2 .\" Copyright (c) 2003-2012 Todd C. Miller <Todd.Miller@courtesan.com>
4 .\" Permission to use, copy, modify, and distribute this software for any
5 .\" purpose with or without fee is hereby granted, provided that the above
6 .\" copyright notice and this permission notice appear in all copies.
8 .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
18 .Dt SUDOERS.LDAP @mansectsu@
19 .Os Sudo @PACKAGE_VERSION@
22 .Nd sudo LDAP configuration
24 In addition to the standard
30 This can be especially useful for synchronizing
32 in a large, distributed environment.
40 no longer needs to read
43 When LDAP is used, there are only two or three LDAP queries per invocation.
44 This makes it especially fast and particularly usable in LDAP environments.
47 no longer exits if there is a typo in
49 It is not possible to load LDAP data into the server that does
50 not conform to the sudoers schema, so proper syntax is guaranteed.
51 It is still possible to have typos in a user or host name, but
56 It is possible to specify per-entry options that override the global
58 .Pa @sysconfdir@/sudoers
59 only supports default options and limited options associated with
60 user/host/commands/aliases.
61 The syntax is complicated and can be difficult for users to understand.
62 Placing the options directly in the entry is more natural.
66 program is no longer needed.
68 provides locking and syntax checking of the
69 .Pa @sysconfdir@/sudoers
71 Since LDAP updates are atomic, locking is no longer necessary.
72 Because syntax is checked when the data is inserted into LDAP, there
73 is no need for a specialized tool to check syntax.
76 Another major difference between LDAP and file-based
79 .Nm sudo Ns No -specific
80 Aliases are not supported.
82 For the most part, there is really no need for
83 .Nm sudo Ns No -specific
85 Unix groups or user netgroups can be used in place of User_Aliases and
87 Host netgroups can be used in place of Host_Aliases.
88 Since Unix groups and netgroups can also be stored in LDAP there is no
90 .Nm sudo Ns No -specific
93 Cmnd_Aliases are not really required either since it is possible
94 to have multiple users listed in a
96 Instead of defining a Cmnd_Alias that is referenced by multiple users,
99 that contains the commands and assign multiple users to it.
100 .Ss SUDOers LDAP container
103 configuration is contained in the
107 Sudo first looks for the
109 entry in the SUDOers container.
110 If found, the multi-valued
112 attribute is parsed in the same manner as a global
115 .Pa @sysconfdir@/sudoers .
116 In the following example, the
118 variable will be preserved in the environment for all users.
119 .Bd -literal -offset 4n
120 dn: cn=defaults,ou=SUDOers,dc=example,dc=com
122 objectClass: sudoRole
124 description: Default sudoOption's go here
125 sudoOption: env_keep+=SSH_AUTH_SOCK
128 The equivalent of a sudoer in LDAP is a
130 It consists of the following attributes:
133 A user name, user ID (prefixed with
135 Unix group (prefixed with
137 Unix group ID (prefixed with
139 or user netgroup (prefixed with
142 A host name, IP address, IP network, or host netgroup (prefixed with a
148 A Unix command with optional command line arguments, potentially
149 including globbing characters (aka wild cards).
152 will match any command.
153 If a command is prefixed with an exclamation point
155 the user will be prohibited from running that command.
157 Identical in function to the global options described above, but
162 A user name or uid (prefixed with
164 that commands may be run as or a Unix group (prefixed with a
166 or user netgroup (prefixed with a
168 that contains a list of users that commands may be run as.
175 attribute is only available in
184 .It Sy sudoRunAsGroup
185 A Unix group or gid (prefixed with
187 that commands may be run as.
190 will match any group.
194 attribute is only available in
199 A timestamp in the form
201 that can be used to provide a start date/time for when the
206 entries are present, the earliest is used.
207 Note that timestamps must be in Coordinated Universal Time (UTC),
208 not the local timezone.
209 The minute and seconds portions are optional, but some LDAP servers
210 require that they be present (contrary to the RFC).
214 attribute is only available in
216 versions 1.7.5 and higher and must be explicitly enabled via the
221 A timestamp in the form
223 that indicates an expiration date/time, after which the
225 will no longer be valid.
228 entries are present, the last one is used.
