SUDOERS.LDAP(4)               MAINTENANCE COMMANDS               SUDOERS.LDAP(4)

NAME
       sudoers.ldap - sudo LDAP configuration

DESCRIPTION
       In addition to the standard sudoers file, sudo may be configured via
       LDAP. This can be especially useful for synchronizing sudoers in a
       large, distributed environment.

       Using LDAP for sudoers has several benefits:

       o   sudo no longer needs to read sudoers in its entirety. When LDAP is
           used, there are only two or three LDAP queries per invocation.
           This makes it especially fast and particularly usable in LDAP

       o   sudo no longer exits if there is a typo in sudoers. It is not
           possible to load LDAP data into the server that does not conform to
           the sudoers schema, so proper syntax is guaranteed. It is still
           possible to have typos in a user or host name, but this will not
           prevent sudo from running.

       o   It is possible to specify per-entry options that override the
           global default options. /etc/sudoers only supports default options
           and limited options associated with user/host/commands/aliases.
           The syntax is complicated and can be difficult for users to
           understand. Placing the options directly in the entry is more

       o   The visudo program is no longer needed. visudo provides locking
           and syntax checking of the /etc/sudoers file. Since LDAP updates
           are atomic, locking is no longer necessary. Because syntax is
           checked when the data is inserted into LDAP, there is no need for a
           specialized tool to check syntax.

       Another major difference between LDAP and file-based sudoers is that in
       LDAP, sudo-specific Aliases are not supported.

       For the most part, there is really no need for sudo-specific Aliases.
       Unix groups or user netgroups can be used in place of User_Aliases and
       Runas_Aliases. Host netgroups can be used in place of Host_Aliases.
       Since Unix groups and netgroups can also be stored in LDAP there is no
       real need for sudo-specific aliases.

       Cmnd_Aliases are not really required either since it is possible to
       have multiple users listed in a sudoRole. Instead of defining a
       Cmnd_Alias that is referenced by multiple users, one can create a
       sudoRole that contains the commands and assign multiple users to it.
   SUDOers LDAP container
       The sudoers configuration is contained in the ou=SUDOers LDAP

       Sudo first looks for the cn=default entry in the SUDOers container. If
       found, the multi-valued sudoOption attribute is parsed in the same
       manner as a global Defaults line in /etc/sudoers. In the following
       example, the SSH_AUTH_SOCK variable will be preserved in the
       environment for all users.

           dn: cn=defaults,ou=SUDOers,dc=example,dc=com
           description: Default sudoOption's go here
           sudoOption: env_keep+=SSH_AUTH_SOCK
       The equivalent of a sudoer in LDAP is a sudoRole. It consists of the

       sudoUser
           A user name, uid (prefixed with '#'), Unix group (prefixed with a
           '%') or user netgroup (prefixed with a '+').

       sudoHost
           A host name, IP address, IP network, or host netgroup (prefixed
           with a '+'). The special value ALL will match any host.

       sudoCommand
           A Unix command with optional command line arguments, potentially
           including globbing characters (aka wild cards). The special value
           ALL will match any command. If a command is prefixed with an
           exclamation point '!', the user will be prohibited from running

       sudoOption
           Identical in function to the global options described above, but
           specific to the sudoRole in which it resides.

       sudoRunAsUser
           A user name or uid (prefixed with '#') that commands may be run as
           or a Unix group (prefixed with a '%') or user netgroup (prefixed
           with a '+') that contains a list of users that commands may be run
           as. The special value ALL will match any user.

           The sudoRunAsUser attribute is only available in sudo versions
           1.7.0 and higher. Older versions of sudo use the sudoRunAs

       sudoRunAsGroup
           A Unix group or gid (prefixed with '#') that commands may be run
           as. The special value ALL will match any group.

           The sudoRunAsGroup attribute is only available in sudo versions

       sudoNotBefore
           A timestamp in the form yyyymmddHHMMZ that can be used to provide a
           start date/time for when the sudoRole will be valid. If multiple
           sudoNotBefore entries are present, the earliest is used. Note that
1.7.6                          April 9, 2011                                 2
           timestamps must be in Coordinated Universal Time (UTC), not the

           The sudoNotBefore attribute is only available in sudo versions
           1.7.5 and higher and must be explicitly enabled via the
           SUDOERS_TIMED option in /etc/ldap.conf.

       sudoNotAfter
           A timestamp in the form yyyymmddHHMMZ that indicates an expiration
           date/time, after which the sudoRole will no longer be valid. If
           multiple sudoNotAfter entries are present, the last one is used.
           Note that timestamps must be in Coordinated Universal Time (UTC),
           not the local timezone.

           The sudoNotAfter attribute is only available in sudo versions 1.7.5
           and higher and must be explicitly enabled via the SUDOERS_TIMED
           option in /etc/ldap.conf.

       sudoOrder
           The sudoRole entries retrieved from the LDAP directory have no
           inherent order. The sudoOrder attribute is an integer (or floating
           point value for LDAP servers that support it) that is used to sort
           the matching entries. This allows LDAP-based sudoers entries to
           more closely mimic the behaviour of the sudoers file, where the
           order of the entries influences the result. If multiple entries
           match, the entry with the highest sudoOrder attribute is chosen.
           This corresponds to the "last match" behavior of the sudoers file.
           If the sudoOrder attribute is not present, a value of 0 is assumed.

           The sudoOrder attribute is only available in sudo versions 1.7.5

       Each attribute listed above should contain a single value, but there
       may be multiple instances of each attribute type. A sudoRole must
       contain at least one sudoUser, sudoHost and sudoCommand.

       The following example allows users in group wheel to run any command on
       any host via sudo:

           dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
           objectClass: sudoRole
   Anatomy of LDAP sudoers lookup
       When looking up a sudoer using LDAP there are only two or three LDAP
       queries per invocation. The first query is to parse the global
       options. The second is to match against the user's name and the groups
       that the user belongs to. (The special ALL tag is matched in this
       query too.) If no match is returned for the user's name and groups, a
       third query returns all entries containing user netgroups and checks to
       see if the user belongs to any of them.

       If timed entries are enabled with the SUDOERS_TIMED configuration
       directive, the LDAP queries include a subfilter that limits retrieval
       to entries that satisfy the time constraints, if any.

   Differences between LDAP and non-LDAP sudoers
       There are some subtle differences in the way sudoers is handled once in
       LDAP. Probably the biggest is that according to the RFC, LDAP ordering
       is arbitrary and you cannot expect that Attributes and Entries are
       returned in any specific order.

       The order in which different entries are applied can be controlled
       using the sudoOrder attribute, but there is no way to guarantee the
       order of attributes within a specific entry. If there are conflicting
       command rules in an entry, the negative takes precedence. This is
       called paranoid behavior (not necessarily the most specific match).

           # Allow all commands except shell
           johnny ALL=(root) ALL,!/bin/sh
           # Always allows all commands because ALL is matched last
           puddles ALL=(root) !/bin/sh,ALL

           # LDAP equivalent of johnny
           # Allows all commands except shell
           dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
           objectClass: sudoRole
           sudoCommand: !/bin/sh

           # LDAP equivalent of puddles
           # Notice that even though ALL comes last, it still behaves like
           # role1 since the LDAP code assumes the more paranoid configuration
           dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
           objectClass: sudoRole
           sudoCommand: !/bin/sh

       Another difference is that negations on the Host, User or Runas are
       currently ignored. For example, the following attributes do not behave
       the way one might expect.
           # does not match all but joe
           # rather, does not match anyone

           # does not match all but joe
           # rather, matches everyone including Joe

           # does not match all but web01
           # rather, matches all hosts including web01
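       The matching rules described in this section and in the lookup section
       before it, as an added example that is not part of the original man
       page or of sudo's own code: a small Python model of sudoUser/sudoHost/
       sudoCommand matching, the paranoid negative-command rule, ignored user
       and host negations, sudoOrder and SUDOERS_TIMED. The roles, users and
       host are constructed sample data; IP-network host matching and
       command-line arguments are left out, and "highest sudoOrder wins" is
       modelled as last match in ascending sudoOrder.

```python
"""Model of the LDAP sudoers matching rules described on this page.
Constructed example: not sudo's code, and simplified (no IP-network host
matching, no command-line argument matching)."""
from datetime import datetime, timezone
from fnmatch import fnmatchcase

def parse_ts(value):
    """Parse a sudoNotBefore/sudoNotAfter value (yyyymmddHHMMZ, always UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%MZ").replace(tzinfo=timezone.utc)

def user_matches(value, user):
    """sudoUser: name, #uid, %group, +netgroup or ALL. A negated value is
    ignored, so '!joe' matches nobody and 'ALL' plus '!joe' still matches joe."""
    if value.startswith("!"):
        return False
    if value == "ALL":
        return True
    if value.startswith("#"):
        return value[1:] == str(user["uid"])
    if value.startswith("%"):
        return value[1:] in user["groups"]
    if value.startswith("+"):
        return value[1:] in user["netgroups"]
    return value == user["name"]

def host_matches(value, host):
    """sudoHost: host name, +netgroup or ALL; negated values are ignored too."""
    if value.startswith("!"):
        return False
    if value == "ALL" or value == host["name"]:
        return True
    return value.startswith("+") and value[1:] in host["netgroups"]

def command_matches(value, command):
    """sudoCommand: ALL, an exact path, or a glob pattern (wild cards)."""
    return value == "ALL" or fnmatchcase(command, value)

def in_time_window(role, now):
    """SUDOERS_TIMED: the earliest sudoNotBefore and latest sudoNotAfter apply."""
    before = [parse_ts(v) for v in role.get("sudoNotBefore", [])]
    after = [parse_ts(v) for v in role.get("sudoNotAfter", [])]
    if before and now < min(before):
        return False
    return not (after and now > max(after))

def role_decision(role, command):
    """True = allow, False = deny, None = this role says nothing about command.
    Any matching negated command denies regardless of attribute order: the
    'paranoid' behaviour, because LDAP guarantees no order within an entry."""
    allowed = None
    for value in role.get("sudoCommand", []):
        if value.startswith("!"):
            if command_matches(value[1:], command):
                return False
        elif command_matches(value, command):
            allowed = True
    return allowed

def is_permitted(roles, user, host, command, now=None, timed=False):
    """Walk the matching roles in ascending sudoOrder (0 when absent); the
    last role that covers the command decides, i.e. highest sudoOrder wins."""
    decision = False
    for role in sorted(roles, key=lambda r: float(r.get("sudoOrder", ["0"])[0])):
        if timed and not in_time_window(role, now):
            continue
        if not any(user_matches(v, user) for v in role.get("sudoUser", [])):
            continue
        if not any(host_matches(v, host) for v in role.get("sudoHost", [])):
            continue
        verdict = role_decision(role, command)
        if verdict is not None:
            decision = verdict
    return decision

# Constructed sample data mirroring the johnny/puddles roles on this page.
JOHNNY = {"name": "johnny", "uid": 1001, "groups": set(), "netgroups": set()}
PUDDLES = {"name": "puddles", "uid": 1002, "groups": set(), "netgroups": set()}
JOE = {"name": "joe", "uid": 1003, "groups": {"wheel"}, "netgroups": set()}
TEMP = {"name": "temp", "uid": 1004, "groups": set(), "netgroups": set()}
WEB01 = {"name": "web01", "netgroups": {"webservers"}}
ROLES = [
    {"sudoUser": ["johnny"], "sudoHost": ["ALL"], "sudoCommand": ["ALL", "!/bin/sh"]},
    {"sudoUser": ["puddles"], "sudoHost": ["ALL"], "sudoCommand": ["!/bin/sh", "ALL"]},
    # 'ALL' plus '!joe': the negation is ignored, so joe matches too.
    {"sudoUser": ["ALL", "!joe"], "sudoHost": ["ALL"],
     "sudoCommand": ["/usr/bin/id", "/bin/rm"]},
    # Higher sudoOrder: this deny of /bin/rm overrides the role above for wheel.
    {"sudoUser": ["%wheel"], "sudoHost": ["+webservers"],
     "sudoCommand": ["!/bin/rm"], "sudoOrder": ["10"]},
    # Timed role (uid 1004), honoured only while SUDOERS_TIMED is on.
    {"sudoUser": ["#1004"], "sudoHost": ["web01"], "sudoCommand": ["/bin/sh"],
     "sudoNotBefore": ["201104010000Z"], "sudoNotAfter": ["201104300000Z"]},
]
```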
   Sudoers Schema
       In order to use sudo's LDAP support, the sudo schema must be installed
       on your LDAP server. In addition, be sure to index the 'sudoUser'

       Three versions of the schema: one for OpenLDAP servers
       (schema.OpenLDAP), one for Netscape-derived servers (schema.iPlanet),
       and one for Microsoft Active Directory (schema.ActiveDirectory) may be
       found in the sudo distribution.

       The schema for sudo in OpenLDAP form is included in the EXAMPLES
   Configuring ldap.conf
       Sudo reads the /etc/ldap.conf file for LDAP-specific configuration.
       Typically, this file is shared amongst different LDAP-aware clients.
       As such, most of the settings are not sudo-specific. Note that sudo
       parses /etc/ldap.conf itself and may support options that differ from
       those described in the ldap.conf(4) manual.

       Also note that on systems using the OpenLDAP libraries, default values
       specified in /etc/openldap/ldap.conf or the user's .ldaprc files are

       Only those options explicitly listed in /etc/ldap.conf as being
       supported by sudo are honored. Configuration options are listed below
       in upper case but are parsed in a case-independent manner.

       URI ldap[s]://[hostname[:port]] ...
           Specifies a whitespace-delimited list of one or more URIs
           describing the LDAP server(s) to connect to. The protocol may be
           either ldap or ldaps, the latter being for servers that support TLS
           (SSL) encryption. If no port is specified, the default is port 389
           for ldap:// or port 636 for ldaps://. If no hostname is specified,
           sudo will connect to localhost. Multiple URI lines are treated
           identically to a URI line containing multiple entries. Only
           systems using the OpenSSL libraries support the mixing of ldap://
           and ldaps:// URIs. The Netscape-derived libraries used on most
           commercial versions of Unix are only capable of supporting one or
       HOST name[:port] ...
           If no URI is specified, the HOST parameter specifies a whitespace-
           delimited list of LDAP servers to connect to. Each host may
           include an optional port separated by a colon (':'). The HOST
           parameter is deprecated in favor of the URI specification and is
           included for backwards compatibility.

       PORT port_number
           If no URI is specified, the PORT parameter specifies the default
           port to connect to on the LDAP server if a HOST parameter does not
           specify the port itself. If no PORT parameter is used, the default
           is port 389 for LDAP and port 636 for LDAP over TLS (SSL). The
           PORT parameter is deprecated in favor of the URI specification and
           is included for backwards compatibility.

       BIND_TIMELIMIT seconds
           The BIND_TIMELIMIT parameter specifies the amount of time, in
           seconds, to wait while trying to connect to an LDAP server. If
           multiple URIs or HOSTs are specified, this is the amount of time to
           wait before trying the next one in the list.

       NETWORK_TIMEOUT seconds
           An alias for BIND_TIMELIMIT for OpenLDAP compatibility.

       TIMELIMIT seconds
           The TIMELIMIT parameter specifies the amount of time, in seconds,
           to wait for a response to an LDAP query.

       TIMEOUT seconds
           The TIMEOUT parameter specifies the amount of time, in seconds, to
           wait for a response from the various LDAP APIs.

       SUDOERS_BASE base
           The base DN to use when performing sudo LDAP queries. Typically
           this is of the form ou=SUDOers,dc=example,dc=com for the domain
           example.com. Multiple SUDOERS_BASE lines may be specified, in
           which case they are queried in the order specified.

       SUDOERS_SEARCH_FILTER ldap_filter
           An LDAP filter which is used to restrict the set of records
           returned when performing a sudo LDAP query. Typically, this is of
           the form attribute=value or
           (&(attribute=value)(attribute2=value2)).

       SUDOERS_TIMED on/true/yes/off/false/no
           Whether or not to evaluate the sudoNotBefore and sudoNotAfter
           attributes that implement time-dependent sudoers entries.

       SUDOERS_DEBUG debug_level
           This sets the debug level for sudo LDAP queries. Debugging
           information is printed to the standard error. A value of 1 results
           in a moderate amount of debugging information. A value of 2 shows
           the results of the matches themselves. This parameter should not
           be set in a production environment as the extra information is
           likely to confuse users.

       BINDDN DN
           The BINDDN parameter specifies the identity, in the form of a
           Distinguished Name (DN), to use when performing LDAP operations.
           If not specified, LDAP operations are performed with an anonymous
           identity. By default, most LDAP servers will allow anonymous

       BINDPW secret
           The BINDPW parameter specifies the password to use when performing
           LDAP operations. This is typically used in conjunction with the
           BINDDN parameter.

       ROOTBINDDN DN
           The ROOTBINDDN parameter specifies the identity, in the form of a
           Distinguished Name (DN), to use when performing privileged LDAP
           operations, such as sudoers queries. The password corresponding to
           the identity should be stored in /etc/ldap.secret. If not
           specified, the BINDDN identity is used (if any).

       LDAP_VERSION number
           The version of the LDAP protocol to use when connecting to the
           server. The default value is protocol version 3.

       SSL on/true/yes/off/false/no
           If the SSL parameter is set to on, true or yes, TLS (SSL)
           encryption is always used when communicating with the LDAP server.
           Typically, this involves connecting to the server on port 636

       SSL start_tls
           If the SSL parameter is set to start_tls, the LDAP server
           connection is initiated normally and TLS encryption is begun before
           the bind credentials are sent. This has the advantage of not
           requiring a dedicated port for encrypted communications. This
           parameter is only supported by LDAP servers that honor the
           start_tls extension, such as the OpenLDAP server.

       TLS_CHECKPEER on/true/yes/off/false/no
           If enabled, TLS_CHECKPEER will cause the LDAP server's TLS
           certificate to be verified. If the server's TLS certificate
           cannot be verified (usually because it is signed by an unknown
           certificate authority), sudo will be unable to connect to it. If
           TLS_CHECKPEER is disabled, no check is made. Note that disabling
           the check creates an opportunity for man-in-the-middle attacks
           since the server's identity will not be authenticated. If
           possible, the CA's certificate should be installed locally so it

       TLS_CACERT file name
           An alias for TLS_CACERTFILE for OpenLDAP compatibility.
       TLS_CACERTFILE file name
           The path to a certificate authority bundle which contains the
           certificates for all the Certificate Authorities the client knows
           to be valid, e.g. /etc/ssl/ca-bundle.pem. This option is only
           supported by the OpenLDAP libraries. Netscape-derived LDAP
           libraries use the same certificate database for CA and client
           certificates (see TLS_CERT).

       TLS_CACERTDIR directory
           Similar to TLS_CACERTFILE but instead of a file, it is a directory
           containing individual Certificate Authority certificates, e.g.
           /etc/ssl/certs. The directory specified by TLS_CACERTDIR is
           checked after TLS_CACERTFILE. This option is only supported by the

       TLS_CERT file name
           The path to a file containing the client certificate which can be
           used to authenticate the client to the LDAP server. The
           certificate type depends on the LDAP libraries used.

           OpenLDAP:
               tls_cert /etc/ssl/client_cert.pem

           Netscape-derived:
               tls_cert /var/ldap/cert7.db

           When using Netscape-derived libraries, this file may also contain
           Certificate Authority certificates.

       TLS_KEY file name
           The path to a file containing the private key which matches the
           certificate specified by TLS_CERT. The private key must not be
           password-protected. The key type depends on the LDAP libraries

           OpenLDAP:
               tls_key /etc/ssl/client_key.pem

           Netscape-derived:
               tls_key /var/ldap/key3.db

       TLS_RANDFILE file name
           The TLS_RANDFILE parameter specifies the path to an entropy source
           for systems that lack a random device. It is generally used in
           conjunction with prngd or egd. This option is only supported by
           the OpenLDAP libraries.

       TLS_CIPHERS cipher list
           The TLS_CIPHERS parameter allows the administrator to restrict
           which encryption algorithms may be used for TLS (SSL) connections.
           See the OpenSSL manual for a list of valid ciphers. This option is
           only supported by the OpenLDAP libraries.
       USE_SASL on/true/yes/off/false/no
           Enable USE_SASL for LDAP servers that support SASL authentication.

       SASL_AUTH_ID identity
           The SASL user name to use when connecting to the LDAP server. By
           default, sudo will use an anonymous connection.

       ROOTUSE_SASL on/true/yes/off/false/no
           Enable ROOTUSE_SASL to enable SASL authentication when connecting
           to an LDAP server from a privileged process, such as sudo.

       ROOTSASL_AUTH_ID identity
           The SASL user name to use when ROOTUSE_SASL is enabled.

       SASL_SECPROPS none/properties
           SASL security properties or none for no properties. See the SASL
           programmer's manual for details.

       KRB5_CCNAME file name
           The path to the Kerberos 5 credential cache to use when
           authenticating with the remote server.

       See the ldap.conf entry in the EXAMPLES section.
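       The ldap.conf options above, audited from a defender's side, as an
       added example that is not part of the original man page or of sudo
       itself: a Python script that parses an ldap.conf the way this section
       describes (one option per line, names case-independent) and flags the
       settings that weaken the sudo/LDAP path, namely no TLS, TLS_CHECKPEER
       off, a checkpeer without CA material, BINDPW without BINDDN, a
       group/other-readable TLS_KEY and SUDOERS_DEBUG left on. WEAK_CONF and
       HARDENED_CONF are constructed sample files, and the finding texts are
       this example's own wording.

```python
"""Audit the sudo-relevant settings of an ldap.conf file (constructed example,
not part of sudo). Options are parsed as this page describes: one option per
line, names case-independent, lines starting with '#' are comments."""
import os
import stat

def parse_ldap_conf(text):
    """Return {option: [value, ...]}; uri and sudoers_base may repeat, so all
    values are kept in file order. Option names are lower-cased."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), []).append(value)
    return conf

def _on(value):
    return value.lower() in ("on", "true", "yes")

def _off(value):
    return value.lower() in ("off", "false", "no")

def audit_ldap_conf(conf):
    """Return (option, problem) findings for the settings this page documents."""
    def last(key, default=""):
        return conf.get(key, [default])[-1]

    findings = []
    if not conf.get("sudoers_base"):
        findings.append(("sudoers_base", "not set: sudo ignores LDAP entirely"))

    # Transport: ssl on with ldaps:// (port 636), or ssl start_tls on port 389.
    uris = " ".join(conf.get("uri", [])).split()
    ssl = last("ssl").lower()
    ldaps_only = bool(uris) and all(u.startswith("ldaps://") for u in uris)
    if ssl != "start_tls" and not _on(ssl) and not ldaps_only:
        findings.append(("ssl", "no TLS: bind password and sudoers rules cross the network in the clear"))
    if ssl == "start_tls" and ldaps_only:
        findings.append(("ssl", "start_tls on an ldaps:// URI: that port already speaks TLS"))

    # Server identity: tls_checkpeer off is the man-in-the-middle opportunity the page warns about.
    if _off(last("tls_checkpeer")):
        findings.append(("tls_checkpeer", "disabled: the server certificate is never verified"))
    elif _on(last("tls_checkpeer")) and not (conf.get("tls_cacertfile") or conf.get("tls_cacertdir")):
        findings.append(("tls_checkpeer", "enabled, but no tls_cacertfile or tls_cacertdir to verify against"))

    # Credentials: bindpw belongs with binddn; rootbinddn keeps its password in /etc/ldap.secret.
    if conf.get("bindpw") and not conf.get("binddn"):
        findings.append(("bindpw", "set without a binddn"))
    if conf.get("tls_key") and not conf.get("tls_cert"):
        findings.append(("tls_key", "set without tls_cert: both lines are needed"))
    for key_path in conf.get("tls_key", []):
        try:
            mode = os.stat(key_path).st_mode
        except OSError:
            continue  # key file absent on this host: nothing to check
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(("tls_key", key_path + " is readable by group/other; make it root-only"))

    if last("sudoers_debug", "0") not in ("", "0"):
        findings.append(("sudoers_debug", "set: debug output is not for production"))
    return findings

def audit_text(text):
    return audit_ldap_conf(parse_ldap_conf(text))

# Constructed sample: a weak configuration and its hardened counterpart.
WEAK_CONF = """\
uri ldap://ldapserver
sudoers_base ou=SUDOers,dc=example,dc=com
ssl off
tls_checkpeer no
bindpw secret
sudoers_debug 2
"""

HARDENED_CONF = """\
uri ldap://ldapserver.example.com
sudoers_base ou=SUDOers,dc=example,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/ca-bundle.pem
# the password for this identity lives in /etc/ldap.secret, not here
rootbinddn cn=sudo-reader,ou=services,dc=example,dc=com
"""

if __name__ == "__main__":
    for option, problem in audit_text(WEAK_CONF):
        print("%s: %s" % (option, problem))
```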
   Configuring nsswitch.conf
       Unless it is disabled at build time, sudo consults the Name Service
       Switch file, /etc/nsswitch.conf, to specify the sudoers search order.
       Sudo looks for a line beginning with sudoers: and uses this to
       determine the search order. Note that sudo does not stop searching
       after the first match and later matches take precedence over earlier

       The following sources are recognized:

           files       read sudoers from /etc/sudoers
           ldap        read sudoers from LDAP

       In addition, the entry [NOTFOUND=return] will short-circuit the search
       if the user was not found in the preceding source.

       To consult LDAP first followed by the local sudoers file (if it

       The local sudoers file can be ignored completely by using:

       If the /etc/nsswitch.conf file is not present or there is no sudoers
       line, the following default is assumed:
       Note that /etc/nsswitch.conf is supported even when the underlying
       operating system does not use an nsswitch.conf file.

   Configuring netsvc.conf
       On AIX systems, the /etc/netsvc.conf file is consulted instead of
       /etc/nsswitch.conf. sudo simply treats netsvc.conf as a variant of
       nsswitch.conf; information in the previous section unrelated to the
       file format itself still applies.

       To consult LDAP first followed by the local sudoers file (if it

           sudoers = ldap, files

       The local sudoers file can be ignored completely by using:

       To treat LDAP as authoritative and only use the local sudoers file if
       the user is not present in LDAP, use:

           sudoers = ldap = auth, files

       Note that in the above example, the auth qualifier only affects user
       lookups; both LDAP and sudoers will be queried for Defaults entries.

       If the /etc/netsvc.conf file is not present or there is no sudoers
       line, the following default is assumed:
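       The source-order rules of the two sections above, as an added example
       that is not part of the original man page or of sudo's own parser: a
       Python routine that reads the sudoers line from an nsswitch.conf or
       an AIX netsvc.conf and works out which sources are actually consulted
       for a user under [NOTFOUND=return] and the netsvc "= auth" qualifier.
       The configuration lines in the usage are constructed samples.

```python
"""Resolve the sudoers source order from nsswitch.conf or AIX netsvc.conf and
apply the short-circuit rules this page describes (constructed example, not
sudo's own parser)."""

def sudoers_sources(text, aix=False):
    """Return the sudoers sources as (name, qualifier) pairs, e.g.
    nsswitch.conf  'sudoers: ldap [NOTFOUND=return] files'
    netsvc.conf    'sudoers = ldap = auth, files'      (aix=True)
    Without a sudoers line the default is the single source 'files'."""
    sep = "=" if aix else ":"
    for raw in text.splitlines():
        key, _, rest = raw.split("#", 1)[0].partition(sep)
        if key.strip().lower() != "sudoers":
            continue
        sources = []
        if aix:
            # netsvc.conf: comma-separated sources, each optionally '= qualifier'
            for item in rest.split(","):
                name, _, qual = (p.strip().lower() for p in item.partition("="))
                if name:
                    sources.append((name, qual))
        else:
            # nsswitch.conf: whitespace-separated, [ACTION] applies to the preceding source
            for token in rest.split():
                if token.startswith("[") and token.endswith("]") and sources:
                    sources[-1] = (sources[-1][0], token[1:-1].lower())
                else:
                    sources.append((token.lower(), ""))
        return sources
    return [("files", "")]

def consulted_sources(sources, found_in):
    """Sources actually queried for one user, given the set of sources that
    hold an entry for that user. [NOTFOUND=return] stops after a source that
    did not find the user; '= auth' (netsvc.conf) stops after one that did,
    so files is only a fallback. Later sources still take precedence over
    earlier ones, so the list is also the evaluation order."""
    consulted = []
    for name, qual in sources:
        consulted.append(name)
        found = name in found_in
        if (qual == "notfound=return" and not found) or (qual == "auth" and found):
            break
    return consulted

if __name__ == "__main__":
    # Constructed sample nsswitch.conf content.
    order = sudoers_sources("passwd: files ldap\nsudoers: ldap [NOTFOUND=return] files\n")
    print("user known to LDAP   :", consulted_sources(order, {"ldap"}))
    print("user unknown to LDAP :", consulted_sources(order, set()))
```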
FILES
       /etc/ldap.conf            LDAP configuration file

       /etc/nsswitch.conf        determines sudoers source order

       /etc/netsvc.conf          determines sudoers source order on AIX

EXAMPLES
   Example ldap.conf
           # Either specify one or more URIs or one or more host:port pairs.
           # If neither is specified sudo will default to localhost, port 389.
           #host ldapserver1 ldapserver2:390

           # Default port if host is specified without one, defaults to 389.

           # URI will override the host and port settings.
           uri ldap://ldapserver
           #uri ldaps://secureldapserver
           #uri ldaps://secureldapserver ldap://ldapserver
           # The amount of time, in seconds, to wait while trying to connect to

           # The amount of time, in seconds, to wait while performing an LDAP query.

           # Must be set or sudo will ignore LDAP; may be specified multiple times.
           sudoers_base ou=SUDOers,dc=example,dc=com

           # verbose sudoers matching from ldap

           # Enable support for time-based entries in sudoers.

           # optional proxy credentials
           #binddn <who to search as>
           #rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>

           # LDAP protocol version, defaults to 3

           # Define if you want to use an encrypted LDAP connection.
           # Typically, you must also set the port to 636 (ldaps).

           # Define if you want to use port 389 and switch to
           # encryption before the bind credentials are sent.
           # Only supported by LDAP servers that support the start_tls
           # extension such as OpenLDAP.

           # Additional TLS options follow that allow tweaking of the
           # SSL/TLS connection.

           #tls_checkpeer yes # verify server SSL certificate
           #tls_checkpeer no  # ignore server SSL certificate

           # If you enable tls_checkpeer, specify either tls_cacertfile
           # or tls_cacertdir. Only supported when using OpenLDAP.

           #tls_cacertfile /etc/certs/trusted_signers.pem
           #tls_cacertdir /etc/certs

           # For systems that don't have /dev/random
           # use this along with PRNGD or EGD.pl to seed the
           # random number pool to generate cryptographic session keys.
           # Only supported when using OpenLDAP.

           #tls_randfile /etc/egd-pool

           # You may restrict which ciphers are used. Consult your SSL
           # documentation for which options go here.
           # Only supported when using OpenLDAP.

           #tls_ciphers <cipher-list>

           # Sudo can provide a client certificate when communicating to
           # * Enable both lines at the same time.
           # * Do not password protect the key file.
           # * Ensure the keyfile is only readable by root.

           #tls_cert /etc/certs/client_cert.pem
           #tls_key /etc/certs/client_key.pem

           # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
           # a directory, in which case the files in the directory must have the
           # default names (e.g. cert8.db and key4.db), or the path to the cert
           # and key files themselves. However, a bug in version 5.0 of the LDAP
           # SDK will prevent specific file names from working. For this reason
           # it is suggested that tls_cert and tls_key be set to a directory,

           # The certificate database specified by tls_cert may contain CA certs
           # and/or the client's cert. If the client's cert is included, tls_key
           # should be specified as well.
           # For backward compatibility, "sslpath" may be used in place of tls_cert.

           # If using SASL authentication for LDAP (OpenSSL)
           # sasl_auth_id <SASL user name>
           # rootsasl_auth_id <SASL user name for root access>
           # krb5_ccname /etc/.ldapcache
   Sudo schema for OpenLDAP
       The following schema, in OpenLDAP format, is included with sudo source
       and binary distributions as schema.OpenLDAP. Simply copy it to the
       schema directory (e.g. /etc/openldap/schema), add the proper include
       line in slapd.conf and restart slapd.

           attributetype ( 1.3.6.1.4.1.15953.9.1.1
               DESC 'User(s) who may run sudo'
               EQUALITY caseExactIA5Match
               SUBSTR caseExactIA5SubstringsMatch
               SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

           attributetype ( 1.3.6.1.4.1.15953.9.1.2
               DESC 'Host(s) who may run sudo'
               EQUALITY caseExactIA5Match
               SUBSTR caseExactIA5SubstringsMatch
               SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

           attributetype ( 1.3.6.1.4.1.15953.9.1.3
               DESC 'Command(s) to be executed by sudo'
               EQUALITY caseExactIA5Match
               SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

           attributetype ( 1.3.6.1.4.1.15953.9.1.4
               DESC 'User(s) impersonated by sudo'
               EQUALITY caseExactIA5Match
               SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

           attributetype ( 1.3.6.1.4.1.15953.9.1.5
               DESC 'Options(s) followed by sudo'
               EQUALITY caseExactIA5Match
               SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

           attributetype ( 1.3.6.1.4.1.15953.9.1.6
               DESC 'User(s) impersonated by sudo'
               EQUALITY caseExactIA5Match
               SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

           attributetype ( 1.3.6.1.4.1.15953.9.1.7
               NAME 'sudoRunAsGroup'
               DESC 'Group(s) impersonated by sudo'
               EQUALITY caseExactIA5Match
               SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

           attributetype ( 1.3.6.1.4.1.15953.9.1.8
               DESC 'Start of time interval for which the entry is valid'
               EQUALITY generalizedTimeMatch
               ORDERING generalizedTimeOrderingMatch
               SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

           attributetype ( 1.3.6.1.4.1.15953.9.1.9
               DESC 'End of time interval for which the entry is valid'
               EQUALITY generalizedTimeMatch
               ORDERING generalizedTimeOrderingMatch
               SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

           attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
               DESC 'an integer to order the sudoRole entries'
               EQUALITY integerMatch
               ORDERING integerOrderingMatch
               SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

           objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
               DESC 'Sudoer Entries'
               MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
                     sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
                     sudoOrder $ description )

SEE ALSO
       ldap.conf(4), sudoers(5)

CAVEATS
       Note that there are differences in the way that LDAP-based sudoers is
       parsed compared to file-based sudoers. See the "Differences between
       LDAP and non-LDAP sudoers" section for more information.

BUGS
       If you feel you have found a bug in sudo, please submit a bug report at
       http://www.sudo.ws/sudo/bugs/

SUPPORT
       Limited free support is available via the sudo-users mailing list, see
       http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search

DISCLAIMER
       sudo is provided ``AS IS'' and any express or implied warranties,
       including, but not limited to, the implied warranties of
       merchantability and fitness for a particular purpose are disclaimed.
       See the LICENSE file distributed with sudo or
       http://www.sudo.ws/sudo/license.html for complete details.