| version 1.1, 2008/11/14 11:58:08 |
version 1.2, 2009/04/11 11:48:06 |
|
|
| OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
| ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| |
|
| $Sudo: sudoers.ldap.pod,v 1.10 2008/05/10 13:18:47 millert Exp $ |
$Sudo: sudoers.ldap.pod,v 1.12 2009/03/10 21:08:18 millert Exp $ |
| =pod |
=pod |
| |
|
| =head1 NAME |
=head1 NAME |
|
|
| |
|
| Unless it is disabled at build time, B<sudo> consults the Name |
Unless it is disabled at build time, B<sudo> consults the Name |
| Service Switch file, F<@nsswitch_conf@>, to specify the I<sudoers> |
Service Switch file, F<@nsswitch_conf@>, to specify the I<sudoers> |
| search order. Sudo looks for a line beginning with C<sudoers:> and |
search order. Sudo looks for a line beginning with C<sudoers>: and |
| uses this to determine the search order. Note that B<sudo> does |
uses this to determine the search order. Note that B<sudo> does |
| not stop searching after the first match and later matches take |
not stop searching after the first match and later matches take |
| precedence over earlier ones. |
precedence over earlier ones. |
|
|
| Note that F<@nsswitch_conf@> is supported even when the underlying |
Note that F<@nsswitch_conf@> is supported even when the underlying |
| operating system does not use an nsswitch.conf file. |
operating system does not use an nsswitch.conf file. |
| |
|
| |
=head2 Configuring netsvc.conf |
| |
|
| |
On AIX systems, the F<@netsvc_conf@> file is consulted instead of |
| |
F<@nsswitch_conf@>. B<sudo> simply treats I<netsvc.conf> as a |
| |
variant of I<nsswitch.conf>; information in the previous section |
| |
unrelated to the file format itself still applies. |
| |
|
| |
To consult LDAP first followed by the local sudoers file (if it |
| |
exists), use: |
| |
|
| |
sudoers = ldap, files |
| |
|
| |
The local I<sudoers> file can be ignored completely by using: |
| |
|
| |
sudoers = ldap |
| |
|
| |
To treat LDAP as authoratative and only use the local sudoers file |
| |
if the user is not present in LDAP, use: |
| |
|
| |
sudoers = ldap = auth, files |
| |
|
| |
Note that in the above example, the C<auth> qualfier only affects |
| |
user lookups; both LDAP and I<sudoers> will be queried for C<Defaults> |
| |
entries. |
| |
|
| |
If the F<@netsvc_conf@> file is not present or there is no |
| |
sudoers line, the following default is assumed: |
| |
|
| |
sudoers = files |
| |
|
| =head1 FILES |
=head1 FILES |
| |
|
| =over 24 |
=over 24 |
|
|
| |
|
| determines sudoers source order |
determines sudoers source order |
| |
|
| |
=item F<@netsvc_conf@> |
| |
|
| |
determines sudoers source order on AIX |
| |
|
| =back |
=back |
| |
|
| =head1 EXAMPLES |
=head1 EXAMPLES |
|
|
| MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ |
MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ |
| sudoRunAsGroup $ sudoOption $ description ) |
sudoRunAsGroup $ sudoOption $ description ) |
| ) |
) |
| |
|
| =for comment |
|
| |
|
| Add nsswitch.conf example? |
|
| Add more exhaustive sudoers ldif example? |
|
| |
|
| =head1 SEE ALSO |
=head1 SEE ALSO |
| |
|
![[BACK]](/icons/back.gif){kind=icon}
Return to sudoers.ldap.pod CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / sudo