SUDOERS.LDAP(4)              MAINTENANCE COMMANDS             SUDOERS.LDAP(4)

NAME
       sudoers.ldap - sudo LDAP configuration

DESCRIPTION
       In addition to the standard sudoers file, sudo may be configured via
       LDAP.  This can be especially useful for synchronizing sudoers in a
       large, distributed environment.

       Using LDAP for sudoers has several benefits:

       o   sudo no longer needs to read sudoers in its entirety.  When LDAP is
           used, there are only two or three LDAP queries per invocation.
           This makes it especially fast and particularly usable in LDAP

       o   sudo no longer exits if there is a typo in sudoers.  It is not
           possible to load LDAP data into the server that does not conform to
           the sudoers schema, so proper syntax is guaranteed.  It is still
           possible to have typos in a user or host name, but this will not
           prevent sudo from running.

       o   It is possible to specify per-entry options that override the
           global default options.  /etc/sudoers only supports default options
           and limited options associated with user/host/commands/aliases.
           The syntax is complicated and can be difficult for users to
           understand.  Placing the options directly in the entry is more

       o   The visudo program is no longer needed.  visudo provides locking
           and syntax checking of the /etc/sudoers file.  Since LDAP updates
           are atomic, locking is no longer necessary.  Because syntax is
           checked when the data is inserted into LDAP, there is no need for a
           specialized tool to check syntax.

       Another major difference between LDAP and file-based sudoers is that in
       LDAP, sudo-specific Aliases are not supported.

       For the most part, there is really no need for sudo-specific Aliases.
       Unix groups or user netgroups can be used in place of User_Aliases and
       Runas_Aliases.  Host netgroups can be used in place of Host_Aliases.
       Since Unix groups and netgroups can also be stored in LDAP there is no
       real need for sudo-specific aliases.

       Cmnd_Aliases are not really required either since it is possible to
       have multiple users listed in a sudoRole.  Instead of defining a
       Cmnd_Alias that is referenced by multiple users, one can create a
       sudoRole that contains the commands and assign multiple users to it.
   SUDOers LDAP container
       The sudoers configuration is contained in the ou=SUDOers LDAP

       Sudo first looks for the cn=defaults entry in the SUDOers container.  If
       found, the multi-valued sudoOption attribute is parsed in the same
       manner as a global Defaults line in /etc/sudoers.  In the following
       example, the SSH_AUTH_SOCK variable will be preserved in the
       environment for all users.

           dn: cn=defaults,ou=SUDOers,dc=example,dc=com
           description: Default sudoOption's go here
           sudoOption: env_keep+=SSH_AUTH_SOCK

       The equivalent of a sudoer in LDAP is a sudoRole.  It consists of the

       sudoUser
           A user name, user ID (prefixed with '#'), Unix group (prefixed with
           '%'), Unix group ID (prefixed with '%#'), or user netgroup

       sudoHost
           A host name, IP address, IP network, or host netgroup (prefixed
           with a '+').  The special value ALL will match any host.

       sudoCommand
           A Unix command with optional command line arguments, potentially
           including globbing characters (aka wild cards).  The special value
           ALL will match any command.  If a command is prefixed with an
           exclamation point '!', the user will be prohibited from running

       sudoOption
           Identical in function to the global options described above, but
           specific to the sudoRole in which it resides.

       sudoRunAsUser
           A user name or uid (prefixed with '#') that commands may be run as
           or a Unix group (prefixed with a '%') or user netgroup (prefixed
           with a '+') that contains a list of users that commands may be run
           as.  The special value ALL will match any user.

           The sudoRunAsUser attribute is only available in sudo versions
           1.7.0 and higher.  Older versions of sudo use the sudoRunAs

       sudoRunAsGroup
           A Unix group or gid (prefixed with '#') that commands may be run
           as.  The special value ALL will match any group.

           The sudoRunAsGroup attribute is only available in sudo versions

       sudoNotBefore
           A timestamp in the form yyyymmddHHMMSSZ that can be used to provide
           a start date/time for when the sudoRole will be valid.  If multiple
           sudoNotBefore entries are present, the earliest is used.  Note that
           timestamps must be in Coordinated Universal Time (UTC), not the
           local timezone.  The minute and seconds portions are optional, but
           some LDAP servers require that they be present (contrary to the

           The sudoNotBefore attribute is only available in sudo versions
           1.7.5 and higher and must be explicitly enabled via the
           SUDOERS_TIMED option in /etc/ldap.conf.

       sudoNotAfter
           A timestamp in the form yyyymmddHHMMSSZ that indicates an
           expiration date/time, after which the sudoRole will no longer be
           valid.  If multiple sudoNotAfter entries are present, the last one
           is used.  Note that timestamps must be in Coordinated Universal
           Time (UTC), not the local timezone.  The minute and seconds
           portions are optional, but some LDAP servers require that they be
           present (contrary to the RFC).

           The sudoNotAfter attribute is only available in sudo versions 1.7.5
           and higher and must be explicitly enabled via the SUDOERS_TIMED
           option in /etc/ldap.conf.

       sudoOrder
           The sudoRole entries retrieved from the LDAP directory have no
           inherent order.  The sudoOrder attribute is an integer (or floating
           point value for LDAP servers that support it) that is used to sort
           the matching entries.  This allows LDAP-based sudoers entries to
           more closely mimic the behaviour of the sudoers file, where the
           order of the entries influences the result.  If multiple entries
           match, the entry with the highest sudoOrder attribute is chosen.
           This corresponds to the "last match" behavior of the sudoers file.
           If the sudoOrder attribute is not present, a value of 0 is assumed.

           The sudoOrder attribute is only available in sudo versions 1.7.5

       Each attribute listed above should contain a single value, but there
       may be multiple instances of each attribute type.  A sudoRole must
       contain at least one sudoUser, sudoHost and sudoCommand.

       The following example allows users in group wheel to run any command on
       any host via sudo:

           dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
           objectClass: sudoRole
   Anatomy of LDAP sudoers lookup
       When looking up a sudoer using LDAP there are only two or three LDAP
       queries per invocation.  The first query is to parse the global
       options.  The second is to match against the user's name and the groups
       that the user belongs to.  (The special ALL tag is matched in this
       query too.)  If no match is returned for the user's name and groups, a
       third query returns all entries containing user netgroups and checks to
       see if the user belongs to any of them.

       If timed entries are enabled with the SUDOERS_TIMED configuration
       directive, the LDAP queries include a subfilter that limits retrieval
       to entries that satisfy the time constraints, if any.

   Differences between LDAP and non-LDAP sudoers
       There are some subtle differences in the way sudoers is handled once in
       LDAP.  Probably the biggest is that according to the RFC, LDAP ordering
       is arbitrary and you cannot expect that Attributes and Entries are
       returned in any specific order.

       The order in which different entries are applied can be controlled
       using the sudoOrder attribute, but there is no way to guarantee the
       order of attributes within a specific entry.  If there are conflicting
       command rules in an entry, the negative takes precedence.  This is
       called paranoid behavior (not necessarily the most specific match).

           # Allow all commands except shell
           johnny  ALL=(root) ALL,!/bin/sh
           # Always allows all commands because ALL is matched last
           puddles ALL=(root) !/bin/sh,ALL

           # LDAP equivalent of johnny
           # Allows all commands except shell
           dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
           objectClass: sudoRole
           sudoCommand: !/bin/sh

           # LDAP equivalent of puddles
           # Notice that even though ALL comes last, it still behaves like
           # role1 since the LDAP code assumes the more paranoid configuration
           dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
           objectClass: sudoRole
           sudoCommand: !/bin/sh

       Another difference is that negations on the Host, User or Runas are
       currently ignored.  For example, the following attributes do not behave
       the way one might expect.

           # does not match all but joe
           # rather, does not match anyone

           # does not match all but joe
           # rather, matches everyone including Joe

           # does not match all but web01
           # rather, matches all hosts including web01
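The matching rules described above (the highest sudoOrder wins, a negated sudoCommand takes precedence whatever its position among the attributes, and sudoNotBefore/sudoNotAfter are UTC timestamps whose minutes and seconds may be omitted) are easy to misjudge when reviewing a directory by eye. The following Python model is an added example, not part of sudo or of this manual page; it applies those rules to a constructed LDIF. The role2 entry mirrors the puddles example above, while the catchall and oncall roles, their hosts, order values and timestamps are invented for the demonstration. Netgroups ('+') are not modelled and sudoCommand globbing is approximated with fnmatch, both assumptions of this model.

```python
# Added example, not sudo's own code: a model of the LDAP matching rules this
# page describes -- the highest sudoOrder wins, a negated sudoCommand takes
# precedence whatever the attribute order, and sudoNotBefore/sudoNotAfter are
# UTC timestamps whose minutes and seconds may be omitted (assumptions noted).
from datetime import datetime, timezone
import fnmatch

# Constructed LDIF: role2 follows the puddles example above; "catchall" and
# "oncall", their hosts, order values and timestamps are made up.
SAMPLE_LDIF = """\
dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
objectClass: sudoRole
sudoUser: puddles
sudoHost: ALL
sudoCommand: !/bin/sh
sudoCommand: ALL

dn: cn=catchall,ou=Sudoers,dc=my-domain,dc=com
objectClass: sudoRole
sudoUser: ALL
sudoHost: web01
sudoCommand: /bin/ls
sudoOrder: 1

dn: cn=oncall,ou=Sudoers,dc=my-domain,dc=com
objectClass: sudoRole
sudoUser: %ops
sudoHost: web01
sudoCommand: /usr/sbin/service *
sudoOrder: 10
sudoNotBefore: 20120106Z
sudoNotAfter: 20120107120000Z
"""

def parse_ldif(text):
    """Minimal LDIF reader: one {attr: [values]} dict per blank-line-separated entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def parse_gentime(value):
    """yyyymmddHHMMSSZ in UTC; absent minutes/seconds are read as 00 (assumption)."""
    digits = value.rstrip("Z").ljust(14, "0")
    return datetime.strptime(digits, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def role_is_active(role, now):
    """Earliest sudoNotBefore and latest sudoNotAfter bound the validity window."""
    befores = [parse_gentime(v) for v in role.get("sudoNotBefore", [])]
    afters = [parse_gentime(v) for v in role.get("sudoNotAfter", [])]
    if befores and now < min(befores):
        return False
    return not (afters and now > max(afters))

def user_matches(role, user, groups):
    """sudoUser is a plain name, %group or ALL here (no '#', '%#' or '+' forms)."""
    for spec in role.get("sudoUser", []):
        if spec in ("ALL", user) or (spec.startswith("%") and spec[1:] in groups):
            return True
    return False

def host_matches(role, host):
    """sudoHost is a host name or ALL here (networks and netgroups not modelled)."""
    return any(spec in ("ALL", host) for spec in role.get("sudoHost", []))

def command_allowed(role, cmd):
    """Paranoid rule: a matching negated sudoCommand denies, whatever its position."""
    allowed = False
    for spec in role.get("sudoCommand", []):
        negated = spec.startswith("!")
        pattern = spec.lstrip("!")
        if pattern == "ALL" or fnmatch.fnmatchcase(cmd, pattern):
            if negated:
                return False
            allowed = True
    return allowed

def select_role(roles, user, groups, host, now):
    """Of the active roles matching user and host, keep the highest sudoOrder (default 0)."""
    matching = [r for r in roles if role_is_active(r, now)
                and user_matches(r, user, groups) and host_matches(r, host)]
    if not matching:
        return None
    return max(matching, key=lambda r: float(r.get("sudoOrder", ["0"])[0]))

def may_run(ldif, user, groups, host, cmd, now):
    """True if the selected sudoRole permits `cmd` for `user` on `host` at `now`."""
    role = select_role(parse_ldif(ldif), user, groups, host, now)
    return role is not None and command_allowed(role, cmd)
```

With `now = parse_gentime("20120106120000Z")`, `may_run(SAMPLE_LDIF, "puddles", [], "db01", "/bin/sh", now)` is False even though ALL is the last sudoCommand, which is the paranoid behaviour described above, while the same call for /bin/ls is True. A member of group ops on web01 is governed by the oncall role (sudoOrder 10) rather than catchall (sudoOrder 1) until the sudoNotAfter time passes, after which catchall is the only match.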
   Sudoers Schema
       In order to use sudo's LDAP support, the sudo schema must be installed
       on your LDAP server.  In addition, be sure to index the 'sudoUser'

       Three versions of the schema: one for OpenLDAP servers
       (schema.OpenLDAP), one for Netscape-derived servers (schema.iPlanet),
       and one for Microsoft Active Directory (schema.ActiveDirectory) may be
       found in the sudo distribution.

       The schema for sudo in OpenLDAP form is included in the EXAMPLES

   Configuring ldap.conf
       Sudo reads the /etc/ldap.conf file for LDAP-specific configuration.
       Typically, this file is shared amongst different LDAP-aware clients.
       As such, most of the settings are not sudo-specific.  Note that sudo
       parses /etc/ldap.conf itself and may support options that differ from
       those described in the ldap.conf(4) manual.

       Also note that on systems using the OpenLDAP libraries, default values
       specified in /etc/openldap/ldap.conf or the user's .ldaprc files are

       Only those options explicitly listed in /etc/ldap.conf as being
       supported by sudo are honored.  Configuration options are listed below
       in upper case but are parsed in a case-independent manner.
       URI ldap[s]://[hostname[:port]] ...
           Specifies a whitespace-delimited list of one or more URIs
           describing the LDAP server(s) to connect to.  The protocol may be
           either ldap or ldaps, the latter being for servers that support TLS
           (SSL) encryption.  If no port is specified, the default is port 389
           for ldap:// or port 636 for ldaps://.  If no hostname is specified,
           sudo will connect to localhost.  Multiple URI lines are treated
           identically to a URI line containing multiple entries.  Only
           systems using the OpenSSL libraries support the mixing of ldap://
           and ldaps:// URIs.  The Netscape-derived libraries used on most
           commercial versions of Unix are only capable of supporting one or

       HOST name[:port] ...
           If no URI is specified, the HOST parameter specifies a whitespace-
           delimited list of LDAP servers to connect to.  Each host may
           include an optional port separated by a colon (':').  The HOST
           parameter is deprecated in favor of the URI specification and is
           included for backwards compatibility.

       PORT port_number
           If no URI is specified, the PORT parameter specifies the default
           port to connect to on the LDAP server if a HOST parameter does not
           specify the port itself.  If no PORT parameter is used, the default
           is port 389 for LDAP and port 636 for LDAP over TLS (SSL).  The
           PORT parameter is deprecated in favor of the URI specification and
           is included for backwards compatibility.

       BIND_TIMELIMIT seconds
           The BIND_TIMELIMIT parameter specifies the amount of time, in
           seconds, to wait while trying to connect to an LDAP server.  If
           multiple URIs or HOSTs are specified, this is the amount of time to
           wait before trying the next one in the list.

       NETWORK_TIMEOUT seconds
           An alias for BIND_TIMELIMIT for OpenLDAP compatibility.

       TIMELIMIT seconds
           The TIMELIMIT parameter specifies the amount of time, in seconds,
           to wait for a response to an LDAP query.

       TIMEOUT seconds
           The TIMEOUT parameter specifies the amount of time, in seconds, to
           wait for a response from the various LDAP APIs.

       SUDOERS_BASE base
           The base DN to use when performing sudo LDAP queries.  Typically
           this is of the form ou=SUDOers,dc=example,dc=com for the domain
           example.com.  Multiple SUDOERS_BASE lines may be specified, in
           which case they are queried in the order specified.

       SUDOERS_SEARCH_FILTER ldap_filter
           An LDAP filter which is used to restrict the set of records
           returned when performing a sudo LDAP query.  Typically, this is of
           the form attribute=value or
           (&(attribute=value)(attribute2=value2)).

       SUDOERS_TIMED on/true/yes/off/false/no
           Whether or not to evaluate the sudoNotBefore and sudoNotAfter
           attributes that implement time-dependent sudoers entries.

       SUDOERS_DEBUG debug_level
           This sets the debug level for sudo LDAP queries.  Debugging
           information is printed to the standard error.  A value of 1 results
           in a moderate amount of debugging information.  A value of 2 shows
           the results of the matches themselves.  This parameter should not
           be set in a production environment as the extra information is
           likely to confuse users.

       BINDDN DN
           The BINDDN parameter specifies the identity, in the form of a
           Distinguished Name (DN), to use when performing LDAP operations.
           If not specified, LDAP operations are performed with an anonymous
           identity.  By default, most LDAP servers will allow anonymous

       BINDPW secret
           The BINDPW parameter specifies the password to use when performing
           LDAP operations.  This is typically used in conjunction with the
           BINDDN parameter.

       ROOTBINDDN DN
           The ROOTBINDDN parameter specifies the identity, in the form of a
           Distinguished Name (DN), to use when performing privileged LDAP
           operations, such as sudoers queries.  The password corresponding to
           the identity should be stored in /etc/ldap.secret.  If not
           specified, the BINDDN identity is used (if any).

       LDAP_VERSION number
           The version of the LDAP protocol to use when connecting to the
           server.  The default value is protocol version 3.

       SSL on/true/yes/off/false/no
           If the SSL parameter is set to on, true or yes, TLS (SSL)
           encryption is always used when communicating with the LDAP server.
           Typically, this involves connecting to the server on port 636

       SSL start_tls
           If the SSL parameter is set to start_tls, the LDAP server
           connection is initiated normally and TLS encryption is begun before
           the bind credentials are sent.  This has the advantage of not
           requiring a dedicated port for encrypted communications.  This
           parameter is only supported by LDAP servers that honor the
           start_tls extension, such as the OpenLDAP server.

       TLS_CHECKPEER on/true/yes/off/false/no
           If enabled, TLS_CHECKPEER will cause the LDAP server's TLS
           certificate to be verified.  If the server's TLS certificate
           cannot be verified (usually because it is signed by an unknown
           certificate authority), sudo will be unable to connect to it.  If
           TLS_CHECKPEER is disabled, no check is made.  Note that disabling
           the check creates an opportunity for man-in-the-middle attacks
           since the server's identity will not be authenticated.  If
           possible, the CA's certificate should be installed locally so it

       TLS_CACERT file name
           An alias for TLS_CACERTFILE for OpenLDAP compatibility.

       TLS_CACERTFILE file name
           The path to a certificate authority bundle which contains the
           certificates for all the Certificate Authorities the client knows
           to be valid, e.g. /etc/ssl/ca-bundle.pem.  This option is only
           supported by the OpenLDAP libraries.  Netscape-derived LDAP
           libraries use the same certificate database for CA and client
           certificates (see TLS_CERT).

       TLS_CACERTDIR directory
           Similar to TLS_CACERTFILE but instead of a file, it is a directory
           containing individual Certificate Authority certificates, e.g.
           /etc/ssl/certs.  The directory specified by TLS_CACERTDIR is
           checked after TLS_CACERTFILE.  This option is only supported by the

       TLS_CERT file name
           The path to a file containing the client certificate which can be
           used to authenticate the client to the LDAP server.  The
           certificate type depends on the LDAP libraries used.

               tls_cert /etc/ssl/client_cert.pem

               tls_cert /var/ldap/cert7.db

           When using Netscape-derived libraries, this file may also contain
           Certificate Authority certificates.

       TLS_KEY file name
           The path to a file containing the private key which matches the
           certificate specified by TLS_CERT.  The private key must not be
           password-protected.  The key type depends on the LDAP libraries

               tls_key /etc/ssl/client_key.pem

               tls_key /var/ldap/key3.db

       TLS_RANDFILE file name
           The TLS_RANDFILE parameter specifies the path to an entropy source
           for systems that lack a random device.  It is generally used in
           conjunction with prngd or egd.  This option is only supported by
           the OpenLDAP libraries.

       TLS_CIPHERS cipher list
           The TLS_CIPHERS parameter allows the administrator to restrict which
           encryption algorithms may be used for TLS (SSL) connections.  See
           the OpenSSL manual for a list of valid ciphers.  This option is
           only supported by the OpenLDAP libraries.

       USE_SASL on/true/yes/off/false/no
           Enable USE_SASL for LDAP servers that support SASL authentication.

       SASL_AUTH_ID identity
           The SASL user name to use when connecting to the LDAP server.  By
           default, sudo will use an anonymous connection.

       ROOTUSE_SASL on/true/yes/off/false/no
           Enable ROOTUSE_SASL to enable SASL authentication when connecting
           to an LDAP server from a privileged process, such as sudo.

       ROOTSASL_AUTH_ID identity
           The SASL user name to use when ROOTUSE_SASL is enabled.

       SASL_SECPROPS none/properties
           SASL security properties or none for no properties.  See the SASL
           programmer's manual for details.

       KRB5_CCNAME file name
           The path to the Kerberos 5 credential cache to use when
           authenticating with the remote server.

       DEREF never/searching/finding/always
           How alias dereferencing is to be performed when searching.  See the
           ldap.conf(4) manual for a full description of this option.

       See the ldap.conf entry in the EXAMPLES section.
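Several of the options above have weak settings that the page itself warns about (TLS_CHECKPEER disabled, no TLS at all so bind credentials are sent in the clear, SUDOERS_DEBUG left on in production, a BINDPW sitting in a file shared with other LDAP clients) and one whose absence silently disables LDAP (SUDOERS_BASE). The following Python audit is an added example, not sudo's own code; it reads options the way the page says sudo does (option name first, matched case-insensitively, with the assumption that a later line overrides an earlier one) and compares a constructed weak configuration against a hardened one. The host names, DNs, paths and password in both samples are constructed placeholders.

```python
# Added example, not sudo's own code: an audit of /etc/ldap.conf for the
# settings this page discusses.  Options are read the way the page says sudo
# reads them (first word is the option name, matched case-insensitively; a
# later line overriding an earlier one is an assumption).  Both sample
# configurations and every value in them are constructed for the demonstration.
ON = {"on", "true", "yes"}
OFF = {"off", "false", "no"}

WEAK_CONF = """\
# constructed: cleartext connection, proxy password in the file, no peer check
uri ldap://ldapserver
SUDOERS_BASE ou=SUDOers,dc=example,dc=com
tls_checkpeer no
sudoers_debug 2
binddn cn=proxy,dc=example,dc=com
bindpw hunter2
"""

HARDENED_CONF = """\
# constructed: the hardening the page describes
uri ldap://ldapserver
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/ca-bundle.pem
sudoers_base ou=SUDOers,dc=example,dc=com
rootbinddn cn=sudo,dc=example,dc=com
sudoers_timed yes
"""

def parse_ldap_conf(text):
    """Return {option_lowercased: [values in file order]}; comments are skipped."""
    options = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        options.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return options

def audit_ldap_conf(text):
    """Return (severity, option, message) findings, most serious first."""
    opts = parse_ldap_conf(text)
    last = lambda name: opts[name][-1].lower() if name in opts else None
    findings = []
    # Without SUDOERS_BASE sudo does not query LDAP at all.
    if "sudoers_base" not in opts:
        findings.append(("error", "sudoers_base", "not set: sudo ignores LDAP without it"))
    # Encryption via ssl on, ssl start_tls, or an ldaps:// URI.
    uris = " ".join(opts.get("uri", [])).lower()
    encrypted = last("ssl") in ON or last("ssl") == "start_tls" or "ldaps://" in uris
    if not encrypted:
        findings.append(("high", "ssl", "no TLS: bind credentials and sudoers data travel in the clear"))
    # TLS_CHECKPEER off leaves the server identity unverified; on needs a CA source.
    if last("tls_checkpeer") in OFF:
        findings.append(("high", "tls_checkpeer", "disabled: server identity is not verified (man-in-the-middle)"))
    elif last("tls_checkpeer") in ON and not any(
            k in opts for k in ("tls_cacertfile", "tls_cacert", "tls_cacertdir")):
        findings.append(("medium", "tls_checkpeer", "enabled but no tls_cacertfile/tls_cacertdir to verify against"))
    # ldap.conf is shared with other clients; ROOTBINDDN keeps the secret in /etc/ldap.secret.
    if "bindpw" in opts:
        findings.append(("medium", "bindpw", "password in the shared ldap.conf; prefer rootbinddn with /etc/ldap.secret"))
    if last("sudoers_debug") not in (None, "0"):
        findings.append(("low", "sudoers_debug", "debug output enabled; not for production"))
    return findings
```

`audit_ldap_conf(WEAK_CONF)` reports the missing TLS, the disabled peer check, the embedded password and the debug level, in that order; the hardened sample produces no findings because start_tls, tls_checkpeer and a CA bundle are all present and the bind secret lives outside the file.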
   Configuring nsswitch.conf
       Unless it is disabled at build time, sudo consults the Name Service
       Switch file, /etc/nsswitch.conf, to specify the sudoers search order.
       Sudo looks for a line beginning with sudoers: and uses this to
       determine the search order.  Note that sudo does not stop searching
       after the first match and later matches take precedence over earlier

       The following sources are recognized:

           files       read sudoers from /etc/sudoers
           ldap        read sudoers from LDAP

       In addition, the entry [NOTFOUND=return] will short-circuit the search
       if the user was not found in the preceding source.

       To consult LDAP first followed by the local sudoers file (if it

       The local sudoers file can be ignored completely by using:

       If the /etc/nsswitch.conf file is not present or there is no sudoers
       line, the following default is assumed:

       Note that /etc/nsswitch.conf is supported even when the underlying
       operating system does not use an nsswitch.conf file.

   Configuring netsvc.conf
       On AIX systems, the /etc/netsvc.conf file is consulted instead of
       /etc/nsswitch.conf.  sudo simply treats netsvc.conf as a variant of
       nsswitch.conf; information in the previous section unrelated to the
       file format itself still applies.

       To consult LDAP first followed by the local sudoers file (if it

           sudoers = ldap, files

       The local sudoers file can be ignored completely by using:

       To treat LDAP as authoritative and only use the local sudoers file if
       the user is not present in LDAP, use:

           sudoers = ldap = auth, files

       Note that in the above example, the auth qualifier only affects user
       lookups; both LDAP and sudoers will be queried for Defaults entries.

       If the /etc/netsvc.conf file is not present or there is no sudoers
       line, the following default is assumed:
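The search-order rules in the two sections above (sources are consulted left to right and a later match takes precedence, [NOTFOUND=return] stops the search when the preceding source had no match, and the AIX = auth qualifier makes a source authoritative so that a match there ends the search) are modelled in the following Python example. It is an added example, not sudo's own code; lookup results come from constructed tables standing in for LDAP and /etc/sudoers, and Defaults handling is not modelled.

```python
# Added example, not sudo's own code: a model of the sudoers source-order rules
# this page gives for nsswitch.conf and netsvc.conf.  Sources are consulted
# left to right and a later match overrides an earlier one; [NOTFOUND=return]
# stops the search when the source before it found nothing; the AIX "= auth"
# qualifier makes a source authoritative, so a match there ends the search.
# Defaults handling is not modelled.  The lookup tables below are constructed.

# Each source is (name, return_if_found, return_if_notfound).
DEFAULT_SOURCES = [("files", False, False)]

def parse_nsswitch(text):
    """nsswitch.conf form: 'sudoers: ldap [NOTFOUND=return] files'."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("sudoers:"):
            continue
        sources = []
        for tok in line[len("sudoers:"):].split():
            if tok.upper() == "[NOTFOUND=RETURN]" and sources:
                name, found, _ = sources[-1]
                sources[-1] = (name, found, True)
            else:
                sources.append((tok, False, False))
        return sources
    return list(DEFAULT_SOURCES)

def parse_netsvc(text):
    """netsvc.conf form: 'sudoers = ldap = auth, files'."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("sudoers"):
            continue
        _, _, rest = line.partition("=")
        sources = []
        for item in rest.split(","):
            parts = [p.strip() for p in item.split("=")]
            auth = len(parts) > 1 and parts[1].lower() == "auth"
            sources.append((parts[0], auth, False))
        return sources
    return list(DEFAULT_SOURCES)

def resolve(sources, lookup):
    """Return ((source, match) or None, [sources consulted]) for one user lookup."""
    winner, consulted = None, []
    for name, ret_if_found, ret_if_notfound in sources:
        consulted.append(name)
        match = lookup(name)
        if match is not None:
            winner = (name, match)  # a later match takes precedence
            if ret_if_found:
                break
        elif ret_if_notfound:
            break
    return winner, consulted

# Constructed per-source privilege tables standing in for LDAP and /etc/sudoers.
TABLES = {"ldap": {"alice": "ALL"}, "files": {"alice": "/bin/ls", "bob": "ALL"}}

def lookup_user(user, tables=TABLES):
    """Build the lookup callback `resolve` expects for a given user."""
    return lambda source: tables.get(source, {}).get(user)
```

With `sudoers: ldap files`, alice's entry from files wins even though LDAP also matched her; with `sudoers: ldap [NOTFOUND=return] files`, bob's lookup stops after LDAP and files is never consulted; with the AIX form `sudoers = ldap = auth, files`, alice's LDAP match ends the search while bob falls through to files.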
FILES
       /etc/ldap.conf            LDAP configuration file

       /etc/nsswitch.conf        determines sudoers source order

       /etc/netsvc.conf          determines sudoers source order on AIX
EXAMPLES
   Example ldap.conf
           # Either specify one or more URIs or one or more host:port pairs.
           # If neither is specified sudo will default to localhost, port 389.
           #host          ldapserver1 ldapserver2:390

           # Default port if host is specified without one, defaults to 389.

           # URI will override the host and port settings.
           uri            ldap://ldapserver
           #uri           ldaps://secureldapserver
           #uri           ldaps://secureldapserver ldap://ldapserver

           # The amount of time, in seconds, to wait while trying to connect to

           # The amount of time, in seconds, to wait while performing an LDAP query.

           # Must be set or sudo will ignore LDAP; may be specified multiple times.
           sudoers_base   ou=SUDOers,dc=example,dc=com

           # verbose sudoers matching from ldap

           # Enable support for time-based entries in sudoers.

           # optional proxy credentials
           #binddn        <who to search as>
           #rootbinddn    <who to search as, uses /etc/ldap.secret for bindpw>

           # LDAP protocol version, defaults to 3

           # Define if you want to use an encrypted LDAP connection.
           # Typically, you must also set the port to 636 (ldaps).

           # Define if you want to use port 389 and switch to
           # encryption before the bind credentials are sent.
           # Only supported by LDAP servers that support the start_tls
           # extension such as OpenLDAP.

           # Additional TLS options follow that allow tweaking of the
           # SSL/TLS connection.

           #tls_checkpeer yes      # verify server SSL certificate
           #tls_checkpeer no       # ignore server SSL certificate

           # If you enable tls_checkpeer, specify either tls_cacertfile
           # or tls_cacertdir.  Only supported when using OpenLDAP.
           #tls_cacertfile /etc/certs/trusted_signers.pem
           #tls_cacertdir  /etc/certs

           # For systems that don't have /dev/random
           # use this along with PRNGD or EGD.pl to seed the
           # random number pool to generate cryptographic session keys.
           # Only supported when using OpenLDAP.
           #tls_randfile /etc/egd-pool

           # You may restrict which ciphers are used.  Consult your SSL
           # documentation for which options go here.
           # Only supported when using OpenLDAP.
           #tls_ciphers <cipher-list>

           # Sudo can provide a client certificate when communicating to
           #  * Enable both lines at the same time.
           #  * Do not password protect the key file.
           #  * Ensure the keyfile is only readable by root.
           #tls_cert /etc/certs/client_cert.pem
           #tls_key  /etc/certs/client_key.pem

           # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
           # a directory, in which case the files in the directory must have the
           # default names (e.g. cert8.db and key4.db), or the path to the cert
           # and key files themselves.  However, a bug in version 5.0 of the LDAP
           # SDK will prevent specific file names from working.  For this reason
           # it is suggested that tls_cert and tls_key be set to a directory,
           # The certificate database specified by tls_cert may contain CA certs
           # and/or the client's cert.  If the client's cert is included, tls_key
           # should be specified as well.
           # For backward compatibility, "sslpath" may be used in place of tls_cert.

           # If using SASL authentication for LDAP (OpenSSL)
           # sasl_auth_id <SASL user name>
           # rootsasl_auth_id <SASL user name for root access>
           # krb5_ccname /etc/.ldapcache

   Sudo schema for OpenLDAP
       The following schema, in OpenLDAP format, is included with sudo source
       and binary distributions as schema.OpenLDAP.  Simply copy it to the
       schema directory (e.g. /etc/openldap/schema), add the proper include
       line in slapd.conf and restart slapd.

           attributetype ( 1.3.6.1.4.1.15953.9.1.1
              DESC 'User(s) who may run sudo'
              EQUALITY caseExactIA5Match
              SUBSTR caseExactIA5SubstringsMatch
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

           attributetype ( 1.3.6.1.4.1.15953.9.1.2
              DESC 'Host(s) who may run sudo'
              EQUALITY caseExactIA5Match
              SUBSTR caseExactIA5SubstringsMatch
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

           attributetype ( 1.3.6.1.4.1.15953.9.1.3
              DESC 'Command(s) to be executed by sudo'
              EQUALITY caseExactIA5Match
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

           attributetype ( 1.3.6.1.4.1.15953.9.1.4
              DESC 'User(s) impersonated by sudo'
              EQUALITY caseExactIA5Match
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

           attributetype ( 1.3.6.1.4.1.15953.9.1.5
              DESC 'Options(s) followed by sudo'
              EQUALITY caseExactIA5Match
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

           attributetype ( 1.3.6.1.4.1.15953.9.1.6
              DESC 'User(s) impersonated by sudo'
              EQUALITY caseExactIA5Match
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

           attributetype ( 1.3.6.1.4.1.15953.9.1.7
              NAME 'sudoRunAsGroup'
              DESC 'Group(s) impersonated by sudo'
              EQUALITY caseExactIA5Match
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

           attributetype ( 1.3.6.1.4.1.15953.9.1.8
              DESC 'Start of time interval for which the entry is valid'
              EQUALITY generalizedTimeMatch
              ORDERING generalizedTimeOrderingMatch
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

           attributetype ( 1.3.6.1.4.1.15953.9.1.9
              DESC 'End of time interval for which the entry is valid'
              EQUALITY generalizedTimeMatch
              ORDERING generalizedTimeOrderingMatch
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

           attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
              DESC 'an integer to order the sudoRole entries'
              EQUALITY integerMatch
              ORDERING integerOrderingMatch
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

           objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
              DESC 'Sudoer Entries'
              MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
                    sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
                    sudoOrder $ description )
              )

SEE ALSO
       ldap.conf(4), sudoers(4)

CAVEATS
       Note that there are differences in the way that LDAP-based sudoers is
       parsed compared to file-based sudoers.  See the "Differences between
       LDAP and non-LDAP sudoers" section for more information.

BUGS
       If you feel you have found a bug in sudo, please submit a bug report at
       http://www.sudo.ws/sudo/bugs/

SUPPORT
       Limited free support is available via the sudo-users mailing list, see
       http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search

DISCLAIMER
       sudo is provided ``AS IS'' and any express or implied warranties,
       including, but not limited to, the implied warranties of
       merchantability and fitness for a particular purpose are disclaimed.
       See the LICENSE file distributed with sudo or
       http://www.sudo.ws/sudo/license.html for complete details.

1.8.4                           January 6, 2012                SUDOERS.LDAP(4)