1 .\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
2 .\" IT IS GENERATED AUTOMATICALLY FROM sudoers.ldap.mdoc.in
4 .\" Copyright (c) 2003-2012 Todd C. Miller <Todd.Miller@courtesan.com>
6 .\" Permission to use, copy, modify, and distribute this software for any
7 .\" purpose with or without fee is hereby granted, provided that the above
8 .\" copyright notice and this permission notice appear in all copies.
10 .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
19 .TH "SUDOERS.LDAP" "8" "July 12, 2012" "Sudo @PACKAGE_VERSION@" "OpenBSD System Manager's Manual"
24 \- sudo LDAP configuration
26 In addition to the standard
32 This can be especially useful for synchronizing
34 in a large, distributed environment.
42 no longer needs to read
45 When LDAP is used, there are only two or three LDAP queries per invocation.
46 This makes it especially fast and particularly usable in LDAP environments.
50 no longer exits if there is a typo in
52 It is not possible to load LDAP data into the server that does
53 not conform to the sudoers schema, so proper syntax is guaranteed.
54 It is still possible to have typos in a user or host name, but
60 It is possible to specify per-entry options that override the global
62 \fI@sysconfdir@/sudoers\fR
63 only supports default options and limited options associated with
64 user/host/commands/aliases.
65 The syntax is complicated and can be difficult for users to understand.
66 Placing the options directly in the entry is more natural.
71 program is no longer needed.
73 provides locking and syntax checking of the
74 \fI@sysconfdir@/sudoers\fR
76 Since LDAP updates are atomic, locking is no longer necessary.
77 Because syntax is checked when the data is inserted into LDAP, there
78 is no need for a specialized tool to check syntax.
80 Another major difference between LDAP and file-based
84 Aliases are not supported.
86 For the most part, there is really no need for
89 Unix groups or user netgroups can be used in place of User_Aliases and
91 Host netgroups can be used in place of Host_Aliases.
92 Since Unix groups and netgroups can also be stored in LDAP there is no
97 Cmnd_Aliases are not really required either since it is possible
98 to have multiple users listed in a
100 Instead of defining a Cmnd_Alias that is referenced by multiple users,
103 that contains the commands and assign multiple users to it.
104 .SS "SUDOers LDAP container"
107 configuration is contained in the
111 Sudo first looks for the
113 entry in the SUDOers container.
114 If found, the multi-valued
116 attribute is parsed in the same manner as a global
119 \fI@sysconfdir@/sudoers\fR.
120 In the following example, the
122 variable will be preserved in the environment for all users.
126 dn: cn=defaults,ou=SUDOers,dc=example,dc=com
128 objectClass: sudoRole
130 description: Default sudoOption's go here
131 sudoOption: env_keep+=SSH_AUTH_SOCK
135 The equivalent of a sudoer in LDAP is a
137 It consists of the following attributes:
140 A user name, user ID (prefixed with
142 Unix group (prefixed with
144 Unix group ID (prefixed with
146 or user netgroup (prefixed with
150 A host name, IP address, IP network, or host netgroup (prefixed with a
157 A Unix command with optional command line arguments, potentially
158 including globbing characters (aka wild cards).
161 will match any command.
162 If a command is prefixed with an exclamation point
164 the user will be prohibited from running that command.
167 Identical in function to the global options described above, but
173 A user name or uid (prefixed with
175 that commands may be run as or a Unix group (prefixed with a
177 or user netgroup (prefixed with a
179 that contains a list of users that commands may be run as.
186 attribute is only available in
197 A Unix group or gid (prefixed with
199 that commands may be run as.
202 will match any group.
206 attribute is only available in
212 A timestamp in the form
213 \fRyyyymmddHHMMSSZ\fR
214 that can be used to provide a start date/time for when the
219 entries are present, the earliest is used.
220 Note that timestamps must be in Coordinated Universal Time (UTC),
221 not the local timezone.
222 The minute and seconds portions are optional, but some LDAP servers
223 require that they be present (contrary to the RFC).
227 attribute is only available in
229 versions 1.7.5 and higher and must be explicitly enabled via the
235 A timestamp in the form
236 \fRyyyymmddHHMMSSZ\fR
237 that indicates an expiration date/time, after which the
239 will no longer be valid.
