Annotation of embedaddon/sudo/doc/sudoers.ldap.pod, revision 1.1
1.1 ! misho 1: Copyright (c) 2003-2011
! 2: Todd C. Miller <Todd.Miller@courtesan.com>
! 3:
! 4: Permission to use, copy, modify, and distribute this software for any
! 5: purpose with or without fee is hereby granted, provided that the above
! 6: copyright notice and this permission notice appear in all copies.
! 7:
! 8: THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
! 9: WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
! 10: MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
! 11: ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
! 12: WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
! 13: ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
! 14: OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
! 15: ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
! 16:
! 17: =pod
! 18:
! 19: =head1 NAME
! 20:
! 21: sudoers.ldap - sudo LDAP configuration
! 22:
! 23: =head1 DESCRIPTION
! 24:
! 25: In addition to the standard I<sudoers> file, B<sudo> may be configured
! 26: via LDAP. This can be especially useful for synchronizing I<sudoers>
! 27: in a large, distributed environment.
! 28:
! 29: Using LDAP for I<sudoers> has several benefits:
! 30:
! 31: =over 4
! 32:
! 33: =item *
! 34:
! 35: B<sudo> no longer needs to read I<sudoers> in its entirety. When
! 36: LDAP is used, there are only two or three LDAP queries per invocation.
! 37: This makes it especially fast and particularly usable in LDAP
! 38: environments.
! 39:
! 40: =item *
! 41:
! 42: B<sudo> no longer exits if there is a typo in I<sudoers>.
! 43: It is not possible to load LDAP data into the server that does
! 44: not conform to the sudoers schema, so proper syntax is guaranteed.
! 45: It is still possible to have typos in a user or host name, but
! 46: this will not prevent B<sudo> from running.
! 47:
! 48: =item *
! 49:
! 50: It is possible to specify per-entry options that override the global
! 51: default options. F<@sysconfdir@/sudoers> only supports default options and
! 52: limited options associated with user/host/commands/aliases. The
! 53: syntax is complicated and can be difficult for users to understand.
! 54: Placing the options directly in the entry is more natural.
! 55:
! 56: =item *
! 57:
! 58: The B<visudo> program is no longer needed. B<visudo> provides
! 59: locking and syntax checking of the F<@sysconfdir@/sudoers> file.
! 60: Since LDAP updates are atomic, locking is no longer necessary.
! 61: Because syntax is checked when the data is inserted into LDAP, there
! 62: is no need for a specialized tool to check syntax.
! 63:
! 64: =back
! 65:
! 66: Another major difference between LDAP and file-based I<sudoers>
! 67: is that in LDAP, B<sudo>-specific Aliases are not supported.
! 68:
! 69: For the most part, there is really no need for B<sudo>-specific
! 70: Aliases. Unix groups or user netgroups can be used in place of
! 71: User_Aliases and Runas_Aliases. Host netgroups can be used in place
! 72: of Host_Aliases. Since Unix groups and netgroups can also be stored
! 73: in LDAP there is no real need for B<sudo>-specific aliases.
! 74:
! 75: Cmnd_Aliases are not really required either since it is possible
! 76: to have multiple users listed in a C<sudoRole>. Instead of defining
! 77: a Cmnd_Alias that is referenced by multiple users, one can create
! 78: a C<sudoRole> that contains the commands and assign multiple users
! 79: to it.
! 80:
! 81: =head2 SUDOers LDAP container
! 82:
! 83: The I<sudoers> configuration is contained in the C<ou=SUDOers> LDAP
! 84: container.
! 85:
! 86: Sudo first looks for the C<cn=default> entry in the SUDOers container.
! 87: If found, the multi-valued C<sudoOption> attribute is parsed in the
! 88: same manner as a global C<Defaults> line in F<@sysconfdir@/sudoers>. In
! 89: the following example, the C<SSH_AUTH_SOCK> variable will be preserved
! 90: in the environment for all users.
! 91:
! 92: dn: cn=defaults,ou=SUDOers,dc=example,dc=com
! 93: objectClass: top
! 94: objectClass: sudoRole
! 95: cn: defaults
! 96: description: Default sudoOption's go here
! 97: sudoOption: env_keep+=SSH_AUTH_SOCK
! 98:
! 99: The equivalent of a sudoer in LDAP is a C<sudoRole>. It consists of
! 100: the following attributes:
! 101:
! 102: =over 4
! 103:
! 104: =item B<sudoUser>
! 105:
! 106: A user name, uid (prefixed with C<'#'>), Unix group (prefixed with
! 107: a C<'%'>) or user netgroup (prefixed with a C<'+'>).
