Annotation of embedaddon/sudo/doc/sudoers.ldap.pod, revision 1.1.1.2
1.1 misho 1: Copyright (c) 2003-2011
2: Todd C. Miller <Todd.Miller@courtesan.com>
3:
4: Permission to use, copy, modify, and distribute this software for any
5: purpose with or without fee is hereby granted, provided that the above
6: copyright notice and this permission notice appear in all copies.
7:
8: THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9: WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10: MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11: ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12: WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13: ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14: OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15: ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
16:
17: =pod
18:
19: =head1 NAME
20:
21: sudoers.ldap - sudo LDAP configuration
22:
23: =head1 DESCRIPTION
24:
25: In addition to the standard I<sudoers> file, B<sudo> may be configured
26: via LDAP. This can be especially useful for synchronizing I<sudoers>
27: in a large, distributed environment.
28:
29: Using LDAP for I<sudoers> has several benefits:
30:
31: =over 4
32:
33: =item *
34:
35: B<sudo> no longer needs to read I<sudoers> in its entirety. When
36: LDAP is used, there are only two or three LDAP queries per invocation.
37: This makes it especially fast and particularly usable in LDAP
38: environments.
39:
40: =item *
41:
42: B<sudo> no longer exits if there is a typo in I<sudoers>.
43: It is not possible to load LDAP data into the server that does
44: not conform to the sudoers schema, so proper syntax is guaranteed.
45: It is still possible to have typos in a user or host name, but
46: this will not prevent B<sudo> from running.
47:
48: =item *
49:
50: It is possible to specify per-entry options that override the global
51: default options. F<@sysconfdir@/sudoers> only supports default options and
52: limited options associated with user/host/commands/aliases. The
53: syntax is complicated and can be difficult for users to understand.
54: Placing the options directly in the entry is more natural.
55:
56: =item *
57:
58: The B<visudo> program is no longer needed. B<visudo> provides
59: locking and syntax checking of the F<@sysconfdir@/sudoers> file.
60: Since LDAP updates are atomic, locking is no longer necessary.
61: Because syntax is checked when the data is inserted into LDAP, there
62: is no need for a specialized tool to check syntax.
63:
64: =back
65:
66: Another major difference between LDAP and file-based I<sudoers>
67: is that in LDAP, B<sudo>-specific Aliases are not supported.
68:
69: For the most part, there is really no need for B<sudo>-specific
70: Aliases. Unix groups or user netgroups can be used in place of
71: User_Aliases and Runas_Aliases. Host netgroups can be used in place
72: of Host_Aliases. Since Unix groups and netgroups can also be stored
73: in LDAP there is no real need for B<sudo>-specific aliases.
74:
75: Cmnd_Aliases are not really required either since it is possible
76: to have multiple users listed in a C<sudoRole>. Instead of defining
77: a Cmnd_Alias that is referenced by multiple users, one can create
78: a C<sudoRole> that contains the commands and assign multiple users
79: to it.
80:
81: =head2 SUDOers LDAP container
82:
83: The I<sudoers> configuration is contained in the C<ou=SUDOers> LDAP
84: container.
85:
86: Sudo first looks for the C<cn=default> entry in the SUDOers container.
87: If found, the multi-valued C<sudoOption> attribute is parsed in the
88: same manner as a global C<Defaults> line in F<@sysconfdir@/sudoers>. In
89: the following example, the C<SSH_AUTH_SOCK> variable will be preserved
90: in the environment for all users.
91:
92: dn: cn=defaults,ou=SUDOers,dc=example,dc=com
93: objectClass: top
94: objectClass: sudoRole
95: cn: defaults
96: description: Default sudoOption's go here
97: sudoOption: env_keep+=SSH_AUTH_SOCK
98:
99: The equivalent of a sudoer in LDAP is a C<sudoRole>. It consists of
100: the following attributes:
101:
102: =over 4
103:
104: =item B<sudoUser>
105:
1.1.1.2 ! misho 106: A user name, user ID (prefixed with C<'#'>), Unix group (prefixed with
! 107: C<'%'>), Unix group ID (prefixed with C<'%#'>), or user netgroup
! 108: (prefixed with C<'+'>).
