-.\" Copyright (c) 2003-2008
+.\" Copyright (c) 2003-2010
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $Sudo: sudoers.ldap.man.in,v 1.11 2008/10/24 13:52:19 millert Exp $
-.\" Automatically generated by Pod::Man 2.16 (Pod::Simple 3.05)
+.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
.\"
.\" Standard preamble:
.\" ========================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
-.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
.\" ========================================================================
.\"
.IX Title "SUDOERS.LDAP @mansectform@"
-.TH SUDOERS.LDAP @mansectform@ "October 24, 2008" "1.7.0" "MAINTENANCE COMMANDS"
+.TH SUDOERS.LDAP @mansectform@ "July 12, 2010" "1.7.4" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
In addition to the standard \fIsudoers\fR file, \fBsudo\fR may be configured
-via \s-1LAP\s0. This can be especially useful for synchronizing \fIsudoers\fR
+via \s-1LDAP\s0. This can be especially useful for synchronizing \fIsudoers\fR
in a large, distributed environment.
.PP
Using \s-1LDAP\s0 for \fIsudoers\fR has several benefits:
this will not prevent \fBsudo\fR from running.
.IP "\(bu" 4
It is possible to specify per-entry options that override the global
-default options. \fI\f(CI@sysconfdir\fI@/sudoers\fR only supports default options and
+default options. \fI@sysconfdir@/sudoers\fR only supports default options and
limited options associated with user/host/commands/aliases. The
syntax is complicated and can be difficult for users to understand.
Placing the options directly in the entry is more natural.
.IP "\(bu" 4
The \fBvisudo\fR program is no longer needed. \fBvisudo\fR provides
-locking and syntax checking of the \fI\f(CI@sysconfdir\fI@/sudoers\fR file.
+locking and syntax checking of the \fI@sysconfdir@/sudoers\fR file.
Since \s-1LDAP\s0 updates are atomic, locking is no longer necessary.
Because syntax is checked when the data is inserted into \s-1LDAP\s0, there
is no need for a specialized tool to check syntax.
a Cmnd_Alias that is referenced by multiple users, one can create
a sudoRole that contains the commands and assign multiple users
to it.
-.Sh "SUDOers \s-1LDAP\s0 container"
+.SS "SUDOers \s-1LDAP\s0 container"
.IX Subsection "SUDOers LDAP container"
The \fIsudoers\fR configuration is contained in the \f(CW\*(C`ou=SUDOers\*(C'\fR \s-1LDAP\s0
container.
.PP
Sudo first looks for the \f(CW\*(C`cn=default\*(C'\fR entry in the SUDOers container.
If found, the multi-valued \f(CW\*(C`sudoOption\*(C'\fR attribute is parsed in the
-same manner as a global \f(CW\*(C`Defaults\*(C'\fR line in \fI\f(CI@sysconfdir\fI@/sudoers\fR. In
+same manner as a global \f(CW\*(C`Defaults\*(C'\fR line in \fI@sysconfdir@/sudoers\fR. In
the following example, the \f(CW\*(C`SSH_AUTH_SOCK\*(C'\fR variable will be preserved
in the environment for all users.
.PP
\& sudoHost: ALL
\& sudoCommand: ALL
.Ve
-.Sh "Anatomy of \s-1LDAP\s0 sudoers lookup"
+.SS "Anatomy of \s-1LDAP\s0 sudoers lookup"
.IX Subsection "Anatomy of LDAP sudoers lookup"
When looking up a sudoer using \s-1LDAP\s0 there are only two or three
\&\s-1LDAP\s0 queries per invocation. The first query is to parse the global
in this query too.) If no match is returned for the user's name
and groups, a third query returns all entries containing user
netgroups and checks to see if the user belongs to any of them.
-.Sh "Differences between \s-1LDAP\s0 and non-LDAP sudoers"
+.SS "Differences between \s-1LDAP\s0 and non-LDAP sudoers"
.IX Subsection "Differences between LDAP and non-LDAP sudoers"
There are some subtle differences in the way sudoers is handled
once in \s-1LDAP\s0. Probably the biggest is that according to the \s-1RFC\s0,
\& sudoHost: ALL
\& sudoHost: !web01
.Ve
-.Sh "Sudoers Schema"
+.SS "Sudoers Schema"
.IX Subsection "Sudoers Schema"
In order to use \fBsudo\fR's \s-1LDAP\s0 support, the \fBsudo\fR schema must be
installed on your \s-1LDAP\s0 server. In addition, be sure to index the
.PP
The schema for \fBsudo\fR in OpenLDAP form is included in the \s-1EXAMPLES\s0
section.