! 108:
! 109: =item B<sudoHost>
! 110:
! 111: A host name, IP address, IP network, or host netgroup (prefixed
! 112: with a C<'+'>).
! 113: The special value C<ALL> will match any host.
! 114:
! 115: =item B<sudoCommand>
! 116:
! 117: A Unix command with optional command line arguments, potentially
! 118: including globbing characters (aka wild cards).
! 119: The special value C<ALL> will match any command.
! 120: If a command is prefixed with an exclamation point C<'!'>, the
! 121: user will be prohibited from running that command.
! 122:
! 123: =item B<sudoOption>
! 124:
! 125: Identical in function to the global options described above, but
! 126: specific to the C<sudoRole> in which it resides.
! 127:
! 128: =item B<sudoRunAsUser>
! 129:
! 130: A user name or uid (prefixed with C<'#'>) that commands may be run
! 131: as or a Unix group (prefixed with a C<'%'>) or user netgroup (prefixed
! 132: with a C<'+'>) that contains a list of users that commands may be
! 133: run as.
! 134: The special value C<ALL> will match any user.
! 135:
! 136: The C<sudoRunAsUser> attribute is only available in B<sudo> versions
! 137: 1.7.0 and higher. Older versions of B<sudo> use the C<sudoRunAs>
! 138: attribute instead.
! 139:
! 140: =item B<sudoRunAsGroup>
! 141:
! 142: A Unix group or gid (prefixed with C<'#'>) that commands may be run as.
! 143: The special value C<ALL> will match any group.
! 144:
! 145: The C<sudoRunAsGroup> attribute is only available in B<sudo> versions
! 146: 1.7.0 and higher.
! 147:
! 148: =item B<sudoNotBefore>
! 149:
! 150: A timestamp in the form C<yyyymmddHHMMSSZ> that can be used to provide
! 151: a start date/time for when the C<sudoRole> will be valid. If
! 152: multiple C<sudoNotBefore> entries are present, the earliest is used.
! 153: Note that timestamps must be in Coordinated Universal Time (UTC),
! 154: not the local timezone. The minute and seconds portions are optional,
! 155: but some LDAP servers require that they be present (contrary to the RFC).
! 156:
! 157: The C<sudoNotBefore> attribute is only available in B<sudo> versions
! 158: 1.7.5 and higher and must be explicitly enabled via the B<SUDOERS_TIMED>
! 159: option in F<@ldap_conf@>.
! 160:
! 161: =item B<sudoNotAfter>
! 162:
! 163: A timestamp in the form C<yyyymmddHHMMSSZ> that indicates an expiration
! 164: date/time, after which the C<sudoRole> will no longer be valid. If
! 165: multiple C<sudoNotBefore> entries are present, the last one is used.
! 166: Note that timestamps must be in Coordinated Universal Time (UTC),
! 167: not the local timezone. The minute and seconds portions are optional,
! 168: but some LDAP servers require that they be present (contrary to the RFC).
! 169:
! 170: The C<sudoNotAfter> attribute is only available in B<sudo> versions
! 171: 1.7.5 and higher and must be explicitly enabled via the B<SUDOERS_TIMED>
! 172: option in F<@ldap_conf@>.
! 173:
! 174: =item B<sudoOrder>
! 175:
! 176: The C<sudoRole> entries retrieved from the LDAP directory have no
! 177: inherent order. The C<sudoOrder> attribute is an integer (or
! 178: floating point value for LDAP servers that support it) that is used
! 179: to sort the matching entries. This allows LDAP-based sudoers entries
! 180: to more closely mimic the behaviour of the sudoers file, where the
! 181: of the entries influences the result. If multiple entries match,
! 182: the entry with the highest C<sudoOrder> attribute is chosen. This
! 183: corresponds to the "last match" behavior of the sudoers file. If
! 184: the C<sudoOrder> attribute is not present, a value of 0 is assumed.
! 185:
! 186: The C<sudoOrder> attribute is only available in B<sudo> versions
! 187: 1.7.5 and higher.
! 188:
! 189: =back
! 190:
! 191: Each attribute listed above should contain a single value, but there
! 192: may be multiple instances of each attribute type. A C<sudoRole> must
! 193: contain at least one C<sudoUser>, C<sudoHost> and C<sudoCommand>.
! 194:
! 195: The following example allows users in group wheel to run any command
! 196: on any host via B<sudo>:
! 197:
! 198: dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
! 199: objectClass: top
! 200: objectClass: sudoRole
! 201: cn: %wheel
! 202: sudoUser: %wheel
! 203: sudoHost: ALL
! 204: sudoCommand: ALL
! 205:
! 206: =head2 Anatomy of LDAP sudoers lookup
! 207:
! 208: When looking up a sudoer using LDAP there are only two or three
! 209: LDAP queries per invocation. The first query is to parse the global
! 210: options. The second is to match against the user's name and the
! 211: groups that the user belongs to. (The special ALL tag is matched
! 212: in this query too.) If no match is returned for the user's name
! 213: and groups, a third query returns all entries containing user
! 214: netgroups and checks to see if the user belongs to any of them.
