If you want to specify lots of commands, use directories or wildcards, or
just paste them all into LDAP. That's what it's for.
- * The /etc/sudoers file can be disabled. Paranoid security administrators
- can now disallow parsing of any local /etc/sudoers file by an LDAP
- sudoOption 'ignore_local_sudoers'. This way all sudoers can be controlled
- and audited in one place because local entries are not allowed.
- In fact, if this option is included in the cn=defaults object of LDAP,
- sudo won't even look for a /etc/sudoers file.
+ * nsswitch.conf support. Sudo now reads /etc/nsswitch.conf and looks
+ for a line begining with "sudoers:" and uses this to determine the
+ search order for sudoers. To consult LDAP first, falling back on
+ a local sudoers file, use:
+ sudoers: ldap files
+
+ The local sudoers file can be ignored completely by using:
+ sudoers: ldap
* The sudo binary compiled with LDAP support should be totally backward
compatible and be syntactically and source code equivalent to its non
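Review bot: the replacement text for the removed ignore_local_sudoers paragraph never says what happens when /etc/nsswitch.conf has no "sudoers:" line at all, and the old text it replaces told administrators to put ignore_local_sudoers in cn=defaults; say which order sudo falls back to when the line is absent, and state plainly that the LDAP sudoOption is no longer the way to exclude the local file, otherwise sites that relied on it will keep the option in LDAP and get a local /etc/sudoers parsed again after upgrading. Also fix "begining" to "beginning" in the nsswitch.conf sentence.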
Starting with sudo 1.7.0 comments in the sudoers file must not
have a digit or minus sign immediately after the comment character
- ('#'). Otherwise, the comment may be interpreted as a user ID.
+ ('#'). Otherwise, the comment may be interpreted as a user or
+ group ID.
+
+ When sudo is build with LDAP support the /etc/nsswitch.conf file is
+ now used to determine the sudoers seach order. sudo will default to
+ only using /etc/sudoers unless /etc/nsswitch.conf says otherwise.
+ This can be changed with an nsswitch.conf line, e.g.:
+ sudoers: ldap files
+ Would case LDAP to be searched first, then the sudoers file.
+ To restore the pre-1.7 behavior, run configure with the
+ --with-nsswitch=no flag.
+
+ Sudo now ignores user .ldaprc files as well as system LDAP defaults.
+ All LDAP configuration is now in /etc/ldap.conf (or whichever file
+ was specified by configure's --with-ldap-conf-file option).
+ If you are using TLS, you may now need to specify:
+ tls_checkpeer no
+ in sudo's ldap.conf unless ldap.conf references a valid certificate
+ authority file(s).
o Upgrading from a version prior to 1.6.9:
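Review bot: the TLS paragraph gives "tls_checkpeer no" as the first thing to add, which turns off server certificate verification and leaves the LDAP connection (and therefore the sudoers rules it fetches) open to a spoofed directory server; reorder it so the recommended fix is making ldap.conf reference the valid certificate authority file(s) the text already mentions, with disabling peer checking presented only as the fallback for sites that accept an unverified server. Typos in the same region: "build" should be "built", "seach" should be "search", and "Would case LDAP to be searched first" should read "would cause LDAP to be searched first" so it continues the sentence begun before the example line.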
* Improved LDAP support. SASL authentication may now be used in
conjunction when connecting to an LDAP server. The krb5_ccname
parameter in ldap.conf may be used to enable Kerberos.
+
+ * Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf
+ to specify the sudoers order. E.g.:
+ sudoers: ldap files
+ to check LDAP, then /etc/sudoers. The default is "files", even
+ when LDAP support is compiled in. This differs from sudo 1.6
+ where LDAP was always consulted first.
+
+ * Support for /etc/environment. If sudo is run with the -i flag,
+ the contents of /etc/environment are used to populate the new
+ environment that is passed to the command being run.
+
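Review bot: the nsswitch.conf entry documents a behaviour change that can silently drop all LDAP-sourced rules on upgrade, since 1.6 always consulted LDAP first and 1.7 now consults only "files" unless nsswitch.conf says otherwise; the NEWS entry should point readers at the UPGRADE section and the --with-nsswitch=no configure flag so nobody discovers the change by losing their sudo access. For the /etc/environment entry, say whether variables read from that file pass through the same environment sanitising sudo applies to the caller's environment, or whether they are taken verbatim; as written an administrator cannot tell whether entries in /etc/environment can override or inject into the command's environment.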