« back to all changes in this revision
Viewing changes to sudoers.ldap.cat
- browse files at revision 32
- compare with another revision
- download diff
- download tarball
- view history from revision 32
- Committer: Bazaar Package Importer
- Author(s): Marc Deslauriers
- Date: 2010-02-08 18:47:06 UTC
- mfrom: (1.1.9 sid)
- Revision ID: james.westby@ubuntu.com-20100208184706-kqgmuj0qe7telzq3
Tags: 1.7.2p1-1ubuntu1
* Merge from debian testing. Remaining changes:
- debian/rules: Disable lecture, enable tty_tickets by default. (Ubuntu
specific)
- Add debian/sudo_root.8: Explanation of root handling through sudo.
Install it in debian/rules. (Ubuntu specific)
- sudo.c: If the user successfully authenticated and he is in the 'admin'
group, then create a stamp ~/.sudo_as_admin_successful. Our default bash
profile checks for this and displays a short intro about sudo if the
flag is not present. (Ubuntu specific)
- env.c: Add "http_proxy" to initial_keepenv_table, so that it is kept
for "sudo apt-get ...". (Ubuntu specific EBW hack, should disappear at
some point)
- debian/{rules,postinst,sudo-ldap.postinst}: Disable init script
installation. Debian reintroduced it because /var/run tmpfs is not the
default there, but has been on Ubuntu for ages.
- debian/{source_sudo.py,rules,sudo-ldap.dirs,sudo.dirs}: Add apport hook
- debian/rules: Disable lecture, enable tty_tickets by default. (Ubuntu
specific)
- Add debian/sudo_root.8: Explanation of root handling through sudo.
Install it in debian/rules. (Ubuntu specific)
- sudo.c: If the user successfully authenticated and he is in the 'admin'
group, then create a stamp ~/.sudo_as_admin_successful. Our default bash
profile checks for this and displays a short intro about sudo if the
flag is not present. (Ubuntu specific)
- env.c: Add "http_proxy" to initial_keepenv_table, so that it is kept
for "sudo apt-get ...". (Ubuntu specific EBW hack, should disappear at
some point)
- debian/{rules,postinst,sudo-ldap.postinst}: Disable init script
installation. Debian reintroduced it because /var/run tmpfs is not the
default there, but has been on Ubuntu for ages.
- debian/{source_sudo.py,rules,sudo-ldap.dirs,sudo.dirs}: Add apport hook
added
removed
sudoers.ldap.cat
26
26
prevent ssuuddoo from running.
27
27
28
28
+o It is possible to specify per-entry options that override the
29
global default options. _@_s_y_s_c_o_n_f_d_i_r_@_/_s_u_d_o_e_r_s only supports default
30
options and limited options associated with
31
user/host/commands/aliases. The syntax is complicated and can be
32
difficult for users to understand. Placing the options directly in
33
the entry is more natural.
29
global default options. _/_e_t_c_/_s_u_d_o_e_r_s only supports default options
30
and limited options associated with user/host/commands/aliases.
31
The syntax is complicated and can be difficult for users to
32
understand. Placing the options directly in the entry is more
33
natural.
34
34
35
35
+o The vviissuuddoo program is no longer needed. vviissuuddoo provides locking
36
and syntax checking of the _@_s_y_s_c_o_n_f_d_i_r_@_/_s_u_d_o_e_r_s file. Since LDAP
37
updates are atomic, locking is no longer necessary. Because syntax
38
is checked when the data is inserted into LDAP, there is no need
39
for a specialized tool to check syntax.
36
and syntax checking of the _/_e_t_c_/_s_u_d_o_e_r_s file. Since LDAP updates
37
are atomic, locking is no longer necessary. Because syntax is
38
checked when the data is inserted into LDAP, there is no need for a
39
specialized tool to check syntax.
40
40
41
41
Another major difference between LDAP and file-based _s_u_d_o_e_r_s is that in
42
42
LDAP, ssuuddoo-specific Aliases are not supported.
61
61
62
62
63
63
64
1.7.0 October 24, 2008 1
64
1.7.2p1 June 11, 2009 1
65
65
66
66
67
67
71
71
72
72
73
73
found, the multi-valued sudoOption attribute is parsed in the same
74
manner as a global Defaults line in _@_s_y_s_c_o_n_f_d_i_r_@_/_s_u_d_o_e_r_s. In the
75
following example, the SSH_AUTH_SOCK variable will be preserved in the
74
manner as a global Defaults line in _/_e_t_c_/_s_u_d_o_e_r_s. In the following
75
example, the SSH_AUTH_SOCK variable will be preserved in the
76
76
environment for all users.
77
77
78
78
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
127
127
128
128
129
129
130
1.7.0 October 24, 2008 2
130
1.7.2p1 June 11, 2009 2
131
131
132
132
133
133
193
193
194
194
195
195
196
1.7.0 October 24, 2008 3
196
1.7.2p1 June 11, 2009 3
197
197
198
198
199
199
240
240
241
241
CCoonnffiigguurriinngg llddaapp..ccoonnff
242
242
243
Sudo reads the _@_l_d_a_p___c_o_n_f_@ file for LDAP-specific configuration.