242 entries are present, the last one is used.
243 Note that timestamps must be in Coordinated Universal Time (UTC),
244 not the local timezone.
245 The minute and seconds portions are optional, but some LDAP servers
246 require that they be present (contrary to the RFC).
250 attribute is only available in
253 1.7.5 and higher and must be explicitly enabled via the
261 entries retrieved from the LDAP directory have no inherent order.
264 attribute is an integer (or floating point value for LDAP servers
265 that support it) that is used to sort the matching entries.
266 This allows LDAP-based sudoers entries to more closely mimic the behaviour
267 of the sudoers file, where the of the entries influences the result.
268 If multiple entries match, the entry with the highest
271 This corresponds to the
273 behavior of the sudoers file.
276 attribute is not present, a value of 0 is assumed.
280 attribute is only available in
282 versions 1.7.5 and higher.
284 Each attribute listed above should contain a single value, but there
285 may be multiple instances of each attribute type.
288 must contain at least one
294 The following example allows users in group wheel to run any command
300 dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
302 objectClass: sudoRole
309 .SS "Anatomy of LDAP sudoers lookup"
310 When looking up a sudoer using LDAP there are only two or three
311 LDAP queries per invocation.
312 The first query is to parse the global options.
313 The second is to match against the user's name and the groups that
317 tag is matched in this query too.)
318 If no match is returned for the user's name and groups, a third
319 query returns all entries containing user netgroups and checks
320 to see if the user belongs to any of them.
322 If timed entries are enabled with the
324 configuration directive, the LDAP queries include a subfilter that
325 limits retrieval to entries that satisfy the time constraints, if any.
326 .SS "Differences between LDAP and non-LDAP sudoers"
327 There are some subtle differences in the way sudoers is handled
329 Probably the biggest is that according to the RFC, LDAP ordering
330 is arbitrary and you cannot expect that Attributes and Entries are
331 returned in any specific order.
333 The order in which different entries are applied can be controlled
336 attribute, but there is no way to guarantee the order of attributes
337 within a specific entry.
338 If there are conflicting command rules in an entry, the negative
340 This is called paranoid behavior (not necessarily the most specific
348 # Allow all commands except shell
349 johnny ALL=(root) ALL,!/bin/sh
350 # Always allows all commands because ALL is matched last
351 puddles ALL=(root) !/bin/sh,ALL
353 # LDAP equivalent of johnny
354 # Allows all commands except shell
355 dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
356 objectClass: sudoRole
362 sudoCommand: !/bin/sh
364 # LDAP equivalent of puddles
365 # Notice that even though ALL comes last, it still behaves like
366 # role1 since the LDAP code assumes the more paranoid configuration
367 dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
368 objectClass: sudoRole
373 sudoCommand: !/bin/sh
378 Another difference is that negations on the Host, User or Runas are
380 For example, the following attributes do not behave the way one might expect.
384 # does not match all but joe
385 # rather, does not match anyone
388 # does not match all but joe
389 # rather, matches everyone including Joe
393 # does not match all but web01
394 # rather, matches all hosts including web01
405 installed on your LDAP server.
406 In addition, be sure to index the
410 Three versions of the schema: one for OpenLDAP servers
411 (\fIschema.OpenLDAP\fR),
412 one for Netscape-derived servers
413 (\fIschema.iPlanet\fR),
414 and one for Microsoft Active Directory
415 (\fIschema.ActiveDirectory\fR)
422 in OpenLDAP form is also included in the
425 .SS "Configuring ldap.conf"
428 file for LDAP-specific configuration.
429 Typically, this file is shared amongst different LDAP-aware clients.
430 As such, most of the settings are not
436 itself and may support options that differ from those described in the
438 ldap.conf(@mansectsu@)
441 Also note that on systems using the OpenLDAP libraries, default
443 \fI/etc/openldap/ldap.conf\fR
448 Only those options explicitly listed in
450 as being supported by
453 Configuration options are listed below in upper case but are parsed
454 in a case-independent manner.
456 \fBURI\fR \fIldap[s]://[hostname[:port]] ...\fR
457 Specifies a whitespace-delimited list of one or more URIs describing
458 the LDAP server(s) to connect to.
464 the latter being for servers that support TLS (SSL) encryption.
