Annotation of embedaddon/sudo/doc/sudoers.ldap.pod, revision 1.1.1.1

1.1       misho       1: Copyright (c) 2003-2011
                      2:        Todd C. Miller <Todd.Miller@courtesan.com>
                      3: 
                      4: Permission to use, copy, modify, and distribute this software for any
                      5: purpose with or without fee is hereby granted, provided that the above
                      6: copyright notice and this permission notice appear in all copies.
                      7: 
                      8: THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
                      9: WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
                     10: MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
                     11: ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
                     12: WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
                     13: ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
                     14: OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
                     15: ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
                     16: 
                     17: =pod
                     18: 
                     19: =head1 NAME
                     20: 
                     21: sudoers.ldap - sudo LDAP configuration
                     22: 
                     23: =head1 DESCRIPTION
                     24: 
                     25: In addition to the standard I<sudoers> file, B<sudo> may be configured
                     26: via LDAP.  This can be especially useful for synchronizing I<sudoers>
                     27: in a large, distributed environment.
                     28: 
                     29: Using LDAP for I<sudoers> has several benefits:
                     30: 
                     31: =over 4
                     32: 
                     33: =item *
                     34: 
                     35: B<sudo> no longer needs to read I<sudoers> in its entirety.  When
                     36: LDAP is used, there are only two or three LDAP queries per invocation.
                     37: This makes it especially fast and particularly usable in LDAP
                     38: environments.
                     39: 
                     40: =item *
                     41: 
                     42: B<sudo> no longer exits if there is a typo in I<sudoers>.
                     43: It is not possible to load LDAP data into the server that does
                     44: not conform to the sudoers schema, so proper syntax is guaranteed.
                     45: It is still possible to have typos in a user or host name, but
                     46: this will not prevent B<sudo> from running.
                     47: 
                     48: =item *
                     49: 
                     50: It is possible to specify per-entry options that override the global
                     51: default options.  F<@sysconfdir@/sudoers> only supports default options and
                     52: limited options associated with user/host/commands/aliases.  The
                     53: syntax is complicated and can be difficult for users to understand.
                     54: Placing the options directly in the entry is more natural.
                     55: 
                     56: =item *
                     57: 
                     58: The B<visudo> program is no longer needed.  B<visudo> provides
                     59: locking and syntax checking of the F<@sysconfdir@/sudoers> file.
                     60: Since LDAP updates are atomic, locking is no longer necessary.
                     61: Because syntax is checked when the data is inserted into LDAP, there
                     62: is no need for a specialized tool to check syntax.
                     63: 
                     64: =back
                     65: 
                     66: Another major difference between LDAP and file-based I<sudoers>
                     67: is that in LDAP, B<sudo>-specific Aliases are not supported.
                     68: 
                     69: For the most part, there is really no need for B<sudo>-specific
                     70: Aliases.  Unix groups or user netgroups can be used in place of
                     71: User_Aliases and Runas_Aliases.  Host netgroups can be used in place
                     72: of Host_Aliases.  Since Unix groups and netgroups can also be stored
                     73: in LDAP there is no real need for B<sudo>-specific aliases.
                     74: 
                     75: Cmnd_Aliases are not really required either since it is possible
                     76: to have multiple users listed in a C<sudoRole>.  Instead of defining
                     77: a Cmnd_Alias that is referenced by multiple users, one can create
                     78: a C<sudoRole> that contains the commands and assign multiple users
                     79: to it.
                     80: 
                     81: =head2 SUDOers LDAP container
                     82: 
                     83: The I<sudoers> configuration is contained in the C<ou=SUDOers> LDAP
                     84: container.
                     85: 
                     86: Sudo first looks for the C<cn=default> entry in the SUDOers container.
                     87: If found, the multi-valued C<sudoOption> attribute is parsed in the
                     88: same manner as a global C<Defaults> line in F<@sysconfdir@/sudoers>.  In
                     89: the following example, the C<SSH_AUTH_SOCK> variable will be preserved
                     90: in the environment for all users.
                     91: 
                     92:     dn: cn=defaults,ou=SUDOers,dc=example,dc=com
                     93:     objectClass: top
                     94:     objectClass: sudoRole
                     95:     cn: defaults
                     96:     description: Default sudoOption's go here
                     97:     sudoOption: env_keep+=SSH_AUTH_SOCK
                     98:  
                     99: The equivalent of a sudoer in LDAP is a C<sudoRole>.  It consists of
                    100: the following attributes:
                    101: 
                    102: =over 4
                    103: 
                    104: =item B<sudoUser>
                    105: 
                    106: A user name, uid (prefixed with C<'#'>), Unix group (prefixed with
                    107: a C<'%'>) or user netgroup (prefixed with a C<'+'>).
                    108: 
                    109: =item B<sudoHost>
                    110: 
                    111: A host name, IP address, IP network, or host netgroup (prefixed
                    112: with a C<'+'>).
