« back to all changes in this revision
Viewing changes to sudoers.ldap.cat
- browse files at revision 29
- compare with another revision
- download diff
- download tarball
- view history from revision 29
- Committer: Bazaar Package Importer
- Author(s): Martin Pitt
- Date: 2009-05-11 18:07:03 UTC
- mfrom: (1.1.6 squeeze)
- Revision ID: james.westby@ubuntu.com-20090511180703-vl2t8cem14g6r61c
Tags: 1.7.0-1ubuntu1
* Merge from debian unstable, remaining changes:
- debian/rules: Disable lecture, enable tty_tickets by default. (Ubuntu
specific)
- Add debian/sudo_root.8: Explanation of root handling through sudo.
Install it in debian/rules. (Ubuntu specific)
- sudo.c: If the user successfully authenticated and he is in the 'admin'
group, then create a stamp ~/.sudo_as_admin_successful. Our default bash
profile checks for this and displays a short intro about sudo if the
flag is not present. (Ubuntu specific)
- env.c: Add "http_proxy" to initial_keepenv_table, so that it is kept
for "sudo apt-get ...". (Ubuntu specific EBW hack, should disappear at
some point)
- debian/{rules,postinst,sudo-ldap.postinst}: Disable init script
installation. Debian reintroduced it because /var/run tmpfs is not the
default there, but has been on Ubuntu for ages.
- debian/rules: Disable lecture, enable tty_tickets by default. (Ubuntu
specific)
- Add debian/sudo_root.8: Explanation of root handling through sudo.
Install it in debian/rules. (Ubuntu specific)
- sudo.c: If the user successfully authenticated and he is in the 'admin'
group, then create a stamp ~/.sudo_as_admin_successful. Our default bash
profile checks for this and displays a short intro about sudo if the
flag is not present. (Ubuntu specific)
- env.c: Add "http_proxy" to initial_keepenv_table, so that it is kept
for "sudo apt-get ...". (Ubuntu specific EBW hack, should disappear at
some point)
- debian/{rules,postinst,sudo-ldap.postinst}: Disable init script
installation. Debian reintroduced it because /var/run tmpfs is not the
default there, but has been on Ubuntu for ages.
added
removed
sudoers.ldap.cat
1
2
3
4
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
5
6
7
NNAAMMEE
8
sudoers.ldap - sudo LDAP configuration
9
10
DDEESSCCRRIIPPTTIIOONN
11
In addition to the standard _s_u_d_o_e_r_s file, ssuuddoo may be configured via
12
LAP. This can be especially useful for synchronizing _s_u_d_o_e_r_s in a
13
large, distributed environment.
14
15
Using LDAP for _s_u_d_o_e_r_s has several benefits:
16
17
+o ssuuddoo no longer needs to read _s_u_d_o_e_r_s in its entirety. When LDAP is
18
used, there are only two or three LDAP queries per invocation.
19
This makes it especially fast and particularly usable in LDAP
20
environments.
21
22
+o ssuuddoo no longer exits if there is a typo in _s_u_d_o_e_r_s. It is not
23
possible to load LDAP data into the server that does not conform to
24
the sudoers schema, so proper syntax is guaranteed. It is still
25
possible to have typos in a user or host name, but this will not
26
prevent ssuuddoo from running.
27
28
+o It is possible to specify per-entry options that override the
29
global default options. _@_s_y_s_c_o_n_f_d_i_r_@_/_s_u_d_o_e_r_s only supports default
30
options and limited options associated with
31
user/host/commands/aliases. The syntax is complicated and can be
32
difficult for users to understand. Placing the options directly in
33
the entry is more natural.
34
35
+o The vviissuuddoo program is no longer needed. vviissuuddoo provides locking
36
and syntax checking of the _@_s_y_s_c_o_n_f_d_i_r_@_/_s_u_d_o_e_r_s file. Since LDAP
37
updates are atomic, locking is no longer necessary. Because syntax
38
is checked when the data is inserted into LDAP, there is no need
39
for a specialized tool to check syntax.
40
41
Another major difference between LDAP and file-based _s_u_d_o_e_r_s is that in
42
LDAP, ssuuddoo-specific Aliases are not supported.
43
44
For the most part, there is really no need for ssuuddoo-specific Aliases.
45
Unix groups or user netgroups can be used in place of User_Aliases and
46
RunasAliases. Host netgroups can be used in place of HostAliases.
