SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)

sudoers.ldap - sudo LDAP configuration

DESCRIPTION
In addition to the standard sudoers file, sudo may be configured via
LDAP. This can be especially useful for synchronizing sudoers in a
large, distributed environment.

Using LDAP for sudoers has several benefits:

o   sudo no longer needs to read sudoers in its entirety. When LDAP is
    used, there are only two or three LDAP queries per invocation.
    This makes it especially fast and particularly usable in LDAP

o   sudo no longer exits if there is a typo in sudoers. It is not
    possible to load LDAP data into the server that does not conform to
    the sudoers schema, so proper syntax is guaranteed. It is still
    possible to have typos in a user or host name, but this will not
    prevent sudo from running.

o   It is possible to specify per-entry options that override the
    global default options. @sysconfdir@/sudoers only supports default
    options and limited options associated with
    user/host/commands/aliases. The syntax is complicated and can be
    difficult for users to understand. Placing the options directly in
    the entry is more natural.

o   The visudo program is no longer needed. visudo provides locking
    and syntax checking of the @sysconfdir@/sudoers file. Since LDAP
    updates are atomic, locking is no longer necessary. Because syntax
    is checked when the data is inserted into LDAP, there is no need
    for a specialized tool to check syntax.

Another major difference between LDAP and file-based sudoers is that in
LDAP, sudo-specific Aliases are not supported.

For the most part, there is really no need for sudo-specific Aliases.
Unix groups or user netgroups can be used in place of User_Aliases and
Runas_Aliases. Host netgroups can be used in place of Host_Aliases.
Since Unix groups and netgroups can also be stored in LDAP there is no
real need for sudo-specific aliases.

Cmnd_Aliases are not really required either since it is possible to
have multiple users listed in a sudoRole. Instead of defining a
Cmnd_Alias that is referenced by multiple users, one can create a
sudoRole that contains the commands and assign multiple users to it.

SUDOers LDAP container

The sudoers configuration is contained in the ou=SUDOers LDAP

Sudo first looks for the cn=default entry in the SUDOers container. If
found, the multi-valued sudoOption attribute is parsed in the same
manner as a global Defaults line in @sysconfdir@/sudoers. In the
following example, the SSH_AUTH_SOCK variable will be preserved in the
environment for all users.

    dn: cn=defaults,ou=SUDOers,dc=example,dc=com
    description: Default sudoOption's go here
    sudoOption: env_keep+=SSH_AUTH_SOCK

The equivalent of a sudoer in LDAP is a sudoRole. It consists of the

    A user name, uid (prefixed with '#'), Unix group (prefixed with a
    '%') or user netgroup (prefixed with a '+').

    A host name, IP address, IP network, or host netgroup (prefixed
    with a '+'). The special value ALL will match any host.

sudoCommand
    A Unix command with optional command line arguments, potentially
    including globbing characters (aka wild cards). The special value
    ALL will match any command. If a command is prefixed with an
    exclamation point '!', the user will be prohibited from running

    Identical in function to the global options described above, but
    specific to the sudoRole in which it resides.

sudoRunAsUser
    A user name or uid (prefixed with '#') that commands may be run as
    or a Unix group (prefixed with a '%') or user netgroup (prefixed
    with a '+') that contains a list of users that commands may be run
    as. The special value ALL will match any user.

sudoRunAsGroup
    A Unix group or gid (prefixed with '#') that commands may be run
    as. The special value ALL will match any group.

Each component listed above should contain a single value, but there
may be multiple instances of each component type. A sudoRole must
contain at least one sudoUser, sudoHost and sudoCommand.

The following example allows users in group wheel to run any command on
any host via sudo:

    dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
    objectClass: sudoRole

Anatomy of LDAP sudoers lookup

When looking up a sudoer using LDAP there are only two or three LDAP
queries per invocation. The first query is to parse the global
options. The second is to match against the user's name and the groups
that the user belongs to. (The special ALL tag is matched in this
query too.) If no match is returned for the user's name and groups, a
third query returns all entries containing user netgroups and checks to
see if the user belongs to any of them.

Differences between LDAP and non-LDAP sudoers

There are some subtle differences in the way sudoers is handled once in
LDAP. Probably the biggest is that according to the RFC, LDAP ordering
is arbitrary and you cannot expect that Attributes and Entries are
returned in any specific order. If there are conflicting command rules
on an entry, the negative takes precedence. This is called paranoid
behavior (not necessarily the most specific match).

    # Allow all commands except shell
    johnny ALL=(root) ALL,!/bin/sh
    # Always allows all commands because ALL is matched last
    puddles ALL=(root) !/bin/sh,ALL

    # LDAP equivalent of johnny
    # Allows all commands except shell
    dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
    objectClass: sudoRole
    sudoCommand: !/bin/sh

    # LDAP equivalent of puddles
    # Notice that even though ALL comes last, it still behaves like
    # role1 since the LDAP code assumes the more paranoid configuration
    dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
    objectClass: sudoRole
    sudoCommand: !/bin/sh
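
The ordering difference above, as an added example (not code from the sudo distribution): a minimal Python model of the two evaluation rules, plus a check that lists the commands whose verdict changes when a file-based command list is moved into a sudoRole. The function names are hypothetical, command arguments are ignored, and fnmatch only approximates sudo's wildcard matching.

```python
from fnmatch import fnmatchcase


def _covers(pattern, command):
    """True if a command spec (leading '!' already removed) covers command.

    Simplification: only the command path is compared, and fnmatchcase lets
    '*' cross '/' boundaries, which is looser than sudo's own matching.
    """
    return pattern == "ALL" or fnmatchcase(command, pattern)


def file_based_allows(cmnd_list, command):
    """File-based sudoers: specs are evaluated in order, the last match wins."""
    verdict = False
    for spec in cmnd_list:
        if _covers(spec.lstrip("!"), command):
            verdict = not spec.startswith("!")
    return verdict


def ldap_allows(sudo_commands, command):
    """LDAP sudoRole: values arrive in arbitrary order, so one matching
    negated sudoCommand denies the command wherever it appears."""
    allowed = False
    for spec in sudo_commands:
        if _covers(spec.lstrip("!"), command):
            if spec.startswith("!"):
                return False
            allowed = True
    return allowed


def migration_diffs(cmnd_list, probes):
    """Commands whose verdict changes once cmnd_list becomes sudoCommand values."""
    return [c for c in probes
            if file_based_allows(cmnd_list, c) != ldap_allows(cmnd_list, c)]


# The command lists of the johnny and puddles rules shown above.
JOHNNY = ["ALL", "!/bin/sh"]
PUDDLES = ["!/bin/sh", "ALL"]
PROBES = ["/bin/sh", "/bin/ls"]   # constructed probe commands

if __name__ == "__main__":
    for name, rules in (("johnny", JOHNNY), ("puddles", PUDDLES)):
        for cmd in PROBES:
            print(name, cmd,
                  "file:", file_based_allows(rules, cmd),
                  "ldap:", ldap_allows(rules, cmd))
    print("verdict changes for puddles:", migration_diffs(PUDDLES, PROBES))
```

Running migration_diffs over each command list before an import shows which rules relied on file ordering and will become stricter in LDAP.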

Another difference is that negations on the Host, User or Runas are
currently ignored. For example, the following attributes do not
behave the way one might expect.

    # does not match all but joe
    # rather, does not match anyone

    # does not match all but joe
    # rather, matches everyone including Joe

    # does not match all but web01
    # rather, matches all hosts including web01
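
A check for the pitfall above, as an added example (not part of the sudo distribution): a Python lint over an LDIF export that flags negated sudoUser, sudoHost and Runas values, which the text says are ignored, and sudoRole entries lacking one of the three required components. The sample LDIF is constructed, the function names are hypothetical, counting sudoRunAsGroup under "Runas" is an assumption, and only plain `attr: value` lines are parsed.

```python
# Attributes whose negated ('!') values this page says are ignored.
# Counting sudoRunAsGroup under "Runas" is an assumption of this example.
NEGATION_IGNORED = ("sudouser", "sudohost", "sudorunas",
                    "sudorunasuser", "sudorunasgroup")
REQUIRED = ("sudouser", "sudohost", "sudocommand")


def parse_ldif(text):
    """Parse plain LDIF into {attr: [values]} dicts (names lower-cased, no base64)."""
    entries, entry, last = [], {}, None
    for line in text.splitlines() + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():                  # a blank line ends the entry
            if entry:
                entries.append(entry)
            entry, last = {}, None
        elif line.startswith(" ") and last:   # folded continuation line
            entry[last][-1] += line[1:]
        else:
            attr, _, value = line.partition(":")
            last = attr.strip().lower()
            entry.setdefault(last, []).append(value.strip())
    return entries


def lint_sudo_roles(ldif_text):
    """Return (dn, attribute, problem) tuples for every sudoRole entry."""
    findings = []
    for entry in parse_ldif(ldif_text):
        classes = [v.lower() for v in entry.get("objectclass", [])]
        if "sudorole" not in classes:
            continue
        dn = entry.get("dn", ["<no dn>"])[0]
        for attr in REQUIRED:
            if attr not in entry:
                findings.append((dn, attr, "required component missing"))
        for attr in NEGATION_IGNORED:
            for value in entry.get(attr, []):
                if value.startswith("!"):
                    findings.append((dn, attr, "negation is ignored: " + value))
    return findings


# Constructed sample export; these entries are not from the original page.
SAMPLE_LDIF = """\
dn: cn=ops,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: ops
sudoUser: ALL
sudoUser: !joe
sudoHost: ALL
sudoHost: !web01
sudoCommand: ALL

dn: cn=backup,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: backup
sudoUser: %backup
sudoCommand: /usr/bin/rsync
sudoCommand: !/bin/sh
"""

if __name__ == "__main__":
    for finding in lint_sudo_roles(SAMPLE_LDIF):
        print(*finding, sep=" | ")
```

The objectclass definition in the schema on this page lists sudoUser, sudoHost and sudoCommand under MAY, so the directory server does not reject an entry that lacks one of them.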

Sudoers Schema

In order to use sudo's LDAP support, the sudo schema must be installed
on your LDAP server. In addition, be sure to index the 'sudoUser'

Three versions of the schema: one for OpenLDAP servers
(schema.OpenLDAP), one for Netscape-derived servers (schema.iPlanet),
and one for Microsoft Active Directory (schema.ActiveDirectory) may be
found in the sudo distribution.

The schema for sudo in OpenLDAP form is included in the EXAMPLES

Configuring ldap.conf

Sudo reads the @ldap_conf@ file for LDAP-specific configuration.
Typically, this file is shared amongst different LDAP-aware clients.
As such, most of the settings are not sudo-specific. Note that sudo
parses @ldap_conf@ itself and may support options that differ from
those described in the ldap.conf(4) manual.

Also note that on systems using the OpenLDAP libraries, default values
specified in /etc/openldap/ldap.conf or the user's .ldaprc files are

Only those options explicitly listed in @ldap_conf@ that are supported
by sudo are honored. Configuration options are listed below in upper
case but are parsed in a case-independent manner.

URI ldap[s]://[hostname[:port]] ...
    Specifies a whitespace-delimited list of one or more URIs
    describing the LDAP server(s) to connect to. The protocol may be
    either ldap or ldaps, the latter being for servers that support TLS
    (SSL) encryption. If no port is specified, the default is port 389
    for ldap:// or port 636 for ldaps://. If no hostname is specified,
    sudo will connect to localhost. Only systems using the OpenSSL
    libraries support the mixing of ldap:// and ldaps:// URIs. The
    Netscape-derived libraries used on most commercial versions of Unix
    are only capable of supporting one or the other.

HOST name[:port] ...
    If no URI is specified, the HOST parameter specifies a whitespace-
    delimited list of LDAP servers to connect to. Each host may
    include an optional port separated by a colon (':'). The HOST
    parameter is deprecated in favor of the URI specification and is
    included for backwards compatibility.

    If no URI is specified, the PORT parameter specifies the default
    port to connect to on the LDAP server if a HOST parameter does not
    specify the port itself. If no PORT parameter is used, the default
    is port 389 for LDAP and port 636 for LDAP over TLS (SSL). The
    PORT parameter is deprecated in favor of the URI specification and
    is included for backwards compatibility.

BIND_TIMELIMIT seconds
    The BIND_TIMELIMIT parameter specifies the amount of time, in
    seconds, to wait while trying to connect to an LDAP server. If
    multiple URIs or HOSTs are specified, this is the amount of time to
    wait before trying the next one in the list.

TIMELIMIT seconds
    The TIMELIMIT parameter specifies the amount of time, in seconds,
    to wait for a response to an LDAP query.

SUDOERS_BASE base
    The base DN to use when performing sudo LDAP queries. Typically
    this is of the form ou=SUDOers,dc=example,dc=com for the domain

SUDOERS_DEBUG debug_level
    This sets the debug level for sudo LDAP queries. Debugging
    information is printed to the standard error. A value of 1 results
    in a moderate amount of debugging information. A value of 2 shows
    the results of the matches themselves. This parameter should not
    be set in a production environment as the extra information is
    likely to confuse users.

    The BINDDN parameter specifies the identity, in the form of a
    Distinguished Name (DN), to use when performing LDAP operations.
    If not specified, LDAP operations are performed with an anonymous
    identity. By default, most LDAP servers will allow anonymous

    The BINDPW parameter specifies the password to use when performing
    LDAP operations. This is typically used in conjunction with the
    BINDDN parameter.

ROOTBINDDN DN
    The ROOTBINDDN parameter specifies the identity, in the form of a
    Distinguished Name (DN), to use when performing privileged LDAP
    operations, such as sudoers queries. The password corresponding to
    the identity should be stored in @ldap_secret@. If not specified,
    the BINDDN identity is used (if any).

LDAP_VERSION number
    The version of the LDAP protocol to use when connecting to the
    server. The default value is protocol version 3.

SSL on/true/yes/off/false/no
    If the SSL parameter is set to on, true or yes, TLS (SSL)
    encryption is always used when communicating with the LDAP server.
    Typically, this involves connecting to the server on port 636

    If the SSL parameter is set to start_tls, the LDAP server
    connection is initiated normally and TLS encryption is begun before
    the bind credentials are sent. This has the advantage of not
    requiring a dedicated port for encrypted communications. This
    parameter is only supported by LDAP servers that honor the
    start_tls extension, such as the OpenLDAP server.

TLS_CHECKPEER on/true/yes/off/false/no
    If enabled, TLS_CHECKPEER will cause the LDAP server's TLS
    certificate to be verified. If the server's TLS certificate
    cannot be verified (usually because it is signed by an unknown
    certificate authority), sudo will be unable to connect to it. If
    TLS_CHECKPEER is disabled, no check is made.

TLS_CACERTFILE file name
    The path to a certificate authority bundle which contains the
    certificates for all the Certificate Authorities the client knows
    to be valid, e.g. /etc/ssl/ca-bundle.pem. This option is only
    supported by the OpenLDAP libraries.

TLS_CACERTDIR directory
    Similar to TLS_CACERTFILE but instead of a file, it is a directory
    containing individual Certificate Authority certificates, e.g.
    /etc/ssl/certs. The directory specified by TLS_CACERTDIR is
    checked after TLS_CACERTFILE. This option is only supported by the

TLS_CERT file name
    The path to a file containing the client certificate which can be
    used to authenticate the client to the LDAP server. The
    certificate type depends on the LDAP libraries used.

        tls_cert /etc/ssl/client_cert.pem

        tls_cert /var/ldap/cert7.db

    When using Netscape-derived libraries, this file may also contain
    Certificate Authority certificates.

TLS_KEY file name
    The path to a file containing the private key which matches the
    certificate specified by TLS_CERT. The private key must not be
    password-protected. The key type depends on the LDAP libraries

        tls_key /etc/ssl/client_key.pem

        tls_key /var/ldap/key3.db

TLS_RANDFILE file name
    The TLS_RANDFILE parameter specifies the path to an entropy source
    for systems that lack a random device. It is generally used in
    conjunction with prngd or egd. This option is only supported by
    the OpenLDAP libraries.

TLS_CIPHERS cipher list
    The TLS_CIPHERS parameter allows the administrator to restrict which
    encryption algorithms may be used for TLS (SSL) connections. See
    the OpenSSL manual for a list of valid ciphers. This option is
    only supported by the OpenLDAP libraries.

USE_SASL on/true/yes/off/false/no
    Enable USE_SASL for LDAP servers that support SASL authentication.

SASL_AUTH_ID identity
    The SASL user name to use when connecting to the LDAP server. By
    default, sudo will use an anonymous connection.

ROOTUSE_SASL on/true/yes/off/false/no
    Enable ROOTUSE_SASL to enable SASL authentication when connecting
    to an LDAP server from a privileged process, such as sudo.

ROOTSASL_AUTH_ID identity
    The SASL user name to use when ROOTUSE_SASL is enabled.

SASL_SECPROPS none/properties
    SASL security properties or none for no properties. See the SASL
    programmer's manual for details.

KRB5_CCNAME file name
    The path to the Kerberos 5 credential cache to use when
    authenticating with the remote server.

See the ldap.conf entry in the EXAMPLES section.

Configuring nsswitch.conf

Unless it is disabled at build time, sudo consults the Name Service
Switch file, @nsswitch_conf@, to specify the sudoers search order.
Sudo looks for a line beginning with sudoers: and uses this to
determine the search order. Note that sudo does not stop searching
after the first match and later matches take precedence over earlier

The following sources are recognized:

    files       read sudoers from /etc/sudoers
    ldap        read sudoers from LDAP

In addition, the entry [NOTFOUND=return] will short-circuit the search
if the user was not found in the preceding source.

To consult LDAP first followed by the local sudoers file (if it

The local sudoers file can be ignored completely by using:

If the @nsswitch_conf@ file is not present or there is no sudoers line,
the following default is assumed:

Note that @nsswitch_conf@ is supported even when the underlying
operating system does not use an nsswitch.conf file.

@ldap_conf@             LDAP configuration file

@nsswitch_conf@         determines sudoers source order

Example ldap.conf

    # Either specify one or more URIs or one or more host:port pairs.
    # If neither is specified sudo will default to localhost, port 389.

    #host ldapserver1 ldapserver2:390

    # Default port if host is specified without one, defaults to 389.

    # URI will override the host and port settings.
    uri ldap://ldapserver
    #uri ldaps://secureldapserver
    #uri ldaps://secureldapserver ldap://ldapserver

    # The amount of time, in seconds, to wait while trying to connect to

    # The amount of time, in seconds, to wait while performing an LDAP query.

    # must be set or sudo will ignore LDAP
    sudoers_base ou=SUDOers,dc=example,dc=com

    # verbose sudoers matching from ldap

    # optional proxy credentials
    #binddn <who to search as>

    #rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>

    # LDAP protocol version, defaults to 3

    # Define if you want to use an encrypted LDAP connection.
    # Typically, you must also set the port to 636 (ldaps).

    # Define if you want to use port 389 and switch to
    # encryption before the bind credentials are sent.
    # Only supported by LDAP servers that support the start_tls
    # extension such as OpenLDAP.

    # Additional TLS options follow that allow tweaking of the
    # SSL/TLS connection.

    #tls_checkpeer yes # verify server SSL certificate
    #tls_checkpeer no # ignore server SSL certificate

    # If you enable tls_checkpeer, specify either tls_cacertfile
    # or tls_cacertdir. Only supported when using OpenLDAP.

    #tls_cacertfile /etc/certs/trusted_signers.pem
    #tls_cacertdir /etc/certs

    # For systems that don't have /dev/random
    # use this along with PRNGD or EGD.pl to seed the
    # random number pool to generate cryptographic session keys.
    # Only supported when using OpenLDAP.

    #tls_randfile /etc/egd-pool

    # You may restrict which ciphers are used. Consult your SSL
    # documentation for which options go here.
    # Only supported when using OpenLDAP.

    #tls_ciphers <cipher-list>

    # Sudo can provide a client certificate when communicating to

    # * Enable both lines at the same time.
    # * Do not password protect the key file.
    # * Ensure the keyfile is only readable by root.

    #tls_cert /etc/certs/client_cert.pem
    #tls_key /etc/certs/client_key.pem

    # For SunONE or iPlanet LDAP, the file specified by tls_cert may
    # contain CA certs and/or the client's cert. If the client's
    # cert is included, tls_key should be specified as well.
    # For backward compatibility, sslpath may be used in place of tls_cert.
    #tls_cert /var/ldap/cert7.db
    #tls_key /var/ldap/key3.db

    # If using SASL authentication for LDAP (OpenSSL)

    # sasl_auth_id <SASL username>

    # rootsasl_auth_id <SASL username for root access>

    # krb5_ccname /etc/.ldapcache
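
An added example (not shipped with sudo): a Python audit of an ldap.conf like the one above that reports an unencrypted connection, TLS without tls_checkpeer explicitly enabled, a missing CA store, an absent sudoers_base, and sudoers_debug left on. The function names and finding codes are hypothetical and the three sample files are constructed. The CA-store check assumes the OpenLDAP libraries, and dropping text after '#' and letting a repeated keyword override the earlier one are assumptions about the parser.

```python
TRUTHY = {"on", "true", "yes"}


def parse_ldap_conf(text):
    """Return {keyword: value}. Keywords are case-independent; text after '#'
    is dropped and a repeated keyword overrides the earlier one (assumptions)."""
    conf = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(None, 1)
        if fields:
            conf[fields[0].lower()] = fields[1].strip() if len(fields) > 1 else ""
    return conf


def audit(text):
    """Return a list of finding codes for one ldap.conf."""
    conf = parse_ldap_conf(text)
    findings = []
    if "sudoers_base" not in conf:
        findings.append("sudoers_base-missing")    # sudo will ignore LDAP
    ssl = conf.get("ssl", "").lower()
    uris = conf.get("uri", "").split()
    # A list that mixes ldaps:// with ldap:// still has a cleartext server in it.
    all_ldaps = bool(uris) and all(u.lower().startswith("ldaps://") for u in uris)
    if not (ssl in TRUTHY or ssl == "start_tls" or all_ldaps):
        findings.append("cleartext-transport")     # no TLS on the connection
    elif conf.get("tls_checkpeer", "").lower() not in TRUTHY:
        findings.append("peer-not-verified")       # not enabled explicitly
    elif not ({"tls_cacertfile", "tls_cacertdir"} & conf.keys()):
        findings.append("no-ca-store")             # OpenLDAP libraries assumed
    if conf.get("sudoers_debug", "0") != "0":
        findings.append("sudoers_debug-set")       # not for production use
    return findings


# Constructed sample files, modelled on the example ldap.conf above.
CLEARTEXT = """\
uri ldap://ldapserver
sudoers_base ou=SUDOers,dc=example,dc=com
binddn cn=sudo-reader,dc=example,dc=com
bindpw constructed-example-password
sudoers_debug 2
"""

UNVERIFIED = """\
URI ldap://ldapserver
sudoers_base ou=SUDOers,dc=example,dc=com
ssl start_tls
tls_checkpeer no # ignore server SSL certificate
"""

HARDENED = """\
uri ldaps://secureldapserver
sudoers_base ou=SUDOers,dc=example,dc=com
tls_checkpeer yes # verify server SSL certificate
tls_cacertfile /etc/certs/trusted_signers.pem
"""

if __name__ == "__main__":
    for name, text in (("cleartext", CLEARTEXT), ("unverified", UNVERIFIED),
                       ("hardened", HARDENED)):
        print(name, audit(text) or "no findings")
```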

Sudo schema for OpenLDAP

The following schema is in OpenLDAP format. Simply copy it to the
schema directory (e.g. /etc/openldap/schema), add the proper include
line in slapd.conf and restart slapd.

    attributetype ( 1.3.6.1.4.1.15953.9.1.1
       DESC 'User(s) who may run sudo'
       EQUALITY caseExactIA5Match
       SUBSTR caseExactIA5SubstringsMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

    attributetype ( 1.3.6.1.4.1.15953.9.1.2
       DESC 'Host(s) who may run sudo'
       EQUALITY caseExactIA5Match
       SUBSTR caseExactIA5SubstringsMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

    attributetype ( 1.3.6.1.4.1.15953.9.1.3
       DESC 'Command(s) to be executed by sudo'
       EQUALITY caseExactIA5Match
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

    attributetype ( 1.3.6.1.4.1.15953.9.1.4
       DESC 'User(s) impersonated by sudo'
       EQUALITY caseExactIA5Match
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

    attributetype ( 1.3.6.1.4.1.15953.9.1.5
       DESC 'Options(s) followed by sudo'
       EQUALITY caseExactIA5Match
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

    attributetype ( 1.3.6.1.4.1.15953.9.1.6
       DESC 'User(s) impersonated by sudo'
       EQUALITY caseExactIA5Match
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

    attributetype ( 1.3.6.1.4.1.15953.9.1.7
       NAME 'sudoRunAsGroup'
       DESC 'Group(s) impersonated by sudo'
       EQUALITY caseExactIA5Match
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

    objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
       DESC 'Sudoer Entries'
       MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
             sudoRunAsGroup $ sudoOption $ description )

Add nsswitch.conf example? Add more exhaustive sudoers ldif example?

ldap.conf(4), sudoers(5)

Note that there are differences in the way that LDAP-based sudoers is
parsed compared to file-based sudoers. See the "Differences between
LDAP and non-LDAP sudoers" section for more information.

If you feel you have found a bug in sudo, please submit a bug report at
http://www.sudo.ws/sudo/bugs/

Limited free support is available via the sudo-users mailing list, see
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search

sudo is provided "AS IS" and any express or implied warranties,
including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose are disclaimed.
See the LICENSE file distributed with sudo or
http://www.sudo.ws/sudo/license.html for complete details.

1.7.0 October 24, 2008