                    113: The special value C<ALL> will match any host.
                    114: 
                    115: =item B<sudoCommand>
                    116: 
                    117: A Unix command with optional command line arguments, potentially
                    118: including globbing characters (aka wild cards).
                    119: The special value C<ALL> will match any command.
                    120: If a command is prefixed with an exclamation point C<'!'>, the
                    121: user will be prohibited from running that command.
                    122: 
                    123: =item B<sudoOption>
                    124: 
                    125: Identical in function to the global options described above, but
                    126: specific to the C<sudoRole> in which it resides.
                    127: 
                    128: =item B<sudoRunAsUser>
                    129: 
                    130: A user name or uid (prefixed with C<'#'>) that commands may be run
                    131: as or a Unix group (prefixed with a C<'%'>) or user netgroup (prefixed
                    132: with a C<'+'>) that contains a list of users that commands may be
                    133: run as.
                    134: The special value C<ALL> will match any user.
                    135: 
                    136: The C<sudoRunAsUser> attribute is only available in B<sudo> versions
                    137: 1.7.0 and higher.  Older versions of B<sudo> use the C<sudoRunAs>
                    138: attribute instead.
                    139: 
                    140: =item B<sudoRunAsGroup>
                    141: 
                    142: A Unix group or gid (prefixed with C<'#'>) that commands may be run as.
                    143: The special value C<ALL> will match any group.
                    144: 
                    145: The C<sudoRunAsGroup> attribute is only available in B<sudo> versions
                    146: 1.7.0 and higher.
                    147: 
                    148: =item B<sudoNotBefore>
                    149: 
                    150: A timestamp in the form C<yyyymmddHHMMSSZ> that can be used to provide
                    151: a start date/time for when the C<sudoRole> will be valid.  If
                    152: multiple C<sudoNotBefore> entries are present, the earliest is used.
                    153: Note that timestamps must be in Coordinated Universal Time (UTC),
                    154: not the local timezone.  The minute and seconds portions are optional,
                    155: but some LDAP servers require that they be present (contrary to the RFC).
                    156: 
                    157: The C<sudoNotBefore> attribute is only available in B<sudo> versions
                    158: 1.7.5 and higher and must be explicitly enabled via the B<SUDOERS_TIMED>
                    159: option in F<@ldap_conf@>.
                    160: 
                    161: =item B<sudoNotAfter>
                    162: 
                    163: A timestamp in the form C<yyyymmddHHMMSSZ> that indicates an expiration
                    164: date/time, after which the C<sudoRole> will no longer be valid.  If
                    165: multiple C<sudoNotBefore> entries are present, the last one is used.
                    166: Note that timestamps must be in Coordinated Universal Time (UTC),
                    167: not the local timezone.  The minute and seconds portions are optional,
                    168: but some LDAP servers require that they be present (contrary to the RFC).
                    169: 
                    170: The C<sudoNotAfter> attribute is only available in B<sudo> versions
                    171: 1.7.5 and higher and must be explicitly enabled via the B<SUDOERS_TIMED>
                    172: option in F<@ldap_conf@>.
                    173: 
                    174: =item B<sudoOrder>
                    175: 
                    176: The C<sudoRole> entries retrieved from the LDAP directory have no
                    177: inherent order.  The C<sudoOrder> attribute is an integer (or
                    178: floating point value for LDAP servers that support it) that is used
                    179: to sort the matching entries.  This allows LDAP-based sudoers entries
                    180: to more closely mimic the behaviour of the sudoers file, where the
                    181: of the entries influences the result.  If multiple entries match,
                    182: the entry with the highest C<sudoOrder> attribute is chosen.  This
                    183: corresponds to the "last match" behavior of the sudoers file.  If
                    184: the C<sudoOrder> attribute is not present, a value of 0 is assumed.
                    185: 
                    186: The C<sudoOrder> attribute is only available in B<sudo> versions
                    187: 1.7.5 and higher.
                    188: 
                    189: =back
                    190: 
                    191: Each attribute listed above should contain a single value, but there
                    192: may be multiple instances of each attribute type.  A C<sudoRole> must
                    193: contain at least one C<sudoUser>, C<sudoHost> and C<sudoCommand>.
                    194: 
                    195: The following example allows users in group wheel to run any command
                    196: on any host via B<sudo>:
                    197: 
                    198:     dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
                    199:     objectClass: top
                    200:     objectClass: sudoRole
                    201:     cn: %wheel
                    202:     sudoUser: %wheel
                    203:     sudoHost: ALL
                    204:     sudoCommand: ALL
                    205: 
                    206: =head2 Anatomy of LDAP sudoers lookup
                    207: 
                    208: When looking up a sudoer using LDAP there are only two or three
                    209: LDAP queries per invocation.  The first query is to parse the global
                    210: options.  The second is to match against the user's name and the
                    211: groups that the user belongs to.  (The special ALL tag is matched
                    212: in this query too.)  If no match is returned for the user's name
                    213: and groups, a third query returns all entries containing user
                    214: netgroups and checks to see if the user belongs to any of them.
