Document non-Unix group support in LDAP sudoers.

diff --git a/doc/sudoers.cat b/doc/sudoers.cat
index 12be154ce66c5f095ff341fbdc347fc41b8400b1..1ecc8a66b428a29e5b524763bff742821ca036c6 100644 (file)
--- a/doc/sudoers.cat
+++ b/doc/sudoers.cat
@@ -186,8 +186,8 @@ S\bSU\bUD\bDO\bOE\bER\bRS\bS F\bFI\bIL\bLE\bE F\bFO\bOR\bRM\bMA\bAT\bT
               '!'* %:#nonunix_gid |
               '!'* User_Alias
 
-     A User_List is made up of one or more user names, user ids (prefixed with
-     `#'), system group names and ids (prefixed with `%' and `%#'
+     A User_List is made up of one or more user names, user IDs (prefixed with
+     `#'), system group names and IDs (prefixed with `%' and `%#'
      respectively), netgroups (prefixed with `+'), non-Unix group names and
      IDs (prefixed with `%:' and `%:#' respectively) and User_Aliases. Each
      list item may be prefixed with zero or more `!' operators.  An odd number
@@ -2078,4 +2078,4 @@ D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
      file distributed with s\bsu\bud\bdo\bo or http://www.sudo.ws/sudo/license.html for
      complete details.
 
-Sudo 1.8.6                       July 16, 2012                      Sudo 1.8.6
+Sudo 1.8.6                    September 15, 2012                    Sudo 1.8.6

diff --git a/doc/sudoers.ldap.cat b/doc/sudoers.ldap.cat
index 8d640a83f5d5e9f3ca1fb3b4c97165d7e22f696a..afdce4268f99ad97c44feec31527c65561c33b7a 100644 (file)
--- a/doc/sudoers.ldap.cat
+++ b/doc/sudoers.ldap.cat
@@ -37,10 +37,10 @@ D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
      LDAP, s\bsu\bud\bdo\bo-specific Aliases are not supported.
 
      For the most part, there is really no need for s\bsu\bud\bdo\bo-specific Aliases.
-     Unix groups or user netgroups can be used in place of User_Aliases and
-     Runas_Aliases.  Host netgroups can be used in place of Host_Aliases.
-     Since Unix groups and netgroups can also be stored in LDAP there is no
-     real need for s\bsu\bud\bdo\bo-specific aliases.
+     Unix groups, non-Unix groups (via the _\bg_\br_\bo_\bu_\bp_\b__\bp_\bl_\bu_\bg_\bi_\bn) or user netgroups can
+     be used in place of User_Aliases and Runas_Aliases.  Host netgroups can
+     be used in place of Host_Aliases.  Since groups and netgroups can also be
+     stored in LDAP there is no real need for s\bsu\bud\bdo\bo-specific aliases.
 
      Cmnd_Aliases are not really required either since it is possible to have
      multiple users listed in a sudoRole.  Instead of defining a Cmnd_Alias
@@ -67,9 +67,12 @@ D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
      following attributes:
 
      s\bsu\bud\bdo\boU\bUs\bse\ber\br
-           A user name, user ID (prefixed with `#'), Unix group (prefixed with
-           `%'), Unix group ID (prefixed with `%#'), or user netgroup
-           (prefixed with `+').
+           A user name, user ID (prefixed with `#'), Unix group name or ID
+           (prefixed with `%' or `%#' respectively), user netgroup (prefixed
+           with `+'), or non-Unix group name or ID (prefixed with `%:' or
+           `%:#' respectively).  Non-Unix group support is only available when
+           an appropriate _\bg_\br_\bo_\bu_\bp_\b__\bp_\bl_\bu_\bg_\bi_\bn is defined in the global _\bd_\be_\bf_\ba_\bu_\bl_\bt_\bs
+           sudoRole object.
 
      s\bsu\bud\bdo\boH\bHo\bos\bst\bt
            A host name, IP address, IP network, or host netgroup (prefixed

