X-Git-Url: https://git.gag.com/?a=blobdiff_plain;f=sudoers.ldap.pod;h=f7a39c93425dc183ddd141d5f72dcc5cd8ab9e29;hb=b8ca866b720428733450967af30c0154e5f83789;hp=a194651ca282122258d754e9db5cf616a1ce5f78;hpb=a4d16b7546088ef5bdeadb3a6877bcc1d1530a63;p=debian%2Fsudo diff --git a/sudoers.ldap.pod b/sudoers.ldap.pod index a194651..f7a39c9 100644 --- a/sudoers.ldap.pod +++ b/sudoers.ldap.pod @@ -1,4 +1,4 @@ -Copyright (c) 2003-2009 +Copyright (c) 2003-2010 Todd C. Miller Permission to use, copy, modify, and distribute this software for any @@ -23,7 +23,7 @@ sudoers.ldap - sudo LDAP configuration =head1 DESCRIPTION In addition to the standard I file, B may be configured -via LAP. This can be especially useful for synchronizing I +via LDAP. This can be especially useful for synchronizing I in a large, distributed environment. Using LDAP for I has several benefits: 
@@ -259,14 +259,16 @@ below in upper case but are parsed in a case-independent manner. =item B ldap[s]://[hostname[:port]] ... Specifies a whitespace-delimited list of one or more URIs describing -the LDAP server(s) to connect to. The I may be either B -or B, the latter being for servers that support TLS (SSL) -encryption. If no I is specified, the default is port 389 for -C or port 636 for C. If no I is specified, -B will connect to B. Only systems using the OpenSSL -libraries support the mixing of C and C URIs. -The Netscape-derived libraries used on most commercial versions of -Unix are only capable of supporting one or the other. +the LDAP server(s) to connect to. The I may be either +B or B, the latter being for servers that support TLS +(SSL) encryption. If no I is specified, the default is port +389 for C or port 636 for C. If no I +is specified, B will connect to B. Multiple B +lines are treated identically to a B line containing multiple +entries. Only systems using the OpenSSL libraries support the +mixing of C and C URIs. The Netscape-derived +libraries used on most commercial versions of Unix are only capable +of supporting one or the other. =item B name[:port] ... @@ -301,7 +303,8 @@ to wait for a response to an LDAP query. The base DN to use when performing B LDAP queries. Typically this is of the form C for the domain -C. +C. Multiple B lines may be specified, +in which case they are queried in the order specified. =item B debug_level 
@@ -360,7 +363,14 @@ If enabled, B will cause the LDAP server's TLS certificated to be verified. If the server's TLS certificate cannot be verified (usually because it is signed by an unknown certificate authority), B will be unable to connect to it. If B -is disabled, no check is made. +is disabled, no check is made. Note that disabling the check creates +an opportunity for man-in-the-middle attacks since the server's +identity will not be authenticated. If possible, the CA's certificate +should be installed locally so it can be verified. + +=item B file name + +An alias for B. =item B file name @@ -368,6 +378,8 @@ The path to a certificate authority bundle which contains the certificates for all the Certificate Authorities the client knows to be valid, e.g. F. This option is only supported by the OpenLDAP libraries. +Netscape-derived LDAP libraries use the same certificate +database for CA and client certificates (see B). =item B directory @@ -559,7 +571,7 @@ determines sudoers source order on AIX # The amount of time, in seconds, to wait while performing an LDAP query. timelimit 30 # - # must be set or sudo will ignore LDAP + # Must be set or sudo will ignore LDAP; may be specified multiple times. sudoers_base ou=SUDOers,dc=example,dc=com # # verbose sudoers matching from ldap @@ -636,9 +648,9 @@ determines sudoers source order on AIX # # If using SASL authentication for LDAP (OpenSSL) # use_sasl yes - # sasl_auth_id + # sasl_auth_id # rootuse_sasl yes - # rootsasl_auth_id + # rootsasl_auth_id # sasl_secprops none # krb5_ccname /etc/.ldapcache
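Review bot: in the `@@ -259,14 +259,16 @@` hunk for the uri option, the only substantive change is the new sentence "Multiple B lines are treated identically to a B line containing multiple entries." but the whole paragraph has been reflowed, so every line of it shows as removed and re-added and the addition is hard to spot in review. Consider inserting the new sentence without rewrapping the unchanged lines, or reflow in a separate whitespace-only commit. The sentence itself is a useful clarification, since the OpenSSL-versus-Netscape caveat that follows ("Only systems using the OpenSSL libraries support the mixing of C and C URIs") presumably applies equally to a mix spread across several uri lines; it would help to say so explicitly.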
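Review bot: in the `@@ -301,7 +303,8 @@` hunk for sudoers_base, "Multiple B lines may be specified, in which case they are queried in the order specified." leaves the semantics of the order unspecified: does the lookup stop at the first base that yields a match, or are the results from every base combined and, if so, how does base order interact with the ordering of entries within a base? The reader choosing between one base and several needs that to predict which entry wins. The matching change in the sample config, "# Must be set or sudo will ignore LDAP; may be specified multiple times.", is consistent with this text, so only the description needs the extra sentence.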
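Review bot: in the `@@ -360,7 +363,14 @@` hunk for tls_checkpeer, the unchanged context line "will cause the LDAP server's TLS certificated to be verified" carries a pre-existing typo ("certificated" should be "certificate") that is worth fixing while this paragraph is being touched. The new man-in-the-middle warning is the right thing to add; it could be made more concrete by spelling out the consequence for this particular client: if the server's identity is not authenticated, an interposed host can also supply the sudoers entries themselves, so the warning is about policy integrity, not only credential exposure. The new "=item B file name ... An alias for B." entry should say which of the two spellings is the preferred one so that example configurations and the existing tls_cacertfile text agree.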
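Review bot: in the `@@ -636,9 +648,9 @@` hunk, the removed and added lines for "# sasl_auth_id" and "# rootsasl_auth_id" read identically as displayed, so the change is either trailing whitespace or a placeholder that did not survive rendering. If it is whitespace only, it does not belong in a commit whose subject is the documentation wording; if a placeholder was changed, the intended value should be visible in the diff so reviewers can check it against the option's description earlier in the file.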