X-Git-Url: https://git.gag.com/?a=blobdiff_plain;f=sudoers.ldap.cat;h=20374d493e8197f75e9aefb899c5add2cfdb22dd;hb=d7751e8b58b26f298b57d31ae87386e685eb8c14;hp=0fbab1ea2b114895761a659d7db8dec492535036;hpb=651a7c3679a495ba6ce2b9768029179419d5d4a3;p=debian%2Fsudo diff --git a/sudoers.ldap.cat b/sudoers.ldap.cat index 0fbab1e..20374d4 100644 --- a/sudoers.ldap.cat +++ b/sudoers.ldap.cat @@ -9,7 +9,7 @@ NNAAMMEE DDEESSCCRRIIPPTTIIOONN In addition to the standard _s_u_d_o_e_r_s file, ssuuddoo may be configured via - LAP. This can be especially useful for synchronizing _s_u_d_o_e_r_s in a + LDAP. This can be especially useful for synchronizing _s_u_d_o_e_r_s in a large, distributed environment. Using LDAP for _s_u_d_o_e_r_s has several benefits: @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.7.2p7 June 1, 2010 1 +1.7.4 July 12, 2010 1 @@ -127,7 +127,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7.2p7 June 1, 2010 2 +1.7.4 July 12, 2010 2 @@ -193,7 +193,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7.2p7 June 1, 2010 3 +1.7.4 July 12, 2010 3 @@ -259,7 +259,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7.2p7 June 1, 2010 4 +1.7.4 July 12, 2010 4 
@@ -268,10 +268,12 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - ssuuddoo will connect to llooccaallhhoosstt. Only systems using the OpenSSL - libraries support the mixing of ldap:// and ldaps:// URIs. The - Netscape-derived libraries used on most commercial versions of Unix - are only capable of supporting one or the other. + ssuuddoo will connect to llooccaallhhoosstt. Multiple UURRII lines are treated + identically to a UURRII line containing multiple entries. Only + systems using the OpenSSL libraries support the mixing of ldap:// + and ldaps:// URIs. The Netscape-derived libraries used on most + commercial versions of Unix are only capable of supporting one or + the other. HHOOSSTT name[:port] ... If no UURRII is specified, the HHOOSSTT parameter specifies a whitespace- @@ -301,7 +303,8 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SSUUDDOOEERRSS__BBAASSEE base The base DN to use when performing ssuuddoo LDAP queries. Typically this is of the form ou=SUDOers,dc=example,dc=com for the domain - example.com. + example.com. Multiple SSUUDDOOEERRSS__BBAASSEE lines may be specified, in + which case they are queried in the order specified. SSUUDDOOEERRSS__DDEEBBUUGG debug_level This sets the debug level for ssuuddoo LDAP queries. Debugging @@ -318,14 +321,11 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) identity. By default, most LDAP servers will allow anonymous access. - BBIINNDDPPWW secret - The BBIINNDDPPWW parameter specifies the password to use when performing - LDAP operations. This is typically used in conjunction with the - BBIINNDDDDNN parameter. -1.7.2p7 June 1, 2010 5 + +1.7.4 July 12, 2010 5 
@@ -334,6 +334,11 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + BBIINNDDPPWW secret + The BBIINNDDPPWW parameter specifies the password to use when performing + LDAP operations. This is typically used in conjunction with the + BBIINNDDDDNN parameter. + RROOOOTTBBIINNDDDDNN DN The RROOOOTTBBIINNDDDDNN parameter specifies the identity, in the form of a Distinguished Name (DN), to use when performing privileged LDAP 
@@ -364,16 +369,37 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) certificated to be verified. If the server's TLS certificate cannot be verified (usually because it is signed by an unknown certificate authority), ssuuddoo will be unable to connect to it. If - TTLLSS__CCHHEECCKKPPEEEERR is disabled, no check is made. + TTLLSS__CCHHEECCKKPPEEEERR is disabled, no check is made. Note that disabling + the check creates an opportunity for man-in-the-middle attacks + since the server's identity will not be authenticated. If + possible, the CA's certificate should be installed locally so it + can be verified. + + TTLLSS__CCAACCEERRTT file name + An alias for TTLLSS__CCAACCEERRTTFFIILLEE. TTLLSS__CCAACCEERRTTFFIILLEE file name The path to a certificate authority bundle which contains the certificates for all the Certificate Authorities the client knows to be valid, e.g. _/_e_t_c_/_s_s_l_/_c_a_-_b_u_n_d_l_e_._p_e_m. This option is only - supported by the OpenLDAP libraries. + supported by the OpenLDAP libraries. Netscape-derived LDAP + libraries use the same certificate database for CA and client + certificates (see TTLLSS__CCEERRTT). TTLLSS__CCAACCEERRTTDDIIRR directory Similar to TTLLSS__CCAACCEERRTTFFIILLEE but instead of a file, it is a directory + + + +1.7.4 July 12, 2010 6 + + + + + +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + + containing individual Certificate Authority certificates, e.g. _/_e_t_c_/_s_s_l_/_c_e_r_t_s. The directory specified by TTLLSS__CCAACCEERRTTDDIIRR is checked after TTLLSS__CCAACCEERRTTFFIILLEE. This option is only supported by the @@ -388,18 +414,6 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) tls_cert /etc/ssl/client_cert.pem Netscape-derived: - - - -1.7.2p7 June 1, 2010 6 - - - - - -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - tls_cert /var/ldap/cert7.db When using Netscape-derived libraries, this file may also contain 
@@ -440,31 +454,30 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) Enable RROOOOTTUUSSEE__SSAASSLL to enable SASL authentication when connecting to an LDAP server from a privileged process, such as ssuuddoo. - RROOOOTTSSAASSLL__AAUUTTHH__IIDD identity - The SASL user name to use when RROOOOTTUUSSEE__SSAASSLL is enabled. - SSAASSLL__SSEECCPPRROOPPSS none/properties - SASL security properties or _n_o_n_e for no properties. See the SASL - programmer's manual for details. - KKRRBB55__CCCCNNAAMMEE file name - The path to the Kerberos 5 credential cache to use when - authenticating with the remote server. - - See the ldap.conf entry in the EXAMPLES section. +1.7.4 July 12, 2010 7 -1.7.2p7 June 1, 2010 7 +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + RROOOOTTSSAASSLL__AAUUTTHH__IIDD identity + The SASL user name to use when RROOOOTTUUSSEE__SSAASSLL is enabled. + SSAASSLL__SSEECCPPRROOPPSS none/properties + SASL security properties or _n_o_n_e for no properties. See the SASL + programmer's manual for details. -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + KKRRBB55__CCCCNNAAMMEE file name + The path to the Kerberos 5 credential cache to use when + authenticating with the remote server. + See the ldap.conf entry in the EXAMPLES section. CCoonnffiigguurriinngg nnsssswwiittcchh..ccoonnff Unless it is disabled at build time, ssuuddoo consults the Name Service 
@@ -508,30 +521,29 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) To consult LDAP first followed by the local sudoers file (if it exists), use: - sudoers = ldap, files - The local _s_u_d_o_e_r_s file can be ignored completely by using: - sudoers = ldap +1.7.4 July 12, 2010 8 - To treat LDAP as authoratative and only use the local sudoers file if - the user is not present in LDAP, use: - sudoers = ldap = auth, files - - Note that in the above example, the auth qualfier only affects user -1.7.2p7 June 1, 2010 8 +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + sudoers = ldap, files + The local _s_u_d_o_e_r_s file can be ignored completely by using: + sudoers = ldap -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + To treat LDAP as authoratative and only use the local sudoers file if + the user is not present in LDAP, use: + sudoers = ldap = auth, files + Note that in the above example, the auth qualfier only affects user lookups; both LDAP and _s_u_d_o_e_r_s will be queried for Defaults entries. If the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is not present or there is no sudoers @@ -569,11 +581,23 @@ EEXXAAMMPPLLEESS # The amount of time, in seconds, to wait while performing an LDAP query. timelimit 30 # - # must be set or sudo will ignore LDAP + # Must be set or sudo will ignore LDAP; may be specified multiple times. sudoers_base ou=SUDOers,dc=example,dc=com # # verbose sudoers matching from ldap #sudoers_debug 2 + + + +1.7.4 July 12, 2010 9 + + + + + +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + + # # optional proxy credentials #binddn @@ -586,18 +610,6 @@ EEXXAAMMPPLLEESS # Define if you want to use an encrypted LDAP connection. # Typically, you must also set the port to 636 (ldaps). #ssl on - - - -1.7.2p7 June 1, 2010 9 - - - - - -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - # # Define if you want to use port 389 and switch to # encryption before the bind credentials are sent. 
@@ -640,6 +652,18 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) # For OpenLDAP: #tls_cert /etc/certs/client_cert.pem #tls_key /etc/certs/client_key.pem + + + +1.7.4 July 12, 2010 10 + + + + + +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + + # # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either # a directory, in which case the files in the directory must have the @@ -652,27 +676,15 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) # The certificate database specified by tls_cert may contain CA certs # and/or the client's cert. If the client's cert is included, tls_key # should be specified as well. - - - -1.7.2p7 June 1, 2010 10 - - - - - -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - # For backward compatibility, "sslpath" may be used in place of tls_cert. #tls_cert /var/ldap #tls_key /var/ldap # # If using SASL authentication for LDAP (OpenSSL) # use_sasl yes - # sasl_auth_id + # sasl_auth_id # rootuse_sasl yes - # rootsasl_auth_id + # rootsasl_auth_id # sasl_secprops none # krb5_ccname /etc/.ldapcache 
@@ -707,29 +719,29 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - attributetype ( 1.3.6.1.4.1.15953.9.1.5 - NAME 'sudoOption' - DESC 'Options(s) followed by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - attributetype ( 1.3.6.1.4.1.15953.9.1.6 - NAME 'sudoRunAsUser' - DESC 'User(s) impersonated by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +1.7.4 July 12, 2010 11 -1.7.2p7 June 1, 2010 11 +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + attributetype ( 1.3.6.1.4.1.15953.9.1.5 + NAME 'sudoOption' + DESC 'Options(s) followed by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + attributetype ( 1.3.6.1.4.1.15953.9.1.6 + NAME 'sudoRunAsUser' + DESC 'User(s) impersonated by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' @@ -775,18 +787,6 @@ DDIISSCCLLAAIIMMEERR - - - - - - - - - - - - -1.7.2p7 June 1, 2010 12 +1.7.4 July 12, 2010 12
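Review bot: hunk @@ -61,7 +61,7 @@ (and the identical footer-only hunks @@ -127, @@ -193 and @@ -259) change nothing but the generated page footer from "1.7.2p7 June 1, 2010" to "1.7.4 July 12, 2010", and most of the remaining hunks (the BINDPW block removed in @@ -318 and re-added in @@ -334, the SASL options in @@ -440, the nsswitch example in @@ -508, the schema in @@ -707) are page-break reflow of the preformatted catman output rather than content changes. That makes the real edits hard to spot in review; consider generating sudoers.ldap.cat at build or release time instead of tracking it, or at least reviewing the change against the manual source (the .pod/.man file) where only the wording changes show up.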
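Review bot: in hunk @@ -364,16 +369,37 @@ the unchanged context line "certificated to be verified" in the TLS_CHECKPEER paragraph should read "certificate to be verified"; since this paragraph is being rewritten anyway, fold that fix in. The added sentence that disabling the check "creates an opportunity for man-in-the-middle attacks since the server's identity will not be authenticated" is a good addition, but the paragraph still does not say what the default value of TLS_CHECKPEER is, so a reader cannot tell from this page whether an ldap.conf that omits the option verifies the server or not; state the default here.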
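Review bot: hunk @@ -508,30 +521,29 @@ re-adds the lines "To treat LDAP as authoratative and only use the local sudoers file if" and "Note that in the above example, the auth qualfier only affects user" verbatim; since they are being rewritten in this change, correct the spellings to "authoritative" and "qualifier" at the same time rather than carrying the typos into 1.7.4.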
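Review bot: hunk @@ -707,29 +719,29 @@ re-adds the sudoOption attribute definition with DESC 'Options(s) followed by sudo'; the intended text is evidently 'Option(s) followed by sudo', and the corresponding line in the schema files shipped with the package should be checked for the same typo so the documentation and the schema stay in sync.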
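Review bot: in hunk @@ -652,27 +676,15 @@ the only substantive change to the SASL example is stripping trailing whitespace from "# sasl_auth_id" and "# rootsasl_auth_id"; unlike the neighbouring entries such as "#tls_cert /var/ldap" and "# krb5_ccname /etc/.ldapcache", these two lines still show no sample value at all, so a reader copying the example cannot tell what form the identity takes. Add a placeholder value to each, consistent with the "SASL user name" wording used for ROOTSASL_AUTH_ID in hunk @@ -440,31 +454,30 @@.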