-1.8.5 March 15, 2012 SUDO(1m)
+1.8.6 June 29, 2012 SUDO(1m)
.\" ========================================================================
.\"
.IX Title "SUDO @mansectsu@"
-.TH SUDO @mansectsu@ "March 15, 2012" "1.8.5" "MAINTENANCE COMMANDS"
+.TH SUDO @mansectsu@ "June 29, 2012" "1.8.6" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
-1.8.5 April 23, 2012 SUDO_PLUGIN(1m)
+1.8.6 June 29, 2012 SUDO_PLUGIN(1m)
.\" ========================================================================
.\"
.IX Title "SUDO_PLUGIN @mansectsu@"
-.TH SUDO_PLUGIN @mansectsu@ "April 23, 2012" "1.8.5" "MAINTENANCE COMMANDS"
+.TH SUDO_PLUGIN @mansectsu@ "June 29, 2012" "1.8.6" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
below). For instance, the QAS AD plugin supports the following
formats:
- o Group in the same domain: "Group Name"
+ o Group in the same domain: "%:Group Name"
- o Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN"
+ o Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"
- o Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"
+ o Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
Note that quotes around group names are optional. Unquoted strings
must use a backslash (\) to escape spaces and special characters. See
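Review bot: the three examples now carry a leading `%:`, but the sentence introducing them ("the QAS AD plugin supports the following formats") does not say what that prefix is, so a reader may take it as part of the plugin's own syntax. `%:` is the sudoers marker for a non-Unix group, which is what causes sudoers to hand the remainder of the name to the group plugin; consider adding a sentence such as "The leading %: is the sudoers non-Unix group prefix; the text after it is passed to the plugin." next to the examples.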
-1.8.5 March 28, 2012 SUDOERS(4)
+1.8.6 June 29, 2012 SUDOERS(4)
Typically, this file is shared amongst different LDAP-aware clients.
As such, most of the settings are not s\bsu\bud\bdo\bo-specific. Note that s\bsu\bud\bdo\bo
parses _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf itself and may support options that differ from
- those described in the _\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf(4) manual.
+ those described in the system's _\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf(4) manual.
Also note that on systems using the OpenLDAP libraries, default values
specified in _\b/_\be_\bt_\bc_\b/_\bo_\bp_\be_\bn_\bl_\bd_\ba_\bp_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf or the user's _\b._\bl_\bd_\ba_\bp_\br_\bc files are
s\bsu\bud\bdo\bo will connect to l\blo\boc\bca\bal\blh\bho\bos\bst\bt. Multiple U\bUR\bRI\bI lines are treated
identically to a U\bUR\bRI\bI line containing multiple entries. Only
systems using the OpenSSL libraries support the mixing of ldap://
- and ldaps:// URIs. The Netscape-derived libraries used on most
- commercial versions of Unix are only capable of supporting one or
- the other.
+ and ldaps:// URIs. Both the Netscape-derived and Tivoli LDAP
+ libraries used on most commercial versions of Unix are only capable
+ of supporting one or the other.
H\bHO\bOS\bST\bT name[:port] ...
If no U\bUR\bRI\bI is specified, the H\bHO\bOS\bST\bT parameter specifies a whitespace-
the check creates an opportunity for man-in-the-middle attacks
since the server's identity will not be authenticated. If
possible, the CA's certificate should be installed locally so it
- can be verified.
+ can be verified. This option is not supported by the Tivoli
+ Directory Server LDAP libraries.
T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bT file name
An alias for T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE for OpenLDAP compatibility.
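Review bot: the added sentence says TLS_CHECKPEER is not supported by the Tivoli Directory Server libraries, but not what those libraries do instead. Given the warning immediately above that skipping the check "creates an opportunity for man-in-the-middle attacks", the entry should state whether the Tivoli library always verifies the server certificate against its key database or never does, so that an administrator on such a system can tell whether the warning applies to them.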
Netscape-derived:
tls_cert /var/ldap/cert7.db
+ Tivoli Directory Server:
+ Unused, the key database specified by T\bTL\bLS\bS_\b_K\bKE\bEY\bY contains both
+ keys and certificates.
+
When using Netscape-derived libraries, this file may also contain
Certificate Authority certificates.
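Review bot: "Unused, the key database specified by TLS_KEY contains both keys and certificates." is a comma splice; suggest "Unused; the key database specified by TLS_KEY contains both keys and certificates." Unlike the Netscape-derived entry above it, the Tivoli entry has no example line, which is reasonable since the directive is ignored, but the prose then sits where an example would be, so making it a full sentence helps it read as an explanation rather than a setting.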
Netscape-derived:
tls_key /var/ldap/key3.db
+ Tivoli Directory Server:
+ tls_cert /usr/ldap/ldapkey.kdb
+
+ When using Tivoli LDAP libraries, this file may also contain
+ Certificate Authority and client certificates and may be encrypted.
+
+ T\bTL\bLS\bS_\b_K\bKE\bEY\bYP\bPW\bW secret
+ The T\bTL\bLS\bS_\b_K\bKE\bEY\bYP\bPW\bW contains the password used to decrypt the key
+ database on clients using the Tivoli Directory Server LDAP library.
+ If no T\bTL\bLS\bS_\b_K\bKE\bEY\bYP\bPW\bW is specified, a _\bs_\bt_\ba_\bs_\bh _\bf_\bi_\bl_\be will be used if it
+ exists. The _\bs_\bt_\ba_\bs_\bh _\bf_\bi_\bl_\be must have the same path as the file
+ specified by T\bTL\bLS\bS_\b_K\bKE\bEY\bY, but use a .sth file extension instead of
+ .kdb, e.g. ldapkey.sth. The default ldapkey.kdb that ships with
+ Tivoli Directory Server is encrypted with the password
+ ssl_password. This option is only supported by the Tivoli LDAP
+ libraries.
+
T\bTL\bLS\bS_\b_R\bRA\bAN\bND\bDF\bFI\bIL\bLE\bE file name
The T\bTL\bLS\bS_\b_R\bRA\bAN\bND\bDF\bFI\bIL\bLE\bE parameter specifies the path to an entropy source
for systems that lack a random device. It is generally used in
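Review bot: the Tivoli example under TLS_KEY reads `tls_cert /usr/ldap/ldapkey.kdb`, but this item documents TLS_KEY and the Netscape-derived example beside it uses `tls_key`. The TLS_CERT entry earlier in this diff also says the Tivoli key database is "specified by TLS_KEY", so the line should be `tls_key /usr/ldap/ldapkey.kdb`; as written, an administrator who copies it would set TLS_CERT, which the text says is unused with Tivoli, and leave TLS_KEY unset.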
T\bTL\bLS\bS_\b_C\bCI\bIP\bPH\bHE\bER\bRS\bS cipher list
The T\bTL\bLS\bS_\b_C\bCI\bIP\bPH\bHE\bER\bRS\bS parameter allows the administer to restrict which
encryption algorithms may be used for TLS (SSL) connections. See
- the OpenSSL manual for a list of valid ciphers. This option is
- only supported by the OpenLDAP libraries.
+ the OpenLDAP or Tivoli Directory Server manual for a list of valid
+ ciphers. This option is not supported by Netscape-derived
+ libraries.
U\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL on/true/yes/off/false/no
Enable U\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL for LDAP servers that support SASL authentication.
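Review bot: the rewritten sentence drops the OpenSSL reference entirely in favour of "the OpenLDAP or Tivoli Directory Server manual". For OpenLDAP builds the cipher list syntax is that of the TLS library OpenLDAP is linked against, which on most systems is OpenSSL, so the OpenLDAP manual alone will not show the reader how to write the list; consider "See the OpenSSL ciphers manual (for OpenLDAP) or the Tivoli Directory Server manual for a list of valid ciphers."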
-1.8.5 March 14, 2012 SUDOERS.LDAP(4)
+1.8.6 June 29, 2012 SUDOERS.LDAP(4)
-.\" Copyright (c) 2003-2011
+.\" Copyright (c) 2003-2012
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" ========================================================================
.\"
.IX Title "SUDOERS.LDAP @mansectform@"
-.TH SUDOERS.LDAP @mansectform@ "March 14, 2012" "1.8.5" "MAINTENANCE COMMANDS"
+.TH SUDOERS.LDAP @mansectform@ "June 29, 2012" "1.8.6" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
Sudo reads the \fI@ldap_conf@\fR file for LDAP-specific configuration.
Typically, this file is shared amongst different LDAP-aware clients.
As such, most of the settings are not \fBsudo\fR\-specific. Note that
-\&\fBsudo\fR parses \fI@ldap_conf@\fR itself and may support options
-that differ from those described in the \fIldap.conf\fR\|(@mansectform@) manual.
+\&\fBsudo\fR parses \fI@ldap_conf@\fR itself and may support options that
+differ from those described in the system's \fIldap.conf\fR\|(@mansectform@) manual.
.PP
Also note that on systems using the OpenLDAP libraries, default
values specified in \fI/etc/openldap/ldap.conf\fR or the user's
is specified, \fBsudo\fR will connect to \fBlocalhost\fR. Multiple \fB\s-1URI\s0\fR
lines are treated identically to a \fB\s-1URI\s0\fR line containing multiple
entries. Only systems using the OpenSSL libraries support the
-mixing of \f(CW\*(C`ldap://\*(C'\fR and \f(CW\*(C`ldaps://\*(C'\fR URIs. The Netscape-derived
-libraries used on most commercial versions of Unix are only capable
-of supporting one or the other.
+mixing of \f(CW\*(C`ldap://\*(C'\fR and \f(CW\*(C`ldaps://\*(C'\fR URIs. Both the Netscape-derived
+and Tivoli \s-1LDAP\s0 libraries used on most commercial versions of Unix
+are only capable of supporting one or the other.
.IP "\fB\s-1HOST\s0\fR name[:port] ..." 4
.IX Item "HOST name[:port] ..."
If no \fB\s-1URI\s0\fR is specified, the \fB\s-1HOST\s0\fR parameter specifies a
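Review bot: the unchanged sentence "Only systems using the OpenSSL libraries support the mixing of ldap:// and ldaps:// URIs" is now contrasted with "the Netscape-derived and Tivoli LDAP libraries", i.e. LDAP client libraries, and elsewhere in this diff the third family is consistently called "the OpenLDAP libraries" (for example under TLS_RANDFILE). Since this paragraph is being rewrapped anyway, "OpenSSL" here looks like it should read "OpenLDAP"; if OpenSSL is really meant, the sentence should say why the TLS library rather than the LDAP library decides this.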
is disabled, no check is made. Note that disabling the check creates
an opportunity for man-in-the-middle attacks since the server's
identity will not be authenticated. If possible, the \s-1CA\s0's certificate
-should be installed locally so it can be verified.
+should be installed locally so it can be verified. This option is
+not supported by the Tivoli Directory Server \s-1LDAP\s0 libraries.
.IP "\fB\s-1TLS_CACERT\s0\fR file name" 4
.IX Item "TLS_CACERT file name"
An alias for \fB\s-1TLS_CACERTFILE\s0\fR for OpenLDAP compatibility.
Netscape-derived:
\f(CW\*(C`tls_cert /var/ldap/cert7.db\*(C'\fR
.Sp
+Tivoli Directory Server:
+ Unused, the key database specified by \fB\s-1TLS_KEY\s0\fR contains both
+ keys and certificates.
+.Sp
When using Netscape-derived libraries, this file may also contain
Certificate Authority certificates.
.IP "\fB\s-1TLS_KEY\s0\fR file name" 4
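Review bot: the two added lines under "Tivoli Directory Server:" begin with a space (`+ Unused, the key database specified by \fB\s-1TLS_KEY\s0\fR contains both`). In troff a line that starts with whitespace forces a break and keeps the indent, which is what the surrounding `\f(CW...\fR` example lines rely on but is wrong for running prose: the sentence will render indented like a configuration line. Drop the leading spaces, and while here change "Unused, the key database" to "Unused; the key database" to fix the comma splice.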
.Sp
Netscape-derived:
\f(CW\*(C`tls_key /var/ldap/key3.db\*(C'\fR
+.Sp
+Tivoli Directory Server:
+ \f(CW\*(C`tls_cert /usr/ldap/ldapkey.kdb\*(C'\fR
+.Sp
+When using Tivoli \s-1LDAP\s0 libraries, this file may also contain
+Certificate Authority and client certificates and may be encrypted.
+.IP "\fB\s-1TLS_KEYPW\s0\fR secret" 4
+.IX Item "TLS_KEYPW secret"
+The \fB\s-1TLS_KEYPW\s0\fR contains the password used to decrypt the key
+database on clients using the Tivoli Directory Server \s-1LDAP\s0 library.
+If no \fB\s-1TLS_KEYPW\s0\fR is specified, a \fIstash file\fR will be used if
+it exists. The \fIstash file\fR must have the same path as the file
+specified by \fB\s-1TLS_KEY\s0\fR, but use a \f(CW\*(C`.sth\*(C'\fR file extension instead
+of \f(CW\*(C`.kdb\*(C'\fR, e.g. \f(CW\*(C`ldapkey.sth\*(C'\fR. The default \f(CW\*(C`ldapkey.kdb\*(C'\fR that
+ships with Tivoli Directory Server is encrypted with the password
+\&\f(CW\*(C`ssl_password\*(C'\fR. This option is only supported by the Tivoli \s-1LDAP\s0
+libraries.
.IP "\fB\s-1TLS_RANDFILE\s0\fR file name" 4
.IX Item "TLS_RANDFILE file name"
The \fB\s-1TLS_RANDFILE\s0\fR parameter specifies the path to an entropy
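Review bot: TLS_KEYPW puts the key database password into ldap.conf in clear text, and the stash file fallback described here means anyone who can read the `.sth` file can open the key database just as well; the entry should say that both ldap.conf (when it contains TLS_KEYPW) and the stash file need restrictive permissions, and that the documented default password `ssl_password` for the shipped `ldapkey.kdb` should be changed rather than relied on. Separately, the Tivoli example line under TLS_KEY in this hunk reads `\f(CW\*(C`tls_cert /usr/ldap/ldapkey.kdb\*(C'\fR` where `tls_key` is meant, matching the Netscape-derived `tls_key /var/ldap/key3.db` example above it.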
This option is only supported by the OpenLDAP libraries.
.IP "\fB\s-1TLS_CIPHERS\s0\fR cipher list" 4
.IX Item "TLS_CIPHERS cipher list"
-The \fB\s-1TLS_CIPHERS\s0\fR parameter allows the administer to restrict
-which encryption algorithms may be used for \s-1TLS\s0 (\s-1SSL\s0) connections.
-See the OpenSSL manual for a list of valid ciphers.
-This option is only supported by the OpenLDAP libraries.
+The \fB\s-1TLS_CIPHERS\s0\fR parameter allows the administer to restrict which
+encryption algorithms may be used for \s-1TLS\s0 (\s-1SSL\s0) connections. See
+the OpenLDAP or Tivoli Directory Server manual for a list of valid
+ciphers. This option is not supported by Netscape-derived libraries.
.IP "\fB\s-1USE_SASL\s0\fR on/true/yes/off/false/no" 4
.IX Item "USE_SASL on/true/yes/off/false/no"
Enable \fB\s-1USE_SASL\s0\fR for \s-1LDAP\s0 servers that support \s-1SASL\s0 authentication.
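Review bot: "allows the administer to restrict" is carried over from the removed lines into the rewrapped ones; it should be "administrator". Since the sentence is being rewritten in this hunk anyway, fix the typo here rather than leaving it for another pass.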
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "March 28, 2012" "1.8.5" "MAINTENANCE COMMANDS"
+.TH SUDOERS @mansectform@ "June 29, 2012" "1.8.6" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
description below). For instance, the \s-1QAS\s0 \s-1AD\s0 plugin supports the
following formats:
.IP "\(bu" 4
-Group in the same domain: \*(L"Group Name\*(R"
+Group in the same domain: \*(L"%:Group Name\*(R"
.IP "\(bu" 4
-Group in any domain: \*(L"Group Name@FULLY.QUALIFIED.DOMAIN\*(R"
+Group in any domain: \*(L"%:Group Name@FULLY.QUALIFIED.DOMAIN\*(R"
.IP "\(bu" 4
-Group \s-1SID:\s0 \*(L"S\-1\-2\-34\-5678901234\-5678901234\-5678901234\-567\*(R"
+Group \s-1SID:\s0 \*(L"%:S\-1\-2\-34\-5678901234\-5678901234\-5678901234\-567\*(R"
.PP
Note that quotes around group names are optional. Unquoted strings
must use a backslash (\e) to escape spaces and special characters.
-1.8.5 April 16, 2012 SUDOREPLAY(1m)
+1.8.6 June 29, 2012 SUDOREPLAY(1m)
.\" ========================================================================
.\"
.IX Title "SUDOREPLAY @mansectsu@"
-.TH SUDOREPLAY @mansectsu@ "April 16, 2012" "1.8.5" "MAINTENANCE COMMANDS"
+.TH SUDOREPLAY @mansectsu@ "June 29, 2012" "1.8.6" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
-1.8.5 March 14, 2012 VISUDO(1m)
+1.8.6 June 29, 2012 VISUDO(1m)
.\" ========================================================================
.\"
.IX Title "VISUDO @mansectsu@"
-.TH VISUDO @mansectsu@ "March 14, 2012" "1.8.5" "MAINTENANCE COMMANDS"
+.TH VISUDO @mansectsu@ "June 29, 2012" "1.8.6" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l