version 1.1, 2008/11/14 11:58:08
version 1.2, 2009/04/11 11:48:06

OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

$Sudo: sudoers.ldap.pod,v 1.10 2008/05/10 13:18:47 millert Exp $
$Sudo: sudoers.ldap.pod,v 1.12 2009/03/10 21:08:18 millert Exp $
=pod

=head1 NAME

Unless it is disabled at build time, B<sudo> consults the Name
Service Switch file, F<@nsswitch_conf@>, to specify the I<sudoers>
search order. Sudo looks for a line beginning with C<sudoers>: and
uses this to determine the search order. Note that B<sudo> does
not stop searching after the first match and later matches take
precedence over earlier ones.

Note that F<@nsswitch_conf@> is supported even when the underlying
operating system does not use an nsswitch.conf file.

=head2 Configuring netsvc.conf

On AIX systems, the F<@netsvc_conf@> file is consulted instead of
F<@nsswitch_conf@>. B<sudo> simply treats I<netsvc.conf> as a
variant of I<nsswitch.conf>; information in the previous section
unrelated to the file format itself still applies.

To consult LDAP first followed by the local sudoers file (if it
exists), use:

    sudoers = ldap, files

The local I<sudoers> file can be ignored completely by using:

    sudoers = ldap

To treat LDAP as authoritative and only use the local sudoers file
if the user is not present in LDAP, use:

    sudoers = ldap = auth, files

Note that in the above example, the C<auth> qualifier only affects
user lookups; both LDAP and I<sudoers> will be queried for C<Defaults>
entries.

If the F<@netsvc_conf@> file is not present or there is no
sudoers line, the following default is assumed:

    sudoers = files
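
The following is an added illustration, not code from sudo itself: a small Python model of how a netsvc.conf C<sudoers> line is read and how the resulting source order, the C<auth> qualifier and the default of C<files> affect user and C<Defaults> lookups as described above. The parsing rules are assumed from the examples in this section, and the LDAP and file contents in C<BACKENDS> are constructed for the demonstration.

```python
# Added example (not sudo's own code): models the netsvc.conf "sudoers"
# line described in the text; parsing rules are assumed from its examples.

def parse_sudoers_line(conf_text):
    """Return [(source, authoritative)] in configured order; with no
    sudoers line (or no file) the default is the local file only."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()           # drop comments
        key, sep, rest = line.partition("=")
        if not sep or key.strip() != "sudoers":
            continue
        sources = []
        for entry in rest.split(","):                  # "ldap = auth", " files"
            name, _, qualifier = entry.partition("=")
            if name.strip():
                sources.append((name.strip(), qualifier.strip() == "auth"))
        return sources
    return [("files", False)]

def lookup_user(sources, user, backends):
    """Collect the user's entries from each source in order.  sudo does
    not stop at the first match, so all of them are returned and a caller
    applying them in sequence lets later sources override earlier ones.
    A source marked 'auth' ends the search once it yields the user."""
    matches = []
    for name, authoritative in sources:
        entries = backends.get(name, {}).get("users", {}).get(user, [])
        matches.extend((name, e) for e in entries)
        if authoritative and entries:
            break
    return matches

def lookup_defaults(sources, backends):
    """Defaults entries ignore 'auth': every configured source is read."""
    return [(name, d) for name, _ in sources
            for d in backends.get(name, {}).get("defaults", [])]

# Constructed sample backends standing in for the directory and the file.
BACKENDS = {
    "ldap":  {"users": {"alice": ["ALL=(ALL) ALL"]}, "defaults": ["env_reset"]},
    "files": {"users": {"alice": ["ALL=(root) /usr/bin/less"],
                        "bob": ["ALL=(ALL) ALL"]}, "defaults": ["log_output"]},
}

if __name__ == "__main__":
    order = parse_sudoers_line("sudoers = ldap = auth, files")
    print(lookup_user(order, "alice", BACKENDS))   # only the LDAP rule
    print(lookup_user(order, "bob", BACKENDS))     # bob is absent from LDAP
    print(lookup_defaults(order, BACKENDS))        # both sources
```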

=head1 FILES

=over 24

=item F<@nsswitch_conf@>

determines sudoers source order

=item F<@netsvc_conf@>

determines sudoers source order on AIX

=back

=head1 EXAMPLES

    MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
          sudoRunAsGroup $ sudoOption $ description )
    )

=for comment
Add nsswitch.conf example?
Add more exhaustive sudoers ldif example?

=head1 SEE ALSO
