D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
In addition to the standard _\bs_\bu_\bd_\bo_\be_\br_\bs file, s\bsu\bud\bdo\bo may be configured via
- LAP. This can be especially useful for synchronizing _\bs_\bu_\bd_\bo_\be_\br_\bs in a
+ LDAP. This can be especially useful for synchronizing _\bs_\bu_\bd_\bo_\be_\br_\bs in a
large, distributed environment.
Using LDAP for _\bs_\bu_\bd_\bo_\be_\br_\bs has several benefits:
-1.7.2p7 June 1, 2010 1
+1.7.4 July 12, 2010 1
-1.7.2p7 June 1, 2010 2
+1.7.4 July 12, 2010 2
-1.7.2p7 June 1, 2010 3
+1.7.4 July 12, 2010 3
-1.7.2p7 June 1, 2010 4
+1.7.4 July 12, 2010 4
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- s\bsu\bud\bdo\bo will connect to l\blo\boc\bca\bal\blh\bho\bos\bst\bt. Only systems using the OpenSSL
- libraries support the mixing of ldap:// and ldaps:// URIs. The
- Netscape-derived libraries used on most commercial versions of Unix
- are only capable of supporting one or the other.
+ s\bsu\bud\bdo\bo will connect to l\blo\boc\bca\bal\blh\bho\bos\bst\bt. Multiple U\bUR\bRI\bI lines are treated
+ identically to a U\bUR\bRI\bI line containing multiple entries. Only
+ systems using the OpenSSL libraries support the mixing of ldap://
+ and ldaps:// URIs. The Netscape-derived libraries used on most
+ commercial versions of Unix are only capable of supporting one or
+ the other.
H\bHO\bOS\bST\bT name[:port] ...
If no U\bUR\bRI\bI is specified, the H\bHO\bOS\bST\bT parameter specifies a whitespace-
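Review bot: the added sentence about multiple URI lines does not say in what order the entries are tried or whether sudo fails over to the next entry when one is unreachable, and the very next sentence allows mixing ldap:// and ldaps:// on OpenSSL builds; a reader needs to know whether an unreachable ldaps:// entry can fall back to a cleartext ldap:// one, since that would send the BINDPW credentials and the sudoers query results in the clear. Suggest stating the behaviour explicitly (for example "Entries are tried in the order listed until a connection succeeds", or whatever the code actually does) and advising that cleartext and TLS URIs not be mixed in one configuration.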
S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_B\bBA\bAS\bSE\bE base
The base DN to use when performing s\bsu\bud\bdo\bo LDAP queries. Typically
this is of the form ou=SUDOers,dc=example,dc=com for the domain
- example.com.
+ example.com. Multiple S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_B\bBA\bAS\bSE\bE lines may be specified, in
+ which case they are queried in the order specified.
S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_D\bDE\bEB\bBU\bUG\bG debug_level
This sets the debug level for s\bsu\bud\bdo\bo LDAP queries. Debugging
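Review bot: "queried in the order specified" leaves open whether the results from every SUDOERS_BASE are combined or whether the search stops at the first base that yields a matching entry for the user; for an authorization source that distinction matters, because a permissive entry in a later base can either be ignored or grant additional access depending on which behaviour is meant. Suggest one explicit sentence, such as "All bases are searched and the matching entries combined" or "Searching stops at the first base that contains a matching entry", and the same wording in the commented ldap.conf example later on the page.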
identity. By default, most LDAP servers will allow anonymous
access.
- B\bBI\bIN\bND\bDP\bPW\bW secret
- The B\bBI\bIN\bND\bDP\bPW\bW parameter specifies the password to use when performing
- LDAP operations. This is typically used in conjunction with the
- B\bBI\bIN\bND\bDD\bDN\bN parameter.
-1.7.2p7 June 1, 2010 5
+
+1.7.4 July 12, 2010 5
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ B\bBI\bIN\bND\bDP\bPW\bW secret
+ The B\bBI\bIN\bND\bDP\bPW\bW parameter specifies the password to use when performing
+ LDAP operations. This is typically used in conjunction with the
+ B\bBI\bIN\bND\bDD\bDN\bN parameter.
+
R\bRO\bOO\bOT\bTB\bBI\bIN\bND\bDD\bDN\bN DN
The R\bRO\bOO\bOT\bTB\bBI\bIN\bND\bDD\bDN\bN parameter specifies the identity, in the form of a
Distinguished Name (DN), to use when performing privileged LDAP
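Review bot: the BINDPW paragraph only moves across a page break here, but this is the place to add what the description lacks: BINDPW is a cleartext credential stored in ldap.conf, and the page says nothing about restricting that file's permissions or about how this secret relates to the separate ROOTBINDDN identity described just below. Suggest one sentence recommending that a configuration file containing BINDPW not be world readable, plus a cross reference to the ROOTBINDDN entry explaining how its password is supplied.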
certificated to be verified. If the server's TLS certificate
cannot be verified (usually because it is signed by an unknown
certificate authority), s\bsu\bud\bdo\bo will be unable to connect to it. If
- T\bTL\bLS\bS_\b_C\bCH\bHE\bEC\bCK\bKP\bPE\bEE\bER\bR is disabled, no check is made.
+ T\bTL\bLS\bS_\b_C\bCH\bHE\bEC\bCK\bKP\bPE\bEE\bER\bR is disabled, no check is made. Note that disabling
+ the check creates an opportunity for man-in-the-middle attacks
+ since the server's identity will not be authenticated. If
+ possible, the CA's certificate should be installed locally so it
+ can be verified.
+
+ T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bT file name
+ An alias for T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE.
T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE file name
The path to a certificate authority bundle which contains the
certificates for all the Certificate Authorities the client knows
to be valid, e.g. _\b/_\be_\bt_\bc_\b/_\bs_\bs_\bl_\b/_\bc_\ba_\b-_\bb_\bu_\bn_\bd_\bl_\be_\b._\bp_\be_\bm. This option is only
- supported by the OpenLDAP libraries.
+ supported by the OpenLDAP libraries. Netscape-derived LDAP
+ libraries use the same certificate database for CA and client
+ certificates (see T\bTL\bLS\bS_\b_C\bCE\bER\bRT\bT).
T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTD\bDI\bIR\bR directory
Similar to T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE but instead of a file, it is a directory
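Review bot: the new man-in-the-middle caveat under TLS_CHECKPEER is the right addition, but it should also state the option's default, since whether a system is exposed depends on whether the check is on or off when the line is absent, and it should spell out the consequence specific to this page: an attacker who can impersonate the sudoers LDAP server controls the sudoers entries sudo enforces, so the check should not be disabled on production systems. While this paragraph is being edited, the unchanged context line "TLS certificated to be verified" should read "TLS certificate to be verified". The TLS_CACERT alias and the Netscape cross reference to TLS_CERT look correct.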
+
+
+
+1.7.4 July 12, 2010 6
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
containing individual Certificate Authority certificates, e.g.
_\b/_\be_\bt_\bc_\b/_\bs_\bs_\bl_\b/_\bc_\be_\br_\bt_\bs. The directory specified by T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTD\bDI\bIR\bR is
checked after T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE. This option is only supported by the
tls_cert /etc/ssl/client_cert.pem
Netscape-derived:
-
-
-
-1.7.2p7 June 1, 2010 6
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
tls_cert /var/ldap/cert7.db
When using Netscape-derived libraries, this file may also contain
Enable R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL to enable SASL authentication when connecting
to an LDAP server from a privileged process, such as s\bsu\bud\bdo\bo.
- R\bRO\bOO\bOT\bTS\bSA\bAS\bSL\bL_\b_A\bAU\bUT\bTH\bH_\b_I\bID\bD identity
- The SASL user name to use when R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL is enabled.
- S\bSA\bAS\bSL\bL_\b_S\bSE\bEC\bCP\bPR\bRO\bOP\bPS\bS none/properties
- SASL security properties or _\bn_\bo_\bn_\be for no properties. See the SASL
- programmer's manual for details.
- K\bKR\bRB\bB5\b5_\b_C\bCC\bCN\bNA\bAM\bME\bE file name
- The path to the Kerberos 5 credential cache to use when
- authenticating with the remote server.
-
- See the ldap.conf entry in the EXAMPLES section.
+1.7.4 July 12, 2010 7
-1.7.2p7 June 1, 2010 7
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ R\bRO\bOO\bOT\bTS\bSA\bAS\bSL\bL_\b_A\bAU\bUT\bTH\bH_\b_I\bID\bD identity
+ The SASL user name to use when R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL is enabled.
+ S\bSA\bAS\bSL\bL_\b_S\bSE\bEC\bCP\bPR\bRO\bOP\bPS\bS none/properties
+ SASL security properties or _\bn_\bo_\bn_\be for no properties. See the SASL
+ programmer's manual for details.
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ K\bKR\bRB\bB5\b5_\b_C\bCC\bCN\bNA\bAM\bME\bE file name
+ The path to the Kerberos 5 credential cache to use when
+ authenticating with the remote server.
+ See the ldap.conf entry in the EXAMPLES section.
C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg n\bns\bss\bsw\bwi\bit\btc\bch\bh.\b.c\bco\bon\bnf\bf
Unless it is disabled at build time, s\bsu\bud\bdo\bo consults the Name Service
To consult LDAP first followed by the local sudoers file (if it
exists), use:
- sudoers = ldap, files
- The local _\bs_\bu_\bd_\bo_\be_\br_\bs file can be ignored completely by using:
- sudoers = ldap
+1.7.4 July 12, 2010 8
- To treat LDAP as authoratative and only use the local sudoers file if
- the user is not present in LDAP, use:
- sudoers = ldap = auth, files
-
- Note that in the above example, the auth qualfier only affects user
-1.7.2p7 June 1, 2010 8
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ sudoers = ldap, files
+ The local _\bs_\bu_\bd_\bo_\be_\br_\bs file can be ignored completely by using:
+ sudoers = ldap
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ To treat LDAP as authoratative and only use the local sudoers file if
+ the user is not present in LDAP, use:
+ sudoers = ldap = auth, files
+ Note that in the above example, the auth qualfier only affects user
lookups; both LDAP and _\bs_\bu_\bd_\bo_\be_\br_\bs will be queried for Defaults entries.
If the _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf file is not present or there is no sudoers
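Review bot: the nsswitch.conf lines are only reflowed across the page break, yet both typos in them are carried unchanged into the new lines, "authoratative" for "authoritative" and "qualfier" for "qualifier"; fix them in the added lines since the text is being rewritten anyway. The "sudoers = ldap = auth, files" example would also benefit from a sentence saying what happens when the LDAP server is unreachable, since with LDAP treated as authoritative that decides whether the local sudoers file is consulted at all.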
# The amount of time, in seconds, to wait while performing an LDAP query.
timelimit 30
#
- # must be set or sudo will ignore LDAP
+ # Must be set or sudo will ignore LDAP; may be specified multiple times.
sudoers_base ou=SUDOers,dc=example,dc=com
#
# verbose sudoers matching from ldap
#sudoers_debug 2
+
+
+
+1.7.4 July 12, 2010 9
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
#
# optional proxy credentials
#binddn <who to search as>
# Define if you want to use an encrypted LDAP connection.
# Typically, you must also set the port to 636 (ldaps).
#ssl on
-
-
-
-1.7.2p7 June 1, 2010 9
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
#
# Define if you want to use port 389 and switch to
# encryption before the bind credentials are sent.
# For OpenLDAP:
#tls_cert /etc/certs/client_cert.pem
#tls_key /etc/certs/client_key.pem
+
+
+
+1.7.4 July 12, 2010 10
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
#
# For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
# a directory, in which case the files in the directory must have the
# The certificate database specified by tls_cert may contain CA certs
# and/or the client's cert. If the client's cert is included, tls_key
# should be specified as well.
-
-
-
-1.7.2p7 June 1, 2010 10
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
# For backward compatibility, "sslpath" may be used in place of tls_cert.
#tls_cert /var/ldap
#tls_key /var/ldap
#
# If using SASL authentication for LDAP (OpenSSL)
# use_sasl yes
- # sasl_auth_id <SASL username>
+ # sasl_auth_id <SASL user name>
# rootuse_sasl yes
- # rootsasl_auth_id <SASL username for root access>
+ # rootsasl_auth_id <SASL user name for root access>
# sasl_secprops none
# krb5_ccname /etc/.ldapcache
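Review bot: "user name" in the two SASL comments matches the wording used in the ROOTSASL_AUTH_ID description earlier on the page, so the change is consistent. The unchanged context comment "If using SASL authentication for LDAP (OpenSSL)" names the TLS library, whereas everywhere else the page distinguishes the OpenLDAP libraries from the Netscape-derived ones when describing which features are available; confirm which library the SASL options depend on and correct the parenthetical if it should say OpenLDAP.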
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
- attributetype ( 1.3.6.1.4.1.15953.9.1.5
- NAME 'sudoOption'
- DESC 'Options(s) followed by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
- attributetype ( 1.3.6.1.4.1.15953.9.1.6
- NAME 'sudoRunAsUser'
- DESC 'User(s) impersonated by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+1.7.4 July 12, 2010 11
-1.7.2p7 June 1, 2010 11
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ attributetype ( 1.3.6.1.4.1.15953.9.1.5
+ NAME 'sudoOption'
+ DESC 'Options(s) followed by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+ attributetype ( 1.3.6.1.4.1.15953.9.1.6
+ NAME 'sudoRunAsUser'
+ DESC 'User(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.7
NAME 'sudoRunAsGroup'
-
-
-
-
-
-
-
-
-
-
-
-
-1.7.2p7 June 1, 2010 12
+1.7.4 July 12, 2010 12
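Review bot: the sudoOption attribute definition is only moved by the page reflow, and its DESC string "Options(s) followed by sudo" carries a typo ("Option(s)") into the new lines; fix it in the added attributetype block. The OIDs and SYNTAX values are unchanged between the old and new copies, so the schema itself is unaffected; only the version footer changes otherwise.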