47
Since Unix groups and netgroups can also be stored in LDAP there is no
48
real need for ssuuddoo-specific aliases.
49
50
Cmnd_Aliases are not really required either since it is possible to
51
have multiple users listed in a sudoRole. Instead of defining a
52
Cmnd_Alias that is referenced by multiple users, one can create a
53
sudoRole that contains the commands and assign multiple users to it.
54
55
SSUUDDOOeerrss LLDDAAPP ccoonnttaaiinneerr
56
57
The _s_u_d_o_e_r_s configuration is contained in the ou=SUDOers LDAP
58
container.
59
60
Sudo first looks for the cn=default entry in the SUDOers container. If
61
62
63
64
1.7.0 October 24, 2008 1
65
66
67
68
69
70
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
71
72
73
found, the multi-valued sudoOption attribute is parsed in the same
74
manner as a global Defaults line in _@_s_y_s_c_o_n_f_d_i_r_@_/_s_u_d_o_e_r_s. In the
75
following example, the SSH_AUTH_SOCK variable will be preserved in the
76
environment for all users.
77
78
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
79
objectClass: top
80
objectClass: sudoRole
81
cn: defaults
82
description: Default sudoOption's go here
83
sudoOption: env_keep+=SSH_AUTH_SOCK
84
85
The equivalent of a sudoer in LDAP is a sudoRole. It consists of the
86
following components:
87
88
ssuuddooUUsseerr
89
A user name, uid (prefixed with '#'), Unix group (prefixed with a
90
'%') or user netgroup (prefixed with a '+').
91
92
ssuuddooHHoosstt
93
A host name, IP address, IP network, or host netgroup (prefixed
94
with a '+'). The special value ALL will match any host.
95
96
ssuuddooCCoommmmaanndd
97
A Unix command with optional command line arguments, potentially
98
including globbing characters (aka wild cards). The special value
99
ALL will match any command. If a command is prefixed with an
100
exclamation point '!', the user will be prohibited from running
101
that command.
102
103
ssuuddooOOppttiioonn
104
Identical in function to the global options described above, but
105
specific to the sudoRole in which it resides.
106
107
ssuuddooRRuunnAAssUUsseerr
108
A user name or uid (prefixed with '#') that commands may be run as
109
or a Unix group (prefixed with a '%') or user netgroup (prefixed
110
with a '+') that contains a list of users that commands may be run
111
as. The special value ALL will match any user.
112
113
ssuuddooRRuunnAAssGGrroouupp
114
A Unix group or gid (prefixed with '#') that commands may be run
115
as. The special value ALL will match any group.
116
117
Each component listed above should contain a single value, but there
118
may be multiple instances of each component type. A sudoRole must
119
contain at least one sudoUser, sudoHost and sudoCommand.
120
121
The following example allows users in group wheel to run any command on
122
any host via ssuuddoo:
123
124
125
126
127
128
129
130
1.7.0 October 24, 2008 2
131
132
133
134
135
136
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
137
138
139
dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
140
objectClass: top
141
objectClass: sudoRole
142
cn: %wheel
143
sudoUser: %wheel
144
sudoHost: ALL
145
sudoCommand: ALL
146
147
AAnnaattoommyy ooff LLDDAAPP ssuuddooeerrss llooookkuupp
148
149
When looking up a sudoer using LDAP there are only two or three LDAP
150
queries per invocation. The first query is to parse the global
151
options. The second is to match against the user's name and the groups
152
that the user belongs to. (The special ALL tag is matched in this
153
query too.) If no match is returned for the user's name and groups, a
154
third query returns all entries containing user netgroups and checks to
155
see if the user belongs to any of them.
156
157
DDiiffffeerreenncceess bbeettwweeeenn LLDDAAPP aanndd nnoonn--LLDDAAPP ssuuddooeerrss
158
159
There are some subtle differences in the way sudoers is handled once in
160
LDAP. Probably the biggest is that according to the RFC, LDAP ordering
161
is arbitrary and you cannot expect that Attributes and Entries are
162
returned in any specific order. If there are conflicting command rules
163
on an entry, the negative takes precedence. This is called paranoid
164
behavior (not necessarily the most specific match).
