1 .\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
2 .\" IT IS GENERATED AUTOMATICALLY FROM sudoers.ldap.mdoc.in
4 .\" Copyright (c) 2003-2013 Todd C. Miller <Todd.Miller@courtesan.com>
6 .\" Permission to use, copy, modify, and distribute this software for any
7 .\" purpose with or without fee is hereby granted, provided that the above
8 .\" copyright notice and this permission notice appear in all copies.
10 .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
19 .TH "SUDOERS.LDAP" "8" "April 25, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD System Manager's Manual"
24 \- sudo LDAP configuration
26 In addition to the standard
32 This can be especially useful for synchronizing
34 in a large, distributed environment.
42 no longer needs to read
45 When LDAP is used, there are only two or three LDAP queries per invocation.
46 This makes it especially fast and particularly usable in LDAP environments.
50 no longer exits if there is a typo in
52 It is not possible to load LDAP data into the server that does
53 not conform to the sudoers schema, so proper syntax is guaranteed.
54 It is still possible to have typos in a user or host name, but
60 It is possible to specify per-entry options that override the global
62 \fI@sysconfdir@/sudoers\fR
63 only supports default options and limited options associated with
64 user/host/commands/aliases.
65 The syntax is complicated and can be difficult for users to understand.
66 Placing the options directly in the entry is more natural.
71 program is no longer needed.
73 provides locking and syntax checking of the
74 \fI@sysconfdir@/sudoers\fR
76 Since LDAP updates are atomic, locking is no longer necessary.
77 Because syntax is checked when the data is inserted into LDAP, there
78 is no need for a specialized tool to check syntax.
80 Another major difference between LDAP and file-based
84 Aliases are not supported.
86 For the most part, there is really no need for
89 Unix groups, non-Unix groups (via the
91 or user netgroups can be used in place of User_Aliases and Runas_Aliases.
92 Host netgroups can be used in place of Host_Aliases.
93 Since groups and netgroups can also be stored in LDAP there is no real need for
97 Cmnd_Aliases are not really required either since it is possible
98 to have multiple users listed in a
100 Instead of defining a Cmnd_Alias that is referenced by multiple users,
103 that contains the commands and assign multiple users to it.
104 .SS "SUDOers LDAP container"
107 configuration is contained in the
111 Sudo first looks for the
113 entry in the SUDOers container.
114 If found, the multi-valued
116 attribute is parsed in the same manner as a global
119 \fI@sysconfdir@/sudoers\fR.
120 In the following example, the
122 variable will be preserved in the environment for all users.
126 dn: cn=defaults,ou=SUDOers,dc=example,dc=com
128 objectClass: sudoRole
130 description: Default sudoOption's go here
131 sudoOption: env_keep+=SSH_AUTH_SOCK
135 The equivalent of a sudoer in LDAP is a
137 It consists of the following attributes:
140 A user name, user ID (prefixed with
142 Unix group name or ID (prefixed with
146 respectively), user netgroup (prefixed with
148 or non-Unix group name or ID (prefixed with
153 Non-Unix group support is only available when an appropriate
155 is defined in the global
161 A host name, IP address, IP network, or host netgroup (prefixed with a
168 A fully-qualified Unix command name with optional command line arguments,
169 potentially including globbing characters (aka wild cards).
170 If a command name is preceded by an exclamation point,
172 the user will be prohibited from running that command.
176 is used to permit a user to run
182 It may take command line arguments just as a normal command does.
185 is a command built into
187 itself and must be specified in without a leading path.
191 will match any command.
193 If a command name is prefixed with a SHA-2 digest, it will
194 only be allowed if the digest matches.
195 This may be useful in situations where the user invoking
197 has write access to the command or its parent directory.
198 The following digest formats are supported: sha224, sha256, sha384 and sha512.
199 The digest name must be followed by a colon
201 and then the actual digest, in either hex or base64 format.
202 For example, given the following value for sudoCommand:
207 sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ /bin/ls
211 The user may only run
213 if its sha224 digest matches the specified value.
214 Command digests are only supported by version 1.8.7 or higher.
220 Identical in function to the global options described above, but
227 A user name or uid (prefixed with
229 that commands may be run as or a Unix group (prefixed with a
231 or user netgroup (prefixed with a
233 that contains a list of users that commands may be run as.
240 attribute is only available in
251 A Unix group or gid (prefixed with
253 that commands may be run as.
256 will match any group.
260 attribute is only available in
266 A timestamp in the form
267 \fRyyyymmddHHMMSSZ\fR
268 that can be used to provide a start date/time for when the
273 entries are present, the earliest is used.
