X-Git-Url: https://git.gag.com/?a=blobdiff_plain;f=sudoers.ldap.man.in;h=66a1b03db9251f90323ff904e2fdd7c21f8e29da;hb=d7751e8b58b26f298b57d31ae87386e685eb8c14;hp=331dbdb4b77a4dec31a855fc284a79cc3583dbcb;hpb=034c7278c8e894d8ab427cb251ee768dfc419178;p=debian%2Fsudo diff --git a/sudoers.ldap.man.in b/sudoers.ldap.man.in index 331dbdb..66a1b03 100644 --- a/sudoers.ldap.man.in +++ b/sudoers.ldap.man.in @@ -1,4 +1,4 @@ -.\" Copyright (c) 2003-2009 +.\" Copyright (c) 2003-2010 .\" Todd C. Miller .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -14,19 +14,10 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $Sudo: sudoers.ldap.man.in,v 1.13 2009/06/11 20:29:12 millert Exp $ -.\" Automatically generated by Pod::Man 2.16 (Pod::Simple 3.05) +.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07) .\" .\" Standard preamble: .\" ======================================================================== -.de Sh \" Subsection heading -.br -.if t .Sp -.ne 5 -.PP -\fB\\$1\fR -.PP -.. .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp @@ -70,7 +61,7 @@ .el .ds Aq ' .\" .\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .ie \nF \{\ 
@@ -149,7 +140,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS.LDAP @mansectform@" -.TH SUDOERS.LDAP @mansectform@ "June 11, 2009" "1.7.2p1" "MAINTENANCE COMMANDS" +.TH SUDOERS.LDAP @mansectform@ "July 12, 2010" "1.7.4" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -159,7 +150,7 @@ sudoers.ldap \- sudo LDAP configuration .SH "DESCRIPTION" .IX Header "DESCRIPTION" In addition to the standard \fIsudoers\fR file, \fBsudo\fR may be configured -via \s-1LAP\s0. This can be especially useful for synchronizing \fIsudoers\fR +via \s-1LDAP\s0. This can be especially useful for synchronizing \fIsudoers\fR in a large, distributed environment. .PP Using \s-1LDAP\s0 for \fIsudoers\fR has several benefits: @@ -201,7 +192,7 @@ to have multiple users listed in a sudoRole. Instead of defining a Cmnd_Alias that is referenced by multiple users, one can create a sudoRole that contains the commands and assign multiple users to it. -.Sh "SUDOers \s-1LDAP\s0 container" +.SS "SUDOers \s-1LDAP\s0 container" .IX Subsection "SUDOers LDAP container" The \fIsudoers\fR configuration is contained in the \f(CW\*(C`ou=SUDOers\*(C'\fR \s-1LDAP\s0 container. @@ -271,7 +262,7 @@ on any host via \fBsudo\fR: \& sudoHost: ALL \& sudoCommand: ALL .Ve -.Sh "Anatomy of \s-1LDAP\s0 sudoers lookup" +.SS "Anatomy of \s-1LDAP\s0 sudoers lookup" .IX Subsection "Anatomy of LDAP sudoers lookup" When looking up a sudoer using \s-1LDAP\s0 there are only two or three \&\s-1LDAP\s0 queries per invocation. The first query is to parse the global 
@@ -280,7 +271,7 @@ groups that the user belongs to. (The special \s-1ALL\s0 tag is matched in this query too.) If no match is returned for the user's name and groups, a third query returns all entries containing user netgroups and checks to see if the user belongs to any of them. -.Sh "Differences between \s-1LDAP\s0 and non-LDAP sudoers" +.SS "Differences between \s-1LDAP\s0 and non-LDAP sudoers" .IX Subsection "Differences between LDAP and non-LDAP sudoers" There are some subtle differences in the way sudoers is handled once in \s-1LDAP\s0. Probably the biggest is that according to the \s-1RFC\s0, @@ -342,7 +333,7 @@ behave the way one might expect. \& sudoHost: ALL \& sudoHost: !web01 .Ve -.Sh "Sudoers Schema" +.SS "Sudoers Schema" .IX Subsection "Sudoers Schema" In order to use \fBsudo\fR's \s-1LDAP\s0 support, the \fBsudo\fR schema must be installed on your \s-1LDAP\s0 server. In addition, be sure to index the @@ -355,7 +346,7 @@ be found in the \fBsudo\fR distribution. .PP The schema for \fBsudo\fR in OpenLDAP form is included in the \s-1EXAMPLES\s0 section. -.Sh "Configuring ldap.conf" +.SS "Configuring ldap.conf" .IX Subsection "Configuring ldap.conf" Sudo reads the \fI@ldap_conf@\fR file for LDAP-specific configuration. Typically, this file is shared amongst different LDAP-aware clients. 
@@ -373,14 +364,16 @@ below in upper case but are parsed in a case-independent manner. .IP "\fB\s-1URI\s0\fR ldap[s]://[hostname[:port]] ..." 4 .IX Item "URI ldap[s]://[hostname[:port]] ..." Specifies a whitespace-delimited list of one or more URIs describing -the \s-1LDAP\s0 server(s) to connect to. The \fIprotocol\fR may be either \fBldap\fR -or \fBldaps\fR, the latter being for servers that support \s-1TLS\s0 (\s-1SSL\s0) -encryption. If no \fIport\fR is specified, the default is port 389 for -\&\f(CW\*(C`ldap://\*(C'\fR or port 636 for \f(CW\*(C`ldaps://\*(C'\fR. If no \fIhostname\fR is specified, -\&\fBsudo\fR will connect to \fBlocalhost\fR. Only systems using the OpenSSL -libraries support the mixing of \f(CW\*(C`ldap://\*(C'\fR and \f(CW\*(C`ldaps://\*(C'\fR URIs. -The Netscape-derived libraries used on most commercial versions of -Unix are only capable of supporting one or the other. +the \s-1LDAP\s0 server(s) to connect to. The \fIprotocol\fR may be either +\&\fBldap\fR or \fBldaps\fR, the latter being for servers that support \s-1TLS\s0 +(\s-1SSL\s0) encryption. If no \fIport\fR is specified, the default is port +389 for \f(CW\*(C`ldap://\*(C'\fR or port 636 for \f(CW\*(C`ldaps://\*(C'\fR. If no \fIhostname\fR +is specified, \fBsudo\fR will connect to \fBlocalhost\fR. Multiple \fB\s-1URI\s0\fR +lines are treated identically to a \fB\s-1URI\s0\fR line containing multiple +entries. Only systems using the OpenSSL libraries support the +mixing of \f(CW\*(C`ldap://\*(C'\fR and \f(CW\*(C`ldaps://\*(C'\fR URIs. The Netscape-derived +libraries used on most commercial versions of Unix are only capable +of supporting one or the other. .IP "\fB\s-1HOST\s0\fR name[:port] ..." 4 .IX Item "HOST name[:port] ..." If no \fB\s-1URI\s0\fR is specified, the \fB\s-1HOST\s0\fR parameter specifies a 
@@ -410,7 +403,8 @@ to wait for a response to an \s-1LDAP\s0 query. .IX Item "SUDOERS_BASE base" The base \s-1DN\s0 to use when performing \fBsudo\fR \s-1LDAP\s0 queries. Typically this is of the form \f(CW\*(C`ou=SUDOers,dc=example,dc=com\*(C'\fR for the domain -\&\f(CW\*(C`example.com\*(C'\fR. +\&\f(CW\*(C`example.com\*(C'\fR. Multiple \fB\s-1SUDOERS_BASE\s0\fR lines may be specified, +in which case they are queried in the order specified. .IP "\fB\s-1SUDOERS_DEBUG\s0\fR debug_level" 4 .IX Item "SUDOERS_DEBUG debug_level" This sets the debug level for \fBsudo\fR \s-1LDAP\s0 queries. Debugging @@ -461,13 +455,21 @@ If enabled, \fB\s-1TLS_CHECKPEER\s0\fR will cause the \s-1LDAP\s0 server's \s-1T certificated to be verified. If the server's \s-1TLS\s0 certificate cannot be verified (usually because it is signed by an unknown certificate authority), \fBsudo\fR will be unable to connect to it. If \fB\s-1TLS_CHECKPEER\s0\fR -is disabled, no check is made. +is disabled, no check is made. Note that disabling the check creates +an opportunity for man-in-the-middle attacks since the server's +identity will not be authenticated. If possible, the \s-1CA\s0's certificate +should be installed locally so it can be verified. +.IP "\fB\s-1TLS_CACERT\s0\fR file name" 4 +.IX Item "TLS_CACERT file name" +An alias for \fB\s-1TLS_CACERTFILE\s0\fR. .IP "\fB\s-1TLS_CACERTFILE\s0\fR file name" 4 .IX Item "TLS_CACERTFILE file name" The path to a certificate authority bundle which contains the certificates for all the Certificate Authorities the client knows to be valid, e.g. \fI/etc/ssl/ca\-bundle.pem\fR. This option is only supported by the OpenLDAP libraries. +Netscape-derived \s-1LDAP\s0 libraries use the same certificate +database for \s-1CA\s0 and client certificates (see \fB\s-1TLS_CERT\s0\fR). .IP "\fB\s-1TLS_CACERTDIR\s0\fR directory" 4 .IX Item "TLS_CACERTDIR directory" Similar to \fB\s-1TLS_CACERTFILE\s0\fR but instead of a file, it is a 
@@ -538,7 +540,7 @@ The path to the Kerberos 5 credential cache to use when authenticating with the remote server. .PP See the \f(CW\*(C`ldap.conf\*(C'\fR entry in the \s-1EXAMPLES\s0 section. -.Sh "Configuring nsswitch.conf" +.SS "Configuring nsswitch.conf" .IX Subsection "Configuring nsswitch.conf" Unless it is disabled at build time, \fBsudo\fR consults the Name Service Switch file, \fI@nsswitch_conf@\fR, to specify the \fIsudoers\fR @@ -579,7 +581,7 @@ sudoers line, the following default is assumed: .PP Note that \fI@nsswitch_conf@\fR is supported even when the underlying operating system does not use an nsswitch.conf file. -.Sh "Configuring netsvc.conf" +.SS "Configuring netsvc.conf" .IX Subsection "Configuring netsvc.conf" On \s-1AIX\s0 systems, the \fI@netsvc_conf@\fR file is consulted instead of \&\fI@nsswitch_conf@\fR. \fBsudo\fR simply treats \fInetsvc.conf\fR as a @@ -632,7 +634,7 @@ determines sudoers source order determines sudoers source order on \s-1AIX\s0 .SH "EXAMPLES" .IX Header "EXAMPLES" -.Sh "Example ldap.conf" +.SS "Example ldap.conf" .IX Subsection "Example ldap.conf" .Vb 10 \& # Either specify one or more URIs or one or more host:port pairs. @@ -656,7 +658,7 @@ determines sudoers source order on \s-1AIX\s0 \& # The amount of time, in seconds, to wait while performing an LDAP query. \& timelimit 30 \& # -\& # must be set or sudo will ignore LDAP +\& # Must be set or sudo will ignore LDAP; may be specified multiple times. \& sudoers_base ou=SUDOers,dc=example,dc=com \& # \& # verbose sudoers matching from ldap 
@@ -733,13 +735,13 @@ determines sudoers source order on \s-1AIX\s0 \& # \& # If using SASL authentication for LDAP (OpenSSL) \& # use_sasl yes -\& # sasl_auth_id +\& # sasl_auth_id \& # rootuse_sasl yes -\& # rootsasl_auth_id +\& # rootsasl_auth_id \& # sasl_secprops none \& # krb5_ccname /etc/.ldapcache .Ve -.Sh "Sudo schema for OpenLDAP" +.SS "Sudo schema for OpenLDAP" .IX Subsection "Sudo schema for OpenLDAP" The following schema is in OpenLDAP format. Simply copy it to the schema directory (e.g. \fI/etc/openldap/schema\fR), add the proper
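Review bot: in the `@@ -14,19 +14,10 @@` hunk, dropping the `.de Sh` macro definition from the preamble means any `.Sh` call left anywhere in the file would be silently ignored by nroff and its subsection heading would render as body text; the later hunks convert each visible `.Sh` to `.SS`, but since this file is Pod::Man output (per the preamble), the check that matters is that the regenerated file contains no remaining `.Sh` lines, not just the ones shown in the hunks.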
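Review bot: in the `@@ -373,14 +364,16 @@` hunk the new sentence "Multiple URI lines are treated identically to a URI line containing multiple entries" documents equivalence but not selection order: the paragraph never says whether sudo tries the URIs in the order listed and fails over on a connection failure, which an administrator needs to know when deciding which server is listed first. Suggest adding one sentence stating the ordering and failover rule.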
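Review bot: "queried in the order specified" in the `@@ -410,7 +403,8 @@` hunk leaves the matching semantics unstated: it does not say whether the search stops at the first SUDOERS_BASE that yields a match or whether entries from all bases are combined before the sudoRole rules are evaluated. Since that decides which privileges apply when two bases contain overlapping roles, suggest a sentence making it explicit.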
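Review bot: the added man-in-the-middle warning under TLS_CHECKPEER in the `@@ -461,13 +455,21 @@` hunk is the right content, but the unchanged context line just above still reads "certificated to be verified" (should be "certificate"), and the paragraph never states the default value of TLS_CHECKPEER, so a reader cannot tell whether verification must be enabled explicitly; suggest fixing the typo while touching this paragraph and stating the default. Also, the new TLS_CACERTFILE sentence about Netscape-derived libraries directly follows "This option is only supported by the OpenLDAP libraries", which reads as a contradiction; rewording to something like "Netscape-derived LDAP libraries ignore this option and use the same certificate database for CA and client certificates (see TLS_CERT)" would be clearer.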
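Review bot: in the `@@ -733,13 +735,13 @@` hunk the removed and added lines for `sasl_auth_id` and `rootsasl_auth_id` are identical as rendered, so the change is either trailing whitespace only or an example value that the rendered diff dropped; either way the example shows no value after either key. Confirm the intended example value is present in the source, or drop these no-op lines from the change.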