For the most part, there is really no need for s\bsu\bud\bdo\bo-specific Aliases.
Unix groups or user netgroups can be used in place of User_Aliases and
- RunasAliases. Host netgroups can be used in place of HostAliases.
+ Runas_Aliases. Host netgroups can be used in place of Host_Aliases.
Since Unix groups and netgroups can also be stored in LDAP there is no
real need for s\bsu\bud\bdo\bo-specific aliases.
-1.7.5b2 January 10, 2011 1
+1.7.5b2 February 1, 2011 1
sudoOption: env_keep+=SSH_AUTH_SOCK
The equivalent of a sudoer in LDAP is a sudoRole. It consists of the
- following components:
+ following attributes:
s\bsu\bud\bdo\boU\bUs\bse\ber\br
A user name, uid (prefixed with '#'), Unix group (prefixed with a
with a '+') that contains a list of users that commands may be run
as. The special value ALL will match any user.
+ The sudoRunAsUser attribute is only available in s\bsu\bud\bdo\bo versions
+ 1.7.0 and higher. Older versions of s\bsu\bud\bdo\bo use the sudoRunAs
+ attribute instead.
+
s\bsu\bud\bdo\boR\bRu\bun\bnA\bAs\bsG\bGr\bro\bou\bup\bp
A Unix group or gid (prefixed with '#') that commands may be run
as. The special value ALL will match any group.
+ The sudoRunAsGroup attribute is only available in s\bsu\bud\bdo\bo versions
+ 1.7.0 and higher.
+
s\bsu\bud\bdo\boN\bNo\bot\btB\bBe\bef\bfo\bor\bre\be
- A timestamp in the form yyyymmddHHMMZ that indicates start of
- validity of this sudoRole. If multiple s\bsu\bud\bdo\boN\bNo\bot\btB\bBe\bef\bfo\bor\bre\be entries are
- present, the earliest is used.
+ A timestamp in the form yyyymmddHHMMZ that can be used to provide a
+ start date/time for when the sudoRole will be valid. If multiple
+ sudoNotBefore entries are present, the earliest is used. Note that
- s\bsu\bud\bdo\boN\bNo\bot\btA\bAf\bft\bte\ber\br
- A timestamp in the form yyyymmddHHMMZ that indicates end of
- validity of this sudoRole. If multiple s\bsu\bud\bdo\boN\bNo\bot\btA\bAf\bft\bte\ber\br entries are
- present, the last one is used.
+1.7.5b2 February 1, 2011 2
-1.7.5b2 January 10, 2011 2
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ timestamps must be in Coordinated Universal Time (UTC), not the
+ local timezone.
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ The sudoNotBefore attribute is only available in s\bsu\bud\bdo\bo versions
+ 1.7.5 and higher and must be explicitly enabled via the
+ S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_T\bTI\bIM\bME\bED\bD option in _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf.
+ s\bsu\bud\bdo\boN\bNo\bot\btA\bAf\bft\bte\ber\br
+ A timestamp in the form yyyymmddHHMMZ that indicates an expiration
+ date/time, after which the sudoRole will no longer be valid. If
+ multiple sudoNotBefore entries are present, the last one is used.
+ Note that timestamps must be in Coordinated Universal Time (UTC),
+ not the local timezone.
+
+ The sudoNotAfter attribute is only available in s\bsu\bud\bdo\bo versions 1.7.5
+ and higher and must be explicitly enabled via the S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_T\bTI\bIM\bME\bED\bD
+ option in _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf.
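Review bot: the new sudoNotAfter text at the line reading "multiple sudoNotBefore entries are present, the last one is used" names the wrong attribute; it should say sudoNotAfter, as the removed wording did. The same copy/paste slip is in the nroff and pod versions of this change, so it should be fixed in the pod source and the generated files regenerated. It would also help to state the consequence of the multi-value rules in one sentence: with several values, the earliest start and the latest end are taken, so the widest window wins, and an administrator who adds a second, tighter value does not narrow the role as they might expect.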
s\bsu\bud\bdo\boO\bOr\brd\bde\ber\br
The sudoRole entries retrieved from the LDAP directory have no
- inherent order. The s\bsu\bud\bdo\boO\bOr\brd\bde\ber\br attribute is an integer (or floating
+ inherent order. The sudoOrder attribute is an integer (or floating
point value for LDAP servers that support it) that is used to sort
the matching entries. This allows LDAP-based sudoers entries to
more closely mimic the behaviour of the sudoers file, where the of
the entries influences the result. If multiple entries match, the
- entry with the highest s\bsu\bud\bdo\boO\bOr\brd\bde\ber\br attribute is chosen. This
+ entry with the highest sudoOrder attribute is chosen. This
corresponds to the "last match" behavior of the sudoers file. If
- the s\bsu\bud\bdo\boO\bOr\brd\bde\ber\br attribute is not present, a value of 0 is assumed.
+ the sudoOrder attribute is not present, a value of 0 is assumed.
- Each component listed above should contain a single value, but there
- may be multiple instances of each component type. A sudoRole must
+ The sudoOrder attribute is only available in s\bsu\bud\bdo\bo versions 1.7.5
+ and higher.
+
+ Each attribute listed above should contain a single value, but there
+ may be multiple instances of each attribute type. A sudoRole must
contain at least one sudoUser, sudoHost and sudoCommand.
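Review bot: the sudoOrder paragraph still carries the context line "where the of the entries influences the result", which is missing the word "order"; since this hunk rewrites the surrounding lines, fix it here (the nroff and pod copies have the same gap). Two smaller points in the same paragraph: "behaviour" and "behavior" are both used within three lines, and because a missing sudoOrder is treated as 0 while the entries "have no inherent order", the text should say that the choice among entries with equal sudoOrder values is unspecified, so a role that must take precedence needs an explicit, unique value.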
The following example allows users in group wheel to run any command on
that the user belongs to. (The special ALL tag is matched in this
query too.) If no match is returned for the user's name and groups, a
third query returns all entries containing user netgroups and checks to
+
+
+
+1.7.5b2 February 1, 2011 3
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
see if the user belongs to any of them.
If timed entries are enabled with the S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_T\bTI\bIM\bME\bED\bD configuration
directive, the LDAP queries include a subfilter that limits retrieval
- to entries that satisfy the time constraints, if any are present.
+ to entries that satisfy the time constraints, if any.
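Review bot: the SUDOERS_TIMED paragraph covers only the enabled case; since the option is documented as controlling "whether or not to evaluate" sudoNotBefore and sudoNotAfter, it should state plainly that with SUDOERS_TIMED off those attributes are ignored and an entry whose sudoNotAfter has passed is still honored, preferably in the sudoNotBefore and sudoNotAfter descriptions as well, because that is where an administrator setting an expiry will look. Mentioning that the trailing Z in yyyymmddHHMMZ is what denotes UTC would make the new "must be in Coordinated Universal Time" sentence concrete.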
D\bDi\bif\bff\bfe\ber\bre\ben\bnc\bce\bes\bs b\bbe\bet\btw\bwe\bee\ben\bn L\bLD\bDA\bAP\bP a\ban\bnd\bd n\bno\bon\bn-\b-L\bLD\bDA\bAP\bP s\bsu\bud\bdo\boe\ber\brs\bs
There are some subtle differences in the way sudoers is handled once in
returned in any specific order.
The order in which different entries are applied can be controlled
- using the s\bsu\bud\bdo\boO\bOr\brd\bde\ber\br attribute, but there is no way to guarantee the
+ using the sudoOrder attribute, but there is no way to guarantee the
order of attributes within a specific entry. If there are conflicting
command rules in an entry, the negative takes precedence. This is
called paranoid behavior (not necessarily the most specific match).
Here is an example:
-
-
-
-
-1.7.5b2 January 10, 2011 3
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
# /etc/sudoers:
# Allow all commands except shell
johnny ALL=(root) ALL,!/bin/sh
currently ignored. For example, the following attributes do not behave
the way one might expect.
+
+
+
+
+1.7.5b2 February 1, 2011 4
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
# does not match all but joe
# rather, does not match anyone
sudoUser: !joe
Three versions of the schema: one for OpenLDAP servers
(_\bs_\bc_\bh_\be_\bm_\ba_\b._\bO_\bp_\be_\bn_\bL_\bD_\bA_\bP), one for Netscape-derived servers (_\bs_\bc_\bh_\be_\bm_\ba_\b._\bi_\bP_\bl_\ba_\bn_\be_\bt),
-
-
-
-1.7.5b2 January 10, 2011 4
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
and one for Microsoft Active Directory (_\bs_\bc_\bh_\be_\bm_\ba_\b._\bA_\bc_\bt_\bi_\bv_\be_\bD_\bi_\br_\be_\bc_\bt_\bo_\br_\by) may be
found in the s\bsu\bud\bdo\bo distribution.
specified in _\b/_\be_\bt_\bc_\b/_\bo_\bp_\be_\bn_\bl_\bd_\ba_\bp_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf or the user's _\b._\bl_\bd_\ba_\bp_\br_\bc files are
not used.
- Only those options explicitly listed in _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf that are
+ Only those options explicitly listed in _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf as being
supported by s\bsu\bud\bdo\bo are honored. Configuration options are listed below
in upper case but are parsed in a case-independent manner.
commercial versions of Unix are only capable of supporting one or
the other.
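Review bot: the reworded sentence "Only those options explicitly listed in /etc/ldap.conf as being supported by sudo are honored" now reads as if ldap.conf itself marks options as supported; the intent is that, of the options that may appear in ldap.conf, only those listed in the following section are honored. Suggest "Only those ldap.conf options listed below as supported by sudo are honored; other options present in the file are not", which also tells the reader that an unsupported TLS or timeout setting has no effect on sudo.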
+
+
+1.7.5b2 February 1, 2011 5
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
H\bHO\bOS\bST\bT name[:port] ...
If no U\bUR\bRI\bI is specified, the H\bHO\bOS\bST\bT parameter specifies a whitespace-
delimited list of LDAP servers to connect to. Each host may
multiple U\bUR\bRI\bIs or H\bHO\bOS\bST\bTs are specified, this is the amount of time to
wait before trying the next one in the list.
-
-
-1.7.5b2 January 10, 2011 5
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
N\bNE\bET\bTW\bWO\bOR\bRK\bK_\b_T\bTI\bIM\bME\bEO\bOU\bUT\bT seconds
- An alias for B\bBI\bIN\bND\bD_\b_T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT.
+ An alias for B\bBI\bIN\bND\bD_\b_T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT for OpenLDAP compatibility.
T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT seconds
The T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT parameter specifies the amount of time, in seconds,
which case they are queried in the order specified.
S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_T\bTI\bIM\bME\bED\bD on/true/yes/off/false/no
- Whether or not to evaluate the s\bsu\bud\bdo\boN\bNo\bot\btB\bBe\bef\bfo\bor\bre\be and s\bsu\bud\bdo\boN\bNo\bot\btA\bAf\bft\bte\ber\br
+ Whether or not to evaluate the sudoNotBefore and sudoNotAfter
attributes that implement time-dependent sudoers entries.
S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_D\bDE\bEB\bBU\bUG\bG debug_level
The B\bBI\bIN\bND\bDD\bDN\bN parameter specifies the identity, in the form of a
Distinguished Name (DN), to use when performing LDAP operations.
If not specified, LDAP operations are performed with an anonymous
+
+
+
+1.7.5b2 February 1, 2011 6
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
identity. By default, most LDAP servers will allow anonymous
access.
S\bSS\bSL\bL on/true/yes/off/false/no
If the S\bSS\bSL\bL parameter is set to on, true or yes, TLS (SSL)
-
-
-
-1.7.5b2 January 10, 2011 6
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
encryption is always used when communicating with the LDAP server.
Typically, this involves connecting to the server on port 636
(ldaps).
can be verified.
T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bT file name
- An alias for T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE.
+ An alias for T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE for OpenLDAP compatibility.
T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE file name
The path to a certificate authority bundle which contains the
libraries use the same certificate database for CA and client
certificates (see T\bTL\bLS\bS_\b_C\bCE\bER\bRT\bT).
+
+
+1.7.5b2 February 1, 2011 7
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTD\bDI\bIR\bR directory
Similar to T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE but instead of a file, it is a directory
containing individual Certificate Authority certificates, e.g.
When using Netscape-derived libraries, this file may also contain
Certificate Authority certificates.
-
-
-1.7.5b2 January 10, 2011 7
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
T\bTL\bLS\bS_\b_K\bKE\bEY\bY file name
The path to a file containing the private key which matches the
certificate specified by T\bTL\bLS\bS_\b_C\bCE\bER\bRT\bT. The private key must not be
R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL on/true/yes/off/false/no
Enable R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL to enable SASL authentication when connecting
+
+
+
+1.7.5b2 February 1, 2011 8
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
to an LDAP server from a privileged process, such as s\bsu\bud\bdo\bo.
R\bRO\bOO\bOT\bTS\bSA\bAS\bSL\bL_\b_A\bAU\bUT\bTH\bH_\b_I\bID\bD identity
Sudo looks for a line beginning with sudoers: and uses this to
determine the search order. Note that s\bsu\bud\bdo\bo does not stop searching
after the first match and later matches take precedence over earlier
-
-
-
-1.7.5b2 January 10, 2011 8
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
ones.
The following sources are recognized:
_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf; information in the previous section unrelated to the
file format itself still applies.
+
+
+
+1.7.5b2 February 1, 2011 9
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
To consult LDAP first followed by the local sudoers file (if it
exists), use:
sudoers = files
-
-
-1.7.5b2 January 10, 2011 9
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
F\bFI\bIL\bLE\bES\bS
_\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf LDAP configuration file
#
# Must be set or sudo will ignore LDAP; may be specified multiple times.
sudoers_base ou=SUDOers,dc=example,dc=com
+
+
+
+1.7.5b2 February 1, 2011 10
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
#
# verbose sudoers matching from ldap
#sudoers_debug 2
# Define if you want to use port 389 and switch to
# encryption before the bind credentials are sent.
# Only supported by LDAP servers that support the start_tls
-
-
-
-1.7.5b2 January 10, 2011 10
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
# extension such as OpenLDAP.
#ssl start_tls
#
# the LDAP server.
# Tips:
# * Enable both lines at the same time.
+
+
+
+1.7.5b2 February 1, 2011 11
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
# * Do not password protect the key file.
# * Ensure the keyfile is only readable by root.
#
#tls_cert /var/ldap
#tls_key /var/ldap
#
-
-
-
-1.7.5b2 January 10, 2011 11
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
# If using SASL authentication for LDAP (OpenSSL)
# use_sasl yes
# sasl_auth_id <SASL user name>
# krb5_ccname /etc/.ldapcache
S\bSu\bud\bdo\bo s\bsc\bch\bhe\bem\bma\ba f\bfo\bor\br O\bOp\bpe\ben\bnL\bLD\bDA\bAP\bP
- The following schema is in OpenLDAP format. Simply copy it to the
+ The following schema, in OpenLDAP format, is included with s\bsu\bud\bdo\bo source
+ and binary distributions as _\bs_\bc_\bh_\be_\bm_\ba_\b._\bO_\bp_\be_\bn_\bL_\bD_\bA_\bP. Simply copy it to the
schema directory (e.g. _\b/_\be_\bt_\bc_\b/_\bo_\bp_\be_\bn_\bl_\bd_\ba_\bp_\b/_\bs_\bc_\bh_\be_\bm_\ba), add the proper include
line in slapd.conf and restart s\bsl\bla\bap\bpd\bd.
NAME 'sudoCommand'
DESC 'Command(s) to be executed by sudo'
EQUALITY caseExactIA5Match
+
+
+
+1.7.5b2 February 1, 2011 12
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.4
attributetype ( 1.3.6.1.4.1.15953.9.1.7
NAME 'sudoRunAsGroup'
DESC 'Group(s) impersonated by sudo'
-
-
-
-1.7.5b2 January 10, 2011 12
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
sudoOrder $ description )
)
+
+
+1.7.5b2 February 1, 2011 13
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf(4), _\bs_\bu_\bd_\bo_\be_\br_\bs(5)
including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose are disclaimed.
See the LICENSE file distributed with s\bsu\bud\bdo\bo or
-
-
-
-1.7.5b2 January 10, 2011 13
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
http://www.sudo.ws/sudo/license.html for complete details.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-1.7.5b2 January 10, 2011 14
+1.7.5b2 February 1, 2011 14
.\" ========================================================================
.\"
.IX Title "SUDOERS.LDAP @mansectform@"
-.TH SUDOERS.LDAP @mansectform@ "January 10, 2011" "1.7.5b2" "MAINTENANCE COMMANDS"
+.TH SUDOERS.LDAP @mansectform@ "February 1, 2011" "1.7.5b2" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.PP
For the most part, there is really no need for \fBsudo\fR\-specific
Aliases. Unix groups or user netgroups can be used in place of
-User_Aliases and RunasAliases. Host netgroups can be used in place
-of HostAliases. Since Unix groups and netgroups can also be stored
+User_Aliases and Runas_Aliases. Host netgroups can be used in place
+of Host_Aliases. Since Unix groups and netgroups can also be stored
in \s-1LDAP\s0 there is no real need for \fBsudo\fR\-specific aliases.
.PP
Cmnd_Aliases are not really required either since it is possible
-to have multiple users listed in a sudoRole. Instead of defining
+to have multiple users listed in a \f(CW\*(C`sudoRole\*(C'\fR. Instead of defining
a Cmnd_Alias that is referenced by multiple users, one can create
-a sudoRole that contains the commands and assign multiple users
+a \f(CW\*(C`sudoRole\*(C'\fR that contains the commands and assign multiple users
to it.
.SS "SUDOers \s-1LDAP\s0 container"
.IX Subsection "SUDOers LDAP container"
.Ve
.PP
The equivalent of a sudoer in \s-1LDAP\s0 is a \f(CW\*(C`sudoRole\*(C'\fR. It consists of
-the following components:
+the following attributes:
.IP "\fBsudoUser\fR" 4
.IX Item "sudoUser"
A user name, uid (prefixed with \f(CW\*(Aq#\*(Aq\fR), Unix group (prefixed with
with a \f(CW\*(Aq+\*(Aq\fR) that contains a list of users that commands may be
run as.
The special value \f(CW\*(C`ALL\*(C'\fR will match any user.
+.Sp
+The \f(CW\*(C`sudoRunAsUser\*(C'\fR attribute is only available in \fBsudo\fR versions
+1.7.0 and higher. Older versions of \fBsudo\fR use the \f(CW\*(C`sudoRunAs\*(C'\fR
+attribute instead.
.IP "\fBsudoRunAsGroup\fR" 4
.IX Item "sudoRunAsGroup"
A Unix group or gid (prefixed with \f(CW\*(Aq#\*(Aq\fR) that commands may be run as.
The special value \f(CW\*(C`ALL\*(C'\fR will match any group.
+.Sp
+The \f(CW\*(C`sudoRunAsGroup\*(C'\fR attribute is only available in \fBsudo\fR versions
+1.7.0 and higher.
.IP "\fBsudoNotBefore\fR" 4
.IX Item "sudoNotBefore"
-A timestamp in the form \f(CW\*(C`yyyymmddHHMMZ\*(C'\fR that indicates start of validity
-of this \f(CW\*(C`sudoRole\*(C'\fR.
-If multiple \fBsudoNotBefore\fR entries are present, the earliest is used.
+A timestamp in the form \f(CW\*(C`yyyymmddHHMMZ\*(C'\fR that can be used to provide
+a start date/time for when the \f(CW\*(C`sudoRole\*(C'\fR will be valid. If
+multiple \f(CW\*(C`sudoNotBefore\*(C'\fR entries are present, the earliest is used.
+Note that timestamps must be in Coordinated Universal Time (\s-1UTC\s0),
+not the local timezone.
+.Sp
+The \f(CW\*(C`sudoNotBefore\*(C'\fR attribute is only available in \fBsudo\fR versions
+1.7.5 and higher and must be explicitly enabled via the \fB\s-1SUDOERS_TIMED\s0\fR
+option in \fI@ldap_conf@\fR.
.IP "\fBsudoNotAfter\fR" 4
.IX Item "sudoNotAfter"
-A timestamp in the form \f(CW\*(C`yyyymmddHHMMZ\*(C'\fR that indicates end of validity
-of this \f(CW\*(C`sudoRole\*(C'\fR.
-If multiple \fBsudoNotAfter\fR entries are present, the last one is used.
+A timestamp in the form \f(CW\*(C`yyyymmddHHMMZ\*(C'\fR that indicates an expiration
+date/time, after which the \f(CW\*(C`sudoRole\*(C'\fR will no longer be valid. If
+multiple \f(CW\*(C`sudoNotBefore\*(C'\fR entries are present, the last one is used.
+Note that timestamps must be in Coordinated Universal Time (\s-1UTC\s0),
+not the local timezone.
+.Sp
+The \f(CW\*(C`sudoNotAfter\*(C'\fR attribute is only available in \fBsudo\fR versions
+1.7.5 and higher and must be explicitly enabled via the \fB\s-1SUDOERS_TIMED\s0\fR
+option in \fI@ldap_conf@\fR.
.IP "\fBsudoOrder\fR" 4
.IX Item "sudoOrder"
-The sudoRole entries retrieved from the \s-1LDAP\s0 directory have no
-inherent order. The \fBsudoOrder\fR attribute is an integer (or
+The \f(CW\*(C`sudoRole\*(C'\fR entries retrieved from the \s-1LDAP\s0 directory have no
+inherent order. The \f(CW\*(C`sudoOrder\*(C'\fR attribute is an integer (or
floating point value for \s-1LDAP\s0 servers that support it) that is used
to sort the matching entries. This allows LDAP-based sudoers entries
to more closely mimic the behaviour of the sudoers file, where the
of the entries influences the result. If multiple entries match,
-the entry with the highest \fBsudoOrder\fR attribute is chosen. This
+the entry with the highest \f(CW\*(C`sudoOrder\*(C'\fR attribute is chosen. This
corresponds to the \*(L"last match\*(R" behavior of the sudoers file. If
-the \fBsudoOrder\fR attribute is not present, a value of 0 is assumed.
+the \f(CW\*(C`sudoOrder\*(C'\fR attribute is not present, a value of 0 is assumed.
+.Sp
+The \f(CW\*(C`sudoOrder\*(C'\fR attribute is only available in \fBsudo\fR versions
+1.7.5 and higher.
.PP
-Each component listed above should contain a single value, but there
-may be multiple instances of each component type. A sudoRole must
+Each attribute listed above should contain a single value, but there
+may be multiple instances of each attribute type. A \f(CW\*(C`sudoRole\*(C'\fR must
contain at least one \f(CW\*(C`sudoUser\*(C'\fR, \f(CW\*(C`sudoHost\*(C'\fR and \f(CW\*(C`sudoCommand\*(C'\fR.
.PP
The following example allows users in group wheel to run any command
.PP
If timed entries are enabled with the \fB\s-1SUDOERS_TIMED\s0\fR configuration
directive, the \s-1LDAP\s0 queries include a subfilter that limits retrieval
-to entries that satisfy the time constraints, if any are present.
+to entries that satisfy the time constraints, if any.
.SS "Differences between \s-1LDAP\s0 and non-LDAP sudoers"
.IX Subsection "Differences between LDAP and non-LDAP sudoers"
There are some subtle differences in the way sudoers is handled
and Entries are returned in any specific order.
.PP
The order in which different entries are applied can be controlled
-using the \fBsudoOrder\fR attribute, but there is no way to guarantee
+using the \f(CW\*(C`sudoOrder\*(C'\fR attribute, but there is no way to guarantee
the order of attributes within a specific entry. If there are
conflicting command rules in an entry, the negative takes precedence.
This is called paranoid behavior (not necessarily the most specific
values specified in \fI/etc/openldap/ldap.conf\fR or the user's
\&\fI.ldaprc\fR files are not used.
.PP
-Only those options explicitly listed in \fI@ldap_conf@\fR that are
+Only those options explicitly listed in \fI@ldap_conf@\fR as being
supported by \fBsudo\fR are honored. Configuration options are listed
below in upper case but are parsed in a case-independent manner.
.IP "\fB\s-1URI\s0\fR ldap[s]://[hostname[:port]] ..." 4
the next one in the list.
.IP "\fB\s-1NETWORK_TIMEOUT\s0\fR seconds" 4
.IX Item "NETWORK_TIMEOUT seconds"
-An alias for \fB\s-1BIND_TIMELIMIT\s0\fR.
+An alias for \fB\s-1BIND_TIMELIMIT\s0\fR for OpenLDAP compatibility.
.IP "\fB\s-1TIMELIMIT\s0\fR seconds" 4
.IX Item "TIMELIMIT seconds"
The \fB\s-1TIMELIMIT\s0\fR parameter specifies the amount of time, in seconds,
in which case they are queried in the order specified.
.IP "\fB\s-1SUDOERS_TIMED\s0\fR on/true/yes/off/false/no" 4
.IX Item "SUDOERS_TIMED on/true/yes/off/false/no"
-Whether or not to evaluate the \fBsudoNotBefore\fR and \fBsudoNotAfter\fR
+Whether or not to evaluate the \f(CW\*(C`sudoNotBefore\*(C'\fR and \f(CW\*(C`sudoNotAfter\*(C'\fR
attributes that implement time-dependent sudoers entries.
.IP "\fB\s-1SUDOERS_DEBUG\s0\fR debug_level" 4
.IX Item "SUDOERS_DEBUG debug_level"
should be installed locally so it can be verified.
.IP "\fB\s-1TLS_CACERT\s0\fR file name" 4
.IX Item "TLS_CACERT file name"
-An alias for \fB\s-1TLS_CACERTFILE\s0\fR.
+An alias for \fB\s-1TLS_CACERTFILE\s0\fR for OpenLDAP compatibility.
.IP "\fB\s-1TLS_CACERTFILE\s0\fR file name" 4
.IX Item "TLS_CACERTFILE file name"
The path to a certificate authority bundle which contains the certificates
.Ve
.SS "Sudo schema for OpenLDAP"
.IX Subsection "Sudo schema for OpenLDAP"
-The following schema is in OpenLDAP format. Simply copy it to the
-schema directory (e.g. \fI/etc/openldap/schema\fR), add the proper
-\&\f(CW\*(C`include\*(C'\fR line in \f(CW\*(C`slapd.conf\*(C'\fR and restart \fBslapd\fR.
+The following schema, in OpenLDAP format, is included with \fBsudo\fR
+source and binary distributions as \fIschema.OpenLDAP\fR. Simply copy
+it to the schema directory (e.g. \fI/etc/openldap/schema\fR), add the
+proper \f(CW\*(C`include\*(C'\fR line in \f(CW\*(C`slapd.conf\*(C'\fR and restart \fBslapd\fR.
.PP
.Vb 6
\& attributetype ( 1.3.6.1.4.1.15953.9.1.1
For the most part, there is really no need for B<sudo>-specific
Aliases. Unix groups or user netgroups can be used in place of
-User_Aliases and RunasAliases. Host netgroups can be used in place
-of HostAliases. Since Unix groups and netgroups can also be stored
+User_Aliases and Runas_Aliases. Host netgroups can be used in place
+of Host_Aliases. Since Unix groups and netgroups can also be stored
in LDAP there is no real need for B<sudo>-specific aliases.
Cmnd_Aliases are not really required either since it is possible
-to have multiple users listed in a sudoRole. Instead of defining
+to have multiple users listed in a C<sudoRole>. Instead of defining
a Cmnd_Alias that is referenced by multiple users, one can create
-a sudoRole that contains the commands and assign multiple users
+a C<sudoRole> that contains the commands and assign multiple users
to it.
=head2 SUDOers LDAP container
sudoOption: env_keep+=SSH_AUTH_SOCK
The equivalent of a sudoer in LDAP is a C<sudoRole>. It consists of
-the following components:
+the following attributes:
=over 4
run as.
The special value C<ALL> will match any user.
+The C<sudoRunAsUser> attribute is only available in B<sudo> versions
+1.7.0 and higher. Older versions of B<sudo> use the C<sudoRunAs>
+attribute instead.
+
=item B<sudoRunAsGroup>
A Unix group or gid (prefixed with C<'#'>) that commands may be run as.
The special value C<ALL> will match any group.
+The C<sudoRunAsGroup> attribute is only available in B<sudo> versions
+1.7.0 and higher.
+
=item B<sudoNotBefore>
-A timestamp in the form C<yyyymmddHHMMZ> that indicates start of validity
-of this C<sudoRole>.
-If multiple B<sudoNotBefore> entries are present, the earliest is used.
+A timestamp in the form C<yyyymmddHHMMZ> that can be used to provide
+a start date/time for when the C<sudoRole> will be valid. If
+multiple C<sudoNotBefore> entries are present, the earliest is used.
+Note that timestamps must be in Coordinated Universal Time (UTC),
+not the local timezone.
+
+The C<sudoNotBefore> attribute is only available in B<sudo> versions
+1.7.5 and higher and must be explicitly enabled via the B<SUDOERS_TIMED>
+option in F<@ldap_conf@>.
=item B<sudoNotAfter>
-A timestamp in the form C<yyyymmddHHMMZ> that indicates end of validity
-of this C<sudoRole>.
-If multiple B<sudoNotAfter> entries are present, the last one is used.
+A timestamp in the form C<yyyymmddHHMMZ> that indicates an expiration
+date/time, after which the C<sudoRole> will no longer be valid. If
+multiple C<sudoNotBefore> entries are present, the last one is used.
+Note that timestamps must be in Coordinated Universal Time (UTC),
+not the local timezone.
+
+The C<sudoNotAfter> attribute is only available in B<sudo> versions
+1.7.5 and higher and must be explicitly enabled via the B<SUDOERS_TIMED>
+option in F<@ldap_conf@>.
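Review bot: this is the source line to fix for the sudoNotAfter item: "multiple C<sudoNotBefore> entries are present, the last one is used" should read C<sudoNotAfter>; the generated nroff and cat files in this change inherit the error.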
=item B<sudoOrder>
-The sudoRole entries retrieved from the LDAP directory have no
-inherent order. The B<sudoOrder> attribute is an integer (or
+The C<sudoRole> entries retrieved from the LDAP directory have no
+inherent order. The C<sudoOrder> attribute is an integer (or
floating point value for LDAP servers that support it) that is used
to sort the matching entries. This allows LDAP-based sudoers entries
to more closely mimic the behaviour of the sudoers file, where the
of the entries influences the result. If multiple entries match,
-the entry with the highest B<sudoOrder> attribute is chosen. This
+the entry with the highest C<sudoOrder> attribute is chosen. This
corresponds to the "last match" behavior of the sudoers file. If
-the B<sudoOrder> attribute is not present, a value of 0 is assumed.
+the C<sudoOrder> attribute is not present, a value of 0 is assumed.
+
+The C<sudoOrder> attribute is only available in B<sudo> versions
+1.7.5 and higher.
=back
-Each component listed above should contain a single value, but there
-may be multiple instances of each component type. A sudoRole must
+Each attribute listed above should contain a single value, but there
+may be multiple instances of each attribute type. A C<sudoRole> must
contain at least one C<sudoUser>, C<sudoHost> and C<sudoCommand>.
The following example allows users in group wheel to run any command
If timed entries are enabled with the B<SUDOERS_TIMED> configuration
directive, the LDAP queries include a subfilter that limits retrieval
-to entries that satisfy the time constraints, if any are present.
+to entries that satisfy the time constraints, if any.
=head2 Differences between LDAP and non-LDAP sudoers
and Entries are returned in any specific order.
The order in which different entries are applied can be controlled
-using the B<sudoOrder> attribute, but there is no way to guarantee
+using the C<sudoOrder> attribute, but there is no way to guarantee
the order of attributes within a specific entry. If there are
conflicting command rules in an entry, the negative takes precedence.
This is called paranoid behavior (not necessarily the most specific
values specified in F</etc/openldap/ldap.conf> or the user's
F<.ldaprc> files are not used.
-Only those options explicitly listed in F<@ldap_conf@> that are
+Only those options explicitly listed in F<@ldap_conf@> as being
supported by B<sudo> are honored. Configuration options are listed
below in upper case but are parsed in a case-independent manner.
=item B<NETWORK_TIMEOUT> seconds
-An alias for B<BIND_TIMELIMIT>.
+An alias for B<BIND_TIMELIMIT> for OpenLDAP compatibility.
=item B<TIMELIMIT> seconds
=item B<SUDOERS_TIMED> on/true/yes/off/false/no
-Whether or not to evaluate the B<sudoNotBefore> and B<sudoNotAfter>
+Whether or not to evaluate the C<sudoNotBefore> and C<sudoNotAfter>
attributes that implement time-dependent sudoers entries.
=item B<SUDOERS_DEBUG> debug_level
=item B<TLS_CACERT> file name
-An alias for B<TLS_CACERTFILE>.
+An alias for B<TLS_CACERTFILE> for OpenLDAP compatibility.
=item B<TLS_CACERTFILE> file name
=head2 Sudo schema for OpenLDAP
-The following schema is in OpenLDAP format. Simply copy it to the
-schema directory (e.g. F</etc/openldap/schema>), add the proper
-C<include> line in C<slapd.conf> and restart B<slapd>.
+The following schema, in OpenLDAP format, is included with B<sudo>
+source and binary distributions as F<schema.OpenLDAP>. Simply copy
+it to the schema directory (e.g. F</etc/openldap/schema>), add the
+proper C<include> line in C<slapd.conf> and restart B<slapd>.
attributetype ( 1.3.6.1.4.1.15953.9.1.1
NAME 'sudoUser'