by s\bsu\bud\bdo\bo are honored. Configuration options are listed below in upper
case but are parsed in a case-independent manner.
+ The pound sign (`#') is used to indicate a comment. Both the comment
+ character and any text after it, up to the end of the line, are ignored.
Long lines can be continued with a backslash (`\') as the last character
on the line. Note that leading white space is removed from the beginning
of lines even when the continuation character is used.
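Review bot: The new comment sentence does not say where on a line the pound sign is recognized: only as the first non-blank character, or anywhere on the line, including after a value. The TLS_KEYPW paragraph in this same change forbids `#` inside the password, which only makes sense if a `#` anywhere starts a comment, so say that explicitly here, e.g. "A pound sign anywhere on a line starts a comment; it and the rest of the line are ignored." That also settles whether a trailing comment after an option value is legal.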
T\bTL\bLS\bS_\b_K\bKE\bEY\bYP\bPW\bW _\bs_\be_\bc_\br_\be_\bt
The T\bTL\bLS\bS_\b_K\bKE\bEY\bYP\bPW\bW contains the password used to decrypt the key
database on clients using the Tivoli Directory Server LDAP library.
+ This should be a simple string without quotes. The password may
+ not include the comment character (`#') and escaping of special
+ characters with a backslash (`\') is not supported. If this option
+ is used, _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf must not be world-readable to avoid
+ exposing the password. Alternately, a _\bs_\bt_\ba_\bs_\bh _\bf_\bi_\bl_\be can be used to
+ store the password in encrypted form (see below).
+
If no T\bTL\bLS\bS_\b_K\bKE\bEY\bYP\bPW\bW is specified, a _\bs_\bt_\ba_\bs_\bh _\bf_\bi_\bl_\be will be used if it
exists. The _\bs_\bt_\ba_\bs_\bh _\bf_\bi_\bl_\be must have the same path as the file
specified by T\bTL\bLS\bS_\b_K\bKE\bEY\bY, but use a .sth file extension instead of
.kdb, e.g. ldapkey.sth. The default ldapkey.kdb that ships with
Tivoli Directory Server is encrypted with the password
- ssl_password. This option is only supported by the Tivoli LDAP
- libraries.
+ ssl_password. The _\bg_\bs_\bk_\b8_\bc_\ba_\bp_\bi_\bc_\bm_\bd utility can be used to manage the
+ key database and create a _\bs_\bt_\ba_\bs_\bh _\bf_\bi_\bl_\be. This option is only
+ supported by the Tivoli LDAP libraries.
T\bTL\bLS\bS_\b_R\bRA\bAN\bND\bDF\bFI\bIL\bLE\bE _\bf_\bi_\bl_\be _\bn_\ba_\bm_\be
The T\bTL\bLS\bS_\b_R\bRA\bAN\bND\bDF\bFI\bIL\bLE\bE parameter specifies the path to an entropy source
file distributed with s\bsu\bud\bdo\bo or http://www.sudo.ws/sudo/license.html for
complete details.
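Review bot: The list of characters the password may not contain is incomplete given the continuation rule a few lines up: a backslash as the last character on a line continues the line, so a password ending in `\` would be joined with the next line rather than being rejected. Add "and may not end with a backslash" next to the `#` restriction, and state whether trailing white space before the end of the line is part of the password, since the text only says leading white space is removed. Separately, "(see below)" presents the stash file as the safer alternative, but a stash file is read back by the library without any user-supplied secret, so whoever can read ldapkey.sth can recover the password; the permission requirement stated here for /etc/ldap.conf should be stated for the stash file as well.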
-Sudo 1.8.8 August 19, 2013 Sudo 1.8.8
+Sudo 1.8.8 August 30, 2013 Sudo 1.8.8
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.TH "SUDOERS.LDAP" "8" "August 19, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD System Manager's Manual"
+.TH "SUDOERS.LDAP" "8" "August 30, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD System Manager's Manual"
.nh
.if n .ad l
.SH "NAME"
Configuration options are listed below in upper case but are parsed
in a case-independent manner.
.PP
+The pound sign
+(`#')
+is used to indicate a comment.
+Both the comment character and any text after it, up to the end of
+the line, are ignored.
Long lines can be continued with a backslash
(`\e')
as the last character on the line.
\fBTLS_KEYPW\fR
contains the password used to decrypt the key database on clients
using the Tivoli Directory Server LDAP library.
+This should be a simple string without quotes.
+The password may not include the comment character
+(`#')
+and escaping of special characters with a backslash
+(`\e')
+is not supported.
+If this option is used,
+\fI@ldap_conf@\fR
+must not be world-readable to avoid exposing the password.
+Alternately, a
+\fIstash file\fR
+can be used to store the password in encrypted form (see below).
+.sp
If no
\fBTLS_KEYPW\fR
is specified, a
\fRldapkey.kdb\fR
that ships with Tivoli Directory Server is encrypted with the password
\fRssl_password\fR.
+The
+\fIgsk8capicmd\fR
+utility can be used to manage the key database and create a
+\fIstash file\fR.
This option is only supported by the Tivoli LDAP libraries.
.PD
.TP 6n
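Review bot: The paragraph documents that the shipped ldapkey.kdb is protected by the public default password ssl_password but never tells the reader to change it; since the new sentence already points at gsk8capicmd for managing the key database, add that the default password should be replaced (and a fresh stash file generated) before the database is used with sudo, otherwise locking down TLS_KEYPW protects nothing. Also, "must not be world-readable" leaves the intended owner and mode open; state them explicitly, and note that when @ldap_conf@ is the system-wide ldap.conf shared with other LDAP clients that run as unprivileged users, tightening it will break those clients and the stash file becomes the only workable option.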
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd August 19, 2013
+.Dd August 30, 2013
.Dt SUDOERS.LDAP @mansectsu@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
Configuration options are listed below in upper case but are parsed
in a case-independent manner.
.Pp
+The pound sign
+.Pq Ql #
+is used to indicate a comment.
+Both the comment character and any text after it, up to the end of
+the line, are ignored.
Long lines can be continued with a backslash
.Pq Ql \e
as the last character on the line.
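Review bot: The order of comment removal and line continuation is left undefined by these two adjacent sentences: it is not stated whether a backslash at the end of a comment line continues the comment onto the next line (so that line is swallowed too) or whether the comment is stripped first and the backslash never seen. Pick the behaviour the parser actually has and state it, e.g. "A comment does not continue onto the next line even if it ends with a backslash."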
.Sy TLS_KEYPW
contains the password used to decrypt the key database on clients
using the Tivoli Directory Server LDAP library.
+This should be a simple string without quotes.
+The password may not include the comment character
+.Pq Ql #
+and escaping of special characters with a backslash
+.Pq Ql \e
+is not supported.
+If this option is used,
+.Pa @ldap_conf@
+must not be world-readable to avoid exposing the password.
+Alternately, a
+.Em stash file
+can be used to store the password in encrypted form (see below).
+.Pp
If no
.Sy TLS_KEYPW
is specified, a
.Li ldapkey.kdb
that ships with Tivoli Directory Server is encrypted with the password
.Li ssl_password .
+The
+.Em gsk8capicmd
+utility can be used to manage the key database and create a
+.Em stash file .
This option is only supported by the Tivoli LDAP libraries.
.It Sy TLS_RANDFILE Ar file name
The
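Review bot: "This option is only supported by the Tivoli LDAP libraries" does not say what happens to TLS_KEYPW when sudo is built against a different LDAP library: silently ignored, or a parse error. Because the new text tells the administrator to lock down the file specifically on account of this password, an administrator on another library could set the option, get no complaint, and assume it is in effect; state the behaviour in the same sentence, e.g. "and is ignored by other libraries" or "and is an error with other libraries", whichever the parser does.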