1.1 misho 109:
110: =item B<sudoHost>
111:
112: A host name, IP address, IP network, or host netgroup (prefixed
113: with a C<'+'>).
114: The special value C<ALL> will match any host.
115:
116: =item B<sudoCommand>
117:
118: A Unix command with optional command line arguments, potentially
119: including globbing characters (aka wild cards).
120: The special value C<ALL> will match any command.
121: If a command is prefixed with an exclamation point C<'!'>, the
122: user will be prohibited from running that command.
123:
124: =item B<sudoOption>
125:
126: Identical in function to the global options described above, but
127: specific to the C<sudoRole> in which it resides.
128:
129: =item B<sudoRunAsUser>
130:
131: A user name or uid (prefixed with C<'#'>) that commands may be run
132: as or a Unix group (prefixed with a C<'%'>) or user netgroup (prefixed
133: with a C<'+'>) that contains a list of users that commands may be
134: run as.
135: The special value C<ALL> will match any user.
136:
137: The C<sudoRunAsUser> attribute is only available in B<sudo> versions
138: 1.7.0 and higher. Older versions of B<sudo> use the C<sudoRunAs>
139: attribute instead.
140:
141: =item B<sudoRunAsGroup>
142:
143: A Unix group or gid (prefixed with C<'#'>) that commands may be run as.
144: The special value C<ALL> will match any group.
145:
146: The C<sudoRunAsGroup> attribute is only available in B<sudo> versions
147: 1.7.0 and higher.
148:
149: =item B<sudoNotBefore>
150:
151: A timestamp in the form C<yyyymmddHHMMSSZ> that can be used to provide
152: a start date/time for when the C<sudoRole> will be valid. If
153: multiple C<sudoNotBefore> entries are present, the earliest is used.
154: Note that timestamps must be in Coordinated Universal Time (UTC),
155: not the local timezone. The minute and seconds portions are optional,
156: but some LDAP servers require that they be present (contrary to the RFC).
157:
158: The C<sudoNotBefore> attribute is only available in B<sudo> versions
159: 1.7.5 and higher and must be explicitly enabled via the B<SUDOERS_TIMED>
160: option in F<@ldap_conf@>.
161:
162: =item B<sudoNotAfter>
163:
164: A timestamp in the form C<yyyymmddHHMMSSZ> that indicates an expiration
165: date/time, after which the C<sudoRole> will no longer be valid. If
166: multiple C<sudoNotBefore> entries are present, the last one is used.
167: Note that timestamps must be in Coordinated Universal Time (UTC),
168: not the local timezone. The minute and seconds portions are optional,
169: but some LDAP servers require that they be present (contrary to the RFC).
170:
171: The C<sudoNotAfter> attribute is only available in B<sudo> versions
172: 1.7.5 and higher and must be explicitly enabled via the B<SUDOERS_TIMED>
173: option in F<@ldap_conf@>.
174:
175: =item B<sudoOrder>
176:
177: The C<sudoRole> entries retrieved from the LDAP directory have no
178: inherent order. The C<sudoOrder> attribute is an integer (or
179: floating point value for LDAP servers that support it) that is used
180: to sort the matching entries. This allows LDAP-based sudoers entries
181: to more closely mimic the behaviour of the sudoers file, where the
182: of the entries influences the result. If multiple entries match,
183: the entry with the highest C<sudoOrder> attribute is chosen. This
184: corresponds to the "last match" behavior of the sudoers file. If
185: the C<sudoOrder> attribute is not present, a value of 0 is assumed.
186:
187: The C<sudoOrder> attribute is only available in B<sudo> versions
188: 1.7.5 and higher.
189:
190: =back
191:
192: Each attribute listed above should contain a single value, but there
193: may be multiple instances of each attribute type. A C<sudoRole> must
194: contain at least one C<sudoUser>, C<sudoHost> and C<sudoCommand>.
