| |
| |
| |
| SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) |
| |
| |
| N�NA�AM�ME�E |
| sudoers.ldap - sudo LDAP configuration |
| |
| D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N |
| In addition to the standard _�s_�u_�d_�o_�e_�r_�s file, s�su�ud�do�o may be configured via |
| LDAP. This can be especially useful for synchronizing _�s_�u_�d_�o_�e_�r_�s in a |
| large, distributed environment. |
| |
| Using LDAP for _�s_�u_�d_�o_�e_�r_�s has several benefits: |
| |
| +�o s�su�ud�do�o no longer needs to read _�s_�u_�d_�o_�e_�r_�s in its entirety. When LDAP is |
| used, there are only two or three LDAP queries per invocation. |
| This makes it especially fast and particularly usable in LDAP |
| environments. |
| |
| +�o s�su�ud�do�o no longer exits if there is a typo in _�s_�u_�d_�o_�e_�r_�s. It is not |
| possible to load LDAP data into the server that does not conform to |
| the sudoers schema, so proper syntax is guaranteed. It is still |
| possible to have typos in a user or host name, but this will not |
| prevent s�su�ud�do�o from running. |
| |
| +�o It is possible to specify per-entry options that override the |
| global default options. _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s only supports default options |
| and limited options associated with user/host/commands/aliases. |
| The syntax is complicated and can be difficult for users to |
| understand. Placing the options directly in the entry is more |
| natural. |
| |
| +�o The v�vi�is�su�ud�do�o program is no longer needed. v�vi�is�su�ud�do�o provides locking |
| and syntax checking of the _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s file. Since LDAP updates |
| are atomic, locking is no longer necessary. Because syntax is |
| checked when the data is inserted into LDAP, there is no need for a |
| specialized tool to check syntax. |
| |
| Another major difference between LDAP and file-based _�s_�u_�d_�o_�e_�r_�s is that in |
| LDAP, s�su�ud�do�o-specific Aliases are not supported. |
| |
| For the most part, there is really no need for s�su�ud�do�o-specific Aliases. |
| Unix groups or user netgroups can be used in place of User_Aliases and |
| RunasAliases. Host netgroups can be used in place of HostAliases. |
| Since Unix groups and netgroups can also be stored in LDAP there is no |
| real need for s�su�ud�do�o-specific aliases. |
| |
| Cmnd_Aliases are not really required either since it is possible to |
| have multiple users listed in a sudoRole. Instead of defining a |
| Cmnd_Alias that is referenced by multiple users, one can create a |
| sudoRole that contains the commands and assign multiple users to it. |
| |
| S�SU�UD�DO�Oe�er�rs�s L�LD�DA�AP�P c�co�on�nt�ta�ai�in�ne�er�r |
| The _�s_�u_�d_�o_�e_�r_�s configuration is contained in the ou=SUDOers LDAP |
| container. |
| |
| Sudo first looks for the cn=default entry in the SUDOers container. If |
| found, the multi-valued sudoOption attribute is parsed in the same |
| |
| |
| |
| 1.7.4 July 12, 2010 1 |
| |
| |
| |
| |
| |
| SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) |
| |
| |
| manner as a global Defaults line in _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s. In the following |
| example, the SSH_AUTH_SOCK variable will be preserved in the |
| environment for all users. |
| |
| dn: cn=defaults,ou=SUDOers,dc=example,dc=com |
| objectClass: top |
| objectClass: sudoRole |
| cn: defaults |
| description: Default sudoOption's go here |
| sudoOption: env_keep+=SSH_AUTH_SOCK |
| |
| The equivalent of a sudoer in LDAP is a sudoRole. It consists of the |
| following components: |
| |
| s�su�ud�do�oU�Us�se�er�r |
| A user name, uid (prefixed with '#'), Unix group (prefixed with a |