274 Note that timestamps must be in Coordinated Universal Time (UTC),
275 not the local timezone.
276 The minute and seconds portions are optional, but some LDAP servers
277 require that they be present (contrary to the RFC).
281 attribute is only available in
283 versions 1.7.5 and higher and must be explicitly enabled via the
289 A timestamp in the form
290 \fRyyyymmddHHMMSSZ\fR
291 that indicates an expiration date/time, after which the
293 will no longer be valid.
296 entries are present, the last one is used.
297 Note that timestamps must be in Coordinated Universal Time (UTC),
298 not the local timezone.
299 The minute and seconds portions are optional, but some LDAP servers
300 require that they be present (contrary to the RFC).
304 attribute is only available in
307 1.7.5 and higher and must be explicitly enabled via the
315 entries retrieved from the LDAP directory have no inherent order.
318 attribute is an integer (or floating point value for LDAP servers
319 that support it) that is used to sort the matching entries.
320 This allows LDAP-based sudoers entries to more closely mimic the behavior
321 of the sudoers file, where the of the entries influences the result.
322 If multiple entries match, the entry with the highest
325 This corresponds to the
327 behavior of the sudoers file.
330 attribute is not present, a value of 0 is assumed.
334 attribute is only available in
336 versions 1.7.5 and higher.
338 Each attribute listed above should contain a single value, but there
339 may be multiple instances of each attribute type.
342 must contain at least one
348 The following example allows users in group wheel to run any command
354 dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
356 objectClass: sudoRole
363 .SS "Anatomy of LDAP sudoers lookup"
364 When looking up a sudoer using LDAP there are only two or three
365 LDAP queries per invocation.
366 The first query is to parse the global options.
367 The second is to match against the user's name and the groups that
371 tag is matched in this query too.)
372 If no match is returned for the user's name and groups, a third
373 query returns all entries containing user netgroups and checks
374 to see if the user belongs to any of them.
376 If timed entries are enabled with the
378 configuration directive, the LDAP queries include a sub-filter that
379 limits retrieval to entries that satisfy the time constraints, if any.
380 .SS "Differences between LDAP and non-LDAP sudoers"
381 There are some subtle differences in the way sudoers is handled
383 Probably the biggest is that according to the RFC, LDAP ordering
384 is arbitrary and you cannot expect that Attributes and Entries are
385 returned in any specific order.
387 The order in which different entries are applied can be controlled
390 attribute, but there is no way to guarantee the order of attributes
391 within a specific entry.
392 If there are conflicting command rules in an entry, the negative
394 This is called paranoid behavior (not necessarily the most specific
402 # Allow all commands except shell
403 johnny ALL=(root) ALL,!/bin/sh
404 # Always allows all commands because ALL is matched last
405 puddles ALL=(root) !/bin/sh,ALL
407 # LDAP equivalent of johnny
408 # Allows all commands except shell
409 dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
410 objectClass: sudoRole
416 sudoCommand: !/bin/sh
418 # LDAP equivalent of puddles
419 # Notice that even though ALL comes last, it still behaves like
420 # role1 since the LDAP code assumes the more paranoid configuration
421 dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
422 objectClass: sudoRole
427 sudoCommand: !/bin/sh
432 Another difference is that negations on the Host, User or Runas are
434 For example, the following attributes do not behave the way one might expect.
438 # does not match all but joe
439 # rather, does not match anyone
442 # does not match all but joe
443 # rather, matches everyone including Joe
447 # does not match all but web01
448 # rather, matches all hosts including web01
459 installed on your LDAP server.
460 In addition, be sure to index the
464 Three versions of the schema: one for OpenLDAP servers
465 (\fIschema.OpenLDAP\fR),
466 one for Netscape-derived servers
467 (\fIschema.iPlanet\fR),
468 and one for Microsoft Active Directory
469 (\fIschema.ActiveDirectory\fR)
476 in OpenLDAP form is also included in the
479 .SS "Configuring ldap.conf"
482 file for LDAP-specific configuration.
483 Typically, this file is shared between different LDAP-aware clients.
484 As such, most of the settings are not
490 itself and may support options that differ from those described in the
492 ldap.conf(@mansectsu@)
496 may be overridden via the
499 sudo.conf(@mansectform@).
501 Also note that on systems using the OpenLDAP libraries, default
503 \fI/etc/openldap/ldap.conf\fR
508 Only those options explicitly listed in
510 as being supported by
513 Configuration options are listed below in upper case but are parsed
514 in a case-independent manner.