243
Sudo reads the _/_e_t_c_/_l_d_a_p_._c_o_n_f file for LDAP-specific configuration.
244
244
Typically, this file is shared amongst different LDAP-aware clients.
245
245
As such, most of the settings are not ssuuddoo-specific. Note that ssuuddoo
246
parses _@_l_d_a_p___c_o_n_f_@ itself and may support options that differ from
246
parses _/_e_t_c_/_l_d_a_p_._c_o_n_f itself and may support options that differ from
247
247
those described in the _l_d_a_p_._c_o_n_f(4) manual.
248
248
249
249
Also note that on systems using the OpenLDAP libraries, default values
250
250
specified in _/_e_t_c_/_o_p_e_n_l_d_a_p_/_l_d_a_p_._c_o_n_f or the user's _._l_d_a_p_r_c files are
251
251
not used.
252
252
253
Only those options explicitly listed in _@_l_d_a_p___c_o_n_f_@ that are supported
254
by ssuuddoo are honored. Configuration options are listed below in upper
255
case but are parsed in a case-independent manner.
253
Only those options explicitly listed in _/_e_t_c_/_l_d_a_p_._c_o_n_f that are
254
supported by ssuuddoo are honored. Configuration options are listed below
255
in upper case but are parsed in a case-independent manner.
256
256
257
257
UURRII ldap[s]://[hostname[:port]] ...
258
258
Specifies a whitespace-delimited list of one or more URIs
259
259
260
260
261
261
262
1.7.0 October 24, 2008 4
262
1.7.2p1 June 11, 2009 4
263
263
264
264
265
265
325
325
326
326
327
327
328
1.7.0 October 24, 2008 5
328
1.7.2p1 June 11, 2009 5
329
329
330
330
331
331
343
343
The RROOOOTTBBIINNDDDDNN parameter specifies the identity, in the form of a
344
344
Distinguished Name (DN), to use when performing privileged LDAP
345
345
operations, such as _s_u_d_o_e_r_s queries. The password corresponding to
346
the identity should be stored in _@_l_d_a_p___s_e_c_r_e_t_@. If not specified,
347
the BBIINNDDDDNN identity is used (if any).
346
the identity should be stored in _/_e_t_c_/_l_d_a_p_._s_e_c_r_e_t. If not
347
specified, the BBIINNDDDDNN identity is used (if any).
348
348
349
349
LLDDAAPP__VVEERRSSIIOONN number
350
350
The version of the LDAP protocol to use when connecting to the
391
391
392
392
393
393
394
1.7.0 October 24, 2008 6
394
1.7.2p1 June 11, 2009 6
395
395
396
396
397
397
457
457
458
458
459
459
460
1.7.0 October 24, 2008 7
460
1.7.2p1 June 11, 2009 7
461
461
462
462
463
463
471
471
CCoonnffiigguurriinngg nnsssswwiittcchh..ccoonnff
472
472
473
473
Unless it is disabled at build time, ssuuddoo consults the Name Service
474
Switch file, _@_n_s_s_w_i_t_c_h___c_o_n_f_@, to specify the _s_u_d_o_e_r_s search order.
474
Switch file, _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f, to specify the _s_u_d_o_e_r_s search order.
475
475
Sudo looks for a line beginning with sudoers: and uses this to
476
476
determine the search order. Note that ssuuddoo does not stop searching
477
477
after the first match and later matches take precedence over earlier
494
494
495
495
sudoers: ldap
496
496
497
If the _@_n_s_s_w_i_t_c_h___c_o_n_f_@ file is not present or there is no sudoers line,
498
the following default is assumed:
497
If the _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f file is not present or there is no sudoers
498
line, the following default is assumed:
499
499
500
500
sudoers: files
501
501
502
Note that _@_n_s_s_w_i_t_c_h___c_o_n_f_@ is supported even when the underlying
502
Note that _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f is supported even when the underlying
503
503
operating system does not use an nsswitch.conf file.
504
504
505
CCoonnffiigguurriinngg nneettssvvcc..ccoonnff
506
507
On AIX systems, the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is consulted instead of
508
_/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f. ssuuddoo simply treats _n_e_t_s_v_c_._c_o_n_f as a variant of
509
_n_s_s_w_i_t_c_h_._c_o_n_f; information in the previous section unrelated to the
510
file format itself still applies.
511
512
To consult LDAP first followed by the local sudoers file (if it
513
exists), use:
514
515
sudoers = ldap, files
516
517
The local _s_u_d_o_e_r_s file can be ignored completely by using:
518
519
sudoers = ldap
520
521
To treat LDAP as authoratative and only use the local sudoers file if
522
the user is not present in LDAP, use:
523
524
525
526
1.7.2p1 June 11, 2009 8
527
528
529
530
531
532
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
533
534
535
sudoers = ldap = auth, files
536
537
Note that in the above example, the auth qualfier only affects user
538
lookups; both LDAP and _s_u_d_o_e_r_s will be queried for Defaults entries.