| '%') or user netgroup (prefixed with a '+'). |
| |
| s�su�ud�do�oH�Ho�os�st�t |
| A host name, IP address, IP network, or host netgroup (prefixed |
| with a '+'). The special value ALL will match any host. |
| |
| s�su�ud�do�oC�Co�om�mm�ma�an�nd�d |
| A Unix command with optional command line arguments, potentially |
| including globbing characters (aka wild cards). The special value |
| ALL will match any command. If a command is prefixed with an |
| exclamation point '!', the user will be prohibited from running |
| that command. |
| |
| s�su�ud�do�oO�Op�pt�ti�io�on�n |
| Identical in function to the global options described above, but |
| specific to the sudoRole in which it resides. |
| |
| s�su�ud�do�oR�Ru�un�nA�As�sU�Us�se�er�r |
| A user name or uid (prefixed with '#') that commands may be run as |
| or a Unix group (prefixed with a '%') or user netgroup (prefixed |
| with a '+') that contains a list of users that commands may be run |
| as. The special value ALL will match any user. |
| |
| s�su�ud�do�oR�Ru�un�nA�As�sG�Gr�ro�ou�up�p |
| A Unix group or gid (prefixed with '#') that commands may be run |
| as. The special value ALL will match any group. |
| |
| Each component listed above should contain a single value, but there |
| may be multiple instances of each component type. A sudoRole must |
| contain at least one sudoUser, sudoHost and sudoCommand. |
| |
| The following example allows users in group wheel to run any command on |
| any host via s�su�ud�do�o: |
| |
| |
| |
| |
| |
| |
| |
| |
| 1.7.4 July 12, 2010 2 |
| |
| |
| |
| |
| |
| SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) |
| |
| |
| dn: cn=%wheel,ou=SUDOers,dc=example,dc=com |
| objectClass: top |
| objectClass: sudoRole |
| cn: %wheel |
| sudoUser: %wheel |
| sudoHost: ALL |
| sudoCommand: ALL |
| |
| A�An�na�at�to�om�my�y o�of�f L�LD�DA�AP�P s�su�ud�do�oe�er�rs�s l�lo�oo�ok�ku�up�p |
| When looking up a sudoer using LDAP there are only two or three LDAP |
| queries per invocation. The first query is to parse the global |
| options. The second is to match against the user's name and the groups |
| that the user belongs to. (The special ALL tag is matched in this |
| query too.) If no match is returned for the user's name and groups, a |
| third query returns all entries containing user netgroups and checks to |
| see if the user belongs to any of them. |
| |
| D�Di�if�ff�fe�er�re�en�nc�ce�es�s b�be�et�tw�we�ee�en�n L�LD�DA�AP�P a�an�nd�d n�no�on�n-�-L�LD�DA�AP�P s�su�ud�do�oe�er�rs�s |
| There are some subtle differences in the way sudoers is handled once in |
| LDAP. Probably the biggest is that according to the RFC, LDAP ordering |
| is arbitrary and you cannot expect that Attributes and Entries are |
| returned in any specific order. If there are conflicting command rules |
| on an entry, the negative takes precedence. This is called paranoid |
| behavior (not necessarily the most specific match). |
| |
| Here is an example: |
| |
| # /etc/sudoers: |
| # Allow all commands except shell |
| johnny ALL=(root) ALL,!/bin/sh |
| # Always allows all commands because ALL is matched last |
| puddles ALL=(root) !/bin/sh,ALL |
| |
| # LDAP equivalent of johnny |
| # Allows all commands except shell |
| dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com |
| objectClass: sudoRole |
| objectClass: top |
| cn: role1 |
| sudoUser: johnny |
| sudoHost: ALL |
| sudoCommand: ALL |
| sudoCommand: !/bin/sh |
| |
| # LDAP equivalent of puddles |
| # Notice that even though ALL comes last, it still behaves like |
| # role1 since the LDAP code assumes the more paranoid configuration |
| dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com |
| objectClass: sudoRole |
| objectClass: top |
