1 Copyright (c) 2003-2011
2 Todd C. Miller <Todd.Miller@courtesan.com>
4 Permission to use, copy, modify, and distribute this software for any
5 purpose with or without fee is hereby granted, provided that the above
6 copyright notice and this permission notice appear in all copies.
8 THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
21 sudoers.ldap - sudo LDAP configuration
25 In addition to the standard I<sudoers> file, B<sudo> may be configured
26 via LDAP. This can be especially useful for synchronizing I<sudoers>
27 in a large, distributed environment.
29 Using LDAP for I<sudoers> has several benefits:
35 B<sudo> no longer needs to read I<sudoers> in its entirety. When
36 LDAP is used, there are only two or three LDAP queries per invocation.
37 This makes it especially fast and particularly usable in LDAP
42 B<sudo> no longer exits if there is a typo in I<sudoers>.
43 It is not possible to load LDAP data into the server that does
44 not conform to the sudoers schema, so proper syntax is guaranteed.
45 It is still possible to have typos in a user or host name, but
46 this will not prevent B<sudo> from running.
50 It is possible to specify per-entry options that override the global
51 default options. F<@sysconfdir@/sudoers> only supports default options and
52 limited options associated with user/host/commands/aliases. The
53 syntax is complicated and can be difficult for users to understand.
54 Placing the options directly in the entry is more natural.
58 The B<visudo> program is no longer needed. B<visudo> provides
59 locking and syntax checking of the F<@sysconfdir@/sudoers> file.
60 Since LDAP updates are atomic, locking is no longer necessary.
61 Because syntax is checked when the data is inserted into LDAP, there
62 is no need for a specialized tool to check syntax.
66 Another major difference between LDAP and file-based I<sudoers>
67 is that in LDAP, B<sudo>-specific Aliases are not supported.
69 For the most part, there is really no need for B<sudo>-specific
70 Aliases. Unix groups or user netgroups can be used in place of
71 User_Aliases and Runas_Aliases. Host netgroups can be used in place
72 of Host_Aliases. Since Unix groups and netgroups can also be stored
73 in LDAP there is no real need for B<sudo>-specific aliases.
75 Cmnd_Aliases are not really required either since it is possible
76 to have multiple users listed in a C<sudoRole>. Instead of defining
77 a Cmnd_Alias that is referenced by multiple users, one can create
78 a C<sudoRole> that contains the commands and assign multiple users
81 =head2 SUDOers LDAP container
83 The I<sudoers> configuration is contained in the C<ou=SUDOers> LDAP
86 Sudo first looks for the C<cn=default> entry in the SUDOers container.
87 If found, the multi-valued C<sudoOption> attribute is parsed in the
88 same manner as a global C<Defaults> line in F<@sysconfdir@/sudoers>. In
89 the following example, the C<SSH_AUTH_SOCK> variable will be preserved
90 in the environment for all users.
92 dn: cn=defaults,ou=SUDOers,dc=example,dc=com
96 description: Default sudoOption's go here
97 sudoOption: env_keep+=SSH_AUTH_SOCK
99 The equivalent of a sudoer in LDAP is a C<sudoRole>. It consists of
100 the following attributes:
106 A user name, uid (prefixed with C<'#'>), Unix group (prefixed with
107 a C<'%'>) or user netgroup (prefixed with a C<'+'>).
111 A host name, IP address, IP network, or host netgroup (prefixed
113 The special value C<ALL> will match any host.
117 A Unix command with optional command line arguments, potentially
118 including globbing characters (aka wild cards).
119 The special value C<ALL> will match any command.
120 If a command is prefixed with an exclamation point C<'!'>, the
121 user will be prohibited from running that command.
125 Identical in function to the global options described above, but
126 specific to the C<sudoRole> in which it resides.