516 Long lines can be continued with a backslash
518 as the last character on the line.
519 Note that leading white space is removed from the beginning of lines
520 even when the continuation character is used.
522 \fBURI\fR \fIldap[s]://[hostname[:port]] ...\fR
523 Specifies a white space-delimited list of one or more URIs describing
524 the LDAP server(s) to connect to.
530 the latter being for servers that support TLS (SSL) encryption.
533 is specified, the default is port 389 for
545 lines are treated identically to a
547 line containing multiple entries.
548 Only systems using the OpenSSL libraries support the mixing of
553 Both the Netscape-derived and Tivoli LDAP libraries used on most commercial
554 versions of Unix are only capable of supporting one or the other.
556 \fBHOST\fR \fIname[:port] ...\fR
561 parameter specifies a white space-delimited list of LDAP servers to connect to.
562 Each host may include an optional
568 parameter is deprecated in favor of the
570 specification and is included for backwards compatibility.
572 \fBPORT\fR \fIport_number\fR
577 parameter specifies the default port to connect to on the LDAP server if a
579 parameter does not specify the port itself.
582 parameter is used, the default is port 389 for LDAP and port 636 for LDAP
586 parameter is deprecated in favor of the
588 specification and is included for backwards compatibility.
590 \fBBIND_TIMELIMIT\fR \fIseconds\fR
593 parameter specifies the amount of time, in seconds, to wait while trying
594 to connect to an LDAP server.
599 are specified, this is the amount of time to wait before trying
600 the next one in the list.
602 \fBNETWORK_TIMEOUT\fR \fIseconds\fR
605 for OpenLDAP compatibility.
607 \fBTIMELIMIT\fR \fIseconds\fR
610 parameter specifies the amount of time, in seconds, to wait for a
611 response to an LDAP query.
613 \fBTIMEOUT\fR \fIseconds\fR
616 parameter specifies the amount of time, in seconds, to wait for a
617 response from the various LDAP APIs.
619 \fBSUDOERS_BASE\fR \fIbase\fR
620 The base DN to use when performing
623 Typically this is of the form
624 \fRou=SUDOers,dc=example,dc=com\fR
629 lines may be specified, in which case they are queried in the order specified.
631 \fBSUDOERS_SEARCH_FILTER\fR \fIldap_filter\fR
632 An LDAP filter which is used to restrict the set of records returned
636 Typically, this is of the
638 \fRattribute=value\fR
640 \fR(&(attribute=value)(attribute2=value2))\fR.
642 \fBSUDOERS_TIMED\fR \fIon/true/yes/off/false/no\fR
643 Whether or not to evaluate the
647 attributes that implement time-dependent sudoers entries.
649 \fBSUDOERS_DEBUG\fR \fIdebug_level\fR
650 This sets the debug level for
653 Debugging information is printed to the standard error.
654 A value of 1 results in a moderate amount of debugging information.
655 A value of 2 shows the results of the matches themselves.
656 This parameter should not be set in a production environment as the
657 extra information is likely to confuse users.
661 parameter is deprecated and will be removed in a future release.
662 The same information is now logged via the
664 debugging framework using the
666 subsystem at priorities
672 values 1 and 2 respectively.
674 sudo.conf(@mansectform@)
675 manual for details on how to configure
679 \fBBINDDN\fR \fIDN\fR
682 parameter specifies the identity, in the form of a Distinguished Name (DN),
683 to use when performing LDAP operations.
684 If not specified, LDAP operations are performed with an anonymous identity.
685 By default, most LDAP servers will allow anonymous access.
687 \fBBINDPW\fR \fIsecret\fR
690 parameter specifies the password to use when performing LDAP operations.
691 This is typically used in conjunction with the
695 \fBROOTBINDDN\fR \fIDN\fR
698 parameter specifies the identity, in the form of a Distinguished Name (DN),
699 to use when performing privileged LDAP operations, such as
702 The password corresponding to the identity should be stored in the
703 or the path specified by the
706 sudo.conf(@mansectform@),
713 identity is used (if any).
715 \fBLDAP_VERSION\fR \fInumber\fR
716 The version of the LDAP protocol to use when connecting to the server.
717 The default value is protocol version 3.
719 \fBSSL\fR \fIon/true/yes/off/false/no\fR
727 TLS (SSL) encryption is always used when communicating with the LDAP server.
728 Typically, this involves connecting to the server on port 636 (ldaps).
730 \fBSSL\fR \fIstart_tls\fR
735 the LDAP server connection is initiated normally and TLS encryption is
736 begun before the bind credentials are sent.