467 is specified, the default is port 389 for
479 lines are treated identically to a
481 line containing multiple entries.
482 Only systems using the OpenSSL libraries support the mixing of
487 Both the Netscape-derived and Tivoli LDAP libraries used on most commercial
488 versions of Unix are only capable of supporting one or the other.
490 \fBHOST\fR \fIname[:port] ...\fR
495 parameter specifies a whitespace-delimited list of LDAP servers to connect to.
496 Each host may include an optional
502 parameter is deprecated in favor of the
504 specification and is included for backwards compatibility.
506 \fBPORT\fR \fIport_number\fR
511 parameter specifies the default port to connect to on the LDAP server if a
513 parameter does not specify the port itself.
516 parameter is used, the default is port 389 for LDAP and port 636 for LDAP
520 parameter is deprecated in favor of the
522 specification and is included for backwards compatibility.
524 \fBBIND_TIMELIMIT\fR \fIseconds\fR
527 parameter specifies the amount of time, in seconds, to wait while trying
528 to connect to an LDAP server.
533 are specified, this is the amount of time to wait before trying
534 the next one in the list.
536 \fBNETWORK_TIMEOUT\fR \fIseconds\fR
539 for OpenLDAP compatibility.
541 \fBTIMELIMIT\fR \fIseconds\fR
544 parameter specifies the amount of time, in seconds, to wait for a
545 response to an LDAP query.
547 \fBTIMEOUT\fR \fIseconds\fR
550 parameter specifies the amount of time, in seconds, to wait for a
551 response from the various LDAP APIs.
553 \fBSUDOERS_BASE\fR \fIbase\fR
554 The base DN to use when performing
557 Typically this is of the form
558 \fRou=SUDOers,dc=example,dc=com\fR
563 lines may be specified, in which case they are queried in the order specified.
565 \fBSUDOERS_SEARCH_FILTER\fR \fIldap_filter\fR
566 An LDAP filter which is used to restrict the set of records returned
570 Typically, this is of the
572 \fRattribute=value\fR
574 \fR(&(attribute=value)(attribute2=value2))\fR.
576 \fBSUDOERS_TIMED\fR \fIon/true/yes/off/false/no\fR
577 Whether or not to evaluate the
581 attributes that implement time-dependent sudoers entries.
583 \fBSUDOERS_DEBUG\fR \fIdebug_level\fR
584 This sets the debug level for
587 Debugging information is printed to the standard error.
588 A value of 1 results in a moderate amount of debugging information.
589 A value of 2 shows the results of the matches themselves.
590 This parameter should not be set in a production environment as the
591 extra information is likely to confuse users.
593 \fBBINDDN\fR \fIDN\fR
596 parameter specifies the identity, in the form of a Distinguished Name (DN),
597 to use when performing LDAP operations.
598 If not specified, LDAP operations are performed with an anonymous identity.
599 By default, most LDAP servers will allow anonymous access.
601 \fBBINDPW\fR \fIsecret\fR
604 parameter specifies the password to use when performing LDAP operations.
605 This is typically used in conjunction with the
609 \fBROOTBINDDN\fR \fIDN\fR
612 parameter specifies the identity, in the form of a Distinguished Name (DN),
613 to use when performing privileged LDAP operations, such as
616 The password corresponding
617 to the identity should be stored in
619 If not specified, the
621 identity is used (if any).
623 \fBLDAP_VERSION\fR \fInumber\fR
624 The version of the LDAP protocol to use when connecting to the server.
625 The default value is protocol version 3.
627 \fBSSL\fR \fIon/true/yes/off/false/no\fR
635 TLS (SSL) encryption is always used when communicating with the LDAP server.
636 Typically, this involves connecting to the server on port 636 (ldaps).
638 \fBSSL\fR \fIstart_tls\fR
643 the LDAP server connection is initiated normally and TLS encryption is
644 begun before the bind credentials are sent.
645 This has the advantage of not requiring a dedicated port for encrypted
647 This parameter is only supported by LDAP servers that honor the
649 extension, such as the OpenLDAP and Tivoli Directory servers.
651 \fBTLS_CHECKPEER\fR \fIon/true/yes/off/false/no\fR
654 will cause the LDAP server's TLS certificated to be verified.
655 If the server's TLS certificate cannot be verified (usually because it
656 is signed by an unknown certificate authority),
658 will be unable to connect to it.