| cn: role2 |
| sudoUser: puddles |
| sudoHost: ALL |
| sudoCommand: !/bin/sh |
| |
| |
| |
| 1.7.4 July 12, 2010 3 |
| |
| |
| |
| |
| |
| SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) |
| |
| |
| sudoCommand: ALL |
| |
| Another difference is that negations on the Host, User or Runas are |
| currently ignorred. For example, the following attributes do not |
| behave the way one might expect. |
| |
| # does not match all but joe |
| # rather, does not match anyone |
| sudoUser: !joe |
| |
| # does not match all but joe |
| # rather, matches everyone including Joe |
| sudoUser: ALL |
| sudoUser: !joe |
| |
| # does not match all but web01 |
| # rather, matches all hosts including web01 |
| sudoHost: ALL |
| sudoHost: !web01 |
| |
| S�Su�ud�do�oe�er�rs�s S�Sc�ch�he�em�ma�a |
| In order to use s�su�ud�do�o's LDAP support, the s�su�ud�do�o schema must be installed |
| on your LDAP server. In addition, be sure to index the 'sudoUser' |
| attribute. |
| |
| Three versions of the schema: one for OpenLDAP servers |
| (_�s_�c_�h_�e_�m_�a_�._�O_�p_�e_�n_�L_�D_�A_�P), one for Netscape-derived servers (_�s_�c_�h_�e_�m_�a_�._�i_�P_�l_�a_�n_�e_�t), |
| and one for Microsoft Active Directory (_�s_�c_�h_�e_�m_�a_�._�A_�c_�t_�i_�v_�e_�D_�i_�r_�e_�c_�t_�o_�r_�y) may be |
| found in the s�su�ud�do�o distribution. |
| |
| The schema for s�su�ud�do�o in OpenLDAP form is included in the EXAMPLES |
| section. |
| |
| C�Co�on�nf�fi�ig�gu�ur�ri�in�ng�g l�ld�da�ap�p.�.c�co�on�nf�f |
| Sudo reads the _�/_�e_�t_�c_�/_�l_�d_�a_�p_�._�c_�o_�n_�f file for LDAP-specific configuration. |
| Typically, this file is shared amongst different LDAP-aware clients. |
| As such, most of the settings are not s�su�ud�do�o-specific. Note that s�su�ud�do�o |
| parses _�/_�e_�t_�c_�/_�l_�d_�a_�p_�._�c_�o_�n_�f itself and may support options that differ from |
| those described in the _�l_�d_�a_�p_�._�c_�o_�n_�f(4) manual. |
| |
| Also note that on systems using the OpenLDAP libraries, default values |
| specified in _�/_�e_�t_�c_�/_�o_�p_�e_�n_�l_�d_�a_�p_�/_�l_�d_�a_�p_�._�c_�o_�n_�f or the user's _�._�l_�d_�a_�p_�r_�c files are |
| not used. |
| |
| Only those options explicitly listed in _�/_�e_�t_�c_�/_�l_�d_�a_�p_�._�c_�o_�n_�f that are |
| supported by s�su�ud�do�o are honored. Configuration options are listed below |
| in upper case but are parsed in a case-independent manner. |
| |
| U�UR�RI�I ldap[s]://[hostname[:port]] ... |
| Specifies a whitespace-delimited list of one or more URIs |
| describing the LDAP server(s) to connect to. The _�p_�r_�o_�t_�o_�c_�o_�l may be |
| either l�ld�da�ap�p or l�ld�da�ap�ps�s, the latter being for servers that support TLS |
| (SSL) encryption. If no _�p_�o_�r_�t is specified, the default is port 389 |
| for ldap:// or port 636 for ldaps://. If no _�h_�o_�s_�t_�n_�a_�m_�e is specified, |
| |
| |
| |
| 1.7.4 July 12, 2010 4 |
| |
| |
| |
| |
| |
| SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) |
| |
| |
| s�su�ud�do�o will connect to l�lo�oc�ca�al�lh�ho�os�st�t. Multiple U�UR�RI�I lines are treated |
| identically to a U�UR�RI�I line containing multiple entries. Only |
| systems using the OpenSSL libraries support the mixing of ldap:// |
| and ldaps:// URIs. The Netscape-derived libraries used on most |
| commercial versions of Unix are only capable of supporting one or |
| the other. |
| |
| H�HO�OS�ST�T name[:port] ... |
| If no U�UR�RI�I is specified, the H�HO�OS�ST�T parameter specifies a whitespace- |
| delimited list of LDAP servers to connect to. Each host may |
| include an optional _�p_�o_�r_�t separated by a colon (':'). The H�HO�OS�ST�T |
| parameter is deprecated in favor of the U�UR�RI�I specification and is |
| included for backwards compatibility. |