737 This has the advantage of not requiring a dedicated port for encrypted
739 This parameter is only supported by LDAP servers that honor the
741 extension, such as the OpenLDAP and Tivoli Directory servers.
743 \fBTLS_CHECKPEER\fR \fIon/true/yes/off/false/no\fR
746 will cause the LDAP server's TLS certificated to be verified.
747 If the server's TLS certificate cannot be verified (usually because it
748 is signed by an unknown certificate authority),
750 will be unable to connect to it.
753 is disabled, no check is made.
754 Note that disabling the check creates an opportunity for man-in-the-middle
755 attacks since the server's identity will not be authenticated.
756 If possible, the CA's certificate should be installed locally so it can
758 This option is not supported by the Tivoli Directory Server LDAP libraries.
760 \fBTLS_CACERT\fR \fIfile name\fR
763 for OpenLDAP compatibility.
765 \fBTLS_CACERTFILE\fR \fIfile name\fR
766 The path to a certificate authority bundle which contains the certificates
767 for all the Certificate Authorities the client knows to be valid, e.g.\&
768 \fI/etc/ssl/ca-bundle.pem\fR.
769 This option is only supported by the OpenLDAP libraries.
770 Netscape-derived LDAP libraries use the same certificate
771 database for CA and client certificates (see
774 \fBTLS_CACERTDIR\fR \fIdirectory\fR
777 but instead of a file, it is a directory containing individual
778 Certificate Authority certificates, e.g.\&
779 \fI/etc/ssl/certs\fR.
780 The directory specified by
783 \fBTLS_CACERTFILE\fR.
784 This option is only supported by the OpenLDAP libraries.
786 \fBTLS_CERT\fR \fIfile name\fR
787 The path to a file containing the client certificate which can
788 be used to authenticate the client to the LDAP server.
789 The certificate type depends on the LDAP libraries used.
793 \fRtls_cert /etc/ssl/client_cert.pem\fR
796 \fRtls_cert /var/ldap/cert7.db\fR
798 Tivoli Directory Server:
799 Unused, the key database specified by
801 contains both keys and certificates.
803 When using Netscape-derived libraries, this file may also contain
804 Certificate Authority certificates.
809 \fBTLS_KEY\fR \fIfile name\fR
810 The path to a file containing the private key which matches the
811 certificate specified by
813 The private key must not be password-protected.
814 The key type depends on the LDAP libraries used.
819 \fRtls_key /etc/ssl/client_key.pem\fR
822 \fRtls_key /var/ldap/key3.db\fR
824 Tivoli Directory Server:
825 \fRtls_cert /usr/ldap/ldapkey.kdb\fR
829 When using Tivoli LDAP libraries, this file may also contain
830 Certificate Authority and client certificates and may be encrypted.
835 \fBTLS_KEYPW\fR \fIsecret\fR
838 contains the password used to decrypt the key database on clients
839 using the Tivoli Directory Server LDAP library.
844 will be used if it exists.
847 must have the same path as the file specified by
851 file extension instead of
857 that ships with Tivoli Directory Server is encrypted with the password
859 This option is only supported by the Tivoli LDAP libraries.
862 \fBTLS_RANDFILE\fR \fIfile name\fR
865 parameter specifies the path to an entropy source for systems that lack
867 It is generally used in conjunction with
871 This option is only supported by the OpenLDAP libraries.
873 \fBTLS_CIPHERS\fR \fIcipher list\fR
876 parameter allows the administer to restrict which encryption algorithms
877 may be used for TLS (SSL) connections.
878 See the OpenLDAP or Tivoli Directory Server manual for a list of valid
880 This option is not supported by Netscape-derived libraries.
882 \fBUSE_SASL\fR \fIon/true/yes/off/false/no\fR
885 for LDAP servers that support SASL authentication.
887 \fBSASL_AUTH_ID\fR \fIidentity\fR
888 The SASL user name to use when connecting to the LDAP server.
891 will use an anonymous connection.
893 \fBROOTUSE_SASL\fR \fIon/true/yes/off/false/no\fR
896 to enable SASL authentication when connecting
897 to an LDAP server from a privileged process, such as
900 \fBROOTSASL_AUTH_ID\fR \fIidentity\fR
901 The SASL user name to use when
905 \fBSASL_SECPROPS\fR \fInone/properties\fR
906 SASL security properties or
909 See the SASL programmer's manual for details.
911 \fBKRB5_CCNAME\fR \fIfile name\fR
912 The path to the Kerberos 5 credential cache to use when authenticating
913 with the remote server.