195:
196: The following example allows users in group wheel to run any command
197: on any host via B<sudo>:
198:
199: dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
200: objectClass: top
201: objectClass: sudoRole
202: cn: %wheel
203: sudoUser: %wheel
204: sudoHost: ALL
205: sudoCommand: ALL
206:
207: =head2 Anatomy of LDAP sudoers lookup
208:
209: When looking up a sudoer using LDAP there are only two or three
210: LDAP queries per invocation. The first query is to parse the global
211: options. The second is to match against the user's name and the
212: groups that the user belongs to. (The special ALL tag is matched
213: in this query too.) If no match is returned for the user's name
214: and groups, a third query returns all entries containing user
215: netgroups and checks to see if the user belongs to any of them.
216:
217: If timed entries are enabled with the B<SUDOERS_TIMED> configuration
218: directive, the LDAP queries include a subfilter that limits retrieval
219: to entries that satisfy the time constraints, if any.
220:
221: =head2 Differences between LDAP and non-LDAP sudoers
222:
223: There are some subtle differences in the way sudoers is handled
224: once in LDAP. Probably the biggest is that according to the RFC,
225: LDAP ordering is arbitrary and you cannot expect that Attributes
226: and Entries are returned in any specific order.
227:
228: The order in which different entries are applied can be controlled
229: using the C<sudoOrder> attribute, but there is no way to guarantee
230: the order of attributes within a specific entry. If there are
231: conflicting command rules in an entry, the negative takes precedence.
232: This is called paranoid behavior (not necessarily the most specific
233: match).
234:
235: Here is an example:
236:
237: # /etc/sudoers:
238: # Allow all commands except shell
239: johnny ALL=(root) ALL,!/bin/sh
240: # Always allows all commands because ALL is matched last
241: puddles ALL=(root) !/bin/sh,ALL
242:
243: # LDAP equivalent of johnny
244: # Allows all commands except shell
245: dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
246: objectClass: sudoRole
247: objectClass: top
248: cn: role1
249: sudoUser: johnny
250: sudoHost: ALL
251: sudoCommand: ALL
252: sudoCommand: !/bin/sh
253:
254: # LDAP equivalent of puddles
255: # Notice that even though ALL comes last, it still behaves like
256: # role1 since the LDAP code assumes the more paranoid configuration
257: dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
258: objectClass: sudoRole
259: objectClass: top
260: cn: role2
261: sudoUser: puddles
262: sudoHost: ALL
263: sudoCommand: !/bin/sh
264: sudoCommand: ALL
265:
266: Another difference is that negations on the Host, User or Runas are
267: currently ignored. For example, the following attributes do not
268: behave the way one might expect.
269:
270: # does not match all but joe
271: # rather, does not match anyone
272: sudoUser: !joe
273:
274: # does not match all but joe
275: # rather, matches everyone including Joe
276: sudoUser: ALL
277: sudoUser: !joe
278:
279: # does not match all but web01
280: # rather, matches all hosts including web01
281: sudoHost: ALL
282: sudoHost: !web01
283:
284: =head2 Sudoers Schema
285:
286: In order to use B<sudo>'s LDAP support, the B<sudo> schema must be
287: installed on your LDAP server. In addition, be sure to index the
288: 'sudoUser' attribute.
289:
290: Three versions of the schema: one for OpenLDAP servers (F<schema.OpenLDAP>),
291: one for Netscape-derived servers (F<schema.iPlanet>), and one for
292: Microsoft Active Directory (F<schema.ActiveDirectory>) may
293: be found in the B<sudo> distribution.
294:
295: The schema for B<sudo> in OpenLDAP form is included in the L<EXAMPLES>
296: section.
297:
298: =head2 Configuring ldap.conf
299:
300: Sudo reads the F<@ldap_conf@> file for LDAP-specific configuration.
301: Typically, this file is shared amongst different LDAP-aware clients.
302: As such, most of the settings are not B<sudo>-specific. Note that
303: B<sudo> parses F<@ldap_conf@> itself and may support options
304: that differ from those described in the L<ldap.conf(5)> manual.
305:
306: Also note that on systems using the OpenLDAP libraries, default
307: values specified in F</etc/openldap/ldap.conf> or the user's
308: F<.ldaprc> files are not used.
309:
310: Only those options explicitly listed in F<@ldap_conf@> as being
311: supported by B<sudo> are honored. Configuration options are listed
312: below in upper case but are parsed in a case-independent manner.