! 215:
! 216: If timed entries are enabled with the B<SUDOERS_TIMED> configuration
! 217: directive, the LDAP queries include a subfilter that limits retrieval
! 218: to entries that satisfy the time constraints, if any.
! 219:
! 220: =head2 Differences between LDAP and non-LDAP sudoers
! 221:
! 222: There are some subtle differences in the way sudoers is handled
! 223: once in LDAP. Probably the biggest is that according to the RFC,
! 224: LDAP ordering is arbitrary and you cannot expect that Attributes
! 225: and Entries are returned in any specific order.
! 226:
! 227: The order in which different entries are applied can be controlled
! 228: using the C<sudoOrder> attribute, but there is no way to guarantee
! 229: the order of attributes within a specific entry. If there are
! 230: conflicting command rules in an entry, the negative takes precedence.
! 231: This is called paranoid behavior (not necessarily the most specific
! 232: match).
! 233:
! 234: Here is an example:
! 235:
! 236: # /etc/sudoers:
! 237: # Allow all commands except shell
! 238: johnny ALL=(root) ALL,!/bin/sh
! 239: # Always allows all commands because ALL is matched last
! 240: puddles ALL=(root) !/bin/sh,ALL
! 241:
! 242: # LDAP equivalent of johnny
! 243: # Allows all commands except shell
! 244: dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
! 245: objectClass: sudoRole
! 246: objectClass: top
! 247: cn: role1
! 248: sudoUser: johnny
! 249: sudoHost: ALL
! 250: sudoCommand: ALL
! 251: sudoCommand: !/bin/sh
! 252:
! 253: # LDAP equivalent of puddles
! 254: # Notice that even though ALL comes last, it still behaves like
! 255: # role1 since the LDAP code assumes the more paranoid configuration
! 256: dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
! 257: objectClass: sudoRole
! 258: objectClass: top
! 259: cn: role2
! 260: sudoUser: puddles
! 261: sudoHost: ALL
! 262: sudoCommand: !/bin/sh
! 263: sudoCommand: ALL
! 264:
! 265: Another difference is that negations on the Host, User or Runas are
! 266: currently ignored. For example, the following attributes do not
! 267: behave the way one might expect.
! 268:
! 269: # does not match all but joe
! 270: # rather, does not match anyone
! 271: sudoUser: !joe
! 272:
! 273: # does not match all but joe
! 274: # rather, matches everyone including Joe
! 275: sudoUser: ALL
! 276: sudoUser: !joe
! 277:
! 278: # does not match all but web01
! 279: # rather, matches all hosts including web01
! 280: sudoHost: ALL
! 281: sudoHost: !web01
! 282:
! 283: =head2 Sudoers Schema
! 284:
! 285: In order to use B<sudo>'s LDAP support, the B<sudo> schema must be
! 286: installed on your LDAP server. In addition, be sure to index the
! 287: 'sudoUser' attribute.
! 288:
! 289: Three versions of the schema: one for OpenLDAP servers (F<schema.OpenLDAP>),
! 290: one for Netscape-derived servers (F<schema.iPlanet>), and one for
! 291: Microsoft Active Directory (F<schema.ActiveDirectory>) may
! 292: be found in the B<sudo> distribution.
! 293:
! 294: The schema for B<sudo> in OpenLDAP form is included in the L<EXAMPLES>
! 295: section.
! 296:
! 297: =head2 Configuring ldap.conf
! 298:
! 299: Sudo reads the F<@ldap_conf@> file for LDAP-specific configuration.
! 300: Typically, this file is shared amongst different LDAP-aware clients.
! 301: As such, most of the settings are not B<sudo>-specific. Note that
! 302: B<sudo> parses F<@ldap_conf@> itself and may support options
! 303: that differ from those described in the L<ldap.conf(5)> manual.
! 304:
! 305: Also note that on systems using the OpenLDAP libraries, default
! 306: values specified in F</etc/openldap/ldap.conf> or the user's
! 307: F<.ldaprc> files are not used.
! 308:
! 309: Only those options explicitly listed in F<@ldap_conf@> as being
! 310: supported by B<sudo> are honored. Configuration options are listed
! 311: below in upper case but are parsed in a case-independent manner.
! 312:
! 313: =over 4
! 314:
! 315: =item B<URI> ldap[s]://[hostname[:port]] ...