915 \fBDEREF\fR \fInever/searching/finding/always\fR
916 How alias dereferencing is to be performed when searching.
918 ldap.conf(@mansectsu@)
919 manual for a full description of this option.
926 .SS "Configuring nsswitch.conf"
927 Unless it is disabled at build time,
929 consults the Name Service Switch file,
930 \fI@nsswitch_conf@\fR,
934 Sudo looks for a line beginning with
936 and uses this to determine the search order.
940 not stop searching after the first match and later matches take
941 precedence over earlier ones.
942 The following sources are recognized:
946 \fI@sysconfdir@/sudoers\fR
950 read sudoers from LDAP
953 In addition, the entry
954 \fR[NOTFOUND=return]\fR
955 will short-circuit the search if the user was not found in the
958 To consult LDAP first followed by the local sudoers file (if it
969 file can be ignored completely by using:
978 \fI@nsswitch_conf@\fR
979 file is not present or there is no sudoers line, the following
989 \fI@nsswitch_conf@\fR
990 is supported even when the underlying operating system does not use
991 an nsswitch.conf file, except on AIX (see below).
992 .SS "Configuring netsvc.conf"
995 file is consulted instead of
996 \fI@nsswitch_conf@\fR.
1001 \fInsswitch.conf\fR;
1002 information in the previous section unrelated to the file format
1003 itself still applies.
1005 To consult LDAP first followed by the local sudoers file (if it
1010 sudoers = ldap, files
1016 file can be ignored completely by using:
1024 To treat LDAP as authoritative and only use the local sudoers file
1025 if the user is not present in LDAP, use:
1029 sudoers = ldap = auth, files
1033 Note that in the above example, the
1035 qualifier only affects user lookups; both LDAP and
1043 file is not present or there is no sudoers line, the following
1054 LDAP configuration file
1056 \fI@nsswitch_conf@\fR
1057 determines sudoers source order
1060 determines sudoers source order on AIX
1062 .SS "Example ldap.conf"
1065 # Either specify one or more URIs or one or more host:port pairs.
1066 # If neither is specified sudo will default to localhost, port 389.
1069 #host ldapserver1 ldapserver2:390
1071 # Default port if host is specified without one, defaults to 389.
1074 # URI will override the host and port settings.
1075 uri ldap://ldapserver
1076 #uri ldaps://secureldapserver
1077 #uri ldaps://secureldapserver ldap://ldapserver
1079 # The amount of time, in seconds, to wait while trying to connect to
1083 # The amount of time, in seconds, to wait while performing an LDAP query.
1086 # Must be set or sudo will ignore LDAP; may be specified multiple times.
1087 sudoers_base ou=SUDOers,dc=example,dc=com
1089 # verbose sudoers matching from ldap
1092 # Enable support for time-based entries in sudoers.
1095 # optional proxy credentials
1096 #binddn <who to search as>
1098 #rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>
1100 # LDAP protocol version, defaults to 3
1103 # Define if you want to use an encrypted LDAP connection.
1104 # Typically, you must also set the port to 636 (ldaps).
1107 # Define if you want to use port 389 and switch to
1108 # encryption before the bind credentials are sent.
1109 # Only supported by LDAP servers that support the start_tls
1110 # extension such as OpenLDAP.
1113 # Additional TLS options follow that allow tweaking of the
1114 # SSL/TLS connection.
1116 #tls_checkpeer yes # verify server SSL certificate
1117 #tls_checkpeer no # ignore server SSL certificate
1119 # If you enable tls_checkpeer, specify either tls_cacertfile
1120 # or tls_cacertdir. Only supported when using OpenLDAP.
1122 #tls_cacertfile /etc/certs/trusted_signers.pem
1123 #tls_cacertdir /etc/certs
1125 # For systems that don't have /dev/random
1126 # use this along with PRNGD or EGD.pl to seed the
1127 # random number pool to generate cryptographic session keys.
1128 # Only supported when using OpenLDAP.
1130 #tls_randfile /etc/egd-pool
1132 # You may restrict which ciphers are used. Consult your SSL
1133 # documentation for which options go here.
1134 # Only supported when using OpenLDAP.
1136 #tls_ciphers <cipher-list>
1138 # Sudo can provide a client certificate when communicating to
1141 # * Enable both lines at the same time.
1142 # * Do not password protect the key file.