313:
314: =over 4
315:
316: =item B<URI> ldap[s]://[hostname[:port]] ...
317:
318: Specifies a whitespace-delimited list of one or more URIs describing
319: the LDAP server(s) to connect to. The I<protocol> may be either
320: B<ldap> or B<ldaps>, the latter being for servers that support TLS
321: (SSL) encryption. If no I<port> is specified, the default is port
322: 389 for C<ldap://> or port 636 for C<ldaps://>. If no I<hostname>
323: is specified, B<sudo> will connect to B<localhost>. Multiple B<URI>
324: lines are treated identically to a B<URI> line containing multiple
325: entries. Only systems using the OpenSSL libraries support the
326: mixing of C<ldap://> and C<ldaps://> URIs. The Netscape-derived
327: libraries used on most commercial versions of Unix are only capable
328: of supporting one or the other.
329:
330: =item B<HOST> name[:port] ...
331:
332: If no B<URI> is specified, the B<HOST> parameter specifies a
333: whitespace-delimited list of LDAP servers to connect to. Each host
334: may include an optional I<port> separated by a colon (':'). The
335: B<HOST> parameter is deprecated in favor of the B<URI> specification
336: and is included for backwards compatibility.
337:
338: =item B<PORT> port_number
339:
340: If no B<URI> is specified, the B<PORT> parameter specifies the
341: default port to connect to on the LDAP server if a B<HOST> parameter
342: does not specify the port itself. If no B<PORT> parameter is used,
343: the default is port 389 for LDAP and port 636 for LDAP over TLS
344: (SSL). The B<PORT> parameter is deprecated in favor of the B<URI>
345: specification and is included for backwards compatibility.
346:
347: =item B<BIND_TIMELIMIT> seconds
348:
349: The B<BIND_TIMELIMIT> parameter specifies the amount of time, in seconds,
350: to wait while trying to connect to an LDAP server. If multiple B<URI>s or
351: B<HOST>s are specified, this is the amount of time to wait before trying
352: the next one in the list.
353:
354: =item B<NETWORK_TIMEOUT> seconds
355:
356: An alias for B<BIND_TIMELIMIT> for OpenLDAP compatibility.
357:
358: =item B<TIMELIMIT> seconds
359:
360: The B<TIMELIMIT> parameter specifies the amount of time, in seconds,
361: to wait for a response to an LDAP query.
362:
363: =item B<TIMEOUT> seconds
364:
365: The B<TIMEOUT> parameter specifies the amount of time, in seconds,
366: to wait for a response from the various LDAP APIs.
367:
368: =item B<SUDOERS_BASE> base
369:
370: The base DN to use when performing B<sudo> LDAP queries. Typically
371: this is of the form C<ou=SUDOers,dc=example,dc=com> for the domain
372: C<example.com>. Multiple B<SUDOERS_BASE> lines may be specified,
373: in which case they are queried in the order specified.
374:
375: =item B<SUDOERS_SEARCH_FILTER> ldap_filter
376:
377: An LDAP filter which is used to restrict the set of records returned
378: when performing a B<sudo> LDAP query. Typically, this is of the
379: form C<attribute=value> or C<(&(attribute=value)(attribute2=value2))>.
380:
381: =item B<SUDOERS_TIMED> on/true/yes/off/false/no
382:
383: Whether or not to evaluate the C<sudoNotBefore> and C<sudoNotAfter>
384: attributes that implement time-dependent sudoers entries.
385:
386: =item B<SUDOERS_DEBUG> debug_level
387:
388: This sets the debug level for B<sudo> LDAP queries. Debugging
389: information is printed to the standard error. A value of 1 results
390: in a moderate amount of debugging information. A value of 2 shows
391: the results of the matches themselves. This parameter should not
392: be set in a production environment as the extra information is
393: likely to confuse users.
394:
395: =item B<BINDDN> DN
396:
397: The B<BINDDN> parameter specifies the identity, in the form of a
398: Distinguished Name (DN), to use when performing LDAP operations.
399: If not specified, LDAP operations are performed with an anonymous
400: identity. By default, most LDAP servers will allow anonymous access.