! 316:
! 317: Specifies a whitespace-delimited list of one or more URIs describing
! 318: the LDAP server(s) to connect to. The I<protocol> may be either
! 319: B<ldap> or B<ldaps>, the latter being for servers that support TLS
! 320: (SSL) encryption. If no I<port> is specified, the default is port
! 321: 389 for C<ldap://> or port 636 for C<ldaps://>. If no I<hostname>
! 322: is specified, B<sudo> will connect to B<localhost>. Multiple B<URI>
! 323: lines are treated identically to a B<URI> line containing multiple
! 324: entries. Only systems using the OpenSSL libraries support the
! 325: mixing of C<ldap://> and C<ldaps://> URIs. The Netscape-derived
! 326: libraries used on most commercial versions of Unix are only capable
! 327: of supporting one or the other.
! 328:
! 329: =item B<HOST> name[:port] ...
! 330:
! 331: If no B<URI> is specified, the B<HOST> parameter specifies a
! 332: whitespace-delimited list of LDAP servers to connect to. Each host
! 333: may include an optional I<port> separated by a colon (':'). The
! 334: B<HOST> parameter is deprecated in favor of the B<URI> specification
! 335: and is included for backwards compatibility.
! 336:
! 337: =item B<PORT> port_number
! 338:
! 339: If no B<URI> is specified, the B<PORT> parameter specifies the
! 340: default port to connect to on the LDAP server if a B<HOST> parameter
! 341: does not specify the port itself. If no B<PORT> parameter is used,
! 342: the default is port 389 for LDAP and port 636 for LDAP over TLS
! 343: (SSL). The B<PORT> parameter is deprecated in favor of the B<URI>
! 344: specification and is included for backwards compatibility.
! 345:
! 346: =item B<BIND_TIMELIMIT> seconds
! 347:
! 348: The B<BIND_TIMELIMIT> parameter specifies the amount of time, in seconds,
! 349: to wait while trying to connect to an LDAP server. If multiple B<URI>s or
! 350: B<HOST>s are specified, this is the amount of time to wait before trying
! 351: the next one in the list.
! 352:
! 353: =item B<NETWORK_TIMEOUT> seconds
! 354:
! 355: An alias for B<BIND_TIMELIMIT> for OpenLDAP compatibility.
! 356:
! 357: =item B<TIMELIMIT> seconds
! 358:
! 359: The B<TIMELIMIT> parameter specifies the amount of time, in seconds,
! 360: to wait for a response to an LDAP query.
! 361:
! 362: =item B<TIMEOUT> seconds
! 363:
! 364: The B<TIMEOUT> parameter specifies the amount of time, in seconds,
! 365: to wait for a response from the various LDAP APIs.
! 366:
! 367: =item B<SUDOERS_BASE> base
! 368:
! 369: The base DN to use when performing B<sudo> LDAP queries. Typically
! 370: this is of the form C<ou=SUDOers,dc=example,dc=com> for the domain
! 371: C<example.com>. Multiple B<SUDOERS_BASE> lines may be specified,
! 372: in which case they are queried in the order specified.
! 373:
! 374: =item B<SUDOERS_SEARCH_FILTER> ldap_filter
! 375:
! 376: An LDAP filter which is used to restrict the set of records returned
! 377: when performing a B<sudo> LDAP query. Typically, this is of the
! 378: form C<attribute=value> or C<(&(attribute=value)(attribute2=value2))>.
! 379:
! 380: =item B<SUDOERS_TIMED> on/true/yes/off/false/no
! 381:
! 382: Whether or not to evaluate the C<sudoNotBefore> and C<sudoNotAfter>
! 383: attributes that implement time-dependent sudoers entries.
! 384:
! 385: =item B<SUDOERS_DEBUG> debug_level
! 386:
! 387: This sets the debug level for B<sudo> LDAP queries. Debugging
! 388: information is printed to the standard error. A value of 1 results
! 389: in a moderate amount of debugging information. A value of 2 shows
! 390: the results of the matches themselves. This parameter should not
! 391: be set in a production environment as the extra information is
! 392: likely to confuse users.
! 393:
! 394: =item B<BINDDN> DN
! 395:
! 396: The B<BINDDN> parameter specifies the identity, in the form of a
! 397: Distinguished Name (DN), to use when performing LDAP operations.
! 398: If not specified, LDAP operations are performed with an anonymous
! 399: identity. By default, most LDAP servers will allow anonymous access.
! 400:
! 401: =item B<BINDPW> secret
! 402:
! 403: The B<BINDPW> parameter specifies the password to use when performing
! 404: LDAP operations. This is typically used in conjunction with the
! 405: B<BINDDN> parameter.