-.Sh "Configuring ldap.conf"
+.SS "Configuring ldap.conf"
.IX Subsection "Configuring ldap.conf"
-Sudo reads the \fI\f(CI@ldap_conf\fI@\fR file for LDAP-specific configuration.
+Sudo reads the \fI@ldap_conf@\fR file for LDAP-specific configuration.
Typically, this file is shared amongst different LDAP-aware clients.
As such, most of the settings are not \fBsudo\fR\-specific. Note that
-\&\fBsudo\fR parses \fI\f(CI@ldap_conf\fI@\fR itself and may support options
+\&\fBsudo\fR parses \fI@ldap_conf@\fR itself and may support options
that differ from those described in the \fIldap.conf\fR\|(@mansectform@) manual.
.PP
Also note that on systems using the OpenLDAP libraries, default
values specified in \fI/etc/openldap/ldap.conf\fR or the user's
\&\fI.ldaprc\fR files are not used.
.PP
-Only those options explicitly listed in \fI\f(CI@ldap_conf\fI@\fR that are
+Only those options explicitly listed in \fI@ldap_conf@\fR that are
supported by \fBsudo\fR are honored. Configuration options are listed
below in upper case but are parsed in a case-independent manner.
.IP "\fB\s-1URI\s0\fR ldap[s]://[hostname[:port]] ..." 4
.IX Item "URI ldap[s]://[hostname[:port]] ..."
Specifies a whitespace-delimited list of one or more URIs describing
-the \s-1LDAP\s0 server(s) to connect to. The \fIprotocol\fR may be either \fBldap\fR
-or \fBldaps\fR, the latter being for servers that support \s-1TLS\s0 (\s-1SSL\s0)
-encryption. If no \fIport\fR is specified, the default is port 389 for
-\&\f(CW\*(C`ldap://\*(C'\fR or port 636 for \f(CW\*(C`ldaps://\*(C'\fR. If no \fIhostname\fR is specified,
-\&\fBsudo\fR will connect to \fBlocalhost\fR. Only systems using the OpenSSL
-libraries support the mixing of \f(CW\*(C`ldap://\*(C'\fR and \f(CW\*(C`ldaps://\*(C'\fR URIs.
-The Netscape-derived libraries used on most commercial versions of
-Unix are only capable of supporting one or the other.
+the \s-1LDAP\s0 server(s) to connect to. The \fIprotocol\fR may be either
+\&\fBldap\fR or \fBldaps\fR, the latter being for servers that support \s-1TLS\s0
+(\s-1SSL\s0) encryption. If no \fIport\fR is specified, the default is port
+389 for \f(CW\*(C`ldap://\*(C'\fR or port 636 for \f(CW\*(C`ldaps://\*(C'\fR. If no \fIhostname\fR
+is specified, \fBsudo\fR will connect to \fBlocalhost\fR. Multiple \fB\s-1URI\s0\fR
+lines are treated identically to a \fB\s-1URI\s0\fR line containing multiple
+entries. Only systems using the OpenSSL libraries support the
+mixing of \f(CW\*(C`ldap://\*(C'\fR and \f(CW\*(C`ldaps://\*(C'\fR URIs. The Netscape-derived
+libraries used on most commercial versions of Unix are only capable
+of supporting one or the other.
.IP "\fB\s-1HOST\s0\fR name[:port] ..." 4
.IX Item "HOST name[:port] ..."
If no \fB\s-1URI\s0\fR is specified, the \fB\s-1HOST\s0\fR parameter specifies a
.IX Item "SUDOERS_BASE base"
The base \s-1DN\s0 to use when performing \fBsudo\fR \s-1LDAP\s0 queries. Typically
this is of the form \f(CW\*(C`ou=SUDOers,dc=example,dc=com\*(C'\fR for the domain
-\&\f(CW\*(C`example.com\*(C'\fR.
+\&\f(CW\*(C`example.com\*(C'\fR. Multiple \fB\s-1SUDOERS_BASE\s0\fR lines may be specified,
+in which case they are queried in the order specified.
.IP "\fB\s-1SUDOERS_DEBUG\s0\fR debug_level" 4
.IX Item "SUDOERS_DEBUG debug_level"
This sets the debug level for \fBsudo\fR \s-1LDAP\s0 queries. Debugging
The \fB\s-1ROOTBINDDN\s0\fR parameter specifies the identity, in the form of
a Distinguished Name (\s-1DN\s0), to use when performing privileged \s-1LDAP\s0
operations, such as \fIsudoers\fR queries. The password corresponding
-to the identity should be stored in \fI\f(CI@ldap_secret\fI@\fR.