401:
402: =item B<BINDPW> secret
403:
404: The B<BINDPW> parameter specifies the password to use when performing
405: LDAP operations. This is typically used in conjunction with the
406: B<BINDDN> parameter.
407:
408: =item B<ROOTBINDDN> DN
409:
410: The B<ROOTBINDDN> parameter specifies the identity, in the form of
411: a Distinguished Name (DN), to use when performing privileged LDAP
412: operations, such as I<sudoers> queries. The password corresponding
413: to the identity should be stored in F<@ldap_secret@>.
414: If not specified, the B<BINDDN> identity is used (if any).
415:
416: =item B<LDAP_VERSION> number
417:
418: The version of the LDAP protocol to use when connecting to the server.
419: The default value is protocol version 3.
420:
421: =item B<SSL> on/true/yes/off/false/no
422:
423: If the B<SSL> parameter is set to C<on>, C<true> or C<yes>, TLS
424: (SSL) encryption is always used when communicating with the LDAP
425: server. Typically, this involves connecting to the server on port
426: 636 (ldaps).
427:
428: =item B<SSL> start_tls
429:
430: If the B<SSL> parameter is set to C<start_tls>, the LDAP server
431: connection is initiated normally and TLS encryption is begun before
432: the bind credentials are sent. This has the advantage of not
433: requiring a dedicated port for encrypted communications. This
434: parameter is only supported by LDAP servers that honor the C<start_tls>
435: extension, such as the OpenLDAP server.
436:
437: =item B<TLS_CHECKPEER> on/true/yes/off/false/no
438:
439: If enabled, B<TLS_CHECKPEER> will cause the LDAP server's TLS
440: certificated to be verified. If the server's TLS certificate cannot
441: be verified (usually because it is signed by an unknown certificate
442: authority), B<sudo> will be unable to connect to it. If B<TLS_CHECKPEER>
443: is disabled, no check is made. Note that disabling the check creates
444: an opportunity for man-in-the-middle attacks since the server's
445: identity will not be authenticated. If possible, the CA's certificate
446: should be installed locally so it can be verified.
447:
448: =item B<TLS_CACERT> file name
449:
450: An alias for B<TLS_CACERTFILE> for OpenLDAP compatibility.
451:
452: =item B<TLS_CACERTFILE> file name
453:
454: The path to a certificate authority bundle which contains the certificates
455: for all the Certificate Authorities the client knows to be valid,
456: e.g. F</etc/ssl/ca-bundle.pem>.
457: This option is only supported by the OpenLDAP libraries.
458: Netscape-derived LDAP libraries use the same certificate
459: database for CA and client certificates (see B<TLS_CERT>).
460:
461: =item B<TLS_CACERTDIR> directory
462:
463: Similar to B<TLS_CACERTFILE> but instead of a file, it is a
464: directory containing individual Certificate Authority certificates,
465: e.g. F</etc/ssl/certs>.
466: The directory specified by B<TLS_CACERTDIR> is checked after
467: B<TLS_CACERTFILE>.
468: This option is only supported by the OpenLDAP libraries.
469:
470: =item B<TLS_CERT> file name
471:
472: The path to a file containing the client certificate which can
473: be used to authenticate the client to the LDAP server.
474: The certificate type depends on the LDAP libraries used.
475:
476: OpenLDAP:
477: C<tls_cert /etc/ssl/client_cert.pem>
478:
479: Netscape-derived:
480: C<tls_cert /var/ldap/cert7.db>
481:
482: When using Netscape-derived libraries, this file may also contain
483: Certificate Authority certificates.
484:
485: =item B<TLS_KEY> file name
486:
487: The path to a file containing the private key which matches the
488: certificate specified by B<TLS_CERT>. The private key must not be
489: password-protected. The key type depends on the LDAP libraries
490: used.
491:
492: OpenLDAP:
493: C<tls_key /etc/ssl/client_key.pem>
494:
495: Netscape-derived:
496: C<tls_key /var/ldap/key3.db>
497:
498: =item B<TLS_RANDFILE> file name
499:
500: The B<TLS_RANDFILE> parameter specifies the path to an entropy
501: source for systems that lack a random device. It is generally used
502: in conjunction with I<prngd> or I<egd>.