! 406:
! 407: =item B<ROOTBINDDN> DN
! 408:
! 409: The B<ROOTBINDDN> parameter specifies the identity, in the form of
! 410: a Distinguished Name (DN), to use when performing privileged LDAP
! 411: operations, such as I<sudoers> queries. The password corresponding
! 412: to the identity should be stored in F<@ldap_secret@>.
! 413: If not specified, the B<BINDDN> identity is used (if any).
! 414:
! 415: =item B<LDAP_VERSION> number
! 416:
! 417: The version of the LDAP protocol to use when connecting to the server.
! 418: The default value is protocol version 3.
! 419:
! 420: =item B<SSL> on/true/yes/off/false/no
! 421:
! 422: If the B<SSL> parameter is set to C<on>, C<true> or C<yes>, TLS
! 423: (SSL) encryption is always used when communicating with the LDAP
! 424: server. Typically, this involves connecting to the server on port
! 425: 636 (ldaps).
! 426:
! 427: =item B<SSL> start_tls
! 428:
! 429: If the B<SSL> parameter is set to C<start_tls>, the LDAP server
! 430: connection is initiated normally and TLS encryption is begun before
! 431: the bind credentials are sent. This has the advantage of not
! 432: requiring a dedicated port for encrypted communications. This
! 433: parameter is only supported by LDAP servers that honor the C<start_tls>
! 434: extension, such as the OpenLDAP server.
! 435:
! 436: =item B<TLS_CHECKPEER> on/true/yes/off/false/no
! 437:
! 438: If enabled, B<TLS_CHECKPEER> will cause the LDAP server's TLS
! 439: certificated to be verified. If the server's TLS certificate cannot
! 440: be verified (usually because it is signed by an unknown certificate
! 441: authority), B<sudo> will be unable to connect to it. If B<TLS_CHECKPEER>
! 442: is disabled, no check is made. Note that disabling the check creates
! 443: an opportunity for man-in-the-middle attacks since the server's
! 444: identity will not be authenticated. If possible, the CA's certificate
! 445: should be installed locally so it can be verified.
! 446:
! 447: =item B<TLS_CACERT> file name
! 448:
! 449: An alias for B<TLS_CACERTFILE> for OpenLDAP compatibility.
! 450:
! 451: =item B<TLS_CACERTFILE> file name
! 452:
! 453: The path to a certificate authority bundle which contains the certificates
! 454: for all the Certificate Authorities the client knows to be valid,
! 455: e.g. F</etc/ssl/ca-bundle.pem>.
! 456: This option is only supported by the OpenLDAP libraries.
! 457: Netscape-derived LDAP libraries use the same certificate
! 458: database for CA and client certificates (see B<TLS_CERT>).
! 459:
! 460: =item B<TLS_CACERTDIR> directory
! 461:
! 462: Similar to B<TLS_CACERTFILE> but instead of a file, it is a
! 463: directory containing individual Certificate Authority certificates,
! 464: e.g. F</etc/ssl/certs>.
! 465: The directory specified by B<TLS_CACERTDIR> is checked after
! 466: B<TLS_CACERTFILE>.
! 467: This option is only supported by the OpenLDAP libraries.
! 468:
! 469: =item B<TLS_CERT> file name
! 470:
! 471: The path to a file containing the client certificate which can
! 472: be used to authenticate the client to the LDAP server.
! 473: The certificate type depends on the LDAP libraries used.
! 474:
! 475: OpenLDAP:
! 476: C<tls_cert /etc/ssl/client_cert.pem>
! 477:
! 478: Netscape-derived:
! 479: C<tls_cert /var/ldap/cert7.db>
! 480:
! 481: When using Netscape-derived libraries, this file may also contain
! 482: Certificate Authority certificates.
! 483:
! 484: =item B<TLS_KEY> file name
! 485:
! 486: The path to a file containing the private key which matches the
! 487: certificate specified by B<TLS_CERT>. The private key must not be
! 488: password-protected. The key type depends on the LDAP libraries
! 489: used.
! 490:
! 491: OpenLDAP:
! 492: C<tls_key /etc/ssl/client_key.pem>
! 493:
! 494: Netscape-derived:
! 495: C<tls_key /var/ldap/key3.db>
! 496:
! 497: =item B<TLS_RANDFILE> file name
! 498:
! 499: The B<TLS_RANDFILE> parameter specifies the path to an entropy
! 500: source for systems that lack a random device. It is generally used
! 501: in conjunction with I<prngd> or I<egd>.
! 502: This option is only supported by the OpenLDAP libraries.