                    215: 
                    216: If timed entries are enabled with the B<SUDOERS_TIMED> configuration
                    217: directive, the LDAP queries include a subfilter that limits retrieval
                    218: to entries that satisfy the time constraints, if any.
                    219: 
                    220: =head2 Differences between LDAP and non-LDAP sudoers
                    221: 
                    222: There are some subtle differences in the way sudoers is handled
                    223: once in LDAP.  Probably the biggest is that according to the RFC,
                    224: LDAP ordering is arbitrary and you cannot expect that Attributes
                    225: and Entries are returned in any specific order.
                    226: 
                    227: The order in which different entries are applied can be controlled
                    228: using the C<sudoOrder> attribute, but there is no way to guarantee
                    229: the order of attributes within a specific entry.  If there are
                    230: conflicting command rules in an entry, the negative takes precedence.
                    231: This is called paranoid behavior (not necessarily the most specific
                    232: match).
                    233: 
                    234: Here is an example:
                    235: 
                    236:     # /etc/sudoers:
                    237:     # Allow all commands except shell
                    238:     johnny  ALL=(root) ALL,!/bin/sh
                    239:     # Always allows all commands because ALL is matched last
                    240:     puddles ALL=(root) !/bin/sh,ALL
                    241: 
                    242:     # LDAP equivalent of johnny
                    243:     # Allows all commands except shell
                    244:     dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
                    245:     objectClass: sudoRole
                    246:     objectClass: top
                    247:     cn: role1
                    248:     sudoUser: johnny
                    249:     sudoHost: ALL
                    250:     sudoCommand: ALL
                    251:     sudoCommand: !/bin/sh
                    252: 
                    253:     # LDAP equivalent of puddles
                    254:     # Notice that even though ALL comes last, it still behaves like
                    255:     # role1 since the LDAP code assumes the more paranoid configuration
                    256:     dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
                    257:     objectClass: sudoRole
                    258:     objectClass: top
                    259:     cn: role2
                    260:     sudoUser: puddles
                    261:     sudoHost: ALL
                    262:     sudoCommand: !/bin/sh
                    263:     sudoCommand: ALL
                    264: 
                    265: Another difference is that negations on the Host, User or Runas are
                    266: currently ignored.  For example, the following attributes do not
                    267: behave the way one might expect.
                    268: 
                    269:     # does not match all but joe
                    270:     # rather, does not match anyone
                    271:     sudoUser: !joe
                    272: 
                    273:     # does not match all but joe
                    274:     # rather, matches everyone including Joe
                    275:     sudoUser: ALL
                    276:     sudoUser: !joe
                    277: 
                    278:     # does not match all but web01
                    279:     # rather, matches all hosts including web01
                    280:     sudoHost: ALL
                    281:     sudoHost: !web01
                    282: 
                    283: =head2 Sudoers Schema
                    284: 
                    285: In order to use B<sudo>'s LDAP support, the B<sudo> schema must be
                    286: installed on your LDAP server.  In addition, be sure to index the
                    287: 'sudoUser' attribute.
                    288: 
                    289: Three versions of the schema: one for OpenLDAP servers (F<schema.OpenLDAP>),
                    290: one for Netscape-derived servers (F<schema.iPlanet>), and one for
                    291: Microsoft Active Directory (F<schema.ActiveDirectory>) may
                    292: be found in the B<sudo> distribution.
                    293: 
                    294: The schema for B<sudo> in OpenLDAP form is included in the L<EXAMPLES>
                    295: section.
                    296: 
                    297: =head2 Configuring ldap.conf
                    298: 
                    299: Sudo reads the F<@ldap_conf@> file for LDAP-specific configuration.
                    300: Typically, this file is shared amongst different LDAP-aware clients.
                    301: As such, most of the settings are not B<sudo>-specific.  Note that
                    302: B<sudo> parses F<@ldap_conf@> itself and may support options
                    303: that differ from those described in the L<ldap.conf(5)> manual.
                    304: 
                    305: Also note that on systems using the OpenLDAP libraries, default
                    306: values specified in F</etc/openldap/ldap.conf> or the user's
                    307: F<.ldaprc> files are not used.
                    308: 
                    309: Only those options explicitly listed in F<@ldap_conf@> as being
                    310: supported by B<sudo> are honored.  Configuration options are listed
                    311: below in upper case but are parsed in a case-independent manner.
                    312: 
                    313: =over 4
                    314: 
                    315: =item B<URI> ldap[s]://[hostname[:port]] ...