1143 # * Ensure the keyfile is only readable by root.
1146 #tls_cert /etc/certs/client_cert.pem
1147 #tls_key /etc/certs/client_key.pem
1149 # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
1150 # a directory, in which case the files in the directory must have the
1151 # default names (e.g. cert8.db and key4.db), or the path to the cert
1152 # and key files themselves. However, a bug in version 5.0 of the LDAP
1153 # SDK will prevent specific file names from working. For this reason
1154 # it is suggested that tls_cert and tls_key be set to a directory,
1157 # The certificate database specified by tls_cert may contain CA certs
1158 # and/or the client's cert. If the client's cert is included, tls_key
1159 # should be specified as well.
1160 # For backward compatibility, "sslpath" may be used in place of tls_cert.
1164 # If using SASL authentication for LDAP (OpenSSL)
1166 # sasl_auth_id <SASL user name>
1168 # rootsasl_auth_id <SASL user name for root access>
1169 # sasl_secprops none
1170 # krb5_ccname /etc/.ldapcache
1173 .SS "Sudo schema for OpenLDAP"
1174 The following schema, in OpenLDAP format, is included with
1176 source and binary distributions as
1177 \fIschema.OpenLDAP\fR.
1179 it to the schema directory (e.g.\&
1180 \fI/etc/openldap/schema\fR),
1190 attributetype ( 1.3.6.1.4.1.15953.9.1.1
1192 DESC 'User(s) who may run sudo'
1193 EQUALITY caseExactIA5Match
1194 SUBSTR caseExactIA5SubstringsMatch
1195 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1197 attributetype ( 1.3.6.1.4.1.15953.9.1.2
1199 DESC 'Host(s) who may run sudo'
1200 EQUALITY caseExactIA5Match
1201 SUBSTR caseExactIA5SubstringsMatch
1202 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1204 attributetype ( 1.3.6.1.4.1.15953.9.1.3
1206 DESC 'Command(s) to be executed by sudo'
1207 EQUALITY caseExactIA5Match
1208 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1210 attributetype ( 1.3.6.1.4.1.15953.9.1.4
1212 DESC 'User(s) impersonated by sudo'
1213 EQUALITY caseExactIA5Match
1214 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1216 attributetype ( 1.3.6.1.4.1.15953.9.1.5
1218 DESC 'Options(s) followed by sudo'
1219 EQUALITY caseExactIA5Match
1220 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1222 attributetype ( 1.3.6.1.4.1.15953.9.1.6
1223 NAME 'sudoRunAsUser'
1224 DESC 'User(s) impersonated by sudo'
1225 EQUALITY caseExactIA5Match
1226 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1228 attributetype ( 1.3.6.1.4.1.15953.9.1.7
1229 NAME 'sudoRunAsGroup'
1230 DESC 'Group(s) impersonated by sudo'
1231 EQUALITY caseExactIA5Match
1232 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1234 attributetype ( 1.3.6.1.4.1.15953.9.1.8
1235 NAME 'sudoNotBefore'
1236 DESC 'Start of time interval for which the entry is valid'
1237 EQUALITY generalizedTimeMatch
1238 ORDERING generalizedTimeOrderingMatch
1239 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
1241 attributetype ( 1.3.6.1.4.1.15953.9.1.9
1243 DESC 'End of time interval for which the entry is valid'
1244 EQUALITY generalizedTimeMatch
1245 ORDERING generalizedTimeOrderingMatch
1246 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
1248 attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
1250 DESC 'an integer to order the sudoRole entries'
1251 EQUALITY integerMatch
1252 ORDERING integerOrderingMatch
1253 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
1255 objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
1256 DESC 'Sudoer Entries'
1258 MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
1259 sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
1260 sudoOrder $ description )
1265 ldap.conf(@mansectform@),
1266 sudo.conf(@mansectform@),
1267 sudoers(@mansectsu@)
1269 Note that there are differences in the way that LDAP-based
1271 is parsed compared to file-based
1274 \fIDifferences between LDAP and non-LDAP sudoers\fR
1275 section for more information.
1277 If you feel you have found a bug in
1279 please submit a bug report at http://www.sudo.ws/sudo/bugs/
1281 Limited free support is available via the sudo-users mailing list,
1282 see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
1283 search the archives.
1288 and any express or implied warranties, including, but not limited
1289 to, the implied warranties of merchantability and fitness for a
1290 particular purpose are disclaimed.
1291 See the LICENSE file distributed with
1293 or http://www.sudo.ws/sudo/license.html for complete details.