| |
| P�PO�OR�RT�T port_number |
| If no U�UR�RI�I is specified, the P�PO�OR�RT�T parameter specifies the default |
| port to connect to on the LDAP server if a H�HO�OS�ST�T parameter does not |
| specify the port itself. If no P�PO�OR�RT�T parameter is used, the default |
| is port 389 for LDAP and port 636 for LDAP over TLS (SSL). The |
| P�PO�OR�RT�T parameter is deprecated in favor of the U�UR�RI�I specification and |
| is included for backwards compatibility. |
| |
| B�BI�IN�ND�D_�_T�TI�IM�ME�EL�LI�IM�MI�IT�T seconds |
| The B�BI�IN�ND�D_�_T�TI�IM�ME�EL�LI�IM�MI�IT�T parameter specifies the amount of time, in |
| seconds, to wait while trying to connect to an LDAP server. If |
| multiple U�UR�RI�Is or H�HO�OS�ST�Ts are specified, this is the amount of time to |
| wait before trying the next one in the list. |
| |
| T�TI�IM�ME�EL�LI�IM�MI�IT�T seconds |
| The T�TI�IM�ME�EL�LI�IM�MI�IT�T parameter specifies the amount of time, in seconds, |
| to wait for a response to an LDAP query. |
| |
| S�SU�UD�DO�OE�ER�RS�S_�_B�BA�AS�SE�E base |
| The base DN to use when performing s�su�ud�do�o LDAP queries. Typically |
| this is of the form ou=SUDOers,dc=example,dc=com for the domain |
| example.com. Multiple S�SU�UD�DO�OE�ER�RS�S_�_B�BA�AS�SE�E lines may be specified, in |
| which case they are queried in the order specified. |
| |
| S�SU�UD�DO�OE�ER�RS�S_�_D�DE�EB�BU�UG�G debug_level |
| This sets the debug level for s�su�ud�do�o LDAP queries. Debugging |
| information is printed to the standard error. A value of 1 results |
| in a moderate amount of debugging information. A value of 2 shows |
| the results of the matches themselves. This parameter should not |
| be set in a production environment as the extra information is |
| likely to confuse users. |
| |
| B�BI�IN�ND�DD�DN�N DN |
| The B�BI�IN�ND�DD�DN�N parameter specifies the identity, in the form of a |
| Distinguished Name (DN), to use when performing LDAP operations. |
| If not specified, LDAP operations are performed with an anonymous |
| identity. By default, most LDAP servers will allow anonymous |
| access. |
| |
| |
| |
| |
| |
| 1.7.4 July 12, 2010 5 |
| |
| |
| |
| |
| |
| SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) |
| |
| |
| B�BI�IN�ND�DP�PW�W secret |
| The B�BI�IN�ND�DP�PW�W parameter specifies the password to use when performing |
| LDAP operations. This is typically used in conjunction with the |
| B�BI�IN�ND�DD�DN�N parameter. |
| |
| R�RO�OO�OT�TB�BI�IN�ND�DD�DN�N DN |
| The R�RO�OO�OT�TB�BI�IN�ND�DD�DN�N parameter specifies the identity, in the form of a |
| Distinguished Name (DN), to use when performing privileged LDAP |
| operations, such as _�s_�u_�d_�o_�e_�r_�s queries. The password corresponding to |
| the identity should be stored in _�/_�e_�t_�c_�/_�l_�d_�a_�p_�._�s_�e_�c_�r_�e_�t. If not |
| specified, the B�BI�IN�ND�DD�DN�N identity is used (if any). |
| |
| L�LD�DA�AP�P_�_V�VE�ER�RS�SI�IO�ON�N number |
| The version of the LDAP protocol to use when connecting to the |
| server. The default value is protocol version 3. |
| |
| S�SS�SL�L on/true/yes/off/false/no |
| If the S�SS�SL�L parameter is set to on, true or yes, TLS (SSL) |
| encryption is always used when communicating with the LDAP server. |
| Typically, this involves connecting to the server on port 636 |
| (ldaps). |
| |
| S�SS�SL�L start_tls |
| If the S�SS�SL�L parameter is set to start_tls, the LDAP server |
| connection is initiated normally and TLS encryption is begun before |
| the bind credentials are sent. This has the advantage of not |
| requiring a dedicated port for encrypted communications. This |
| parameter is only supported by LDAP servers that honor the |
| start_tls extension, such as the OpenLDAP server. |