                    316: 
                    317: Specifies a whitespace-delimited list of one or more URIs describing
                    318: the LDAP server(s) to connect to.  The I<protocol> may be either
                    319: B<ldap> or B<ldaps>, the latter being for servers that support TLS
                    320: (SSL) encryption.  If no I<port> is specified, the default is port
                    321: 389 for C<ldap://> or port 636 for C<ldaps://>.  If no I<hostname>
                    322: is specified, B<sudo> will connect to B<localhost>.  Multiple B<URI>
                    323: lines are treated identically to a B<URI> line containing multiple
                    324: entries.  Only systems using the OpenSSL libraries support the
                    325: mixing of C<ldap://> and C<ldaps://> URIs.  The Netscape-derived
                    326: libraries used on most commercial versions of Unix are only capable
                    327: of supporting one or the other.
                    328: 
                    329: =item B<HOST> name[:port] ...
                    330: 
                    331: If no B<URI> is specified, the B<HOST> parameter specifies a
                    332: whitespace-delimited list of LDAP servers to connect to.  Each host
                    333: may include an optional I<port> separated by a colon (':').  The
                    334: B<HOST> parameter is deprecated in favor of the B<URI> specification
                    335: and is included for backwards compatibility.
                    336: 
                    337: =item B<PORT> port_number
                    338: 
                    339: If no B<URI> is specified, the B<PORT> parameter specifies the
                    340: default port to connect to on the LDAP server if a B<HOST> parameter
                    341: does not specify the port itself.  If no B<PORT> parameter is used,
                    342: the default is port 389 for LDAP and port 636 for LDAP over TLS
                    343: (SSL).  The B<PORT> parameter is deprecated in favor of the B<URI>
                    344: specification and is included for backwards compatibility.
                    345: 
                    346: =item B<BIND_TIMELIMIT> seconds
                    347: 
                    348: The B<BIND_TIMELIMIT> parameter specifies the amount of time, in seconds,
                    349: to wait while trying to connect to an LDAP server.  If multiple B<URI>s or
                    350: B<HOST>s are specified, this is the amount of time to wait before trying
                    351: the next one in the list.
                    352: 
                    353: =item B<NETWORK_TIMEOUT> seconds
                    354: 
                    355: An alias for B<BIND_TIMELIMIT> for OpenLDAP compatibility.
                    356: 
                    357: =item B<TIMELIMIT> seconds
                    358: 
                    359: The B<TIMELIMIT> parameter specifies the amount of time, in seconds,
                    360: to wait for a response to an LDAP query.
                    361: 
                    362: =item B<TIMEOUT> seconds
                    363: 
                    364: The B<TIMEOUT> parameter specifies the amount of time, in seconds,
                    365: to wait for a response from the various LDAP APIs.
                    366: 
                    367: =item B<SUDOERS_BASE> base
                    368: 
                    369: The base DN to use when performing B<sudo> LDAP queries.  Typically
                    370: this is of the form C<ou=SUDOers,dc=example,dc=com> for the domain
                    371: C<example.com>.  Multiple B<SUDOERS_BASE> lines may be specified,
                    372: in which case they are queried in the order specified.
                    373: 
                    374: =item B<SUDOERS_SEARCH_FILTER> ldap_filter
                    375: 
                    376: An LDAP filter which is used to restrict the set of records returned
                    377: when performing a B<sudo> LDAP query.  Typically, this is of the
                    378: form C<attribute=value> or C<(&(attribute=value)(attribute2=value2))>.
                    379: 
                    380: =item B<SUDOERS_TIMED> on/true/yes/off/false/no
                    381: 
                    382: Whether or not to evaluate the C<sudoNotBefore> and C<sudoNotAfter>
                    383: attributes that implement time-dependent sudoers entries.
                    384: 
                    385: =item B<SUDOERS_DEBUG> debug_level
                    386: 
                    387: This sets the debug level for B<sudo> LDAP queries.  Debugging
                    388: information is printed to the standard error.  A value of 1 results
                    389: in a moderate amount of debugging information.  A value of 2 shows
                    390: the results of the matches themselves.  This parameter should not
                    391: be set in a production environment as the extra information is
                    392: likely to confuse users.
                    393: 
                    394: =item B<BINDDN> DN
                    395: 
                    396: The B<BINDDN> parameter specifies the identity, in the form of a
                    397: Distinguished Name (DN), to use when performing LDAP operations.
                    398: If not specified, LDAP operations are performed with an anonymous
                    399: identity.  By default, most LDAP servers will allow anonymous access.
                    400: 
                    401: =item B<BINDPW> secret
                    402: 
                    403: The B<BINDPW> parameter specifies the password to use when performing
                    404: LDAP operations.  This is typically used in conjunction with the
                    405: B<BINDDN> parameter.