128 =item B<sudoRunAsUser>
130 A user name or uid (prefixed with C<'#'>) that commands may be run
131 as or a Unix group (prefixed with a C<'%'>) or user netgroup (prefixed
132 with a C<'+'>) that contains a list of users that commands may be
134 The special value C<ALL> will match any user.
136 The C<sudoRunAsUser> attribute is only available in B<sudo> versions
137 1.7.0 and higher. Older versions of B<sudo> use the C<sudoRunAs>
140 =item B<sudoRunAsGroup>
142 A Unix group or gid (prefixed with C<'#'>) that commands may be run as.
143 The special value C<ALL> will match any group.
145 The C<sudoRunAsGroup> attribute is only available in B<sudo> versions
148 =item B<sudoNotBefore>
150 A timestamp in the form C<yyyymmddHHMMSSZ> that can be used to provide
151 a start date/time for when the C<sudoRole> will be valid. If
152 multiple C<sudoNotBefore> entries are present, the earliest is used.
153 Note that timestamps must be in Coordinated Universal Time (UTC),
154 not the local timezone. The minute and seconds portions are optional,
155 but some LDAP servers require that they be present (contrary to the RFC).
157 The C<sudoNotBefore> attribute is only available in B<sudo> versions
158 1.7.5 and higher and must be explicitly enabled via the B<SUDOERS_TIMED>
159 option in F<@ldap_conf@>.
161 =item B<sudoNotAfter>
163 A timestamp in the form C<yyyymmddHHMMSSZ> that indicates an expiration
164 date/time, after which the C<sudoRole> will no longer be valid. If
165 multiple C<sudoNotBefore> entries are present, the last one is used.
166 Note that timestamps must be in Coordinated Universal Time (UTC),
167 not the local timezone. The minute and seconds portions are optional,
168 but some LDAP servers require that they be present (contrary to the RFC).
170 The C<sudoNotAfter> attribute is only available in B<sudo> versions
171 1.7.5 and higher and must be explicitly enabled via the B<SUDOERS_TIMED>
172 option in F<@ldap_conf@>.
176 The C<sudoRole> entries retrieved from the LDAP directory have no
177 inherent order. The C<sudoOrder> attribute is an integer (or
178 floating point value for LDAP servers that support it) that is used
179 to sort the matching entries. This allows LDAP-based sudoers entries
180 to more closely mimic the behaviour of the sudoers file, where the
181 of the entries influences the result. If multiple entries match,
182 the entry with the highest C<sudoOrder> attribute is chosen. This
183 corresponds to the "last match" behavior of the sudoers file. If
184 the C<sudoOrder> attribute is not present, a value of 0 is assumed.
186 The C<sudoOrder> attribute is only available in B<sudo> versions
191 Each attribute listed above should contain a single value, but there
192 may be multiple instances of each attribute type. A C<sudoRole> must
193 contain at least one C<sudoUser>, C<sudoHost> and C<sudoCommand>.
195 The following example allows users in group wheel to run any command
196 on any host via B<sudo>:
198 dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
200 objectClass: sudoRole
206 =head2 Anatomy of LDAP sudoers lookup
208 When looking up a sudoer using LDAP there are only two or three
209 LDAP queries per invocation. The first query is to parse the global
210 options. The second is to match against the user's name and the
211 groups that the user belongs to. (The special ALL tag is matched
212 in this query too.) If no match is returned for the user's name
213 and groups, a third query returns all entries containing user
214 netgroups and checks to see if the user belongs to any of them.
216 If timed entries are enabled with the B<SUDOERS_TIMED> configuration
217 directive, the LDAP queries include a subfilter that limits retrieval
218 to entries that satisfy the time constraints, if any.
220 =head2 Differences between LDAP and non-LDAP sudoers
222 There are some subtle differences in the way sudoers is handled
223 once in LDAP. Probably the biggest is that according to the RFC,
224 LDAP ordering is arbitrary and you cannot expect that Attributes
225 and Entries are returned in any specific order.
227 The order in which different entries are applied can be controlled
228 using the C<sudoOrder> attribute, but there is no way to guarantee
229 the order of attributes within a specific entry. If there are
230 conflicting command rules in an entry, the negative takes precedence.