661 is disabled, no check is made.
662 Note that disabling the check creates an opportunity for man-in-the-middle
663 attacks since the server's identity will not be authenticated.
664 If possible, the CA's certificate should be installed locally so it can
666 This option is not supported by the Tivoli Directory Server LDAP libraries.
668 \fBTLS_CACERT\fR \fIfile name\fR
671 for OpenLDAP compatibility.
673 \fBTLS_CACERTFILE\fR \fIfile name\fR
674 The path to a certificate authority bundle which contains the certificates
675 for all the Certificate Authorities the client knows to be valid, e.g.\&
676 \fI/etc/ssl/ca-bundle.pem\fR.
677 This option is only supported by the OpenLDAP libraries.
678 Netscape-derived LDAP libraries use the same certificate
679 database for CA and client certificates (see
682 \fBTLS_CACERTDIR\fR \fIdirectory\fR
685 but instead of a file, it is a directory containing individual
686 Certificate Authority certificates, e.g.\&
687 \fI/etc/ssl/certs\fR.
688 The directory specified by
691 \fBTLS_CACERTFILE\fR.
692 This option is only supported by the OpenLDAP libraries.
694 \fBTLS_CERT\fR \fIfile name\fR
695 The path to a file containing the client certificate which can
696 be used to authenticate the client to the LDAP server.
697 The certificate type depends on the LDAP libraries used.
701 \fRtls_cert /etc/ssl/client_cert.pem\fR
704 \fRtls_cert /var/ldap/cert7.db\fR
706 Tivoli Directory Server:
707 Unused, the key database specified by
709 contains both keys and certificates.
711 When using Netscape-derived libraries, this file may also contain
712 Certificate Authority certificates.
717 \fBTLS_KEY\fR \fIfile name\fR
718 The path to a file containing the private key which matches the
719 certificate specified by
721 The private key must not be password-protected.
722 The key type depends on the LDAP libraries used.
727 \fRtls_key /etc/ssl/client_key.pem\fR
730 \fRtls_key /var/ldap/key3.db\fR
732 Tivoli Directory Server:
733 \fRtls_cert /usr/ldap/ldapkey.kdb\fR
737 When using Tivoli LDAP libraries, this file may also contain
738 Certificate Authority and client certificates and may be encrypted.
743 \fBTLS_KEYPW\fR \fIsecret\fR
746 contains the password used to decrypt the key database on clients
747 using the Tivoli Directory Server LDAP library.
752 will be used if it exists.
755 must have the same path as the file specified by
759 file extension instead of
765 that ships with Tivoli Directory Server is encrypted with the password
767 This option is only supported by the Tivoli LDAP libraries.
770 \fBTLS_RANDFILE\fR \fIfile name\fR
773 parameter specifies the path to an entropy source for systems that lack
775 It is generally used in conjunction with
779 This option is only supported by the OpenLDAP libraries.
781 \fBTLS_CIPHERS\fR \fIcipher list\fR
784 parameter allows the administer to restrict which encryption algorithms
785 may be used for TLS (SSL) connections.
786 See the OpenLDAP or Tivoli Directory Server manual for a list of valid
788 This option is not supported by Netscape-derived libraries.
790 \fBUSE_SASL\fR \fIon/true/yes/off/false/no\fR
793 for LDAP servers that support SASL authentication.
795 \fBSASL_AUTH_ID\fR \fIidentity\fR
796 The SASL user name to use when connecting to the LDAP server.
799 will use an anonymous connection.
801 \fBROOTUSE_SASL\fR \fIon/true/yes/off/false/no\fR
804 to enable SASL authentication when connecting
805 to an LDAP server from a privileged process, such as
808 \fBROOTSASL_AUTH_ID\fR \fIidentity\fR
809 The SASL user name to use when
813 \fBSASL_SECPROPS\fR \fInone/properties\fR
814 SASL security properties or
817 See the SASL programmer's manual for details.
819 \fBKRB5_CCNAME\fR \fIfile name\fR
820 The path to the Kerberos 5 credential cache to use when authenticating
821 with the remote server.
823 \fBDEREF\fR \fInever/searching/finding/always\fR
824 How alias dereferencing is to be performed when searching.
826 ldap.conf(@mansectsu@)
827 manual for a full description of this option.