                    406: 
                    407: =item B<ROOTBINDDN> DN
                    408: 
                    409: The B<ROOTBINDDN> parameter specifies the identity, in the form of
                    410: a Distinguished Name (DN), to use when performing privileged LDAP
                    411: operations, such as I<sudoers> queries.  The password corresponding
                    412: to the identity should be stored in F<@ldap_secret@>.
                    413: If not specified, the B<BINDDN> identity is used (if any).
                    414: 
                    415: =item B<LDAP_VERSION> number
                    416: 
                    417: The version of the LDAP protocol to use when connecting to the server.
                    418: The default value is protocol version 3.
                    419: 
                    420: =item B<SSL> on/true/yes/off/false/no
                    421: 
                    422: If the B<SSL> parameter is set to C<on>, C<true> or C<yes>, TLS
                    423: (SSL) encryption is always used when communicating with the LDAP
                    424: server.  Typically, this involves connecting to the server on port
                    425: 636 (ldaps).
                    426: 
                    427: =item B<SSL> start_tls
                    428: 
                    429: If the B<SSL> parameter is set to C<start_tls>, the LDAP server
                    430: connection is initiated normally and TLS encryption is begun before
                    431: the bind credentials are sent.  This has the advantage of not
                    432: requiring a dedicated port for encrypted communications.  This
                    433: parameter is only supported by LDAP servers that honor the C<start_tls>
                    434: extension, such as the OpenLDAP server.
                    435: 
                    436: =item B<TLS_CHECKPEER> on/true/yes/off/false/no
                    437: 
                    438: If enabled, B<TLS_CHECKPEER> will cause the LDAP server's TLS
                    439: certificated to be verified.  If the server's TLS certificate cannot
                    440: be verified (usually because it is signed by an unknown certificate
                    441: authority), B<sudo> will be unable to connect to it.  If B<TLS_CHECKPEER>
                    442: is disabled, no check is made.  Note that disabling the check creates
                    443: an opportunity for man-in-the-middle attacks since the server's
                    444: identity will not be authenticated.  If possible, the CA's certificate
                    445: should be installed locally so it can be verified.
                    446: 
                    447: =item B<TLS_CACERT> file name
                    448: 
                    449: An alias for B<TLS_CACERTFILE> for OpenLDAP compatibility.
                    450: 
                    451: =item B<TLS_CACERTFILE> file name
                    452: 
                    453: The path to a certificate authority bundle which contains the certificates
                    454: for all the Certificate Authorities the client knows to be valid,
                    455: e.g. F</etc/ssl/ca-bundle.pem>.
                    456: This option is only supported by the OpenLDAP libraries.
                    457: Netscape-derived LDAP libraries use the same certificate
                    458: database for CA and client certificates (see B<TLS_CERT>).
                    459: 
                    460: =item B<TLS_CACERTDIR> directory
                    461: 
                    462: Similar to B<TLS_CACERTFILE> but instead of a file, it is a
                    463: directory containing individual Certificate Authority certificates,
                    464: e.g. F</etc/ssl/certs>.
                    465: The directory specified by B<TLS_CACERTDIR> is checked after
                    466: B<TLS_CACERTFILE>.
                    467: This option is only supported by the OpenLDAP libraries.
                    468: 
                    469: =item B<TLS_CERT> file name
                    470: 
                    471: The path to a file containing the client certificate which can
                    472: be used to authenticate the client to the LDAP server.
                    473: The certificate type depends on the LDAP libraries used.
                    474: 
                    475: OpenLDAP:
                    476:     C<tls_cert /etc/ssl/client_cert.pem>
                    477: 
                    478: Netscape-derived:
                    479:     C<tls_cert /var/ldap/cert7.db>
                    480: 
                    481: When using Netscape-derived libraries, this file may also contain
                    482: Certificate Authority certificates.
                    483: 
                    484: =item B<TLS_KEY> file name
                    485: 
                    486: The path to a file containing the private key which matches the
                    487: certificate specified by B<TLS_CERT>.  The private key must not be
                    488: password-protected.  The key type depends on the LDAP libraries
                    489: used.
                    490: 
                    491: OpenLDAP:
                    492:     C<tls_key /etc/ssl/client_key.pem>
                    493: 
                    494: Netscape-derived:
                    495:     C<tls_key /var/ldap/key3.db>
                    496: 
                    497: =item B<TLS_RANDFILE> file name
                    498: 
                    499: The B<TLS_RANDFILE> parameter specifies the path to an entropy
                    500: source for systems that lack a random device.  It is generally used
                    501: in conjunction with I<prngd> or I<egd>.
                    502: This option is only supported by the OpenLDAP libraries.
                    503: 
                    504: =item B<TLS_CIPHERS> cipher list
                    505: 
                    506: The B<TLS_CIPHERS> parameter allows the administer to restrict
                    507: which encryption algorithms may be used for TLS (SSL) connections.
                    508: See the OpenSSL manual for a list of valid ciphers.
                    509: This option is only supported by the OpenLDAP libraries.