231 This is called paranoid behavior (not necessarily the most specific
237 # Allow all commands except shell
238 johnny ALL=(root) ALL,!/bin/sh
239 # Always allows all commands because ALL is matched last
240 puddles ALL=(root) !/bin/sh,ALL
242 # LDAP equivalent of johnny
243 # Allows all commands except shell
244 dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
245 objectClass: sudoRole
251 sudoCommand: !/bin/sh
253 # LDAP equivalent of puddles
254 # Notice that even though ALL comes last, it still behaves like
255 # role1 since the LDAP code assumes the more paranoid configuration
256 dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
257 objectClass: sudoRole
262 sudoCommand: !/bin/sh
265 Another difference is that negations on the Host, User or Runas are
266 currently ignored. For example, the following attributes do not
267 behave the way one might expect.
269 # does not match all but joe
270 # rather, does not match anyone
273 # does not match all but joe
274 # rather, matches everyone including Joe
278 # does not match all but web01
279 # rather, matches all hosts including web01
283 =head2 Sudoers Schema
285 In order to use B<sudo>'s LDAP support, the B<sudo> schema must be
286 installed on your LDAP server. In addition, be sure to index the
287 'sudoUser' attribute.
289 Three versions of the schema: one for OpenLDAP servers (F<schema.OpenLDAP>),
290 one for Netscape-derived servers (F<schema.iPlanet>), and one for
291 Microsoft Active Directory (F<schema.ActiveDirectory>) may
292 be found in the B<sudo> distribution.
294 The schema for B<sudo> in OpenLDAP form is included in the L<EXAMPLES>
297 =head2 Configuring ldap.conf
299 Sudo reads the F<@ldap_conf@> file for LDAP-specific configuration.
300 Typically, this file is shared amongst different LDAP-aware clients.
301 As such, most of the settings are not B<sudo>-specific. Note that
302 B<sudo> parses F<@ldap_conf@> itself and may support options
303 that differ from those described in the L<ldap.conf(5)> manual.
305 Also note that on systems using the OpenLDAP libraries, default
306 values specified in F</etc/openldap/ldap.conf> or the user's
307 F<.ldaprc> files are not used.
309 Only those options explicitly listed in F<@ldap_conf@> as being
310 supported by B<sudo> are honored. Configuration options are listed
311 below in upper case but are parsed in a case-independent manner.
315 =item B<URI> ldap[s]://[hostname[:port]] ...
317 Specifies a whitespace-delimited list of one or more URIs describing
318 the LDAP server(s) to connect to. The I<protocol> may be either
319 B<ldap> or B<ldaps>, the latter being for servers that support TLS
320 (SSL) encryption. If no I<port> is specified, the default is port
321 389 for C<ldap://> or port 636 for C<ldaps://>. If no I<hostname>
322 is specified, B<sudo> will connect to B<localhost>. Multiple B<URI>
323 lines are treated identically to a B<URI> line containing multiple
324 entries. Only systems using the OpenSSL libraries support the
325 mixing of C<ldap://> and C<ldaps://> URIs. The Netscape-derived
326 libraries used on most commercial versions of Unix are only capable
327 of supporting one or the other.
329 =item B<HOST> name[:port] ...
331 If no B<URI> is specified, the B<HOST> parameter specifies a
332 whitespace-delimited list of LDAP servers to connect to. Each host
333 may include an optional I<port> separated by a colon (':'). The
334 B<HOST> parameter is deprecated in favor of the B<URI> specification
335 and is included for backwards compatibility.
337 =item B<PORT> port_number
339 If no B<URI> is specified, the B<PORT> parameter specifies the
340 default port to connect to on the LDAP server if a B<HOST> parameter
341 does not specify the port itself. If no B<PORT> parameter is used,
342 the default is port 389 for LDAP and port 636 for LDAP over TLS
343 (SSL). The B<PORT> parameter is deprecated in favor of the B<URI>
344 specification and is included for backwards compatibility.
