # Default port if host is specified without one, defaults to 389.
        !           641:   #port          389
        !           642:   #
        !           643:   # URI will override the host and port settings.
        !           644:   uri            ldap://ldapserver
        !           645:   #uri            ldaps://secureldapserver
        !           646:   #uri            ldaps://secureldapserver ldap://ldapserver
        !           647:   #
        !           648:   # The amount of time, in seconds, to wait while trying to connect to
        !           649:   # an LDAP server.
        !           650:   bind_timelimit 30
        !           651:   #
        !           652:   # The amount of time, in seconds, to wait while performing an LDAP query.
        !           653:   timelimit 30
        !           654:   #
        !           655:   # Must be set or sudo will ignore LDAP; may be specified multiple times.
        !           656:   sudoers_base   ou=SUDOers,dc=example,dc=com
        !           657:   #
        !           658:   # verbose sudoers matching from ldap
        !           659:   #sudoers_debug 2
        !           660:   #
        !           661:   # Enable support for time-based entries in sudoers.
        !           662:   #sudoers_timed yes
        !           663:   #
        !           664:   # optional proxy credentials
        !           665:   #binddn        <who to search as>
        !           666:   #bindpw        <password>
        !           667:   #rootbinddn    <who to search as, uses /etc/ldap.secret for bindpw>
        !           668:   #
        !           669:   # LDAP protocol version, defaults to 3
        !           670:   #ldap_version 3
        !           671:   #
        !           672:   # Define if you want to use an encrypted LDAP connection.
        !           673:   # Typically, you must also set the port to 636 (ldaps).
        !           674:   #ssl on
        !           675:   #
        !           676:   # Define if you want to use port 389 and switch to
        !           677:   # encryption before the bind credentials are sent.
        !           678:   # Only supported by LDAP servers that support the start_tls
        !           679:   # extension such as OpenLDAP.
        !           680:   #ssl start_tls
        !           681:   #
        !           682:   # Additional TLS options follow that allow tweaking of the
        !           683:   # SSL/TLS connection.
        !           684:   #
        !           685:   #tls_checkpeer yes # verify server SSL certificate
        !           686:   #tls_checkpeer no  # ignore server SSL certificate
        !           687:   #
        !           688:   # If you enable tls_checkpeer, specify either tls_cacertfile
        !           689:   # or tls_cacertdir.  Only supported when using OpenLDAP.
        !           690:   #
        !           691:   #tls_cacertfile /etc/certs/trusted_signers.pem
        !           692:   #tls_cacertdir  /etc/certs
        !           693:   #
        !           694:   # For systems that don't have /dev/random
        !           695:   # use this along with PRNGD or EGD.pl to seed the
        !           696:   # random number pool to generate cryptographic session keys.
        !           697:   # Only supported when using OpenLDAP.
        !           698:   #
        !           699:   #tls_randfile /etc/egd-pool
        !           700:   #
        !           701:   # You may restrict which ciphers are used.  Consult your SSL
        !           702:   # documentation for which options go here.
        !           703:   # Only supported when using OpenLDAP.
        !           704:   #
        !           705:   #tls_ciphers <cipher-list>
        !           706:   #
        !           707:   # Sudo can provide a client certificate when communicating to
        !           708:   # the LDAP server.
        !           709:   # Tips:
        !           710:   #   * Enable both lines at the same time.
        !           711:   #   * Do not password protect the key file.
        !           712:   #   * Ensure the keyfile is only readable by root.
        !           713:   #
        !           714:   # For OpenLDAP:
        !           715:   #tls_cert /etc/certs/client_cert.pem
        !           716:   #tls_key  /etc/certs/client_key.pem
        !           717:   #
        !           718:   # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
        !           719:   # a directory, in which case the files in the directory must have the
        !           720:   # default names (e.g. cert8.db and key4.db), or the path to the cert
        !           721:   # and key files themselves.  However, a bug in version 5.0 of the LDAP
        !           722:   # SDK will prevent specific file names from working.  For this reason
        !           723:   # it is suggested that tls_cert and tls_key be set to a directory,
        !           724:   # not a file name.
        !           725:   #
        !           726:   # The certificate database specified by tls_cert may contain CA certs
        !           727:   # and/or the client's cert.  If the client's cert is included, tls_key
        !           728:   # should be specified as well.
        !           729:   # For backward compatibility, "sslpath" may be used in place of tls_cert.
        !           730:   #tls_cert /var/ldap
        !           731:   #tls_key /var/ldap
        !           732:   #
        !           733:   # If using SASL authentication for LDAP (OpenSSL)
        !           734:   # use_sasl yes
        !           735:   # sasl_auth_id <SASL user name>
        !           736:   # rootuse_sasl yes
        !           737:   # rootsasl_auth_id <SASL user name for root access>
        !           738:   # sasl_secprops none
        !           739:   # krb5_ccname /etc/.ldapcache
        !           740: 
        !           741: =head2 Sudo schema for OpenLDAP 
        !           742: 
        !           743: The following schema, in OpenLDAP format, is included with B<sudo>
        !           744: source and binary distributions as F<schema.OpenLDAP>.  Simply copy
        !           745: it to the schema directory (e.g. F</etc/openldap/schema>), add the
        !           746: proper C<include> line in C<slapd.conf> and restart B<slapd>.