834 .SS "Configuring nsswitch.conf"
835 Unless it is disabled at build time,
837 consults the Name Service Switch file,
838 \fI@nsswitch_conf@\fR,
842 Sudo looks for a line beginning with
844 and uses this to determine the search order.
848 not stop searching after the first match and later matches take
849 precedence over earlier ones.
850 The following sources are recognized:
854 \fI@sysconfdir@/sudoers\fR
858 read sudoers from LDAP
861 In addition, the entry
862 \fR[NOTFOUND=return]\fR
863 will short-circuit the search if the user was not found in the
866 To consult LDAP first followed by the local sudoers file (if it
877 file can be ignored completely by using:
886 \fI@nsswitch_conf@\fR
887 file is not present or there is no sudoers line, the following
897 \fI@nsswitch_conf@\fR
898 is supported even when the underlying operating system does not use
899 an nsswitch.conf file, except on AIX (see below).
900 .SS "Configuring netsvc.conf"
903 file is consulted instead of
904 \fI@nsswitch_conf@\fR.
910 information in the previous section unrelated to the file format
911 itself still applies.
913 To consult LDAP first followed by the local sudoers file (if it
918 sudoers = ldap, files
924 file can be ignored completely by using:
932 To treat LDAP as authoratative and only use the local sudoers file
933 if the user is not present in LDAP, use:
937 sudoers = ldap = auth, files
941 Note that in the above example, the
943 qualfier only affects user lookups; both LDAP and
951 file is not present or there is no sudoers line, the following
962 LDAP configuration file
964 \fI@nsswitch_conf@\fR
965 determines sudoers source order
968 determines sudoers source order on AIX
970 .SS "Example ldap.conf"
973 # Either specify one or more URIs or one or more host:port pairs.
974 # If neither is specified sudo will default to localhost, port 389.
977 #host ldapserver1 ldapserver2:390
979 # Default port if host is specified without one, defaults to 389.
982 # URI will override the host and port settings.
983 uri ldap://ldapserver
984 #uri ldaps://secureldapserver
985 #uri ldaps://secureldapserver ldap://ldapserver
987 # The amount of time, in seconds, to wait while trying to connect to
991 # The amount of time, in seconds, to wait while performing an LDAP query.
994 # Must be set or sudo will ignore LDAP; may be specified multiple times.
995 sudoers_base ou=SUDOers,dc=example,dc=com
997 # verbose sudoers matching from ldap
1000 # Enable support for time-based entries in sudoers.
1003 # optional proxy credentials
1004 #binddn <who to search as>
1006 #rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>
1008 # LDAP protocol version, defaults to 3
1011 # Define if you want to use an encrypted LDAP connection.
1012 # Typically, you must also set the port to 636 (ldaps).
1015 # Define if you want to use port 389 and switch to
1016 # encryption before the bind credentials are sent.
1017 # Only supported by LDAP servers that support the start_tls
1018 # extension such as OpenLDAP.
1021 # Additional TLS options follow that allow tweaking of the
1022 # SSL/TLS connection.
1024 #tls_checkpeer yes # verify server SSL certificate
1025 #tls_checkpeer no # ignore server SSL certificate
1027 # If you enable tls_checkpeer, specify either tls_cacertfile
1028 # or tls_cacertdir. Only supported when using OpenLDAP.
1030 #tls_cacertfile /etc/certs/trusted_signers.pem
1031 #tls_cacertdir /etc/certs
1033 # For systems that don't have /dev/random
1034 # use this along with PRNGD or EGD.pl to seed the
1035 # random number pool to generate cryptographic session keys.
1036 # Only supported when using OpenLDAP.
1038 #tls_randfile /etc/egd-pool
1040 # You may restrict which ciphers are used. Consult your SSL
1041 # documentation for which options go here.
1042 # Only supported when using OpenLDAP.
1044 #tls_ciphers <cipher-list>
1046 # Sudo can provide a client certificate when communicating to
1049 # * Enable both lines at the same time.
1050 # * Do not password protect the key file.
1051 # * Ensure the keyfile is only readable by root.