                    510: 
                    511: =item B<USE_SASL> on/true/yes/off/false/no
                    512: 
                    513: Enable B<USE_SASL> for LDAP servers that support SASL authentication.
                    514: 
                    515: =item B<SASL_AUTH_ID> identity
                    516: 
                    517: The SASL user name to use when connecting to the LDAP server.
                    518: By default, B<sudo> will use an anonymous connection.
                    519: 
                    520: =item B<ROOTUSE_SASL> on/true/yes/off/false/no
                    521: 
                    522: Enable B<ROOTUSE_SASL> to enable SASL authentication when connecting
                    523: to an LDAP server from a privileged process, such as B<sudo>.
                    524: 
                    525: =item B<ROOTSASL_AUTH_ID> identity
                    526: 
                    527: The SASL user name to use when B<ROOTUSE_SASL> is enabled.
                    528: 
                    529: =item B<SASL_SECPROPS> none/properties
                    530: 
                    531: SASL security properties or I<none> for no properties.  See the
                    532: SASL programmer's manual for details.
                    533: 
                    534: =item B<KRB5_CCNAME> file name
                    535: 
                    536: The path to the Kerberos 5 credential cache to use when authenticating
                    537: with the remote server.
                    538: 
                    539: =item B<DEREF> never/searching/finding/always
                    540: 
                    541: How alias dereferencing is to be performed when searching.  See the
                    542: L<ldap.conf(5)> manual for a full description of this option.
                    543: 
                    544: =back
                    545: 
                    546: See the C<ldap.conf> entry in the L<EXAMPLES> section.
                    547: 
                    548: =head2 Configuring nsswitch.conf
                    549: 
                    550: Unless it is disabled at build time, B<sudo> consults the Name
                    551: Service Switch file, F<@nsswitch_conf@>, to specify the I<sudoers>
                    552: search order.  Sudo looks for a line beginning with C<sudoers>: and
                    553: uses this to determine the search order.  Note that B<sudo> does
                    554: not stop searching after the first match and later matches take
                    555: precedence over earlier ones.
                    556: 
                    557: The following sources are recognized:
                    558: 
                    559:     files      read sudoers from F<@sysconfdir@/sudoers>
                    560:     ldap       read sudoers from LDAP
                    561: 
                    562: In addition, the entry C<[NOTFOUND=return]> will short-circuit the
                    563: search if the user was not found in the preceding source.
                    564: 
                    565: To consult LDAP first followed by the local sudoers file (if it
                    566: exists), use:
                    567: 
                    568:     sudoers: ldap files
                    569: 
                    570: The local I<sudoers> file can be ignored completely by using:
                    571: 
                    572:     sudoers: ldap
                    573: 
                    574: If the F<@nsswitch_conf@> file is not present or there is no
                    575: sudoers line, the following default is assumed:
                    576: 
                    577:     sudoers: files
                    578: 
                    579: Note that F<@nsswitch_conf@> is supported even when the underlying
                    580: operating system does not use an nsswitch.conf file.
                    581: 
                    582: =head2 Configuring netsvc.conf
                    583: 
                    584: On AIX systems, the F<@netsvc_conf@> file is consulted instead of
                    585: F<@nsswitch_conf@>.  B<sudo> simply treats I<netsvc.conf> as a
                    586: variant of I<nsswitch.conf>; information in the previous section
                    587: unrelated to the file format itself still applies.
                    588: 
                    589: To consult LDAP first followed by the local sudoers file (if it
                    590: exists), use:
                    591: 
                    592:     sudoers = ldap, files
                    593: 
                    594: The local I<sudoers> file can be ignored completely by using:
                    595: 
                    596:     sudoers = ldap
                    597: 
                    598: To treat LDAP as authoratative and only use the local sudoers file
                    599: if the user is not present in LDAP, use:
                    600: 
                    601:     sudoers = ldap = auth, files
                    602: 
                    603: Note that in the above example, the C<auth> qualfier only affects
                    604: user lookups; both LDAP and I<sudoers> will be queried for C<Defaults>
                    605: entries.
                    606: 
                    607: If the F<@netsvc_conf@> file is not present or there is no
                    608: sudoers line, the following default is assumed:
                    609: 
                    610:     sudoers = files
                    611: 
                    612: =head1 FILES
                    613: 
                    614: =over 24
                    615: 
                    616: =item F<@ldap_conf@>
                    617: 
                    618: LDAP configuration file
                    619: 
                    620: =item F<@nsswitch_conf@>
                    621: 
                    622: determines sudoers source order
                    623: 
                    624: =item F<@netsvc_conf@>
                    625: 
                    626: determines sudoers source order on AIX
                    627: 
                    628: =back
                    629: 
                    630: =head1 EXAMPLES
                    631: 
                    632: =head2 Example ldap.conf
                    633: 
                    634:   # Either specify one or more URIs or one or more host:port pairs.