| |
| T�TL�LS�S_�_C�CH�HE�EC�CK�KP�PE�EE�ER�R on/true/yes/off/false/no |
| If enabled, T�TL�LS�S_�_C�CH�HE�EC�CK�KP�PE�EE�ER�R will cause the LDAP server's TLS |
| certificated to be verified. If the server's TLS certificate |
| cannot be verified (usually because it is signed by an unknown |
| certificate authority), s�su�ud�do�o will be unable to connect to it. If |
| T�TL�LS�S_�_C�CH�HE�EC�CK�KP�PE�EE�ER�R is disabled, no check is made. Note that disabling |
| the check creates an opportunity for man-in-the-middle attacks |
| since the server's identity will not be authenticated. If |
| possible, the CA's certificate should be installed locally so it |
| can be verified. |
| |
| T�TL�LS�S_�_C�CA�AC�CE�ER�RT�T file name |
| An alias for T�TL�LS�S_�_C�CA�AC�CE�ER�RT�TF�FI�IL�LE�E. |
| |
| T�TL�LS�S_�_C�CA�AC�CE�ER�RT�TF�FI�IL�LE�E file name |
| The path to a certificate authority bundle which contains the |
| certificates for all the Certificate Authorities the client knows |
| to be valid, e.g. _�/_�e_�t_�c_�/_�s_�s_�l_�/_�c_�a_�-_�b_�u_�n_�d_�l_�e_�._�p_�e_�m. This option is only |
| supported by the OpenLDAP libraries. Netscape-derived LDAP |
| libraries use the same certificate database for CA and client |
| certificates (see T�TL�LS�S_�_C�CE�ER�RT�T). |
| |
| T�TL�LS�S_�_C�CA�AC�CE�ER�RT�TD�DI�IR�R directory |
| Similar to T�TL�LS�S_�_C�CA�AC�CE�ER�RT�TF�FI�IL�LE�E but instead of a file, it is a directory |
| |
| |
| |
| 1.7.4 July 12, 2010 6 |
| |
| |
| |
| |
| |
| SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) |
| |
| |
| containing individual Certificate Authority certificates, e.g. |
| _�/_�e_�t_�c_�/_�s_�s_�l_�/_�c_�e_�r_�t_�s. The directory specified by T�TL�LS�S_�_C�CA�AC�CE�ER�RT�TD�DI�IR�R is |
| checked after T�TL�LS�S_�_C�CA�AC�CE�ER�RT�TF�FI�IL�LE�E. This option is only supported by the |
| OpenLDAP libraries. |
| |
| T�TL�LS�S_�_C�CE�ER�RT�T file name |
| The path to a file containing the client certificate which can be |
| used to authenticate the client to the LDAP server. The |
| certificate type depends on the LDAP libraries used. |
| |
| OpenLDAP: |
| tls_cert /etc/ssl/client_cert.pem |
| |
| Netscape-derived: |
| tls_cert /var/ldap/cert7.db |
| |
| When using Netscape-derived libraries, this file may also contain |
| Certificate Authority certificates. |
| |
| T�TL�LS�S_�_K�KE�EY�Y file name |
| The path to a file containing the private key which matches the |
| certificate specified by T�TL�LS�S_�_C�CE�ER�RT�T. The private key must not be |
| password-protected. The key type depends on the LDAP libraries |
| used. |
| |
| OpenLDAP: |
| tls_key /etc/ssl/client_key.pem |
| |
| Netscape-derived: |
| tls_key /var/ldap/key3.db |
| |
| T�TL�LS�S_�_R�RA�AN�ND�DF�FI�IL�LE�E file name |
| The T�TL�LS�S_�_R�RA�AN�ND�DF�FI�IL�LE�E parameter specifies the path to an entropy source |
| for systems that lack a random device. It is generally used in |
| conjunction with _�p_�r_�n_�g_�d or _�e_�g_�d. This option is only supported by |
| the OpenLDAP libraries. |
| |
| T�TL�LS�S_�_C�CI�IP�PH�HE�ER�RS�S cipher list |
| The T�TL�LS�S_�_C�CI�IP�PH�HE�ER�RS�S parameter allows the administer to restrict which |
| encryption algorithms may be used for TLS (SSL) connections. See |
| the OpenSSL manual for a list of valid ciphers. This option is |
| only supported by the OpenLDAP libraries. |
| |
| U�US�SE�E_�_S�SA�AS�SL�L on/true/yes/off/false/no |
| Enable U�US�SE�E_�_S�SA�AS�SL�L for LDAP servers that support SASL authentication. |
| |
| S�SA�AS�SL�L_�_A�AU�UT�TH�H_�_I�ID�D identity |
| The SASL user name to use when connecting to the LDAP server. By |
| default, s�su�ud�do�o will use an anonymous connection. |
| |