! 503:
! 504: =item B<TLS_CIPHERS> cipher list
! 505:
! 506: The B<TLS_CIPHERS> parameter allows the administer to restrict
! 507: which encryption algorithms may be used for TLS (SSL) connections.
! 508: See the OpenSSL manual for a list of valid ciphers.
! 509: This option is only supported by the OpenLDAP libraries.
! 510:
! 511: =item B<USE_SASL> on/true/yes/off/false/no
! 512:
! 513: Enable B<USE_SASL> for LDAP servers that support SASL authentication.
! 514:
! 515: =item B<SASL_AUTH_ID> identity
! 516:
! 517: The SASL user name to use when connecting to the LDAP server.
! 518: By default, B<sudo> will use an anonymous connection.
! 519:
! 520: =item B<ROOTUSE_SASL> on/true/yes/off/false/no
! 521:
! 522: Enable B<ROOTUSE_SASL> to enable SASL authentication when connecting
! 523: to an LDAP server from a privileged process, such as B<sudo>.
! 524:
! 525: =item B<ROOTSASL_AUTH_ID> identity
! 526:
! 527: The SASL user name to use when B<ROOTUSE_SASL> is enabled.
! 528:
! 529: =item B<SASL_SECPROPS> none/properties
! 530:
! 531: SASL security properties or I<none> for no properties. See the
! 532: SASL programmer's manual for details.
! 533:
! 534: =item B<KRB5_CCNAME> file name
! 535:
! 536: The path to the Kerberos 5 credential cache to use when authenticating
! 537: with the remote server.
! 538:
! 539: =item B<DEREF> never/searching/finding/always
! 540:
! 541: How alias dereferencing is to be performed when searching. See the
! 542: L<ldap.conf(5)> manual for a full description of this option.
! 543:
! 544: =back
! 545:
! 546: See the C<ldap.conf> entry in the L<EXAMPLES> section.
! 547:
! 548: =head2 Configuring nsswitch.conf
! 549:
! 550: Unless it is disabled at build time, B<sudo> consults the Name
! 551: Service Switch file, F<@nsswitch_conf@>, to specify the I<sudoers>
! 552: search order. Sudo looks for a line beginning with C<sudoers>: and
! 553: uses this to determine the search order. Note that B<sudo> does
! 554: not stop searching after the first match and later matches take
! 555: precedence over earlier ones.
! 556:
! 557: The following sources are recognized:
! 558:
! 559: files read sudoers from F<@sysconfdir@/sudoers>
! 560: ldap read sudoers from LDAP
! 561:
! 562: In addition, the entry C<[NOTFOUND=return]> will short-circuit the
! 563: search if the user was not found in the preceding source.
! 564:
! 565: To consult LDAP first followed by the local sudoers file (if it
! 566: exists), use:
! 567:
! 568: sudoers: ldap files
! 569:
! 570: The local I<sudoers> file can be ignored completely by using:
! 571:
! 572: sudoers: ldap
! 573:
! 574: If the F<@nsswitch_conf@> file is not present or there is no
! 575: sudoers line, the following default is assumed:
! 576:
! 577: sudoers: files
! 578:
! 579: Note that F<@nsswitch_conf@> is supported even when the underlying
! 580: operating system does not use an nsswitch.conf file.
! 581:
! 582: =head2 Configuring netsvc.conf
! 583:
! 584: On AIX systems, the F<@netsvc_conf@> file is consulted instead of
! 585: F<@nsswitch_conf@>. B<sudo> simply treats I<netsvc.conf> as a
! 586: variant of I<nsswitch.conf>; information in the previous section
! 587: unrelated to the file format itself still applies.
! 588:
! 589: To consult LDAP first followed by the local sudoers file (if it
! 590: exists), use:
! 591:
! 592: sudoers = ldap, files
! 593:
! 594: The local I<sudoers> file can be ignored completely by using:
! 595:
! 596: sudoers = ldap
! 597:
! 598: To treat LDAP as authoratative and only use the local sudoers file
! 599: if the user is not present in LDAP, use:
! 600:
! 601: sudoers = ldap = auth, files
! 602:
! 603: Note that in the above example, the C<auth> qualfier only affects
! 604: user lookups; both LDAP and I<sudoers> will be queried for C<Defaults>
! 605: entries.
! 606:
! 607: If the F<@netsvc_conf@> file is not present or there is no
! 608: sudoers line, the following default is assumed:
! 609:
! 610: sudoers = files
! 611:
! 612: =head1 FILES
! 613:
! 614: =over 24
! 615:
! 616: =item F<@ldap_conf@>
! 617:
! 618: LDAP configuration file
! 619:
! 620: =item F<@nsswitch_conf@>
! 621:
! 622: determines sudoers source order
! 623:
! 624: =item F<@netsvc_conf@>
! 625:
! 626: determines sudoers source order on AIX
! 627:
! 628: =back
! 629:
! 630: =head1 EXAMPLES
! 631:
! 632: =head2 Example ldap.conf
! 633:
! 634: # Either specify one or more URIs or one or more host:port pairs.
