Annotation of src/usr.bin/sudo/sudoers.ldap.mdoc.in, Revision 1.1
.\"
.\" Copyright (c) 2003-2012 Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate$
.Dt SUDOERS.LDAP @mansectsu@
.Os
.Sh NAME
.Nm sudoers.ldap
.Nd sudo LDAP configuration
.Sh DESCRIPTION
In addition to the standard
.Em sudoers
file,
.Nm sudo
may be configured
via LDAP.
This can be especially useful for synchronizing
.Em sudoers
in a large, distributed environment.
.Pp
Using LDAP for
.Em sudoers
has several benefits:
.Bl -bullet
.It
.Nm sudo
no longer needs to read
.Em sudoers
in its entirety.
When LDAP is used, there are only two or three LDAP queries per invocation.
This makes it especially fast and particularly usable in LDAP environments.
.It
.Nm sudo
no longer exits if there is a typo in
.Em sudoers .
It is not possible to load LDAP data into the server that does
not conform to the sudoers schema, so proper syntax is guaranteed.
It is still possible to have typos in a user or host name, but
this will not prevent
.Nm sudo
from running.
.It
It is possible to specify per-entry options that override the global
default options.
.Pa @sysconfdir@/sudoers
only supports default options and limited options associated with
user/host/commands/aliases.
The syntax is complicated and can be difficult for users to understand.
Placing the options directly in the entry is more natural.
.It
The
.Nm visudo
program is no longer needed.
.Nm visudo
provides locking and syntax checking of the
.Pa @sysconfdir@/sudoers
file.
Since LDAP updates are atomic, locking is no longer necessary.
Because syntax is checked when the data is inserted into LDAP, there
is no need for a specialized tool to check syntax.
.El
.Pp
Another major difference between LDAP and file-based
.Em sudoers
is that in LDAP,
.Nm sudo Ns No -specific
Aliases are not supported.
.Pp
For the most part, there is really no need for
.Nm sudo Ns No -specific
Aliases.
Unix groups or user netgroups can be used in place of User_Aliases and
Runas_Aliases.
Host netgroups can be used in place of Host_Aliases.
Since Unix groups and netgroups can also be stored in LDAP there is no
real need for
.Nm sudo Ns No -specific
aliases.
.Pp
Cmnd_Aliases are not really required either since it is possible
to have multiple users listed in a
.Li sudoRole .
Instead of defining a Cmnd_Alias that is referenced by multiple users,
one can create a
.Li sudoRole
that contains the commands and assign multiple users to it.
.Ss SUDOers LDAP container
The
.Em sudoers
configuration is contained in the
.Li ou=SUDOers
LDAP container.
.Pp
Sudo first looks for the
.Li cn=defaults
entry in the SUDOers container.
If found, the multi-valued
.Li sudoOption
attribute is parsed in the same manner as a global
.Li Defaults
line in
.Pa @sysconfdir@/sudoers .
In the following example, the
.Ev SSH_AUTH_SOCK
variable will be preserved in the environment for all users.
.Bd -literal -offset 4n
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOptions go here
sudoOption: env_keep+=SSH_AUTH_SOCK
.Ed
.Pp
The equivalent of a sudoer in LDAP is a
.Li sudoRole .
It consists of the following attributes:
.Bl -tag -width 4n
.It Sy sudoUser
A user name, user ID (prefixed with
.Ql # ) ,
Unix group (prefixed with
.Ql % ) ,
Unix group ID (prefixed with
.Ql %# ) ,
or user netgroup (prefixed with
.Ql + ) .
.It Sy sudoHost
A host name, IP address, IP network, or host netgroup (prefixed with a
.Ql + ) .
The special value
.Li ALL
will match any host.
.It Sy sudoCommand
A Unix command with optional command line arguments, potentially
including globbing characters (aka wild cards).
The special value
.Li ALL
will match any command.
If a command is prefixed with an exclamation point
.Ql \&! ,
the user will be prohibited from running that command.
.It Sy sudoOption
Identical in function to the global options described above, but
specific to the
.Li sudoRole
in which it resides.
.It Sy sudoRunAsUser
A user name or uid (prefixed with
.Ql # )
that commands may be run as or a Unix group (prefixed with a
.Ql % )
or user netgroup (prefixed with a
.Ql + )
that contains a list of users that commands may be run as.
The special value
.Li ALL
will match any user.
.Pp
The
.Li sudoRunAsUser
attribute is only available in
.Nm sudo
versions
1.7.0 and higher.
Older versions of
.Nm sudo
use the
.Li sudoRunAs
attribute instead.
.It Sy sudoRunAsGroup
A Unix group or gid (prefixed with
.Ql # )
that commands may be run as.
The special value
.Li ALL
will match any group.
.Pp
The
.Li sudoRunAsGroup
attribute is only available in
.Nm sudo
versions
1.7.0 and higher.
.El
.Ss Configuring ldap.conf
The LDAP connection settings used by
.Nm sudo
are read from
.Pa @ldap_conf@
(see the
.Sx FILES
section).
The following parameters are recognized:
.Bl -tag -width 4n
.It Sy URI Ar ldap[s]://[hostname[:port]] ...
Specifies a whitespace-delimited list of one or more URIs describing
the LDAP server(s) to connect to.
The
.Em protocol
may be either
.Em ldap
or
.Em ldaps ,
the latter being for servers that support TLS (SSL) encryption.
If no
.Em port
is specified, the default is port 389 for
.Li ldap://
or port 636 for
.Li ldaps:// .
If no
.Em hostname
is specified,
.Nm sudo
will connect to
.Em localhost .
Multiple
.Sy URI
lines are treated identically to a
.Sy URI
line containing multiple entries.
Only systems using the OpenSSL libraries support the mixing of
.Li ldap://
and
.Li ldaps://
URIs.
Both the Netscape-derived and Tivoli LDAP libraries used on most commercial
versions of Unix are only capable of supporting one or the other.
.It Sy HOST Ar name[:port] ...
If no
.Sy URI
is specified, the
.Sy HOST
parameter specifies a whitespace-delimited list of LDAP servers to connect to.
Each host may include an optional
.Em port
separated by a colon
.Pq Ql :\& .
The
.Sy HOST
parameter is deprecated in favor of the
.Sy URI
specification and is included for backwards compatibility.
.It Sy PORT Ar port_number
If no
.Sy URI
is specified, the
.Sy PORT
parameter specifies the default port to connect to on the LDAP server if a
.Sy HOST
parameter does not specify the port itself.
If no
.Sy PORT
parameter is used, the default is port 389 for LDAP and port 636 for LDAP
over TLS (SSL).
The
.Sy PORT
parameter is deprecated in favor of the
.Sy URI
specification and is included for backwards compatibility.
.It Sy BIND_TIMELIMIT Ar seconds
The
.Sy BIND_TIMELIMIT
parameter specifies the amount of time, in seconds, to wait while trying
to connect to an LDAP server.
If multiple
.Sy URI Ns No s
or
.Sy HOST Ns No s
are specified, this is the amount of time to wait before trying
the next one in the list.
.It Sy TIMELIMIT Ar seconds
The
.Sy TIMELIMIT
parameter specifies the amount of time, in seconds, to wait for a
response to an LDAP query.
.It Sy SUDOERS_BASE Ar base
The base DN to use when performing
.Nm sudo
LDAP queries.
Typically this is of the form
.Li ou=SUDOers,dc=example,dc=com
for the domain
.Li example.com .
Multiple
.Sy SUDOERS_BASE
lines may be specified, in which case they are queried in the order specified.
.It Sy SUDOERS_DEBUG Ar debug_level
This sets the debug level for
.Nm sudo
LDAP queries.
Debugging information is printed to the standard error.
A value of 1 results in a moderate amount of debugging information.
A value of 2 shows the results of the matches themselves.
This parameter should not be set in a production environment as the
extra information is likely to confuse users.
.It Sy BINDDN Ar DN
The
.Sy BINDDN
parameter specifies the identity, in the form of a Distinguished Name (DN),
to use when performing LDAP operations.
If not specified, LDAP operations are performed with an anonymous identity.
By default, most LDAP servers will allow anonymous access.
.It Sy BINDPW Ar secret
The
.Sy BINDPW
parameter specifies the password to use when performing LDAP operations.
This is typically used in conjunction with the
.Sy BINDDN
parameter.
.It Sy ROOTBINDDN Ar DN
The
.Sy ROOTBINDDN
parameter specifies the identity, in the form of a Distinguished Name (DN),
to use when performing privileged LDAP operations, such as
.Em sudoers
queries.
The password corresponding
to the identity should be stored in
.Pa @ldap_secret@ .
If not specified, the
.Sy BINDDN
identity is used (if any).
.It Sy LDAP_VERSION Ar number
The version of the LDAP protocol to use when connecting to the server.
The default value is protocol version 3.
.It Sy SSL Ar on/true/yes/off/false/no
If the
.Sy SSL
parameter is set to
.Li on ,
.Li true
or
.Li yes ,
TLS (SSL) encryption is always used when communicating with the LDAP server.
Typically, this involves connecting to the server on port 636 (ldaps).
.It Sy SSL Ar start_tls
If the
.Sy SSL
parameter is set to
.Li start_tls ,
the LDAP server connection is initiated normally and TLS encryption is
begun before the bind credentials are sent.
This has the advantage of not requiring a dedicated port for encrypted
communications.
This parameter is only supported by LDAP servers that honor the
.Em start_tls
extension, such as the OpenLDAP and Tivoli Directory servers.
.It Sy TLS_CHECKPEER Ar on/true/yes/off/false/no
If enabled,
.Sy TLS_CHECKPEER
will cause the LDAP server's TLS certificate to be verified.
If the server's TLS certificate cannot be verified (usually because it
is signed by an unknown certificate authority),
.Nm sudo
will be unable to connect to it.
If
.Sy TLS_CHECKPEER
is disabled, no check is made.
Note that disabling the check creates an opportunity for man-in-the-middle
attacks since the server's identity will not be authenticated.
If possible, the CA's certificate should be installed locally so it can
be verified.
This option is not supported by the Tivoli Directory Server LDAP libraries.
.It Sy TLS_CACERTFILE Ar file name
The path to a certificate authority bundle which contains the certificates
for all the Certificate Authorities the client knows to be valid, e.g.\&
.Pa /etc/ssl/ca-bundle.pem .
This option is only supported by the OpenLDAP libraries.
Netscape-derived LDAP libraries use the same certificate
database for CA and client certificates (see
.Sy TLS_CERT ) .
.It Sy TLS_CACERTDIR Ar directory
Similar to
.Sy TLS_CACERTFILE
but instead of a file, it is a directory containing individual
Certificate Authority certificates, e.g.\&
.Pa /etc/ssl/certs .
The directory specified by
.Sy TLS_CACERTDIR
is checked after
.Sy TLS_CACERTFILE .
This option is only supported by the OpenLDAP libraries.
.It Sy TLS_CERT Ar file name
The path to a file containing the client certificate which can
be used to authenticate the client to the LDAP server.
The certificate type depends on the LDAP libraries used.
.Bl -tag -width 4n
.It OpenLDAP:
.Li tls_cert /etc/ssl/client_cert.pem
.It Netscape-derived:
.Li tls_cert /var/ldap/cert7.db
.It Tivoli Directory Server:
Unused, the key database specified by
.Sy TLS_KEY
contains both keys and certificates.
.El
.Pp
When using Netscape-derived libraries, this file may also contain
Certificate Authority certificates.
.It Sy TLS_KEY Ar file name
The path to a file containing the private key which matches the
certificate specified by
.Sy TLS_CERT .
The private key must not be password-protected.
The key type depends on the LDAP libraries used.
.Bl -tag -width 4n
.It OpenLDAP:
.Li tls_key /etc/ssl/client_key.pem
.It Netscape-derived:
.Li tls_key /var/ldap/key3.db
.It Tivoli Directory Server:
.Li tls_key /usr/ldap/ldapkey.kdb
.El
.Pp
When using Tivoli LDAP libraries, this file may also contain
Certificate Authority and client certificates and may be encrypted.
.It Sy TLS_KEYPW Ar secret
The
.Sy TLS_KEYPW
parameter contains the password used to decrypt the key database on clients
using the Tivoli Directory Server LDAP library.
If no
.Sy TLS_KEYPW
is specified, a
.Em stash file
will be used if it exists.
The
.Em stash file
must have the same path as the file specified by
.Sy TLS_KEY ,
but use a
.Li .sth
file extension instead of
.Li .kdb ,
e.g.\&
.Li ldapkey.sth .
The default
.Li ldapkey.kdb
that ships with Tivoli Directory Server is encrypted with the password
.Li ssl_password .
This option is only supported by the Tivoli LDAP libraries.
.It Sy TLS_RANDFILE Ar file name
The
.Sy TLS_RANDFILE
parameter specifies the path to an entropy source for systems that lack
a random device.
It is generally used in conjunction with
.Em prngd
or
.Em egd .
This option is only supported by the OpenLDAP libraries.
.It Sy TLS_CIPHERS Ar cipher list
The
.Sy TLS_CIPHERS
parameter allows the administrator to restrict which encryption algorithms
may be used for TLS (SSL) connections.
See the OpenLDAP or Tivoli Directory Server manual for a list of valid
ciphers.
This option is not supported by Netscape-derived libraries.
.It Sy USE_SASL Ar on/true/yes/off/false/no
Enable
.Sy USE_SASL
for LDAP servers that support SASL authentication.
.It Sy SASL_AUTH_ID Ar identity
The SASL user name to use when connecting to the LDAP server.
By default,
.Nm sudo
will use an anonymous connection.
.It Sy ROOTUSE_SASL Ar on/true/yes/off/false/no
Enable
.Sy ROOTUSE_SASL
to enable SASL authentication when connecting
to an LDAP server from a privileged process, such as
.Nm sudo .
.It Sy ROOTSASL_AUTH_ID Ar identity
The SASL user name to use when
.Sy ROOTUSE_SASL
is enabled.
.It Sy SASL_SECPROPS Ar none/properties
SASL security properties or
.Em none
for no properties.
See the SASL programmer's manual for details.
.It Sy KRB5_CCNAME Ar file name
The path to the Kerberos 5 credential cache to use when authenticating
with the remote server.
.El
.Pp
See the
.Pa ldap.conf
entry in the
.Sx EXAMPLES
section.
.Ss Configuring nsswitch.conf
Unless it is disabled at build time,
.Nm sudo
consults the Name Service Switch file,
.Pa @nsswitch_conf@ ,
to specify the
.Em sudoers
search order.
Sudo looks for a line beginning with
.Li sudoers :
and uses this to determine the search order.
Note that
.Nm sudo
does not stop searching after the first match and later matches take
precedence over earlier ones.
The following sources are recognized:
.Pp
.Bl -tag -width 8n -offset 4n -compact
.It files
read sudoers from
.Pa @sysconfdir@/sudoers
.It ldap
read sudoers from LDAP
.El
.Pp
In addition, the entry
.Li [NOTFOUND=return]
will short-circuit the search if the user was not found in the
preceding source.
.Pp
To consult LDAP first followed by the local sudoers file (if it
exists), use:
.Bd -literal -offset 4n
sudoers: ldap files
.Ed
.Pp
The local
.Em sudoers
file can be ignored completely by using:
.Bd -literal -offset 4n
sudoers: ldap
.Ed
.Pp
If the
.Pa @nsswitch_conf@
file is not present or there is no sudoers line, the following
default is assumed:
.Bd -literal -offset 4n
sudoers: files
.Ed
.Pp
Note that
.Pa @nsswitch_conf@
is supported even when the underlying operating system does not use
an nsswitch.conf file, except on AIX (see below).
.Ss Configuring netsvc.conf
On AIX systems, the
.Pa @netsvc_conf@
file is consulted instead of
.Pa @nsswitch_conf@ .
.Nm sudo
simply treats
.Pa netsvc.conf
as a variant of
.Pa nsswitch.conf ;
information in the previous section unrelated to the file format
itself still applies.
.Pp
To consult LDAP first followed by the local sudoers file (if it
exists), use:
.Bd -literal -offset 4n
sudoers = ldap, files
.Ed
.Pp
The local
.Em sudoers
file can be ignored completely by using:
.Bd -literal -offset 4n
sudoers = ldap
.Ed
.Pp
To treat LDAP as authoritative and only use the local sudoers file
if the user is not present in LDAP, use:
.Bd -literal -offset 4n
sudoers = ldap = auth, files
.Ed
.Pp
Note that in the above example, the
.Li auth
qualifier only affects user lookups; both LDAP and
.Em sudoers
will be queried for
.Li Defaults
entries.
.Pp
If the
.Pa @netsvc_conf@
file is not present or there is no sudoers line, the following
default is assumed:
.Bd -literal -offset 4n
sudoers = files
.Ed
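.Pp
The following Python program is an added example, not part of the
.Nm sudo
distribution or of this manual.
It parses the
.Li sudoers
line of an nsswitch.conf, or of the AIX netsvc.conf variant, into an
ordered source list, treating the
.Li [NOTFOUND=return]
entry and the
.Li auth
qualifier as the short-circuit described in the two sections above, and
then simulates which sources would be consulted for a given user.
The sample file contents are constructed for the example.

```python
"""Added example: resolve the sudoers source order from nsswitch.conf
(or the AIX netsvc.conf variant) as described in the sudoers.ldap manual.
The sample inputs below are constructed for this example."""
import re

# Constructed sample files (not from the manual page).
NSSWITCH_SAMPLE = """\
passwd: files ldap
# sudo only looks at the line beginning with "sudoers:"
sudoers: ldap [NOTFOUND=return] files
"""

NETSVC_SAMPLE = """\
hosts = local, bind
sudoers = ldap = auth, files
"""

VALID_SOURCES = ("files", "ldap")
DEFAULT_ORDER = [("files", False)]


def _strip_comment(line):
    return line.split("#", 1)[0].strip()


def parse_nsswitch(text):
    """Return [(source, stop_if_user_missing), ...] for the 'sudoers:' line.

    '[NOTFOUND=return]' marks the preceding source: if the user is not found
    there, the search stops.  Without a sudoers line the default is 'files'.
    """
    for raw in text.splitlines():
        m = re.match(r"sudoers\s*:\s*(.*)$", _strip_comment(raw))
        if not m:
            continue
        order = []
        for token in m.group(1).split():
            if token.upper() == "[NOTFOUND=RETURN]":
                if not order:
                    raise ValueError("[NOTFOUND=return] needs a preceding source")
                source, _ = order[-1]
                order[-1] = (source, True)
            elif token in VALID_SOURCES:
                order.append((token, False))
            else:
                raise ValueError("unknown sudoers source: %r" % token)
        return order
    return list(DEFAULT_ORDER)


def parse_netsvc(text):
    """AIX netsvc.conf form: 'sudoers = ldap = auth, files'.

    A source qualified with '= auth' behaves like [NOTFOUND=return]: later
    sources are only consulted if the user is not present in it.
    """
    for raw in text.splitlines():
        m = re.match(r"sudoers\s*=\s*(.*)$", _strip_comment(raw))
        if not m:
            continue
        order = []
        for field in m.group(1).split(","):
            parts = [p.strip() for p in field.split("=")]
            source, qualifiers = parts[0], [q.lower() for q in parts[1:]]
            if source not in VALID_SOURCES:
                raise ValueError("unknown sudoers source: %r" % source)
            order.append((source, "auth" in qualifiers))
        return order
    return list(DEFAULT_ORDER)


def consulted_sources(order, found_in):
    """Simulate a lookup: found_in is the set of sources holding an entry for
    the user.  Returns the sources whose results sudo would merge (the manual
    notes it keeps searching after a match, later matches taking precedence)."""
    consulted = []
    for source, stop_if_missing in order:
        consulted.append(source)
        if stop_if_missing and source not in found_in:
            break
    return consulted


if __name__ == "__main__":
    for name, order in (("nsswitch.conf", parse_nsswitch(NSSWITCH_SAMPLE)),
                        ("netsvc.conf", parse_netsvc(NETSVC_SAMPLE))):
        print(name, order)
        print("  user only in files ->", consulted_sources(order, {"files"}))
        print("  user in ldap       ->", consulted_sources(order, {"ldap"}))
```

With both sample files the result is the same: LDAP is consulted first and the
local file is only read when the user has an LDAP entry, which is the
behaviour the
.Li auth
qualifier and
.Li [NOTFOUND=return]
are meant to give.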
.Sh FILES
.Bl -tag -width 24n
.It Pa @ldap_conf@
LDAP configuration file
.It Pa @nsswitch_conf@
determines sudoers source order
.It Pa @netsvc_conf@
determines sudoers source order on AIX
.El
.Sh EXAMPLES
.Ss Example ldap.conf
.Bd -literal -offset 2n
# Either specify one or more URIs or one or more host:port pairs.
# If neither is specified sudo will default to localhost, port 389.
#
#host ldapserver
#host ldapserver1 ldapserver2:390
#
# Default port if host is specified without one, defaults to 389.
#port 389
#
# URI will override the host and port settings.
uri ldap://ldapserver
#uri ldaps://secureldapserver
#uri ldaps://secureldapserver ldap://ldapserver
#
# The amount of time, in seconds, to wait while trying to connect to
# an LDAP server.
bind_timelimit 30
#
# The amount of time, in seconds, to wait while performing an LDAP query.
timelimit 30
#
# Must be set or sudo will ignore LDAP; may be specified multiple times.
sudoers_base ou=SUDOers,dc=example,dc=com
#
# verbose sudoers matching from ldap
#sudoers_debug 2
#
# optional proxy credentials
#binddn <who to search as>
#bindpw <password>
#rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>
#
# LDAP protocol version, defaults to 3
#ldap_version 3
#
# Define if you want to use an encrypted LDAP connection.
# Typically, you must also set the port to 636 (ldaps).
#ssl on
#
# Define if you want to use port 389 and switch to
# encryption before the bind credentials are sent.
# Only supported by LDAP servers that support the start_tls
# extension such as OpenLDAP.
#ssl start_tls
#
# Additional TLS options follow that allow tweaking of the
# SSL/TLS connection.
#
#tls_checkpeer yes # verify server SSL certificate
#tls_checkpeer no # ignore server SSL certificate
#
# If you enable tls_checkpeer, specify either tls_cacertfile
# or tls_cacertdir. Only supported when using OpenLDAP.
#
#tls_cacertfile /etc/certs/trusted_signers.pem
#tls_cacertdir /etc/certs
#
# For systems that don't have /dev/random
# use this along with PRNGD or EGD.pl to seed the
# random number pool to generate cryptographic session keys.
# Only supported when using OpenLDAP.
#
#tls_randfile /etc/egd-pool
#
# You may restrict which ciphers are used. Consult your SSL
# documentation for which options go here.
# Only supported when using OpenLDAP.
#
#tls_ciphers <cipher-list>
#
# Sudo can provide a client certificate when communicating to
# the LDAP server.
# Tips:
# * Enable both lines at the same time.
# * Do not password protect the key file.
# * Ensure the keyfile is only readable by root.
#
# For OpenLDAP:
#tls_cert /etc/certs/client_cert.pem
#tls_key /etc/certs/client_key.pem
#
# For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
# a directory, in which case the files in the directory must have the
# default names (e.g. cert8.db and key4.db), or the path to the cert
# and key files themselves. However, a bug in version 5.0 of the LDAP
# SDK will prevent specific file names from working. For this reason
# it is suggested that tls_cert and tls_key be set to a directory,
# not a file name.
#
# The certificate database specified by tls_cert may contain CA certs
# and/or the client's cert. If the client's cert is included, tls_key
# should be specified as well.
# For backward compatibility, "sslpath" may be used in place of tls_cert.
#tls_cert /var/ldap
#tls_key /var/ldap
#
# If using SASL authentication for LDAP (OpenSSL)
# use_sasl yes
# sasl_auth_id <SASL user name>
# rootuse_sasl yes
# rootsasl_auth_id <SASL user name for root access>
# sasl_secprops none
# krb5_ccname /etc/.ldapcache
.Ed
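.Pp
The following Python program is an added example, not part of the
.Nm sudo
distribution or of this manual.
It reads a configuration in the format shown above and reports the settings
this manual warns about: a missing
.Sy SUDOERS_BASE ,
the deprecated
.Sy HOST
and
.Sy PORT
parameters, bind credentials sent without TLS, a disabled
.Sy TLS_CHECKPEER ,
a
.Sy TLS_CHECKPEER
with no CA certificates to check against, and mixed
.Li ldap://
and
.Li ldaps://
URIs.
The weak and hardened configuration fragments it checks are constructed for
the example, and treating an unset
.Sy TLS_CHECKPEER
as disabled is the example's own conservative assumption.

```python
"""Added example: parse an ldap.conf in the format shown in the manual's
EXAMPLES section and report settings the manual flags as risky or
non-functional.  Both configuration fragments are constructed."""

# Constructed fragment: deprecated host/port, clear-text bind, no sudoers_base.
WEAK_CONF = """\
host ldapserver1 ldapserver2:390
port 389
binddn cn=sudo-proxy,ou=svc,dc=example,dc=com
bindpw s3cret
tls_checkpeer no    # ignore server SSL certificate
"""

# Constructed fragment: ldaps URIs, verified server certificate, sudoers_base set.
HARDENED_CONF = """\
uri ldaps://ldap1.example.com ldaps://ldap2.example.com
sudoers_base ou=SUDOers,dc=example,dc=com
binddn cn=sudo-proxy,ou=svc,dc=example,dc=com
bindpw s3cret
ssl on
tls_checkpeer yes
tls_cacertfile /etc/ssl/ca-bundle.pem
bind_timelimit 30
timelimit 30
"""

TRUE_VALUES = ("on", "true", "yes")


def parse_ldap_conf(text):
    """Map lowercase keyword -> list of values.  Keywords may repeat (uri,
    sudoers_base); text after '#' is a comment, as in the manual's example."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


def uses_encryption(conf, uris):
    """True if the session is encrypted: ssl on/true/yes or start_tls, or
    every configured URI uses the ldaps:// scheme."""
    ssl_mode = conf.get("ssl", ["off"])[-1].lower()
    if ssl_mode in TRUE_VALUES or ssl_mode == "start_tls":
        return True
    return bool(uris) and all(u.startswith("ldaps://") for u in uris)


def audit_ldap_conf(conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    uris = " ".join(conf.get("uri", [])).split()
    if "sudoers_base" not in conf:
        findings.append("sudoers_base missing: sudo will ignore LDAP")
    if not uris and ("host" in conf or "port" in conf):
        findings.append("host/port are deprecated: use uri instead")
    encrypted = uses_encryption(conf, uris)
    if ("binddn" in conf or "bindpw" in conf) and not encrypted:
        findings.append("binddn/bindpw set without TLS: credentials sent in the clear")
    # Assumption for this example: peer verification is off unless explicitly enabled.
    checkpeer = conf.get("tls_checkpeer", ["off"])[-1].lower()
    if encrypted and checkpeer not in TRUE_VALUES:
        findings.append("tls_checkpeer not enabled: server identity unverified (MITM)")
    if checkpeer in TRUE_VALUES and not ("tls_cacertfile" in conf or "tls_cacertdir" in conf):
        findings.append("tls_checkpeer enabled but no tls_cacertfile/tls_cacertdir")
    schemes = {u.split("://", 1)[0] for u in uris}
    if schemes == {"ldap", "ldaps"}:
        findings.append("mixed ldap:// and ldaps:// URIs: only OpenSSL-based builds support this")
    if "sudoers_debug" in conf:
        findings.append("sudoers_debug set: not for production use")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name + ":")
        for finding in audit_ldap_conf(parse_ldap_conf(text)) or ["nothing flagged"]:
            print("  -", finding)
```

The weak fragment produces three findings (no
.Li sudoers_base ,
deprecated
.Li host
and
.Li port ,
and a bind password on an unencrypted session); the hardened fragment
produces none.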
.Ss Sudo schema for OpenLDAP
The following schema, in OpenLDAP format, is included with
.Nm sudo
source and binary distributions as
.Pa schema.OpenLDAP .
Simply copy
it to the schema directory (e.g.\&
.Pa /etc/openldap/schema ) ,
add the proper
.Li include
line in
.Pa slapd.conf
and restart
.Nm slapd .
.Bd -literal -offset 2n
attributetype ( 1.3.6.1.4.1.15953.9.1.1
   NAME 'sudoUser'
   DESC 'User(s) who may run sudo'
   EQUALITY caseExactIA5Match
   SUBSTR caseExactIA5SubstringsMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.2
   NAME 'sudoHost'
   DESC 'Host(s) who may run sudo'
   EQUALITY caseExactIA5Match
   SUBSTR caseExactIA5SubstringsMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.3
   NAME 'sudoCommand'
   DESC 'Command(s) to be executed by sudo'
   EQUALITY caseExactIA5Match
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.4
   NAME 'sudoRunAs'
   DESC 'User(s) impersonated by sudo'
   EQUALITY caseExactIA5Match
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.5
   NAME 'sudoOption'
   DESC 'Options(s) followed by sudo'
   EQUALITY caseExactIA5Match
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.6
   NAME 'sudoRunAsUser'
   DESC 'User(s) impersonated by sudo'
   EQUALITY caseExactIA5Match
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.7
   NAME 'sudoRunAsGroup'
   DESC 'Group(s) impersonated by sudo'
   EQUALITY caseExactIA5Match
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
   DESC 'Sudoer Entries'
   MUST ( cn )
   MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
         sudoRunAsGroup $ sudoOption $ description )
   )
.Ed
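.Pp
The following Python program is an added example, not part of the
.Nm sudo
distribution or of this manual.
It first checks each LDIF entry against the
.Li sudoRole
objectclass above (the
.Li MUST
and
.Li MAY
lists), then applies the
.Sy sudoUser ,
.Sy sudoHost
and
.Sy sudoCommand
matching rules given in the DESCRIPTION section to decide which roles would
let a user run a command on a host.
The LDIF entries and the user and host descriptions are constructed, and the
matching is a simplified model rather than the logic in
.Nm sudo
itself; in particular, it treats a prohibited
.Ql \&!
command as always winning over a permitting entry.

```python
"""Added example (not sudo's code): check LDIF entries against the sudoRole
objectclass, then evaluate them with the sudoUser/sudoHost/sudoCommand rules.
All sample data is constructed; matching is a simplified model of sudo."""
import fnmatch
import ipaddress

# Constructed LDIF: one role plus one entry that violates the schema.
LDIF_SAMPLE = """\
dn: cn=webadmins,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: webadmins
sudoUser: %webadmin
sudoUser: #1042
sudoHost: 192.0.2.0/24
sudoHost: +webservers
sudoCommand: /usr/sbin/service httpd *
sudoCommand: !/usr/sbin/service httpd stop

dn: cn=broken,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
sudoUser: bob
sudoCmnd: ALL
"""

MUST = {"cn"}
MAY = {"sudoUser", "sudoHost", "sudoCommand", "sudoRunAs", "sudoRunAsUser",
       "sudoRunAsGroup", "sudoOption", "description"}

def parse_ldif(text):
    """Minimal LDIF reader: 'attr: value' lines, entries split by blank lines."""
    entries, entry = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if entry:
                entries.append(entry)
            entry = {}
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entries

def schema_problems(entry):
    """What slapd would reject: a missing MUST attribute or an attribute
    outside MUST/MAY (why the manual can say proper syntax is guaranteed)."""
    allowed = MUST | MAY | {"dn", "objectClass"}
    return (["missing " + a for a in MUST if a not in entry]
            + ["unknown attribute " + a for a in entry if a not in allowed])

def user_matches(values, user):
    """sudoUser: name, #uid, %group, %#gid or +netgroup."""
    def one(v):
        if v.startswith("%#"):
            return int(v[2:]) in user["gids"]
        if v.startswith("#"):
            return int(v[1:]) == user["uid"]
        if v.startswith("%"):
            return v[1:] in user["groups"]
        if v.startswith("+"):
            return v[1:] in user["netgroups"]
        return v == user["name"]
    return any(one(v) for v in values)

def host_matches(values, host):
    """sudoHost: host name, IP address, IP network, +netgroup or ALL."""
    def one(v):
        if v.startswith("+"):
            return v[1:] in host["netgroups"]
        if v in ("ALL", host["name"]):
            return True
        try:
            return ipaddress.ip_address(host["ip"]) in ipaddress.ip_network(v, strict=False)
        except ValueError:
            return False  # neither an address nor a network
    return any(one(v) for v in values)

def command_allowed(values, command):
    """sudoCommand with shell-style globbing on path and arguments; a value
    prefixed with '!' prohibits the command.  In this model a prohibition
    always wins over a permitting entry."""
    cmd_path, _, cmd_args = command.partition(" ")
    allowed = False
    for v in values:
        negated = v.startswith("!")
        spec_path, _, spec_args = (v[1:] if negated else v).partition(" ")
        matched = spec_path == "ALL" or (
            fnmatch.fnmatchcase(cmd_path, spec_path)
            and (spec_args == "" or fnmatch.fnmatchcase(cmd_args, spec_args)))
        if matched and negated:
            return False
        allowed = allowed or matched
    return allowed

def granting_roles(entries, user, host, command):
    """cn of each schema-valid role under which user may run command on host."""
    return [e["cn"][0] for e in entries
            if not schema_problems(e)
            and user_matches(e.get("sudoUser", []), user)
            and host_matches(e.get("sudoHost", []), host)
            and command_allowed(e.get("sudoCommand", []), command)]

# Constructed identities (user id 1042 matches the '#1042' sudoUser value).
ALICE = {"name": "alice", "uid": 1042, "groups": {"users"}, "gids": {100}, "netgroups": set()}
WEB1 = {"name": "web1.example.com", "ip": "192.0.2.10", "netgroups": {"webservers"}}
```

Calling
.Li granting_roles(parse_ldif(LDIF_SAMPLE), ALICE, WEB1, "/usr/sbin/service httpd reload")
returns the
.Li webadmins
role, while the same call with
.Li "/usr/sbin/service httpd stop"
returns nothing because of the negated
.Li sudoCommand ;
the
.Li broken
entry is never considered, since the directory server would have refused it.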
.Sh SEE ALSO
.Xr ldap.conf @mansectsu@ ,
.Xr sudoers @mansectsu@
.Sh CAVEATS
Note that there are differences in the way that LDAP-based
.Em sudoers
is parsed compared to file-based
.Em sudoers .
See the
.Sx Differences between LDAP and non-LDAP sudoers
section for more information.
.Sh BUGS
If you feel you have found a bug in
.Nm sudo ,
please submit a bug report at http://www.sudo.ws/sudo/bugs/
.Sh SUPPORT
Limited free support is available via the sudo-users mailing list,
see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.Sh DISCLAIMER
.Nm sudo
is provided
.Dq AS IS
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
.Nm sudo
or http://www.sudo.ws/sudo/license.html for complete details.