165
166
Here is an example:
167
168
# /etc/sudoers:
169
# Allow all commands except shell
170
johnny ALL=(root) ALL,!/bin/sh
171
# Always allows all commands because ALL is matched last
172
puddles ALL=(root) !/bin/sh,ALL
173
174
# LDAP equivalent of johnny
175
# Allows all commands except shell
176
dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
177
objectClass: sudoRole
178
objectClass: top
179
cn: role1
180
sudoUser: johnny
181
sudoHost: ALL
182
sudoCommand: ALL
183
sudoCommand: !/bin/sh
184
185
# LDAP equivalent of puddles
186
# Notice that even though ALL comes last, it still behaves like
187
# role1 since the LDAP code assumes the more paranoid configuration
188
dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
189
objectClass: sudoRole
190
objectClass: top
191
cn: role2
192
sudoUser: puddles
193
194
195
196
1.7.0 October 24, 2008 3
197
198
199
200
201
202
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
203
204
205
sudoHost: ALL
206
sudoCommand: !/bin/sh
207
sudoCommand: ALL
208
209
Another difference is that negations on the Host, User or Runas are
210
currently ignorred. For example, the following attributes do not
211
behave the way one might expect.
212
213
# does not match all but joe
214
# rather, does not match anyone
215
sudoUser: !joe
216
217
# does not match all but joe
218
# rather, matches everyone including Joe
219
sudoUser: ALL
220
sudoUser: !joe
221
222
# does not match all but web01
223
# rather, matches all hosts including web01
224
sudoHost: ALL
225
sudoHost: !web01
226
227
SSuuddooeerrss SScchheemmaa
228
229
In order to use ssuuddoo's LDAP support, the ssuuddoo schema must be installed
230
on your LDAP server. In addition, be sure to index the 'sudoUser'
231
attribute.
232
233
Three versions of the schema: one for OpenLDAP servers
234
(_s_c_h_e_m_a_._O_p_e_n_L_D_A_P), one for Netscape-derived servers (_s_c_h_e_m_a_._i_P_l_a_n_e_t),
235
and one for Microsoft Active Directory (_s_c_h_e_m_a_._A_c_t_i_v_e_D_i_r_e_c_t_o_r_y) may be
236
found in the ssuuddoo distribution.
237
238
The schema for ssuuddoo in OpenLDAP form is included in the EXAMPLES
239
section.
240
241
CCoonnffiigguurriinngg llddaapp..ccoonnff
242
243
Sudo reads the _@_l_d_a_p___c_o_n_f_@ file for LDAP-specific configuration.
244
Typically, this file is shared amongst different LDAP-aware clients.
245
As such, most of the settings are not ssuuddoo-specific. Note that ssuuddoo
246
parses _@_l_d_a_p___c_o_n_f_@ itself and may support options that differ from
247
those described in the _l_d_a_p_._c_o_n_f(4) manual.
248
249
Also note that on systems using the OpenLDAP libraries, default values
250
specified in _/_e_t_c_/_o_p_e_n_l_d_a_p_/_l_d_a_p_._c_o_n_f or the user's _._l_d_a_p_r_c files are
251
not used.
252
253
Only those options explicitly listed in _@_l_d_a_p___c_o_n_f_@ that are supported
254
by ssuuddoo are honored. Configuration options are listed below in upper
255
case but are parsed in a case-independent manner.
256
257
UURRII ldap[s]://[hostname[:port]] ...
258
Specifies a whitespace-delimited list of one or more URIs
259
260
261
262
1.7.0 October 24, 2008 4
263
264
265
266
267
268
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
269
270
271
describing the LDAP server(s) to connect to. The _p_r_o_t_o_c_o_l may be
272
either llddaapp or llddaappss, the latter being for servers that support TLS
273
(SSL) encryption. If no _p_o_r_t is specified, the default is port 389
274
for ldap:// or port 636 for ldaps://. If no _h_o_s_t_n_a_m_e is specified,
275
ssuuddoo will connect to llooccaallhhoosstt. Only systems using the OpenSSL
276
libraries support the mixing of ldap:// and ldaps:// URIs. The
277
Netscape-derived libraries used on most commercial versions of Unix
278
are only capable of supporting one or the other.
279
280
HHOOSSTT name[:port] ...
281
If no UURRII is specified, the HHOOSSTT parameter specifies a whitespace-
282
delimited list of LDAP servers to connect to. Each host may
283
include an optional _p_o_r_t separated by a colon (':'). The HHOOSSTT
284
parameter is deprecated in favor of the UURRII specification and is
285
included for backwards compatibility.