| R�RO�OO�OT�TU�US�SE�E_�_S�SA�AS�SL�L on/true/yes/off/false/no |
| Enable R�RO�OO�OT�TU�US�SE�E_�_S�SA�AS�SL�L to enable SASL authentication when connecting |
| to an LDAP server from a privileged process, such as s�su�ud�do�o. |
| |
| |
| |
| |
| 1.7.4 July 12, 2010 7 |
| |
| |
| |
| |
| |
| SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) |
| |
| |
| R�RO�OO�OT�TS�SA�AS�SL�L_�_A�AU�UT�TH�H_�_I�ID�D identity |
| The SASL user name to use when R�RO�OO�OT�TU�US�SE�E_�_S�SA�AS�SL�L is enabled. |
| |
| S�SA�AS�SL�L_�_S�SE�EC�CP�PR�RO�OP�PS�S none/properties |
| SASL security properties or _�n_�o_�n_�e for no properties. See the SASL |
| programmer's manual for details. |
| |
| K�KR�RB�B5�5_�_C�CC�CN�NA�AM�ME�E file name |
| The path to the Kerberos 5 credential cache to use when |
| authenticating with the remote server. |
| |
| See the ldap.conf entry in the EXAMPLES section. |
| |
| C�Co�on�nf�fi�ig�gu�ur�ri�in�ng�g n�ns�ss�sw�wi�it�tc�ch�h.�.c�co�on�nf�f |
| Unless it is disabled at build time, s�su�ud�do�o consults the Name Service |
| Switch file, _�/_�e_�t_�c_�/_�n_�s_�s_�w_�i_�t_�c_�h_�._�c_�o_�n_�f, to specify the _�s_�u_�d_�o_�e_�r_�s search order. |
| Sudo looks for a line beginning with sudoers: and uses this to |
| determine the search order. Note that s�su�ud�do�o does not stop searching |
| after the first match and later matches take precedence over earlier |
| ones. |
| |
| The following sources are recognized: |
| |
| files read sudoers from F</etc/sudoers> |
| ldap read sudoers from LDAP |
| |
| In addition, the entry [NOTFOUND=return] will short-circuit the search |
| if the user was not found in the preceding source. |
| |
| To consult LDAP first followed by the local sudoers file (if it |
| exists), use: |
| |
| sudoers: ldap files |
| |
| The local _�s_�u_�d_�o_�e_�r_�s file can be ignored completely by using: |
| |
| sudoers: ldap |
| |
| If the _�/_�e_�t_�c_�/_�n_�s_�s_�w_�i_�t_�c_�h_�._�c_�o_�n_�f file is not present or there is no sudoers |
| line, the following default is assumed: |
| |
| sudoers: files |
| |
| Note that _�/_�e_�t_�c_�/_�n_�s_�s_�w_�i_�t_�c_�h_�._�c_�o_�n_�f is supported even when the underlying |
| operating system does not use an nsswitch.conf file. |
| |
| C�Co�on�nf�fi�ig�gu�ur�ri�in�ng�g n�ne�et�ts�sv�vc�c.�.c�co�on�nf�f |
| On AIX systems, the _�/_�e_�t_�c_�/_�n_�e_�t_�s_�v_�c_�._�c_�o_�n_�f file is consulted instead of |
| _�/_�e_�t_�c_�/_�n_�s_�s_�w_�i_�t_�c_�h_�._�c_�o_�n_�f. s�su�ud�do�o simply treats _�n_�e_�t_�s_�v_�c_�._�c_�o_�n_�f as a variant of |
| _�n_�s_�s_�w_�i_�t_�c_�h_�._�c_�o_�n_�f; information in the previous section unrelated to the |
| file format itself still applies. |
| |
| To consult LDAP first followed by the local sudoers file (if it |
| exists), use: |
| |
| |
| |
| 1.7.4 July 12, 2010 8 |
| |
| |
| |
| |
| |
| SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) |
| |
| |
| sudoers = ldap, files |
| |
| The local _�s_�u_�d_�o_�e_�r_�s file can be ignored completely by using: |
| |
| sudoers = ldap |
| |
| To treat LDAP as authoratative and only use the local sudoers file if |
| the user is not present in LDAP, use: |
| |
| sudoers = ldap = auth, files |
| |
| Note that in the above example, the auth qualfier only affects user |
| lookups; both LDAP and _�s_�u_�d_�o_�e_�r_�s will be queried for Defaults entries. |
| |
| If the _�/_�e_�t_�c_�/_�n_�e_�t_�s_�v_�c_�._�c_�o_�n_�f file is not present or there is no sudoers |
| line, the following default is assumed: |
| |
| sudoers = files |
| |
| F�FI�IL�LE�ES�S |
| _�/_�e_�t_�c_�/_�l_�d_�a_�p_�._�c_�o_�n_�f LDAP configuration file |
| |
| _�/_�e_�t_�c_�/_�n_�s_�s_�w_�i_�t_�c_�h_�._�c_�o_�n_�f determines sudoers source order |
| |