1054 #tls_cert /etc/certs/client_cert.pem
1055 #tls_key /etc/certs/client_key.pem
1057 # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
1058 # a directory, in which case the files in the directory must have the
1059 # default names (e.g. cert8.db and key4.db), or the path to the cert
1060 # and key files themselves. However, a bug in version 5.0 of the LDAP
1061 # SDK will prevent specific file names from working. For this reason
1062 # it is suggested that tls_cert and tls_key be set to a directory,
1065 # The certificate database specified by tls_cert may contain CA certs
1066 # and/or the client's cert. If the client's cert is included, tls_key
1067 # should be specified as well.
1068 # For backward compatibility, "sslpath" may be used in place of tls_cert.
1072 # If using SASL authentication for LDAP (OpenSSL)
1074 # sasl_auth_id <SASL user name>
1076 # rootsasl_auth_id <SASL user name for root access>
1077 # sasl_secprops none
1078 # krb5_ccname /etc/.ldapcache
1081 .SS "Sudo schema for OpenLDAP"
1082 The following schema, in OpenLDAP format, is included with
1084 source and binary distributions as
1085 \fIschema.OpenLDAP\fR.
1087 it to the schema directory (e.g.\&
1088 \fI/etc/openldap/schema\fR),
1098 attributetype ( 1.3.6.1.4.1.15953.9.1.1
1100 DESC 'User(s) who may run sudo'
1101 EQUALITY caseExactIA5Match
1102 SUBSTR caseExactIA5SubstringsMatch
1103 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1105 attributetype ( 1.3.6.1.4.1.15953.9.1.2
1107 DESC 'Host(s) who may run sudo'
1108 EQUALITY caseExactIA5Match
1109 SUBSTR caseExactIA5SubstringsMatch
1110 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1112 attributetype ( 1.3.6.1.4.1.15953.9.1.3
1114 DESC 'Command(s) to be executed by sudo'
1115 EQUALITY caseExactIA5Match
1116 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1118 attributetype ( 1.3.6.1.4.1.15953.9.1.4
1120 DESC 'User(s) impersonated by sudo'
1121 EQUALITY caseExactIA5Match
1122 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1124 attributetype ( 1.3.6.1.4.1.15953.9.1.5
1126 DESC 'Options(s) followed by sudo'
1127 EQUALITY caseExactIA5Match
1128 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1130 attributetype ( 1.3.6.1.4.1.15953.9.1.6
1131 NAME 'sudoRunAsUser'
1132 DESC 'User(s) impersonated by sudo'
1133 EQUALITY caseExactIA5Match
1134 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1136 attributetype ( 1.3.6.1.4.1.15953.9.1.7
1137 NAME 'sudoRunAsGroup'
1138 DESC 'Group(s) impersonated by sudo'
1139 EQUALITY caseExactIA5Match
1140 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1142 attributetype ( 1.3.6.1.4.1.15953.9.1.8
1143 NAME 'sudoNotBefore'
1144 DESC 'Start of time interval for which the entry is valid'
1145 EQUALITY generalizedTimeMatch
1146 ORDERING generalizedTimeOrderingMatch
1147 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
1149 attributetype ( 1.3.6.1.4.1.15953.9.1.9
1151 DESC 'End of time interval for which the entry is valid'
1152 EQUALITY generalizedTimeMatch
1153 ORDERING generalizedTimeOrderingMatch
1154 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
1156 attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
1158 DESC 'an integer to order the sudoRole entries'
1159 EQUALITY integerMatch
1160 ORDERING integerOrderingMatch
1161 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
1163 objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
1164 DESC 'Sudoer Entries'
1166 MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
1167 sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
1168 sudoOrder $ description )
1173 ldap.conf(@mansectsu@),
1174 sudoers(@mansectsu@)
1176 Note that there are differences in the way that LDAP-based
1178 is parsed compared to file-based
1181 \fIDifferences between LDAP and non-LDAP sudoers\fR
1182 section for more information.
1184 If you feel you have found a bug in
1186 please submit a bug report at http://www.sudo.ws/sudo/bugs/
1188 Limited free support is available via the sudo-users mailing list,
1189 see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
1190 search the archives.
1195 and any express or implied warranties, including, but not limited
1196 to, the implied warranties of merchantability and fitness for a
1197 particular purpose are disclaimed.
1198 See the LICENSE file distributed with
1200 or http://www.sudo.ws/sudo/license.html for complete details.