286
287
PPOORRTT port_number
288
If no UURRII is specified, the PPOORRTT parameter specifies the default
289
port to connect to on the LDAP server if a HHOOSSTT parameter does not
290
specify the port itself. If no PPOORRTT parameter is used, the default
291
is port 389 for LDAP and port 636 for LDAP over TLS (SSL). The
292
PPOORRTT parameter is deprecated in favor of the UURRII specification and
293
is included for backwards compatibility.
294
295
BBIINNDD__TTIIMMEELLIIMMIITT seconds
296
The BBIINNDD__TTIIMMEELLIIMMIITT parameter specifies the amount of time, in
297
seconds, to wait while trying to connect to an LDAP server. If
298
multiple UURRIIs or HHOOSSTTs are specified, this is the amount of time to
299
wait before trying the next one in the list.
300
301
TTIIMMEELLIIMMIITT seconds
302
The TTIIMMEELLIIMMIITT parameter specifies the amount of time, in seconds,
303
to wait for a response to an LDAP query.
304
305
SSUUDDOOEERRSS__BBAASSEE base
306
The base DN to use when performing ssuuddoo LDAP queries. Typically
307
this is of the form ou=SUDOers,dc=example,dc=com for the domain
308
example.com.
309
310
SSUUDDOOEERRSS__DDEEBBUUGG debug_level
311
This sets the debug level for ssuuddoo LDAP queries. Debugging
312
information is printed to the standard error. A value of 1 results
313
in a moderate amount of debugging information. A value of 2 shows
314
the results of the matches themselves. This parameter should not
315
be set in a production environment as the extra information is
316
likely to confuse users.
317
318
BBIINNDDDDNN DN
319
The BBIINNDDDDNN parameter specifies the identity, in the form of a
320
Distinguished Name (DN), to use when performing LDAP operations.
321
If not specified, LDAP operations are performed with an anonymous
322
identity. By default, most LDAP servers will allow anonymous
323
access.
324
325
326
327
328
1.7.0 October 24, 2008 5
329
330
331
332
333
334
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
335
336
337
BBIINNDDPPWW secret
338
The BBIINNDDPPWW parameter specifies the password to use when performing
339
LDAP operations. This is typically used in conjunction with the
340
BBIINNDDDDNN parameter.
341
342
RROOOOTTBBIINNDDDDNN DN
343
The RROOOOTTBBIINNDDDDNN parameter specifies the identity, in the form of a
344
Distinguished Name (DN), to use when performing privileged LDAP
345
operations, such as _s_u_d_o_e_r_s queries. The password corresponding to
346
the identity should be stored in _@_l_d_a_p___s_e_c_r_e_t_@. If not specified,
347
the BBIINNDDDDNN identity is used (if any).
348
349
LLDDAAPP__VVEERRSSIIOONN number
350
The version of the LDAP protocol to use when connecting to the
351
server. The default value is protocol version 3.
352
353
SSSSLL on/true/yes/off/false/no
354
If the SSSSLL parameter is set to on, true or yes, TLS (SSL)
355
encryption is always used when communicating with the LDAP server.
356
Typically, this involves connecting to the server on port 636
357
(ldaps).
358
359
SSSSLL start_tls
360
If the SSSSLL parameter is set to start_tls, the LDAP server
361
connection is initiated normally and TLS encryption is begun before
362
the bind credentials are sent. This has the advantage of not
363
requiring a dedicated port for encrypted communications. This
364
parameter is only supported by LDAP servers that honor the
365
start_tls extension, such as the OpenLDAP server.
366
367
TTLLSS__CCHHEECCKKPPEEEERR on/true/yes/off/false/no
368
If enabled, TTLLSS__CCHHEECCKKPPEEEERR will cause the LDAP server's TLS
369
certificated to be verified. If the server's TLS certificate
370
cannot be verified (usually because it is signed by an unknown
371
certificate authority), ssuuddoo will be unable to connect to it. If
372
TTLLSS__CCHHEECCKKPPEEEERR is disabled, no check is made.