        !           747: 
        !           748:  attributetype ( 1.3.6.1.4.1.15953.9.1.1
        !           749:     NAME 'sudoUser'
        !           750:     DESC 'User(s) who may  run sudo'
        !           751:     EQUALITY caseExactIA5Match
        !           752:     SUBSTR caseExactIA5SubstringsMatch
        !           753:     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
        !           754: 
        !           755:  attributetype ( 1.3.6.1.4.1.15953.9.1.2
        !           756:     NAME 'sudoHost'
        !           757:     DESC 'Host(s) who may run sudo'
        !           758:     EQUALITY caseExactIA5Match
        !           759:     SUBSTR caseExactIA5SubstringsMatch
        !           760:     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
        !           761: 
        !           762:  attributetype ( 1.3.6.1.4.1.15953.9.1.3
        !           763:     NAME 'sudoCommand'
        !           764:     DESC 'Command(s) to be executed by sudo'
        !           765:     EQUALITY caseExactIA5Match
        !           766:     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
        !           767: 
        !           768:  attributetype ( 1.3.6.1.4.1.15953.9.1.4
        !           769:     NAME 'sudoRunAs'
        !           770:     DESC 'User(s) impersonated by sudo'
        !           771:     EQUALITY caseExactIA5Match
        !           772:     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
        !           773: 
        !           774:  attributetype ( 1.3.6.1.4.1.15953.9.1.5
        !           775:     NAME 'sudoOption'
        !           776:     DESC 'Options(s) followed by sudo'
        !           777:     EQUALITY caseExactIA5Match
        !           778:     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
        !           779: 
        !           780:  attributetype ( 1.3.6.1.4.1.15953.9.1.6
        !           781:     NAME 'sudoRunAsUser'
        !           782:     DESC 'User(s) impersonated by sudo'
        !           783:     EQUALITY caseExactIA5Match
        !           784:     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
        !           785: 
        !           786:  attributetype ( 1.3.6.1.4.1.15953.9.1.7
        !           787:     NAME 'sudoRunAsGroup'
        !           788:     DESC 'Group(s) impersonated by sudo'
        !           789:     EQUALITY caseExactIA5Match
        !           790:     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
        !           791: 
        !           792:  attributetype ( 1.3.6.1.4.1.15953.9.1.8
        !           793:     NAME 'sudoNotBefore'
        !           794:     DESC 'Start of time interval for which the entry is valid'
        !           795:     EQUALITY generalizedTimeMatch
        !           796:     ORDERING generalizedTimeOrderingMatch
        !           797:     SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
        !           798: 
        !           799:  attributetype ( 1.3.6.1.4.1.15953.9.1.9
        !           800:     NAME 'sudoNotAfter'
        !           801:     DESC 'End of time interval for which the entry is valid'
        !           802:     EQUALITY generalizedTimeMatch
        !           803:     ORDERING generalizedTimeOrderingMatch
        !           804:     SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
        !           805: 
        !           806:  attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
        !           807:      NAME 'sudoOrder'
        !           808:      DESC 'an integer to order the sudoRole entries'
        !           809:      EQUALITY integerMatch
        !           810:      ORDERING integerOrderingMatch
        !           811:      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
        !           812: 
        !           813:  objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
        !           814:     DESC 'Sudoer Entries'
        !           815:     MUST ( cn )
        !           816:     MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
        !           817:          sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
        !           818:          sudoOrder $ description )
        !           819:     )
        !           820: 
        !           821: =head1 SEE ALSO
        !           822: 
        !           823: L<ldap.conf(5)>, L<sudoers(5)>
        !           824: 
        !           825: =head1 CAVEATS
        !           826: 
        !           827: Note that there are differences in the way that LDAP-based I<sudoers>
        !           828: is parsed compared to file-based I<sudoers>.  See the L<Differences
        !           829: between LDAP and non-LDAP sudoers> section for more information.
        !           830: 
        !           831: =head1 BUGS
        !           832: 
        !           833: If you feel you have found a bug in B<sudo>, please submit a bug report
        !           834: at http://www.sudo.ws/sudo/bugs/
        !           835: 
        !           836: =head1 SUPPORT
        !           837: 
        !           838: Limited free support is available via the sudo-users mailing list,
        !           839: see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
        !           840: search the archives.
        !           841: 
        !           842: =head1 DISCLAIMER
        !           843: 
        !           844: B<sudo> is provided ``AS IS'' and any express or implied warranties,
        !           845: including, but not limited to, the implied warranties of merchantability
        !           846: and fitness for a particular purpose are disclaimed.  See the LICENSE
        !           847: file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
        !           848: for complete details.

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>