For the most part, there is really no need for s\bsu\bud\bdo\bo-specific Aliases.
Unix groups or user netgroups can be used in place of User_Aliases and
- RunasAliases. Host netgroups can be used in place of HostAliases.
+ Runas_Aliases. Host netgroups can be used in place of Host_Aliases.
Since Unix groups and netgroups can also be stored in LDAP there is no
real need for s\bsu\bud\bdo\bo-specific aliases.
-1.7.4 July 12, 2010 1
+1.7.6 April 9, 2011 1
sudoOption: env_keep+=SSH_AUTH_SOCK
The equivalent of a sudoer in LDAP is a sudoRole. It consists of the
- following components:
+ following attributes:
s\bsu\bud\bdo\boU\bUs\bse\ber\br
A user name, uid (prefixed with '#'), Unix group (prefixed with a
with a '+') that contains a list of users that commands may be run
as. The special value ALL will match any user.
+ The sudoRunAsUser attribute is only available in s\bsu\bud\bdo\bo versions
+ 1.7.0 and higher. Older versions of s\bsu\bud\bdo\bo use the sudoRunAs
+ attribute instead.
+
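Review bot: the availability note added for sudoRunAsUser should say how a 1.7.0-or-later sudo treats an entry that still carries the older sudoRunAs attribute (honored as a fallback, or ignored), because the sudoRole object class at the end of this page keeps sudoRunAs in its MAY list and administrators with mixed sudo versions will have both attributes in the directory. One sentence such as "sudo 1.7.0 and higher continue to accept sudoRunAs for compatibility" (or the opposite, if that is the case) would settle it.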
s\bsu\bud\bdo\boR\bRu\bun\bnA\bAs\bsG\bGr\bro\bou\bup\bp
A Unix group or gid (prefixed with '#') that commands may be run
as. The special value ALL will match any group.
- Each component listed above should contain a single value, but there
- may be multiple instances of each component type. A sudoRole must
- contain at least one sudoUser, sudoHost and sudoCommand.
-
- The following example allows users in group wheel to run any command on
- any host via s\bsu\bud\bdo\bo:
-
-
+ The sudoRunAsGroup attribute is only available in s\bsu\bud\bdo\bo versions
+ 1.7.0 and higher.
+ s\bsu\bud\bdo\boN\bNo\bot\btB\bBe\bef\bfo\bor\bre\be
+ A timestamp in the form yyyymmddHHMMZ that can be used to provide a
+ start date/time for when the sudoRole will be valid. If multiple
+ sudoNotBefore entries are present, the earliest is used. Note that
+1.7.6 April 9, 2011 2
-1.7.4 July 12, 2010 2
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ timestamps must be in Coordinated Universal Time (UTC), not the
+ local timezone.
+
+ The sudoNotBefore attribute is only available in s\bsu\bud\bdo\bo versions
+ 1.7.5 and higher and must be explicitly enabled via the
+ S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_T\bTI\bIM\bME\bED\bD option in _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf.
+
+ s\bsu\bud\bdo\boN\bNo\bot\btA\bAf\bft\bte\ber\br
+ A timestamp in the form yyyymmddHHMMZ that indicates an expiration
+ date/time, after which the sudoRole will no longer be valid. If
+ multiple sudoNotBefore entries are present, the last one is used.
+ Note that timestamps must be in Coordinated Universal Time (UTC),
+ not the local timezone.
+
+ The sudoNotAfter attribute is only available in s\bsu\bud\bdo\bo versions 1.7.5
+ and higher and must be explicitly enabled via the S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_T\bTI\bIM\bME\bED\bD
+ option in _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf.
+
+ s\bsu\bud\bdo\boO\bOr\brd\bde\ber\br
+ The sudoRole entries retrieved from the LDAP directory have no
+ inherent order. The sudoOrder attribute is an integer (or floating
+ point value for LDAP servers that support it) that is used to sort
+ the matching entries. This allows LDAP-based sudoers entries to
+ more closely mimic the behaviour of the sudoers file, where the of
+ the entries influences the result. If multiple entries match, the
+ entry with the highest sudoOrder attribute is chosen. This
+ corresponds to the "last match" behavior of the sudoers file. If
+ the sudoOrder attribute is not present, a value of 0 is assumed.
+
+ The sudoOrder attribute is only available in s\bsu\bud\bdo\bo versions 1.7.5
+ and higher.
+
+ Each attribute listed above should contain a single value, but there
+ may be multiple instances of each attribute type. A sudoRole must
+ contain at least one sudoUser, sudoHost and sudoCommand.
+ The following example allows users in group wheel to run any command on
+ any host via s\bsu\bud\bdo\bo:
dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
objectClass: top
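Review bot: two wording defects in the new attribute descriptions, plus a lost blank line. In the sudoNotAfter paragraph, "If multiple sudoNotBefore entries are present, the last one is used" names the wrong attribute; it should read "If multiple sudoNotAfter entries are present, the latest is used", which also removes the ambiguity of "last" (last in the entry versus latest in time) and parallels "the earliest is used" in the sudoNotBefore paragraph. In the sudoOrder paragraph, "where the of the entries influences the result" is missing the word "order". Finally, the re-added "Each attribute listed above ..." paragraph runs straight into "The following example allows users in group wheel ..." with no separating blank line, whereas the removed version of the same text had one; please restore it so the two paragraphs render separately.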
that the user belongs to. (The special ALL tag is matched in this
query too.) If no match is returned for the user's name and groups, a
third query returns all entries containing user netgroups and checks to
+
+
+
+1.7.6 April 9, 2011 3
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
see if the user belongs to any of them.
+ If timed entries are enabled with the S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_T\bTI\bIM\bME\bED\bD configuration
+ directive, the LDAP queries include a subfilter that limits retrieval
+ to entries that satisfy the time constraints, if any.
+
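Review bot: the new sentence about the SUDOERS_TIMED subfilter should state the two cases it leaves implicit: that an entry carrying neither sudoNotBefore nor sudoNotAfter is still returned by the time-constrained query (the "if any" suggests this but does not say it), and that when SUDOERS_TIMED is not enabled those attributes are ignored entirely, so a sudoRole whose validity window has expired is still applied. The second point matters operationally, since an administrator who relies on sudoNotAfter to retire access must also have turned the option on, and it belongs next to the description of the query rather than only in the option list.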
D\bDi\bif\bff\bfe\ber\bre\ben\bnc\bce\bes\bs b\bbe\bet\btw\bwe\bee\ben\bn L\bLD\bDA\bAP\bP a\ban\bnd\bd n\bno\bon\bn-\b-L\bLD\bDA\bAP\bP s\bsu\bud\bdo\boe\ber\brs\bs
There are some subtle differences in the way sudoers is handled once in
LDAP. Probably the biggest is that according to the RFC, LDAP ordering
is arbitrary and you cannot expect that Attributes and Entries are
- returned in any specific order. If there are conflicting command rules
- on an entry, the negative takes precedence. This is called paranoid
- behavior (not necessarily the most specific match).
+ returned in any specific order.
+
+ The order in which different entries are applied can be controlled
+ using the sudoOrder attribute, but there is no way to guarantee the
+ order of attributes within a specific entry. If there are conflicting
+ command rules in an entry, the negative takes precedence. This is
+ called paranoid behavior (not necessarily the most specific match).
Here is an example:
sudoUser: puddles
sudoHost: ALL
sudoCommand: !/bin/sh
+ sudoCommand: ALL
+ Another difference is that negations on the Host, User or Runas are
+ currently ignored. For example, the following attributes do not behave
+ the way one might expect.
-1.7.4 July 12, 2010 3
+1.7.6 April 9, 2011 4
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- sudoCommand: ALL
- Another difference is that negations on the Host, User or Runas are
- currently ignorred. For example, the following attributes do not
- behave the way one might expect.
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
# does not match all but joe
# rather, does not match anyone
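Review bot: the rewritten paragraph correctly separates entry ordering (controllable with sudoOrder) from attribute ordering within an entry (not guaranteed), and the example that follows, with "sudoCommand: !/bin/sh" and "sudoCommand: ALL" in one entry, illustrates why the negative must win regardless of which attribute the server returns first. For the ignored-negation paragraph, the comments "does not match all but joe" / "does not match anyone" show that a negated sudoUser makes the entry match nobody; it would help to say in the prose that such an entry therefore grants nothing (fail closed) rather than applying to every user, since "ignored" on its own could be read as "the negation is dropped and the entry applies to joe".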
specified in _\b/_\be_\bt_\bc_\b/_\bo_\bp_\be_\bn_\bl_\bd_\ba_\bp_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf or the user's _\b._\bl_\bd_\ba_\bp_\br_\bc files are
not used.
- Only those options explicitly listed in _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf that are
+ Only those options explicitly listed in _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf as being
supported by s\bsu\bud\bdo\bo are honored. Configuration options are listed below
in upper case but are parsed in a case-independent manner.
either l\bld\bda\bap\bp or l\bld\bda\bap\bps\bs, the latter being for servers that support TLS
(SSL) encryption. If no _\bp_\bo_\br_\bt is specified, the default is port 389
for ldap:// or port 636 for ldaps://. If no _\bh_\bo_\bs_\bt_\bn_\ba_\bm_\be is specified,
+ s\bsu\bud\bdo\bo will connect to l\blo\boc\bca\bal\blh\bho\bos\bst\bt. Multiple U\bUR\bRI\bI lines are treated
+ identically to a U\bUR\bRI\bI line containing multiple entries. Only
+ systems using the OpenSSL libraries support the mixing of ldap://
+ and ldaps:// URIs. The Netscape-derived libraries used on most
+ commercial versions of Unix are only capable of supporting one or
+ the other.
-1.7.4 July 12, 2010 4
+1.7.6 April 9, 2011 5
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- s\bsu\bud\bdo\bo will connect to l\blo\boc\bca\bal\blh\bho\bos\bst\bt. Multiple U\bUR\bRI\bI lines are treated
- identically to a U\bUR\bRI\bI line containing multiple entries. Only
- systems using the OpenSSL libraries support the mixing of ldap://
- and ldaps:// URIs. The Netscape-derived libraries used on most
- commercial versions of Unix are only capable of supporting one or
- the other.
-
H\bHO\bOS\bST\bT name[:port] ...
If no U\bUR\bRI\bI is specified, the H\bHO\bOS\bST\bT parameter specifies a whitespace-
delimited list of LDAP servers to connect to. Each host may
multiple U\bUR\bRI\bIs or H\bHO\bOS\bST\bTs are specified, this is the amount of time to
wait before trying the next one in the list.
+ N\bNE\bET\bTW\bWO\bOR\bRK\bK_\b_T\bTI\bIM\bME\bEO\bOU\bUT\bT seconds
+ An alias for B\bBI\bIN\bND\bD_\b_T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT for OpenLDAP compatibility.
+
T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT seconds
The T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT parameter specifies the amount of time, in seconds,
to wait for a response to an LDAP query.
+ T\bTI\bIM\bME\bEO\bOU\bUT\bT seconds
+ The T\bTI\bIM\bME\bEO\bOU\bUT\bT parameter specifies the amount of time, in seconds, to
+ wait for a response from the various LDAP APIs.
+
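Review bot: the new TIMEOUT entry is hard to distinguish from TIMELIMIT directly above it: TIMELIMIT is "the amount of time ... to wait for a response to an LDAP query" and TIMEOUT is "the amount of time ... to wait for a response from the various LDAP APIs", which reads as the same thing. Please name the operations TIMEOUT covers that TIMELIMIT does not (for example, whether it applies to the bind and the TLS handshake, or only to the search), and say what happens when both are set. Also, the TIMEOUT entry is appended immediately after the TIMELIMIT text with no blank line, whereas the NETWORK_TIMEOUT entry added in the same change is followed by one; the entries in this section are otherwise separated by blank lines.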
S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_B\bBA\bAS\bSE\bE base
The base DN to use when performing s\bsu\bud\bdo\bo LDAP queries. Typically
this is of the form ou=SUDOers,dc=example,dc=com for the domain
example.com. Multiple S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_B\bBA\bAS\bSE\bE lines may be specified, in
which case they are queried in the order specified.
+ S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_S\bSE\bEA\bAR\bRC\bCH\bH_\b_F\bFI\bIL\bLT\bTE\bER\bR ldap_filter
+ An LDAP filter which is used to restrict the set of records
+ returned when performing a s\bsu\bud\bdo\bo LDAP query. Typically, this is of
+ the form attribute=value or
+ (&(attribute=value)(attribute2=value2)).
+
+ S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_T\bTI\bIM\bME\bED\bD on/true/yes/off/false/no
+ Whether or not to evaluate the sudoNotBefore and sudoNotAfter
+ attributes that implement time-dependent sudoers entries.
+
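Review bot: the SUDOERS_SEARCH_FILTER entry should say how the supplied filter is combined with the filter sudo generates itself (the sudoUser / netgroup / time subfilters described earlier on this page), since an administrator will otherwise not know whether "attribute=value" narrows the result set or replaces the query. The first example form, attribute=value, is also given without the enclosing parentheses that the second form uses; please show both in the parenthesized form the filter syntax requires, or note that bare form is accepted. Two smaller points: the SUDOERS_SEARCH_FILTER entry follows "which case they are queried in the order specified." with no blank line, unlike the other entries; and the SUDOERS_TIMED entry should state its default, which from the attribute descriptions ("must be explicitly enabled") is off.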
S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_D\bDE\bEB\bBU\bUG\bG debug_level
This sets the debug level for s\bsu\bud\bdo\bo LDAP queries. Debugging
information is printed to the standard error. A value of 1 results
in a moderate amount of debugging information. A value of 2 shows
the results of the matches themselves. This parameter should not
be set in a production environment as the extra information is
- likely to confuse users.
-
- B\bBI\bIN\bND\bDD\bDN\bN DN
- The B\bBI\bIN\bND\bDD\bDN\bN parameter specifies the identity, in the form of a
- Distinguished Name (DN), to use when performing LDAP operations.
- If not specified, LDAP operations are performed with an anonymous
- identity. By default, most LDAP servers will allow anonymous
- access.
+1.7.6 April 9, 2011 6
-1.7.4 July 12, 2010 5
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ likely to confuse users.
+ B\bBI\bIN\bND\bDD\bDN\bN DN
+ The B\bBI\bIN\bND\bDD\bDN\bN parameter specifies the identity, in the form of a
+ Distinguished Name (DN), to use when performing LDAP operations.
+ If not specified, LDAP operations are performed with an anonymous
+ identity. By default, most LDAP servers will allow anonymous
+ access.
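Review bot: in the relocated BINDDN entry, "likely to confuse users." is now immediately followed by "BINDDN DN" with no blank line between the end of SUDOERS_DEBUG and the start of BINDDN; the removed copy of this text had the blank line, so it was lost in the move. On content, "By default, most LDAP servers will allow anonymous access" would benefit from a sentence on the security consequence visible from this page: with no BINDDN the sudoRole entries, which enumerate who may run what as which user, are read anonymously, and where the server restricts that, BINDDN/BINDPW should name an account with read access to the SUDOERS_BASE subtree and nothing more.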
B\bBI\bIN\bND\bDP\bPW\bW secret
The B\bBI\bIN\bND\bDP\bPW\bW parameter specifies the password to use when performing
can be verified.
T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bT file name
- An alias for T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE.
+ An alias for T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE for OpenLDAP compatibility.
- T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE file name
- The path to a certificate authority bundle which contains the
- certificates for all the Certificate Authorities the client knows
- to be valid, e.g. _\b/_\be_\bt_\bc_\b/_\bs_\bs_\bl_\b/_\bc_\ba_\b-_\bb_\bu_\bn_\bd_\bl_\be_\b._\bp_\be_\bm. This option is only
- supported by the OpenLDAP libraries. Netscape-derived LDAP
- libraries use the same certificate database for CA and client
- certificates (see T\bTL\bLS\bS_\b_C\bCE\bER\bRT\bT).
- T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTD\bDI\bIR\bR directory
- Similar to T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE but instead of a file, it is a directory
-1.7.4 July 12, 2010 6
+1.7.6 April 9, 2011 7
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE file name
+ The path to a certificate authority bundle which contains the
+ certificates for all the Certificate Authorities the client knows
+ to be valid, e.g. _\b/_\be_\bt_\bc_\b/_\bs_\bs_\bl_\b/_\bc_\ba_\b-_\bb_\bu_\bn_\bd_\bl_\be_\b._\bp_\be_\bm. This option is only
+ supported by the OpenLDAP libraries. Netscape-derived LDAP
+ libraries use the same certificate database for CA and client
+ certificates (see T\bTL\bLS\bS_\b_C\bCE\bER\bRT\bT).
+
+ T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTD\bDI\bIR\bR directory
+ Similar to T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE but instead of a file, it is a directory
containing individual Certificate Authority certificates, e.g.
_\b/_\be_\bt_\bc_\b/_\bs_\bs_\bl_\b/_\bc_\be_\br_\bt_\bs. The directory specified by T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTD\bDI\bIR\bR is
checked after T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE. This option is only supported by the
the OpenSSL manual for a list of valid ciphers. This option is
only supported by the OpenLDAP libraries.
- U\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL on/true/yes/off/false/no
- Enable U\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL for LDAP servers that support SASL authentication.
- S\bSA\bAS\bSL\bL_\b_A\bAU\bUT\bTH\bH_\b_I\bID\bD identity
- The SASL user name to use when connecting to the LDAP server. By
- default, s\bsu\bud\bdo\bo will use an anonymous connection.
- R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL on/true/yes/off/false/no
- Enable R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL to enable SASL authentication when connecting
- to an LDAP server from a privileged process, such as s\bsu\bud\bdo\bo.
+1.7.6 April 9, 2011 8
-1.7.4 July 12, 2010 7
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ U\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL on/true/yes/off/false/no
+ Enable U\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL for LDAP servers that support SASL authentication.
+
+ S\bSA\bAS\bSL\bL_\b_A\bAU\bUT\bTH\bH_\b_I\bID\bD identity
+ The SASL user name to use when connecting to the LDAP server. By
+ default, s\bsu\bud\bdo\bo will use an anonymous connection.
+ R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL on/true/yes/off/false/no
+ Enable R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL to enable SASL authentication when connecting
+ to an LDAP server from a privileged process, such as s\bsu\bud\bdo\bo.
R\bRO\bOO\bOT\bTS\bSA\bAS\bSL\bL_\b_A\bAU\bUT\bTH\bH_\b_I\bID\bD identity
The SASL user name to use when R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL is enabled.
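Review bot: the SASL entries were moved across the page break and a blank line was added between USE_SASL and SASL_AUTH_ID, but not between SASL_AUTH_ID and ROOTUSE_SASL nor between ROOTUSE_SASL and ROOTSASL_AUTH_ID, so the four entries now render with inconsistent spacing; since the block is being rewritten anyway, please add the two missing blank lines. "Enable ROOTUSE_SASL to enable SASL authentication" is also worth tightening to "Enable SASL authentication when connecting ... from a privileged process", matching the phrasing of USE_SASL.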
sudoers: files
- Note that _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf is supported even when the underlying
- operating system does not use an nsswitch.conf file.
- C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg n\bne\bet\bts\bsv\bvc\bc.\b.c\bco\bon\bnf\bf
- On AIX systems, the _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf file is consulted instead of
- _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf. s\bsu\bud\bdo\bo simply treats _\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf as a variant of
- _\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf; information in the previous section unrelated to the
- file format itself still applies.
- To consult LDAP first followed by the local sudoers file (if it
- exists), use:
+1.7.6 April 9, 2011 9
-1.7.4 July 12, 2010 8
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ Note that _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf is supported even when the underlying
+ operating system does not use an nsswitch.conf file.
+
+ C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg n\bne\bet\bts\bsv\bvc\bc.\b.c\bco\bon\bnf\bf
+ On AIX systems, the _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf file is consulted instead of
+ _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf. s\bsu\bud\bdo\bo simply treats _\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf as a variant of
+ _\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf; information in the previous section unrelated to the
+ file format itself still applies.
+ To consult LDAP first followed by the local sudoers file (if it
+ exists), use:
sudoers = ldap, files
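Review bot: in the relocated netsvc.conf text, "file format itself still applies." runs directly into "To consult LDAP first followed by the local sudoers file ..." with no blank line, while the nsswitch.conf note above it now has one; the two paragraphs should be separated the same way so the "sudoers = ldap, files" example reads as belonging to the sentence that introduces it.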
#uri ldaps://secureldapserver
#uri ldaps://secureldapserver ldap://ldapserver
#
+
+
+
+1.7.6 April 9, 2011 10
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
# The amount of time, in seconds, to wait while trying to connect to
# an LDAP server.
bind_timelimit 30
#
# verbose sudoers matching from ldap
#sudoers_debug 2
-
-
-
-1.7.4 July 12, 2010 9
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
+ #
+ # Enable support for time-based entries in sudoers.
+ #sudoers_timed yes
#
# optional proxy credentials
#binddn <who to search as>
#tls_randfile /etc/egd-pool
#
# You may restrict which ciphers are used. Consult your SSL
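Review bot: the "#sudoers_timed yes" example is consistent with the SUDOERS_TIMED option, but the comment "Enable support for time-based entries in sudoers." should also say that the option is off by default and that sudoNotBefore/sudoNotAfter values in the directory are not evaluated until it is turned on, because a reader copying this sample file is the person most likely to add the attributes and assume they take effect. A reminder that the timestamps are in UTC (yyyymmddHHMMZ) would fit in the same comment.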
+
+
+
+1.7.6 April 9, 2011 11
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
# documentation for which options go here.
# Only supported when using OpenLDAP.
#
# For OpenLDAP:
#tls_cert /etc/certs/client_cert.pem
#tls_key /etc/certs/client_key.pem
-
-
-
-1.7.4 July 12, 2010 10
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
#
# For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
# a directory, in which case the files in the directory must have the
# krb5_ccname /etc/.ldapcache
S\bSu\bud\bdo\bo s\bsc\bch\bhe\bem\bma\ba f\bfo\bor\br O\bOp\bpe\ben\bnL\bLD\bDA\bAP\bP
- The following schema is in OpenLDAP format. Simply copy it to the
+ The following schema, in OpenLDAP format, is included with s\bsu\bud\bdo\bo source
+ and binary distributions as _\bs_\bc_\bh_\be_\bm_\ba_\b._\bO_\bp_\be_\bn_\bL_\bD_\bA_\bP. Simply copy it to the
schema directory (e.g. _\b/_\be_\bt_\bc_\b/_\bo_\bp_\be_\bn_\bl_\bd_\ba_\bp_\b/_\bs_\bc_\bh_\be_\bm_\ba), add the proper include
line in slapd.conf and restart s\bsl\bla\bap\bpd\bd.
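Review bot: the rewritten introduction now points at the shipped schema.OpenLDAP file, which is good, but since this release adds sudoNotBefore, sudoNotAfter and sudoOrder to the sudoRole object class, please add a sentence for existing installations: a directory running the older schema will reject the new attributes until the updated schema is installed and slapd restarted, so the schema update has to precede any use of timed or ordered entries.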
attributetype ( 1.3.6.1.4.1.15953.9.1.2
NAME 'sudoHost'
+
+
+
+1.7.6 April 9, 2011 12
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
DESC 'Host(s) who may run sudo'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-
-1.7.4 July 12, 2010 11
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
-
attributetype ( 1.3.6.1.4.1.15953.9.1.5
NAME 'sudoOption'
DESC 'Options(s) followed by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+ attributetype ( 1.3.6.1.4.1.15953.9.1.8
+ NAME 'sudoNotBefore'
+ DESC 'Start of time interval for which the entry is valid'
+ EQUALITY generalizedTimeMatch
+ ORDERING generalizedTimeOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.9
+ NAME 'sudoNotAfter'
+ DESC 'End of time interval for which the entry is valid'
+ EQUALITY generalizedTimeMatch
+ ORDERING generalizedTimeOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+
+ attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
+ NAME 'sudoOrder'
+ DESC 'an integer to order the sudoRole entries'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+
+
+
+1.7.6 April 9, 2011 13
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+
objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
DESC 'Sudoer Entries'
MUST ( cn )
MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
- sudoRunAsGroup $ sudoOption $ description )
+ sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
+ sudoOrder $ description )
)
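Review bot: three points on the schema additions. First, the sudoOrder definition uses the keyword "attributeTypes" while every other definition in this file uses "attributetype"; please use the same keyword so the file is consistent whichever spelling slapd accepts. Second, sudoOrder is declared with SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 (INTEGER) and integerMatch/integerOrderingMatch, yet the sudoOrder description earlier on this page says the attribute may be "a floating point value for LDAP servers that support it"; either the prose should say the shipped OpenLDAP schema permits integers only, or the schema should use a syntax that admits fractional values. Third, the DESC for sudoOrder ("an integer to order the sudoRole entries") starts in lower case, unlike the other DESC strings. The MAY list change on the sudoRole object class correctly adds all three new attributes and keeps sudoRunAs for older sudo versions.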
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf(4), _\bs_\bu_\bd_\bo_\be_\br_\bs(5)
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
- The way that _\bs_\bu_\bd_\bo_\be_\br_\bs is parsed differs between Note that there are
- differences in the way that LDAP-based _\bs_\bu_\bd_\bo_\be_\br_\bs is parsed compared to
- file-based _\bs_\bu_\bd_\bo_\be_\br_\bs. See the "Differences between LDAP and non-LDAP
- sudoers" section for more information.
+ Note that there are differences in the way that LDAP-based _\bs_\bu_\bd_\bo_\be_\br_\bs is
+ parsed compared to file-based _\bs_\bu_\bd_\bo_\be_\br_\bs. See the "Differences between
+ LDAP and non-LDAP sudoers" section for more information.
B\bBU\bUG\bGS\bS
If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
-1.7.4 July 12, 2010 12
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+1.7.6 April 9, 2011 14