! 635: # If neither is specified sudo will default to localhost, port 389.
! 636: #
! 637: #host ldapserver
! 638: #host ldapserver1 ldapserver2:390
! 639: #
! 640: # Default port if host is specified without one, defaults to 389.
! 641: #port 389
! 642: #
! 643: # URI will override the host and port settings.
! 644: uri ldap://ldapserver
! 645: #uri ldaps://secureldapserver
! 646: #uri ldaps://secureldapserver ldap://ldapserver
! 647: #
! 648: # The amount of time, in seconds, to wait while trying to connect to
! 649: # an LDAP server.
! 650: bind_timelimit 30
! 651: #
! 652: # The amount of time, in seconds, to wait while performing an LDAP query.
! 653: timelimit 30
! 654: #
! 655: # Must be set or sudo will ignore LDAP; may be specified multiple times.
! 656: sudoers_base ou=SUDOers,dc=example,dc=com
! 657: #
! 658: # verbose sudoers matching from ldap
! 659: #sudoers_debug 2
! 660: #
! 661: # Enable support for time-based entries in sudoers.
! 662: #sudoers_timed yes
! 663: #
! 664: # optional proxy credentials
! 665: #binddn <who to search as>
! 666: #bindpw <password>
! 667: #rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>
! 668: #
! 669: # LDAP protocol version, defaults to 3
! 670: #ldap_version 3
! 671: #
! 672: # Define if you want to use an encrypted LDAP connection.
! 673: # Typically, you must also set the port to 636 (ldaps).
! 674: #ssl on
! 675: #
! 676: # Define if you want to use port 389 and switch to
! 677: # encryption before the bind credentials are sent.
! 678: # Only supported by LDAP servers that support the start_tls
! 679: # extension such as OpenLDAP.
! 680: #ssl start_tls
! 681: #
! 682: # Additional TLS options follow that allow tweaking of the
! 683: # SSL/TLS connection.
! 684: #
! 685: #tls_checkpeer yes # verify server SSL certificate
! 686: #tls_checkpeer no # ignore server SSL certificate
! 687: #
! 688: # If you enable tls_checkpeer, specify either tls_cacertfile
! 689: # or tls_cacertdir. Only supported when using OpenLDAP.
! 690: #
! 691: #tls_cacertfile /etc/certs/trusted_signers.pem
! 692: #tls_cacertdir /etc/certs
! 693: #
! 694: # For systems that don't have /dev/random
! 695: # use this along with PRNGD or EGD.pl to seed the
! 696: # random number pool to generate cryptographic session keys.
! 697: # Only supported when using OpenLDAP.
! 698: #
! 699: #tls_randfile /etc/egd-pool
! 700: #
! 701: # You may restrict which ciphers are used. Consult your SSL
! 702: # documentation for which options go here.
! 703: # Only supported when using OpenLDAP.
! 704: #
! 705: #tls_ciphers <cipher-list>
! 706: #
! 707: # Sudo can provide a client certificate when communicating to
! 708: # the LDAP server.
! 709: # Tips:
! 710: # * Enable both lines at the same time.
! 711: # * Do not password protect the key file.
! 712: # * Ensure the keyfile is only readable by root.
! 713: #
! 714: # For OpenLDAP:
! 715: #tls_cert /etc/certs/client_cert.pem
! 716: #tls_key /etc/certs/client_key.pem
! 717: #
! 718: # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
! 719: # a directory, in which case the files in the directory must have the
! 720: # default names (e.g. cert8.db and key4.db), or the path to the cert
! 721: # and key files themselves. However, a bug in version 5.0 of the LDAP
! 722: # SDK will prevent specific file names from working. For this reason
! 723: # it is suggested that tls_cert and tls_key be set to a directory,
! 724: # not a file name.
! 725: #
! 726: # The certificate database specified by tls_cert may contain CA certs
! 727: # and/or the client's cert. If the client's cert is included, tls_key
! 728: # should be specified as well.
! 729: # For backward compatibility, "sslpath" may be used in place of tls_cert.
