SUDOERS.LDAP(4)           MAINTENANCE COMMANDS           SUDOERS.LDAP(4)

NAME
       sudoers.ldap - sudo LDAP configuration

DESCRIPTION
       In addition to the standard sudoers file, sudo may be configured via
       LDAP. This can be especially useful for synchronizing sudoers in a
       large, distributed environment.

       Using LDAP for sudoers has several benefits:

       o   sudo no longer needs to read sudoers in its entirety. When LDAP is
           used, there are only two or three LDAP queries per invocation.
           This makes it especially fast and particularly usable in LDAP
           environments.

       o   sudo no longer exits if there is a typo in sudoers. It is not
           possible to load LDAP data into the server that does not conform to
           the sudoers schema, so proper syntax is guaranteed. It is still
           possible to have typos in a user or host name, but this will not
           prevent sudo from running.

       o   It is possible to specify per-entry options that override the
           global default options. /etc/sudoers only supports default options
           and limited options associated with user/host/commands/aliases.
           The syntax is complicated and can be difficult for users to
           understand. Placing the options directly in the entry is more
           natural.

       o   The visudo program is no longer needed. visudo provides locking
           and syntax checking of the /etc/sudoers file. Since LDAP updates
           are atomic, locking is no longer necessary. Because syntax is
           checked when the data is inserted into LDAP, there is no need for a
           specialized tool to check syntax.

       Another major difference between LDAP and file-based sudoers is that in
       LDAP, sudo-specific Aliases are not supported.

       For the most part, there is really no need for sudo-specific Aliases.
       Unix groups or user netgroups can be used in place of User_Aliases and
       RunasAliases. Host netgroups can be used in place of HostAliases.
       Since Unix groups and netgroups can also be stored in LDAP there is no
       real need for sudo-specific aliases.

       Cmnd_Aliases are not really required either since it is possible to
       have multiple users listed in a sudoRole. Instead of defining a
       Cmnd_Alias that is referenced by multiple users, one can create a
       sudoRole that contains the commands and assign multiple users to it.

   SUDOers LDAP container
       The sudoers configuration is contained in the ou=SUDOers LDAP
       container.

1.7.4                          July 12, 2010                          1

       Sudo first looks for the cn=default entry in the SUDOers container. If
       found, the multi-valued sudoOption attribute is parsed in the same
       manner as a global Defaults line in /etc/sudoers. In the following
       example, the SSH_AUTH_SOCK variable will be preserved in the
       environment for all users.

           dn: cn=defaults,ou=SUDOers,dc=example,dc=com
           objectClass: top
           objectClass: sudoRole
           cn: defaults
           description: Default sudoOption's go here
           sudoOption: env_keep+=SSH_AUTH_SOCK

       The equivalent of a sudoer in LDAP is a sudoRole. It consists of the
       following components:

       sudoUser
           A user name, uid (prefixed with '#'), Unix group (prefixed with a
           '%') or user netgroup (prefixed with a '+').

       sudoHost
           A host name, IP address, IP network, or host netgroup (prefixed
           with a '+'). The special value ALL will match any host.

       sudoCommand
           A Unix command with optional command line arguments, potentially
           including globbing characters (aka wild cards). The special value
           ALL will match any command. If a command is prefixed with an
           exclamation point '!', the user will be prohibited from running
           that command.

       sudoOption
           Identical in function to the global options described above, but
           specific to the sudoRole in which it resides.

       sudoRunAsUser
           A user name or uid (prefixed with '#') that commands may be run as
           or a Unix group (prefixed with a '%') or user netgroup (prefixed
           with a '+') that contains a list of users that commands may be run
           as. The special value ALL will match any user.

       sudoRunAsGroup
           A Unix group or gid (prefixed with '#') that commands may be run
           as. The special value ALL will match any group.

       Each component listed above should contain a single value, but there
       may be multiple instances of each component type. A sudoRole must
       contain at least one sudoUser, sudoHost and sudoCommand.

       The following example allows users in group wheel to run any command on
       any host via sudo:

           dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
           objectClass: top
           objectClass: sudoRole
           cn: %wheel
           sudoUser: %wheel
           sudoHost: ALL
           sudoCommand: ALL

   Anatomy of LDAP sudoers lookup
       When looking up a sudoer using LDAP there are only two or three LDAP
       queries per invocation. The first query is to parse the global
       options. The second is to match against the user's name and the groups
       that the user belongs to. (The special ALL tag is matched in this
       query too.) If no match is returned for the user's name and groups, a
       third query returns all entries containing user netgroups and checks to
       see if the user belongs to any of them.

   Differences between LDAP and non-LDAP sudoers
       There are some subtle differences in the way sudoers is handled once in
       LDAP. Probably the biggest is that according to the RFC, LDAP ordering
       is arbitrary and you cannot expect that Attributes and Entries are
       returned in any specific order. If there are conflicting command rules
       on an entry, the negative takes precedence. This is called paranoid
       behavior (not necessarily the most specific match).

       Here is an example:

           # /etc/sudoers:
           # Allow all commands except shell
           johnny ALL=(root) ALL,!/bin/sh
           # Always allows all commands because ALL is matched last
           puddles ALL=(root) !/bin/sh,ALL

           # LDAP equivalent of johnny
           # Allows all commands except shell
           dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
           objectClass: sudoRole
           objectClass: top
           cn: role1
           sudoUser: johnny
           sudoHost: ALL
           sudoCommand: ALL
           sudoCommand: !/bin/sh

           # LDAP equivalent of puddles
           # Notice that even though ALL comes last, it still behaves like
           # role1 since the LDAP code assumes the more paranoid configuration
           dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
           objectClass: sudoRole
           objectClass: top
           cn: role2
           sudoUser: puddles
           sudoHost: ALL
           sudoCommand: !/bin/sh
           sudoCommand: ALL

       Another difference is that negations on the Host, User or Runas are
       currently ignored. For example, the following attributes do not
       behave the way one might expect.

           # does not match all but joe
           # rather, does not match anyone
           sudoUser: !joe

           # does not match all but joe
           # rather, matches everyone including Joe
           sudoUser: ALL
           sudoUser: !joe

           # does not match all but web01
           # rather, matches all hosts including web01
           sudoHost: ALL
           sudoHost: !web01
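
       The matching rules above (the sudoUser/sudoHost prefixes from the
       sudoRole description, the paranoid sudoCommand rule, and the ignored
       User/Host negations) modelled in Python, as an added example. This is
       not sudo's own code: it reimplements the behaviour the manual states so
       the outcomes for role1 and role2 can be compared with the file-based
       last-match rule. The users, groups, netgroups and role dictionaries are
       constructed stand-ins for the passwd, group and netgroup lookups sudo
       performs.

```python
"""Model of the sudoRole matching rules described in sudoers.ldap(4).

Added example, not sudo's own code: it reimplements the behaviour the manual
states so that the LDAP "paranoid" command rule and the ignored sudoUser and
sudoHost negations can be observed on data. All identities, groups, netgroups
and roles below are constructed stand-ins for the real passwd, group and
netgroup lookups.
"""
from fnmatch import fnmatchcase

# Constructed identity data (real sudo asks the system / NSS for these).
USERS = {"johnny": 1001, "puddles": 1002, "joe": 1003}
GROUPS = {"wheel": {"johnny"}, "ops": {"puddles", "joe"}}
USER_NETGROUPS = {"admins": {"joe"}}
HOST_NETGROUPS = {"webservers": {"web01", "web02"}}


def user_matches(sudo_user_values, user):
    """sudoUser: name, #uid, %group, +netgroup or ALL.

    Negated values ('!joe') are ignored, as the manual states: they neither
    match nor exclude anyone, so 'ALL' plus '!joe' still matches joe.
    """
    for value in sudo_user_values:
        if value.startswith("!"):
            continue  # negation on sudoUser is ignored
        if value == "ALL" or value == user:
            return True
        if value.startswith("#") and value[1:].isdigit():
            if USERS.get(user) == int(value[1:]):
                return True
        elif value.startswith("%"):
            if user in GROUPS.get(value[1:], ()):
                return True
        elif value.startswith("+"):
            if user in USER_NETGROUPS.get(value[1:], ()):
                return True
    return False


def host_matches(sudo_host_values, host):
    """sudoHost: host name, +netgroup or ALL; negations are ignored here too."""
    for value in sudo_host_values:
        if value.startswith("!"):
            continue  # negation on sudoHost is ignored
        if value == "ALL" or value == host:
            return True
        if value.startswith("+") and host in HOST_NETGROUPS.get(value[1:], ()):
            return True
    return False


def _command_hits(value, command):
    """Split a sudoCommand value into (negated, matched) for one command."""
    negated = value.startswith("!")
    pattern = value[1:] if negated else value
    return negated, pattern == "ALL" or fnmatchcase(command, pattern)


def command_allowed_ldap(sudo_command_values, command):
    """LDAP rule: attribute order is arbitrary, so any matching negated
    command overrides any matching positive one ('paranoid' behaviour)."""
    allowed = False
    for value in sudo_command_values:
        negated, matched = _command_hits(value, command)
        if matched and negated:
            return False
        if matched:
            allowed = True
    return allowed


def command_allowed_file(cmnd_list, command):
    """File-based sudoers rule for comparison: the last matching entry
    in the comma-separated command list decides."""
    decision = False
    for value in cmnd_list:
        negated, matched = _command_hits(value, command)
        if matched:
            decision = not negated
    return decision


def role_permits(role, user, host, command):
    """A sudoRole needs all three required components to match."""
    return (user_matches(role["sudoUser"], user)
            and host_matches(role["sudoHost"], host)
            and command_allowed_ldap(role["sudoCommand"], command))


# The manual's role1/role2 entries, reduced to their attribute values.
ROLE1 = {"sudoUser": ["johnny"], "sudoHost": ["ALL"],
         "sudoCommand": ["ALL", "!/bin/sh"]}
ROLE2 = {"sudoUser": ["puddles"], "sudoHost": ["ALL"],
         "sudoCommand": ["!/bin/sh", "ALL"]}

if __name__ == "__main__":
    for name, role, user in (("role1", ROLE1, "johnny"), ("role2", ROLE2, "puddles")):
        for cmd in ("/bin/sh", "/bin/ls"):
            print(name, user, cmd, "LDAP:", role_permits(role, user, "web01", cmd),
                  "file:", command_allowed_file(role["sudoCommand"], cmd))
```

       Running it shows that both LDAP roles deny /bin/sh regardless of the
       order the sudoCommand values were written in, while the file-based
       list for puddles allows it; the same functions show that a negated
       sudoUser or sudoHost value never removes anyone from a match.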

   Sudoers Schema
       In order to use sudo's LDAP support, the sudo schema must be installed
       on your LDAP server. In addition, be sure to index the 'sudoUser'
       attribute.

       Three versions of the schema: one for OpenLDAP servers
       (schema.OpenLDAP), one for Netscape-derived servers (schema.iPlanet),
       and one for Microsoft Active Directory (schema.ActiveDirectory) may be
       found in the sudo distribution.

       The schema for sudo in OpenLDAP form is included in the EXAMPLES
       section.

   Configuring ldap.conf
       Sudo reads the /etc/ldap.conf file for LDAP-specific configuration.
       Typically, this file is shared amongst different LDAP-aware clients.
       As such, most of the settings are not sudo-specific. Note that sudo
       parses /etc/ldap.conf itself and may support options that differ from
       those described in the ldap.conf(4) manual.

       Also note that on systems using the OpenLDAP libraries, default values
       specified in /etc/openldap/ldap.conf or the user's .ldaprc files are
       not used.

       Only those options explicitly listed in /etc/ldap.conf that are
       supported by sudo are honored. Configuration options are listed below
       in upper case but are parsed in a case-independent manner.

       URI ldap[s]://[hostname[:port]] ...
           Specifies a whitespace-delimited list of one or more URIs
           describing the LDAP server(s) to connect to. The protocol may be
           either ldap or ldaps, the latter being for servers that support TLS
           (SSL) encryption. If no port is specified, the default is port 389
           for ldap:// or port 636 for ldaps://. If no hostname is specified,
           sudo will connect to localhost. Multiple URI lines are treated
           identically to a URI line containing multiple entries. Only
           systems using the OpenSSL libraries support the mixing of ldap://
           and ldaps:// URIs. The Netscape-derived libraries used on most
           commercial versions of Unix are only capable of supporting one or
           the other.

       HOST name[:port] ...
           If no URI is specified, the HOST parameter specifies a whitespace-
           delimited list of LDAP servers to connect to. Each host may
           include an optional port separated by a colon (':'). The HOST
           parameter is deprecated in favor of the URI specification and is
           included for backwards compatibility.

       PORT port_number
           If no URI is specified, the PORT parameter specifies the default
           port to connect to on the LDAP server if a HOST parameter does not
           specify the port itself. If no PORT parameter is used, the default
           is port 389 for LDAP and port 636 for LDAP over TLS (SSL). The
           PORT parameter is deprecated in favor of the URI specification and
           is included for backwards compatibility.

       BIND_TIMELIMIT seconds
           The BIND_TIMELIMIT parameter specifies the amount of time, in
           seconds, to wait while trying to connect to an LDAP server. If
           multiple URIs or HOSTs are specified, this is the amount of time to
           wait before trying the next one in the list.

       TIMELIMIT seconds
           The TIMELIMIT parameter specifies the amount of time, in seconds,
           to wait for a response to an LDAP query.

       SUDOERS_BASE base
           The base DN to use when performing sudo LDAP queries. Typically
           this is of the form ou=SUDOers,dc=example,dc=com for the domain
           example.com. Multiple SUDOERS_BASE lines may be specified, in
           which case they are queried in the order specified.

       SUDOERS_DEBUG debug_level
           This sets the debug level for sudo LDAP queries. Debugging
           information is printed to the standard error. A value of 1 results
           in a moderate amount of debugging information. A value of 2 shows
           the results of the matches themselves. This parameter should not
           be set in a production environment as the extra information is
           likely to confuse users.

       BINDDN DN
           The BINDDN parameter specifies the identity, in the form of a
           Distinguished Name (DN), to use when performing LDAP operations.
           If not specified, LDAP operations are performed with an anonymous
           identity. By default, most LDAP servers will allow anonymous
           access.

       BINDPW secret
           The BINDPW parameter specifies the password to use when performing
           LDAP operations. This is typically used in conjunction with the
           BINDDN parameter.

       ROOTBINDDN DN
           The ROOTBINDDN parameter specifies the identity, in the form of a
           Distinguished Name (DN), to use when performing privileged LDAP
           operations, such as sudoers queries. The password corresponding to
           the identity should be stored in /etc/ldap.secret. If not
           specified, the BINDDN identity is used (if any).

       LDAP_VERSION number
           The version of the LDAP protocol to use when connecting to the
           server. The default value is protocol version 3.

       SSL on/true/yes/off/false/no
           If the SSL parameter is set to on, true or yes, TLS (SSL)
           encryption is always used when communicating with the LDAP server.
           Typically, this involves connecting to the server on port 636
           (ldaps).

       SSL start_tls
           If the SSL parameter is set to start_tls, the LDAP server
           connection is initiated normally and TLS encryption is begun before
           the bind credentials are sent. This has the advantage of not
           requiring a dedicated port for encrypted communications. This
           parameter is only supported by LDAP servers that honor the
           start_tls extension, such as the OpenLDAP server.

       TLS_CHECKPEER on/true/yes/off/false/no
           If enabled, TLS_CHECKPEER will cause the LDAP server's TLS
           certificate to be verified. If the server's TLS certificate
           cannot be verified (usually because it is signed by an unknown
           certificate authority), sudo will be unable to connect to it. If
           TLS_CHECKPEER is disabled, no check is made. Note that disabling
           the check creates an opportunity for man-in-the-middle attacks
           since the server's identity will not be authenticated. If
           possible, the CA's certificate should be installed locally so it
           can be verified.

       TLS_CACERT file name
           An alias for TLS_CACERTFILE.

       TLS_CACERTFILE file name
           The path to a certificate authority bundle which contains the
           certificates for all the Certificate Authorities the client knows
           to be valid, e.g. /etc/ssl/ca-bundle.pem. This option is only
           supported by the OpenLDAP libraries. Netscape-derived LDAP
           libraries use the same certificate database for CA and client
           certificates (see TLS_CERT).

       TLS_CACERTDIR directory
           Similar to TLS_CACERTFILE but instead of a file, it is a directory
           containing individual Certificate Authority certificates, e.g.
           /etc/ssl/certs. The directory specified by TLS_CACERTDIR is
           checked after TLS_CACERTFILE. This option is only supported by the
           OpenLDAP libraries.

       TLS_CERT file name
           The path to a file containing the client certificate which can be
           used to authenticate the client to the LDAP server. The
           certificate type depends on the LDAP libraries used.

           OpenLDAP:
               tls_cert /etc/ssl/client_cert.pem

           Netscape-derived:
               tls_cert /var/ldap/cert7.db

           When using Netscape-derived libraries, this file may also contain
           Certificate Authority certificates.

       TLS_KEY file name
           The path to a file containing the private key which matches the
           certificate specified by TLS_CERT. The private key must not be
           password-protected. The key type depends on the LDAP libraries
           used.

           OpenLDAP:
               tls_key /etc/ssl/client_key.pem

           Netscape-derived:
               tls_key /var/ldap/key3.db

       TLS_RANDFILE file name
           The TLS_RANDFILE parameter specifies the path to an entropy source
           for systems that lack a random device. It is generally used in
           conjunction with prngd or egd. This option is only supported by
           the OpenLDAP libraries.

       TLS_CIPHERS cipher list
           The TLS_CIPHERS parameter allows the administrator to restrict which
           encryption algorithms may be used for TLS (SSL) connections. See
           the OpenSSL manual for a list of valid ciphers. This option is
           only supported by the OpenLDAP libraries.

       USE_SASL on/true/yes/off/false/no
           Enable USE_SASL for LDAP servers that support SASL authentication.

       SASL_AUTH_ID identity
           The SASL user name to use when connecting to the LDAP server. By
           default, sudo will use an anonymous connection.

       ROOTUSE_SASL on/true/yes/off/false/no
           Enable ROOTUSE_SASL to enable SASL authentication when connecting
           to an LDAP server from a privileged process, such as sudo.

       ROOTSASL_AUTH_ID identity
           The SASL user name to use when ROOTUSE_SASL is enabled.

       SASL_SECPROPS none/properties
           SASL security properties or none for no properties. See the SASL
           programmer's manual for details.

       KRB5_CCNAME file name
           The path to the Kerberos 5 credential cache to use when
           authenticating with the remote server.

       See the ldap.conf entry in the EXAMPLES section.
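
       A small checker for the ldap.conf options above, as an added example
       that is not part of sudo. It parses the option syntax the manual
       describes (one 'KEY value' per line, keys matched case-independently,
       '#' comments) and flags the settings the manual warns about: an
       unencrypted connection, BINDPW sent over it, TLS_CHECKPEER left off,
       SUDOERS_BASE missing (sudo ignores LDAP) and SUDOERS_DEBUG set. The two
       configurations at the bottom, including the bind password, are
       constructed.

```python
"""Check the sudo-relevant settings of an /etc/ldap.conf as described in
sudoers.ldap(4).

Added example, not part of sudo. It parses the option syntax the manual gives
(one 'KEY value' per line, keys matched case-independently, '#' comments) and
reports settings that weaken the LDAP path: no transport encryption, bind
credentials sent over cleartext, TLS_CHECKPEER not enabled, SUDOERS_BASE
missing (sudo then ignores LDAP) and SUDOERS_DEBUG left on. The configurations
at the bottom are constructed, including the bind password.
"""
import re

TRUE_VALUES = {"on", "true", "yes"}


def parse_ldap_conf(text):
    """Return {lowercase_key: [value, ...]}; repeated keys (URI, SUDOERS_BASE)
    keep every value in file order."""
    conf = {}
    for raw in text.splitlines():
        # A '#' starts a comment at line start or after whitespace.
        line = re.split(r"(?:^|\s)#", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


def is_encrypted(conf):
    """True if every connection would be TLS-protected: 'ssl on' or
    'ssl start_tls', or all URIs use ldaps://."""
    ssl = conf.get("ssl", ["off"])[-1].lower()
    if ssl in TRUE_VALUES or ssl == "start_tls":
        return True
    uris = " ".join(conf.get("uri", [])).split()
    return bool(uris) and all(u.lower().startswith("ldaps://") for u in uris)


def check_ldap_conf(text):
    """Return a list of (code, message) findings; empty means nothing found."""
    conf = parse_ldap_conf(text)
    findings = []
    if not is_encrypted(conf):
        findings.append(("cleartext",
                         "LDAP traffic is unencrypted; set 'ssl start_tls' "
                         "or use ldaps:// URIs"))
        if "bindpw" in conf:
            findings.append(("bindpw-cleartext",
                             "BINDPW would be sent over an unencrypted bind"))
    elif conf.get("tls_checkpeer", ["off"])[-1].lower() not in TRUE_VALUES:
        findings.append(("no-checkpeer",
                         "TLS_CHECKPEER is not enabled: the server certificate "
                         "is not verified (enable it and set TLS_CACERTFILE "
                         "or TLS_CACERTDIR)"))
    if "sudoers_base" not in conf:
        findings.append(("no-sudoers_base",
                         "SUDOERS_BASE is missing: sudo will ignore LDAP"))
    if conf.get("sudoers_debug", ["0"])[-1] != "0":
        findings.append(("debug", "SUDOERS_DEBUG is set; not for production"))
    return findings


# Constructed configurations: a weak one and its hardened counterpart.
WEAK_CONF = """\
uri ldap://ldapserver
binddn cn=sudo,dc=example,dc=com
bindpw example-secret
sudoers_debug 2
"""

HARDENED_CONF = """\
uri ldaps://ldapserver
ssl on
tls_checkpeer yes          # verify the server certificate
tls_cacertfile /etc/ssl/ca-bundle.pem
sudoers_base ou=SUDOers,dc=example,dc=com
binddn cn=sudo,dc=example,dc=com
bindpw example-secret
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, [code for code, _ in check_ldap_conf(conf)])
```

       The weak configuration yields four findings and the hardened one
       none; the checkpeer finding only appears once the connection is
       encrypted, since without TLS there is no certificate to verify in the
       first place.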

   Configuring nsswitch.conf
       Unless it is disabled at build time, sudo consults the Name Service
       Switch file, /etc/nsswitch.conf, to specify the sudoers search order.
       Sudo looks for a line beginning with sudoers: and uses this to
       determine the search order. Note that sudo does not stop searching
       after the first match and later matches take precedence over earlier
       ones.

       The following sources are recognized:

           files       read sudoers from /etc/sudoers
           ldap        read sudoers from LDAP

       In addition, the entry [NOTFOUND=return] will short-circuit the search
       if the user was not found in the preceding source.

       To consult LDAP first followed by the local sudoers file (if it
       exists), use:

           sudoers: ldap files

       The local sudoers file can be ignored completely by using:

           sudoers: ldap

       If the /etc/nsswitch.conf file is not present or there is no sudoers
       line, the following default is assumed:

           sudoers: files

       Note that /etc/nsswitch.conf is supported even when the underlying
       operating system does not use an nsswitch.conf file.

   Configuring netsvc.conf
       On AIX systems, the /etc/netsvc.conf file is consulted instead of
       /etc/nsswitch.conf. sudo simply treats netsvc.conf as a variant of
       nsswitch.conf; information in the previous section unrelated to the
       file format itself still applies.

       To consult LDAP first followed by the local sudoers file (if it
       exists), use:

           sudoers = ldap, files

       The local sudoers file can be ignored completely by using:

           sudoers = ldap

       To treat LDAP as authoritative and only use the local sudoers file if
       the user is not present in LDAP, use:

           sudoers = ldap = auth, files

       Note that in the above example, the auth qualifier only affects user
       lookups; both LDAP and sudoers will be queried for Defaults entries.

       If the /etc/netsvc.conf file is not present or there is no sudoers
       line, the following default is assumed:

           sudoers = files
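
       The source-order rules of the nsswitch.conf and netsvc.conf sections
       modelled in Python, as an added example that is not sudo's own code.
       It parses both line formats shown above and simulates the lookup so
       the two qualifiers can be compared: [NOTFOUND=return] stops the search
       when the user was not found in the preceding source, whereas the
       netsvc.conf '= auth' qualifier stops it when the user was found. The
       per-source user entries are constructed.

```python
"""Model of the sudoers source-order rules from sudoers.ldap(4), for the
nsswitch.conf line and its AIX netsvc.conf variant.

Added example, not sudo's own code. It parses both line formats the manual
shows and simulates the lookup so the two qualifiers can be compared:
[NOTFOUND=return] stops the search when the user was NOT found in the
preceding source, while the netsvc.conf '= auth' qualifier stops it when the
user WAS found (LDAP authoritative). Otherwise every source is consulted and
a later source's entry takes precedence. The user data is constructed.
"""
from collections import namedtuple

Source = namedtuple("Source", "name ret_if_notfound ret_if_found")
KNOWN_SOURCES = ("files", "ldap")


def parse_nsswitch(line):
    """Parse e.g. 'sudoers: ldap [NOTFOUND=return] files'."""
    key, sep, rest = line.partition(":")
    if not sep or key.strip() != "sudoers":
        raise ValueError("not a sudoers line: %r" % line)
    sources = []
    for token in rest.split():
        if token.upper() == "[NOTFOUND=RETURN]":
            if not sources:
                raise ValueError("[NOTFOUND=return] needs a preceding source")
            sources[-1] = sources[-1]._replace(ret_if_notfound=True)
        elif token.lower() in KNOWN_SOURCES:
            sources.append(Source(token.lower(), False, False))
        else:
            raise ValueError("unknown sudoers source: %r" % token)
    return sources


def parse_netsvc(line):
    """Parse e.g. 'sudoers = ldap = auth, files'."""
    key, sep, rest = line.partition("=")
    if not sep or key.strip() != "sudoers":
        raise ValueError("not a sudoers line: %r" % line)
    sources = []
    for item in rest.split(","):
        parts = [p.strip().lower() for p in item.split("=")]
        if parts[0] not in KNOWN_SOURCES:
            raise ValueError("unknown sudoers source: %r" % parts[0])
        authoritative = len(parts) > 1 and parts[1] == "auth"
        sources.append(Source(parts[0], False, authoritative))
    return sources


DEFAULT_SOURCES = [Source("files", False, False)]  # used when no line exists


def lookup(sources, user, directory):
    """Walk the sources in order; return (consulted, effective_entry).

    'directory' maps source name -> {user: entry}; an entry from a later
    source replaces one found earlier, matching 'later matches take
    precedence over earlier ones'.
    """
    consulted, effective = [], None
    for src in sources:
        consulted.append(src.name)
        entry = directory.get(src.name, {}).get(user)
        if entry is not None:
            effective = entry
            if src.ret_if_found:
                break
        elif src.ret_if_notfound:
            break
    return consulted, effective


# Constructed entries: alice is in both sources, bob only in the local file.
DIRECTORY = {
    "ldap": {"alice": "ALL=(ALL) ALL"},
    "files": {"alice": "ALL=(root) /usr/bin/less", "bob": "ALL=(root) ALL"},
}

if __name__ == "__main__":
    for line in ("sudoers: ldap files", "sudoers: ldap [NOTFOUND=return] files"):
        print(line, "->", lookup(parse_nsswitch(line), "bob", DIRECTORY))
    print("sudoers = ldap = auth, files ->",
          lookup(parse_netsvc("sudoers = ldap = auth, files"), "alice", DIRECTORY))
```

       With 'sudoers: ldap files', alice ends up with the files entry because
       it is consulted last; with '= auth' the LDAP entry wins and files is
       never read for her, while bob, absent from LDAP, still falls through
       to the local file.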

FILES
       /etc/ldap.conf            LDAP configuration file

       /etc/nsswitch.conf        determines sudoers source order

       /etc/netsvc.conf          determines sudoers source order on AIX

EXAMPLES
   Example ldap.conf
           # Either specify one or more URIs or one or more host:port pairs.
           # If neither is specified sudo will default to localhost, port 389.
           #
           #host ldapserver
           #host ldapserver1 ldapserver2:390
           #
           # Default port if host is specified without one, defaults to 389.
           #port 389
           #
           # URI will override the host and port settings.
           uri ldap://ldapserver
           #uri ldaps://secureldapserver
           #uri ldaps://secureldapserver ldap://ldapserver
           #
           # The amount of time, in seconds, to wait while trying to connect to
           # an LDAP server.
           bind_timelimit 30
           #
           # The amount of time, in seconds, to wait while performing an LDAP query.
           timelimit 30
           #
           # Must be set or sudo will ignore LDAP; may be specified multiple times.
           sudoers_base ou=SUDOers,dc=example,dc=com
           #
           # verbose sudoers matching from ldap
           #sudoers_debug 2
           #
           # optional proxy credentials
           #binddn <who to search as>
           #bindpw <password>
           #rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>
           #
           # LDAP protocol version, defaults to 3
           #ldap_version 3
           #
           # Define if you want to use an encrypted LDAP connection.
           # Typically, you must also set the port to 636 (ldaps).
           #ssl on
           #
           # Define if you want to use port 389 and switch to
           # encryption before the bind credentials are sent.
           # Only supported by LDAP servers that support the start_tls
           # extension such as OpenLDAP.
           #ssl start_tls
           #
           # Additional TLS options follow that allow tweaking of the
           # SSL/TLS connection.
           #
           #tls_checkpeer yes # verify server SSL certificate
           #tls_checkpeer no # ignore server SSL certificate
           #
           # If you enable tls_checkpeer, specify either tls_cacertfile
           # or tls_cacertdir. Only supported when using OpenLDAP.
           #
           #tls_cacertfile /etc/certs/trusted_signers.pem
           #tls_cacertdir /etc/certs
           #
           # For systems that don't have /dev/random
           # use this along with PRNGD or EGD.pl to seed the
           # random number pool to generate cryptographic session keys.
           # Only supported when using OpenLDAP.
           #
           #tls_randfile /etc/egd-pool
           #
           # You may restrict which ciphers are used. Consult your SSL
           # documentation for which options go here.
           # Only supported when using OpenLDAP.
           #
           #tls_ciphers <cipher-list>
           #
           # Sudo can provide a client certificate when communicating to
           # the LDAP server.
           # Tips:
           # * Enable both lines at the same time.
           # * Do not password protect the key file.
           # * Ensure the keyfile is only readable by root.
           #
           # For OpenLDAP:
           #tls_cert /etc/certs/client_cert.pem
           #tls_key /etc/certs/client_key.pem
           #
           # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
           # a directory, in which case the files in the directory must have the
           # default names (e.g. cert8.db and key4.db), or the path to the cert
           # and key files themselves. However, a bug in version 5.0 of the LDAP
           # SDK will prevent specific file names from working. For this reason
           # it is suggested that tls_cert and tls_key be set to a directory,
           # not a file name.
           #
           # The certificate database specified by tls_cert may contain CA certs
           # and/or the client's cert. If the client's cert is included, tls_key
           # should be specified as well.
           # For backward compatibility, "sslpath" may be used in place of tls_cert.
           #tls_cert /var/ldap
           #tls_key /var/ldap
           #
           # If using SASL authentication for LDAP (OpenSSL)
           # use_sasl yes
           # sasl_auth_id <SASL user name>
           # rootuse_sasl yes
           # rootsasl_auth_id <SASL user name for root access>
           # sasl_secprops none
           # krb5_ccname /etc/.ldapcache

   Sudo schema for OpenLDAP
       The following schema is in OpenLDAP format. Simply copy it to the
       schema directory (e.g. /etc/openldap/schema), add the proper include
       line in slapd.conf and restart slapd.

        attributetype ( 1.3.6.1.4.1.15953.9.1.1
           NAME 'sudoUser'
           DESC 'User(s) who may run sudo'
           EQUALITY caseExactIA5Match
           SUBSTR caseExactIA5SubstringsMatch
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

        attributetype ( 1.3.6.1.4.1.15953.9.1.2
           NAME 'sudoHost'
           DESC 'Host(s) who may run sudo'
           EQUALITY caseExactIA5Match
           SUBSTR caseExactIA5SubstringsMatch
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

        attributetype ( 1.3.6.1.4.1.15953.9.1.3
           NAME 'sudoCommand'
           DESC 'Command(s) to be executed by sudo'
           EQUALITY caseExactIA5Match
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

        attributetype ( 1.3.6.1.4.1.15953.9.1.4
           NAME 'sudoRunAs'
           DESC 'User(s) impersonated by sudo'
           EQUALITY caseExactIA5Match
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

        attributetype ( 1.3.6.1.4.1.15953.9.1.5
           NAME 'sudoOption'
           DESC 'Options(s) followed by sudo'
           EQUALITY caseExactIA5Match
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

        attributetype ( 1.3.6.1.4.1.15953.9.1.6
           NAME 'sudoRunAsUser'
           DESC 'User(s) impersonated by sudo'
           EQUALITY caseExactIA5Match
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

        attributetype ( 1.3.6.1.4.1.15953.9.1.7
           NAME 'sudoRunAsGroup'
           DESC 'Group(s) impersonated by sudo'
           EQUALITY caseExactIA5Match
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

        objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
           DESC 'Sudoer Entries'
           MUST ( cn )
           MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
                 sudoRunAsGroup $ sudoOption $ description )
           )

SEE ALSO
       ldap.conf(4), sudoers(5)

CAVEATS
       Note that there are differences in the way that LDAP-based sudoers is
       parsed compared to file-based sudoers. See the "Differences between
       LDAP and non-LDAP sudoers" section for more information.

BUGS
       If you feel you have found a bug in sudo, please submit a bug report at
       http://www.sudo.ws/sudo/bugs/

SUPPORT
       Limited free support is available via the sudo-users mailing list, see
       http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
       the archives.

DISCLAIMER
       sudo is provided ``AS IS'' and any express or implied warranties,
       including, but not limited to, the implied warranties of
       merchantability and fitness for a particular purpose are disclaimed.
       See the LICENSE file distributed with sudo or
       http://www.sudo.ws/sudo/license.html for complete details.