346 =item B<BIND_TIMELIMIT> seconds
348 The B<BIND_TIMELIMIT> parameter specifies the amount of time, in seconds,
349 to wait while trying to connect to an LDAP server. If multiple B<URI>s or
350 B<HOST>s are specified, this is the amount of time to wait before trying
351 the next one in the list.
353 =item B<NETWORK_TIMEOUT> seconds
355 An alias for B<BIND_TIMELIMIT> for OpenLDAP compatibility.
357 =item B<TIMELIMIT> seconds
359 The B<TIMELIMIT> parameter specifies the amount of time, in seconds,
360 to wait for a response to an LDAP query.
362 =item B<TIMEOUT> seconds
364 The B<TIMEOUT> parameter specifies the amount of time, in seconds,
365 to wait for a response from the various LDAP APIs.
367 =item B<SUDOERS_BASE> base
369 The base DN to use when performing B<sudo> LDAP queries. Typically
370 this is of the form C<ou=SUDOers,dc=example,dc=com> for the domain
371 C<example.com>. Multiple B<SUDOERS_BASE> lines may be specified,
372 in which case they are queried in the order specified.
374 =item B<SUDOERS_SEARCH_FILTER> ldap_filter
376 An LDAP filter which is used to restrict the set of records returned
377 when performing a B<sudo> LDAP query. Typically, this is of the
378 form C<attribute=value> or C<(&(attribute=value)(attribute2=value2))>.
380 =item B<SUDOERS_TIMED> on/true/yes/off/false/no
382 Whether or not to evaluate the C<sudoNotBefore> and C<sudoNotAfter>
383 attributes that implement time-dependent sudoers entries.
385 =item B<SUDOERS_DEBUG> debug_level
387 This sets the debug level for B<sudo> LDAP queries. Debugging
388 information is printed to the standard error. A value of 1 results
389 in a moderate amount of debugging information. A value of 2 shows
390 the results of the matches themselves. This parameter should not
391 be set in a production environment as the extra information is
392 likely to confuse users.
396 The B<BINDDN> parameter specifies the identity, in the form of a
397 Distinguished Name (DN), to use when performing LDAP operations.
398 If not specified, LDAP operations are performed with an anonymous
399 identity. By default, most LDAP servers will allow anonymous access.
401 =item B<BINDPW> secret
403 The B<BINDPW> parameter specifies the password to use when performing
404 LDAP operations. This is typically used in conjunction with the
407 =item B<ROOTBINDDN> DN
409 The B<ROOTBINDDN> parameter specifies the identity, in the form of
410 a Distinguished Name (DN), to use when performing privileged LDAP
411 operations, such as I<sudoers> queries. The password corresponding
412 to the identity should be stored in F<@ldap_secret@>.
413 If not specified, the B<BINDDN> identity is used (if any).
415 =item B<LDAP_VERSION> number
417 The version of the LDAP protocol to use when connecting to the server.
418 The default value is protocol version 3.
420 =item B<SSL> on/true/yes/off/false/no
422 If the B<SSL> parameter is set to C<on>, C<true> or C<yes>, TLS
423 (SSL) encryption is always used when communicating with the LDAP
424 server. Typically, this involves connecting to the server on port
427 =item B<SSL> start_tls
429 If the B<SSL> parameter is set to C<start_tls>, the LDAP server
430 connection is initiated normally and TLS encryption is begun before
431 the bind credentials are sent. This has the advantage of not
432 requiring a dedicated port for encrypted communications. This
433 parameter is only supported by LDAP servers that honor the C<start_tls>
434 extension, such as the OpenLDAP server.
436 =item B<TLS_CHECKPEER> on/true/yes/off/false/no
438 If enabled, B<TLS_CHECKPEER> will cause the LDAP server's TLS
439 certificated to be verified. If the server's TLS certificate cannot
440 be verified (usually because it is signed by an unknown certificate
441 authority), B<sudo> will be unable to connect to it. If B<TLS_CHECKPEER>
442 is disabled, no check is made. Note that disabling the check creates
443 an opportunity for man-in-the-middle attacks since the server's
444 identity will not be authenticated. If possible, the CA's certificate
445 should be installed locally so it can be verified.