503: This option is only supported by the OpenLDAP libraries.
504:
505: =item B<TLS_CIPHERS> cipher list
506:
507: The B<TLS_CIPHERS> parameter allows the administer to restrict
508: which encryption algorithms may be used for TLS (SSL) connections.
509: See the OpenSSL manual for a list of valid ciphers.
510: This option is only supported by the OpenLDAP libraries.
511:
512: =item B<USE_SASL> on/true/yes/off/false/no
513:
514: Enable B<USE_SASL> for LDAP servers that support SASL authentication.
515:
516: =item B<SASL_AUTH_ID> identity
517:
518: The SASL user name to use when connecting to the LDAP server.
519: By default, B<sudo> will use an anonymous connection.
520:
521: =item B<ROOTUSE_SASL> on/true/yes/off/false/no
522:
523: Enable B<ROOTUSE_SASL> to enable SASL authentication when connecting
524: to an LDAP server from a privileged process, such as B<sudo>.
525:
526: =item B<ROOTSASL_AUTH_ID> identity
527:
528: The SASL user name to use when B<ROOTUSE_SASL> is enabled.
529:
530: =item B<SASL_SECPROPS> none/properties
531:
532: SASL security properties or I<none> for no properties. See the
533: SASL programmer's manual for details.
534:
535: =item B<KRB5_CCNAME> file name
536:
537: The path to the Kerberos 5 credential cache to use when authenticating
538: with the remote server.
539:
540: =item B<DEREF> never/searching/finding/always
541:
542: How alias dereferencing is to be performed when searching. See the
543: L<ldap.conf(5)> manual for a full description of this option.
544:
545: =back
546:
547: See the C<ldap.conf> entry in the L<EXAMPLES> section.
548:
549: =head2 Configuring nsswitch.conf
550:
551: Unless it is disabled at build time, B<sudo> consults the Name
552: Service Switch file, F<@nsswitch_conf@>, to specify the I<sudoers>
553: search order. Sudo looks for a line beginning with C<sudoers>: and
554: uses this to determine the search order. Note that B<sudo> does
555: not stop searching after the first match and later matches take
556: precedence over earlier ones.
557:
558: The following sources are recognized:
559:
560: files read sudoers from F<@sysconfdir@/sudoers>
561: ldap read sudoers from LDAP
562:
563: In addition, the entry C<[NOTFOUND=return]> will short-circuit the
564: search if the user was not found in the preceding source.
565:
566: To consult LDAP first followed by the local sudoers file (if it
567: exists), use:
568:
569: sudoers: ldap files
570:
571: The local I<sudoers> file can be ignored completely by using:
572:
573: sudoers: ldap
574:
575: If the F<@nsswitch_conf@> file is not present or there is no
576: sudoers line, the following default is assumed:
577:
578: sudoers: files
579:
580: Note that F<@nsswitch_conf@> is supported even when the underlying
581: operating system does not use an nsswitch.conf file.
582:
583: =head2 Configuring netsvc.conf
584:
585: On AIX systems, the F<@netsvc_conf@> file is consulted instead of
586: F<@nsswitch_conf@>. B<sudo> simply treats I<netsvc.conf> as a
587: variant of I<nsswitch.conf>; information in the previous section
588: unrelated to the file format itself still applies.
589:
590: To consult LDAP first followed by the local sudoers file (if it
591: exists), use:
592:
593: sudoers = ldap, files
594:
595: The local I<sudoers> file can be ignored completely by using:
596:
597: sudoers = ldap
598:
599: To treat LDAP as authoratative and only use the local sudoers file
600: if the user is not present in LDAP, use:
601:
602: sudoers = ldap = auth, files
603:
604: Note that in the above example, the C<auth> qualfier only affects
605: user lookups; both LDAP and I<sudoers> will be queried for C<Defaults>
606: entries.
607:
608: If the F<@netsvc_conf@> file is not present or there is no
609: sudoers line, the following default is assumed:
610:
611: sudoers = files
612:
613: =head1 FILES
614:
615: =over 24
616:
617: =item F<@ldap_conf@>
618:
619: LDAP configuration file
620:
621: =item F<@nsswitch_conf@>
622:
623: determines sudoers source order
624:
625: =item F<@netsvc_conf@>
626:
627: determines sudoers source order on AIX
628:
629: =back
630:
631: =head1 EXAMPLES
632:
633: =head2 Example ldap.conf
634:
635: # Either specify one or more URIs or one or more host:port pairs.
