2 .\" Copyright (c) 2003-2013 Todd C. Miller <Todd.Miller@courtesan.com>
4 .\" Permission to use, copy, modify, and distribute this software for any
5 .\" purpose with or without fee is hereby granted, provided that the above
6 .\" copyright notice and this permission notice appear in all copies.
8 .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
18 .Dt SUDOERS.LDAP @mansectsu@
19 .Os Sudo @PACKAGE_VERSION@
22 .Nd sudo LDAP configuration
24 In addition to the standard
30 This can be especially useful for synchronizing
32 in a large, distributed environment.
40 no longer needs to read
43 When LDAP is used, there are only two or three LDAP queries per invocation.
44 This makes it especially fast and particularly usable in LDAP environments.
47 no longer exits if there is a typo in
49 It is not possible to load LDAP data into the server that does
50 not conform to the sudoers schema, so proper syntax is guaranteed.
51 It is still possible to have typos in a user or host name, but
56 It is possible to specify per-entry options that override the global
58 .Pa @sysconfdir@/sudoers
59 only supports default options and limited options associated with
60 user/host/commands/aliases.
61 The syntax is complicated and can be difficult for users to understand.
62 Placing the options directly in the entry is more natural.
66 program is no longer needed.
68 provides locking and syntax checking of the
69 .Pa @sysconfdir@/sudoers
71 Since LDAP updates are atomic, locking is no longer necessary.
72 Because syntax is checked when the data is inserted into LDAP, there
73 is no need for a specialized tool to check syntax.
76 Another major difference between LDAP and file-based
79 .Nm sudo Ns No -specific
80 Aliases are not supported.
82 For the most part, there is really no need for
83 .Nm sudo Ns No -specific
85 Unix groups, non-Unix groups (via the
87 or user netgroups can be used in place of User_Aliases and Runas_Aliases.
88 Host netgroups can be used in place of Host_Aliases.
89 Since groups and netgroups can also be stored in LDAP there is no real need for
90 .Nm sudo Ns No -specific
93 Cmnd_Aliases are not really required either since it is possible
94 to have multiple users listed in a
96 Instead of defining a Cmnd_Alias that is referenced by multiple users,
99 that contains the commands and assign multiple users to it.
100 .Ss SUDOers LDAP container
103 configuration is contained in the
107 Sudo first looks for the
109 entry in the SUDOers container.
110 If found, the multi-valued
112 attribute is parsed in the same manner as a global
115 .Pa @sysconfdir@/sudoers .
116 In the following example, the
118 variable will be preserved in the environment for all users.
119 .Bd -literal -offset 4n
120 dn: cn=defaults,ou=SUDOers,dc=example,dc=com
122 objectClass: sudoRole
124 description: Default sudoOption's go here
125 sudoOption: env_keep+=SSH_AUTH_SOCK
128 The equivalent of a sudoer in LDAP is a
130 It consists of the following attributes:
133 A user name, user ID (prefixed with
135 Unix group name or ID (prefixed with
139 respectively), user netgroup (prefixed with
141 or non-Unix group name or ID (prefixed with
146 Non-Unix group support is only available when an appropriate
148 is defined in the global
153 A host name, IP address, IP network, or host netgroup (prefixed with a
159 A fully-qualified Unix command name with optional command line arguments,
160 potentially including globbing characters (aka wild cards).
161 If a command name is preceded by an exclamation point,
163 the user will be prohibited from running that command.
167 is used to permit a user to run
173 It may take command line arguments just as a normal command does.
176 is a command built into
178 itself and must be specified in without a leading path.
182 will match any command.
184 If a command name is prefixed with a SHA-2 digest, it will
185 only be allowed if the digest matches.
186 This may be useful in situations where the user invoking
188 has write access to the command or its parent directory.
189 The following digest formats are supported: sha224, sha256, sha384 and sha512.
190 The digest name must be followed by a colon
192 and then the actual digest, in either hex or base64 format.
193 For example, given the following value for sudoCommand:
194 .Bd -literal -offset 4n
195 sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ /bin/ls
198 The user may only run
200 if its sha224 digest matches the specified value.
201 Command digests are only supported by version 1.8.7 or higher.
203 Identical in function to the global options described above, but
208 A user name or uid (prefixed with
210 that commands may be run as or a Unix group (prefixed with a
212 or user netgroup (prefixed with a
214 that contains a list of users that commands may be run as.
221 attribute is only available in
230 .It Sy sudoRunAsGroup
231 A Unix group or gid (prefixed with
233 that commands may be run as.