| _�/_�e_�t_�c_�/_�n_�e_�t_�s_�v_�c_�._�c_�o_�n_�f determines sudoers source order on AIX |
| |
| E�EX�XA�AM�MP�PL�LE�ES�S |
| E�Ex�xa�am�mp�pl�le�e l�ld�da�ap�p.�.c�co�on�nf�f |
| # Either specify one or more URIs or one or more host:port pairs. |
| # If neither is specified sudo will default to localhost, port 389. |
| # |
| #host ldapserver |
| #host ldapserver1 ldapserver2:390 |
| # |
| # Default port if host is specified without one, defaults to 389. |
| #port 389 |
| # |
| # URI will override the host and port settings. |
| uri ldap://ldapserver |
| #uri ldaps://secureldapserver |
| #uri ldaps://secureldapserver ldap://ldapserver |
| # |
| # The amount of time, in seconds, to wait while trying to connect to |
| # an LDAP server. |
| bind_timelimit 30 |
| # |
| # The amount of time, in seconds, to wait while performing an LDAP query. |
| timelimit 30 |
| # |
| # Must be set or sudo will ignore LDAP; may be specified multiple times. |
| sudoers_base ou=SUDOers,dc=example,dc=com |
| # |
| # verbose sudoers matching from ldap |
| #sudoers_debug 2 |
| |
| |
| |
| 1.7.4 July 12, 2010 9 |
| |
| |
| |
| |
| |
| SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) |
| |
| |
| # |
| # optional proxy credentials |
| #binddn <who to search as> |
| #bindpw <password> |
| #rootbinddn <who to search as, uses /etc/ldap.secret for bindpw> |
| # |
| # LDAP protocol version, defaults to 3 |
| #ldap_version 3 |
| # |
| # Define if you want to use an encrypted LDAP connection. |
| # Typically, you must also set the port to 636 (ldaps). |
| #ssl on |
| # |
| # Define if you want to use port 389 and switch to |
| # encryption before the bind credentials are sent. |
| # Only supported by LDAP servers that support the start_tls |
| # extension such as OpenLDAP. |
| #ssl start_tls |
| # |
| # Additional TLS options follow that allow tweaking of the |
| # SSL/TLS connection. |
| # |
| #tls_checkpeer yes # verify server SSL certificate |
| #tls_checkpeer no # ignore server SSL certificate |
| # |
| # If you enable tls_checkpeer, specify either tls_cacertfile |
| # or tls_cacertdir. Only supported when using OpenLDAP. |
| # |
| #tls_cacertfile /etc/certs/trusted_signers.pem |
| #tls_cacertdir /etc/certs |
| # |
| # For systems that don't have /dev/random |
| # use this along with PRNGD or EGD.pl to seed the |
| # random number pool to generate cryptographic session keys. |
| # Only supported when using OpenLDAP. |
| # |
| #tls_randfile /etc/egd-pool |
| # |
| # You may restrict which ciphers are used. Consult your SSL |
| # documentation for which options go here. |
| # Only supported when using OpenLDAP. |
| # |
| #tls_ciphers <cipher-list> |
| # |
| # Sudo can provide a client certificate when communicating to |
| # the LDAP server. |
| # Tips: |
| # * Enable both lines at the same time. |
| # * Do not password protect the key file. |
| # * Ensure the keyfile is only readable by root. |
| # |
| # For OpenLDAP: |
| #tls_cert /etc/certs/client_cert.pem |
| #tls_key /etc/certs/client_key.pem |
| |
| |
| |
| 1.7.4 July 12, 2010 10 |
| |
| |
| |
| |
| |
| SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) |
| |
| |
| # |
| # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either |
| # a directory, in which case the files in the directory must have the |
| # default names (e.g. cert8.db and key4.db), or the path to the cert |
| # and key files themselves. However, a bug in version 5.0 of the LDAP |
| # SDK will prevent specific file names from working. For this reason |
| # it is suggested that tls_cert and tls_key be set to a directory, |
| # not a file name. |
| # |
| # The certificate database specified by tls_cert may contain CA certs |
| # and/or the client's cert. If the client's cert is included, tls_key |