229 Note that timestamps must be in Coordinated Universal Time (UTC),
230 not the local timezone.
231 The minute and seconds portions are optional, but some LDAP servers
232 require that they be present (contrary to the RFC).
236 attribute is only available in
239 1.7.5 and higher and must be explicitly enabled via the
246 entries retrieved from the LDAP directory have no inherent order.
249 attribute is an integer (or floating point value for LDAP servers
250 that support it) that is used to sort the matching entries.
251 This allows LDAP-based sudoers entries to more closely mimic the behaviour
252 of the sudoers file, where the of the entries influences the result.
253 If multiple entries match, the entry with the highest
256 This corresponds to the
258 behavior of the sudoers file.
261 attribute is not present, a value of 0 is assumed.
265 attribute is only available in
267 versions 1.7.5 and higher.
270 Each attribute listed above should contain a single value, but there
271 may be multiple instances of each attribute type.
274 must contain at least one
280 The following example allows users in group wheel to run any command
283 .Bd -literal -offset 4n
284 dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
286 objectClass: sudoRole
292 .Ss Anatomy of LDAP sudoers lookup
293 When looking up a sudoer using LDAP there are only two or three
294 LDAP queries per invocation.
295 The first query is to parse the global options.
296 The second is to match against the user's name and the groups that
300 tag is matched in this query too.)
301 If no match is returned for the user's name and groups, a third
302 query returns all entries containing user netgroups and checks
303 to see if the user belongs to any of them.
305 If timed entries are enabled with the
307 configuration directive, the LDAP queries include a subfilter that
308 limits retrieval to entries that satisfy the time constraints, if any.
309 .Ss Differences between LDAP and non-LDAP sudoers
310 There are some subtle differences in the way sudoers is handled
312 Probably the biggest is that according to the RFC, LDAP ordering
313 is arbitrary and you cannot expect that Attributes and Entries are
314 returned in any specific order.
316 The order in which different entries are applied can be controlled
319 attribute, but there is no way to guarantee the order of attributes
320 within a specific entry.
321 If there are conflicting command rules in an entry, the negative
323 This is called paranoid behavior (not necessarily the most specific
327 .Bd -literal -offset 4n
329 # Allow all commands except shell
330 johnny ALL=(root) ALL,!/bin/sh
331 # Always allows all commands because ALL is matched last
332 puddles ALL=(root) !/bin/sh,ALL
334 # LDAP equivalent of johnny
335 # Allows all commands except shell
336 dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
337 objectClass: sudoRole
343 sudoCommand: !/bin/sh
345 # LDAP equivalent of puddles
346 # Notice that even though ALL comes last, it still behaves like
347 # role1 since the LDAP code assumes the more paranoid configuration
348 dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
349 objectClass: sudoRole
354 sudoCommand: !/bin/sh
358 Another difference is that negations on the Host, User or Runas are
360 For example, the following attributes do not behave the way one might expect.
361 .Bd -literal -offset 4n
362 # does not match all but joe
363 # rather, does not match anyone
366 # does not match all but joe
367 # rather, matches everyone including Joe
371 # does not match all but web01
372 # rather, matches all hosts including web01
382 installed on your LDAP server.
383 In addition, be sure to index the
387 Three versions of the schema: one for OpenLDAP servers
388 .Pq Pa schema.OpenLDAP ,
389 one for Netscape-derived servers
390 .Pq Pa schema.iPlanet ,
391 and one for Microsoft Active Directory
392 .Pq Pa schema.ActiveDirectory
399 in OpenLDAP form is also included in the
402 .Ss Configuring ldap.conf
405 file for LDAP-specific configuration.
406 Typically, this file is shared amongst different LDAP-aware clients.
407 As such, most of the settings are not
408 .Nm sudo Ns No -specific.
413 itself and may support options that differ from those described in the
415 .Xr ldap.conf @mansectsu@
418 Also note that on systems using the OpenLDAP libraries, default
420 .Pa /etc/openldap/ldap.conf
425 Only those options explicitly listed in
427 as being supported by
430 Configuration options are listed below in upper case but are parsed
431 in a case-independent manner.
433 .It Sy URI Ar ldap[s]://[hostname[:port]] ...