+to the identity should be stored in \fI@ldap_secret@\fR.
If not specified, the \fB\s-1BINDDN\s0\fR identity is used (if any).
.IP "\fB\s-1LDAP_VERSION\s0\fR number" 4
.IX Item "LDAP_VERSION number"
certificated to be verified. If the server's \s-1TLS\s0 certificate cannot
be verified (usually because it is signed by an unknown certificate
authority), \fBsudo\fR will be unable to connect to it. If \fB\s-1TLS_CHECKPEER\s0\fR
-is disabled, no check is made.
+is disabled, no check is made. Note that disabling the check creates
+an opportunity for man-in-the-middle attacks since the server's
+identity will not be authenticated. If possible, the \s-1CA\s0's certificate
+should be installed locally so it can be verified.
+.IP "\fB\s-1TLS_CACERT\s0\fR file name" 4
+.IX Item "TLS_CACERT file name"
+An alias for \fB\s-1TLS_CACERTFILE\s0\fR.
.IP "\fB\s-1TLS_CACERTFILE\s0\fR file name" 4
.IX Item "TLS_CACERTFILE file name"
The path to a certificate authority bundle which contains the certificates
for all the Certificate Authorities the client knows to be valid,
e.g. \fI/etc/ssl/ca\-bundle.pem\fR.
This option is only supported by the OpenLDAP libraries.
+Netscape-derived \s-1LDAP\s0 libraries use the same certificate
+database for \s-1CA\s0 and client certificates (see \fB\s-1TLS_CERT\s0\fR).
.IP "\fB\s-1TLS_CACERTDIR\s0\fR directory" 4
.IX Item "TLS_CACERTDIR directory"
Similar to \fB\s-1TLS_CACERTFILE\s0\fR but instead of a file, it is a
with the remote server.
.PP
See the \f(CW\*(C`ldap.conf\*(C'\fR entry in the \s-1EXAMPLES\s0 section.
-.Sh "Configuring nsswitch.conf"
+.SS "Configuring nsswitch.conf"
.IX Subsection "Configuring nsswitch.conf"
Unless it is disabled at build time, \fBsudo\fR consults the Name
-Service Switch file, \fI\f(CI@nsswitch_conf\fI@\fR, to specify the \fIsudoers\fR
-search order. Sudo looks for a line beginning with \f(CW\*(C`sudoers:\*(C'\fR and
+Service Switch file, \fI@nsswitch_conf@\fR, to specify the \fIsudoers\fR
+search order. Sudo looks for a line beginning with \f(CW\*(C`sudoers\*(C'\fR: and
uses this to determine the search order. Note that \fBsudo\fR does
not stop searching after the first match and later matches take
precedence over earlier ones.
\& sudoers: ldap
.Ve
.PP
-If the \fI\f(CI@nsswitch_conf\fI@\fR file is not present or there is no
+If the \fI@nsswitch_conf@\fR file is not present or there is no
sudoers line, the following default is assumed:
.PP
.Vb 1
\& sudoers: files
.Ve
.PP
-Note that \fI\f(CI@nsswitch_conf\fI@\fR is supported even when the underlying
+Note that \fI@nsswitch_conf@\fR is supported even when the underlying
operating system does not use an nsswitch.conf file.
+.SS "Configuring netsvc.conf"
+.IX Subsection "Configuring netsvc.conf"
+On \s-1AIX\s0 systems, the \fI@netsvc_conf@\fR file is consulted instead of
+\&\fI@nsswitch_conf@\fR. \fBsudo\fR simply treats \fInetsvc.conf\fR as a
+variant of \fInsswitch.conf\fR; information in the previous section
+unrelated to the file format itself still applies.
+.PP
+To consult \s-1LDAP\s0 first followed by the local sudoers file (if it
+exists), use:
+.PP
+.Vb 1
+\& sudoers = ldap, files
+.Ve
+.PP
+The local \fIsudoers\fR file can be ignored completely by using:
+.PP
+.Vb 1
+\& sudoers = ldap
+.Ve
+.PP
+To treat \s-1LDAP\s0 as authoratative and only use the local sudoers file
+if the user is not present in \s-1LDAP\s0, use:
+.PP
+.Vb 1
+\& sudoers = ldap = auth, files
+.Ve
+.PP
+Note that in the above example, the \f(CW\*(C`auth\*(C'\fR qualfier only affects
+user lookups; both \s-1LDAP\s0 and \fIsudoers\fR will be queried for \f(CW\*(C`Defaults\*(C'\fR
+entries.