diff --git a/doc/sudoers.ldap.man.in b/doc/sudoers.ldap.man.in
index 22f3c518aa6a2e53fbc86bea152690aa8d11a994..b7e6e4548aa790b460cf22c80db855af0a82473d 100644 (file)
--- a/doc/sudoers.ldap.man.in
+++ b/doc/sudoers.ldap.man.in
@@ -86,11 +86,11 @@ Aliases are not supported.
 For the most part, there is really no need for
 \fBsudo\fR-specific
 Aliases.
-Unix groups or user netgroups can be used in place of User_Aliases and
-Runas_Aliases.
+Unix groups, non-Unix groups (via the
+\fIgroup_plugin\fR)
+or user netgroups can be used in place of User_Aliases and Runas_Aliases.
 Host netgroups can be used in place of Host_Aliases.
-Since Unix groups and netgroups can also be stored in LDAP there is no
-real need for
+Since groups and netgroups can also be stored in LDAP there is no real need for
 \fBsudo\fR-specific
 aliases.
 .PP
@@ -139,12 +139,23 @@ It consists of the following attributes:
 \fBsudoUser\fR
 A user name, user ID (prefixed with
 `#'),
-Unix group (prefixed with
-`%'),
-Unix group ID (prefixed with
-`%#'),
-or user netgroup (prefixed with
-`+').
+Unix group name or ID (prefixed with
+`%'
+or
+`%#'
+respectively), user netgroup (prefixed with
+`+'),
+or non-Unix group name or ID (prefixed with
+`%:'
+or
+`%:#'
+respectively).
+Non-Unix group support is only available when an appropriate
+\fIgroup_plugin\fR
+is defined in the global
+\fIdefaults\fR
+\fRsudoRole\fR
+object.
 .TP 6n
 \fBsudoHost\fR
 A host name, IP address, IP network, or host netgroup (prefixed with a

diff --git a/doc/sudoers.ldap.mdoc.in b/doc/sudoers.ldap.mdoc.in
index 68d7dcd2ffb45051f8fe61d7302b7fd2e4e466fa..bce81f868c4ae68d7ae98faa2855077273df41bb 100644 (file)
--- a/doc/sudoers.ldap.mdoc.in
+++ b/doc/sudoers.ldap.mdoc.in
@@ -82,11 +82,11 @@ Aliases are not supported.
 For the most part, there is really no need for
 .Nm sudo Ns No -specific
 Aliases.
-Unix groups or user netgroups can be used in place of User_Aliases and
-Runas_Aliases.
+Unix groups, non-Unix groups (via the
+.Em group_plugin )
+or user netgroups can be used in place of User_Aliases and Runas_Aliases.
 Host netgroups can be used in place of Host_Aliases.
-Since Unix groups and netgroups can also be stored in LDAP there is no
-real need for
+Since groups and netgroups can also be stored in LDAP there is no real need for
 .Nm sudo Ns No -specific
 aliases.
 .Pp
@@ -132,12 +132,23 @@ It consists of the following attributes:
 .It Sy sudoUser
 A user name, user ID (prefixed with
 .Ql # ) ,
-Unix group (prefixed with
-.Ql % ) ,
-Unix group ID (prefixed with
-.Ql %# ) ,
-or user netgroup (prefixed with
-.Ql + ) .
+Unix group name or ID (prefixed with
+.Ql %
+or
+.Ql %#
+respectively), user netgroup (prefixed with
+.Ql + ) ,
+or non-Unix group name or ID (prefixed with
+.Ql %:
+or
+.Ql %:#
+respectively).
+Non-Unix group support is only available when an appropriate
+.Em group_plugin
+is defined in the global
+.Em defaults
+.Li sudoRole
+object.
 .It Sy sudoHost
 A host name, IP address, IP network, or host netgroup (prefixed with a
 .Ql + ) .

diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in
index 065f52e3f1187a811fc3b078e56726ab031df91e..703ad2d834aaea9040dd0f435a279ce8b0740e5b 100644 (file)
--- a/doc/sudoers.man.in
+++ b/doc/sudoers.man.in
@@ -21,7 +21,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.TH "SUDOERS" "@mansectsu@" "July 16, 2012" "Sudo @PACKAGE_VERSION@" "Programmer's Manual"
+.TH "SUDOERS" "@mansectsu@" "September 15, 2012" "Sudo @PACKAGE_VERSION@" "Programmer's Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -451,10 +451,10 @@ User ::= '!'* user name |
 .PP
 A
 \fRUser_List\fR
-is made up of one or more user names, user ids
+is made up of one or more user names, user IDs
 (prefixed with
 `#'),
-system group names and ids (prefixed with
+system group names and IDs (prefixed with
 `%'
 and
 `%#'

diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in
index fe65e763d140a198e95d91d450d372e53ea972d9..cf0d1da6f8c7200f61a6a4310cbe4bd242e3ac18 100644 (file)
--- a/doc/sudoers.mdoc.in
+++ b/doc/sudoers.mdoc.in
@@ -19,7 +19,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.Dd July 16, 2012
+.Dd September 15, 2012
 .Dt SUDOERS @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -437,10 +437,10 @@ User ::= '!'* user name |
 .Pp
 A
 .Li User_List
-is made up of one or more user names, user ids
+is made up of one or more user names, user IDs
 (prefixed with
 .Ql # ) ,
-system group names and ids (prefixed with
+system group names and IDs (prefixed with
 .Ql %
 and
 .Ql %#