                    635:   # If neither is specified sudo will default to localhost, port 389.
                    636:   #
                    637:   #host          ldapserver
                    638:   #host          ldapserver1 ldapserver2:390
                    639:   #
                    640:   # Default port if host is specified without one, defaults to 389.
                    641:   #port          389
                    642:   #
                    643:   # URI will override the host and port settings.
                    644:   uri            ldap://ldapserver
                    645:   #uri            ldaps://secureldapserver
                    646:   #uri            ldaps://secureldapserver ldap://ldapserver
                    647:   #
                    648:   # The amount of time, in seconds, to wait while trying to connect to
                    649:   # an LDAP server.
                    650:   bind_timelimit 30
                    651:   #
                    652:   # The amount of time, in seconds, to wait while performing an LDAP query.
                    653:   timelimit 30
                    654:   #
                    655:   # Must be set or sudo will ignore LDAP; may be specified multiple times.
                    656:   sudoers_base   ou=SUDOers,dc=example,dc=com
                    657:   #
                    658:   # verbose sudoers matching from ldap
                    659:   #sudoers_debug 2
                    660:   #
                    661:   # Enable support for time-based entries in sudoers.
                    662:   #sudoers_timed yes
                    663:   #
                    664:   # optional proxy credentials
                    665:   #binddn        <who to search as>
                    666:   #bindpw        <password>
                    667:   #rootbinddn    <who to search as, uses /etc/ldap.secret for bindpw>
                    668:   #
                    669:   # LDAP protocol version, defaults to 3
                    670:   #ldap_version 3
                    671:   #
                    672:   # Define if you want to use an encrypted LDAP connection.
                    673:   # Typically, you must also set the port to 636 (ldaps).
                    674:   #ssl on
                    675:   #
                    676:   # Define if you want to use port 389 and switch to
                    677:   # encryption before the bind credentials are sent.
                    678:   # Only supported by LDAP servers that support the start_tls
                    679:   # extension such as OpenLDAP.
                    680:   #ssl start_tls
                    681:   #
                    682:   # Additional TLS options follow that allow tweaking of the
                    683:   # SSL/TLS connection.
                    684:   #
                    685:   #tls_checkpeer yes # verify server SSL certificate
                    686:   #tls_checkpeer no  # ignore server SSL certificate
                    687:   #
                    688:   # If you enable tls_checkpeer, specify either tls_cacertfile
                    689:   # or tls_cacertdir.  Only supported when using OpenLDAP.
                    690:   #
                    691:   #tls_cacertfile /etc/certs/trusted_signers.pem
                    692:   #tls_cacertdir  /etc/certs
                    693:   #
                    694:   # For systems that don't have /dev/random
                    695:   # use this along with PRNGD or EGD.pl to seed the
                    696:   # random number pool to generate cryptographic session keys.
                    697:   # Only supported when using OpenLDAP.
                    698:   #
                    699:   #tls_randfile /etc/egd-pool
                    700:   #
                    701:   # You may restrict which ciphers are used.  Consult your SSL
                    702:   # documentation for which options go here.
                    703:   # Only supported when using OpenLDAP.
                    704:   #
                    705:   #tls_ciphers <cipher-list>
                    706:   #
                    707:   # Sudo can provide a client certificate when communicating to
                    708:   # the LDAP server.
                    709:   # Tips:
                    710:   #   * Enable both lines at the same time.
                    711:   #   * Do not password protect the key file.
                    712:   #   * Ensure the keyfile is only readable by root.
                    713:   #
                    714:   # For OpenLDAP:
                    715:   #tls_cert /etc/certs/client_cert.pem
                    716:   #tls_key  /etc/certs/client_key.pem
                    717:   #
                    718:   # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
                    719:   # a directory, in which case the files in the directory must have the
                    720:   # default names (e.g. cert8.db and key4.db), or the path to the cert
                    721:   # and key files themselves.  However, a bug in version 5.0 of the LDAP
                    722:   # SDK will prevent specific file names from working.  For this reason
                    723:   # it is suggested that tls_cert and tls_key be set to a directory,
                    724:   # not a file name.
                    725:   #
                    726:   # The certificate database specified by tls_cert may contain CA certs
                    727:   # and/or the client's cert.  If the client's cert is included, tls_key
                    728:   # should be specified as well.
                    729:   # For backward compatibility, "sslpath" may be used in place of tls_cert.