373
374
TTLLSS__CCAACCEERRTTFFIILLEE file name
375
The path to a certificate authority bundle which contains the
376
certificates for all the Certificate Authorities the client knows
377
to be valid, e.g. _/_e_t_c_/_s_s_l_/_c_a_-_b_u_n_d_l_e_._p_e_m. This option is only
378
supported by the OpenLDAP libraries.
379
380
TTLLSS__CCAACCEERRTTDDIIRR directory
381
Similar to TTLLSS__CCAACCEERRTTFFIILLEE but instead of a file, it is a directory
382
containing individual Certificate Authority certificates, e.g.
383
_/_e_t_c_/_s_s_l_/_c_e_r_t_s. The directory specified by TTLLSS__CCAACCEERRTTDDIIRR is
384
checked after TTLLSS__CCAACCEERRTTFFIILLEE. This option is only supported by the
385
OpenLDAP libraries.
386
387
TTLLSS__CCEERRTT file name
388
The path to a file containing the client certificate which can be
389
used to authenticate the client to the LDAP server. The
390
certificate type depends on the LDAP libraries used.
391
392
393
394
1.7.0 October 24, 2008 6
395
396
397
398
399
400
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
401
402
403
OpenLDAP:
404
tls_cert /etc/ssl/client_cert.pem
405
406
Netscape-derived:
407
tls_cert /var/ldap/cert7.db
408
409
When using Netscape-derived libraries, this file may also contain
410
Certificate Authority certificates.
411
412
TTLLSS__KKEEYY file name
413
The path to a file containing the private key which matches the
414
certificate specified by TTLLSS__CCEERRTT. The private key must not be
415
password-protected. The key type depends on the LDAP libraries
416
used.
417
418
OpenLDAP:
419
tls_key /etc/ssl/client_key.pem
420
421
Netscape-derived:
422
tls_key /var/ldap/key3.db
423
424
TTLLSS__RRAANNDDFFIILLEE file name
425
The TTLLSS__RRAANNDDFFIILLEE parameter specifies the path to an entropy source
426
for systems that lack a random device. It is generally used in
427
conjunction with _p_r_n_g_d or _e_g_d. This option is only supported by
428
the OpenLDAP libraries.
429
430
TTLLSS__CCIIPPHHEERRSS cipher list
431
The TTLLSS__CCIIPPHHEERRSS parameter allows the administer to restrict which
432
encryption algorithms may be used for TLS (SSL) connections. See
433
the OpenSSL manual for a list of valid ciphers. This option is
434
only supported by the OpenLDAP libraries.
435
436
UUSSEE__SSAASSLL on/true/yes/off/false/no
437
Enable UUSSEE__SSAASSLL for LDAP servers that support SASL authentication.
438
439
SSAASSLL__AAUUTTHH__IIDD identity
440
The SASL user name to use when connecting to the LDAP server. By
441
default, ssuuddoo will use an anonymous connection.
442
443
RROOOOTTUUSSEE__SSAASSLL on/true/yes/off/false/no
444
Enable RROOOOTTUUSSEE__SSAASSLL to enable SASL authentication when connecting
445
to an LDAP server from a privileged process, such as ssuuddoo.
446
447
RROOOOTTSSAASSLL__AAUUTTHH__IIDD identity
448
The SASL user name to use when RROOOOTTUUSSEE__SSAASSLL is enabled.
449
450
SSAASSLL__SSEECCPPRROOPPSS none/properties
451
SASL security properties or _n_o_n_e for no properties. See the SASL
452
programmer's manual for details.
453
454
KKRRBB55__CCCCNNAAMMEE file name
455
The path to the Kerberos 5 credential cache to use when
456
authenticating with the remote server.
457
458
459
460
1.7.0 October 24, 2008 7
461
462
463
464
465
466
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
467
468
469
See the ldap.conf entry in the EXAMPLES section.
470
471
CCoonnffiigguurriinngg nnsssswwiittcchh..ccoonnff
472
473
Unless it is disabled at build time, ssuuddoo consults the Name Service
474
Switch file, _@_n_s_s_w_i_t_c_h___c_o_n_f_@, to specify the _s_u_d_o_e_r_s search order.
475
Sudo looks for a line beginning with sudoers: and uses this to
476
determine the search order. Note that ssuuddoo does not stop searching
477
after the first match and later matches take precedence over earlier
478
ones.