636: # If neither is specified sudo will default to localhost, port 389.
637: #
638: #host ldapserver
639: #host ldapserver1 ldapserver2:390
640: #
641: # Default port if host is specified without one, defaults to 389.
642: #port 389
643: #
644: # URI will override the host and port settings.
645: uri ldap://ldapserver
646: #uri ldaps://secureldapserver
647: #uri ldaps://secureldapserver ldap://ldapserver
648: #
649: # The amount of time, in seconds, to wait while trying to connect to
650: # an LDAP server.
651: bind_timelimit 30
652: #
653: # The amount of time, in seconds, to wait while performing an LDAP query.
654: timelimit 30
655: #
656: # Must be set or sudo will ignore LDAP; may be specified multiple times.
657: sudoers_base ou=SUDOers,dc=example,dc=com
658: #
659: # verbose sudoers matching from ldap
660: #sudoers_debug 2
661: #
662: # Enable support for time-based entries in sudoers.
663: #sudoers_timed yes
664: #
665: # optional proxy credentials
666: #binddn <who to search as>
667: #bindpw <password>
668: #rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>
669: #
670: # LDAP protocol version, defaults to 3
671: #ldap_version 3
672: #
673: # Define if you want to use an encrypted LDAP connection.
674: # Typically, you must also set the port to 636 (ldaps).
675: #ssl on
676: #
677: # Define if you want to use port 389 and switch to
678: # encryption before the bind credentials are sent.
679: # Only supported by LDAP servers that support the start_tls
680: # extension such as OpenLDAP.
681: #ssl start_tls
682: #
683: # Additional TLS options follow that allow tweaking of the
684: # SSL/TLS connection.
685: #
686: #tls_checkpeer yes # verify server SSL certificate
687: #tls_checkpeer no # ignore server SSL certificate
688: #
689: # If you enable tls_checkpeer, specify either tls_cacertfile
690: # or tls_cacertdir. Only supported when using OpenLDAP.
691: #
692: #tls_cacertfile /etc/certs/trusted_signers.pem
693: #tls_cacertdir /etc/certs
694: #
695: # For systems that don't have /dev/random
696: # use this along with PRNGD or EGD.pl to seed the
697: # random number pool to generate cryptographic session keys.
698: # Only supported when using OpenLDAP.
699: #
700: #tls_randfile /etc/egd-pool
701: #
702: # You may restrict which ciphers are used. Consult your SSL
703: # documentation for which options go here.
704: # Only supported when using OpenLDAP.
705: #
706: #tls_ciphers <cipher-list>
707: #
708: # Sudo can provide a client certificate when communicating to
709: # the LDAP server.
710: # Tips:
711: # * Enable both lines at the same time.
712: # * Do not password protect the key file.
713: # * Ensure the keyfile is only readable by root.
714: #
715: # For OpenLDAP:
716: #tls_cert /etc/certs/client_cert.pem
717: #tls_key /etc/certs/client_key.pem
718: #
719: # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
720: # a directory, in which case the files in the directory must have the
721: # default names (e.g. cert8.db and key4.db), or the path to the cert
722: # and key files themselves. However, a bug in version 5.0 of the LDAP
723: # SDK will prevent specific file names from working. For this reason
724: # it is suggested that tls_cert and tls_key be set to a directory,
725: # not a file name.
726: #
727: # The certificate database specified by tls_cert may contain CA certs
728: # and/or the client's cert. If the client's cert is included, tls_key
729: # should be specified as well.
730: # For backward compatibility, "sslpath" may be used in place of tls_cert.