236 will match any group.
240 attribute is only available in
245 A timestamp in the form
247 that can be used to provide a start date/time for when the
252 entries are present, the earliest is used.
253 Note that timestamps must be in Coordinated Universal Time (UTC),
254 not the local timezone.
255 The minute and seconds portions are optional, but some LDAP servers
256 require that they be present (contrary to the RFC).
260 attribute is only available in
262 versions 1.7.5 and higher and must be explicitly enabled via the
267 A timestamp in the form
269 that indicates an expiration date/time, after which the
271 will no longer be valid.
274 entries are present, the last one is used.
275 Note that timestamps must be in Coordinated Universal Time (UTC),
276 not the local timezone.
277 The minute and seconds portions are optional, but some LDAP servers
278 require that they be present (contrary to the RFC).
282 attribute is only available in
285 1.7.5 and higher and must be explicitly enabled via the
292 entries retrieved from the LDAP directory have no inherent order.
295 attribute is an integer (or floating point value for LDAP servers
296 that support it) that is used to sort the matching entries.
297 This allows LDAP-based sudoers entries to more closely mimic the behavior
298 of the sudoers file, where the of the entries influences the result.
299 If multiple entries match, the entry with the highest
302 This corresponds to the
304 behavior of the sudoers file.
307 attribute is not present, a value of 0 is assumed.
311 attribute is only available in
313 versions 1.7.5 and higher.
316 Each attribute listed above should contain a single value, but there
317 may be multiple instances of each attribute type.
320 must contain at least one
326 The following example allows users in group wheel to run any command
329 .Bd -literal -offset 4n
330 dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
332 objectClass: sudoRole
338 .Ss Anatomy of LDAP sudoers lookup
339 When looking up a sudoer using LDAP there are only two or three
340 LDAP queries per invocation.
341 The first query is to parse the global options.
342 The second is to match against the user's name and the groups that
346 tag is matched in this query too.)
347 If no match is returned for the user's name and groups, a third
348 query returns all entries containing user netgroups and checks
349 to see if the user belongs to any of them.
351 If timed entries are enabled with the
353 configuration directive, the LDAP queries include a sub-filter that
354 limits retrieval to entries that satisfy the time constraints, if any.
355 .Ss Differences between LDAP and non-LDAP sudoers
356 There are some subtle differences in the way sudoers is handled
358 Probably the biggest is that according to the RFC, LDAP ordering
359 is arbitrary and you cannot expect that Attributes and Entries are
360 returned in any specific order.
362 The order in which different entries are applied can be controlled
365 attribute, but there is no way to guarantee the order of attributes
366 within a specific entry.
367 If there are conflicting command rules in an entry, the negative
369 This is called paranoid behavior (not necessarily the most specific
373 .Bd -literal -offset 4n
375 # Allow all commands except shell
376 johnny ALL=(root) ALL,!/bin/sh
377 # Always allows all commands because ALL is matched last
378 puddles ALL=(root) !/bin/sh,ALL
380 # LDAP equivalent of johnny
381 # Allows all commands except shell
382 dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
383 objectClass: sudoRole
389 sudoCommand: !/bin/sh
391 # LDAP equivalent of puddles
392 # Notice that even though ALL comes last, it still behaves like
393 # role1 since the LDAP code assumes the more paranoid configuration
394 dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
395 objectClass: sudoRole
400 sudoCommand: !/bin/sh
404 Another difference is that negations on the Host, User or Runas are
406 For example, the following attributes do not behave the way one might expect.
407 .Bd -literal -offset 4n
408 # does not match all but joe
409 # rather, does not match anyone
412 # does not match all but joe
413 # rather, matches everyone including Joe
417 # does not match all but web01
418 # rather, matches all hosts including web01
428 installed on your LDAP server.
429 In addition, be sure to index the
433 Three versions of the schema: one for OpenLDAP servers
434 .Pq Pa schema.OpenLDAP ,
435 one for Netscape-derived servers
436 .Pq Pa schema.iPlanet ,
437 and one for Microsoft Active Directory
438 .Pq Pa schema.ActiveDirectory
445 in OpenLDAP form is also included in the
448 .Ss Configuring ldap.conf
451 file for LDAP-specific configuration.
452 Typically, this file is shared between different LDAP-aware clients.
453 As such, most of the settings are not
454 .Nm sudo Ns No -specific.
459 itself and may support options that differ from those described in the
461 .Xr ldap.conf @mansectsu@
465 may be overridden via the
468 .Xr sudo.conf @mansectform@ .