434 Specifies a whitespace-delimited list of one or more URIs describing
435 the LDAP server(s) to connect to.
441 the latter being for servers that support TLS (SSL) encryption.
444 is specified, the default is port 389 for
456 lines are treated identically to a
458 line containing multiple entries.
459 Only systems using the OpenSSL libraries support the mixing of
464 Both the Netscape-derived and Tivoli LDAP libraries used on most commercial
465 versions of Unix are only capable of supporting one or the other.
466 .It Sy HOST Ar name[:port] ...
471 parameter specifies a whitespace-delimited list of LDAP servers to connect to.
472 Each host may include an optional
478 parameter is deprecated in favor of the
480 specification and is included for backwards compatibility.
481 .It Sy PORT Ar port_number
486 parameter specifies the default port to connect to on the LDAP server if a
488 parameter does not specify the port itself.
491 parameter is used, the default is port 389 for LDAP and port 636 for LDAP
495 parameter is deprecated in favor of the
497 specification and is included for backwards compatibility.
498 .It Sy BIND_TIMELIMIT Ar seconds
501 parameter specifies the amount of time, in seconds, to wait while trying
502 to connect to an LDAP server.
507 are specified, this is the amount of time to wait before trying
508 the next one in the list.
509 .It Sy NETWORK_TIMEOUT Ar seconds
512 for OpenLDAP compatibility.
513 .It Sy TIMELIMIT Ar seconds
516 parameter specifies the amount of time, in seconds, to wait for a
517 response to an LDAP query.
518 .It Sy TIMEOUT Ar seconds
521 parameter specifies the amount of time, in seconds, to wait for a
522 response from the various LDAP APIs.
523 .It Sy SUDOERS_BASE Ar base
524 The base DN to use when performing
527 Typically this is of the form
528 .Li ou=SUDOers,dc=example,dc=com
533 lines may be specified, in which case they are queried in the order specified.
534 .It Sy SUDOERS_SEARCH_FILTER Ar ldap_filter
535 An LDAP filter which is used to restrict the set of records returned
539 Typically, this is of the
543 .Li (&(attribute=value)(attribute2=value2)) .
544 .It Sy SUDOERS_TIMED Ar on/true/yes/off/false/no
545 Whether or not to evaluate the
549 attributes that implement time-dependent sudoers entries.
550 .It Sy SUDOERS_DEBUG Ar debug_level
551 This sets the debug level for
554 Debugging information is printed to the standard error.
555 A value of 1 results in a moderate amount of debugging information.
556 A value of 2 shows the results of the matches themselves.
557 This parameter should not be set in a production environment as the
558 extra information is likely to confuse users.
562 parameter specifies the identity, in the form of a Distinguished Name (DN),
563 to use when performing LDAP operations.
564 If not specified, LDAP operations are performed with an anonymous identity.
565 By default, most LDAP servers will allow anonymous access.
566 .It Sy BINDPW Ar secret
569 parameter specifies the password to use when performing LDAP operations.
570 This is typically used in conjunction with the
573 .It Sy ROOTBINDDN Ar DN
576 parameter specifies the identity, in the form of a Distinguished Name (DN),
577 to use when performing privileged LDAP operations, such as
580 The password corresponding
581 to the identity should be stored in
583 If not specified, the
585 identity is used (if any).
586 .It Sy LDAP_VERSION Ar number
587 The version of the LDAP protocol to use when connecting to the server.
588 The default value is protocol version 3.
589 .It Sy SSL Ar on/true/yes/off/false/no
597 TLS (SSL) encryption is always used when communicating with the LDAP server.
598 Typically, this involves connecting to the server on port 636 (ldaps).
599 .It Sy SSL Ar start_tls
604 the LDAP server connection is initiated normally and TLS encryption is
605 begun before the bind credentials are sent.
606 This has the advantage of not requiring a dedicated port for encrypted
608 This parameter is only supported by LDAP servers that honor the
610 extension, such as the OpenLDAP and Tivoli Directory servers.
611 .It Sy TLS_CHECKPEER Ar on/true/yes/off/false/no
614 will cause the LDAP server's TLS certificated to be verified.
615 If the server's TLS certificate cannot be verified (usually because it
616 is signed by an unknown certificate authority),
618 will be unable to connect to it.