731: #tls_cert /var/ldap
732: #tls_key /var/ldap
733: #
734: # If using SASL authentication for LDAP (OpenSSL)
735: # use_sasl yes
736: # sasl_auth_id <SASL user name>
737: # rootuse_sasl yes
738: # rootsasl_auth_id <SASL user name for root access>
739: # sasl_secprops none
740: # krb5_ccname /etc/.ldapcache
741:
742: =head2 Sudo schema for OpenLDAP
743:
744: The following schema, in OpenLDAP format, is included with B<sudo>
745: source and binary distributions as F<schema.OpenLDAP>. Simply copy
746: it to the schema directory (e.g. F</etc/openldap/schema>), add the
747: proper C<include> line in C<slapd.conf> and restart B<slapd>.
748:
749: attributetype ( 1.3.6.1.4.1.15953.9.1.1
750: NAME 'sudoUser'
751: DESC 'User(s) who may run sudo'
752: EQUALITY caseExactIA5Match
753: SUBSTR caseExactIA5SubstringsMatch
754: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
755:
756: attributetype ( 1.3.6.1.4.1.15953.9.1.2
757: NAME 'sudoHost'
758: DESC 'Host(s) who may run sudo'
759: EQUALITY caseExactIA5Match
760: SUBSTR caseExactIA5SubstringsMatch
761: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
762:
763: attributetype ( 1.3.6.1.4.1.15953.9.1.3
764: NAME 'sudoCommand'
765: DESC 'Command(s) to be executed by sudo'
766: EQUALITY caseExactIA5Match
767: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
768:
769: attributetype ( 1.3.6.1.4.1.15953.9.1.4
770: NAME 'sudoRunAs'
771: DESC 'User(s) impersonated by sudo'
772: EQUALITY caseExactIA5Match
773: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
774:
775: attributetype ( 1.3.6.1.4.1.15953.9.1.5
776: NAME 'sudoOption'
777: DESC 'Options(s) followed by sudo'
778: EQUALITY caseExactIA5Match
779: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
780:
781: attributetype ( 1.3.6.1.4.1.15953.9.1.6
782: NAME 'sudoRunAsUser'
783: DESC 'User(s) impersonated by sudo'
784: EQUALITY caseExactIA5Match
785: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
786:
787: attributetype ( 1.3.6.1.4.1.15953.9.1.7
788: NAME 'sudoRunAsGroup'
789: DESC 'Group(s) impersonated by sudo'
790: EQUALITY caseExactIA5Match
791: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
792:
793: attributetype ( 1.3.6.1.4.1.15953.9.1.8
794: NAME 'sudoNotBefore'
795: DESC 'Start of time interval for which the entry is valid'
796: EQUALITY generalizedTimeMatch
797: ORDERING generalizedTimeOrderingMatch
798: SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
799:
800: attributetype ( 1.3.6.1.4.1.15953.9.1.9
801: NAME 'sudoNotAfter'
802: DESC 'End of time interval for which the entry is valid'
803: EQUALITY generalizedTimeMatch
804: ORDERING generalizedTimeOrderingMatch
805: SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
806:
807: attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
808: NAME 'sudoOrder'
809: DESC 'an integer to order the sudoRole entries'
810: EQUALITY integerMatch
811: ORDERING integerOrderingMatch
812: SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
813:
814: objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
815: DESC 'Sudoer Entries'
816: MUST ( cn )
817: MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
818: sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
819: sudoOrder $ description )
820: )
821:
822: =head1 SEE ALSO
823:
824: L<ldap.conf(5)>, L<sudoers(5)>
825:
826: =head1 CAVEATS
827:
828: Note that there are differences in the way that LDAP-based I<sudoers>
829: is parsed compared to file-based I<sudoers>. See the L<Differences
830: between LDAP and non-LDAP sudoers> section for more information.
831:
832: =head1 BUGS
833:
834: If you feel you have found a bug in B<sudo>, please submit a bug report
835: at http://www.sudo.ws/sudo/bugs/
836:
837: =head1 SUPPORT
838:
839: Limited free support is available via the sudo-users mailing list,
840: see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
841: search the archives.
842:
843: =head1 DISCLAIMER
844:
845: B<sudo> is provided ``AS IS'' and any express or implied warranties,
846: including, but not limited to, the implied warranties of merchantability
847: and fitness for a particular purpose are disclaimed. See the LICENSE
848: file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
849: for complete details.
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to sudoers.ldap.pod CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / doc