447 =item B<TLS_CACERT> file name
449 An alias for B<TLS_CACERTFILE> for OpenLDAP compatibility.
451 =item B<TLS_CACERTFILE> file name
453 The path to a certificate authority bundle which contains the certificates
454 for all the Certificate Authorities the client knows to be valid,
455 e.g. F</etc/ssl/ca-bundle.pem>.
456 This option is only supported by the OpenLDAP libraries.
457 Netscape-derived LDAP libraries use the same certificate
458 database for CA and client certificates (see B<TLS_CERT>).
460 =item B<TLS_CACERTDIR> directory
462 Similar to B<TLS_CACERTFILE> but instead of a file, it is a
463 directory containing individual Certificate Authority certificates,
464 e.g. F</etc/ssl/certs>.
465 The directory specified by B<TLS_CACERTDIR> is checked after
467 This option is only supported by the OpenLDAP libraries.
469 =item B<TLS_CERT> file name
471 The path to a file containing the client certificate which can
472 be used to authenticate the client to the LDAP server.
473 The certificate type depends on the LDAP libraries used.
476 C<tls_cert /etc/ssl/client_cert.pem>
479 C<tls_cert /var/ldap/cert7.db>
481 When using Netscape-derived libraries, this file may also contain
482 Certificate Authority certificates.
484 =item B<TLS_KEY> file name
486 The path to a file containing the private key which matches the
487 certificate specified by B<TLS_CERT>. The private key must not be
488 password-protected. The key type depends on the LDAP libraries
492 C<tls_key /etc/ssl/client_key.pem>
495 C<tls_key /var/ldap/key3.db>
497 =item B<TLS_RANDFILE> file name
499 The B<TLS_RANDFILE> parameter specifies the path to an entropy
500 source for systems that lack a random device. It is generally used
501 in conjunction with I<prngd> or I<egd>.
502 This option is only supported by the OpenLDAP libraries.
504 =item B<TLS_CIPHERS> cipher list
506 The B<TLS_CIPHERS> parameter allows the administer to restrict
507 which encryption algorithms may be used for TLS (SSL) connections.
508 See the OpenSSL manual for a list of valid ciphers.
509 This option is only supported by the OpenLDAP libraries.
511 =item B<USE_SASL> on/true/yes/off/false/no
513 Enable B<USE_SASL> for LDAP servers that support SASL authentication.
515 =item B<SASL_AUTH_ID> identity
517 The SASL user name to use when connecting to the LDAP server.
518 By default, B<sudo> will use an anonymous connection.
520 =item B<ROOTUSE_SASL> on/true/yes/off/false/no
522 Enable B<ROOTUSE_SASL> to enable SASL authentication when connecting
523 to an LDAP server from a privileged process, such as B<sudo>.
525 =item B<ROOTSASL_AUTH_ID> identity
527 The SASL user name to use when B<ROOTUSE_SASL> is enabled.
529 =item B<SASL_SECPROPS> none/properties
531 SASL security properties or I<none> for no properties. See the
532 SASL programmer's manual for details.
534 =item B<KRB5_CCNAME> file name
536 The path to the Kerberos 5 credential cache to use when authenticating
537 with the remote server.
539 =item B<DEREF> never/searching/finding/always
541 How alias dereferencing is to be performed when searching. See the
542 L<ldap.conf(5)> manual for a full description of this option.
546 See the C<ldap.conf> entry in the L<EXAMPLES> section.
548 =head2 Configuring nsswitch.conf
550 Unless it is disabled at build time, B<sudo> consults the Name
551 Service Switch file, F<@nsswitch_conf@>, to specify the I<sudoers>
552 search order. Sudo looks for a line beginning with C<sudoers>: and
553 uses this to determine the search order. Note that B<sudo> does
554 not stop searching after the first match and later matches take
555 precedence over earlier ones.