539
540
If the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is not present or there is no sudoers
541
line, the following default is assumed:
542
543
sudoers = files
544
505
545
FFIILLEESS
506
_@_l_d_a_p___c_o_n_f_@ LDAP configuration file
507
508
_@_n_s_s_w_i_t_c_h___c_o_n_f_@ determines sudoers source order
546
_/_e_t_c_/_l_d_a_p_._c_o_n_f LDAP configuration file
547
548
_/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f determines sudoers source order
549
550
_/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f determines sudoers source order on AIX
509
551
510
552
EEXXAAMMPPLLEESS
511
553
EExxaammppllee llddaapp..ccoonnff
520
562
#port 389
521
563
#
522
564
# URI will override the host and port settings.
523
524
525
526
1.7.0 October 24, 2008 8
527
528
529
530
531
532
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
533
534
535
565
uri ldap://ldapserver
536
566
#uri ldaps://secureldapserver
537
567
#uri ldaps://secureldapserver ldap://ldapserver
556
586
#
557
587
# LDAP protocol version, defaults to 3
558
588
#ldap_version 3
589
590
591
592
1.7.2p1 June 11, 2009 9
593
594
595
596
597
598
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
599
600
559
601
#
560
602
# Define if you want to use an encrypted LDAP connection.
561
603
# Typically, you must also set the port to 636 (ldaps).
586
628
#
587
629
#tls_randfile /etc/egd-pool
588
630
#
589
590
591
592
1.7.0 October 24, 2008 9
593
594
595
596
597
598
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
599
600
601
631
# You may restrict which ciphers are used. Consult your SSL
602
632
# documentation for which options go here.
603
633
# Only supported when using OpenLDAP.
615
645
#tls_cert /etc/certs/client_cert.pem
616
646
#tls_key /etc/certs/client_key.pem
617
647
#
618
# For SunONE or iPlanet LDAP, the file specified by tls_cert may
619
# contain CA certs and/or the client's cert. If the client's
620
# cert is included, tls_key should be specified as well.
621
# For backward compatibility, sslpath may be used in place of tls_cert.
622
#tls_cert /var/ldap/cert7.db
623
#tls_key /var/ldap/key3.db
648
# For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
649
# a directory, in which case the files in the directory must have the
650
# default names (e.g. cert8.db and key4.db), or the path to the cert
651
# and key files themselves. However, a bug in version 5.0 of the LDAP
652
# SDK will prevent specific file names from working. For this reason
653
# it is suggested that tls_cert and tls_key be set to a directory,
654
# not a file name.
655
656
657
658
1.7.2p1 June 11, 2009 10
659
660
661
662
663
664
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
665
666
667
#
668
# The certificate database specified by tls_cert may contain CA certs
669
# and/or the client's cert. If the client's cert is included, tls_key
670
# should be specified as well.
671
# For backward compatibility, "sslpath" may be used in place of tls_cert.
672
#tls_cert /var/ldap
673
#tls_key /var/ldap
624
674
#
625
675
# If using SASL authentication for LDAP (OpenSSL)
626
676
# use_sasl yes
652
702
653
703
attributetype ( 1.3.6.1.4.1.15953.9.1.3
654
704
NAME 'sudoCommand'
655
656
657
658
1.7.0 October 24, 2008 10
659
660
661
662
663
664
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
665
666
667
705
DESC 'Command(s) to be executed by sudo'
668
706
EQUALITY caseExactIA5Match
669
707
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
680
718
EQUALITY caseExactIA5Match
681
719
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
682
720
721
722
723
724
1.7.2p1 June 11, 2009 11
725
726
727
728
729
730
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
731
732
683
733
attributetype ( 1.3.6.1.4.1.15953.9.1.6
684
734
NAME 'sudoRunAsUser'
685
735
DESC 'User(s) impersonated by sudo'
699
749
sudoRunAsGroup $ sudoOption $ description )
700
750
)
701
751
702
Add nsswitch.conf example? Add more exhaustive sudoers ldif example?
703
704
752
SSEEEE AALLSSOO
705
753
_l_d_a_p_._c_o_n_f(4), _s_u_d_o_e_r_s(5)
706
754
719
767
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
720
768
the archives.
721
769
722
723
724
1.7.0 October 24, 2008 11
725
726
727
728
729
730
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
731
732
733
770
DDIISSCCLLAAIIMMEERR
734
771
ssuuddoo is provided ``AS IS'' and any express or implied warranties,
735
772
including, but not limited to, the implied warranties of
750
787
751
788
752
789
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
1.7.0 October 24, 2008 12
790
1.7.2p1 June 11, 2009 12
791
791
792
792
Loggerhead is a web-based interface for Breezy
Version: 2.0.1