+.PP
+If the \fI@netsvc_conf@\fR file is not present or there is no
+sudoers line, the following default is assumed:
+.PP
+.Vb 1
+\& sudoers = files
+.Ve
.SH "FILES"
.IX Header "FILES"
-.ie n .IP "\fI\fI@ldap_conf\fI@\fR" 24
-.el .IP "\fI\f(CI@ldap_conf\fI@\fR" 24
+.ie n .IP "\fI@ldap_conf@\fR" 24
+.el .IP "\fI@ldap_conf@\fR" 24
.IX Item "@ldap_conf@"
\&\s-1LDAP\s0 configuration file
-.ie n .IP "\fI\fI@nsswitch_conf\fI@\fR" 24
-.el .IP "\fI\f(CI@nsswitch_conf\fI@\fR" 24
+.ie n .IP "\fI@nsswitch_conf@\fR" 24
+.el .IP "\fI@nsswitch_conf@\fR" 24
.IX Item "@nsswitch_conf@"
determines sudoers source order
+.ie n .IP "\fI@netsvc_conf@\fR" 24
+.el .IP "\fI@netsvc_conf@\fR" 24
+.IX Item "@netsvc_conf@"
+determines sudoers source order on \s-1AIX\s0
.SH "EXAMPLES"
.IX Header "EXAMPLES"
-.Sh "Example ldap.conf"
+.SS "Example ldap.conf"
.IX Subsection "Example ldap.conf"
.Vb 10
\& # Either specify one or more URIs or one or more host:port pairs.
\& # The amount of time, in seconds, to wait while performing an LDAP query.
\& timelimit 30
\& #
-\& # must be set or sudo will ignore LDAP
+\& # Must be set or sudo will ignore LDAP; may be specified multiple times.
\& sudoers_base ou=SUDOers,dc=example,dc=com
\& #
\& # verbose sudoers matching from ldap
\& #tls_cert /etc/certs/client_cert.pem
\& #tls_key /etc/certs/client_key.pem
\& #
-\& # For SunONE or iPlanet LDAP, the file specified by tls_cert may
-\& # contain CA certs and/or the client\*(Aqs cert. If the client\*(Aqs
-\& # cert is included, tls_key should be specified as well.
-\& # For backward compatibility, sslpath may be used in place of tls_cert.
-\& #tls_cert /var/ldap/cert7.db
-\& #tls_key /var/ldap/key3.db
+\& # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
+\& # a directory, in which case the files in the directory must have the
+\& # default names (e.g. cert8.db and key4.db), or the path to the cert
+\& # and key files themselves. However, a bug in version 5.0 of the LDAP
+\& # SDK will prevent specific file names from working. For this reason
+\& # it is suggested that tls_cert and tls_key be set to a directory,
+\& # not a file name.
+\& #
+\& # The certificate database specified by tls_cert may contain CA certs
+\& # and/or the client\*(Aqs cert. If the client\*(Aqs cert is included, tls_key
+\& # should be specified as well.
+\& # For backward compatibility, "sslpath" may be used in place of tls_cert.
+\& #tls_cert /var/ldap
+\& #tls_key /var/ldap
\& #
\& # If using SASL authentication for LDAP (OpenSSL)
\& # use_sasl yes
-\& # sasl_auth_id <SASL username>
+\& # sasl_auth_id <SASL user name>
\& # rootuse_sasl yes
-\& # rootsasl_auth_id <SASL username for root access>
+\& # rootsasl_auth_id <SASL user name for root access>
\& # sasl_secprops none
\& # krb5_ccname /etc/.ldapcache
.Ve
-.Sh "Sudo schema for OpenLDAP"
+.SS "Sudo schema for OpenLDAP"
.IX Subsection "Sudo schema for OpenLDAP"
The following schema is in OpenLDAP format. Simply copy it to the
schema directory (e.g. \fI/etc/openldap/schema\fR), add the proper
\& sudoRunAsGroup $ sudoOption $ description )
\& )
.Ve
-.PP
-Add nsswitch.conf example?
-Add more exhaustive sudoers ldif example?
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIldap.conf\fR\|(@mansectform@), \fIsudoers\fR\|(5)
projects / debian / sudo / blobdiff