prevent sudo from running.
   o  It is possible to specify per-entry options that override the
      global default options.  /etc/sudoers only supports default options
      and limited options associated with user/host/commands/aliases.
      The syntax is complicated and can be difficult for users to
      understand.  Placing the options directly in the entry is more
      natural.
   o  The visudo program is no longer needed.  visudo provides locking
      and syntax checking of the /etc/sudoers file.  Since LDAP updates
      are atomic, locking is no longer necessary.  Because syntax is
      checked when the data is inserted into LDAP, there is no need for a
      specialized tool to check syntax.
Another major difference between LDAP and file-based sudoers is that in
LDAP, sudo-specific Aliases are not supported.
found, the multi-valued sudoOption attribute is parsed in the same
manner as a global Defaults line in /etc/sudoers.  In the following
example, the SSH_AUTH_SOCK variable will be preserved in the
environment for all users.

    dn: cn=defaults,ou=SUDOers,dc=example,dc=com
Configuring ldap.conf
Sudo reads the /etc/ldap.conf file for LDAP-specific configuration.
Typically, this file is shared amongst different LDAP-aware clients.
As such, most of the settings are not sudo-specific.  Note that sudo
parses /etc/ldap.conf itself and may support options that differ from
those described in the ldap.conf(4) manual.

Also note that on systems using the OpenLDAP libraries, default values
specified in /etc/openldap/ldap.conf or the user's .ldaprc files are

Only those options explicitly listed in /etc/ldap.conf that are
supported by sudo are honored.  Configuration options are listed below
in upper case but are parsed in a case-independent manner.

URI ldap[s]://[hostname[:port]] ...
    Specifies a whitespace-delimited list of one or more URIs
1.7.0 October 24, 2008 4
1.7.2p1 June 11, 2009 4
The ROOTBINDDN parameter specifies the identity, in the form of a
Distinguished Name (DN), to use when performing privileged LDAP
operations, such as sudoers queries.  The password corresponding to
the identity should be stored in /etc/ldap.secret.  If not
specified, the BINDDN identity is used (if any).

LDAP_VERSION number
    The version of the LDAP protocol to use when connecting to the
Configuring nsswitch.conf
Unless it is disabled at build time, sudo consults the Name Service
Switch file, /etc/nsswitch.conf, to specify the sudoers search order.
Sudo looks for a line beginning with sudoers: and uses this to
determine the search order.  Note that sudo does not stop searching
after the first match and later matches take precedence over earlier

If the /etc/nsswitch.conf file is not present or there is no sudoers
line, the following default is assumed:

Note that /etc/nsswitch.conf is supported even when the underlying
operating system does not use an nsswitch.conf file.
Configuring netsvc.conf
On AIX systems, the /etc/netsvc.conf file is consulted instead of
/etc/nsswitch.conf.  sudo simply treats netsvc.conf as a variant of
nsswitch.conf; information in the previous section unrelated to the
file format itself still applies.

To consult LDAP first followed by the local sudoers file (if it

    sudoers = ldap, files

The local sudoers file can be ignored completely by using:

To treat LDAP as authoritative and only use the local sudoers file if
the user is not present in LDAP, use:

SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)

    sudoers = ldap = auth, files

Note that in the above example, the auth qualifier only affects user
lookups; both LDAP and sudoers will be queried for Defaults entries.
If the /etc/netsvc.conf file is not present or there is no sudoers
line, the following default is assumed:
/etc/ldap.conf          LDAP configuration file

/etc/nsswitch.conf      determines sudoers source order

/etc/netsvc.conf        determines sudoers source order on AIX
Example ldap.conf

    # LDAP protocol version, defaults to 3
    # Define if you want to use an encrypted LDAP connection.
    # Typically, you must also set the port to 636 (ldaps).

    #tls_randfile /etc/egd-pool
    # You may restrict which ciphers are used.  Consult your SSL
    # documentation for which options go here.
    # Only supported when using OpenLDAP.

    #tls_cert /etc/certs/client_cert.pem
    #tls_key /etc/certs/client_key.pem
    # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
    # a directory, in which case the files in the directory must have the
    # default names (e.g. cert8.db and key4.db), or the path to the cert
    # and key files themselves.  However, a bug in version 5.0 of the LDAP
    # SDK will prevent specific file names from working.  For this reason
    # it is suggested that tls_cert and tls_key be set to a directory,

    # The certificate database specified by tls_cert may contain CA certs
    # and/or the client's cert.  If the client's cert is included, tls_key
    # should be specified as well.
    # For backward compatibility, "sslpath" may be used in place of tls_cert.
    # If using SASL authentication for LDAP (OpenSSL)
    attributetype ( 1.3.6.1.4.1.15953.9.1.3
        NAME 'sudoCommand'
        DESC 'Command(s) to be executed by sudo'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

    attributetype ( 1.3.6.1.4.1.15953.9.1.6
        NAME 'sudoRunAsUser'
        DESC 'User(s) impersonated by sudo'
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
DISCLAIMER
sudo is provided ``AS IS'' and any express or implied warranties,
including, but not limited to, the implied warranties of