SUDOERS.LDAP(1m)             System Manager's Manual            SUDOERS.LDAP(1m)

NAME
     sudoers.ldap - sudo LDAP configuration
DESCRIPTION
     In addition to the standard sudoers file, sudo may be configured via
     LDAP.  This can be especially useful for synchronizing sudoers in a
     large, distributed environment.
     Using LDAP for sudoers has several benefits:

     o   sudo no longer needs to read sudoers in its entirety.  When LDAP is
         used, there are only two or three LDAP queries per invocation.  This
         makes it especially fast and particularly usable in LDAP

     o   sudo no longer exits if there is a typo in sudoers.  It is not
         possible to load LDAP data into the server that does not conform to
         the sudoers schema, so proper syntax is guaranteed.  It is still
         possible to have typos in a user or host name, but this will not
         prevent sudo from running.

     o   It is possible to specify per-entry options that override the global
         default options.  /etc/sudoers only supports default options and
         limited options associated with user/host/commands/aliases.  The
         syntax is complicated and can be difficult for users to understand.
         Placing the options directly in the entry is more natural.

     o   The visudo program is no longer needed.  visudo provides locking and
         syntax checking of the /etc/sudoers file.  Since LDAP updates are
         atomic, locking is no longer necessary.  Because syntax is checked
         when the data is inserted into LDAP, there is no need for a
         specialized tool to check syntax.

     Another major difference between LDAP and file-based sudoers is that in
     LDAP, sudo-specific Aliases are not supported.

     For the most part, there is really no need for sudo-specific Aliases.
     Unix groups or user netgroups can be used in place of User_Aliases and
     Runas_Aliases.  Host netgroups can be used in place of Host_Aliases.
     Since Unix groups and netgroups can also be stored in LDAP there is no
     real need for sudo-specific aliases.

     Cmnd_Aliases are not really required either since it is possible to have
     multiple users listed in a sudoRole.  Instead of defining a Cmnd_Alias
     that is referenced by multiple users, one can create a sudoRole that
     contains the commands and assign multiple users to it.
   SUDOers LDAP container
     The sudoers configuration is contained in the ou=SUDOers LDAP container.

     Sudo first looks for the cn=defaults entry in the SUDOers container.  If
     found, the multi-valued sudoOption attribute is parsed in the same manner
     as a global Defaults line in /etc/sudoers.  In the following example, the
     SSH_AUTH_SOCK variable will be preserved in the environment for all

         dn: cn=defaults,ou=SUDOers,dc=example,dc=com
         objectClass: top
         objectClass: sudoRole
         cn: defaults
         description: Default sudoOption's go here
         sudoOption: env_keep+=SSH_AUTH_SOCK
     The equivalent of a sudoer in LDAP is a sudoRole.  It consists of the

     sudoUser
         A user name, user ID (prefixed with `#'), Unix group (prefixed with
         `%'), Unix group ID (prefixed with `%#'), or user netgroup

     sudoHost
         A host name, IP address, IP network, or host netgroup (prefixed
         with a `+').  The special value ALL will match any host.

     sudoCommand
         A Unix command with optional command line arguments, potentially
         including globbing characters (aka wild cards).  The special value
         ALL will match any command.  If a command is prefixed with an
         exclamation point `!', the user will be prohibited from running

     sudoOption
         Identical in function to the global options described above, but
         specific to the sudoRole in which it resides.

     sudoRunAsUser
         A user name or uid (prefixed with `#') that commands may be run as
         or a Unix group (prefixed with a `%') or user netgroup (prefixed
         with a `+') that contains a list of users that commands may be run
         as.  The special value ALL will match any user.

         The sudoRunAsUser attribute is only available in sudo versions
         1.7.0 and higher.  Older versions of sudo use the sudoRunAs

     sudoRunAsGroup
         A Unix group or gid (prefixed with `#') that commands may be run
         as.  The special value ALL will match any group.

         The sudoRunAsGroup attribute is only available in sudo versions

     sudoNotBefore
         A timestamp in the form yyyymmddHHMMSSZ that can be used to provide
         a start date/time for when the sudoRole will be valid.  If multiple
         sudoNotBefore entries are present, the earliest is used.  Note that
         timestamps must be in Coordinated Universal Time (UTC), not the
         local timezone.  The minute and seconds portions are optional, but
         some LDAP servers require that they be present (contrary to the

         The sudoNotBefore attribute is only available in sudo versions
         1.7.5 and higher and must be explicitly enabled via the
         SUDOERS_TIMED option in /etc/ldap.conf.

     sudoNotAfter
         A timestamp in the form yyyymmddHHMMSSZ that indicates an
         expiration date/time, after which the sudoRole will no longer be
         valid.  If multiple sudoNotAfter entries are present, the last one
         is used.  Note that timestamps must be in Coordinated Universal
         Time (UTC), not the local timezone.  The minute and seconds
         portions are optional, but some LDAP servers require that they be
         present (contrary to the RFC).

         The sudoNotAfter attribute is only available in sudo versions 1.7.5
         and higher and must be explicitly enabled via the SUDOERS_TIMED
         option in /etc/ldap.conf.

     sudoOrder
         The sudoRole entries retrieved from the LDAP directory have no
         inherent order.  The sudoOrder attribute is an integer (or floating
         point value for LDAP servers that support it) that is used to sort
         the matching entries.  This allows LDAP-based sudoers entries to
         more closely mimic the behaviour of the sudoers file, where the
         order of the entries influences the result.  If multiple entries
         match, the entry with the highest sudoOrder attribute is chosen.
         This corresponds to the ``last match'' behavior of the sudoers
         file.  If the sudoOrder attribute is not present, a value of 0 is
         assumed.

         The sudoOrder attribute is only available in sudo versions 1.7.5

     Each attribute listed above should contain a single value, but there may
     be multiple instances of each attribute type.  A sudoRole must contain at
     least one sudoUser, sudoHost and sudoCommand.
     The following example allows users in group wheel to run any command on
     any host via sudo:

         dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
         objectClass: top
         objectClass: sudoRole
         cn: %wheel
         sudoUser: %wheel
         sudoHost: ALL
         sudoCommand: ALL
   Anatomy of LDAP sudoers lookup
     When looking up a sudoer using LDAP there are only two or three LDAP
     queries per invocation.  The first query is to parse the global options.
     The second is to match against the user's name and the groups that the
     user belongs to.  (The special ALL tag is matched in this query too.)  If
     no match is returned for the user's name and groups, a third query
     returns all entries containing user netgroups and checks to see if the
     user belongs to any of them.

     If timed entries are enabled with the SUDOERS_TIMED configuration
     directive, the LDAP queries include a subfilter that limits retrieval to
     entries that satisfy the time constraints, if any.
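     The two or three queries above, written out as search filters.  This is
     an added illustration, not code from sudo or from this manual: the
     filter shapes follow the description in this section (user name, uid,
     groups, gids and ALL in one disjunction; a netgroup query last; a time
     subfilter when SUDOERS_TIMED is on), but the exact strings sudo sends,
     the timed subfilter's shape and the EXAMPLE_NOW timestamp are
     assumptions.  The point to take from it is the escaping: user and group
     names are spliced into the filter, so they are escaped per RFC 4515
     before use, and a name containing `)' or `*' cannot change the filter's
     structure.

```python
"""Search filters behind the two- or three-query lookup described above.
Added example, not sudo's code: the filter shapes follow this section of
the man page, the timed subfilter is an assumed shape using the
yyyymmddHHMMSSZ form, and EXAMPLE_NOW is a constructed timestamp."""
from datetime import datetime, timezone
from typing import Iterable, Optional

EXAMPLE_NOW = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)  # constructed


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for an assertion value.  User and group names
    come from the passwd/group databases; an unescaped ')' or '*' in one
    would change the filter's structure (LDAP filter injection)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
                   for ch in value)


def defaults_filter() -> str:
    """Query 1: the cn=defaults entry that carries global sudoOption values."""
    return "(cn=defaults)"


def timed_subfilter(now: datetime) -> str:
    """Restrict to entries whose sudoNotBefore/sudoNotAfter, when present,
    bracket 'now' in UTC.  Entries without the attributes still match."""
    ts = now.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")
    return ("(&(|(!(sudoNotAfter=*))(sudoNotAfter>=%s))"
            "(|(!(sudoNotBefore=*))(sudoNotBefore<=%s)))" % (ts, ts))


def _wrap(core: str, search_filter: Optional[str],
          now: Optional[datetime]) -> str:
    """AND an optional SUDOERS_SEARCH_FILTER and the time subfilter onto core."""
    extra = []
    if search_filter:
        extra.append(search_filter if search_filter.startswith("(")
                     else "(%s)" % search_filter)
    if now is not None:
        extra.append(timed_subfilter(now))
    return "(&" + "".join(extra) + core + ")" if extra else core


def user_filter(user: str, uid: int, groups: Iterable[str],
                gids: Iterable[int], search_filter: Optional[str] = None,
                now: Optional[datetime] = None) -> str:
    """Query 2: the user by name and uid, every group by name and gid,
    and the ALL wildcard, as one disjunction."""
    terms = ["(sudoUser=%s)" % ldap_escape(user), "(sudoUser=#%d)" % uid]
    terms += ["(sudoUser=%%%s)" % ldap_escape(g) for g in groups]
    terms += ["(sudoUser=%%#%d)" % g for g in gids]
    terms.append("(sudoUser=ALL)")
    return _wrap("(|" + "".join(terms) + ")", search_filter, now)


def netgroup_filter(search_filter: Optional[str] = None,
                    now: Optional[datetime] = None) -> str:
    """Query 3: all entries with a netgroup sudoUser ('+' prefix); the
    client then tests netgroup membership itself."""
    return _wrap("(sudoUser=+*)", search_filter, now)


if __name__ == "__main__":
    # constructed identity; sudo gets these from getpwnam() and the group list
    print(defaults_filter())
    print(user_filter("alice", 1000, ["wheel"], [10]))
    print(user_filter("alice)(sudoUser=*", 1000, [], []))  # injection attempt, neutralised
    print(netgroup_filter(now=EXAMPLE_NOW))
```

     With SUDOERS_SEARCH_FILTER set, every query is wrapped in an extra AND,
     so the filter narrows the candidate set but cannot widen it.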
   Differences between LDAP and non-LDAP sudoers
     There are some subtle differences in the way sudoers is handled once in
     LDAP.  Probably the biggest is that according to the RFC, LDAP ordering
     is arbitrary and you cannot expect that Attributes and Entries are
     returned in any specific order.

     The order in which different entries are applied can be controlled using
     the sudoOrder attribute, but there is no way to guarantee the order of
     attributes within a specific entry.  If there are conflicting command
     rules in an entry, the negative takes precedence.  This is called
     paranoid behavior (not necessarily the most specific match).

         # Allow all commands except shell
         johnny  ALL=(root) ALL,!/bin/sh
         # Always allows all commands because ALL is matched last
         puddles ALL=(root) !/bin/sh,ALL

         # LDAP equivalent of johnny
         # Allows all commands except shell
         dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
         objectClass: top
         objectClass: sudoRole
         cn: role1
         sudoUser: johnny
         sudoHost: ALL
         sudoCommand: ALL
         sudoCommand: !/bin/sh

         # LDAP equivalent of puddles
         # Notice that even though ALL comes last, it still behaves like
         # role1 since the LDAP code assumes the more paranoid configuration
         dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
         objectClass: top
         objectClass: sudoRole
         cn: role2
         sudoUser: puddles
         sudoHost: ALL
         sudoCommand: !/bin/sh
         sudoCommand: ALL

     Another difference is that negations on the Host, User or Runas are
     currently ignored.  For example, the following attributes do not behave
     the way one might expect.

         # does not match all but joe
         # rather, does not match anyone
         sudoUser: !joe

         # does not match all but joe
         # rather, matches everyone including Joe
         sudoUser: ALL
         sudoUser: !joe

         # does not match all but web01
         # rather, matches all hosts including web01
         sudoHost: ALL
         sudoHost: !web01
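     The johnny/puddles divergence and the ignored negations, run as code.
     This is an added example, not sudo's matching code: it implements the
     rules as this section states them (file: the last matching rule wins;
     LDAP: a matching negated command wins regardless of position; among
     applicable entries the one with the highest sudoOrder is chosen; a
     bare `!joe' sudoUser is a literal that matches nobody) over
     constructed sudoRole entries held as Python dicts.  Glob matching is
     approximated with fnmatch on the whole command string, which is
     looser than sudo's own path and argument matching.

```python
"""Evaluate sudoers command rules under the two semantics this section
contrasts.  Added example following the text above; the sudoRole entries
below are constructed, and glob matching is approximated with fnmatch."""
import fnmatch
from typing import Dict, Iterable, List, Optional

Role = Dict[str, List[str]]   # attribute name -> values, as read from LDAP


def command_matches(rule: str, command: str) -> bool:
    """One sudoCommand value (any leading '!' already removed) against
    the requested command line.  ALL matches anything."""
    return rule == "ALL" or fnmatch.fnmatchcase(command, rule)


def file_decision(rules: Iterable[str], command: str) -> Optional[bool]:
    """sudoers file: rules are ordered and the last match wins.
    None means no rule matched at all."""
    decision = None
    for rule in rules:
        if command_matches(rule.lstrip("!"), command):
            decision = not rule.startswith("!")
    return decision


def ldap_decision(rules: Iterable[str], command: str) -> Optional[bool]:
    """sudoRole: attribute values have no order, so a matching negated
    command wins regardless of position (the 'paranoid' behaviour)."""
    decision = None
    for rule in rules:
        if command_matches(rule.lstrip("!"), command):
            if rule.startswith("!"):
                return False
            decision = True
    return decision


def role_applies(role: Role, user: str, groups: Iterable[str], host: str) -> bool:
    """sudoUser/sudoHost matching.  Deliberately no handling of '!':
    as the text says, '!joe' is just a literal that matches nobody."""
    groups = set(groups)
    user_ok = any(v == "ALL" or v == user or (v.startswith("%") and v[1:] in groups)
                  for v in role.get("sudoUser", []))
    host_ok = any(v in ("ALL", host) for v in role.get("sudoHost", []))
    return user_ok and host_ok


def decide(roles: Iterable[Role], user: str, groups: Iterable[str],
           host: str, command: str) -> Optional[bool]:
    """Pick the applicable sudoRole with the highest sudoOrder (0 when
    absent) and evaluate its sudoCommand values with LDAP semantics."""
    groups = list(groups)
    matching = [r for r in roles if role_applies(r, user, groups, host)]
    if not matching:
        return None
    best = max(matching, key=lambda r: float(r.get("sudoOrder", ["0"])[0]))
    return ldap_decision(best.get("sudoCommand", []), command)


# Constructed entries: role1/role2 mirror the LDIF above; the others show
# sudoOrder selection and an ignored user negation.
ROLES: List[Role] = [
    {"cn": ["role1"], "sudoUser": ["johnny"], "sudoHost": ["ALL"],
     "sudoCommand": ["ALL", "!/bin/sh"]},
    {"cn": ["role2"], "sudoUser": ["puddles"], "sudoHost": ["ALL"],
     "sudoCommand": ["!/bin/sh", "ALL"]},
    {"cn": ["ops-any"], "sudoUser": ["%wheel"], "sudoHost": ["ALL"],
     "sudoOrder": ["1"], "sudoCommand": ["ALL"]},
    {"cn": ["ops-web"], "sudoUser": ["%wheel"], "sudoHost": ["web01"],
     "sudoOrder": ["2"], "sudoCommand": ["/usr/bin/systemctl *"]},
    {"cn": ["not-joe"], "sudoUser": ["!joe"], "sudoHost": ["ALL"],
     "sudoCommand": ["ALL"]},
]

if __name__ == "__main__":
    print(file_decision(["!/bin/sh", "ALL"], "/bin/sh"))   # True: the file lets puddles run a shell
    print(ldap_decision(["!/bin/sh", "ALL"], "/bin/sh"))   # False: LDAP does not
    print(decide(ROLES, "carol", ["wheel"], "web01", "/bin/sh"))  # None: ops-web (order 2) wins, no match
    print(decide(ROLES, "joe", [], "db01", "/usr/bin/id"))        # None: '!joe' matches nobody
```

     The practical consequence for migration: a file rule of the form
     `!X,ALL' that relied on ordering becomes a denial of X once in LDAP,
     and a rule that relied on `!user' or `!host' stops excluding anyone.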
   Sudoers schema
     In order to use sudo's LDAP support, the sudo schema must be installed on
     your LDAP server.  In addition, be sure to index the sudoUser attribute.

     Three versions of the schema: one for OpenLDAP servers (schema.OpenLDAP),
     one for Netscape-derived servers (schema.iPlanet), and one for Microsoft
     Active Directory (schema.ActiveDirectory) may be found in the sudo

     The schema for sudo in OpenLDAP form is also included in the EXAMPLES
   Configuring ldap.conf
     Sudo reads the /etc/ldap.conf file for LDAP-specific configuration.
     Typically, this file is shared amongst different LDAP-aware clients.  As
     such, most of the settings are not sudo-specific.  Note that sudo parses
     /etc/ldap.conf itself and may support options that differ from those
     described in the system's ldap.conf(1m) manual.

     Also note that on systems using the OpenLDAP libraries, default values
     specified in /etc/openldap/ldap.conf or the user's .ldaprc files are not

     Only those options explicitly listed in /etc/ldap.conf as being supported
     by sudo are honored.  Configuration options are listed below in upper
     case but are parsed in a case-independent manner.
     URI ldap[s]://[hostname[:port]] ...
         Specifies a whitespace-delimited list of one or more URIs
         describing the LDAP server(s) to connect to.  The protocol may be
         either ldap or ldaps, the latter being for servers that support TLS
         (SSL) encryption.  If no port is specified, the default is port 389
         for ldap:// or port 636 for ldaps://.  If no hostname is specified,
         sudo will connect to localhost.  Multiple URI lines are treated
         identically to a URI line containing multiple entries.  Only
         systems using the OpenLDAP libraries support the mixing of ldap://
         and ldaps:// URIs.  Both the Netscape-derived and Tivoli LDAP
         libraries used on most commercial versions of Unix are only capable
         of supporting one or the other.

     HOST name[:port] ...
         If no URI is specified, the HOST parameter specifies a whitespace-
         delimited list of LDAP servers to connect to.  Each host may
         include an optional port separated by a colon (`:').  The HOST
         parameter is deprecated in favor of the URI specification and is
         included for backwards compatibility.

     PORT port_number
         If no URI is specified, the PORT parameter specifies the default
         port to connect to on the LDAP server if a HOST parameter does not
         specify the port itself.  If no PORT parameter is used, the default
         is port 389 for LDAP and port 636 for LDAP over TLS (SSL).  The
         PORT parameter is deprecated in favor of the URI specification and
         is included for backwards compatibility.

     BIND_TIMELIMIT seconds
         The BIND_TIMELIMIT parameter specifies the amount of time, in
         seconds, to wait while trying to connect to an LDAP server.  If
         multiple URIs or HOSTs are specified, this is the amount of time to
         wait before trying the next one in the list.

     NETWORK_TIMEOUT seconds
         An alias for BIND_TIMELIMIT for OpenLDAP compatibility.

     TIMELIMIT seconds
         The TIMELIMIT parameter specifies the amount of time, in seconds,
         to wait for a response to an LDAP query.

     TIMEOUT seconds
         The TIMEOUT parameter specifies the amount of time, in seconds, to
         wait for a response from the various LDAP APIs.
     SUDOERS_BASE base
         The base DN to use when performing sudo LDAP queries.  Typically
         this is of the form ou=SUDOers,dc=example,dc=com for the domain
         example.com.  Multiple SUDOERS_BASE lines may be specified, in
         which case they are queried in the order specified.

     SUDOERS_SEARCH_FILTER ldap_filter
         An LDAP filter which is used to restrict the set of records
         returned when performing a sudo LDAP query.  Typically, this is of
         the form attribute=value or
         (&(attribute=value)(attribute2=value2)).

     SUDOERS_TIMED on/true/yes/off/false/no
         Whether or not to evaluate the sudoNotBefore and sudoNotAfter
         attributes that implement time-dependent sudoers entries.

     SUDOERS_DEBUG debug_level
         This sets the debug level for sudo LDAP queries.  Debugging
         information is printed to the standard error.  A value of 1 results
         in a moderate amount of debugging information.  A value of 2 shows
         the results of the matches themselves.  This parameter should not
         be set in a production environment as the extra information is
         likely to confuse users; it also discloses the search filters and
         matching rules to whoever invokes sudo.

     BINDDN DN
         The BINDDN parameter specifies the identity, in the form of a
         Distinguished Name (DN), to use when performing LDAP operations.
         If not specified, LDAP operations are performed with an anonymous
         identity.  By default, most LDAP servers will allow anonymous

     BINDPW secret
         The BINDPW parameter specifies the password to use when performing
         LDAP operations.  This is typically used in conjunction with the
         BINDDN parameter.  Because /etc/ldap.conf is shared with other
         clients and is usually readable by all users, a password placed
         here is effectively public; prefer ROOTBINDDN, which keeps the
         password in /etc/ldap.secret.

     ROOTBINDDN DN
         The ROOTBINDDN parameter specifies the identity, in the form of a
         Distinguished Name (DN), to use when performing privileged LDAP
         operations, such as sudoers queries.  The password corresponding to
         the identity should be stored in /etc/ldap.secret.  If not
         specified, the BINDDN identity is used (if any).

     LDAP_VERSION number
         The version of the LDAP protocol to use when connecting to the
         server.  The default value is protocol version 3.
     SSL on/true/yes/off/false/no
         If the SSL parameter is set to on, true or yes, TLS (SSL)
         encryption is always used when communicating with the LDAP server.
         Typically, this involves connecting to the server on port 636

     SSL start_tls
         If the SSL parameter is set to start_tls, the LDAP server
         connection is initiated normally and TLS encryption is begun before
         the bind credentials are sent.  This has the advantage of not
         requiring a dedicated port for encrypted communications.  This
         parameter is only supported by LDAP servers that honor the
         start_tls extension, such as the OpenLDAP and Tivoli Directory

     TLS_CHECKPEER on/true/yes/off/false/no
         If enabled, TLS_CHECKPEER will cause the LDAP server's TLS
         certificate to be verified.  If the server's TLS certificate
         cannot be verified (usually because it is signed by an unknown
         certificate authority), sudo will be unable to connect to it.  If
         TLS_CHECKPEER is disabled, no check is made.  Note that disabling
         the check creates an opportunity for man-in-the-middle attacks
         since the server's identity will not be authenticated.  For sudo
         this is worse than eavesdropping: an attacker who can impersonate
         the directory can answer the query with sudoRole entries of their
         choosing.  If possible, the CA's certificate should be installed
         locally so it can be verified.  This option is not supported by
         the Tivoli Directory Server LDAP libraries.

     TLS_CACERT file name
         An alias for TLS_CACERTFILE for OpenLDAP compatibility.

     TLS_CACERTFILE file name
         The path to a certificate authority bundle which contains the
         certificates for all the Certificate Authorities the client knows
         to be valid, e.g. /etc/ssl/ca-bundle.pem.  This option is only
         supported by the OpenLDAP libraries.  Netscape-derived LDAP
         libraries use the same certificate database for CA and client
         certificates (see TLS_CERT).

     TLS_CACERTDIR directory
         Similar to TLS_CACERTFILE but instead of a file, it is a directory
         containing individual Certificate Authority certificates, e.g.
         /etc/ssl/certs.  The directory specified by TLS_CACERTDIR is
         checked after TLS_CACERTFILE.  This option is only supported by the

     TLS_CERT file name
         The path to a file containing the client certificate which can be
         used to authenticate the client to the LDAP server.  The
         certificate type depends on the LDAP libraries used.

         OpenLDAP:
             tls_cert /etc/ssl/client_cert.pem

         Netscape-derived:
             tls_cert /var/ldap/cert7.db

         Tivoli Directory Server:
             Unused, the key database specified by TLS_KEY contains both
             keys and certificates.

         When using Netscape-derived libraries, this file may also
         contain Certificate Authority certificates.
     TLS_KEY file name
         The path to a file containing the private key which matches the
         certificate specified by TLS_CERT.  The private key must not be
         password-protected.  The key type depends on the LDAP libraries

         OpenLDAP:
             tls_key /etc/ssl/client_key.pem

         Netscape-derived:
             tls_key /var/ldap/key3.db

         Tivoli Directory Server:
             tls_key /usr/ldap/ldapkey.kdb
             When using Tivoli LDAP libraries, this file may also contain
             Certificate Authority and client certificates and may be
             encrypted.

     TLS_KEYPW secret
         The TLS_KEYPW parameter contains the password used to decrypt the
         key database on clients using the Tivoli Directory Server LDAP
         library.  If no TLS_KEYPW is specified, a stash file will be used
         if it exists.  The stash file must have the same path as the file
         specified by TLS_KEY, but use a .sth file extension instead of
         .kdb, e.g. ldapkey.sth.  The default ldapkey.kdb that ships with
         Tivoli Directory Server is encrypted with the password
         ssl_password.  This option is only supported by the Tivoli LDAP

     TLS_RANDFILE file name
         The TLS_RANDFILE parameter specifies the path to an entropy source
         for systems that lack a random device.  It is generally used in
         conjunction with prngd or egd.  This option is only supported by
         the OpenLDAP libraries.

     TLS_CIPHERS cipher list
         The TLS_CIPHERS parameter allows the administrator to restrict
         which encryption algorithms may be used for TLS (SSL) connections.
         See the OpenLDAP or Tivoli Directory Server manual for a list of
         valid ciphers.  This option is not supported by Netscape-derived

     USE_SASL on/true/yes/off/false/no
         Enable USE_SASL for LDAP servers that support SASL authentication.

     SASL_AUTH_ID identity
         The SASL user name to use when connecting to the LDAP server.  By
         default, sudo will use an anonymous connection.

     ROOTUSE_SASL on/true/yes/off/false/no
         Enable ROOTUSE_SASL to enable SASL authentication when connecting
         to an LDAP server from a privileged process, such as sudo.

     ROOTSASL_AUTH_ID identity
         The SASL user name to use when ROOTUSE_SASL is enabled.

     SASL_SECPROPS none/properties
         SASL security properties or none for no properties.  See the SASL
         programmer's manual for details.

     KRB5_CCNAME file name
         The path to the Kerberos 5 credential cache to use when
         authenticating with the remote server.

     DEREF never/searching/finding/always
         How alias dereferencing is to be performed when searching.  See the
         ldap.conf(1m) manual for a full description of this option.

     See the ldap.conf entry in the EXAMPLES section.
   Configuring nsswitch.conf
     Unless it is disabled at build time, sudo consults the Name Service
     Switch file, /etc/nsswitch.conf, to specify the sudoers search order.
     Sudo looks for a line beginning with sudoers: and uses this to determine
     the search order.  Note that sudo does not stop searching after the first
     match and later matches take precedence over earlier ones.  The following
     sources are recognized:

         files    read sudoers from /etc/sudoers
         ldap     read sudoers from LDAP

     In addition, the entry [NOTFOUND=return] will short-circuit the search if
     the user was not found in the preceding source.

     To consult LDAP first followed by the local sudoers file (if it exists),
     use:

         sudoers: ldap files

     The local sudoers file can be ignored completely by using:

         sudoers: ldap

     If the /etc/nsswitch.conf file is not present or there is no sudoers
     line, the following default is assumed:

         sudoers: files

     Note that /etc/nsswitch.conf is supported even when the underlying
     operating system does not use an nsswitch.conf file, except on AIX (see
   Configuring netsvc.conf
     On AIX systems, the /etc/netsvc.conf file is consulted instead of
     /etc/nsswitch.conf.  sudo simply treats netsvc.conf as a variant of
     nsswitch.conf; information in the previous section unrelated to the file
     format itself still applies.

     To consult LDAP first followed by the local sudoers file (if it exists),
     use:

         sudoers = ldap, files

     The local sudoers file can be ignored completely by using:

         sudoers = ldap

     To treat LDAP as authoritative and only use the local sudoers file if the
     user is not present in LDAP, use:

         sudoers = ldap = auth, files

     Note that in the above example, the auth qualifier only affects user
     lookups; both LDAP and sudoers will be queried for Defaults entries.

     If the /etc/netsvc.conf file is not present or there is no sudoers line,
     the following default is assumed:

         sudoers = files

FILES
     /etc/ldap.conf            LDAP configuration file

     /etc/nsswitch.conf        determines sudoers source order

     /etc/netsvc.conf          determines sudoers source order on AIX
553 E
\bEX
\bXA
\bAM
\bMP
\bPL
\bLE
\bES
\bS
554 E
\bEx
\bxa
\bam
\bmp
\bpl
\ble
\be l
\bld
\bda
\bap
\bp.
\b.c
\bco
\bon
\bnf
\bf
# Either specify one or more URIs or one or more host:port pairs.
# If neither is specified sudo will default to localhost, port 389.
#host ldapserver1 ldapserver2:390
# Default port if host is specified without one, defaults to 389.
# URI will override the host and port settings.
uri ldap://ldapserver
#uri ldaps://secureldapserver
#uri ldaps://secureldapserver ldap://ldapserver
# The amount of time, in seconds, to wait while trying to connect to
# The amount of time, in seconds, to wait while performing an LDAP query.
# Must be set or sudo will ignore LDAP; may be specified multiple times.
sudoers_base ou=SUDOers,dc=example,dc=com
# verbose sudoers matching from ldap
# Enable support for time-based entries in sudoers.
# optional proxy credentials
#binddn <who to search as>
#rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>
# LDAP protocol version, defaults to 3
# Define if you want to use an encrypted LDAP connection.
# Typically, you must also set the port to 636 (ldaps).
# Define if you want to use port 389 and switch to
# encryption before the bind credentials are sent.
# Only supported by LDAP servers that support the start_tls
# extension such as OpenLDAP.
# Additional TLS options follow that allow tweaking of the
# SSL/TLS connection.
#tls_checkpeer yes # verify server SSL certificate
#tls_checkpeer no # ignore server SSL certificate
# If you enable tls_checkpeer, specify either tls_cacertfile
# or tls_cacertdir. Only supported when using OpenLDAP.
#tls_cacertfile /etc/certs/trusted_signers.pem
#tls_cacertdir /etc/certs
# For systems that don't have /dev/random
# use this along with PRNGD or EGD.pl to seed the
# random number pool to generate cryptographic session keys.
# Only supported when using OpenLDAP.
#tls_randfile /etc/egd-pool
# You may restrict which ciphers are used. Consult your SSL
# documentation for which options go here.
# Only supported when using OpenLDAP.
#tls_ciphers <cipher-list>
# Sudo can provide a client certificate when communicating to
# * Enable both lines at the same time.
# * Do not password protect the key file.
# * Ensure the keyfile is only readable by root.
#tls_cert /etc/certs/client_cert.pem
#tls_key /etc/certs/client_key.pem
# For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
# a directory, in which case the files in the directory must have the
# default names (e.g. cert8.db and key4.db), or the path to the cert
# and key files themselves. However, a bug in version 5.0 of the LDAP
# SDK will prevent specific file names from working. For this reason
# it is suggested that tls_cert and tls_key be set to a directory,
# The certificate database specified by tls_cert may contain CA certs
# and/or the client's cert. If the client's cert is included, tls_key
# should be specified as well.
# For backward compatibility, "sslpath" may be used in place of tls_cert.
# If using SASL authentication for LDAP (OpenSSL)
# sasl_auth_id <SASL user name>
# rootsasl_auth_id <SASL user name for root access>
# krb5_ccname /etc/.ldapcache
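The settings in the example above decide whether sudoers lookups and the bind credentials cross the network in the clear, and whether the LDAP server's certificate is verified at all. The Python script below is an added example and is not part of sudo: it parses an ldap.conf in the format shown above and reports the weak transport settings a reviewer would flag (plain ldap:// without start_tls, an encrypted connection with tls_checkpeer left off, tls_checkpeer without a trust anchor, tls_cert without tls_key, a bindpw kept in the file, a tls_key readable by group or other). The three sample configurations, the finding codes and the function names (parse_ldap_conf, audit_ldap_conf, finding_codes) are constructed for this example; the host names and paths are the ones from the example ldap.conf.

```python
"""Audit the transport-security settings of a sudo ldap.conf (added example)."""
import os
import stat
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (short code, explanation)
TRUE_WORDS = ("yes", "on", "true")


def parse_ldap_conf(text: str) -> Dict[str, List[str]]:
    """Parse ldap.conf text into {key: [value, ...]}.

    Keys are case-insensitive, so they are lower-cased; '#' comment lines and
    blank lines are skipped; a key given more than once (sudoers_base may be)
    keeps every value in order.
    """
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1].strip() if len(parts) > 1 else "")
    return conf


def _last(conf: Dict[str, List[str]], key: str) -> str:
    """Last value given for key, lower-cased ('' when absent)."""
    return conf.get(key, [""])[-1].strip().lower()


def audit_ldap_conf(conf: Dict[str, List[str]]) -> List[Finding]:
    """Return the transport-security findings for a parsed ldap.conf."""
    findings: List[Finding] = []
    if "sudoers_base" not in conf:
        findings.append(("no_base", "sudoers_base is not set, so sudo ignores LDAP entirely"))
    # A uri line may carry several space-separated URIs and overrides host/port.
    uris = [u for line in conf.get("uri", []) for u in line.split()]
    ssl_mode = _last(conf, "ssl")
    start_tls = ssl_mode == "start_tls"
    ssl_on = ssl_mode in TRUE_WORDS
    if uris:
        for u in uris:
            if u.startswith("ldap://") and start_tls:
                continue  # port 389 is upgraded with StartTLS before the bind credentials are sent
            if u.startswith("ldap://") and ssl_on:
                findings.append(("mismatch", f"{u}: 'ssl on' is meant for ldaps (port 636); use an ldaps:// URI or 'ssl start_tls'"))
            elif u.startswith("ldap://"):
                findings.append(("cleartext", f"{u}: plain LDAP; sudoers lookups and bind credentials travel unencrypted"))
    else:
        # No uri: sudo falls back to host/port, defaulting to localhost:389.
        hosts = " ".join(conf.get("host", [])).split() or ["localhost"]
        if not (start_tls or ssl_on):
            findings.append(("cleartext", f"host(s) {', '.join(hosts)} used without 'ssl on' or 'ssl start_tls'"))
    encrypted = start_tls or ssl_on or any(u.startswith("ldaps://") for u in uris)
    if encrypted:
        if _last(conf, "tls_checkpeer") not in TRUE_WORDS:
            findings.append(("checkpeer", "tls_checkpeer is not 'yes': the server certificate is never verified, so any server presenting a certificate is accepted"))
        elif not (conf.get("tls_cacertfile") or conf.get("tls_cacertdir")):
            findings.append(("no_ca", "tls_checkpeer yes but neither tls_cacertfile nor tls_cacertdir is set"))
    if ("tls_cert" in conf) != ("tls_key" in conf):
        findings.append(("cert_pair", "tls_cert and tls_key must be enabled together"))
    key_path = conf.get("tls_key", [""])[-1]
    if key_path and os.path.exists(key_path):  # only checkable on the host itself
        if os.stat(key_path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(("key_perms", f"{key_path} is accessible to group/other; the key file must be readable only by root"))
    if "bindpw" in conf:
        findings.append(("bindpw", "bindpw is kept in ldap.conf itself; rootbinddn reads the password from /etc/ldap.secret, which can be restricted to root"))
    return findings


# Constructed sample configurations (not from the man page).
CLEARTEXT_CONF = """\
uri ldap://ldapserver
sudoers_base ou=SUDOers,dc=example,dc=com
binddn cn=proxy,ou=services,dc=example,dc=com
bindpw hunter2
"""

STARTTLS_CONF = """\
uri ldap://ldapserver
ssl start_tls
sudoers_base ou=SUDOers,dc=example,dc=com
"""

HARDENED_CONF = """\
uri ldaps://secureldapserver
ssl on
tls_checkpeer yes
tls_cacertfile /etc/certs/trusted_signers.pem
tls_cert /etc/certs/client_cert.pem
tls_key /etc/certs/client_key.pem
sudoers_base ou=SUDOers,dc=example,dc=com
rootbinddn cn=sudo,ou=services,dc=example,dc=com
"""


def finding_codes(text: str) -> List[str]:
    """Short codes of the findings for one ldap.conf text."""
    return [code for code, _ in audit_ldap_conf(parse_ldap_conf(text))]


if __name__ == "__main__":
    for name, text in (("cleartext", CLEARTEXT_CONF), ("starttls", STARTTLS_CONF), ("hardened", HARDENED_CONF)):
        for code, why in audit_ldap_conf(parse_ldap_conf(text)):
            print(f"{name}: [{code}] {why}")
```

Feed the script your own ldap.conf with parse_ldap_conf(open(path).read()); the key-permission check only fires when tls_key names a file present on the host running the script.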
Sudo schema for OpenLDAP
The following schema, in OpenLDAP format, is included with sudo source
and binary distributions as schema.OpenLDAP. Simply copy it to the
schema directory (e.g. /etc/openldap/schema), add the proper include line
in slapd.conf and restart slapd.
attributetype ( 1.3.6.1.4.1.15953.9.1.1
        NAME 'sudoUser'
        DESC 'User(s) who may run sudo'
        EQUALITY caseExactIA5Match
        SUBSTR caseExactIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.2
        NAME 'sudoHost'
        DESC 'Host(s) who may run sudo'
        EQUALITY caseExactIA5Match
        SUBSTR caseExactIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.3
        NAME 'sudoCommand'
        DESC 'Command(s) to be executed by sudo'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.4
        NAME 'sudoRunAs'
        DESC 'User(s) impersonated by sudo'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.5
        NAME 'sudoOption'
        DESC 'Options(s) followed by sudo'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.6
        NAME 'sudoRunAsUser'
        DESC 'User(s) impersonated by sudo'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.7
        NAME 'sudoRunAsGroup'
        DESC 'Group(s) impersonated by sudo'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.8
        NAME 'sudoNotBefore'
        DESC 'Start of time interval for which the entry is valid'
        EQUALITY generalizedTimeMatch
        ORDERING generalizedTimeOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

attributetype ( 1.3.6.1.4.1.15953.9.1.9
        NAME 'sudoNotAfter'
        DESC 'End of time interval for which the entry is valid'
        EQUALITY generalizedTimeMatch
        ORDERING generalizedTimeOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

attributetype ( 1.3.6.1.4.1.15953.9.1.10
        NAME 'sudoOrder'
        DESC 'an integer to order the sudoRole entries'
        EQUALITY integerMatch
        ORDERING integerOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
        DESC 'Sudoer Entries'
        MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
              sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
              sudoOrder $ description )
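The schema guarantees that slapd only stores attributes of the right syntax, but a sudoRole entry can still be ineffective or surprising for sudo: a misspelled attribute name simply fails to load, a missing sudoUser means the role never applies, and a sudoNotBefore/sudoNotAfter value that is not GeneralizedTime (YYYYMMDDHHMMSSZ) or a sudoOrder that is not an integer would be rejected by the server. The Python script below is an added example and is not shipped with sudo: it parses plain LDIF, checks each entry against the attribute list of the sudoRole object class above, and evaluates the sudoNotBefore/sudoNotAfter window the way a reviewer would before loading the file. The two LDIF entries, their DNs and the function names (parse_ldif, validate_sudorole, entry_in_window, run_sample) are constructed for this example; the attribute names are those of the schema above.

```python
"""Check sudoRole LDIF entries against the sudo OpenLDAP schema (added example)."""
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Attributes the sudoRole object class allows (its MAY list), keyed by lower case.
SUDOROLE_ATTRS = {a.lower(): a for a in (
    "sudoUser", "sudoHost", "sudoCommand", "sudoRunAs", "sudoRunAsUser",
    "sudoRunAsGroup", "sudoOption", "sudoNotBefore", "sudoNotAfter",
    "sudoOrder", "description")}
# GeneralizedTime (syntax ...1.24) in the UTC form sudo entries use: YYYYMMDDHHMMSS[.fff]Z
GENERALIZED_TIME = re.compile(r"^(\d{14})(?:[.,]\d+)?Z$")

Entry = Tuple[str, Dict[str, List[str]]]  # (dn, {attribute: [values]})


def parse_ldif(text: str) -> List[Entry]:
    """Parse plain (non-base64) LDIF into (dn, {attr: [values]}) tuples.

    Folded lines (continuation lines starting with a space) are joined first;
    '#' comment lines are skipped; attribute names are lower-cased because
    LDAP treats them case-insensitively.
    """
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: List[Entry] = []
    current: Optional[Entry] = None
    for line in unfolded + [""]:  # the trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(name, []).append(value)
    return entries


def validate_sudorole(attrs: Dict[str, List[str]]) -> List[str]:
    """Return the problems found in one entry ([] when it is a clean sudoRole)."""
    problems: List[str] = []
    if "sudorole" not in {c.lower() for c in attrs.get("objectclass", [])}:
        problems.append("objectClass sudoRole is missing")
    for name in attrs:
        if name not in SUDOROLE_ATTRS and name not in ("objectclass", "cn"):
            problems.append(f"{name}: not an attribute sudoRole allows (typo?)")
    if not attrs.get("sudouser"):
        problems.append("sudoUser is missing: sudo looks roles up by sudoUser, so this entry never applies to anyone")
    for name in ("sudonotbefore", "sudonotafter"):
        for value in attrs.get(name, []):
            if not GENERALIZED_TIME.match(value):
                problems.append(f"{SUDOROLE_ATTRS[name]}={value!r}: not GeneralizedTime (e.g. 20120712000000Z)")
    for value in attrs.get("sudoorder", []):
        if not re.fullmatch(r"-?\d+", value):
            problems.append(f"sudoOrder={value!r}: must be an integer")
    return problems


def _generalized_time(value: str) -> Optional[datetime]:
    """GeneralizedTime string to an aware UTC datetime; None when malformed."""
    match = GENERALIZED_TIME.match(value)
    if not match:
        return None
    return datetime.strptime(match.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def entry_in_window(attrs: Dict[str, List[str]], now: datetime) -> bool:
    """True when now lies within [sudoNotBefore, sudoNotAfter].

    An absent bound is open; a malformed bound fails closed (returns False).
    """
    for name, too_early in (("sudonotbefore", True), ("sudonotafter", False)):
        for value in attrs.get(name, []):
            bound = _generalized_time(value)
            if bound is None:
                return False
            if (now < bound) if too_early else (now > bound):
                return False
    return True


# Constructed sample entries (not from the man page): one clean role, one with four mistakes.
SAMPLE_LDIF = """\
dn: cn=backup-operators,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: backup-operators
sudoUser: %backup
sudoHost: ALL
sudoCommand: /usr/bin/rsync
sudoRunAsUser: root
sudoOption: log_output
sudoNotBefore: 20120712000000Z
sudoNotAfter: 20121231235959Z
sudoOrder: 10

dn: cn=broken,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: broken
sudoHost: ALL
sudoCommand: ALL
sudoNotAfter: 2012-12-31
sudoOrder: soon
sudoRunAsGroups: wheel
"""


def run_sample() -> Dict[str, object]:
    """Validate the two sample entries and evaluate the first one's time window."""
    entries = parse_ldif(SAMPLE_LDIF)
    good, bad = entries[0][1], entries[1][1]
    mid_2012 = datetime(2012, 8, 1, tzinfo=timezone.utc)
    return {
        "entries": len(entries),
        "good_problems": validate_sudorole(good),
        "bad_problems": validate_sudorole(bad),
        "good_active_mid_2012": entry_in_window(good, mid_2012),
        "good_active_2013": entry_in_window(good, datetime(2013, 1, 1, tzinfo=timezone.utc)),
        "bad_active_mid_2012": entry_in_window(bad, mid_2012),
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

sudo only consults sudoNotBefore and sudoNotAfter when time-based entries are enabled in ldap.conf (the "Enable support for time-based entries" setting in the example above); the window check here shows what the directory data says, not whether sudo will honour it. Base64 values (the "::" LDIF form) are not decoded by this parser.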
SEE ALSO
ldap.conf(1m), sudoers(1m)
CAVEATS
Note that there are differences in the way that LDAP-based sudoers is
parsed compared to file-based sudoers. See the Differences between LDAP
and non-LDAP sudoers section for more information.
If you feel you have found a bug in sudo, please submit a bug report at
http://www.sudo.ws/sudo/bugs/
SUPPORT
Limited free support is available via the sudo-users mailing list, see
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
DISCLAIMER
sudo is provided ``AS IS'' and any express or implied warranties,
including, but not limited to, the implied warranties of merchantability
and fitness for a particular purpose are disclaimed. See the LICENSE
file distributed with sudo or http://www.sudo.ws/sudo/license.html for
765 Sudo 1.8.6 July 12, 2012 Sudo 1.8.6