479
480
The following sources are recognized:
481
482
files read sudoers from F</etc/sudoers>
483
ldap read sudoers from LDAP
484
485
In addition, the entry [NOTFOUND=return] will short-circuit the search
486
if the user was not found in the preceding source.
487
488
To consult LDAP first followed by the local sudoers file (if it
489
exists), use:
490
491
sudoers: ldap files
492
493
The local _s_u_d_o_e_r_s file can be ignored completely by using:
494
495
sudoers: ldap
496
497
If the _@_n_s_s_w_i_t_c_h___c_o_n_f_@ file is not present or there is no sudoers line,
498
the following default is assumed:
499
500
sudoers: files
501
502
Note that _@_n_s_s_w_i_t_c_h___c_o_n_f_@ is supported even when the underlying
503
operating system does not use an nsswitch.conf file.
504
505
FFIILLEESS
506
_@_l_d_a_p___c_o_n_f_@ LDAP configuration file
507
508
_@_n_s_s_w_i_t_c_h___c_o_n_f_@ determines sudoers source order
509
510
EEXXAAMMPPLLEESS
511
EExxaammppllee llddaapp..ccoonnff
512
513
# Either specify one or more URIs or one or more host:port pairs.
514
# If neither is specified sudo will default to localhost, port 389.
515
#
516
#host ldapserver
517
#host ldapserver1 ldapserver2:390
518
#
519
# Default port if host is specified without one, defaults to 389.
520
#port 389
521
#
522
# URI will override the host and port settings.
523
524
525
526
1.7.0 October 24, 2008 8
527
528
529
530
531
532
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
533
534
535
uri ldap://ldapserver
536
#uri ldaps://secureldapserver
537
#uri ldaps://secureldapserver ldap://ldapserver
538
#
539
# The amount of time, in seconds, to wait while trying to connect to
540
# an LDAP server.
541
bind_timelimit 30
542
#
543
# The amount of time, in seconds, to wait while performing an LDAP query.
544
timelimit 30
545
#
546
# must be set or sudo will ignore LDAP
547
sudoers_base ou=SUDOers,dc=example,dc=com
548
#
549
# verbose sudoers matching from ldap
550
#sudoers_debug 2
551
#
552
# optional proxy credentials
553
#binddn <who to search as>
554
#bindpw <password>
555
#rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>
556
#
557
# LDAP protocol version, defaults to 3
558
#ldap_version 3
559
#
560
# Define if you want to use an encrypted LDAP connection.
561
# Typically, you must also set the port to 636 (ldaps).
562
#ssl on
563
#
564
# Define if you want to use port 389 and switch to
565
# encryption before the bind credentials are sent.
566
# Only supported by LDAP servers that support the start_tls
567
# extension such as OpenLDAP.
568
#ssl start_tls
569
#
570
# Additional TLS options follow that allow tweaking of the
571
# SSL/TLS connection.
572
#
573
#tls_checkpeer yes # verify server SSL certificate
574
#tls_checkpeer no # ignore server SSL certificate
575
#
576
# If you enable tls_checkpeer, specify either tls_cacertfile
577
# or tls_cacertdir. Only supported when using OpenLDAP.
578
#
579
#tls_cacertfile /etc/certs/trusted_signers.pem
580
#tls_cacertdir /etc/certs
581
#
582
# For systems that don't have /dev/random
583
# use this along with PRNGD or EGD.pl to seed the
584
# random number pool to generate cryptographic session keys.
585
# Only supported when using OpenLDAP.
586
#
587
#tls_randfile /etc/egd-pool
588
#
589
590
591
592
1.7.0 October 24, 2008 9
593
594
595
596
597
598
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
599
600
601
# You may restrict which ciphers are used. Consult your SSL
602
# documentation for which options go here.
603
# Only supported when using OpenLDAP.
604
#
605
#tls_ciphers <cipher-list>
606
#
607
# Sudo can provide a client certificate when communicating to
608
# the LDAP server.
609
# Tips:
610
# * Enable both lines at the same time.
611
# * Do not password protect the key file.
612
# * Ensure the keyfile is only readable by root.
613
#
614
# For OpenLDAP:
615
#tls_cert /etc/certs/client_cert.pem
616
#tls_key /etc/certs/client_key.pem
617
#
618
# For SunONE or iPlanet LDAP, the file specified by tls_cert may
619