470 Also note that on systems using the OpenLDAP libraries, default
472 .Pa /etc/openldap/ldap.conf
477 Only those options explicitly listed in
479 as being supported by
482 Configuration options are listed below in upper case but are parsed
483 in a case-independent manner.
485 Long lines can be continued with a backslash
487 as the last character on the line.
488 Note that leading white space is removed from the beginning of lines
489 even when the continuation character is used.
491 .It Sy URI Ar ldap[s]://[hostname[:port]] ...
492 Specifies a white space-delimited list of one or more URIs describing
493 the LDAP server(s) to connect to.
499 the latter being for servers that support TLS (SSL) encryption.
502 is specified, the default is port 389 for
514 lines are treated identically to a
516 line containing multiple entries.
517 Only systems using the OpenSSL libraries support the mixing of
522 Both the Netscape-derived and Tivoli LDAP libraries used on most commercial
523 versions of Unix are only capable of supporting one or the other.
524 .It Sy HOST Ar name[:port] ...
529 parameter specifies a white space-delimited list of LDAP servers to connect to.
530 Each host may include an optional
536 parameter is deprecated in favor of the
538 specification and is included for backwards compatibility.
539 .It Sy PORT Ar port_number
544 parameter specifies the default port to connect to on the LDAP server if a
546 parameter does not specify the port itself.
549 parameter is used, the default is port 389 for LDAP and port 636 for LDAP
553 parameter is deprecated in favor of the
555 specification and is included for backwards compatibility.
556 .It Sy BIND_TIMELIMIT Ar seconds
559 parameter specifies the amount of time, in seconds, to wait while trying
560 to connect to an LDAP server.
565 are specified, this is the amount of time to wait before trying
566 the next one in the list.
567 .It Sy NETWORK_TIMEOUT Ar seconds
570 for OpenLDAP compatibility.
571 .It Sy TIMELIMIT Ar seconds
574 parameter specifies the amount of time, in seconds, to wait for a
575 response to an LDAP query.
576 .It Sy TIMEOUT Ar seconds
579 parameter specifies the amount of time, in seconds, to wait for a
580 response from the various LDAP APIs.
581 .It Sy SUDOERS_BASE Ar base
582 The base DN to use when performing
585 Typically this is of the form
586 .Li ou=SUDOers,dc=example,dc=com
591 lines may be specified, in which case they are queried in the order specified.
592 .It Sy SUDOERS_SEARCH_FILTER Ar ldap_filter
593 An LDAP filter which is used to restrict the set of records returned
597 Typically, this is of the
601 .Li (&(attribute=value)(attribute2=value2)) .
602 .It Sy SUDOERS_TIMED Ar on/true/yes/off/false/no
603 Whether or not to evaluate the
607 attributes that implement time-dependent sudoers entries.
608 .It Sy SUDOERS_DEBUG Ar debug_level
609 This sets the debug level for
612 Debugging information is printed to the standard error.
613 A value of 1 results in a moderate amount of debugging information.
614 A value of 2 shows the results of the matches themselves.
615 This parameter should not be set in a production environment as the
616 extra information is likely to confuse users.
620 parameter is deprecated and will be removed in a future release.
621 The same information is now logged via the
623 debugging framework using the
625 subsystem at priorities
631 values 1 and 2 respectively.
633 .Xr sudo.conf @mansectform@
634 manual for details on how to configure
640 parameter specifies the identity, in the form of a Distinguished Name (DN),
641 to use when performing LDAP operations.
642 If not specified, LDAP operations are performed with an anonymous identity.
643 By default, most LDAP servers will allow anonymous access.
644 .It Sy BINDPW Ar secret
647 parameter specifies the password to use when performing LDAP operations.
648 This is typically used in conjunction with the
651 .It Sy ROOTBINDDN Ar DN
654 parameter specifies the identity, in the form of a Distinguished Name (DN),
655 to use when performing privileged LDAP operations, such as
658 The password corresponding to the identity should be stored in the
659 or the path specified by the
662 .Xr sudo.conf @mansectform@ ,
669 identity is used (if any).
670 .It Sy LDAP_VERSION Ar number
671 The version of the LDAP protocol to use when connecting to the server.
672 The default value is protocol version 3.
673 .It Sy SSL Ar on/true/yes/off/false/no
681 TLS (SSL) encryption is always used when communicating with the LDAP server.
682 Typically, this involves connecting to the server on port 636 (ldaps).
683 .It Sy SSL Ar start_tls
688 the LDAP server connection is initiated normally and TLS encryption is
689 begun before the bind credentials are sent.
