X-Git-Url: https://git.gag.com/?a=blobdiff_plain;f=sudoers.ldap.cat;h=e95ffc07c501f67cdb15b15a72ab034104d7e515;hb=034c7278c8e894d8ab427cb251ee768dfc419178;hp=8b581ffd4537d4c36adc5e943e2a469fdb9e2a96;hpb=06a67e2a5850f36c627b46f330c988e031536ab3;p=debian%2Fsudo diff --git a/sudoers.ldap.cat b/sudoers.ldap.cat index 8b581ff..e95ffc0 100644 --- a/sudoers.ldap.cat +++ b/sudoers.ldap.cat @@ -26,17 +26,17 @@ DDEESSCCRRIIPPTTIIOONN prevent ssuuddoo from running. +o It is possible to specify per-entry options that override the - global default options. _@_s_y_s_c_o_n_f_d_i_r_@_/_s_u_d_o_e_r_s only supports default - options and limited options associated with - user/host/commands/aliases. The syntax is complicated and can be - difficult for users to understand. Placing the options directly in - the entry is more natural. + global default options. _/_e_t_c_/_s_u_d_o_e_r_s only supports default options + and limited options associated with user/host/commands/aliases. + The syntax is complicated and can be difficult for users to + understand. Placing the options directly in the entry is more + natural. +o The vviissuuddoo program is no longer needed. vviissuuddoo provides locking - and syntax checking of the _@_s_y_s_c_o_n_f_d_i_r_@_/_s_u_d_o_e_r_s file. Since LDAP - updates are atomic, locking is no longer necessary. Because syntax - is checked when the data is inserted into LDAP, there is no need - for a specialized tool to check syntax. + and syntax checking of the _/_e_t_c_/_s_u_d_o_e_r_s file. Since LDAP updates + are atomic, locking is no longer necessary. Because syntax is + checked when the data is inserted into LDAP, there is no need for a + specialized tool to check syntax. Another major difference between LDAP and file-based _s_u_d_o_e_r_s is that in LDAP, ssuuddoo-specific Aliases are not supported. @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.7.0 October 24, 2008 1 +1.7.2p1 June 11, 2009 1 
@@ -71,8 +71,8 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) found, the multi-valued sudoOption attribute is parsed in the same - manner as a global Defaults line in _@_s_y_s_c_o_n_f_d_i_r_@_/_s_u_d_o_e_r_s. In the - following example, the SSH_AUTH_SOCK variable will be preserved in the + manner as a global Defaults line in _/_e_t_c_/_s_u_d_o_e_r_s. In the following + example, the SSH_AUTH_SOCK variable will be preserved in the environment for all users. dn: cn=defaults,ou=SUDOers,dc=example,dc=com @@ -127,7 +127,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7.0 October 24, 2008 2 +1.7.2p1 June 11, 2009 2 @@ -193,7 +193,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7.0 October 24, 2008 3 +1.7.2p1 June 11, 2009 3 
@@ -240,26 +240,26 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) CCoonnffiigguurriinngg llddaapp..ccoonnff - Sudo reads the _@_l_d_a_p___c_o_n_f_@ file for LDAP-specific configuration. + Sudo reads the _/_e_t_c_/_l_d_a_p_._c_o_n_f file for LDAP-specific configuration. Typically, this file is shared amongst different LDAP-aware clients. As such, most of the settings are not ssuuddoo-specific. Note that ssuuddoo - parses _@_l_d_a_p___c_o_n_f_@ itself and may support options that differ from + parses _/_e_t_c_/_l_d_a_p_._c_o_n_f itself and may support options that differ from those described in the _l_d_a_p_._c_o_n_f(4) manual. Also note that on systems using the OpenLDAP libraries, default values specified in _/_e_t_c_/_o_p_e_n_l_d_a_p_/_l_d_a_p_._c_o_n_f or the user's _._l_d_a_p_r_c files are not used. - Only those options explicitly listed in _@_l_d_a_p___c_o_n_f_@ that are supported - by ssuuddoo are honored. Configuration options are listed below in upper - case but are parsed in a case-independent manner. + Only those options explicitly listed in _/_e_t_c_/_l_d_a_p_._c_o_n_f that are + supported by ssuuddoo are honored. Configuration options are listed below + in upper case but are parsed in a case-independent manner. UURRII ldap[s]://[hostname[:port]] ... Specifies a whitespace-delimited list of one or more URIs -1.7.0 October 24, 2008 4 +1.7.2p1 June 11, 2009 4 @@ -325,7 +325,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7.0 October 24, 2008 5 +1.7.2p1 June 11, 2009 5 
@@ -343,8 +343,8 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) The RROOOOTTBBIINNDDDDNN parameter specifies the identity, in the form of a Distinguished Name (DN), to use when performing privileged LDAP operations, such as _s_u_d_o_e_r_s queries. The password corresponding to - the identity should be stored in _@_l_d_a_p___s_e_c_r_e_t_@. If not specified, - the BBIINNDDDDNN identity is used (if any). + the identity should be stored in _/_e_t_c_/_l_d_a_p_._s_e_c_r_e_t. If not + specified, the BBIINNDDDDNN identity is used (if any). LLDDAAPP__VVEERRSSIIOONN number The version of the LDAP protocol to use when connecting to the @@ -391,7 +391,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7.0 October 24, 2008 6 +1.7.2p1 June 11, 2009 6 @@ -457,7 +457,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7.0 October 24, 2008 7 +1.7.2p1 June 11, 2009 7 @@ -471,7 +471,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) CCoonnffiigguurriinngg nnsssswwiittcchh..ccoonnff Unless it is disabled at build time, ssuuddoo consults the Name Service - Switch file, _@_n_s_s_w_i_t_c_h___c_o_n_f_@, to specify the _s_u_d_o_e_r_s search order. + Switch file, _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f, to specify the _s_u_d_o_e_r_s search order. Sudo looks for a line beginning with sudoers: and uses this to determine the search order. Note that ssuuddoo does not stop searching after the first match and later matches take precedence over earlier 
@@ -494,18 +494,60 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) sudoers: ldap - If the _@_n_s_s_w_i_t_c_h___c_o_n_f_@ file is not present or there is no sudoers line, - the following default is assumed: + If the _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f file is not present or there is no sudoers + line, the following default is assumed: sudoers: files - Note that _@_n_s_s_w_i_t_c_h___c_o_n_f_@ is supported even when the underlying + Note that _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f is supported even when the underlying operating system does not use an nsswitch.conf file. + CCoonnffiigguurriinngg nneettssvvcc..ccoonnff + + On AIX systems, the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is consulted instead of + _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f. ssuuddoo simply treats _n_e_t_s_v_c_._c_o_n_f as a variant of + _n_s_s_w_i_t_c_h_._c_o_n_f; information in the previous section unrelated to the + file format itself still applies. + + To consult LDAP first followed by the local sudoers file (if it + exists), use: + + sudoers = ldap, files + + The local _s_u_d_o_e_r_s file can be ignored completely by using: + + sudoers = ldap + + To treat LDAP as authoratative and only use the local sudoers file if + the user is not present in LDAP, use: + + + +1.7.2p1 June 11, 2009 8 + + + + + +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + + + sudoers = ldap = auth, files + + Note that in the above example, the auth qualfier only affects user + lookups; both LDAP and _s_u_d_o_e_r_s will be queried for Defaults entries. 
+ + If the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is not present or there is no sudoers + line, the following default is assumed: + + sudoers = files + FFIILLEESS - _@_l_d_a_p___c_o_n_f_@ LDAP configuration file + _/_e_t_c_/_l_d_a_p_._c_o_n_f LDAP configuration file + + _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f determines sudoers source order - _@_n_s_s_w_i_t_c_h___c_o_n_f_@ determines sudoers source order + _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f determines sudoers source order on AIX EEXXAAMMPPLLEESS EExxaammppllee llddaapp..ccoonnff @@ -520,18 +562,6 @@ EEXXAAMMPPLLEESS #port 389 # # URI will override the host and port settings. - - - -1.7.0 October 24, 2008 8 - - - - - -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - uri ldap://ldapserver #uri ldaps://secureldapserver #uri ldaps://secureldapserver ldap://ldapserver @@ -556,6 +586,18 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) # # LDAP protocol version, defaults to 3 #ldap_version 3 + + + +1.7.2p1 June 11, 2009 9 + + + + + +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + + # # Define if you want to use an encrypted LDAP connection. # Typically, you must also set the port to 636 (ldaps). @@ -586,18 +628,6 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) # #tls_randfile /etc/egd-pool # - - - -1.7.0 October 24, 2008 9 - - - - - -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - # You may restrict which ciphers are used. Consult your SSL # documentation for which options go here. # Only supported when using OpenLDAP. 
@@ -615,12 +645,32 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) #tls_cert /etc/certs/client_cert.pem #tls_key /etc/certs/client_key.pem # - # For SunONE or iPlanet LDAP, the file specified by tls_cert may - # contain CA certs and/or the client's cert. If the client's - # cert is included, tls_key should be specified as well. - # For backward compatibility, sslpath may be used in place of tls_cert. - #tls_cert /var/ldap/cert7.db - #tls_key /var/ldap/key3.db + # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either + # a directory, in which case the files in the directory must have the + # default names (e.g. cert8.db and key4.db), or the path to the cert + # and key files themselves. However, a bug in version 5.0 of the LDAP + # SDK will prevent specific file names from working. For this reason + # it is suggested that tls_cert and tls_key be set to a directory, + # not a file name. + + + +1.7.2p1 June 11, 2009 10 + + + + + +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + + + # + # The certificate database specified by tls_cert may contain CA certs + # and/or the client's cert. If the client's cert is included, tls_key + # should be specified as well. + # For backward compatibility, "sslpath" may be used in place of tls_cert. + #tls_cert /var/ldap + #tls_key /var/ldap # # If using SASL authentication for LDAP (OpenSSL) # use_sasl yes @@ -652,18 +702,6 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) attributetype ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' - - - -1.7.0 October 24, 2008 10 - - - - - -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 
@@ -680,6 +718,18 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + + + +1.7.2p1 June 11, 2009 11 + + + + + +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + + attributetype ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' @@ -699,8 +749,6 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) sudoRunAsGroup $ sudoOption $ description ) ) - Add nsswitch.conf example? Add more exhaustive sudoers ldif example? - SSEEEE AALLSSOO _l_d_a_p_._c_o_n_f(4), _s_u_d_o_e_r_s(5) @@ -719,17 +767,6 @@ SSUUPPPPOORRTT http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the archives. - - -1.7.0 October 24, 2008 11 - - - - - -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - DDIISSCCLLAAIIMMEERR ssuuddoo is provided ``AS IS'' and any express or implied warranties, including, but not limited to, the implied warranties of @@ -750,43 +787,6 @@ DDIISSCCLLAAIIMMEERR - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -1.7.0 October 24, 2008 12 +1.7.2p1 June 11, 2009 12
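Review bot: in the @@ -26,17 hunk and the later hunks that replace the _@_s_y_s_c_o_n_f_d_i_r_@_/_s_u_d_o_e_r_s, _@_l_d_a_p___c_o_n_f_@, _@_l_d_a_p___s_e_c_r_e_t_@ and _@_n_s_s_w_i_t_c_h___c_o_n_f_@ tokens with literal /etc paths, the rendered page is now tied to a single build configuration (sysconfdir=/etc, ldap.conf and ldap.secret directly under /etc). Those @...@ tokens are configure-time placeholders, so the substituted values belong in the step that regenerates sudoers.ldap.cat from its source, not hand-edited into the generated file; otherwise the next regeneration with a different prefix silently reverts these lines and the page again tells administrators to look in the wrong place for ldap.secret.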
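Review bot: the @@ -343,8 hunk (RROOOOTTBBIINNDDDDNN) now names _/_e_t_c_/_l_d_a_p_._s_e_c_r_e_t as the store for the password used in privileged _s_u_d_o_e_r_s queries but still gives no ownership or permission guidance for that file. Since it holds a bind credential that grants read access to the whole sudoers tree, add a sentence to this paragraph stating that the file must be owned by root and not readable by any other user, so that packagers and administrators creating it from this page do not leave it world-readable.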
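Review bot: the new CCoonnffiigguurriinngg nneettssvvcc..ccoonnff section in the @@ -494,18 hunk has two spelling errors in the added text: "To treat LDAP as authoratative" should read "authoritative", and "the auth qualfier only affects user lookups" should read "qualifier". Both are in lines this commit introduces, so they should be fixed in the man page source before the cat file is regenerated.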
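Review bot: in the @@ -615,12 hunk the rewritten tls_cert/tls_key comment says "a bug in version 5.0 of the LDAP SDK will prevent specific file names from working" without saying which SDK, and because the same example ldap.conf is shared with OpenLDAP users (the surrounding comments say "Only supported when using OpenLDAP" for other options), readers may take the workaround as applying to them. Tie the sentence back to the SunONE/iPlanet SDK named at the top of the same comment, e.g. "a bug in version 5.0 of the SunONE/iPlanet LDAP SDK", so that the directory-only advice and the changed examples (#tls_cert /var/ldap, #tls_key /var/ldap) are clearly scoped to that library.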
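Review bot: the @@ -699,8 hunk drops the leftover editorial question "Add nsswitch.conf example? Add more exhaustive sudoers ldif example?" from the rendered page, which is correct for a shipped manual, but no hunk in this diff adds either example (the new nneettssvvcc..ccoonnff section covers AIX only, and the LDIF shown remains the short sudoRole schema excerpt). If those examples are still wanted they should be tracked in the source or a bug rather than lost with the note.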