621 is disabled, no check is made.
622 Note that disabling the check creates an opportunity for man-in-the-middle
623 attacks since the server's identity will not be authenticated.
624 If possible, the CA's certificate should be installed locally so it can
626 This option is not supported by the Tivoli Directory Server LDAP libraries.
627 .It Sy TLS_CACERT Ar file name
630 for OpenLDAP compatibility.
631 .It Sy TLS_CACERTFILE Ar file name
632 The path to a certificate authority bundle which contains the certificates
633 for all the Certificate Authorities the client knows to be valid, e.g.\&
634 .Pa /etc/ssl/ca-bundle.pem .
635 This option is only supported by the OpenLDAP libraries.
636 Netscape-derived LDAP libraries use the same certificate
637 database for CA and client certificates (see
639 .It Sy TLS_CACERTDIR Ar directory
642 but instead of a file, it is a directory containing individual
643 Certificate Authority certificates, e.g.\&
645 The directory specified by
649 This option is only supported by the OpenLDAP libraries.
650 .It Sy TLS_CERT Ar file name
651 The path to a file containing the client certificate which can
652 be used to authenticate the client to the LDAP server.
653 The certificate type depends on the LDAP libraries used.
656 .Li tls_cert /etc/ssl/client_cert.pem
657 .It Netscape-derived:
658 .Li tls_cert /var/ldap/cert7.db
659 .It Tivoli Directory Server:
660 Unused, the key database specified by
662 contains both keys and certificates.
664 When using Netscape-derived libraries, this file may also contain
665 Certificate Authority certificates.
667 .It Sy TLS_KEY Ar file name
668 The path to a file containing the private key which matches the
669 certificate specified by
671 The private key must not be password-protected.
672 The key type depends on the LDAP libraries used.
675 .Li tls_key /etc/ssl/client_key.pem
676 .It Netscape-derived:
677 .Li tls_key /var/ldap/key3.db
678 .It Tivoli Directory Server:
679 .Li tls_cert /usr/ldap/ldapkey.kdb
681 When using Tivoli LDAP libraries, this file may also contain
682 Certificate Authority and client certificates and may be encrypted.
683 .It Sy TLS_KEYPW Ar secret
686 contains the password used to decrypt the key database on clients
687 using the Tivoli Directory Server LDAP library.
692 will be used if it exists.
695 must have the same path as the file specified by
699 file extension instead of
705 that ships with Tivoli Directory Server is encrypted with the password
707 This option is only supported by the Tivoli LDAP libraries.
708 .It Sy TLS_RANDFILE Ar file name
711 parameter specifies the path to an entropy source for systems that lack
713 It is generally used in conjunction with
717 This option is only supported by the OpenLDAP libraries.
718 .It Sy TLS_CIPHERS Ar cipher list
721 parameter allows the administer to restrict which encryption algorithms
722 may be used for TLS (SSL) connections.
723 See the OpenLDAP or Tivoli Directory Server manual for a list of valid
725 This option is not supported by Netscape-derived libraries.
726 .It Sy USE_SASL Ar on/true/yes/off/false/no
729 for LDAP servers that support SASL authentication.
730 .It Sy SASL_AUTH_ID Ar identity
731 The SASL user name to use when connecting to the LDAP server.
734 will use an anonymous connection.
735 .It Sy ROOTUSE_SASL Ar on/true/yes/off/false/no
738 to enable SASL authentication when connecting
739 to an LDAP server from a privileged process, such as
741 .It Sy ROOTSASL_AUTH_ID Ar identity
742 The SASL user name to use when
745 .It Sy SASL_SECPROPS Ar none/properties
746 SASL security properties or
749 See the SASL programmer's manual for details.
750 .It Sy KRB5_CCNAME Ar file name
751 The path to the Kerberos 5 credential cache to use when authenticating
752 with the remote server.
753 .It Sy DEREF Ar never/searching/finding/always
754 How alias dereferencing is to be performed when searching.
756 .Xr ldap.conf @mansectsu@
757 manual for a full description of this option.
765 .Ss Configuring nsswitch.conf
766 Unless it is disabled at build time,
768 consults the Name Service Switch file,
769 .Pa @nsswitch_conf@ ,
773 Sudo looks for a line beginning with
775 and uses this to determine the search order.