690 This has the advantage of not requiring a dedicated port for encrypted
692 This parameter is only supported by LDAP servers that honor the
694 extension, such as the OpenLDAP and Tivoli Directory servers.
695 .It Sy TLS_CHECKPEER Ar on/true/yes/off/false/no
698 will cause the LDAP server's TLS certificated to be verified.
699 If the server's TLS certificate cannot be verified (usually because it
700 is signed by an unknown certificate authority),
702 will be unable to connect to it.
705 is disabled, no check is made.
706 Note that disabling the check creates an opportunity for man-in-the-middle
707 attacks since the server's identity will not be authenticated.
708 If possible, the CA's certificate should be installed locally so it can
710 This option is not supported by the Tivoli Directory Server LDAP libraries.
711 .It Sy TLS_CACERT Ar file name
714 for OpenLDAP compatibility.
715 .It Sy TLS_CACERTFILE Ar file name
716 The path to a certificate authority bundle which contains the certificates
717 for all the Certificate Authorities the client knows to be valid, e.g.\&
718 .Pa /etc/ssl/ca-bundle.pem .
719 This option is only supported by the OpenLDAP libraries.
720 Netscape-derived LDAP libraries use the same certificate
721 database for CA and client certificates (see
723 .It Sy TLS_CACERTDIR Ar directory
726 but instead of a file, it is a directory containing individual
727 Certificate Authority certificates, e.g.\&
729 The directory specified by
733 This option is only supported by the OpenLDAP libraries.
734 .It Sy TLS_CERT Ar file name
735 The path to a file containing the client certificate which can
736 be used to authenticate the client to the LDAP server.
737 The certificate type depends on the LDAP libraries used.
740 .Li tls_cert /etc/ssl/client_cert.pem
741 .It Netscape-derived:
742 .Li tls_cert /var/ldap/cert7.db
743 .It Tivoli Directory Server:
744 Unused, the key database specified by
746 contains both keys and certificates.
748 When using Netscape-derived libraries, this file may also contain
749 Certificate Authority certificates.
751 .It Sy TLS_KEY Ar file name
752 The path to a file containing the private key which matches the
753 certificate specified by
755 The private key must not be password-protected.
756 The key type depends on the LDAP libraries used.
759 .Li tls_key /etc/ssl/client_key.pem
760 .It Netscape-derived:
761 .Li tls_key /var/ldap/key3.db
762 .It Tivoli Directory Server:
763 .Li tls_cert /usr/ldap/ldapkey.kdb
765 When using Tivoli LDAP libraries, this file may also contain
766 Certificate Authority and client certificates and may be encrypted.
767 .It Sy TLS_KEYPW Ar secret
770 contains the password used to decrypt the key database on clients
771 using the Tivoli Directory Server LDAP library.
776 will be used if it exists.
779 must have the same path as the file specified by
783 file extension instead of
789 that ships with Tivoli Directory Server is encrypted with the password
791 This option is only supported by the Tivoli LDAP libraries.
792 .It Sy TLS_RANDFILE Ar file name
795 parameter specifies the path to an entropy source for systems that lack
797 It is generally used in conjunction with
801 This option is only supported by the OpenLDAP libraries.
802 .It Sy TLS_CIPHERS Ar cipher list
805 parameter allows the administer to restrict which encryption algorithms
806 may be used for TLS (SSL) connections.
807 See the OpenLDAP or Tivoli Directory Server manual for a list of valid
809 This option is not supported by Netscape-derived libraries.
810 .It Sy USE_SASL Ar on/true/yes/off/false/no
813 for LDAP servers that support SASL authentication.
814 .It Sy SASL_AUTH_ID Ar identity
815 The SASL user name to use when connecting to the LDAP server.
818 will use an anonymous connection.
819 .It Sy ROOTUSE_SASL Ar on/true/yes/off/false/no
822 to enable SASL authentication when connecting
823 to an LDAP server from a privileged process, such as
825 .It Sy ROOTSASL_AUTH_ID Ar identity
826 The SASL user name to use when
829 .It Sy SASL_SECPROPS Ar none/properties
830 SASL security properties or
833 See the SASL programmer's manual for details.
834 .It Sy KRB5_CCNAME Ar file name
835 The path to the Kerberos 5 credential cache to use when authenticating
836 with the remote server.