! 730: #tls_cert /var/ldap
! 731: #tls_key /var/ldap
! 732: #
! 733: # If using SASL authentication for LDAP (OpenSSL)
! 734: # use_sasl yes
! 735: # sasl_auth_id <SASL user name>
! 736: # rootuse_sasl yes
! 737: # rootsasl_auth_id <SASL user name for root access>
! 738: # sasl_secprops none
! 739: # krb5_ccname /etc/.ldapcache
! 740:
! 741: =head2 Sudo schema for OpenLDAP
! 742:
! 743: The following schema, in OpenLDAP format, is included with B<sudo>
! 744: source and binary distributions as F<schema.OpenLDAP>. Simply copy
! 745: it to the schema directory (e.g. F</etc/openldap/schema>), add the
! 746: proper C<include> line in C<slapd.conf> and restart B<slapd>.
! 747:
! 748: attributetype ( 1.3.6.1.4.1.15953.9.1.1
! 749: NAME 'sudoUser'
! 750: DESC 'User(s) who may run sudo'
! 751: EQUALITY caseExactIA5Match
! 752: SUBSTR caseExactIA5SubstringsMatch
! 753: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
! 754:
! 755: attributetype ( 1.3.6.1.4.1.15953.9.1.2
! 756: NAME 'sudoHost'
! 757: DESC 'Host(s) who may run sudo'
! 758: EQUALITY caseExactIA5Match
! 759: SUBSTR caseExactIA5SubstringsMatch
! 760: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
! 761:
! 762: attributetype ( 1.3.6.1.4.1.15953.9.1.3
! 763: NAME 'sudoCommand'
! 764: DESC 'Command(s) to be executed by sudo'
! 765: EQUALITY caseExactIA5Match
! 766: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
! 767:
! 768: attributetype ( 1.3.6.1.4.1.15953.9.1.4
! 769: NAME 'sudoRunAs'
! 770: DESC 'User(s) impersonated by sudo'
! 771: EQUALITY caseExactIA5Match
! 772: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
! 773:
! 774: attributetype ( 1.3.6.1.4.1.15953.9.1.5
! 775: NAME 'sudoOption'
! 776: DESC 'Options(s) followed by sudo'
! 777: EQUALITY caseExactIA5Match
! 778: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
! 779:
! 780: attributetype ( 1.3.6.1.4.1.15953.9.1.6
! 781: NAME 'sudoRunAsUser'
! 782: DESC 'User(s) impersonated by sudo'
! 783: EQUALITY caseExactIA5Match
! 784: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
! 785:
! 786: attributetype ( 1.3.6.1.4.1.15953.9.1.7
! 787: NAME 'sudoRunAsGroup'
! 788: DESC 'Group(s) impersonated by sudo'
! 789: EQUALITY caseExactIA5Match
! 790: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
! 791:
! 792: attributetype ( 1.3.6.1.4.1.15953.9.1.8
! 793: NAME 'sudoNotBefore'
! 794: DESC 'Start of time interval for which the entry is valid'
! 795: EQUALITY generalizedTimeMatch
! 796: ORDERING generalizedTimeOrderingMatch
! 797: SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
! 798:
! 799: attributetype ( 1.3.6.1.4.1.15953.9.1.9
! 800: NAME 'sudoNotAfter'
! 801: DESC 'End of time interval for which the entry is valid'
! 802: EQUALITY generalizedTimeMatch
! 803: ORDERING generalizedTimeOrderingMatch
! 804: SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
! 805:
! 806: attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
! 807: NAME 'sudoOrder'
! 808: DESC 'an integer to order the sudoRole entries'
! 809: EQUALITY integerMatch
! 810: ORDERING integerOrderingMatch
! 811: SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
! 812:
! 813: objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
! 814: DESC 'Sudoer Entries'
! 815: MUST ( cn )
! 816: MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
! 817: sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
! 818: sudoOrder $ description )
! 819: )
! 820:
! 821: =head1 SEE ALSO
! 822:
! 823: L<ldap.conf(5)>, L<sudoers(5)>
! 824:
! 825: =head1 CAVEATS
! 826:
! 827: Note that there are differences in the way that LDAP-based I<sudoers>
! 828: is parsed compared to file-based I<sudoers>. See the L<Differences
! 829: between LDAP and non-LDAP sudoers> section for more information.
! 830:
! 831: =head1 BUGS
! 832:
! 833: If you feel you have found a bug in B<sudo>, please submit a bug report
! 834: at http://www.sudo.ws/sudo/bugs/
! 835:
! 836: =head1 SUPPORT
! 837:
! 838: Limited free support is available via the sudo-users mailing list,
! 839: see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
! 840: search the archives.
! 841:
! 842: =head1 DISCLAIMER
! 843:
! 844: B<sudo> is provided ``AS IS'' and any express or implied warranties,
! 845: including, but not limited to, the implied warranties of merchantability
! 846: and fitness for a particular purpose are disclaimed. See the LICENSE
! 847: file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
! 848: for complete details.
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>