779 not stop searching after the first match and later matches take
780 precedence over earlier ones.
781 The following sources are recognized:
783 .Bl -tag -width 8n -offset 4n -compact
786 .Pa @sysconfdir@/sudoers
788 read sudoers from LDAP
791 In addition, the entry
792 .Li [NOTFOUND=return]
793 will short-circuit the search if the user was not found in the
796 To consult LDAP first followed by the local sudoers file (if it
798 .Bd -literal -offset 4n
804 file can be ignored completely by using:
805 .Bd -literal -offset 4n
811 file is not present or there is no sudoers line, the following
813 .Bd -literal -offset 4n
819 is supported even when the underlying operating system does not use
820 an nsswitch.conf file, except on AIX (see below).
821 .Ss Configuring netsvc.conf
824 file is consulted instead of
825 .Pa @nsswitch_conf@ .
831 information in the previous section unrelated to the file format
832 itself still applies.
834 To consult LDAP first followed by the local sudoers file (if it
836 .Bd -literal -offset 4n
837 sudoers = ldap, files
842 file can be ignored completely by using:
843 .Bd -literal -offset 4n
847 To treat LDAP as authoratative and only use the local sudoers file
848 if the user is not present in LDAP, use:
849 .Bd -literal -offset 4n
850 sudoers = ldap = auth, files
853 Note that in the above example, the
855 qualfier only affects user lookups; both LDAP and
863 file is not present or there is no sudoers line, the following
865 .Bd -literal -offset 4n
871 LDAP configuration file
872 .It Pa @nsswitch_conf@
873 determines sudoers source order
875 determines sudoers source order on AIX
878 .Ss Example ldap.conf
879 .Bd -literal -offset 2n
880 # Either specify one or more URIs or one or more host:port pairs.
881 # If neither is specified sudo will default to localhost, port 389.
884 #host ldapserver1 ldapserver2:390
886 # Default port if host is specified without one, defaults to 389.
889 # URI will override the host and port settings.
890 uri ldap://ldapserver
891 #uri ldaps://secureldapserver
892 #uri ldaps://secureldapserver ldap://ldapserver
894 # The amount of time, in seconds, to wait while trying to connect to
898 # The amount of time, in seconds, to wait while performing an LDAP query.
901 # Must be set or sudo will ignore LDAP; may be specified multiple times.
902 sudoers_base ou=SUDOers,dc=example,dc=com
904 # verbose sudoers matching from ldap
907 # Enable support for time-based entries in sudoers.
910 # optional proxy credentials
911 #binddn <who to search as>
913 #rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>
915 # LDAP protocol version, defaults to 3
918 # Define if you want to use an encrypted LDAP connection.
919 # Typically, you must also set the port to 636 (ldaps).
922 # Define if you want to use port 389 and switch to
923 # encryption before the bind credentials are sent.
924 # Only supported by LDAP servers that support the start_tls
925 # extension such as OpenLDAP.
928 # Additional TLS options follow that allow tweaking of the
929 # SSL/TLS connection.
931 #tls_checkpeer yes # verify server SSL certificate
932 #tls_checkpeer no # ignore server SSL certificate
934 # If you enable tls_checkpeer, specify either tls_cacertfile
935 # or tls_cacertdir. Only supported when using OpenLDAP.
937 #tls_cacertfile /etc/certs/trusted_signers.pem
938 #tls_cacertdir /etc/certs
940 # For systems that don't have /dev/random
941 # use this along with PRNGD or EGD.pl to seed the
942 # random number pool to generate cryptographic session keys.
943 # Only supported when using OpenLDAP.
945 #tls_randfile /etc/egd-pool
947 # You may restrict which ciphers are used. Consult your SSL
948 # documentation for which options go here.
949 # Only supported when using OpenLDAP.
951 #tls_ciphers <cipher-list>
953 # Sudo can provide a client certificate when communicating to
956 # * Enable both lines at the same time.
957 # * Do not password protect the key file.
958 # * Ensure the keyfile is only readable by root.
