SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)

NAME
sudoers.ldap - sudo LDAP configuration

DESCRIPTION
In addition to the standard sudoers file, sudo may be configured via
LDAP. This can be especially useful for synchronizing sudoers in a
large, distributed environment.
Using LDAP for sudoers has several benefits:

o  sudo no longer needs to read sudoers in its entirety. When LDAP is
   used, there are only two or three LDAP queries per invocation.
   This makes it especially fast and particularly usable in LDAP

o  sudo no longer exits if there is a typo in sudoers. It is not
   possible to load LDAP data into the server that does not conform to
   the sudoers schema, so proper syntax is guaranteed. It is still
   possible to have typos in a user or host name, but this will not
   prevent sudo from running.

o  It is possible to specify per-entry options that override the
   global default options. @sysconfdir@/sudoers only supports default
   options and limited options associated with
   user/host/commands/aliases. The syntax is complicated and can be
   difficult for users to understand. Placing the options directly in
   the entry is more natural.

o  The visudo program is no longer needed. visudo provides locking
   and syntax checking of the @sysconfdir@/sudoers file. Since LDAP
   updates are atomic, locking is no longer necessary. Because syntax
   is checked when the data is inserted into LDAP, there is no need
   for a specialized tool to check syntax.

Another major difference between LDAP and file-based sudoers is that in
LDAP, sudo-specific Aliases are not supported.

For the most part, there is really no need for sudo-specific Aliases.
Unix groups or user netgroups can be used in place of User_Aliases and
RunasAliases. Host netgroups can be used in place of HostAliases.
Since Unix groups and netgroups can also be stored in LDAP there is no
real need for sudo-specific aliases.

Cmnd_Aliases are not really required either since it is possible to
have multiple users listed in a sudoRole. Instead of defining a
Cmnd_Alias that is referenced by multiple users, one can create a
sudoRole that contains the commands and assign multiple users to it.
SUDOers LDAP container

The sudoers configuration is contained in the ou=SUDOers LDAP

Sudo first looks for the cn=default entry in the SUDOers container. If
found, the multi-valued sudoOption attribute is parsed in the same
manner as a global Defaults line in @sysconfdir@/sudoers. In the
following example, the SSH_AUTH_SOCK variable will be preserved in the
environment for all users.

1.7.0 October 24, 2008 1

    dn: cn=defaults,ou=SUDOers,dc=example,dc=com
    description: Default sudoOption's go here
    sudoOption: env_keep+=SSH_AUTH_SOCK

The equivalent of a sudoer in LDAP is a sudoRole. It consists of the

sudoUser
    A user name, uid (prefixed with '#'), Unix group (prefixed with a
    '%') or user netgroup (prefixed with a '+').

sudoHost
    A host name, IP address, IP network, or host netgroup (prefixed
    with a '+'). The special value ALL will match any host.

sudoCommand
    A Unix command with optional command line arguments, potentially
    including globbing characters (aka wild cards). The special value
    ALL will match any command. If a command is prefixed with an
    exclamation point '!', the user will be prohibited from running

sudoOption
    Identical in function to the global options described above, but
    specific to the sudoRole in which it resides.

sudoRunAsUser
    A user name or uid (prefixed with '#') that commands may be run as
    or a Unix group (prefixed with a '%') or user netgroup (prefixed
    with a '+') that contains a list of users that commands may be run
    as. The special value ALL will match any user.

sudoRunAsGroup
    A Unix group or gid (prefixed with '#') that commands may be run
    as. The special value ALL will match any group.

Each component listed above should contain a single value, but there
may be multiple instances of each component type. A sudoRole must
contain at least one sudoUser, sudoHost and sudoCommand.

The following example allows users in group wheel to run any command on
any host via sudo:

    dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
    objectClass: sudoRole
Anatomy of LDAP sudoers lookup

When looking up a sudoer using LDAP there are only two or three LDAP
queries per invocation. The first query is to parse the global
options. The second is to match against the user's name and the groups
that the user belongs to. (The special ALL tag is matched in this
query too.) If no match is returned for the user's name and groups, a
third query returns all entries containing user netgroups and checks to
see if the user belongs to any of them.

Differences between LDAP and non-LDAP sudoers

There are some subtle differences in the way sudoers is handled once in
LDAP. Probably the biggest is that according to the RFC, LDAP ordering
is arbitrary and you cannot expect that Attributes and Entries are
returned in any specific order. If there are conflicting command rules
on an entry, the negative takes precedence. This is called paranoid
behavior (not necessarily the most specific match).

    # Allow all commands except shell
    johnny ALL=(root) ALL,!/bin/sh
    # Always allows all commands because ALL is matched last
    puddles ALL=(root) !/bin/sh,ALL

    # LDAP equivalent of johnny
    # Allows all commands except shell
    dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
    objectClass: sudoRole
    sudoCommand: !/bin/sh

    # LDAP equivalent of puddles
    # Notice that even though ALL comes last, it still behaves like
    # role1 since the LDAP code assumes the more paranoid configuration
    dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
    objectClass: sudoRole
    sudoCommand: !/bin/sh

Another difference is that negations on the Host, User or Runas are
currently ignored. For example, the following attributes do not
behave the way one might expect.

    # does not match all but joe
    # rather, does not match anyone

    # does not match all but joe
    # rather, matches everyone including Joe

    # does not match all but web01
    # rather, matches all hosts including web01
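The two rules in this section (negated sudoCommand wins regardless of attribute order; negations in sudoUser, sudoHost and sudoRunAs* are ignored) are easy to get wrong when reviewing roles by eye. The Python script below is an added example and not sudo's own code: it reads a small constructed LDIF modelled on the role2 and !joe/!web01 fragments above, evaluates sudoCommand with the paranoid rule, skips the ignored negations when matching users and hosts, and lists them so an administrator can find roles that silently grant more than intended. The LDIF reader, the fnmatch-based command matching and every function name are this example's own simplifications of what sudo does.

```python
"""
Simulation of the sudoRole matching rules described above (added example,
not sudo's own code): a negated sudoCommand wins no matter where LDAP
returns it ("paranoid" behaviour), while negations in sudoUser, sudoHost
and sudoRunAs* are ignored.  Includes a minimal LDIF reader and a lint that
reports those ignored negations.
"""
import fnmatch
from collections import defaultdict

# Constructed LDIF after the role2 and "!joe"/"!web01" fragments in the text.
SAMPLE_LDIF = """\
# LDAP equivalent of puddles: ALL and !/bin/sh, in either order
dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
objectClass: sudoRole
sudoUser: puddles
sudoHost: ALL
sudoCommand: !/bin/sh
sudoCommand: ALL

# intended "everyone but joe, on every host but web01"; does not work
dn: cn=notjoe,ou=Sudoers,dc=my-domain,dc=com
objectClass: sudoRole
sudoUser: ALL
sudoUser: !joe
sudoHost: ALL
sudoHost: !web01
sudoCommand: /usr/bin/id
"""


def parse_ldif(text):
    """Return a list of entries, each a dict attribute -> list of values.
    Only the plain 'attr: value' form is handled (no base64, no folding)."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("#"):
            continue
        if not line:                      # a blank line terminates an entry
            if cur is not None:
                entries.append(cur)
                cur = None
            continue
        attr, _, value = line.partition(":")
        if cur is None:
            cur = defaultdict(list)
        cur[attr.strip()].append(value.strip())
    if cur is not None:
        entries.append(cur)
    return entries


def _positive_values(role, attr):
    """Values of attr with negated ('!') ones dropped, which is what the
    LDAP code effectively does for User/Host/RunAs."""
    return [v for v in role.get(attr, []) if not v.startswith("!")]


def user_matches(role, user, groups=()):
    """sudoUser: ALL, a user name, or %group (netgroup/#uid forms omitted)."""
    for val in _positive_values(role, "sudoUser"):
        if val == "ALL" or val == user:
            return True
        if val.startswith("%") and val[1:] in groups:
            return True
    return False


def host_matches(role, host):
    """sudoHost: ALL or an exact host name (IP and netgroup forms omitted)."""
    return any(v == "ALL" or v == host
               for v in _positive_values(role, "sudoHost"))


def command_allowed(role, cmd):
    """Paranoid evaluation: a matching negated sudoCommand denies regardless
    of attribute order; otherwise the command is allowed if any value matches.
    Command arguments are ignored and globbing is approximated with fnmatch."""
    allowed = False
    for val in role.get("sudoCommand", []):
        negated = val.startswith("!")
        pattern = val[1:] if negated else val
        if pattern == "ALL" or fnmatch.fnmatchcase(cmd, pattern):
            if negated:
                return False
            allowed = True
    return allowed


def lint_ignored_negations(entries):
    """(dn, attribute, value) for every negation sudo's LDAP code ignores."""
    findings = []
    for e in entries:
        for attr in ("sudoUser", "sudoHost", "sudoRunAsUser", "sudoRunAsGroup"):
            for val in e.get(attr, []):
                if val.startswith("!"):
                    findings.append((e["dn"][0], attr, val))
    return findings


if __name__ == "__main__":
    roles = parse_ldif(SAMPLE_LDIF)
    for dn, attr, val in lint_ignored_negations(roles):
        print("%s: %s %s is ignored by sudo's LDAP code" % (dn, attr, val))
```

Running the lint over an export of the SUDOers container (ldapsearch output in LDIF form) is the practical use: any hit means the role matches more users or hosts than its author believed, and the intended exclusion should be expressed by narrowing sudoUser/sudoHost instead.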
Sudoers Schema

In order to use sudo's LDAP support, the sudo schema must be installed
on your LDAP server. In addition, be sure to index the 'sudoUser'

Three versions of the schema: one for OpenLDAP servers
(schema.OpenLDAP), one for Netscape-derived servers (schema.iPlanet),
and one for Microsoft Active Directory (schema.ActiveDirectory) may be
found in the sudo distribution.

The schema for sudo in OpenLDAP form is included in the EXAMPLES

Configuring ldap.conf

Sudo reads the @ldap_conf@ file for LDAP-specific configuration.
Typically, this file is shared amongst different LDAP-aware clients.
As such, most of the settings are not sudo-specific. Note that sudo
parses @ldap_conf@ itself and may support options that differ from
those described in the ldap.conf(4) manual.

Also note that on systems using the OpenLDAP libraries, default values
specified in /etc/openldap/ldap.conf or the user's .ldaprc files are

Only those options explicitly listed in @ldap_conf@ that are supported
by sudo are honored. Configuration options are listed below in upper
case but are parsed in a case-independent manner.

URI ldap[s]://[hostname[:port]] ...
    Specifies a whitespace-delimited list of one or more URIs
    describing the LDAP server(s) to connect to. The protocol may be
    either ldap or ldaps, the latter being for servers that support TLS
    (SSL) encryption. If no port is specified, the default is port 389
    for ldap:// or port 636 for ldaps://. If no hostname is specified,
    sudo will connect to localhost. Only systems using the OpenSSL
    libraries support the mixing of ldap:// and ldaps:// URIs. The
    Netscape-derived libraries used on most commercial versions of Unix
    are only capable of supporting one or the other.

HOST name[:port] ...
    If no URI is specified, the HOST parameter specifies a whitespace-
    delimited list of LDAP servers to connect to. Each host may
    include an optional port separated by a colon (':'). The HOST
    parameter is deprecated in favor of the URI specification and is
    included for backwards compatibility.

PORT port_number
    If no URI is specified, the PORT parameter specifies the default
    port to connect to on the LDAP server if a HOST parameter does not
    specify the port itself. If no PORT parameter is used, the default
    is port 389 for LDAP and port 636 for LDAP over TLS (SSL). The
    PORT parameter is deprecated in favor of the URI specification and
    is included for backwards compatibility.

BIND_TIMELIMIT seconds
    The BIND_TIMELIMIT parameter specifies the amount of time, in
    seconds, to wait while trying to connect to an LDAP server. If
    multiple URIs or HOSTs are specified, this is the amount of time to
    wait before trying the next one in the list.

TIMELIMIT seconds
    The TIMELIMIT parameter specifies the amount of time, in seconds,
    to wait for a response to an LDAP query.

SUDOERS_BASE base
    The base DN to use when performing sudo LDAP queries. Typically
    this is of the form ou=SUDOers,dc=example,dc=com for the domain

SUDOERS_DEBUG debug_level
    This sets the debug level for sudo LDAP queries. Debugging
    information is printed to the standard error. A value of 1 results
    in a moderate amount of debugging information. A value of 2 shows
    the results of the matches themselves. This parameter should not
    be set in a production environment as the extra information is
    likely to confuse users.

BINDDN DN
    The BINDDN parameter specifies the identity, in the form of a
    Distinguished Name (DN), to use when performing LDAP operations.
    If not specified, LDAP operations are performed with an anonymous
    identity. By default, most LDAP servers will allow anonymous

BINDPW secret
    The BINDPW parameter specifies the password to use when performing
    LDAP operations. This is typically used in conjunction with the
    BINDDN parameter.

ROOTBINDDN DN
    The ROOTBINDDN parameter specifies the identity, in the form of a
    Distinguished Name (DN), to use when performing privileged LDAP
    operations, such as sudoers queries. The password corresponding to
    the identity should be stored in @ldap_secret@. If not specified,
    the BINDDN identity is used (if any).

LDAP_VERSION number
    The version of the LDAP protocol to use when connecting to the
    server. The default value is protocol version 3.

SSL on/true/yes/off/false/no
    If the SSL parameter is set to on, true or yes, TLS (SSL)
    encryption is always used when communicating with the LDAP server.
    Typically, this involves connecting to the server on port 636

SSL start_tls
    If the SSL parameter is set to start_tls, the LDAP server
    connection is initiated normally and TLS encryption is begun before
    the bind credentials are sent. This has the advantage of not
    requiring a dedicated port for encrypted communications. This
    parameter is only supported by LDAP servers that honor the
    start_tls extension, such as the OpenLDAP server.

TLS_CHECKPEER on/true/yes/off/false/no
    If enabled, TLS_CHECKPEER will cause the LDAP server's TLS
    certificate to be verified. If the server's TLS certificate
    cannot be verified (usually because it is signed by an unknown
    certificate authority), sudo will be unable to connect to it. If
    TLS_CHECKPEER is disabled, no check is made.

TLS_CACERTFILE file name
    The path to a certificate authority bundle which contains the
    certificates for all the Certificate Authorities the client knows
    to be valid, e.g. /etc/ssl/ca-bundle.pem. This option is only
    supported by the OpenLDAP libraries.

TLS_CACERTDIR directory
    Similar to TLS_CACERTFILE but instead of a file, it is a directory
    containing individual Certificate Authority certificates, e.g.
    /etc/ssl/certs. The directory specified by TLS_CACERTDIR is
    checked after TLS_CACERTFILE. This option is only supported by the

TLS_CERT file name
    The path to a file containing the client certificate which can be
    used to authenticate the client to the LDAP server. The
    certificate type depends on the LDAP libraries used.

        tls_cert /etc/ssl/client_cert.pem

        tls_cert /var/ldap/cert7.db

    When using Netscape-derived libraries, this file may also contain
    Certificate Authority certificates.

TLS_KEY file name
    The path to a file containing the private key which matches the
    certificate specified by TLS_CERT. The private key must not be
    password-protected. The key type depends on the LDAP libraries

        tls_key /etc/ssl/client_key.pem

        tls_key /var/ldap/key3.db

TLS_RANDFILE file name
    The TLS_RANDFILE parameter specifies the path to an entropy source
    for systems that lack a random device. It is generally used in
    conjunction with prngd or egd. This option is only supported by
    the OpenLDAP libraries.

TLS_CIPHERS cipher list
    The TLS_CIPHERS parameter allows the administrator to restrict which
    encryption algorithms may be used for TLS (SSL) connections. See
    the OpenSSL manual for a list of valid ciphers. This option is
    only supported by the OpenLDAP libraries.

USE_SASL on/true/yes/off/false/no
    Enable USE_SASL for LDAP servers that support SASL authentication.

SASL_AUTH_ID identity
    The SASL user name to use when connecting to the LDAP server. By
    default, sudo will use an anonymous connection.

ROOTUSE_SASL on/true/yes/off/false/no
    Enable ROOTUSE_SASL to enable SASL authentication when connecting
    to an LDAP server from a privileged process, such as sudo.

ROOTSASL_AUTH_ID identity
    The SASL user name to use when ROOTUSE_SASL is enabled.

SASL_SECPROPS none/properties
    SASL security properties or none for no properties. See the SASL
    programmer's manual for details.

KRB5_CCNAME file name
    The path to the Kerberos 5 credential cache to use when
    authenticating with the remote server.

See the ldap.conf entry in the EXAMPLES section.
Configuring nsswitch.conf

Unless it is disabled at build time, sudo consults the Name Service
Switch file, @nsswitch_conf@, to specify the sudoers search order.
Sudo looks for a line beginning with sudoers: and uses this to
determine the search order. Note that sudo does not stop searching
after the first match and later matches take precedence over earlier

The following sources are recognized:

    files   read sudoers from /etc/sudoers
    ldap    read sudoers from LDAP

In addition, the entry [NOTFOUND=return] will short-circuit the search
if the user was not found in the preceding source.

To consult LDAP first followed by the local sudoers file (if it

The local sudoers file can be ignored completely by using:

If the @nsswitch_conf@ file is not present or there is no sudoers line,
the following default is assumed:

Note that @nsswitch_conf@ is supported even when the underlying
operating system does not use an nsswitch.conf file.
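The search-order semantics just described (every listed source is consulted, a later match overrides an earlier one, and [NOTFOUND=return] stops the walk when the preceding source had no entry for the user) can be modelled directly. The script below is an added example, not sudo's parser: it extracts the sudoers: line from a constructed nsswitch.conf, validates the tokens against the two sources the page recognizes, and walks the order using caller-supplied lookup results in place of real files or an LDAP server. The function names and the decision to reject unknown sources are this example's own choices.

```python
"""
Resolve and walk the sudoers search order from an nsswitch.conf
"sudoers:" line (added example, not sudo's own code).  Per-source lookup
results are supplied by the caller, so nothing here touches /etc/sudoers
or an LDAP server.
"""

KNOWN_SOURCES = {"files", "ldap"}
DEFAULT_ORDER = ["files"]        # assumed when no sudoers: line exists

# Constructed nsswitch.conf; the commented line shows the plain two-source form.
SAMPLE_NSSWITCH = """\
passwd: files ldap
group:  files ldap
# sudoers: ldap files      would consult both and let the files match win
sudoers: ldap [NOTFOUND=return] files
"""


def parse_sudoers_line(nsswitch_text):
    """Return the token list of the 'sudoers:' line, e.g.
    ['ldap', '[NOTFOUND=return]', 'files'], or DEFAULT_ORDER if absent.
    Unknown sources or actions raise ValueError (this example's choice)."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line.startswith("sudoers:"):
            continue
        tokens = line[len("sudoers:"):].split()
        for tok in tokens:
            if tok.startswith("["):
                if tok.lower() != "[notfound=return]":
                    raise ValueError("unsupported action: " + tok)
            elif tok not in KNOWN_SOURCES:
                raise ValueError("unknown sudoers source: " + tok)
        return tokens
    return list(DEFAULT_ORDER)


def search(tokens, lookups):
    """Walk the sources in order.  `lookups` maps source -> the user's
    entry there (None if the user has no entry).  Returns
    (sources consulted, winning entry): a later match overrides an earlier
    one, and [NOTFOUND=return] ends the walk when the preceding source
    did not find the user."""
    consulted, winner, last_found = [], None, None
    for tok in tokens:
        if tok.startswith("["):
            if last_found is False:
                break
            continue
        consulted.append(tok)
        entry = lookups.get(tok)
        last_found = entry is not None
        if last_found:
            winner = entry
    return consulted, winner


if __name__ == "__main__":
    order = parse_sudoers_line(SAMPLE_NSSWITCH)
    print(search(order, {"ldap": "role from LDAP", "files": "rule from /etc/sudoers"}))
    print(search(order, {"ldap": None, "files": "rule from /etc/sudoers"}))
```

The second call in the usage block is the point of [NOTFOUND=return]: a user with no LDAP role never reaches the local file, so a stray local rule cannot widen what the directory grants. Without the action, both sources are read and the later one wins, which is the behaviour to keep in mind when the local file is meant to be subordinate to LDAP.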
FILES
    @ldap_conf@         LDAP configuration file
    @nsswitch_conf@     determines sudoers source order

EXAMPLES
Example ldap.conf

    # Either specify one or more URIs or one or more host:port pairs.
    # If neither is specified sudo will default to localhost, port 389.

    #host ldapserver1 ldapserver2:390

    # Default port if host is specified without one, defaults to 389.

    # URI will override the host and port settings.
    uri ldap://ldapserver
    #uri ldaps://secureldapserver
    #uri ldaps://secureldapserver ldap://ldapserver

    # The amount of time, in seconds, to wait while trying to connect to

    # The amount of time, in seconds, to wait while performing an LDAP query.

    # must be set or sudo will ignore LDAP
    sudoers_base ou=SUDOers,dc=example,dc=com

    # verbose sudoers matching from ldap

    # optional proxy credentials
    #binddn <who to search as>

    #rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>

    # LDAP protocol version, defaults to 3

    # Define if you want to use an encrypted LDAP connection.
    # Typically, you must also set the port to 636 (ldaps).

    # Define if you want to use port 389 and switch to
    # encryption before the bind credentials are sent.
    # Only supported by LDAP servers that support the start_tls
    # extension such as OpenLDAP.

    # Additional TLS options follow that allow tweaking of the
    # SSL/TLS connection.

    #tls_checkpeer yes # verify server SSL certificate
    #tls_checkpeer no # ignore server SSL certificate

    # If you enable tls_checkpeer, specify either tls_cacertfile
    # or tls_cacertdir. Only supported when using OpenLDAP.

    #tls_cacertfile /etc/certs/trusted_signers.pem
    #tls_cacertdir /etc/certs

    # For systems that don't have /dev/random
    # use this along with PRNGD or EGD.pl to seed the
    # random number pool to generate cryptographic session keys.
    # Only supported when using OpenLDAP.

    #tls_randfile /etc/egd-pool

    # You may restrict which ciphers are used. Consult your SSL
    # documentation for which options go here.
    # Only supported when using OpenLDAP.

    #tls_ciphers <cipher-list>

    # Sudo can provide a client certificate when communicating to

    # * Enable both lines at the same time.
    # * Do not password protect the key file.
    # * Ensure the keyfile is only readable by root.

    #tls_cert /etc/certs/client_cert.pem
    #tls_key /etc/certs/client_key.pem

    # For SunONE or iPlanet LDAP, the file specified by tls_cert may
    # contain CA certs and/or the client's cert. If the client's
    # cert is included, tls_key should be specified as well.
    # For backward compatibility, sslpath may be used in place of tls_cert.
    #tls_cert /var/ldap/cert7.db
    #tls_key /var/ldap/key3.db

    # If using SASL authentication for LDAP (OpenSSL)

    # sasl_auth_id <SASL username>

    # rootsasl_auth_id <SASL username for root access>

    # krb5_ccname /etc/.ldapcache
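The parameter list in "Configuring ldap.conf" and the example file above together give everything needed to check a deployed ldap.conf for the settings that matter to sudo: keys are case-independent, only the options sudo knows are honored, sudoers_base is mandatory, and the ssl/uri/tls_checkpeer combination decides whether sudoers data and bind credentials cross the network protected. The Python linter below is an added example and not sudo's own parser; the weak and hardened configurations it runs over are constructed, the trailing-comment handling and the treatment of an absent tls_checkpeer as "not enabled" are this example's assumptions, and the function names are its own.

```python
"""
Lint an ldap.conf the way sudo reads it (added example, not sudo's parser):
case-insensitive keys, only known options honored, and a few checks on the
settings that decide whether the LDAP session is protected.
"""

# Options named in the sudoers.ldap(4) text, lower-cased.
KNOWN = {
    "uri", "host", "port", "bind_timelimit", "timelimit", "sudoers_base",
    "sudoers_debug", "binddn", "bindpw", "rootbinddn", "ldap_version",
    "ssl", "tls_checkpeer", "tls_cacertfile", "tls_cacertdir", "tls_cert",
    "tls_key", "tls_randfile", "tls_ciphers", "use_sasl", "sasl_auth_id",
    "rootuse_sasl", "rootsasl_auth_id", "sasl_secprops", "krb5_ccname",
}
TRUE = {"on", "true", "yes"}

# Constructed configurations: one with typical weaknesses, one hardened.
WEAK_CONF = """\
uri ldap://ldapserver
sudoers_base ou=SUDOers,dc=example,dc=com
binddn cn=proxy,dc=example,dc=com
bindpw s3cret
sudoers_debug 2
tls_checkpeer no
nonsense_option foo
"""

HARDENED_CONF = """\
URI ldaps://secureldapserver
SUDOERS_BASE ou=SUDOers,dc=example,dc=com
ssl on
tls_checkpeer yes            # verify server certificate
tls_cacertfile /etc/certs/trusted_signers.pem
rootbinddn cn=sudo,dc=example,dc=com
"""


def parse_ldap_conf(text):
    """Return (settings, unknown): settings maps lower-cased option -> value;
    unknown lists option names sudo would not honor."""
    settings, unknown = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # assumption: " #" starts a trailing comment, as in the example file
        line = line.split(" #", 1)[0].rstrip()
        key, _, value = line.partition(" ")
        key = key.lower()                   # parsed case-independently
        if key in KNOWN:
            settings[key] = value.strip()
        else:
            unknown.append(key)
    return settings, unknown


def is_encrypted(s):
    """TLS is in use if ssl is on/start_tls, or every URI is ldaps://."""
    ssl = s.get("ssl", "").lower()
    if ssl in TRUE or ssl == "start_tls":
        return True
    uris = s.get("uri", "").split()
    return bool(uris) and all(u.lower().startswith("ldaps://") for u in uris)


def lint(text):
    """Return a list of (severity, message) findings for an ldap.conf."""
    s, unknown = parse_ldap_conf(text)
    findings = [("info", "option '%s' is not honored by sudo" % k) for k in unknown]
    if "sudoers_base" not in s:
        findings.append(("error", "sudoers_base missing: sudo will ignore LDAP"))
    if not is_encrypted(s):
        findings.append(("warn", "no TLS: sudoers rules and any bind "
                                 "credentials cross the network unencrypted"))
    elif s.get("tls_checkpeer", "").lower() not in TRUE:
        findings.append(("warn", "tls_checkpeer not enabled: the server "
                                 "certificate is not verified"))
    elif not (s.get("tls_cacertfile") or s.get("tls_cacertdir")):
        findings.append(("warn", "tls_checkpeer enabled but neither "
                                 "tls_cacertfile nor tls_cacertdir is set"))
    if "bindpw" in s:
        findings.append(("info", "bindpw kept in the shared ldap.conf; prefer "
                                 "rootbinddn with the password in ldap.secret"))
    if s.get("sudoers_debug", "0") not in ("", "0"):
        findings.append(("warn", "sudoers_debug is set: not for production"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, lint(conf) or "no findings")
```

Because ldap.conf is normally shared with other LDAP clients, the bindpw finding is the one most often overlooked: the page's rootbinddn mechanism keeps the privileged password out of the shared file, and the file permissions on ldap.secret can then be restricted to root alone.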
Sudo schema for OpenLDAP

The following schema is in OpenLDAP format. Simply copy it to the
schema directory (e.g. /etc/openldap/schema), add the proper include
line in slapd.conf and restart slapd.

    attributetype ( 1.3.6.1.4.1.15953.9.1.1
        DESC 'User(s) who may run sudo'
        EQUALITY caseExactIA5Match
        SUBSTR caseExactIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

    attributetype ( 1.3.6.1.4.1.15953.9.1.2
        DESC 'Host(s) who may run sudo'
        EQUALITY caseExactIA5Match
        SUBSTR caseExactIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

    attributetype ( 1.3.6.1.4.1.15953.9.1.3
        DESC 'Command(s) to be executed by sudo'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

    attributetype ( 1.3.6.1.4.1.15953.9.1.4
        DESC 'User(s) impersonated by sudo'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

    attributetype ( 1.3.6.1.4.1.15953.9.1.5
        DESC 'Options(s) followed by sudo'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

    attributetype ( 1.3.6.1.4.1.15953.9.1.6
        DESC 'User(s) impersonated by sudo'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

    attributetype ( 1.3.6.1.4.1.15953.9.1.7
        NAME 'sudoRunAsGroup'
        DESC 'Group(s) impersonated by sudo'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

    objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
        DESC 'Sudoer Entries'
        MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
              sudoRunAsGroup $ sudoOption $ description )

Add nsswitch.conf example? Add more exhaustive sudoers ldif example?

SEE ALSO
ldap.conf(4), sudoers(5)

CAVEATS
Note that there are differences in the way that LDAP-based sudoers is
parsed compared to file-based sudoers. See the "Differences between
LDAP and non-LDAP sudoers" section for more information.

BUGS
If you feel you have found a bug in sudo, please submit a bug report at
http://www.sudo.ws/sudo/bugs/

SUPPORT
Limited free support is available via the sudo-users mailing list, see
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search

DISCLAIMER
sudo is provided ``AS IS'' and any express or implied warranties,
including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose are disclaimed.
See the LICENSE file distributed with sudo or
http://www.sudo.ws/sudo/license.html for complete details.