                    730:   #tls_cert /var/ldap
                    731:   #tls_key /var/ldap
                    732:   #
                    733:   # If using SASL authentication for LDAP (OpenSSL)
                    734:   # use_sasl yes
                    735:   # sasl_auth_id <SASL user name>
                    736:   # rootuse_sasl yes
                    737:   # rootsasl_auth_id <SASL user name for root access>
                    738:   # sasl_secprops none
                    739:   # krb5_ccname /etc/.ldapcache
                    740: 
                    741: =head2 Sudo schema for OpenLDAP 
                    742: 
                    743: The following schema, in OpenLDAP format, is included with B<sudo>
                    744: source and binary distributions as F<schema.OpenLDAP>.  Simply copy
                    745: it to the schema directory (e.g. F</etc/openldap/schema>), add the
                    746: proper C<include> line in C<slapd.conf> and restart B<slapd>.
                    747: 
                    748:  attributetype ( 1.3.6.1.4.1.15953.9.1.1
                    749:     NAME 'sudoUser'
                    750:     DESC 'User(s) who may  run sudo'
                    751:     EQUALITY caseExactIA5Match
                    752:     SUBSTR caseExactIA5SubstringsMatch
                    753:     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
                    754: 
                    755:  attributetype ( 1.3.6.1.4.1.15953.9.1.2
                    756:     NAME 'sudoHost'
                    757:     DESC 'Host(s) who may run sudo'
                    758:     EQUALITY caseExactIA5Match
                    759:     SUBSTR caseExactIA5SubstringsMatch
                    760:     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
                    761: 
                    762:  attributetype ( 1.3.6.1.4.1.15953.9.1.3
                    763:     NAME 'sudoCommand'
                    764:     DESC 'Command(s) to be executed by sudo'
                    765:     EQUALITY caseExactIA5Match
                    766:     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
                    767: 
                    768:  attributetype ( 1.3.6.1.4.1.15953.9.1.4
                    769:     NAME 'sudoRunAs'
                    770:     DESC 'User(s) impersonated by sudo'
                    771:     EQUALITY caseExactIA5Match
                    772:     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
                    773: 
                    774:  attributetype ( 1.3.6.1.4.1.15953.9.1.5
                    775:     NAME 'sudoOption'
                    776:     DESC 'Options(s) followed by sudo'
                    777:     EQUALITY caseExactIA5Match
                    778:     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
                    779: 
                    780:  attributetype ( 1.3.6.1.4.1.15953.9.1.6
                    781:     NAME 'sudoRunAsUser'
                    782:     DESC 'User(s) impersonated by sudo'
                    783:     EQUALITY caseExactIA5Match
                    784:     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
                    785: 
                    786:  attributetype ( 1.3.6.1.4.1.15953.9.1.7
                    787:     NAME 'sudoRunAsGroup'
                    788:     DESC 'Group(s) impersonated by sudo'
                    789:     EQUALITY caseExactIA5Match
                    790:     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
                    791: 
                    792:  attributetype ( 1.3.6.1.4.1.15953.9.1.8
                    793:     NAME 'sudoNotBefore'
                    794:     DESC 'Start of time interval for which the entry is valid'
                    795:     EQUALITY generalizedTimeMatch
                    796:     ORDERING generalizedTimeOrderingMatch
                    797:     SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
                    798: 
                    799:  attributetype ( 1.3.6.1.4.1.15953.9.1.9
                    800:     NAME 'sudoNotAfter'
                    801:     DESC 'End of time interval for which the entry is valid'
                    802:     EQUALITY generalizedTimeMatch
                    803:     ORDERING generalizedTimeOrderingMatch
                    804:     SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
                    805: 
                    806:  attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
                    807:      NAME 'sudoOrder'
                    808:      DESC 'an integer to order the sudoRole entries'
                    809:      EQUALITY integerMatch
                    810:      ORDERING integerOrderingMatch
                    811:      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
                    812: 
                    813:  objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
                    814:     DESC 'Sudoer Entries'
                    815:     MUST ( cn )
                    816:     MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
                    817:          sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
                    818:          sudoOrder $ description )
                    819:     )
                    820: 
                    821: =head1 SEE ALSO
                    822: 
                    823: L<ldap.conf(5)>, L<sudoers(5)>
                    824: 
                    825: =head1 CAVEATS
                    826: 
                    827: Note that there are differences in the way that LDAP-based I<sudoers>
                    828: is parsed compared to file-based I<sudoers>.  See the L<Differences
                    829: between LDAP and non-LDAP sudoers> section for more information.
                    830: 
                    831: =head1 BUGS
                    832: 
                    833: If you feel you have found a bug in B<sudo>, please submit a bug report
                    834: at http://www.sudo.ws/sudo/bugs/
                    835: 
                    836: =head1 SUPPORT
                    837: 
                    838: Limited free support is available via the sudo-users mailing list,
                    839: see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
                    840: search the archives.
                    841: 
                    842: =head1 DISCLAIMER
                    843: 
                    844: B<sudo> is provided ``AS IS'' and any express or implied warranties,
                    845: including, but not limited to, the implied warranties of merchantability
                    846: and fitness for a particular purpose are disclaimed.  See the LICENSE
                    847: file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
                    848: for complete details.

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>