961 #tls_cert /etc/certs/client_cert.pem
962 #tls_key /etc/certs/client_key.pem
964 # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
965 # a directory, in which case the files in the directory must have the
966 # default names (e.g. cert8.db and key4.db), or the path to the cert
967 # and key files themselves. However, a bug in version 5.0 of the LDAP
968 # SDK will prevent specific file names from working. For this reason
969 # it is suggested that tls_cert and tls_key be set to a directory,
972 # The certificate database specified by tls_cert may contain CA certs
973 # and/or the client's cert. If the client's cert is included, tls_key
974 # should be specified as well.
975 # For backward compatibility, "sslpath" may be used in place of tls_cert.
979 # If using SASL authentication for LDAP (OpenSSL)
981 # sasl_auth_id <SASL user name>
983 # rootsasl_auth_id <SASL user name for root access>
985 # krb5_ccname /etc/.ldapcache
987 .Ss Sudo schema for OpenLDAP
988 The following schema, in OpenLDAP format, is included with
990 source and binary distributions as
991 .Pa schema.OpenLDAP .
993 it to the schema directory (e.g.\&
994 .Pa /etc/openldap/schema ) ,
1001 .Bd -literal -offset 2n
1002 attributetype ( 1.3.6.1.4.1.15953.9.1.1
1004 DESC 'User(s) who may run sudo'
1005 EQUALITY caseExactIA5Match
1006 SUBSTR caseExactIA5SubstringsMatch
1007 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1009 attributetype ( 1.3.6.1.4.1.15953.9.1.2
1011 DESC 'Host(s) who may run sudo'
1012 EQUALITY caseExactIA5Match
1013 SUBSTR caseExactIA5SubstringsMatch
1014 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1016 attributetype ( 1.3.6.1.4.1.15953.9.1.3
1018 DESC 'Command(s) to be executed by sudo'
1019 EQUALITY caseExactIA5Match
1020 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1022 attributetype ( 1.3.6.1.4.1.15953.9.1.4
1024 DESC 'User(s) impersonated by sudo'
1025 EQUALITY caseExactIA5Match
1026 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1028 attributetype ( 1.3.6.1.4.1.15953.9.1.5
1030 DESC 'Options(s) followed by sudo'
1031 EQUALITY caseExactIA5Match
1032 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1034 attributetype ( 1.3.6.1.4.1.15953.9.1.6
1035 NAME 'sudoRunAsUser'
1036 DESC 'User(s) impersonated by sudo'
1037 EQUALITY caseExactIA5Match
1038 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1040 attributetype ( 1.3.6.1.4.1.15953.9.1.7
1041 NAME 'sudoRunAsGroup'
1042 DESC 'Group(s) impersonated by sudo'
1043 EQUALITY caseExactIA5Match
1044 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1046 attributetype ( 1.3.6.1.4.1.15953.9.1.8
1047 NAME 'sudoNotBefore'
1048 DESC 'Start of time interval for which the entry is valid'
1049 EQUALITY generalizedTimeMatch
1050 ORDERING generalizedTimeOrderingMatch
1051 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
1053 attributetype ( 1.3.6.1.4.1.15953.9.1.9
1055 DESC 'End of time interval for which the entry is valid'
1056 EQUALITY generalizedTimeMatch
1057 ORDERING generalizedTimeOrderingMatch
1058 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
1060 attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
1062 DESC 'an integer to order the sudoRole entries'
1063 EQUALITY integerMatch
1064 ORDERING integerOrderingMatch
1065 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
1067 objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
1068 DESC 'Sudoer Entries'
1070 MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
1071 sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
1072 sudoOrder $ description )
1076 .Xr ldap.conf @mansectsu@ ,
1077 .Xr sudoers @mansectsu@
1079 Note that there are differences in the way that LDAP-based
1081 is parsed compared to file-based
1084 .Sx Differences between LDAP and non-LDAP sudoers
1085 section for more information.
1087 If you feel you have found a bug in
1089 please submit a bug report at http://www.sudo.ws/sudo/bugs/
1091 Limited free support is available via the sudo-users mailing list,
1092 see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
1093 search the archives.
1098 and any express or implied warranties, including, but not limited
1099 to, the implied warranties of merchantability and fitness for a
1100 particular purpose are disclaimed.
1101 See the LICENSE file distributed with
1103 or http://www.sudo.ws/sudo/license.html for complete details.