SUDOERS.LDAP(4)            MAINTENANCE COMMANDS            SUDOERS.LDAP(4)

NAME
       sudoers.ldap - sudo LDAP configuration
DESCRIPTION
       In addition to the standard sudoers file, sudo may be configured via
       LDAP.  This can be especially useful for synchronizing sudoers in a
       large, distributed environment.
       Using LDAP for sudoers has several benefits:
       o   sudo no longer needs to read sudoers in its entirety.  When LDAP is
           used, there are only two or three LDAP queries per invocation.
           This makes it especially fast and particularly usable in LDAP
       o   sudo no longer exits if there is a typo in sudoers.  It is not
           possible to load LDAP data into the server that does not conform to
           the sudoers schema, so proper syntax is guaranteed.  It is still
           possible to have typos in a user or host name, but this will not
           prevent sudo from running.
       o   It is possible to specify per-entry options that override the
           global default options.  /etc/sudoers only supports default options
           and limited options associated with user/host/commands/aliases.
           The syntax is complicated and can be difficult for users to
           understand.  Placing the options directly in the entry is more
       o   The visudo program is no longer needed.  visudo provides locking
           and syntax checking of the /etc/sudoers file.  Since LDAP updates
           are atomic, locking is no longer necessary.  Because syntax is
           checked when the data is inserted into LDAP, there is no need for a
           specialized tool to check syntax.
       Another major difference between LDAP and file-based sudoers is that in
       LDAP, sudo-specific Aliases are not supported.
       For the most part, there is really no need for sudo-specific Aliases.
       Unix groups or user netgroups can be used in place of User_Aliases and
       Runas_Aliases.  Host netgroups can be used in place of Host_Aliases.
       Since Unix groups and netgroups can also be stored in LDAP there is no
       real need for sudo-specific aliases.
       Cmnd_Aliases are not really required either since it is possible to
       have multiple users listed in a sudoRole.  Instead of defining a
       Cmnd_Alias that is referenced by multiple users, one can create a
       sudoRole that contains the commands and assign multiple users to it.
   SUDOers LDAP container
       The sudoers configuration is contained in the ou=SUDOers LDAP
       Sudo first looks for the cn=default entry in the SUDOers container.  If
       found, the multi-valued sudoOption attribute is parsed in the same
       manner as a global Defaults line in /etc/sudoers.  In the following
       example, the SSH_AUTH_SOCK variable will be preserved in the
       environment for all users.

           dn: cn=defaults,ou=SUDOers,dc=example,dc=com
           objectClass: top
           objectClass: sudoRole
           cn: defaults
           description: Default sudoOption's go here
           sudoOption: env_keep+=SSH_AUTH_SOCK
       The equivalent of a sudoer in LDAP is a sudoRole.  It consists of the

       sudoUser
           A user name, uid (prefixed with '#'), Unix group (prefixed with a
           '%') or user netgroup (prefixed with a '+').

       sudoHost
           A host name, IP address, IP network, or host netgroup (prefixed
           with a '+').  The special value ALL will match any host.

       sudoCommand
           A Unix command with optional command line arguments, potentially
           including globbing characters (aka wild cards).  The special value
           ALL will match any command.  If a command is prefixed with an
           exclamation point '!', the user will be prohibited from running

       sudoOption
           Identical in function to the global options described above, but
           specific to the sudoRole in which it resides.
       sudoRunAsUser
           A user name or uid (prefixed with '#') that commands may be run as
           or a Unix group (prefixed with a '%') or user netgroup (prefixed
           with a '+') that contains a list of users that commands may be run
           as.  The special value ALL will match any user.

           The sudoRunAsUser attribute is only available in sudo versions
           1.7.0 and higher.  Older versions of sudo use the sudoRunAs

       sudoRunAsGroup
           A Unix group or gid (prefixed with '#') that commands may be run
           as.  The special value ALL will match any group.

           The sudoRunAsGroup attribute is only available in sudo versions
       sudoNotBefore
           A timestamp in the form yyyymmddHHMMZ that can be used to provide a
           start date/time for when the sudoRole will be valid.  If multiple
           sudoNotBefore entries are present, the earliest is used.  Note that
           timestamps must be in Coordinated Universal Time (UTC), not the

           The sudoNotBefore attribute is only available in sudo versions
           1.7.5 and higher and must be explicitly enabled via the
           SUDOERS_TIMED option in /etc/ldap.conf.

       sudoNotAfter
           A timestamp in the form yyyymmddHHMMZ that indicates an expiration
           date/time, after which the sudoRole will no longer be valid.  If
           multiple sudoNotAfter entries are present, the last one is used.
           Note that timestamps must be in Coordinated Universal Time (UTC),
           not the local timezone.

           The sudoNotAfter attribute is only available in sudo versions 1.7.5
           and higher and must be explicitly enabled via the SUDOERS_TIMED
           option in /etc/ldap.conf.
       sudoOrder
           The sudoRole entries retrieved from the LDAP directory have no
           inherent order.  The sudoOrder attribute is an integer (or floating
           point value for LDAP servers that support it) that is used to sort
           the matching entries.  This allows LDAP-based sudoers entries to
           more closely mimic the behaviour of the sudoers file, where the
           order of the entries influences the result.  If multiple entries
           match, the entry with the highest sudoOrder attribute is chosen.
           This corresponds to the "last match" behavior of the sudoers file.
           If the sudoOrder attribute is not present, a value of 0 is assumed.

           The sudoOrder attribute is only available in sudo versions 1.7.5

       Each attribute listed above should contain a single value, but there
       may be multiple instances of each attribute type.  A sudoRole must
       contain at least one sudoUser, sudoHost and sudoCommand.
       The following example allows users in group wheel to run any command on
       any host via sudo:

           dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
           objectClass: top
           objectClass: sudoRole
           cn: %wheel
           sudoUser: %wheel
           sudoHost: ALL
           sudoCommand: ALL
   Anatomy of LDAP sudoers lookup
       When looking up a sudoer using LDAP there are only two or three LDAP
       queries per invocation.  The first query is to parse the global
       options.  The second is to match against the user's name and the groups
       that the user belongs to.  (The special ALL tag is matched in this
       query too.)  If no match is returned for the user's name and groups, a
       third query returns all entries containing user netgroups and checks to
       see if the user belongs to any of them.

       If timed entries are enabled with the SUDOERS_TIMED configuration
       directive, the LDAP queries include a subfilter that limits retrieval
       to entries that satisfy the time constraints, if any.
   Differences between LDAP and non-LDAP sudoers
       There are some subtle differences in the way sudoers is handled once in
       LDAP.  Probably the biggest is that according to the RFC, LDAP ordering
       is arbitrary and you cannot expect that Attributes and Entries are
       returned in any specific order.

       The order in which different entries are applied can be controlled
       using the sudoOrder attribute, but there is no way to guarantee the
       order of attributes within a specific entry.  If there are conflicting
       command rules in an entry, the negative takes precedence.  This is
       called paranoid behavior (not necessarily the most specific match).
           # Allow all commands except shell
           johnny  ALL=(root) ALL,!/bin/sh

           # Always allows all commands because ALL is matched last
           puddles ALL=(root) !/bin/sh,ALL

           # LDAP equivalent of johnny
           # Allows all commands except shell
           dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
           objectClass: top
           objectClass: sudoRole
           cn: role1
           sudoUser: johnny
           sudoHost: ALL
           sudoCommand: ALL
           sudoCommand: !/bin/sh

           # LDAP equivalent of puddles
           # Notice that even though ALL comes last, it still behaves like
           # role1 since the LDAP code assumes the more paranoid configuration
           dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
           objectClass: top
           objectClass: sudoRole
           cn: role2
           sudoUser: puddles
           sudoHost: ALL
           sudoCommand: !/bin/sh
           sudoCommand: ALL
       Another difference is that negations on the Host, User or Runas are
       currently ignored.  For example, the following attributes do not behave
       the way one might expect.

           # does not match all but joe
           # rather, does not match anyone
           sudoUser: !joe

           # does not match all but joe
           # rather, matches everyone including Joe
           sudoUser: ALL
           sudoUser: !joe

           # does not match all but web01
           # rather, matches all hosts including web01
           sudoHost: ALL
           sudoHost: !web01
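       The lookup and matching rules described in the two sections above, as
       an added Python model (illustration only, not sudo's own code): it runs
       the user/group/ALL query, falls back to the netgroup query, applies the
       SUDOERS_TIMED window, sorts by sudoOrder and resolves commands with the
       paranoid negation rule, including the johnny/puddles and !joe/!web01
       cases shown above.  The sudoRole entries, netgroup membership and the
       "current time" are constructed; timestamps use the manual's
       yyyymmddHHMMZ form and are compared lexically.

```python
"""Model of sudo's LDAP sudoRole lookup and match semantics (added example,
not sudo's own code).  Directory content, netgroups and NOW are constructed.
"""

# Constructed sudoRole entries; multi-valued attributes are lists.
ENTRIES = [
    {"cn": "role1", "sudoUser": ["johnny"], "sudoHost": ["ALL"],
     "sudoCommand": ["ALL", "!/bin/sh"]},
    {"cn": "role2", "sudoUser": ["puddles"], "sudoHost": ["ALL"],
     "sudoCommand": ["!/bin/sh", "ALL"]},
    {"cn": "ops", "sudoUser": ["+ops"], "sudoHost": ["+webservers"],
     "sudoCommand": ["/usr/sbin/service"], "sudoOrder": ["10"]},
    {"cn": "ops-old", "sudoUser": ["+ops"], "sudoHost": ["ALL"],
     "sudoCommand": ["ALL"], "sudoOrder": ["5"],
     "sudoNotAfter": ["201101010000Z"]},
    {"cn": "negated-user", "sudoUser": ["!joe"], "sudoHost": ["ALL"],
     "sudoCommand": ["ALL"]},
    {"cn": "negated-host", "sudoUser": ["bob"], "sudoHost": ["ALL", "!web01"],
     "sudoCommand": ["ALL"]},
]
NETGROUPS = {"ops": {"alice"}, "webservers": {"web01"}}  # constructed
NOW = "201105161200Z"  # constructed "current time", UTC, yyyymmddHHMMZ


def in_netgroup(name, member):
    return member in NETGROUPS.get(name, set())


def user_query(user, groups):
    """Second LDAP query: entries naming the user, one of its groups, or ALL.
    A negated value such as '!joe' is just a literal here, so it never matches."""
    wanted = {user, "ALL"} | {"%" + g for g in groups}
    return [e for e in ENTRIES if wanted & set(e["sudoUser"])]


def netgroup_query(user):
    """Third query, issued only when user_query found nothing: netgroup users."""
    return [e for e in ENTRIES
            if any(v.startswith("+") and in_netgroup(v[1:], user)
                   for v in e["sudoUser"])]


def within_time(entry, now):
    """SUDOERS_TIMED: the earliest sudoNotBefore and latest sudoNotAfter apply."""
    before = entry.get("sudoNotBefore", [])
    after = entry.get("sudoNotAfter", [])
    return (not before or min(before) <= now) and (not after or now <= max(after))


def host_matches(entry, host):
    """'!' is not special for hosts, so 'ALL' plus '!web01' still matches web01."""
    return any(h == "ALL" or h == host or
               (h.startswith("+") and in_netgroup(h[1:], host))
               for h in entry["sudoHost"])


def command_matches(pattern, command):
    # Exact match or ALL only; real sudo additionally understands glob characters.
    return pattern == "ALL" or pattern == command


def lookup(user, groups, host, command, now=NOW, timed=True):
    """Return True (allowed), False (denied) or None (no entry matched)."""
    candidates = user_query(user, groups) or netgroup_query(user)
    if timed:
        candidates = [e for e in candidates if within_time(e, now)]
    # LDAP results have no inherent order: sort by sudoOrder (default 0) so
    # the entry with the highest sudoOrder is considered last ("last match").
    candidates.sort(key=lambda e: float(e.get("sudoOrder", ["0"])[0]))
    verdict = None
    for entry in candidates:
        if not host_matches(entry, host):
            continue
        denied = any(p.startswith("!") and command_matches(p[1:], command)
                     for p in entry["sudoCommand"])
        allowed = any(not p.startswith("!") and command_matches(p, command)
                      for p in entry["sudoCommand"])
        if denied:
            verdict = False   # paranoid: a negation wins whatever its position
        elif allowed:
            verdict = True    # a later (higher sudoOrder) entry overrides earlier
    return verdict
```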
   Sudoers Schema
       In order to use sudo's LDAP support, the sudo schema must be installed
       on your LDAP server.  In addition, be sure to index the 'sudoUser'

       Three versions of the schema: one for OpenLDAP servers
       (schema.OpenLDAP), one for Netscape-derived servers (schema.iPlanet),
       and one for Microsoft Active Directory (schema.ActiveDirectory) may be
       found in the sudo distribution.

       The schema for sudo in OpenLDAP form is included in the EXAMPLES
   Configuring ldap.conf
       Sudo reads the /etc/ldap.conf file for LDAP-specific configuration.
       Typically, this file is shared amongst different LDAP-aware clients.
       As such, most of the settings are not sudo-specific.  Note that sudo
       parses /etc/ldap.conf itself and may support options that differ from
       those described in the ldap.conf(4) manual.

       Also note that on systems using the OpenLDAP libraries, default values
       specified in /etc/openldap/ldap.conf or the user's .ldaprc files are

       Only those options explicitly listed in /etc/ldap.conf as being
       supported by sudo are honored.  Configuration options are listed below
       in upper case but are parsed in a case-independent manner.
       URI ldap[s]://[hostname[:port]] ...
           Specifies a whitespace-delimited list of one or more URIs
           describing the LDAP server(s) to connect to.  The protocol may be
           either ldap or ldaps, the latter being for servers that support TLS
           (SSL) encryption.  If no port is specified, the default is port 389
           for ldap:// or port 636 for ldaps://.  If no hostname is specified,
           sudo will connect to localhost.  Multiple URI lines are treated
           identically to a URI line containing multiple entries.  Only
           systems using the OpenSSL libraries support the mixing of ldap://
           and ldaps:// URIs.  The Netscape-derived libraries used on most
           commercial versions of Unix are only capable of supporting one or
       HOST name[:port] ...
           If no URI is specified, the HOST parameter specifies a whitespace-
           delimited list of LDAP servers to connect to.  Each host may
           include an optional port separated by a colon (':').  The HOST
           parameter is deprecated in favor of the URI specification and is
           included for backwards compatibility.

       PORT port_number
           If no URI is specified, the PORT parameter specifies the default
           port to connect to on the LDAP server if a HOST parameter does not
           specify the port itself.  If no PORT parameter is used, the default
           is port 389 for LDAP and port 636 for LDAP over TLS (SSL).  The
           PORT parameter is deprecated in favor of the URI specification and
           is included for backwards compatibility.
       BIND_TIMELIMIT seconds
           The BIND_TIMELIMIT parameter specifies the amount of time, in
           seconds, to wait while trying to connect to an LDAP server.  If
           multiple URIs or HOSTs are specified, this is the amount of time to
           wait before trying the next one in the list.

       NETWORK_TIMEOUT seconds
           An alias for BIND_TIMELIMIT for OpenLDAP compatibility.

       TIMELIMIT seconds
           The TIMELIMIT parameter specifies the amount of time, in seconds,
           to wait for a response to an LDAP query.

       TIMEOUT seconds
           The TIMEOUT parameter specifies the amount of time, in seconds, to
           wait for a response from the various LDAP APIs.
       SUDOERS_BASE base
           The base DN to use when performing sudo LDAP queries.  Typically
           this is of the form ou=SUDOers,dc=example,dc=com for the domain
           example.com.  Multiple SUDOERS_BASE lines may be specified, in
           which case they are queried in the order specified.

       SUDOERS_SEARCH_FILTER ldap_filter
           An LDAP filter which is used to restrict the set of records
           returned when performing a sudo LDAP query.  Typically, this is of
           the form attribute=value or
           (&(attribute=value)(attribute2=value2)).

       SUDOERS_TIMED on/true/yes/off/false/no
           Whether or not to evaluate the sudoNotBefore and sudoNotAfter
           attributes that implement time-dependent sudoers entries.

       SUDOERS_DEBUG debug_level
           This sets the debug level for sudo LDAP queries.  Debugging
           information is printed to the standard error.  A value of 1 results
           in a moderate amount of debugging information.  A value of 2 shows
           the results of the matches themselves.  This parameter should not
           be set in a production environment as the extra information is
           likely to confuse users.
       BINDDN DN
           The BINDDN parameter specifies the identity, in the form of a
           Distinguished Name (DN), to use when performing LDAP operations.
           If not specified, LDAP operations are performed with an anonymous
           identity.  By default, most LDAP servers will allow anonymous

       BINDPW secret
           The BINDPW parameter specifies the password to use when performing
           LDAP operations.  This is typically used in conjunction with the
           BINDDN parameter.

       ROOTBINDDN DN
           The ROOTBINDDN parameter specifies the identity, in the form of a
           Distinguished Name (DN), to use when performing privileged LDAP
           operations, such as sudoers queries.  The password corresponding to
           the identity should be stored in /etc/ldap.secret.  If not
           specified, the BINDDN identity is used (if any).

       LDAP_VERSION number
           The version of the LDAP protocol to use when connecting to the
           server.  The default value is protocol version 3.
       SSL on/true/yes/off/false/no
           If the SSL parameter is set to on, true or yes, TLS (SSL)
           encryption is always used when communicating with the LDAP server.
           Typically, this involves connecting to the server on port 636

       SSL start_tls
           If the SSL parameter is set to start_tls, the LDAP server
           connection is initiated normally and TLS encryption is begun before
           the bind credentials are sent.  This has the advantage of not
           requiring a dedicated port for encrypted communications.  This
           parameter is only supported by LDAP servers that honor the
           start_tls extension, such as the OpenLDAP server.
       TLS_CHECKPEER on/true/yes/off/false/no
           If enabled, TLS_CHECKPEER will cause the LDAP server's TLS
           certificate to be verified.  If the server's TLS certificate
           cannot be verified (usually because it is signed by an unknown
           certificate authority), sudo will be unable to connect to it.  If
           TLS_CHECKPEER is disabled, no check is made.  Note that disabling
           the check creates an opportunity for man-in-the-middle attacks
           since the server's identity will not be authenticated.  If
           possible, the CA's certificate should be installed locally so it
       TLS_CACERT file name
           An alias for TLS_CACERTFILE for OpenLDAP compatibility.

       TLS_CACERTFILE file name
           The path to a certificate authority bundle which contains the
           certificates for all the Certificate Authorities the client knows
           to be valid, e.g. /etc/ssl/ca-bundle.pem.  This option is only
           supported by the OpenLDAP libraries.  Netscape-derived LDAP
           libraries use the same certificate database for CA and client
           certificates (see TLS_CERT).

       TLS_CACERTDIR directory
           Similar to TLS_CACERTFILE but instead of a file, it is a directory
           containing individual Certificate Authority certificates, e.g.
           /etc/ssl/certs.  The directory specified by TLS_CACERTDIR is
           checked after TLS_CACERTFILE.  This option is only supported by the
       TLS_CERT file name
           The path to a file containing the client certificate which can be
           used to authenticate the client to the LDAP server.  The
           certificate type depends on the LDAP libraries used.

           OpenLDAP:
               tls_cert /etc/ssl/client_cert.pem

           Netscape-derived:
               tls_cert /var/ldap/cert7.db

           When using Netscape-derived libraries, this file may also contain
           Certificate Authority certificates.

       TLS_KEY file name
           The path to a file containing the private key which matches the
           certificate specified by TLS_CERT.  The private key must not be
           password-protected.  The key type depends on the LDAP libraries

           OpenLDAP:
               tls_key /etc/ssl/client_key.pem

           Netscape-derived:
               tls_key /var/ldap/key3.db
       TLS_RANDFILE file name
           The TLS_RANDFILE parameter specifies the path to an entropy source
           for systems that lack a random device.  It is generally used in
           conjunction with prngd or egd.  This option is only supported by
           the OpenLDAP libraries.

       TLS_CIPHERS cipher list
           The TLS_CIPHERS parameter allows the administrator to restrict
           which encryption algorithms may be used for TLS (SSL) connections.
           See the OpenSSL manual for a list of valid ciphers.  This option is
           only supported by the OpenLDAP libraries.
       USE_SASL on/true/yes/off/false/no
           Enable USE_SASL for LDAP servers that support SASL authentication.

       SASL_AUTH_ID identity
           The SASL user name to use when connecting to the LDAP server.  By
           default, sudo will use an anonymous connection.

       ROOTUSE_SASL on/true/yes/off/false/no
           Enable ROOTUSE_SASL to enable SASL authentication when connecting
           to an LDAP server from a privileged process, such as sudo.

       ROOTSASL_AUTH_ID identity
           The SASL user name to use when ROOTUSE_SASL is enabled.

       SASL_SECPROPS none/properties
           SASL security properties or none for no properties.  See the SASL
           programmer's manual for details.

       KRB5_CCNAME file name
           The path to the Kerberos 5 credential cache to use when
           authenticating with the remote server.

       See the ldap.conf entry in the EXAMPLES section.
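       An added check over ldap.conf (example code, not part of sudo) that
       parses the file the way this section describes, keyword first and
       case-independently, and reports the settings the text warns about: an
       ldap:// connection with no SSL or start_tls, TLS_CHECKPEER disabled,
       SUDOERS_DEBUG left on, a missing SUDOERS_BASE and a BINDPW kept in the
       shared file.  The three sample configurations are constructed; because
       the manual does not state what an unset TLS_CHECKPEER does, that case
       is reported separately as library-dependent.

```python
"""Audit the sudo-relevant settings of an ldap.conf (added example, not
part of sudo).  The sample configurations below are constructed."""

TRUE_WORDS = {"on", "true", "yes"}
FALSE_WORDS = {"off", "false", "no"}


def parse_ldap_conf(text):
    """Return {keyword: [value, ...]}.  Keywords are lower-cased because sudo
    parses them case-independently; repeated keywords (several URI or
    SUDOERS_BASE lines) are kept in order of appearance."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(parts[0].lower(), []).append(value)
    return settings


def last_value(cfg, key, default=""):
    """Lower-cased value of the last occurrence of a keyword."""
    return cfg.get(key, [default])[-1].lower()


def audit_ldap_conf(text):
    """Return [(code, message), ...] for settings that weaken sudo's LDAP use."""
    cfg = parse_ldap_conf(text)
    findings = []
    if "sudoers_base" not in cfg:
        findings.append(("NO_BASE", "sudoers_base not set: sudo ignores LDAP"))
    uris = " ".join(cfg.get("uri", [])).split()
    ldap_uris = [u for u in uris if u.lower().startswith("ldap://")]
    ldaps_uris = [u for u in uris if u.lower().startswith("ldaps://")]
    ssl = last_value(cfg, "ssl")
    tls_in_use = ssl in TRUE_WORDS or ssl == "start_tls" or bool(ldaps_uris)
    # Without any URI, sudo falls back to HOST/PORT or localhost:389.
    if not tls_in_use and (ldap_uris or not uris):
        findings.append(("CLEARTEXT", "ldap:// without 'ssl on' or 'ssl "
                         "start_tls': bind credentials and sudoers data "
                         "are sent unencrypted"))
    if ldap_uris and ldaps_uris:
        findings.append(("MIXED_URI", "ldap:// and ldaps:// mixed: only "
                         "OpenSSL-based libraries support this"))
    checkpeer = last_value(cfg, "tls_checkpeer")
    if checkpeer in FALSE_WORDS:
        findings.append(("NO_CHECKPEER", "tls_checkpeer disabled: server "
                         "identity unverified, man-in-the-middle possible"))
    elif tls_in_use and checkpeer not in TRUE_WORDS:
        findings.append(("CHECKPEER_UNSET", "tls_checkpeer not set: "
                         "verification depends on the LDAP library default"))
    elif tls_in_use and not any(
            k in cfg for k in ("tls_cacertfile", "tls_cacert", "tls_cacertdir")):
        findings.append(("NO_CA", "tls_checkpeer enabled but no CA configured "
                         "(tls_cacertfile or tls_cacertdir)"))
    if last_value(cfg, "sudoers_debug", "0") not in ("", "0"):
        findings.append(("DEBUG", "sudoers_debug set: not for production use"))
    if "bindpw" in cfg:
        findings.append(("BINDPW", "bindpw kept in the shared ldap.conf: "
                         "rootbinddn reads its password from "
                         "/etc/ldap.secret instead"))
    return findings


def finding_codes(text):
    return {code for code, _ in audit_ldap_conf(text)}


WEAK_CONF = """# constructed: a client configuration with the weak settings
URI ldap://ldapserver
SUDOERS_BASE ou=SUDOers,dc=example,dc=com
tls_checkpeer no
sudoers_debug 2
binddn cn=proxy,dc=example,dc=com
bindpw secret
"""

HARDENED_CONF = """# constructed: the same client corrected
uri ldaps://ldapserver
sudoers_base ou=SUDOers,dc=example,dc=com
ssl on
tls_checkpeer yes
tls_cacertfile /etc/certs/trusted_signers.pem
rootbinddn cn=sudo-proxy,dc=example,dc=com
"""

STARTTLS_NO_CA_CONF = """# constructed: start_tls with verification but no CA
uri ldap://ldapserver
sudoers_base ou=SUDOers,dc=example,dc=com
ssl start_tls
tls_checkpeer yes
"""
```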
   Configuring nsswitch.conf
       Unless it is disabled at build time, sudo consults the Name Service
       Switch file, /etc/nsswitch.conf, to specify the sudoers search order.
       Sudo looks for a line beginning with sudoers: and uses this to
       determine the search order.  Note that sudo does not stop searching
       after the first match and later matches take precedence over earlier

       The following sources are recognized:

           files       read sudoers from /etc/sudoers
           ldap        read sudoers from LDAP

       In addition, the entry [NOTFOUND=return] will short-circuit the search
       if the user was not found in the preceding source.

       To consult LDAP first followed by the local sudoers file (if it

           sudoers: ldap files

       The local sudoers file can be ignored completely by using:

           sudoers: ldap

       If the /etc/nsswitch.conf file is not present or there is no sudoers
       line, the following default is assumed:

           sudoers: files

       Note that /etc/nsswitch.conf is supported even when the underlying
       operating system does not use an nsswitch.conf file.
   Configuring netsvc.conf
       On AIX systems, the /etc/netsvc.conf file is consulted instead of
       /etc/nsswitch.conf.  sudo simply treats netsvc.conf as a variant of
       nsswitch.conf; information in the previous section unrelated to the
       file format itself still applies.

       To consult LDAP first followed by the local sudoers file (if it

           sudoers = ldap, files

       The local sudoers file can be ignored completely by using:

           sudoers = ldap

       To treat LDAP as authoritative and only use the local sudoers file if
       the user is not present in LDAP, use:

           sudoers = ldap = auth, files

       Note that in the above example, the auth qualifier only affects user
       lookups; both LDAP and sudoers will be queried for Defaults entries.
       If the /etc/netsvc.conf file is not present or there is no sudoers
       line, the following default is assumed:

           sudoers = files
FILES
       /etc/ldap.conf            LDAP configuration file

       /etc/nsswitch.conf        determines sudoers source order

       /etc/netsvc.conf          determines sudoers source order on AIX
EXAMPLES
   Example ldap.conf
         # Either specify one or more URIs or one or more host:port pairs.
         # If neither is specified sudo will default to localhost, port 389.
         #host          ldapserver1 ldapserver2:390

         # Default port if host is specified without one, defaults to 389.

         # URI will override the host and port settings.
         uri            ldap://ldapserver
         #uri           ldaps://secureldapserver
         #uri           ldaps://secureldapserver ldap://ldapserver

         # The amount of time, in seconds, to wait while trying to connect to

         # The amount of time, in seconds, to wait while performing an LDAP query.

         # Must be set or sudo will ignore LDAP; may be specified multiple times.
         sudoers_base   ou=SUDOers,dc=example,dc=com

         # verbose sudoers matching from ldap

         # Enable support for time-based entries in sudoers.

         # optional proxy credentials
         #binddn        <who to search as>
         #rootbinddn    <who to search as, uses /etc/ldap.secret for bindpw>

         # LDAP protocol version, defaults to 3

         # Define if you want to use an encrypted LDAP connection.
         # Typically, you must also set the port to 636 (ldaps).

         # Define if you want to use port 389 and switch to
         # encryption before the bind credentials are sent.
         # Only supported by LDAP servers that support the start_tls
         # extension such as OpenLDAP.

         # Additional TLS options follow that allow tweaking of the
         # SSL/TLS connection.

         #tls_checkpeer  yes     # verify server SSL certificate
         #tls_checkpeer  no      # ignore server SSL certificate

         # If you enable tls_checkpeer, specify either tls_cacertfile
         # or tls_cacertdir.  Only supported when using OpenLDAP.
         #tls_cacertfile /etc/certs/trusted_signers.pem
         #tls_cacertdir  /etc/certs

         # For systems that don't have /dev/random
         # use this along with PRNGD or EGD.pl to seed the
         # random number pool to generate cryptographic session keys.
         # Only supported when using OpenLDAP.
         #tls_randfile /etc/egd-pool

         # You may restrict which ciphers are used.  Consult your SSL
         # documentation for which options go here.
         # Only supported when using OpenLDAP.
         #tls_ciphers <cipher-list>

         # Sudo can provide a client certificate when communicating to
         #  * Enable both lines at the same time.
         #  * Do not password protect the key file.
         #  * Ensure the keyfile is only readable by root.
         #tls_cert /etc/certs/client_cert.pem
         #tls_key  /etc/certs/client_key.pem

         # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
         # a directory, in which case the files in the directory must have the
         # default names (e.g. cert8.db and key4.db), or the path to the cert
         # and key files themselves.  However, a bug in version 5.0 of the LDAP
         # SDK will prevent specific file names from working.  For this reason
         # it is suggested that tls_cert and tls_key be set to a directory,

         # The certificate database specified by tls_cert may contain CA certs
         # and/or the client's cert.  If the client's cert is included, tls_key
         # should be specified as well.
         # For backward compatibility, "sslpath" may be used in place of tls_cert.

         # If using SASL authentication for LDAP (OpenSSL)
         # sasl_auth_id <SASL user name>
         # rootsasl_auth_id <SASL user name for root access>
         # krb5_ccname /etc/.ldapcache
   Sudo schema for OpenLDAP
       The following schema, in OpenLDAP format, is included with sudo source
       and binary distributions as schema.OpenLDAP.  Simply copy it to the
       schema directory (e.g. /etc/openldap/schema), add the proper include
       line in slapd.conf and restart slapd.
         attributetype ( 1.3.6.1.4.1.15953.9.1.1
            NAME 'sudoUser'
            DESC 'User(s) who may run sudo'
            EQUALITY caseExactIA5Match
            SUBSTR caseExactIA5SubstringsMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

         attributetype ( 1.3.6.1.4.1.15953.9.1.2
            NAME 'sudoHost'
            DESC 'Host(s) who may run sudo'
            EQUALITY caseExactIA5Match
            SUBSTR caseExactIA5SubstringsMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

         attributetype ( 1.3.6.1.4.1.15953.9.1.3
            NAME 'sudoCommand'
            DESC 'Command(s) to be executed by sudo'
            EQUALITY caseExactIA5Match
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

         attributetype ( 1.3.6.1.4.1.15953.9.1.4
            NAME 'sudoRunAs'
            DESC 'User(s) impersonated by sudo'
            EQUALITY caseExactIA5Match
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

         attributetype ( 1.3.6.1.4.1.15953.9.1.5
            NAME 'sudoOption'
            DESC 'Options(s) followed by sudo'
            EQUALITY caseExactIA5Match
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

         attributetype ( 1.3.6.1.4.1.15953.9.1.6
            NAME 'sudoRunAsUser'
            DESC 'User(s) impersonated by sudo'
            EQUALITY caseExactIA5Match
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

         attributetype ( 1.3.6.1.4.1.15953.9.1.7
            NAME 'sudoRunAsGroup'
            DESC 'Group(s) impersonated by sudo'
            EQUALITY caseExactIA5Match
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

         attributetype ( 1.3.6.1.4.1.15953.9.1.8
            NAME 'sudoNotBefore'
            DESC 'Start of time interval for which the entry is valid'
            EQUALITY generalizedTimeMatch
            ORDERING generalizedTimeOrderingMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

         attributetype ( 1.3.6.1.4.1.15953.9.1.9
            NAME 'sudoNotAfter'
            DESC 'End of time interval for which the entry is valid'
            EQUALITY generalizedTimeMatch
            ORDERING generalizedTimeOrderingMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

         attributetype ( 1.3.6.1.4.1.15953.9.1.10
            NAME 'sudoOrder'
            DESC 'an integer to order the sudoRole entries'
            EQUALITY integerMatch
            ORDERING integerOrderingMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

         objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
            DESC 'Sudoer Entries'
            MUST ( cn )
            MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
                  sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
                  sudoOrder $ description )
            )
SEE ALSO
       ldap.conf(4), sudoers(4)
CAVEATS
       Note that there are differences in the way that LDAP-based sudoers is
       parsed compared to file-based sudoers.  See the "Differences between
       LDAP and non-LDAP sudoers" section for more information.

BUGS
       If you feel you have found a bug in sudo, please submit a bug report at
       http://www.sudo.ws/sudo/bugs/
SUPPORT
       Limited free support is available via the sudo-users mailing list, see
       http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
DISCLAIMER
       sudo is provided ``AS IS'' and any express or implied warranties,
       including, but not limited to, the implied warranties of
       merchantability and fitness for a particular purpose are disclaimed.
       See the LICENSE file distributed with sudo or
       http://www.sudo.ws/sudo/license.html for complete details.
1.8.1p2                          May 16, 2011                 SUDOERS.LDAP(4)