SUDOERS.LDAP(1m)            System Manager's Manual           SUDOERS.LDAP(1m)

NAME
     sudoers.ldap - sudo LDAP configuration

DESCRIPTION
     In addition to the standard sudoers file, sudo may be configured via
     LDAP.  This can be especially useful for synchronizing sudoers in a
     large, distributed environment.

     Using LDAP for sudoers has several benefits:

     o   sudo no longer needs to read sudoers in its entirety.  When LDAP is
         used, there are only two or three LDAP queries per invocation.  This
         makes it especially fast and particularly usable in LDAP

     o   sudo no longer exits if there is a typo in sudoers.  It is not
         possible to load LDAP data into the server that does not conform to
         the sudoers schema, so proper syntax is guaranteed.  It is still
         possible to have typos in a user or host name, but this will not
         prevent sudo from running.

     o   It is possible to specify per-entry options that override the global
         default options.  /etc/sudoers only supports default options and
         limited options associated with user/host/commands/aliases.  The
         syntax is complicated and can be difficult for users to understand.
         Placing the options directly in the entry is more natural.

     o   The visudo program is no longer needed.  visudo provides locking and
         syntax checking of the /etc/sudoers file.  Since LDAP updates are
         atomic, locking is no longer necessary.  Because syntax is checked
         when the data is inserted into LDAP, there is no need for a
         specialized tool to check syntax.

     Another major difference between LDAP and file-based sudoers is that in
     LDAP, sudo-specific Aliases are not supported.

     For the most part, there is really no need for sudo-specific Aliases.
     Unix groups, non-Unix groups (via the group_plugin) or user netgroups can
     be used in place of User_Aliases and Runas_Aliases.  Host netgroups can
     be used in place of Host_Aliases.  Since groups and netgroups can also be
     stored in LDAP there is no real need for sudo-specific aliases.

     Cmnd_Aliases are not really required either since it is possible to have
     multiple users listed in a sudoRole.  Instead of defining a Cmnd_Alias
     that is referenced by multiple users, one can create a sudoRole that
     contains the commands and assign multiple users to it.
   SUDOers LDAP container
     The sudoers configuration is contained in the ou=SUDOers LDAP container.

     Sudo first looks for the cn=default entry in the SUDOers container.  If
     found, the multi-valued sudoOption attribute is parsed in the same manner
     as a global Defaults line in /etc/sudoers.  In the following example, the
     SSH_AUTH_SOCK variable will be preserved in the environment for all

         dn: cn=defaults,ou=SUDOers,dc=example,dc=com
         description: Default sudoOption's go here
         sudoOption: env_keep+=SSH_AUTH_SOCK

     The equivalent of a sudoer in LDAP is a sudoRole.  It consists of the

     sudoUser
             A user name, user ID (prefixed with `#'), Unix group name or ID
             (prefixed with `%' or `%#' respectively), user netgroup (prefixed
             with `+'), or non-Unix group name or ID (prefixed with `%:' or
             `%:#' respectively).  Non-Unix group support is only available
             when an appropriate group_plugin is defined in the global
             defaults

     sudoHost
             A host name, IP address, IP network, or host netgroup (prefixed
             with a `+').  The special value ALL will match any host.

     sudoCommand
             A fully-qualified Unix command name with optional command line
             arguments, potentially including globbing characters (aka wild
             cards).  If a command name is preceded by an exclamation point,
             `!', the user will be prohibited from running that command.

             The built-in command ``sudoedit'' is used to permit a user to run
             sudo with the -e option (or as sudoedit).  It may take command
             line arguments just as a normal command does.  Note that
             ``sudoedit'' is a command built into sudo itself and must be
             specified without a

             The special value ALL will match any command.

             If a command name is prefixed with a SHA-2 digest, it will only
             be allowed if the digest matches.  This may be useful in
             situations where the user invoking sudo has write access to the
             command or its parent directory.  The following digest formats
             are supported: sha224, sha256, sha384 and sha512.  The digest
             name must be followed by a colon (`:') and then the actual
             digest, in either hex or base64 format.  For example, given the
             following value for

                 sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ /bin/ls

             The user may only run /bin/ls if its sha224 digest matches the
             specified value.  Command digests are only supported by version

     sudoOption
             Identical in function to the global options described above, but
             specific to the sudoRole in which it resides.

     sudoRunAsUser
             A user name or uid (prefixed with `#') that commands may be run
             as or a Unix group (prefixed with a `%') or user netgroup
             (prefixed with a `+') that contains a list of users that commands
             may be run as.  The special value ALL will match any user.

             The sudoRunAsUser attribute is only available in sudo versions
             1.7.0 and higher.  Older versions of sudo use the sudoRunAs

     sudoRunAsGroup
             A Unix group or gid (prefixed with `#') that commands may be run
             as.  The special value ALL will match any group.

             The sudoRunAsGroup attribute is only available in sudo versions

     sudoNotBefore
             A timestamp in the form yyyymmddHHMMSSZ that can be used to
             provide a start date/time for when the sudoRole will be valid.
             If multiple sudoNotBefore entries are present, the earliest is
             used.  Note that timestamps must be in Coordinated Universal Time
             (UTC), not the local timezone.  The minute and seconds portions
             are optional, but some LDAP servers require that they be present
             (contrary to the RFC).

             The sudoNotBefore attribute is only available in sudo versions
             1.7.5 and higher and must be explicitly enabled via the
             SUDOERS_TIMED option in /etc/ldap.conf.

     sudoNotAfter
             A timestamp in the form yyyymmddHHMMSSZ that indicates an
             expiration date/time, after which the sudoRole will no longer be
             valid.  If multiple sudoNotAfter entries are present, the last
             one is used.  Note that timestamps must be in Coordinated
             Universal Time (UTC), not the local timezone.  The minute and
             seconds portions are optional, but some LDAP servers require that
             they be present (contrary to the RFC).

             The sudoNotAfter attribute is only available in sudo versions
             1.7.5 and higher and must be explicitly enabled via the
             SUDOERS_TIMED option in /etc/ldap.conf.

     sudoOrder
             The sudoRole entries retrieved from the LDAP directory have no
             inherent order.  The sudoOrder attribute is an integer (or
             floating point value for LDAP servers that support it) that is
             used to sort the matching entries.  This allows LDAP-based
             sudoers entries to more closely mimic the behavior of the sudoers
             file, where the order of the entries influences the result.  If
             multiple entries match, the entry with the highest sudoOrder
             attribute is chosen.  This corresponds to the ``last match''
             behavior of the sudoers file.  If the sudoOrder attribute is not
             present, a value of 0 is assumed.

             The sudoOrder attribute is only available in sudo versions 1.7.5
             and higher.

     Each attribute listed above should contain a single value, but there may
     be multiple instances of each attribute type.  A sudoRole must contain at
     least one sudoUser, sudoHost and sudoCommand.

     The following example allows users in group wheel to run any command on
     any host via sudo:

         dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
         objectClass: sudoRole
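The digest-prefixed sudoCommand form above is worth seeing end to end: the digest may be hex or base64, the man page's own sha224 example omits the base64 padding, and the whole point of the feature is that a modified binary stops matching. The following is an added example and not code from the sudo project; the function names (decode_digest, parse_sudo_command, command_allowed, demo) and the temporary script that stands in for /bin/ls are constructed for this illustration, and command arguments are parsed but not matched.

```python
import base64
import binascii
import hashlib
import hmac
import os
import tempfile
from typing import Optional, Tuple

# The four SHA-2 digest prefixes sudoers.ldap accepts on a sudoCommand value.
DIGEST_ALGOS = {"sha224": hashlib.sha224, "sha256": hashlib.sha256,
                "sha384": hashlib.sha384, "sha512": hashlib.sha512}


def decode_digest(encoded: str, size: int) -> bytes:
    """Decode a digest written in hex or base64.  Base64 padding may be
    absent, as in the man page's sha224 example, so it is restored first."""
    if len(encoded) == 2 * size:
        try:
            return binascii.unhexlify(encoded)
        except binascii.Error:
            pass  # right length for hex but not hex; try base64 below
    padded = encoded + "=" * (-len(encoded) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"digest is neither hex nor base64: {encoded!r}") from exc
    if len(raw) != size:
        raise ValueError(f"digest is {len(raw)} bytes, expected {size}")
    return raw


def parse_sudo_command(value: str) -> Tuple[bool, Optional[str], Optional[bytes], str, str]:
    """Split one sudoCommand value into
    (negated, digest_algo, digest_bytes, command_path, arguments).
    Handles "!cmd", "sha256:<digest> cmd args" and plain "cmd args"."""
    value = value.strip()
    negated = value.startswith("!")
    if negated:
        value = value[1:].lstrip()
    algo = digest = None
    first, _, rest = value.partition(" ")
    name, sep, encoded = first.partition(":")
    if sep and name.lower() in DIGEST_ALGOS:
        algo = name.lower()
        digest = decode_digest(encoded, DIGEST_ALGOS[algo]().digest_size)
        value = rest.lstrip()
    path, _, args = value.partition(" ")
    return negated, algo, digest, path, args.strip()


def command_allowed(entry: str, requested: str) -> bool:
    """True if `requested` is permitted by a single sudoCommand value.  When
    the value carries a digest, the file on disk is hashed and compared, so a
    replaced or modified binary no longer matches."""
    negated, algo, digest, path, _args = parse_sudo_command(entry)
    if negated or (path != "ALL" and path != requested):
        return False
    if algo is None:
        return True
    with open(requested, "rb") as fh:
        actual = DIGEST_ALGOS[algo](fh.read()).digest()
    return hmac.compare_digest(actual, digest)


def demo() -> dict:
    """Constructed scenario: a temporary script stands in for /bin/ls; it is
    hashed with sha224 in both encodings, then modified in place."""
    with tempfile.TemporaryDirectory() as tmp:
        cmd = os.path.join(tmp, "ls")
        with open(cmd, "wb") as fh:
            fh.write(b"#!/bin/sh\necho constructed ls\n")
        with open(cmd, "rb") as fh:
            raw = hashlib.sha224(fh.read()).digest()
        hex_entry = f"sha224:{raw.hex()} {cmd}"
        b64_entry = f"sha224:{base64.b64encode(raw).decode().rstrip('=')} {cmd}"
        results = {
            "hex_ok": command_allowed(hex_entry, cmd),
            "b64_ok": command_allowed(b64_entry, cmd),
            "plain_ok": command_allowed(cmd, cmd),
            "negated": command_allowed("!" + cmd, cmd),
        }
        with open(cmd, "ab") as fh:
            fh.write(b"echo tampered\n")
        results["after_tamper"] = command_allowed(hex_entry, cmd)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints the five outcomes; the last one, after_tamper, is False because the appended line changed the file's sha224 while the sudoCommand value still names the original digest.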
   Anatomy of LDAP sudoers lookup
     When looking up a sudoer using LDAP there are only two or three LDAP
     queries per invocation.  The first query is to parse the global options.
     The second is to match against the user's name and the groups that the
     user belongs to.  (The special ALL tag is matched in this query too.)  If
     no match is returned for the user's name and groups, a third query
     returns all entries containing user netgroups and checks to see if the
     user belongs to any of them.

     If timed entries are enabled with the SUDOERS_TIMED configuration
     directive, the LDAP queries include a sub-filter that limits retrieval to
     entries that satisfy the time constraints, if any.

   Differences between LDAP and non-LDAP sudoers
     There are some subtle differences in the way sudoers is handled once in
     LDAP.  Probably the biggest is that according to the RFC, LDAP ordering
     is arbitrary and you cannot expect that Attributes and Entries are
     returned in any specific order.

     The order in which different entries are applied can be controlled using
     the sudoOrder attribute, but there is no way to guarantee the order of
     attributes within a specific entry.  If there are conflicting command
     rules in an entry, the negative takes precedence.  This is called
     paranoid behavior (not necessarily the most specific match).

         # Allow all commands except shell
         johnny ALL=(root) ALL,!/bin/sh
         # Always allows all commands because ALL is matched last
         puddles ALL=(root) !/bin/sh,ALL

         # LDAP equivalent of johnny
         # Allows all commands except shell
         dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
         objectClass: sudoRole
         sudoCommand: !/bin/sh

         # LDAP equivalent of puddles
         # Notice that even though ALL comes last, it still behaves like
         # role1 since the LDAP code assumes the more paranoid configuration
         dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
         objectClass: sudoRole
         sudoCommand: !/bin/sh

     Another difference is that negations on the Host, User or Runas are
     currently ignored.  For example, the following attributes do not behave
     the way one might expect.

         # does not match all but joe
         # rather, does not match anyone

         # does not match all but joe
         # rather, matches everyone including Joe

         # does not match all but web01
         # rather, matches all hosts including web01
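The rules spread over the sudoRole attribute list and this section (paranoid command evaluation within an entry, ignored sudoUser/sudoHost negations, earliest sudoNotBefore and last sudoNotAfter, highest sudoOrder as last match) are easiest to check against a model. The following added example, which is not sudo's own code, evaluates constructed sudoRole entries (including the johnny/puddles pair above) against constructed users and hosts; the data tables, the function names and the use of fnmatch as a stand-in for sudo's glob matching are all assumptions of this illustration, and command arguments, Runas attributes and non-Unix groups are not modelled.

```python
import fnmatch
import ipaddress
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sudoRole entries (attribute name -> list of values), including
# the johnny/puddles pair from the text and two sudoOrder/timed roles.
ROLES: List[Dict[str, List[str]]] = [
    {"cn": ["role1"], "sudoUser": ["johnny"], "sudoHost": ["ALL"],
     "sudoCommand": ["ALL", "!/bin/sh"]},
    {"cn": ["role2"], "sudoUser": ["puddles"], "sudoHost": ["ALL"],
     "sudoCommand": ["!/bin/sh", "ALL"]},
    {"cn": ["nobody"], "sudoUser": ["!joe"], "sudoHost": ["ALL"],
     "sudoCommand": ["ALL"]},
    {"cn": ["everyone"], "sudoUser": ["ALL", "!joe"], "sudoHost": ["web01"],
     "sudoCommand": ["/usr/bin/uptime"]},
    {"cn": ["wheel-bin"], "sudoUser": ["%wheel"], "sudoHost": ["10.0.0.0/8"],
     "sudoCommand": ["/bin/*"], "sudoOrder": ["5"],
     "sudoNotBefore": ["20240101000000Z"], "sudoNotAfter": ["20241231235959Z"]},
    {"cn": ["wheel-noshell"], "sudoUser": ["%wheel"], "sudoHost": ["ALL"],
     "sudoCommand": ["!/bin/sh"], "sudoOrder": ["10"]},
]
# Constructed identity data that sudo would otherwise obtain from the system.
USERS = {
    "johnny": {"name": "johnny", "uid": 1001, "groups": {"users": 100}},
    "puddles": {"name": "puddles", "uid": 1002, "groups": {"users": 100}},
    "joe": {"name": "joe", "uid": 1003, "groups": {"users": 100}},
    "alice": {"name": "alice", "uid": 1004, "groups": {"users": 100, "wheel": 10}},
}
HOSTS = {"web01": ("web01", "192.0.2.10"), "db01": ("db01", "10.0.5.9")}
USER_NETGROUPS = {"admins": {"alice"}}
HOST_NETGROUPS = {"webservers": {"web01"}}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
LATER = datetime(2025, 6, 1, tzinfo=timezone.utc)


def parse_ldap_time(value: str) -> datetime:
    """yyyymmddHHMMSSZ in UTC; the minute and second fields are optional."""
    digits = value.rstrip("Z")
    if len(digits) not in (10, 12, 14) or not digits.isdigit():
        raise ValueError(f"bad timestamp: {value!r}")
    return datetime.strptime(digits.ljust(14, "0"), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def user_matches(values: List[str], user: dict) -> bool:
    for v in values:
        if v.startswith("!"):
            continue  # negated sudoUser values are ignored, as the text warns
        if v == "ALL" or v == user["name"]:
            return True
        if v.startswith("#") and v[1:] == str(user["uid"]):
            return True
        if v.startswith("%#") and v[2:] in map(str, user["groups"].values()):
            return True
        if v.startswith("%:"):
            continue  # non-Unix groups need a group_plugin; not modelled here
        if v.startswith("%") and v[1:] in user["groups"]:
            return True
        if v.startswith("+") and user["name"] in USER_NETGROUPS.get(v[1:], ()):
            return True
    return False


def host_matches(values: List[str], host: tuple) -> bool:
    name, addr = host
    for v in values:
        if v.startswith("!"):
            continue  # negated sudoHost values are ignored too
        if v == "ALL" or v == name:
            return True
        if v.startswith("+"):
            if name in HOST_NETGROUPS.get(v[1:], ()):
                return True
            continue
        try:  # an IP address or a network in CIDR form
            if ipaddress.ip_address(addr) in ipaddress.ip_network(v, strict=False):
                return True
        except ValueError:
            pass  # a plain host name that did not match
    return False


def within_time(entry: dict, now: datetime) -> bool:
    before = [parse_ldap_time(t) for t in entry.get("sudoNotBefore", [])]
    after = [parse_ldap_time(t) for t in entry.get("sudoNotAfter", [])]
    if before and now < min(before):  # the earliest sudoNotBefore is used
        return False
    if after and now > after[-1]:     # the last sudoNotAfter is used
        return False
    return True


def command_verdict(values: List[str], command: str) -> Optional[str]:
    """Paranoid evaluation within one entry: a matching negation wins no
    matter where it appears; otherwise any positive match allows."""
    verdict = None
    for v in values:
        negated = v.startswith("!")
        pattern = v.lstrip("!").split(" ", 1)[0]  # arguments are not modelled
        if pattern == "ALL" or fnmatch.fnmatchcase(command, pattern):
            if negated:
                return "deny"
            verdict = "allow"
    return verdict


def check(roles, user, host, command, now) -> Optional[str]:
    """'allow', 'deny', or None when no sudoRole speaks for this request.
    Entries are visited in ascending sudoOrder (default 0), so the highest
    matching one has the final say, like last-match in the sudoers file."""
    verdict = None
    for entry in sorted(roles, key=lambda e: float(e.get("sudoOrder", ["0"])[0])):
        if not (user_matches(entry["sudoUser"], user)
                and host_matches(entry["sudoHost"], host)
                and within_time(entry, now)):
            continue
        decision = command_verdict(entry["sudoCommand"], command)
        if decision is not None:
            verdict = decision
    return verdict


if __name__ == "__main__":
    for who, where, cmd in (("johnny", "web01", "/bin/sh"), ("puddles", "web01", "/bin/sh"),
                            ("joe", "web01", "/usr/bin/uptime"), ("alice", "db01", "/bin/sh")):
        print(who, where, cmd, "->", check(ROLES, USERS[who], HOSTS[where], cmd, NOW))
```

Both johnny and puddles are denied /bin/sh regardless of where the negation sits in the entry, joe is matched by the "everyone" role because its "!joe" value is ignored, and alice's wheel-noshell role (sudoOrder 10) overrides the /bin/* allowance of wheel-bin (sudoOrder 5) for /bin/sh while wheel-bin still allows /bin/ls until its sudoNotAfter has passed.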
   Sudoers schema
     In order to use sudo's LDAP support, the sudo schema must be installed on
     your LDAP server.  In addition, be sure to index the sudoUser attribute.

     Three versions of the schema: one for OpenLDAP servers (schema.OpenLDAP),
     one for Netscape-derived servers (schema.iPlanet), and one for Microsoft
     Active Directory (schema.ActiveDirectory) may be found in the sudo

     The schema for sudo in OpenLDAP form is also included in the EXAMPLES

   Configuring ldap.conf
     Sudo reads the /etc/ldap.conf file for LDAP-specific configuration.
     Typically, this file is shared between different LDAP-aware clients.  As
     such, most of the settings are not sudo-specific.  Note that sudo parses
     /etc/ldap.conf itself and may support options that differ from those
     described in the system's ldap.conf(1m) manual.  The path to ldap.conf
     may be overridden via the ldap_conf plugin argument in sudo.conf(4).

     Also note that on systems using the OpenLDAP libraries, default values
     specified in /etc/openldap/ldap.conf or the user's .ldaprc files are not

     Only those options explicitly listed in /etc/ldap.conf as being supported
     by sudo are honored.  Configuration options are listed below in upper
     case but are parsed in a case-independent manner.

     Long lines can be continued with a backslash (`\') as the last character
     on the line.  Note that leading white space is removed from the beginning
     of lines even when the continuation character is used.

     URI ldap[s]://[hostname[:port]] ...
             Specifies a white space-delimited list of one or more URIs
             describing the LDAP server(s) to connect to.  The protocol may be
             either ldap or ldaps, the latter being for servers that support
             TLS (SSL) encryption.  If no port is specified, the default is
             port 389 for ldap:// or port 636 for ldaps://.  If no hostname is
             specified, sudo will connect to localhost.  Multiple URI lines
             are treated identically to a URI line containing multiple
             entries.  Only systems using the OpenSSL libraries support the
             mixing of ldap:// and ldaps:// URIs.  Both the Netscape-derived
             and Tivoli LDAP libraries used on most commercial versions of
             Unix are only capable of supporting one or the other.

     HOST name[:port] ...
             If no URI is specified, the HOST parameter specifies a white
             space-delimited list of LDAP servers to connect to.  Each host
             may include an optional port separated by a colon (`:').  The
             HOST parameter is deprecated in favor of the URI specification
             and is included for backwards compatibility.

     PORT port_number
             If no URI is specified, the PORT parameter specifies the default
             port to connect to on the LDAP server if a HOST parameter does
             not specify the port itself.  If no PORT parameter is used, the
             default is port 389 for LDAP and port 636 for LDAP over TLS
             (SSL).  The PORT parameter is deprecated in favor of the URI
             specification and is included for backwards compatibility.

     BIND_TIMELIMIT seconds
             The BIND_TIMELIMIT parameter specifies the amount of time, in
             seconds, to wait while trying to connect to an LDAP server.  If
             multiple URIs or HOSTs are specified, this is the amount of time
             to wait before trying the next one in the list.

     NETWORK_TIMEOUT seconds
             An alias for BIND_TIMELIMIT for OpenLDAP compatibility.

     TIMELIMIT seconds
             The TIMELIMIT parameter specifies the amount of time, in seconds,
             to wait for a response to an LDAP query.

     TIMEOUT seconds
             The TIMEOUT parameter specifies the amount of time, in seconds,
             to wait for a response from the various LDAP APIs.

     SUDOERS_BASE base
             The base DN to use when performing sudo LDAP queries.  Typically
             this is of the form ou=SUDOers,dc=example,dc=com for the domain
             example.com.  Multiple SUDOERS_BASE lines may be specified, in
             which case they are queried in the order specified.

     SUDOERS_SEARCH_FILTER ldap_filter
             An LDAP filter which is used to restrict the set of records
             returned when performing a sudo LDAP query.  Typically, this is
             of the form attribute=value or
             (&(attribute=value)(attribute2=value2)).

     SUDOERS_TIMED on/true/yes/off/false/no
             Whether or not to evaluate the sudoNotBefore and sudoNotAfter
             attributes that implement time-dependent sudoers entries.

     SUDOERS_DEBUG debug_level
             This sets the debug level for sudo LDAP queries.  Debugging
             information is printed to the standard error.  A value of 1
             results in a moderate amount of debugging information.  A value
             of 2 shows the results of the matches themselves.  This parameter
             should not be set in a production environment as the extra
             information is likely to confuse users.

             The SUDOERS_DEBUG parameter is deprecated and will be removed in
             a future release.  The same information is now logged via the
             sudo debugging framework using the ``ldap'' subsystem at
             priorities diag and info for debug_level values 1 and 2
             respectively.  See the sudo.conf(4) manual for details on how to
             configure sudo debugging.

     BINDDN DN
             The BINDDN parameter specifies the identity, in the form of a
             Distinguished Name (DN), to use when performing LDAP operations.
             If not specified, LDAP operations are performed with an anonymous
             identity.  By default, most LDAP servers will allow anonymous

     BINDPW secret
             The BINDPW parameter specifies the password to use when
             performing LDAP operations.  This is typically used in
             conjunction with the BINDDN parameter.

     ROOTBINDDN DN
             The ROOTBINDDN parameter specifies the identity, in the form of a
             Distinguished Name (DN), to use when performing privileged LDAP
             operations, such as sudoers queries.  The password corresponding
             to the identity should be stored in the path specified by the
             ldap_secret plugin argument in sudo.conf(4), which defaults to
             /etc/ldap.secret.  If no ROOTBINDDN is specified, the BINDDN
             identity is used (if any).

     LDAP_VERSION number
             The version of the LDAP protocol to use when connecting to the
             server.  The default value is protocol version 3.

     SSL on/true/yes/off/false/no
             If the SSL parameter is set to on, true or yes, TLS (SSL)
             encryption is always used when communicating with the LDAP
             server.  Typically, this involves connecting to the server on
             port 636

     SSL start_tls
             If the SSL parameter is set to start_tls, the LDAP server
             connection is initiated normally and TLS encryption is begun
             before the bind credentials are sent.  This has the advantage of
             not requiring a dedicated port for encrypted communications.
             This parameter is only supported by LDAP servers that honor the
             start_tls extension, such as the OpenLDAP and Tivoli Directory

     TLS_CHECKPEER on/true/yes/off/false/no
             If enabled, TLS_CHECKPEER will cause the LDAP server's TLS
             certificate to be verified.  If the server's TLS certificate
             cannot be verified (usually because it is signed by an unknown
             certificate authority), sudo will be unable to connect to it.  If
             TLS_CHECKPEER is disabled, no check is made.  Note that disabling
             the check creates an opportunity for man-in-the-middle attacks
             since the server's identity will not be authenticated.  If
             possible, the CA's certificate should be installed locally so it
             can be verified.  This option is not supported by the Tivoli
             Directory Server LDAP libraries.

     TLS_CACERT file name
             An alias for TLS_CACERTFILE for OpenLDAP compatibility.

     TLS_CACERTFILE file name
             The path to a certificate authority bundle which contains the
             certificates for all the Certificate Authorities the client knows
             to be valid, e.g. /etc/ssl/ca-bundle.pem.  This option is only
             supported by the OpenLDAP libraries.  Netscape-derived LDAP
             libraries use the same certificate database for CA and client
             certificates (see TLS_CERT).

     TLS_CACERTDIR directory
             Similar to TLS_CACERTFILE but instead of a file, it is a
             directory containing individual Certificate Authority
             certificates, e.g. /etc/ssl/certs.  The directory specified by
             TLS_CACERTDIR is checked after TLS_CACERTFILE.  This option is
             only supported by the

     TLS_CERT file name
             The path to a file containing the client certificate which can be
             used to authenticate the client to the LDAP server.  The
             certificate type depends on the LDAP libraries used.

                 tls_cert /etc/ssl/client_cert.pem

                 tls_cert /var/ldap/cert7.db

             Tivoli Directory Server:
                 Unused, the key database specified by TLS_KEY contains both
                 keys and certificates.

             When using Netscape-derived libraries, this file may also
             contain Certificate Authority certificates.

     TLS_KEY file name
             The path to a file containing the private key which matches the
             certificate specified by TLS_CERT.  The private key must not be
             password-protected.  The key type depends on the LDAP libraries

                 tls_key /etc/ssl/client_key.pem

                 tls_key /var/ldap/key3.db

             Tivoli Directory Server:
                 tls_key /usr/ldap/ldapkey.kdb
             When using Tivoli LDAP libraries, this file may also contain
             Certificate Authority and client certificates and may be
             encrypted.

     TLS_KEYPW secret
             The TLS_KEYPW contains the password used to decrypt the key
             database on clients using the Tivoli Directory Server LDAP
             library.  If no TLS_KEYPW is specified, a stash file will be used
             if it exists.  The stash file must have the same path as the file
             specified by TLS_KEY, but use a .sth file extension instead of
             .kdb, e.g. ldapkey.sth.  The default ldapkey.kdb that ships with
             Tivoli Directory Server is encrypted with the password
             ssl_password.  This option is only supported by the Tivoli LDAP

     TLS_RANDFILE file name
             The TLS_RANDFILE parameter specifies the path to an entropy
             source for systems that lack a random device.  It is generally
             used in conjunction with prngd or egd.  This option is only
             supported by the OpenLDAP libraries.

     TLS_CIPHERS cipher list
             The TLS_CIPHERS parameter allows the administrator to restrict
             which encryption algorithms may be used for TLS (SSL)
             connections.  See the OpenLDAP or Tivoli Directory Server manual
             for a list of valid ciphers.  This option is not supported by
             Netscape-derived

     USE_SASL on/true/yes/off/false/no
             Enable USE_SASL for LDAP servers that support SASL
             authentication.

     SASL_AUTH_ID identity
             The SASL user name to use when connecting to the LDAP server.  By
             default, sudo will use an anonymous connection.

     ROOTUSE_SASL on/true/yes/off/false/no
             Enable ROOTUSE_SASL to enable SASL authentication when connecting
             to an LDAP server from a privileged process, such as sudo.

     ROOTSASL_AUTH_ID identity
             The SASL user name to use when ROOTUSE_SASL is enabled.

     SASL_SECPROPS none/properties
             SASL security properties or none for no properties.  See the SASL
             programmer's manual for details.

     KRB5_CCNAME file name
             The path to the Kerberos 5 credential cache to use when
             authenticating with the remote server.

     DEREF never/searching/finding/always
             How alias dereferencing is to be performed when searching.  See
             the ldap.conf(1m) manual for a full description of this option.

     See the ldap.conf entry in the EXAMPLES section.
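Because sudo parses ldap.conf itself with the rules given above (case-independent keys, backslash continuation, leading white space stripped), a small reader of the file doubles as a check for the settings this section warns about: a missing SUDOERS_BASE, TLS_CHECKPEER disabled, no TLS at all before the bind, mixed ldap:// and ldaps:// URIs, a BINDPW in the shared file, or SUDOERS_DEBUG left on. The following is an added example and not part of sudo; the two configuration texts are constructed, and the function names and the (key, message) result shape are assumptions of this illustration.

```python
from typing import Dict, List, Tuple

ON = {"on", "true", "yes"}
OFF = {"off", "false", "no"}


def parse_ldap_conf(text: str) -> Dict[str, List[str]]:
    """Parse ldap.conf as the man page describes sudo reading it: keys are
    case-independent, a trailing backslash continues a line, and leading
    white space is stripped from every physical line (continuations too).
    Repeated keys (e.g. several sudoers_base lines) keep all values in order."""
    conf: Dict[str, List[str]] = {}
    pieces: List[str] = []
    for raw in text.splitlines():
        line = raw.lstrip()
        if line.endswith("\\"):
            pieces.append(line[:-1])  # keep any space before the backslash
            continue
        pieces.append(line)
        logical, pieces = "".join(pieces).strip(), []
        if not logical or logical.startswith("#"):
            continue
        parts = logical.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf


def audit_ldap_conf(conf: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Flag settings the man page warns about.  Returns (key, message) pairs."""
    def last(key: str, default: str = "") -> str:
        return conf.get(key, [default])[-1].lower()

    findings: List[Tuple[str, str]] = []
    uris = " ".join(conf.get("uri", [])).split()
    ssl = last("ssl", "off")
    plain_ldap = any(u.startswith("ldap://") for u in uris)
    has_ldaps = any(u.startswith("ldaps://") for u in uris)

    if "sudoers_base" not in conf:
        findings.append(("sudoers_base", "not set: sudo will ignore LDAP entirely"))
    if ssl not in ON and ssl != "start_tls" and (plain_ldap or not uris):
        findings.append(("ssl", "no TLS: bind credentials and sudoers data travel in clear "
                                "text (set ssl on, ssl start_tls, or use ldaps:// URIs)"))
    if plain_ldap and has_ldaps:
        findings.append(("uri", "mixes ldap:// and ldaps://, which only systems using "
                                "the OpenSSL libraries support"))
    if last("tls_checkpeer") in OFF:
        findings.append(("tls_checkpeer", "disabled: the server certificate is not verified, "
                                          "leaving room for man-in-the-middle attacks"))
    if "bindpw" in conf:
        findings.append(("bindpw", "password kept in ldap.conf, a file usually shared with "
                                   "other LDAP clients; rootbinddn reads it from "
                                   "/etc/ldap.secret instead"))
    if "sudoers_debug" in conf:
        findings.append(("sudoers_debug", "set: deprecated and not meant for production"))
    return findings


# Constructed weak configuration: a continued URI line, mixed-case keys,
# TLS off, peer checking off, a password in the file, debugging left on.
WEAK_CONF = """\
URI ldap://ldapserver \\
    ldaps://secureldapserver
SSL off
TLS_CheckPeer no
binddn cn=sudo,ou=service,dc=example,dc=com
bindpw hunter2
sudoers_debug 2
"""

# Constructed hardened configuration: ldaps:// only, peer checking on, CA
# bundle given, privileged bind password kept out of this file.
HARDENED_CONF = """\
uri ldaps://secureldapserver
sudoers_base ou=SUDOers,dc=example,dc=com
ssl on
tls_checkpeer yes
tls_cacertfile /etc/ssl/ca-bundle.pem
rootbinddn cn=sudo,ou=service,dc=example,dc=com
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for key, message in audit_ldap_conf(parse_ldap_conf(text)) or [("ok", "no findings")]:
            print(f"  {key}: {message}")
```

Pointing parse_ldap_conf at the real file (open("/etc/ldap.conf").read()) turns this into a quick pre-deployment check; note that the parser deliberately keeps only the last value of single-valued keys such as ssl, which is what a reader scanning the file top to bottom would also conclude.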
524 C
\bCo
\bon
\bnf
\bfi
\big
\bgu
\bur
\bri
\bin
\bng
\bg n
\bns
\bss
\bsw
\bwi
\bit
\btc
\bch
\bh.
\b.c
\bco
\bon
\bnf
\bf
525 Unless it is disabled at build time, s
\bsu
\bud
\bdo
\bo consults the Name Service
526 Switch file, _
\b/_
\be_
\bt_
\bc_
\b/_
\bn_
\bs_
\bs_
\bw_
\bi_
\bt_
\bc_
\bh_
\b._
\bc_
\bo_
\bn_
\bf, to specify the _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs search order.
527 Sudo looks for a line beginning with sudoers: and uses this to determine
528 the search order. Note that s
\bsu
\bud
\bdo
\bo does not stop searching after the first
529 match and later matches take precedence over earlier ones. The following
530 sources are recognized:
532 files read sudoers from _
\b/_
\be_
\bt_
\bc_
\b/_
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs
533 ldap read sudoers from LDAP
535 In addition, the entry [NOTFOUND=return] will short-circuit the search if
536 the user was not found in the preceding source.
538 To consult LDAP first followed by the local sudoers file (if it exists),
543 The local _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs file can be ignored completely by using:
547 If the _
\b/_
\be_
\bt_
\bc_
\b/_
\bn_
\bs_
\bs_
\bw_
\bi_
\bt_
\bc_
\bh_
\b._
\bc_
\bo_
\bn_
\bf file is not present or there is no sudoers
548 line, the following default is assumed:
552 Note that _
\b/_
\be_
\bt_
\bc_
\b/_
\bn_
\bs_
\bs_
\bw_
\bi_
\bt_
\bc_
\bh_
\b._
\bc_
\bo_
\bn_
\bf is supported even when the underlying
553 operating system does not use an nsswitch.conf file, except on AIX (see
556 C
\bCo
\bon
\bnf
\bfi
\big
\bgu
\bur
\bri
\bin
\bng
\bg n
\bne
\bet
\bts
\bsv
\bvc
\bc.
\b.c
\bco
\bon
\bnf
\bf
On AIX systems, the /etc/netsvc.conf file is consulted instead of
/etc/nsswitch.conf. sudo simply treats netsvc.conf as a variant of
nsswitch.conf; information in the previous section unrelated to the file
format itself still applies.

To consult LDAP first followed by the local sudoers file (if it exists),

    sudoers = ldap, files

The local sudoers file can be ignored completely by using:

To treat LDAP as authoritative and only use the local sudoers file if the
user is not present in LDAP, use:

    sudoers = ldap = auth, files

Note that in the above example, the auth qualifier only affects user
lookups; both LDAP and sudoers will be queried for Defaults entries.

If the /etc/netsvc.conf file is not present or there is no sudoers line,
the following default is assumed:
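The source-order rules of the nsswitch.conf and netsvc.conf sections above, modelled for user lookups as an added example (this is not code from the sudo project; the LDAP and files backends are constructed stand-in dictionaries, and Defaults entries, which every source supplies regardless, are not modelled):

```python
"""Walk a sudoers source list the way the nsswitch.conf / netsvc.conf rules
above describe: every source is consulted, later matches take precedence,
[NOTFOUND=return] stops on a miss and the AIX 'auth' qualifier stops on a hit.
Added example, not code from the sudo project; the backends are stand-ins."""

# Constructed sample data standing in for the LDAP directory and /etc/sudoers.
SOURCES = {
    "ldap": {"alice": ["ALL=(ALL) ALL"], "bob": ["ALL=(root) /usr/bin/less"]},
    "files": {"bob": ["ALL=(ALL) NOPASSWD: ALL"], "carol": ["ALL=(ALL) ALL"]},
}


def parse_nsswitch(line):
    """'sudoers: ldap [NOTFOUND=return] files' -> [(source, flag), ...];
    [NOTFOUND=return] attaches to the source that precedes it."""
    entries = []
    for tok in line.split(":", 1)[1].split():
        if tok.upper() == "[NOTFOUND=RETURN]" and entries:
            entries[-1] = (entries[-1][0], "return_if_notfound")
        elif not tok.startswith("["):
            entries.append((tok, None))
    return entries


def parse_netsvc(line):
    """AIX form 'sudoers = ldap = auth, files' -> same shape; '= auth' makes
    that source authoritative for the users it knows."""
    entries = []
    for field in line.split("=", 1)[1].split(","):
        name, _, qual = field.partition("=")
        flag = "return_if_found" if qual.strip().lower() == "auth" else None
        entries.append((name.strip(), flag))
    return entries


def lookup(entries, user, sources=SOURCES):
    """Return the matches in consultation order; the last one wins.
    Every source is visited unless a flagged source cuts the walk short."""
    matches = []
    for name, flag in entries:
        rules = sources.get(name, {}).get(user)
        if rules:
            matches.append((name, rules))
            if flag == "return_if_found":
                break  # authoritative source knew the user: skip the rest
        elif flag == "return_if_notfound":
            break  # user absent from this source: short-circuit
    return matches
```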
FILES
    /etc/ldap.conf        LDAP configuration file

    /etc/nsswitch.conf    determines sudoers source order

    /etc/netsvc.conf      determines sudoers source order on AIX
EXAMPLES
Example ldap.conf

    # Either specify one or more URIs or one or more host:port pairs.
    # If neither is specified sudo will default to localhost, port 389.
    #host ldapserver1 ldapserver2:390

    # Default port if host is specified without one, defaults to 389.

    # URI will override the host and port settings.
    uri ldap://ldapserver
    #uri ldaps://secureldapserver
    #uri ldaps://secureldapserver ldap://ldapserver

    # The amount of time, in seconds, to wait while trying to connect to

    # The amount of time, in seconds, to wait while performing an LDAP query.

    # Must be set or sudo will ignore LDAP; may be specified multiple times.
    sudoers_base ou=SUDOers,dc=example,dc=com

    # verbose sudoers matching from ldap

    # Enable support for time-based entries in sudoers.

    # optional proxy credentials
    #binddn <who to search as>
    #rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>

    # LDAP protocol version, defaults to 3

    # Define if you want to use an encrypted LDAP connection.
    # Typically, you must also set the port to 636 (ldaps).

    # Define if you want to use port 389 and switch to
    # encryption before the bind credentials are sent.
    # Only supported by LDAP servers that support the start_tls
    # extension such as OpenLDAP.

    # Additional TLS options follow that allow tweaking of the
    # SSL/TLS connection.

    #tls_checkpeer yes # verify server SSL certificate
    #tls_checkpeer no  # ignore server SSL certificate

    # If you enable tls_checkpeer, specify either tls_cacertfile
    # or tls_cacertdir. Only supported when using OpenLDAP.
    #tls_cacertfile /etc/certs/trusted_signers.pem
    #tls_cacertdir /etc/certs

    # For systems that don't have /dev/random
    # use this along with PRNGD or EGD.pl to seed the
    # random number pool to generate cryptographic session keys.
    # Only supported when using OpenLDAP.
    #tls_randfile /etc/egd-pool

    # You may restrict which ciphers are used. Consult your SSL
    # documentation for which options go here.
    # Only supported when using OpenLDAP.
    #tls_ciphers <cipher-list>

    # Sudo can provide a client certificate when communicating to
    # * Enable both lines at the same time.
    # * Do not password protect the key file.
    # * Ensure the keyfile is only readable by root.
    #tls_cert /etc/certs/client_cert.pem
    #tls_key /etc/certs/client_key.pem

    # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
    # a directory, in which case the files in the directory must have the
    # default names (e.g. cert8.db and key4.db), or the path to the cert
    # and key files themselves. However, a bug in version 5.0 of the LDAP
    # SDK will prevent specific file names from working. For this reason
    # it is suggested that tls_cert and tls_key be set to a directory,

    # The certificate database specified by tls_cert may contain CA certs
    # and/or the client's cert. If the client's cert is included, tls_key
    # should be specified as well.
    # For backward compatibility, "sslpath" may be used in place of tls_cert.

    # If using SASL authentication for LDAP (OpenSSL)
    # sasl_auth_id <SASL user name>
    # rootsasl_auth_id <SASL user name for root access>
    # krb5_ccname /etc/.ldapcache
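A check over an ldap.conf for the weak settings the example comments warn about (a missing sudoers_base, a cleartext ldap:// connection, and tls_checkpeer turned off or left without a CA file or directory), as an added example that is not sudo's code. It assumes the `ssl on` and `ssl start_tls` keys that sudo's ldap.conf uses for the two commented-out encryption options, and the sample configuration it audits is constructed from the example above:

```python
"""Flag weak settings in a sudo ldap.conf, using the rules the sample above
states: sudoers_base is mandatory, 'tls_checkpeer no' skips certificate
verification, and 'tls_checkpeer yes' needs tls_cacertfile or tls_cacertdir.
Added example, not sudo's code; assumes the 'ssl on'/'ssl start_tls' keys."""


def parse_ldap_conf(text):
    """{key: [value, ...]}: keys lower-cased, repeats kept, comments dropped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, value = (line.split(None, 1) + [""])[:2]
            conf.setdefault(key.lower(), []).append(value.strip())
    return conf


def audit_ldap_conf(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_ldap_conf(text)
    findings = []
    if "sudoers_base" not in conf:
        findings.append("sudoers_base missing: sudo will ignore LDAP")
    # No uri means host/port or the localhost:389 default, i.e. plain ldap://.
    uris = " ".join(conf.get("uri", [])).split()
    cleartext = not uris or any(u.startswith("ldap://") for u in uris)
    if cleartext and conf.get("ssl", ["off"])[-1].lower() not in (
            "on", "yes", "true", "start_tls"):
        findings.append("cleartext ldap://: use ldaps:// or 'ssl start_tls'")
    checkpeer = conf.get("tls_checkpeer", [None])[-1]
    if checkpeer is not None:
        if checkpeer.lower() in ("no", "off", "false"):
            findings.append("tls_checkpeer no: server certificate not verified")
        elif not conf.keys() & {"tls_cacertfile", "tls_cacertdir"}:
            findings.append("tls_checkpeer yes without tls_cacertfile/cacertdir")
    return findings


# Constructed sample: the page's example with peer checking switched off.
WEAK_CONF = """\
uri ldap://ldapserver
sudoers_base ou=SUDOers,dc=example,dc=com
tls_checkpeer no    # ignore server SSL certificate
"""
```

Switching the sample to `uri ldaps://secureldapserver`, `tls_checkpeer yes` and a `tls_cacertfile` clears every finding.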
Sudo schema for OpenLDAP

The following schema, in OpenLDAP format, is included with sudo source and
binary distributions as schema.OpenLDAP. Simply copy it to the schema
directory (e.g. /etc/openldap/schema), add the proper include line in
slapd.conf and restart slapd.
    attributetype ( 1.3.6.1.4.1.15953.9.1.1
        DESC 'User(s) who may run sudo'
        EQUALITY caseExactIA5Match
        SUBSTR caseExactIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

    attributetype ( 1.3.6.1.4.1.15953.9.1.2
        DESC 'Host(s) who may run sudo'
        EQUALITY caseExactIA5Match
        SUBSTR caseExactIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

    attributetype ( 1.3.6.1.4.1.15953.9.1.3
        DESC 'Command(s) to be executed by sudo'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

    attributetype ( 1.3.6.1.4.1.15953.9.1.4
        DESC 'User(s) impersonated by sudo'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

    attributetype ( 1.3.6.1.4.1.15953.9.1.5
        DESC 'Options(s) followed by sudo'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

    attributetype ( 1.3.6.1.4.1.15953.9.1.6
        DESC 'User(s) impersonated by sudo'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

    attributetype ( 1.3.6.1.4.1.15953.9.1.7
        NAME 'sudoRunAsGroup'
        DESC 'Group(s) impersonated by sudo'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

    attributetype ( 1.3.6.1.4.1.15953.9.1.8
        DESC 'Start of time interval for which the entry is valid'
        EQUALITY generalizedTimeMatch
        ORDERING generalizedTimeOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

    attributetype ( 1.3.6.1.4.1.15953.9.1.9
        DESC 'End of time interval for which the entry is valid'
        EQUALITY generalizedTimeMatch
        ORDERING generalizedTimeOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

    attributetype ( 1.3.6.1.4.1.15953.9.1.10
        DESC 'an integer to order the sudoRole entries'
        EQUALITY integerMatch
        ORDERING integerOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

    objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
        DESC 'Sudoer Entries'
        MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
              sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
              sudoOrder $ description )
SEE ALSO
ldap.conf(4), sudo.conf(4), sudoers(1m)
CAVEATS
Note that there are differences in the way that LDAP-based sudoers is
parsed compared to file-based sudoers. See the Differences between LDAP
and non-LDAP sudoers section for more information.
BUGS
If you feel you have found a bug in sudo, please submit a bug report at
http://www.sudo.ws/sudo/bugs/
SUPPORT
Limited free support is available via the sudo-users mailing list, see
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
DISCLAIMER
sudo is provided "AS IS" and any express or implied warranties,
including, but not limited to, the implied warranties of merchantability
and fitness for a particular purpose are disclaimed. See the LICENSE
file distributed with sudo or http://www.sudo.ws/sudo/license.html for

Sudo 1.8.7                       April 25, 2013                       Sudo 1.8.7