837 .It Sy DEREF Ar never/searching/finding/always
838 How alias dereferencing is to be performed when searching.
840 .Xr ldap.conf @mansectsu@
841 manual for a full description of this option.
849 .Ss Configuring nsswitch.conf
850 Unless it is disabled at build time,
852 consults the Name Service Switch file,
853 .Pa @nsswitch_conf@ ,
857 Sudo looks for a line beginning with
859 and uses this to determine the search order.
863 not stop searching after the first match and later matches take
864 precedence over earlier ones.
865 The following sources are recognized:
867 .Bl -tag -width 8n -offset 4n -compact
870 .Pa @sysconfdir@/sudoers
872 read sudoers from LDAP
875 In addition, the entry
876 .Li [NOTFOUND=return]
877 will short-circuit the search if the user was not found in the
880 To consult LDAP first followed by the local sudoers file (if it
882 .Bd -literal -offset 4n
888 file can be ignored completely by using:
889 .Bd -literal -offset 4n
895 file is not present or there is no sudoers line, the following
897 .Bd -literal -offset 4n
903 is supported even when the underlying operating system does not use
904 an nsswitch.conf file, except on AIX (see below).
905 .Ss Configuring netsvc.conf
908 file is consulted instead of
909 .Pa @nsswitch_conf@ .
915 information in the previous section unrelated to the file format
916 itself still applies.
918 To consult LDAP first followed by the local sudoers file (if it
920 .Bd -literal -offset 4n
921 sudoers = ldap, files
926 file can be ignored completely by using:
927 .Bd -literal -offset 4n
931 To treat LDAP as authoritative and only use the local sudoers file
932 if the user is not present in LDAP, use:
933 .Bd -literal -offset 4n
934 sudoers = ldap = auth, files
937 Note that in the above example, the
939 qualifier only affects user lookups; both LDAP and
947 file is not present or there is no sudoers line, the following
949 .Bd -literal -offset 4n
955 LDAP configuration file
956 .It Pa @nsswitch_conf@
957 determines sudoers source order
959 determines sudoers source order on AIX
962 .Ss Example ldap.conf
963 .Bd -literal -offset 2n
964 # Either specify one or more URIs or one or more host:port pairs.
965 # If neither is specified sudo will default to localhost, port 389.
968 #host ldapserver1 ldapserver2:390
970 # Default port if host is specified without one, defaults to 389.
973 # URI will override the host and port settings.
974 uri ldap://ldapserver
975 #uri ldaps://secureldapserver
976 #uri ldaps://secureldapserver ldap://ldapserver
978 # The amount of time, in seconds, to wait while trying to connect to
982 # The amount of time, in seconds, to wait while performing an LDAP query.
985 # Must be set or sudo will ignore LDAP; may be specified multiple times.
986 sudoers_base ou=SUDOers,dc=example,dc=com
988 # verbose sudoers matching from ldap
991 # Enable support for time-based entries in sudoers.
994 # optional proxy credentials
995 #binddn <who to search as>
997 #rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>
999 # LDAP protocol version, defaults to 3
1002 # Define if you want to use an encrypted LDAP connection.
1003 # Typically, you must also set the port to 636 (ldaps).
1006 # Define if you want to use port 389 and switch to
1007 # encryption before the bind credentials are sent.
1008 # Only supported by LDAP servers that support the start_tls
1009 # extension such as OpenLDAP.
1012 # Additional TLS options follow that allow tweaking of the
1013 # SSL/TLS connection.
1015 #tls_checkpeer yes # verify server SSL certificate
1016 #tls_checkpeer no # ignore server SSL certificate
1018 # If you enable tls_checkpeer, specify either tls_cacertfile
1019 # or tls_cacertdir. Only supported when using OpenLDAP.
1021 #tls_cacertfile /etc/certs/trusted_signers.pem
1022 #tls_cacertdir /etc/certs
1024 # For systems that don't have /dev/random
1025 # use this along with PRNGD or EGD.pl to seed the
1026 # random number pool to generate cryptographic session keys.
1027 # Only supported when using OpenLDAP.
1029 #tls_randfile /etc/egd-pool
1031 # You may restrict which ciphers are used. Consult your SSL
1032 # documentation for which options go here.
1033 # Only supported when using OpenLDAP.
1035 #tls_ciphers <cipher-list>
1037 # Sudo can provide a client certificate when communicating to
1040 # * Enable both lines at the same time.
1041 # * Do not password protect the key file.
1042 # * Ensure the keyfile is only readable by root.