# contain CA certs and/or the client's cert. If the client's
620
# cert is included, tls_key should be specified as well.
621
# For backward compatibility, sslpath may be used in place of tls_cert.
622
#tls_cert /var/ldap/cert7.db
623
#tls_key /var/ldap/key3.db
624
#
625
# If using SASL authentication for LDAP (OpenSSL)
626
# use_sasl yes
627
# sasl_auth_id <SASL username>
628
# rootuse_sasl yes
629
# rootsasl_auth_id <SASL username for root access>
630
# sasl_secprops none
631
# krb5_ccname /etc/.ldapcache
632
633
SSuuddoo sscchheemmaa ffoorr OOppeennLLDDAAPP
634
635
The following schema is in OpenLDAP format. Simply copy it to the
636
schema directory (e.g. _/_e_t_c_/_o_p_e_n_l_d_a_p_/_s_c_h_e_m_a), add the proper include
637
line in slapd.conf and restart ssllaappdd.
638
639
attributetype ( 1.3.6.1.4.1.15953.9.1.1
640
NAME 'sudoUser'
641
DESC 'User(s) who may run sudo'
642
EQUALITY caseExactIA5Match
643
SUBSTR caseExactIA5SubstringsMatch
644
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
645
646
attributetype ( 1.3.6.1.4.1.15953.9.1.2
647
NAME 'sudoHost'
648
DESC 'Host(s) who may run sudo'
649
EQUALITY caseExactIA5Match
650
SUBSTR caseExactIA5SubstringsMatch
651
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
652
653
attributetype ( 1.3.6.1.4.1.15953.9.1.3
654
NAME 'sudoCommand'
655
656
657
658
1.7.0 October 24, 2008 10
659
660
661
662
663
664
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
665
666
667
DESC 'Command(s) to be executed by sudo'
668
EQUALITY caseExactIA5Match
669
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
670
671
attributetype ( 1.3.6.1.4.1.15953.9.1.4
672
NAME 'sudoRunAs'
673
DESC 'User(s) impersonated by sudo'
674
EQUALITY caseExactIA5Match
675
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
676
677
attributetype ( 1.3.6.1.4.1.15953.9.1.5
678
NAME 'sudoOption'
679
DESC 'Options(s) followed by sudo'
680
EQUALITY caseExactIA5Match
681
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
682
683
attributetype ( 1.3.6.1.4.1.15953.9.1.6
684
NAME 'sudoRunAsUser'
685
DESC 'User(s) impersonated by sudo'
686
EQUALITY caseExactIA5Match
687
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
688
689
attributetype ( 1.3.6.1.4.1.15953.9.1.7
690
NAME 'sudoRunAsGroup'
691
DESC 'Group(s) impersonated by sudo'
692
EQUALITY caseExactIA5Match
693
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
694
695
objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
696
DESC 'Sudoer Entries'
697
MUST ( cn )
698
MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
699
sudoRunAsGroup $ sudoOption $ description )
700
)
701
702
Add nsswitch.conf example? Add more exhaustive sudoers ldif example?
703
704
SSEEEE AALLSSOO
705
_l_d_a_p_._c_o_n_f(4), _s_u_d_o_e_r_s(5)
706
707
CCAAVVEEAATTSS
708
The way that _s_u_d_o_e_r_s is parsed differs between Note that there are
709
differences in the way that LDAP-based _s_u_d_o_e_r_s is parsed compared to
710
file-based _s_u_d_o_e_r_s. See the "Differences between LDAP and non-LDAP
711
sudoers" section for more information.
712
713
BBUUGGSS
714
If you feel you have found a bug in ssuuddoo, please submit a bug report at
715
http://www.sudo.ws/sudo/bugs/
716
717
SSUUPPPPOORRTT
718
Limited free support is available via the sudo-users mailing list, see
719
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
720
the archives.
721
722
723
724
1.7.0 October 24, 2008 11
725
726
727
728
729
730
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
731
732
733
DDIISSCCLLAAIIMMEERR
734
ssuuddoo is provided ``AS IS'' and any express or implied warranties,
735
including, but not limited to, the implied warranties of
736
merchantability and fitness for a particular purpose are disclaimed.
737
See the LICENSE file distributed with ssuuddoo or
738
http://www.sudo.ws/sudo/license.html for complete details.
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
1.7.0 October 24, 2008 12
791
792
Loggerhead is a web-based interface for Breezy
Version: 2.0.1