557 The following sources are recognized:
559 files read sudoers from F<@sysconfdir@/sudoers>
560 ldap read sudoers from LDAP
562 In addition, the entry C<[NOTFOUND=return]> will short-circuit the
563 search if the user was not found in the preceding source.
565 To consult LDAP first followed by the local sudoers file (if it
570 The local I<sudoers> file can be ignored completely by using:
574 If the F<@nsswitch_conf@> file is not present or there is no
575 sudoers line, the following default is assumed:
579 Note that F<@nsswitch_conf@> is supported even when the underlying
580 operating system does not use an nsswitch.conf file.
582 =head2 Configuring netsvc.conf
584 On AIX systems, the F<@netsvc_conf@> file is consulted instead of
585 F<@nsswitch_conf@>. B<sudo> simply treats I<netsvc.conf> as a
586 variant of I<nsswitch.conf>; information in the previous section
587 unrelated to the file format itself still applies.
589 To consult LDAP first followed by the local sudoers file (if it
592 sudoers = ldap, files
594 The local I<sudoers> file can be ignored completely by using:
598 To treat LDAP as authoratative and only use the local sudoers file
599 if the user is not present in LDAP, use:
601 sudoers = ldap = auth, files
603 Note that in the above example, the C<auth> qualfier only affects
604 user lookups; both LDAP and I<sudoers> will be queried for C<Defaults>
607 If the F<@netsvc_conf@> file is not present or there is no
608 sudoers line, the following default is assumed:
618 LDAP configuration file
620 =item F<@nsswitch_conf@>
622 determines sudoers source order
624 =item F<@netsvc_conf@>
626 determines sudoers source order on AIX
632 =head2 Example ldap.conf
634 # Either specify one or more URIs or one or more host:port pairs.
635 # If neither is specified sudo will default to localhost, port 389.
638 #host ldapserver1 ldapserver2:390
640 # Default port if host is specified without one, defaults to 389.
643 # URI will override the host and port settings.
644 uri ldap://ldapserver
645 #uri ldaps://secureldapserver
646 #uri ldaps://secureldapserver ldap://ldapserver
648 # The amount of time, in seconds, to wait while trying to connect to
652 # The amount of time, in seconds, to wait while performing an LDAP query.
655 # Must be set or sudo will ignore LDAP; may be specified multiple times.
656 sudoers_base ou=SUDOers,dc=example,dc=com
658 # verbose sudoers matching from ldap
661 # Enable support for time-based entries in sudoers.
664 # optional proxy credentials
665 #binddn <who to search as>
667 #rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>
669 # LDAP protocol version, defaults to 3
672 # Define if you want to use an encrypted LDAP connection.
673 # Typically, you must also set the port to 636 (ldaps).
676 # Define if you want to use port 389 and switch to
677 # encryption before the bind credentials are sent.
678 # Only supported by LDAP servers that support the start_tls
679 # extension such as OpenLDAP.
682 # Additional TLS options follow that allow tweaking of the
683 # SSL/TLS connection.
685 #tls_checkpeer yes # verify server SSL certificate
686 #tls_checkpeer no # ignore server SSL certificate
688 # If you enable tls_checkpeer, specify either tls_cacertfile
689 # or tls_cacertdir. Only supported when using OpenLDAP.
691 #tls_cacertfile /etc/certs/trusted_signers.pem
692 #tls_cacertdir /etc/certs
694 # For systems that don't have /dev/random
695 # use this along with PRNGD or EGD.pl to seed the
696 # random number pool to generate cryptographic session keys.
697 # Only supported when using OpenLDAP.
699 #tls_randfile /etc/egd-pool
701 # You may restrict which ciphers are used. Consult your SSL
702 # documentation for which options go here.
703 # Only supported when using OpenLDAP.
705 #tls_ciphers <cipher-list>
707 # Sudo can provide a client certificate when communicating to
710 # * Enable both lines at the same time.
711 # * Do not password protect the key file.
712 # * Ensure the keyfile is only readable by root.