1045 #tls_cert /etc/certs/client_cert.pem
1046 #tls_key /etc/certs/client_key.pem
1048 # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
1049 # a directory, in which case the files in the directory must have the
1050 # default names (e.g. cert8.db and key4.db), or the path to the cert
1051 # and key files themselves. However, a bug in version 5.0 of the LDAP
1052 # SDK will prevent specific file names from working. For this reason
1053 # it is suggested that tls_cert and tls_key be set to a directory,
1056 # The certificate database specified by tls_cert may contain CA certs
1057 # and/or the client's cert. If the client's cert is included, tls_key
1058 # should be specified as well.
1059 # For backward compatibility, "sslpath" may be used in place of tls_cert.
1063 # If using SASL authentication for LDAP (OpenSSL)
1065 # sasl_auth_id <SASL user name>
1067 # rootsasl_auth_id <SASL user name for root access>
1068 # sasl_secprops none
1069 # krb5_ccname /etc/.ldapcache
1071 .Ss Sudo schema for OpenLDAP
1072 The following schema, in OpenLDAP format, is included with
1074 source and binary distributions as
1075 .Pa schema.OpenLDAP .
1077 it to the schema directory (e.g.\&
1078 .Pa /etc/openldap/schema ) ,
1085 .Bd -literal -offset 2n
1086 attributetype ( 1.3.6.1.4.1.15953.9.1.1
1088 DESC 'User(s) who may run sudo'
1089 EQUALITY caseExactIA5Match
1090 SUBSTR caseExactIA5SubstringsMatch
1091 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1093 attributetype ( 1.3.6.1.4.1.15953.9.1.2
1095 DESC 'Host(s) who may run sudo'
1096 EQUALITY caseExactIA5Match
1097 SUBSTR caseExactIA5SubstringsMatch
1098 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1100 attributetype ( 1.3.6.1.4.1.15953.9.1.3
1102 DESC 'Command(s) to be executed by sudo'
1103 EQUALITY caseExactIA5Match
1104 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1106 attributetype ( 1.3.6.1.4.1.15953.9.1.4
1108 DESC 'User(s) impersonated by sudo'
1109 EQUALITY caseExactIA5Match
1110 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1112 attributetype ( 1.3.6.1.4.1.15953.9.1.5
1114 DESC 'Options(s) followed by sudo'
1115 EQUALITY caseExactIA5Match
1116 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1118 attributetype ( 1.3.6.1.4.1.15953.9.1.6
1119 NAME 'sudoRunAsUser'
1120 DESC 'User(s) impersonated by sudo'
1121 EQUALITY caseExactIA5Match
1122 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1124 attributetype ( 1.3.6.1.4.1.15953.9.1.7
1125 NAME 'sudoRunAsGroup'
1126 DESC 'Group(s) impersonated by sudo'
1127 EQUALITY caseExactIA5Match
1128 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1130 attributetype ( 1.3.6.1.4.1.15953.9.1.8
1131 NAME 'sudoNotBefore'
1132 DESC 'Start of time interval for which the entry is valid'
1133 EQUALITY generalizedTimeMatch
1134 ORDERING generalizedTimeOrderingMatch
1135 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
1137 attributetype ( 1.3.6.1.4.1.15953.9.1.9
1139 DESC 'End of time interval for which the entry is valid'
1140 EQUALITY generalizedTimeMatch
1141 ORDERING generalizedTimeOrderingMatch
1142 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
1144 attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
1146 DESC 'an integer to order the sudoRole entries'
1147 EQUALITY integerMatch
1148 ORDERING integerOrderingMatch
1149 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
1151 objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
1152 DESC 'Sudoer Entries'
1154 MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
1155 sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
1156 sudoOrder $ description )
1160 .Xr ldap.conf @mansectform@ ,
1161 .Xr sudo.conf @mansectform@ ,
1162 .Xr sudoers @mansectsu@
1164 Note that there are differences in the way that LDAP-based
1166 is parsed compared to file-based
1169 .Sx Differences between LDAP and non-LDAP sudoers
1170 section for more information.
1172 If you feel you have found a bug in
1174 please submit a bug report at http://www.sudo.ws/sudo/bugs/
1176 Limited free support is available via the sudo-users mailing list,
1177 see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
1178 search the archives.
1183 and any express or implied warranties, including, but not limited
1184 to, the implied warranties of merchantability and fitness for a
1185 particular purpose are disclaimed.
1186 See the LICENSE file distributed with
1188 or http://www.sudo.ws/sudo/license.html for complete details.