SUDOERS.LDAP(4)              MAINTENANCE COMMANDS              SUDOERS.LDAP(4)

NAME
       sudoers.ldap - sudo LDAP configuration
DESCRIPTION
       In addition to the standard sudoers file, sudo may be configured via
       LDAP.  This can be especially useful for synchronizing sudoers in a
       large, distributed environment.
       Using LDAP for sudoers has several benefits:

       o   sudo no longer needs to read sudoers in its entirety.  When LDAP is
           used, there are only two or three LDAP queries per invocation.
           This makes it especially fast and particularly usable in LDAP

       o   sudo no longer exits if there is a typo in sudoers.  It is not
           possible to load LDAP data into the server that does not conform to
           the sudoers schema, so proper syntax is guaranteed.  It is still
           possible to have typos in a user or host name, but this will not
           prevent sudo from running.

       o   It is possible to specify per-entry options that override the
           global default options.  /etc/sudoers only supports default options
           and limited options associated with user/host/commands/aliases.
           The syntax is complicated and can be difficult for users to
           understand.  Placing the options directly in the entry is more

       o   The visudo program is no longer needed.  visudo provides locking
           and syntax checking of the /etc/sudoers file.  Since LDAP updates
           are atomic, locking is no longer necessary.  Because syntax is
           checked when the data is inserted into LDAP, there is no need for a
           specialized tool to check syntax.
       Another major difference between LDAP and file-based sudoers is that in
       LDAP, sudo-specific Aliases are not supported.

       For the most part, there is really no need for sudo-specific Aliases.
       Unix groups or user netgroups can be used in place of User_Aliases and
       Runas_Aliases.  Host netgroups can be used in place of Host_Aliases.
       Since Unix groups and netgroups can also be stored in LDAP there is no
       real need for sudo-specific aliases.

       Cmnd_Aliases are not really required either since it is possible to
       have multiple users listed in a sudoRole.  Instead of defining a
       Cmnd_Alias that is referenced by multiple users, one can create a
       sudoRole that contains the commands and assign multiple users to it.
   SUDOers LDAP container
       The sudoers configuration is contained in the ou=SUDOers LDAP

       Sudo first looks for the cn=defaults entry in the SUDOers container.  If
       found, the multi-valued sudoOption attribute is parsed in the same
       manner as a global Defaults line in /etc/sudoers.  In the following
       example, the SSH_AUTH_SOCK variable will be preserved in the
       environment for all users.

           dn: cn=defaults,ou=SUDOers,dc=example,dc=com
           objectClass: top
           objectClass: sudoRole
           cn: defaults
           description: Default sudoOption's go here
           sudoOption: env_keep+=SSH_AUTH_SOCK
       The equivalent of a sudoer in LDAP is a sudoRole.  It consists of the

       sudoUser
           A user name, uid (prefixed with '#'), Unix group (prefixed with a
           '%') or user netgroup (prefixed with a '+').

       sudoHost
           A host name, IP address, IP network, or host netgroup (prefixed
           with a '+').  The special value ALL will match any host.

       sudoCommand
           A Unix command with optional command line arguments, potentially
           including globbing characters (aka wild cards).  The special value
           ALL will match any command.  If a command is prefixed with an
           exclamation point '!', the user will be prohibited from running

       sudoOption
           Identical in function to the global options described above, but
           specific to the sudoRole in which it resides.

       sudoRunAsUser
           A user name or uid (prefixed with '#') that commands may be run as
           or a Unix group (prefixed with a '%') or user netgroup (prefixed
           with a '+') that contains a list of users that commands may be run
           as.  The special value ALL will match any user.

       sudoRunAsGroup
           A Unix group or gid (prefixed with '#') that commands may be run
           as.  The special value ALL will match any group.

       Each component listed above should contain a single value, but there
       may be multiple instances of each component type.  A sudoRole must
       contain at least one sudoUser, sudoHost and sudoCommand.
       The following example allows users in group wheel to run any command on
       any host via sudo:

           dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
           objectClass: top
           objectClass: sudoRole
           cn: %wheel
           sudoUser: %wheel
           sudoHost: ALL
           sudoCommand: ALL
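       Because the server only enforces the schema, an entry can be accepted
       by ldapadd and still never grant anything (for instance a role with no
       sudoCommand).  The following is an added example, not code from this
       manual or from the sudo distribution: a small LDIF parser plus a check
       of the rules stated above (objectClass sudoRole, a cn, which the sudo
       schema's sudoRole object class requires, and at least one sudoUser,
       sudoHost and sudoCommand).  The LDIF in SAMPLE_LDIF is constructed for
       the example.

```python
import base64
from collections import defaultdict

# Constructed sample LDIF: one usable role and one that can never match.
SAMPLE_LDIF = """\
dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoCommand: ALL

dn: cn=broken,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: broken
sudoUser: alice
sudoHost: ALL
"""

REQUIRED = ("sudoUser", "sudoHost", "sudoCommand")


def parse_ldif(text):
    """Return [(dn, {attr: [values]}), ...].  Handles RFC 2849 line folding
    (continuation lines start with a space), '#' comments and '::' base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, defaultdict(list)
    for line in lines + [""]:          # the trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, defaultdict(list)
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name == "dn":
            dn = value
        else:
            attrs[name].append(value)
    return entries


def check_sudo_role(attrs):
    """Problems that would make sudo ignore or never match this entry."""
    problems = []
    if "sudoRole" not in attrs.get("objectClass", []):
        problems.append("missing objectClass sudoRole")
    if not attrs.get("cn"):
        problems.append("missing cn")
    for name in REQUIRED:
        if not attrs.get(name):
            problems.append("no %s attribute" % name)
    return problems


def check_ldif(text):
    """Map each entry's dn to its list of problems ([] means usable)."""
    return {dn: check_sudo_role(attrs) for dn, attrs in parse_ldif(text)}


if __name__ == "__main__":
    for dn, problems in check_ldif(SAMPLE_LDIF).items():
        print("%-45s %s" % (dn, "OK" if not problems else "; ".join(problems)))
```

       Run it over the LDIF you intend to load; an empty problem list for
       every dn is what you want before calling ldapadd.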
   Anatomy of LDAP sudoers lookup
       When looking up a sudoer using LDAP there are only two or three LDAP
       queries per invocation.  The first query is to parse the global
       options.  The second is to match against the user's name and the groups
       that the user belongs to.  (The special ALL tag is matched in this
       query too.)  If no match is returned for the user's name and groups, a
       third query returns all entries containing user netgroups and checks to
       see if the user belongs to any of them.
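       As an added illustration (not sudo's own code), the filters behind
       those queries can be written out.  The exact filter strings sudo sends
       are an assumption here, as is the inclusion of the numeric uid (#uid)
       in the second query; the page only says name, groups and ALL.  The
       point to take from it is the escaping: the user and group names are
       interpolated into a search filter, so each value must be escaped per
       RFC 4515 or a crafted account name could turn into extra filter terms.

```python
def ldap_escape(value):
    """Escape the characters RFC 4515 forbids in an assertion value, so a
    name like 'bob)(sudoUser=ALL' cannot rewrite the filter around it."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch
                   for ch in value)


def defaults_filter():
    """Query 1: the cn=defaults entry that holds the global sudoOption values."""
    return "(&(objectClass=sudoRole)(cn=defaults))"


def user_filter(user, uid, groups):
    """Query 2: the user's name, numeric uid, each of their groups, and the
    ALL tag.  Which of these sudo itself puts in the filter is an assumption
    of this example; the page only says name, groups and ALL."""
    terms = ["(sudoUser=%s)" % ldap_escape(user), "(sudoUser=#%d)" % int(uid)]
    terms += ["(sudoUser=%%%s)" % ldap_escape(g) for g in groups]
    terms.append("(sudoUser=ALL)")
    return "(&(objectClass=sudoRole)(|%s))" % "".join(terms)


def netgroup_filter():
    """Query 3, issued only when query 2 returned nothing: every role whose
    sudoUser names a netgroup; membership is then tested on the client."""
    return "(&(objectClass=sudoRole)(sudoUser=+*))"


if __name__ == "__main__":
    print(defaults_filter())
    print(user_filter("alice", 1001, ["wheel", "ops"]))
    # Constructed hostile input: without escaping this would widen the match.
    print(user_filter("bob)(sudoUser=ALL", 1002, []))
    print(netgroup_filter())
```

       The third filter deliberately uses a trailing '*': it fetches every
       role that names any netgroup, and the client, not the server, decides
       membership, which is why that query is the expensive one.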
   Differences between LDAP and non-LDAP sudoers
       There are some subtle differences in the way sudoers is handled once in
       LDAP.  Probably the biggest is that according to the RFC, LDAP ordering
       is arbitrary and you cannot expect that Attributes and Entries are
       returned in any specific order.  If there are conflicting command rules
       on an entry, the negative takes precedence.  This is called paranoid
       behavior (not necessarily the most specific match).

           # Allow all commands except shell
           johnny  ALL=(root) ALL,!/bin/sh
           # Always allows all commands because ALL is matched last
           puddles ALL=(root) !/bin/sh,ALL

           # LDAP equivalent of johnny
           # Allows all commands except shell
           dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
           objectClass: sudoRole
           objectClass: top
           cn: role1
           sudoUser: johnny
           sudoHost: ALL
           sudoCommand: ALL
           sudoCommand: !/bin/sh

           # LDAP equivalent of puddles
           # Notice that even though ALL comes last, it still behaves like
           # role1 since the LDAP code assumes the more paranoid configuration
           dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
           objectClass: sudoRole
           objectClass: top
           cn: role2
           sudoUser: puddles
           sudoHost: ALL
           sudoCommand: !/bin/sh
           sudoCommand: ALL
       Another difference is that negations on the Host, User or Runas are
       currently ignored.  For example, the following attributes do not
       behave the way one might expect.

           # does not match all but joe
           # rather, does not match anyone
           sudoUser: !joe

           # does not match all but joe
           # rather, matches everyone including Joe
           sudoUser: ALL
           sudoUser: !joe

           # does not match all but web01
           # rather, matches all hosts including web01
           sudoHost: ALL
           sudoHost: !web01
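       The following added example (not sudo's matching code) re-implements
       exactly the rules stated in this section for a single sudoRole: a
       negated sudoCommand denies regardless of where it appears among the
       values, and a negated sudoUser or sudoHost is simply skipped, so !joe
       alone matches nobody while ALL plus !joe still matches joe.  Glob
       matching stands in for sudo's command and argument matching, and
       netgroups, #uid and IP networks are left out; the role dictionaries are
       constructed to mirror the examples above.

```python
import fnmatch


def _positive(values, wanted):
    """True if some non-negated value is ALL or is in `wanted`.  A negated
    value ('!x') on sudoUser or sudoHost is skipped: it never matches, and
    it never excludes anything either, which is what "ignored" means here."""
    return any(not v.startswith("!") and (v == "ALL" or v in wanted)
               for v in values)


def command_decision(role, command):
    """True = allowed, False = denied, None = this role says nothing about
    `command`.  Paranoid rule: a matching negated sudoCommand denies no
    matter where it sits among the values.  Globbing stands in for sudo's
    own command/argument matching (an approximation for this example)."""
    allowed = False
    for v in role.get("sudoCommand", []):
        negate = v.startswith("!")
        pattern = v[1:] if negate else v
        if pattern == "ALL" or fnmatch.fnmatchcase(command, pattern):
            if negate:
                return False
            allowed = True
    return True if allowed else None


def evaluate(role, user, groups, host, command):
    """Decision of one sudoRole for (user, groups, host, command).  Only
    plain names and %group are recognised for sudoUser; netgroups, #uid and
    IP networks are left out of this example."""
    if not _positive(role.get("sudoUser", []), {user} | {"%" + g for g in groups}):
        return None
    if not _positive(role.get("sudoHost", []), {host}):
        return None
    return command_decision(role, command)


# Constructed roles mirroring the examples above (attribute order differs
# between ROLE1 and ROLE2, the decision does not).
ROLE1 = {"sudoUser": ["johnny"], "sudoHost": ["ALL"],
         "sudoCommand": ["ALL", "!/bin/sh"]}
ROLE2 = {"sudoUser": ["puddles"], "sudoHost": ["ALL"],
         "sudoCommand": ["!/bin/sh", "ALL"]}
NOT_JOE = {"sudoUser": ["!joe"], "sudoHost": ["ALL"], "sudoCommand": ["ALL"]}
ALL_BUT_JOE = {"sudoUser": ["ALL", "!joe"], "sudoHost": ["ALL"],
               "sudoCommand": ["ALL"]}
NOT_WEB01 = {"sudoUser": ["ALL"], "sudoHost": ["ALL", "!web01"],
             "sudoCommand": ["ALL"]}

if __name__ == "__main__":
    for name, role, user in (("role1", ROLE1, "johnny"), ("role2", ROLE2, "puddles")):
        print(name, "/bin/sh ->", evaluate(role, user, [], "web01", "/bin/sh"),
              "/bin/ls ->", evaluate(role, user, [], "web01", "/bin/ls"))
    print("!joe alone, joe ->", evaluate(NOT_JOE, "joe", [], "web01", "/bin/ls"))
    print("ALL + !joe, joe ->", evaluate(ALL_BUT_JOE, "joe", [], "web01", "/bin/ls"))
    print("ALL + !web01 on web01 ->", evaluate(NOT_WEB01, "x", [], "web01", "/bin/ls"))
```

       The practical consequence: an "everyone except" rule cannot be
       expressed with a negated sudoUser or sudoHost in LDAP; put the
       exception in a group or netgroup membership instead.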
   Sudoers Schema
       In order to use sudo's LDAP support, the sudo schema must be installed
       on your LDAP server.  In addition, be sure to index the 'sudoUser'

       Three versions of the schema: one for OpenLDAP servers
       (schema.OpenLDAP), one for Netscape-derived servers (schema.iPlanet),
       and one for Microsoft Active Directory (schema.ActiveDirectory) may be
       found in the sudo distribution.

       The schema for sudo in OpenLDAP form is included in the EXAMPLES
   Configuring ldap.conf
       Sudo reads the /etc/ldap.conf file for LDAP-specific configuration.
       Typically, this file is shared amongst different LDAP-aware clients.
       As such, most of the settings are not sudo-specific.  Note that sudo
       parses /etc/ldap.conf itself and may support options that differ from
       those described in the ldap.conf(4) manual.

       Also note that on systems using the OpenLDAP libraries, default values
       specified in /etc/openldap/ldap.conf or the user's .ldaprc files are

       Only those options explicitly listed in /etc/ldap.conf that are
       supported by sudo are honored.  Configuration options are listed below
       in upper case but are parsed in a case-independent manner.
       URI ldap[s]://[hostname[:port]] ...
           Specifies a whitespace-delimited list of one or more URIs
           describing the LDAP server(s) to connect to.  The protocol may be
           either ldap or ldaps, the latter being for servers that support TLS
           (SSL) encryption.  If no port is specified, the default is port 389
           for ldap:// or port 636 for ldaps://.  If no hostname is specified,
           sudo will connect to localhost.  Multiple URI lines are treated
           identically to a URI line containing multiple entries.  Only
           systems using the OpenSSL libraries support the mixing of ldap://
           and ldaps:// URIs.  The Netscape-derived libraries used on most
           commercial versions of Unix are only capable of supporting one or
       HOST name[:port] ...
           If no URI is specified, the HOST parameter specifies a whitespace-
           delimited list of LDAP servers to connect to.  Each host may
           include an optional port separated by a colon (':').  The HOST
           parameter is deprecated in favor of the URI specification and is
           included for backwards compatibility.

       PORT port_number
           If no URI is specified, the PORT parameter specifies the default
           port to connect to on the LDAP server if a HOST parameter does not
           specify the port itself.  If no PORT parameter is used, the default
           is port 389 for LDAP and port 636 for LDAP over TLS (SSL).  The
           PORT parameter is deprecated in favor of the URI specification and
           is included for backwards compatibility.

       BIND_TIMELIMIT seconds
           The BIND_TIMELIMIT parameter specifies the amount of time, in
           seconds, to wait while trying to connect to an LDAP server.  If
           multiple URIs or HOSTs are specified, this is the amount of time to
           wait before trying the next one in the list.

       TIMELIMIT seconds
           The TIMELIMIT parameter specifies the amount of time, in seconds,
           to wait for a response to an LDAP query.

       SUDOERS_BASE base
           The base DN to use when performing sudo LDAP queries.  Typically
           this is of the form ou=SUDOers,dc=example,dc=com for the domain
           example.com.  Multiple SUDOERS_BASE lines may be specified, in
           which case they are queried in the order specified.

       SUDOERS_DEBUG debug_level
           This sets the debug level for sudo LDAP queries.  Debugging
           information is printed to the standard error.  A value of 1 results
           in a moderate amount of debugging information.  A value of 2 shows
           the results of the matches themselves.  This parameter should not
           be set in a production environment as the extra information is
           likely to confuse users.

       BINDDN DN
           The BINDDN parameter specifies the identity, in the form of a
           Distinguished Name (DN), to use when performing LDAP operations.
           If not specified, LDAP operations are performed with an anonymous
           identity.  By default, most LDAP servers will allow anonymous
       BINDPW secret
           The BINDPW parameter specifies the password to use when performing
           LDAP operations.  This is typically used in conjunction with the
           BINDDN parameter.  Since /etc/ldap.conf is usually shared and
           readable by all users, a password placed here is visible to every
           local user; prefer ROOTBINDDN with /etc/ldap.secret for the
           sudoers queries.

       ROOTBINDDN DN
           The ROOTBINDDN parameter specifies the identity, in the form of a
           Distinguished Name (DN), to use when performing privileged LDAP
           operations, such as sudoers queries.  The password corresponding to
           the identity should be stored in /etc/ldap.secret, which should be
           readable only by root.  If not specified, the BINDDN identity is
           used (if any).

       LDAP_VERSION number
           The version of the LDAP protocol to use when connecting to the
           server.  The default value is protocol version 3.

       SSL on/true/yes/off/false/no
           If the SSL parameter is set to on, true or yes, TLS (SSL)
           encryption is always used when communicating with the LDAP server.
           Typically, this involves connecting to the server on port 636

       SSL start_tls
           If the SSL parameter is set to start_tls, the LDAP server
           connection is initiated normally and TLS encryption is begun before
           the bind credentials are sent.  This has the advantage of not
           requiring a dedicated port for encrypted communications.  This
           parameter is only supported by LDAP servers that honor the
           start_tls extension, such as the OpenLDAP server.

       TLS_CHECKPEER on/true/yes/off/false/no
           If enabled, TLS_CHECKPEER will cause the LDAP server's TLS
           certificate to be verified.  If the server's TLS certificate
           cannot be verified (usually because it is signed by an unknown
           certificate authority), sudo will be unable to connect to it.  If
           TLS_CHECKPEER is disabled, no check is made.  Note that disabling
           the check creates an opportunity for man-in-the-middle attacks
           since the server's identity will not be authenticated; an attacker
           in that position can answer the sudoers queries with sudoRole
           entries of their own choosing.  If possible, the CA's certificate
           should be installed locally so it

       TLS_CACERT file name
           An alias for TLS_CACERTFILE.

       TLS_CACERTFILE file name
           The path to a certificate authority bundle which contains the
           certificates for all the Certificate Authorities the client knows
           to be valid, e.g. /etc/ssl/ca-bundle.pem.  This option is only
           supported by the OpenLDAP libraries.  Netscape-derived LDAP
           libraries use the same certificate database for CA and client
           certificates (see TLS_CERT).

       TLS_CACERTDIR directory
           Similar to TLS_CACERTFILE but instead of a file, it is a directory
           containing individual Certificate Authority certificates, e.g.
           /etc/ssl/certs.  The directory specified by TLS_CACERTDIR is
           checked after TLS_CACERTFILE.  This option is only supported by the

       TLS_CERT file name
           The path to a file containing the client certificate which can be
           used to authenticate the client to the LDAP server.  The
           certificate type depends on the LDAP libraries used.

           OpenLDAP:
               tls_cert /etc/ssl/client_cert.pem

           Netscape-derived:
               tls_cert /var/ldap/cert7.db

           When using Netscape-derived libraries, this file may also contain
           Certificate Authority certificates.

       TLS_KEY file name
           The path to a file containing the private key which matches the
           certificate specified by TLS_CERT.  The private key must not be
           password-protected.  The key type depends on the LDAP libraries

           OpenLDAP:
               tls_key /etc/ssl/client_key.pem

           Netscape-derived:
               tls_key /var/ldap/key3.db

       TLS_RANDFILE file name
           The TLS_RANDFILE parameter specifies the path to an entropy source
           for systems that lack a random device.  It is generally used in
           conjunction with prngd or egd.  This option is only supported by
           the OpenLDAP libraries.

       TLS_CIPHERS cipher list
           The TLS_CIPHERS parameter allows the administrator to restrict which
           encryption algorithms may be used for TLS (SSL) connections.  See
           the OpenSSL manual for a list of valid ciphers.  This option is
           only supported by the OpenLDAP libraries.

       USE_SASL on/true/yes/off/false/no
           Enable USE_SASL for LDAP servers that support SASL authentication.

       SASL_AUTH_ID identity
           The SASL user name to use when connecting to the LDAP server.  By
           default, sudo will use an anonymous connection.

       ROOTUSE_SASL on/true/yes/off/false/no
           Enable ROOTUSE_SASL to enable SASL authentication when connecting
           to an LDAP server from a privileged process, such as sudo.
       ROOTSASL_AUTH_ID identity
           The SASL user name to use when ROOTUSE_SASL is enabled.

       SASL_SECPROPS none/properties
           SASL security properties or none for no properties.  See the SASL
           programmer's manual for details.

       KRB5_CCNAME file name
           The path to the Kerberos 5 credential cache to use when
           authenticating with the remote server.

       See the ldap.conf entry in the EXAMPLES section.
   Configuring nsswitch.conf
       Unless it is disabled at build time, sudo consults the Name Service
       Switch file, /etc/nsswitch.conf, to specify the sudoers search order.
       Sudo looks for a line beginning with sudoers: and uses this to
       determine the search order.  Note that sudo does not stop searching
       after the first match and later matches take precedence over earlier

       The following sources are recognized:

           files       read sudoers from /etc/sudoers
           ldap        read sudoers from LDAP

       In addition, the entry [NOTFOUND=return] will short-circuit the search
       if the user was not found in the preceding source.
       To consult LDAP first followed by the local sudoers file (if it

           sudoers: ldap files

       The local sudoers file can be ignored completely by using:

           sudoers: ldap

       If the /etc/nsswitch.conf file is not present or there is no sudoers
       line, the following default is assumed:

           sudoers: files
       Note that /etc/nsswitch.conf is supported even when the underlying
       operating system does not use an nsswitch.conf file.
   Configuring netsvc.conf
       On AIX systems, the /etc/netsvc.conf file is consulted instead of
       /etc/nsswitch.conf.  sudo simply treats netsvc.conf as a variant of
       nsswitch.conf; information in the previous section unrelated to the
       file format itself still applies.

       To consult LDAP first followed by the local sudoers file (if it
           sudoers = ldap, files

       The local sudoers file can be ignored completely by using:

           sudoers = ldap

       To treat LDAP as authoritative and only use the local sudoers file if
       the user is not present in LDAP, use:

           sudoers = ldap = auth, files

       Note that in the above example, the auth qualifier only affects user
       lookups; both LDAP and sudoers will be queried for Defaults entries.

       If the /etc/netsvc.conf file is not present or there is no sudoers
       line, the following default is assumed:

           sudoers = files
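       The following added example (not sudo's parser) reads the sudoers line
       in both the nsswitch.conf and the netsvc.conf form and walks the
       sources with the semantics described in these two sections: every
       source is consulted and a later match overrides an earlier one,
       [NOTFOUND=return] stops the walk when the preceding source had no entry
       for the user, and = auth stops it once a source has one.  The sample
       files and the backends dictionary are constructed; Defaults handling,
       which the auth qualifier does not affect, is not modelled.

```python
import re

# Constructed sample files.
NSSWITCH_SAMPLE = "passwd: files\nsudoers: ldap [NOTFOUND=return] files\n"
NETSVC_SAMPLE = "hosts = local, bind\nsudoers = ldap = auth, files\n"
DEFAULT = [("files", None)]


def parse_sources(text, style="nsswitch"):
    """Return [(source, qualifier), ...] from the sudoers line.  nsswitch:
    'sudoers: ldap [NOTFOUND=return] files'; netsvc: 'sudoers = ldap = auth,
    files'.  A bracketed action attaches to the source before it.  No line
    at all gives the documented default, files only."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if style == "nsswitch":
            m = re.match(r"sudoers\s*:\s*(.*)$", line)
            if not m:
                continue
            out = []
            for tok in m.group(1).split():
                if tok.startswith("[") and tok.endswith("]") and out:
                    out[-1] = (out[-1][0], tok[1:-1].lower())
                else:
                    out.append((tok.lower(), None))
            return out
        m = re.match(r"sudoers\s*=\s*(.*)$", line)
        if not m:
            continue
        out = []
        for item in m.group(1).split(","):
            parts = [p.strip().lower() for p in item.split("=")]
            out.append((parts[0], parts[1] if len(parts) > 1 else None))
        return out
    return list(DEFAULT)


def lookup(sources, backends, user):
    """Walk the sources in order.  `backends` maps a source name to a dict of
    user -> decision (True/False); a missing user means 'not found'.  Every
    source is consulted and a later match overrides an earlier one, unless
    [NOTFOUND=return] stops the walk after a miss or '= auth' stops it after
    a hit.  Defaults would still be read from every source (not modelled)."""
    verdict = None
    for source, qualifier in sources:
        hits = backends.get(source, {})
        found = user in hits
        if found:
            verdict = hits[user]
        if qualifier == "notfound=return" and not found:
            break
        if qualifier == "auth" and found:
            break
    return verdict


if __name__ == "__main__":
    backends = {"ldap": {"alice": True}, "files": {"alice": False, "bob": True}}
    for style, sample in (("nsswitch", NSSWITCH_SAMPLE), ("netsvc", NETSVC_SAMPLE)):
        order = parse_sources(sample, style)
        print(style, order, "alice ->", lookup(order, backends, "alice"),
              "bob ->", lookup(order, backends, "bob"))
```

       Note what "later matches take precedence" buys an attacker who can
       edit the local file: with "sudoers: ldap files" a local /etc/sudoers
       entry overrides the central one, which is why "ldap = auth" (or
       "ldap" alone) is the choice when LDAP is meant to be the authority.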
FILES
       /etc/ldap.conf            LDAP configuration file

       /etc/nsswitch.conf        determines sudoers source order

       /etc/netsvc.conf          determines sudoers source order on AIX
EXAMPLES
   Example ldap.conf
         # Either specify one or more URIs or one or more host:port pairs.
         # If neither is specified sudo will default to localhost, port 389.
         #
         #host          ldapserver1 ldapserver2:390
         #
         # Default port if host is specified without one, defaults to 389.
         #port          389
         #
         # URI will override the host and port settings.
         uri            ldap://ldapserver
         #uri           ldaps://secureldapserver
         #uri           ldaps://secureldapserver ldap://ldapserver

         # The amount of time, in seconds, to wait while trying to connect to
         #bind_timelimit <seconds>

         # The amount of time, in seconds, to wait while performing an LDAP query.
         #timelimit     <seconds>

         # Must be set or sudo will ignore LDAP; may be specified multiple times.
         sudoers_base   ou=SUDOers,dc=example,dc=com

         # verbose sudoers matching from ldap
         #sudoers_debug 2
         # optional proxy credentials
         #binddn        <who to search as>
         #bindpw        <password>
         #rootbinddn    <who to search as, uses /etc/ldap.secret for bindpw>

         # LDAP protocol version, defaults to 3
         #ldap_version  3

         # Define if you want to use an encrypted LDAP connection.
         # Typically, you must also set the port to 636 (ldaps).
         #ssl           on

         # Define if you want to use port 389 and switch to
         # encryption before the bind credentials are sent.
         # Only supported by LDAP servers that support the start_tls
         # extension such as OpenLDAP.
         #ssl           start_tls

         # Additional TLS options follow that allow tweaking of the
         # SSL/TLS connection.

         #tls_checkpeer yes # verify server SSL certificate
         #tls_checkpeer no  # ignore server SSL certificate

         # If you enable tls_checkpeer, specify either tls_cacertfile
         # or tls_cacertdir.  Only supported when using OpenLDAP.
         #tls_cacertfile /etc/certs/trusted_signers.pem
         #tls_cacertdir  /etc/certs

         # For systems that don't have /dev/random
         # use this along with PRNGD or EGD.pl to seed the
         # random number pool to generate cryptographic session keys.
         # Only supported when using OpenLDAP.
         #tls_randfile  /etc/egd-pool

         # You may restrict which ciphers are used.  Consult your SSL
         # documentation for which options go here.
         # Only supported when using OpenLDAP.
         #tls_ciphers   <cipher-list>

         # Sudo can provide a client certificate when communicating to
         # * Enable both lines at the same time.
         # * Do not password protect the key file.
         # * Ensure the keyfile is only readable by root.
         #tls_cert      /etc/certs/client_cert.pem
         #tls_key       /etc/certs/client_key.pem
         # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
         # a directory, in which case the files in the directory must have the
         # default names (e.g. cert8.db and key4.db), or the path to the cert
         # and key files themselves.  However, a bug in version 5.0 of the LDAP
         # SDK will prevent specific file names from working.  For this reason
         # it is suggested that tls_cert and tls_key be set to a directory,

         # The certificate database specified by tls_cert may contain CA certs
         # and/or the client's cert.  If the client's cert is included, tls_key
         # should be specified as well.
         # For backward compatibility, "sslpath" may be used in place of tls_cert.

         # If using SASL authentication for LDAP (OpenSSL)
         # use_sasl yes
         # sasl_auth_id <SASL user name>
         # rootsasl_auth_id <SASL user name for root access>
         # krb5_ccname /etc/.ldapcache
   Sudo schema for OpenLDAP
       The following schema is in OpenLDAP format.  Simply copy it to the
       schema directory (e.g. /etc/openldap/schema), add the proper include
       line in slapd.conf and restart slapd.

        attributetype ( 1.3.6.1.4.1.15953.9.1.1
           NAME 'sudoUser'
           DESC 'User(s) who may run sudo'
           EQUALITY caseExactIA5Match
           SUBSTR caseExactIA5SubstringsMatch
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

        attributetype ( 1.3.6.1.4.1.15953.9.1.2
           NAME 'sudoHost'
           DESC 'Host(s) who may run sudo'
           EQUALITY caseExactIA5Match
           SUBSTR caseExactIA5SubstringsMatch
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

        attributetype ( 1.3.6.1.4.1.15953.9.1.3
           NAME 'sudoCommand'
           DESC 'Command(s) to be executed by sudo'
           EQUALITY caseExactIA5Match
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

        attributetype ( 1.3.6.1.4.1.15953.9.1.4
           NAME 'sudoRunAs'
           DESC 'User(s) impersonated by sudo'
           EQUALITY caseExactIA5Match
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
        attributetype ( 1.3.6.1.4.1.15953.9.1.5
           NAME 'sudoOption'
           DESC 'Option(s) followed by sudo'
           EQUALITY caseExactIA5Match
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

        attributetype ( 1.3.6.1.4.1.15953.9.1.6
           NAME 'sudoRunAsUser'
           DESC 'User(s) impersonated by sudo'
           EQUALITY caseExactIA5Match
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

        attributetype ( 1.3.6.1.4.1.15953.9.1.7
           NAME 'sudoRunAsGroup'
           DESC 'Group(s) impersonated by sudo'
           EQUALITY caseExactIA5Match
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

        objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
           DESC 'Sudoer Entries'
           MUST ( cn )
           MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
                 sudoRunAsGroup $ sudoOption $ description )
           )
SEE ALSO
       ldap.conf(4), sudoers(5)

CAVEATS
       Note that there are differences in the way that LDAP-based sudoers is
       parsed compared to file-based sudoers.  See the "Differences between
       LDAP and non-LDAP sudoers" section for more information.

BUGS
       If you feel you have found a bug in sudo, please submit a bug report at
       http://www.sudo.ws/sudo/bugs/

SUPPORT
       Limited free support is available via the sudo-users mailing list, see
       http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search

DISCLAIMER
       sudo is provided ``AS IS'' and any express or implied warranties,
       including, but not limited to, the implied warranties of
       merchantability and fitness for a particular purpose are disclaimed.
       See the LICENSE file distributed with sudo or
       http://www.sudo.ws/sudo/license.html for complete details.

1.7.4                            July 12, 2010