715 #tls_cert /etc/certs/client_cert.pem
716 #tls_key /etc/certs/client_key.pem
718 # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
719 # a directory, in which case the files in the directory must have the
720 # default names (e.g. cert8.db and key4.db), or the path to the cert
721 # and key files themselves. However, a bug in version 5.0 of the LDAP
722 # SDK will prevent specific file names from working. For this reason
723 # it is suggested that tls_cert and tls_key be set to a directory,
726 # The certificate database specified by tls_cert may contain CA certs
727 # and/or the client's cert. If the client's cert is included, tls_key
728 # should be specified as well.
729 # For backward compatibility, "sslpath" may be used in place of tls_cert.
733 # If using SASL authentication for LDAP (OpenSSL)
735 # sasl_auth_id <SASL user name>
737 # rootsasl_auth_id <SASL user name for root access>
739 # krb5_ccname /etc/.ldapcache
741 =head2 Sudo schema for OpenLDAP
743 The following schema, in OpenLDAP format, is included with B<sudo>
744 source and binary distributions as F<schema.OpenLDAP>. Simply copy
745 it to the schema directory (e.g. F</etc/openldap/schema>), add the
746 proper C<include> line in C<slapd.conf> and restart B<slapd>.
748 attributetype ( 1.3.6.1.4.1.15953.9.1.1
750 DESC 'User(s) who may run sudo'
751 EQUALITY caseExactIA5Match
752 SUBSTR caseExactIA5SubstringsMatch
753 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
755 attributetype ( 1.3.6.1.4.1.15953.9.1.2
757 DESC 'Host(s) who may run sudo'
758 EQUALITY caseExactIA5Match
759 SUBSTR caseExactIA5SubstringsMatch
760 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
762 attributetype ( 1.3.6.1.4.1.15953.9.1.3
764 DESC 'Command(s) to be executed by sudo'
765 EQUALITY caseExactIA5Match
766 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
768 attributetype ( 1.3.6.1.4.1.15953.9.1.4
770 DESC 'User(s) impersonated by sudo'
771 EQUALITY caseExactIA5Match
772 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
774 attributetype ( 1.3.6.1.4.1.15953.9.1.5
776 DESC 'Options(s) followed by sudo'
777 EQUALITY caseExactIA5Match
778 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
780 attributetype ( 1.3.6.1.4.1.15953.9.1.6
782 DESC 'User(s) impersonated by sudo'
783 EQUALITY caseExactIA5Match
784 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
786 attributetype ( 1.3.6.1.4.1.15953.9.1.7
787 NAME 'sudoRunAsGroup'
788 DESC 'Group(s) impersonated by sudo'
789 EQUALITY caseExactIA5Match
790 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
792 attributetype ( 1.3.6.1.4.1.15953.9.1.8
794 DESC 'Start of time interval for which the entry is valid'
795 EQUALITY generalizedTimeMatch
796 ORDERING generalizedTimeOrderingMatch
797 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
799 attributetype ( 1.3.6.1.4.1.15953.9.1.9
801 DESC 'End of time interval for which the entry is valid'
802 EQUALITY generalizedTimeMatch
803 ORDERING generalizedTimeOrderingMatch
804 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
806 attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
808 DESC 'an integer to order the sudoRole entries'
809 EQUALITY integerMatch
810 ORDERING integerOrderingMatch
811 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
813 objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
814 DESC 'Sudoer Entries'
816 MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
817 sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
818 sudoOrder $ description )
823 L<ldap.conf(5)>, L<sudoers(5)>
827 Note that there are differences in the way that LDAP-based I<sudoers>
828 is parsed compared to file-based I<sudoers>. See the L<Differences
829 between LDAP and non-LDAP sudoers> section for more information.
833 If you feel you have found a bug in B<sudo>, please submit a bug report
834 at http://www.sudo.ws/sudo/bugs/
838 Limited free support is available via the sudo-users mailing list,
839 see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
844 B<sudo> is provided ``AS IS'' and any express or implied warranties,
845 including, but not limited to, the implied warranties of merchantability
846 and fitness for a particular purpose are disclaimed. See the LICENSE
847 file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
848 for complete details.