| # should be specified as well. |
| # For backward compatibility, "sslpath" may be used in place of tls_cert. |
| #tls_cert /var/ldap |
| #tls_key /var/ldap |
| # |
| # If using SASL authentication for LDAP (OpenSSL) |
| # use_sasl yes |
| # sasl_auth_id <SASL user name> |
| # rootuse_sasl yes |
| # rootsasl_auth_id <SASL user name for root access> |
| # sasl_secprops none |
| # krb5_ccname /etc/.ldapcache |
| |
| S�Su�ud�do�o s�sc�ch�he�em�ma�a f�fo�or�r O�Op�pe�en�nL�LD�DA�AP�P |
| The following schema is in OpenLDAP format. Simply copy it to the |
| schema directory (e.g. _�/_�e_�t_�c_�/_�o_�p_�e_�n_�l_�d_�a_�p_�/_�s_�c_�h_�e_�m_�a), add the proper include |
| line in slapd.conf and restart s�sl�la�ap�pd�d. |
| |
| attributetype ( 1.3.6.1.4.1.15953.9.1.1 |
| NAME 'sudoUser' |
| DESC 'User(s) who may run sudo' |
| EQUALITY caseExactIA5Match |
| SUBSTR caseExactIA5SubstringsMatch |
| SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
| |
| attributetype ( 1.3.6.1.4.1.15953.9.1.2 |
| NAME 'sudoHost' |
| DESC 'Host(s) who may run sudo' |
| EQUALITY caseExactIA5Match |
| SUBSTR caseExactIA5SubstringsMatch |
| SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
| |
| attributetype ( 1.3.6.1.4.1.15953.9.1.3 |
| NAME 'sudoCommand' |
| DESC 'Command(s) to be executed by sudo' |
| EQUALITY caseExactIA5Match |
| SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
| |
| attributetype ( 1.3.6.1.4.1.15953.9.1.4 |
| NAME 'sudoRunAs' |
| DESC 'User(s) impersonated by sudo' |
| EQUALITY caseExactIA5Match |
| SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
| |
| |
| |
| 1.7.4 July 12, 2010 11 |
| |
| |
| |
| |
| |
| SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) |
| |
| |
| |
| attributetype ( 1.3.6.1.4.1.15953.9.1.5 |
| NAME 'sudoOption' |
| DESC 'Options(s) followed by sudo' |
| EQUALITY caseExactIA5Match |
| SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
| |
| attributetype ( 1.3.6.1.4.1.15953.9.1.6 |
| NAME 'sudoRunAsUser' |
| DESC 'User(s) impersonated by sudo' |
| EQUALITY caseExactIA5Match |
| SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
| |
| attributetype ( 1.3.6.1.4.1.15953.9.1.7 |
| NAME 'sudoRunAsGroup' |
| DESC 'Group(s) impersonated by sudo' |
| EQUALITY caseExactIA5Match |
| SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
| |
| objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL |
| DESC 'Sudoer Entries' |
| MUST ( cn ) |
| MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ |
| sudoRunAsGroup $ sudoOption $ description ) |
| ) |
| |
| S�SE�EE�E A�AL�LS�SO�O |
| _�l_�d_�a_�p_�._�c_�o_�n_�f(4), _�s_�u_�d_�o_�e_�r_�s(5) |
| |
| C�CA�AV�VE�EA�AT�TS�S |
| The way that _�s_�u_�d_�o_�e_�r_�s is parsed differs between Note that there are |
| differences in the way that LDAP-based _�s_�u_�d_�o_�e_�r_�s is parsed compared to |
| file-based _�s_�u_�d_�o_�e_�r_�s. See the "Differences between LDAP and non-LDAP |
| sudoers" section for more information. |
| |
| B�BU�UG�GS�S |
| If you feel you have found a bug in s�su�ud�do�o, please submit a bug report at |
| http://www.sudo.ws/sudo/bugs/ |
| |
| S�SU�UP�PP�PO�OR�RT�T |
| Limited free support is available via the sudo-users mailing list, see |
| http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search |
| the archives. |
| |
| D�DI�IS�SC�CL�LA�AI�IM�ME�ER�R |
| s�su�ud�do�o is provided ``AS IS'' and any express or implied warranties, |
| including, but not limited to, the implied warranties of |
| merchantability and fitness for a particular purpose are disclaimed. |
| See the LICENSE file distributed with s�su�ud�do�o or |
| http://www.sudo.ws/sudo/license.html for complete details. |
| |
| |
| |
| |
| |
| |
| |
| 1.7.4 July 12, 2010 12 |
| |
| |
