-1.8.0b2 November 5, 2010 1
+1.8.0b2 November 18, 2010 1
A Unix group or gid (prefixed with '#') that commands may be run
as. The special value ALL will match any group.
- Each component listed above should contain a single value, but there
- may be multiple instances of each component type. A sudoRole must
- contain at least one sudoUser, sudoHost and sudoCommand.
-
- The following example allows users in group wheel to run any command on
- any host via s\bsu\bud\bdo\bo:
-
+ s\bsu\bud\bdo\boN\bNo\bot\btB\bBe\bef\bfo\bor\bre\be
+ A timestamp in the form yyyymmddHHMMZ that indicates start of
+ validity of this sudoRole. If multiple s\bsu\bud\bdo\boN\bNo\bot\btB\bBe\bef\bfo\bor\bre\be entries are
+ present, the earliest is used.
+ s\bsu\bud\bdo\boN\bNo\bot\btA\bAf\bft\bte\ber\br
+ A timestamp in the form yyyymmddHHMMZ that indicates end of
+ validity of this sudoRole. If multiple s\bsu\bud\bdo\boN\bNo\bot\btA\bAf\bft\bte\ber\br entries are
+ present, the last one is used.
+ Each component listed above should contain a single value, but there
+1.8.0b2 November 18, 2010 2
-1.8.0b2 November 5, 2010 2
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ may be multiple instances of each component type. A sudoRole must
+ contain at least one sudoUser, sudoHost and sudoCommand.
+ The following example allows users in group wheel to run any command on
+ any host via s\bsu\bud\bdo\bo:
dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
objectClass: top
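Review bot: The multi-value rule in the new sudoNotBefore/sudoNotAfter descriptions (earliest sudoNotBefore wins, last sudoNotAfter wins) selects the widest possible validity window, which is the permissive reading; that sits badly with the principle this same page states for conflicting sudoCommand values, that "the LDAP code assumes the more paranoid configuration". Either say explicitly that a sudoRole carrying several timestamps is valid across the union of them and why that is acceptable, or tighten the rule to the latest sudoNotBefore and the earliest sudoNotAfter so that adding a second timestamp can only narrow access, never extend it.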
third query returns all entries containing user netgroups and checks to
see if the user belongs to any of them.
+ If timed entries are enabled with the S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_T\bTI\bIM\bME\bED\bD configuration
+ directive, the LDAP queries include a subfilter that limits retrieval
+ to entries that satisfy the time constraints, if any are present.
+
D\bDi\bif\bff\bfe\ber\bre\ben\bnc\bce\bes\bs b\bbe\bet\btw\bwe\bee\ben\bn L\bLD\bDA\bAP\bP a\ban\bnd\bd n\bno\bon\bn-\b-L\bLD\bDA\bAP\bP s\bsu\bud\bdo\boe\ber\brs\bs
There are some subtle differences in the way sudoers is handled once in
LDAP. Probably the biggest is that according to the RFC, LDAP ordering
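Review bot: The new subfilter paragraph does not say whose clock supplies the current time for the sudoNotBefore/sudoNotAfter comparison: the host running sudo when it builds the query, or the directory server evaluating it. The two can disagree, and a host with a drifted clock will see a different set of valid roles than another host would, so the sentence should name the time source and recommend synchronised clocks on every host that consults LDAP sudoers. "if any are present" should also be made unambiguous (the attributes being present on the entry), since as written it can be read as "if any time constraints are configured in ldap.conf".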
sudoCommand: ALL
sudoCommand: !/bin/sh
- # LDAP equivalent of puddles
- # Notice that even though ALL comes last, it still behaves like
- # role1 since the LDAP code assumes the more paranoid configuration
- dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
- objectClass: sudoRole
- objectClass: top
- cn: role2
- sudoUser: puddles
- sudoHost: ALL
- sudoCommand: !/bin/sh
-1.8.0b2 November 5, 2010 3
+1.8.0b2 November 18, 2010 3
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ # LDAP equivalent of puddles
+ # Notice that even though ALL comes last, it still behaves like
+ # role1 since the LDAP code assumes the more paranoid configuration
+ dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
+ objectClass: sudoRole
+ objectClass: top
+ cn: role2
+ sudoUser: puddles
+ sudoHost: ALL
+ sudoCommand: !/bin/sh
sudoCommand: ALL
Another difference is that negations on the Host, User or Runas are
specified in _\b/_\be_\bt_\bc_\b/_\bo_\bp_\be_\bn_\bl_\bd_\ba_\bp_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf or the user's _\b._\bl_\bd_\ba_\bp_\br_\bc files are
not used.
- Only those options explicitly listed in _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf that are
- supported by s\bsu\bud\bdo\bo are honored. Configuration options are listed below
- in upper case but are parsed in a case-independent manner.
-
- U\bUR\bRI\bI ldap[s]://[hostname[:port]] ...
- Specifies a whitespace-delimited list of one or more URIs
- describing the LDAP server(s) to connect to. The _\bp_\br_\bo_\bt_\bo_\bc_\bo_\bl may be
- either l\bld\bda\bap\bp or l\bld\bda\bap\bps\bs, the latter being for servers that support TLS
- (SSL) encryption. If no _\bp_\bo_\br_\bt is specified, the default is port 389
- for ldap:// or port 636 for ldaps://. If no _\bh_\bo_\bs_\bt_\bn_\ba_\bm_\be is specified,
-1.8.0b2 November 5, 2010 4
+1.8.0b2 November 18, 2010 4
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ Only those options explicitly listed in _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf that are
+ supported by s\bsu\bud\bdo\bo are honored. Configuration options are listed below
+ in upper case but are parsed in a case-independent manner.
+
+ U\bUR\bRI\bI ldap[s]://[hostname[:port]] ...
+ Specifies a whitespace-delimited list of one or more URIs
+ describing the LDAP server(s) to connect to. The _\bp_\br_\bo_\bt_\bo_\bc_\bo_\bl may be
+ either l\bld\bda\bap\bp or l\bld\bda\bap\bps\bs, the latter being for servers that support TLS
+ (SSL) encryption. If no _\bp_\bo_\br_\bt is specified, the default is port 389
+ for ldap:// or port 636 for ldaps://. If no _\bh_\bo_\bs_\bt_\bn_\ba_\bm_\be is specified,
s\bsu\bud\bdo\bo will connect to l\blo\boc\bca\bal\blh\bho\bos\bst\bt. Multiple U\bUR\bRI\bI lines are treated
identically to a U\bUR\bRI\bI line containing multiple entries. Only
systems using the OpenSSL libraries support the mixing of ldap://
example.com. Multiple S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_B\bBA\bAS\bSE\bE lines may be specified, in
which case they are queried in the order specified.
+ S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_T\bTI\bIM\bME\bED\bD on/true/yes/off/false/no
+ Whether or not to evaluate the sudoNotBefore and sudoNotAfter
+ attributes that implement time-dependent sudoers entries.
+
S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_D\bDE\bEB\bBU\bUG\bG debug_level
This sets the debug level for s\bsu\bud\bdo\bo LDAP queries. Debugging
+
+
+
+1.8.0b2 November 18, 2010 5
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
information is printed to the standard error. A value of 1 results
in a moderate amount of debugging information. A value of 2 shows
the results of the matches themselves. This parameter should not
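Review bot: The SUDOERS_TIMED description omits its default value and the consequence of leaving the option off: with it disabled, sudoNotBefore and sudoNotAfter are not evaluated at all, so a sudoRole whose sudoNotAfter has already passed still grants access. An administrator who adds time-limited roles to the directory but never sets sudoers_timed in ldap.conf has therefore created permanent grants. Suggest stating the default and adding a sentence such as "When disabled, entries carrying these attributes are treated as having no time restriction."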
identity. By default, most LDAP servers will allow anonymous
access.
-
-
-
-
-1.8.0b2 November 5, 2010 5
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
B\bBI\bIN\bND\bDP\bPW\bW secret
The B\bBI\bIN\bND\bDP\bPW\bW parameter specifies the password to use when performing
LDAP operations. This is typically used in conjunction with the
possible, the CA's certificate should be installed locally so it
can be verified.
+
+
+
+1.8.0b2 November 18, 2010 6
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bT file name
An alias for T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE.
T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTD\bDI\bIR\bR directory
Similar to T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE but instead of a file, it is a directory
-
-
-
-1.8.0b2 November 5, 2010 6
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
containing individual Certificate Authority certificates, e.g.
_\b/_\be_\bt_\bc_\b/_\bs_\bs_\bl_\b/_\bc_\be_\br_\bt_\bs. The directory specified by T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTD\bDI\bIR\bR is
checked after T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE. This option is only supported by the
The T\bTL\bLS\bS_\b_C\bCI\bIP\bPH\bHE\bER\bRS\bS parameter allows the administer to restrict which
encryption algorithms may be used for TLS (SSL) connections. See
the OpenSSL manual for a list of valid ciphers. This option is
- only supported by the OpenLDAP libraries.
- U\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL on/true/yes/off/false/no
- Enable U\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL for LDAP servers that support SASL authentication.
- S\bSA\bAS\bSL\bL_\b_A\bAU\bUT\bTH\bH_\b_I\bID\bD identity
- The SASL user name to use when connecting to the LDAP server. By
- default, s\bsu\bud\bdo\bo will use an anonymous connection.
- R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL on/true/yes/off/false/no
- Enable R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL to enable SASL authentication when connecting
- to an LDAP server from a privileged process, such as s\bsu\bud\bdo\bo.
+1.8.0b2 November 18, 2010 7
-1.8.0b2 November 5, 2010 7
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ only supported by the OpenLDAP libraries.
+ U\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL on/true/yes/off/false/no
+ Enable U\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL for LDAP servers that support SASL authentication.
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ S\bSA\bAS\bSL\bL_\b_A\bAU\bUT\bTH\bH_\b_I\bID\bD identity
+ The SASL user name to use when connecting to the LDAP server. By
+ default, s\bsu\bud\bdo\bo will use an anonymous connection.
+ R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL on/true/yes/off/false/no
+ Enable R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL to enable SASL authentication when connecting
+ to an LDAP server from a privileged process, such as s\bsu\bud\bdo\bo.
R\bRO\bOO\bOT\bTS\bSA\bAS\bSL\bL_\b_A\bAU\bUT\bTH\bH_\b_I\bID\bD identity
The SASL user name to use when R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL is enabled.
If the _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf file is not present or there is no sudoers
line, the following default is assumed:
+
+
+
+1.8.0b2 November 18, 2010 8
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
sudoers: files
Note that _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf is supported even when the underlying
To consult LDAP first followed by the local sudoers file (if it
exists), use:
-
-
-1.8.0b2 November 5, 2010 8
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
sudoers = ldap, files
The local _\bs_\bu_\bd_\bo_\be_\br_\bs file can be ignored completely by using:
# URI will override the host and port settings.
uri ldap://ldapserver
#uri ldaps://secureldapserver
+
+
+
+1.8.0b2 November 18, 2010 9
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
#uri ldaps://secureldapserver ldap://ldapserver
#
# The amount of time, in seconds, to wait while trying to connect to
#
# verbose sudoers matching from ldap
#sudoers_debug 2
-
-
-
-1.8.0b2 November 5, 2010 9
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
+ #
+ # Enable support for time-based entries in sudoers.
+ #sudoers_timed yes
#
# optional proxy credentials
#binddn <who to search as>
# Only supported when using OpenLDAP.
#
#tls_randfile /etc/egd-pool
+
+
+
+1.8.0b2 November 18, 2010 10
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
#
# You may restrict which ciphers are used. Consult your SSL
# documentation for which options go here.
# For OpenLDAP:
#tls_cert /etc/certs/client_cert.pem
#tls_key /etc/certs/client_key.pem
-
-
-
-1.8.0b2 November 5, 2010 10
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
#
# For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
# a directory, in which case the files in the directory must have the
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.2
+
+
+
+1.8.0b2 November 18, 2010 11
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
NAME 'sudoHost'
DESC 'Host(s) who may run sudo'
EQUALITY caseExactIA5Match
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-
-1.8.0b2 November 5, 2010 11
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
-
attributetype ( 1.3.6.1.4.1.15953.9.1.5
NAME 'sudoOption'
DESC 'Options(s) followed by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+ attributetype ( 1.3.6.1.4.1.15953.9.1.8
+ NAME 'sudoNotBefore'
+ DESC 'Start of time interval for which the entry is valid'
+ EQUALITY generalizedTimeMatch
+ ORDERING generalizedTimeOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.9
+ NAME 'sudoNotAfter'
+ DESC 'End of time interval for which the entry is valid'
+ EQUALITY generalizedTimeMatch
+ ORDERING generalizedTimeOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+
objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
DESC 'Sudoer Entries'
MUST ( cn )
MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
- sudoRunAsGroup $ sudoOption $ description )
+
+
+
+1.8.0b2 November 18, 2010 12
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
+ sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
+ description )
)
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
-1.8.0b2 November 5, 2010 12
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+1.8.0b2 November 18, 2010 13
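Review bot: Adding sudoNotBefore and sudoNotAfter to the published schema makes a schema update a prerequisite for turning on SUDOERS_TIMED, and the page does not say what happens to a deployment that enables the option before loading the new attribute types. Under the LDAP filter rules (RFC 4511) an assertion on an attribute type the server does not know evaluates to Undefined, so a time subfilter that references the new attributes would match nothing and every LDAP sudoers lookup would fail until the schema is installed. A sentence in this section stating that the schema update must precede sudoers_timed, and whether the failure mode is closed (as it appears) or open, would save an operator a lock-out.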
.\" ========================================================================
.\"
.IX Title "SUDOERS.LDAP @mansectform@"
-.TH SUDOERS.LDAP @mansectform@ "November 5, 2010" "1.8.0b2" "MAINTENANCE COMMANDS"
+.TH SUDOERS.LDAP @mansectform@ "November 18, 2010" "1.8.0b2" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.IX Item "sudoRunAsGroup"
A Unix group or gid (prefixed with \f(CW\*(Aq#\*(Aq\fR) that commands may be run as.
The special value \f(CW\*(C`ALL\*(C'\fR will match any group.
+.IP "\fBsudoNotBefore\fR" 4
+.IX Item "sudoNotBefore"
+A timestamp in the form \f(CW\*(C`yyyymmddHHMMZ\*(C'\fR that indicates start of validity
+of this \f(CW\*(C`sudoRole\*(C'\fR.
+If multiple \fBsudoNotBefore\fR entries are present, the earliest is used.
+.IP "\fBsudoNotAfter\fR" 4
+.IX Item "sudoNotAfter"
+A timestamp in the form \f(CW\*(C`yyyymmddHHMMZ\*(C'\fR that indicates end of validity
+of this \f(CW\*(C`sudoRole\*(C'\fR.
+If multiple \fBsudoNotAfter\fR entries are present, the last one is used.
.PP
Each component listed above should contain a single value, but there
may be multiple instances of each component type. A sudoRole must
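Review bot: Two wording problems in the sudoNotBefore/sudoNotAfter items, which the generated cat page inherits verbatim. "the last one is used" for sudoNotAfter is ambiguous (last in attribute order, or latest in time) where the sudoNotBefore item says "earliest"; write "the latest is used". The yyyymmddHHMMZ form should also state that the trailing Z means the time is UTC, since an operator who enters local time gets a window shifted by the local offset; and "indicates start of validity" reads better as "indicates the start of the validity period".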
in this query too.) If no match is returned for the user's name
and groups, a third query returns all entries containing user
netgroups and checks to see if the user belongs to any of them.
+.PP
+If timed entries are enabled with the \fB\s-1SUDOERS_TIMED\s0\fR configuration
+directive, the \s-1LDAP\s0 queries include a subfilter that limits retrieval
+to entries that satisfy the time constraints, if any are present.
.SS "Differences between \s-1LDAP\s0 and non-LDAP sudoers"
.IX Subsection "Differences between LDAP and non-LDAP sudoers"
There are some subtle differences in the way sudoers is handled
this is of the form \f(CW\*(C`ou=SUDOers,dc=example,dc=com\*(C'\fR for the domain
\&\f(CW\*(C`example.com\*(C'\fR. Multiple \fB\s-1SUDOERS_BASE\s0\fR lines may be specified,
in which case they are queried in the order specified.
+.IP "\fB\s-1SUDOERS_TIMED\s0\fR on/true/yes/off/false/no" 4
+.IX Item "SUDOERS_TIMED on/true/yes/off/false/no"
+Whether or not to evaluate the sudoNotBefore and sudoNotAfter
+attributes that implement time-dependent sudoers entries.
.IP "\fB\s-1SUDOERS_DEBUG\s0\fR debug_level" 4
.IX Item "SUDOERS_DEBUG debug_level"
This sets the debug level for \fBsudo\fR \s-1LDAP\s0 queries. Debugging
\& # verbose sudoers matching from ldap
\& #sudoers_debug 2
\& #
+\& # Enable support for time\-based entries in sudoers.
+\& #sudoers_timed yes
+\& #
\& # optional proxy credentials
\& #binddn <who to search as>
\& #bindpw <password>
\& EQUALITY caseExactIA5Match
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
\&
+\& attributetype ( 1.3.6.1.4.1.15953.9.1.8
+\& NAME \*(AqsudoNotBefore\*(Aq
+\& DESC \*(AqStart of time interval for which the entry is valid\*(Aq
+\& EQUALITY generalizedTimeMatch
+\& ORDERING generalizedTimeOrderingMatch
+\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+\&
+\& attributetype ( 1.3.6.1.4.1.15953.9.1.9
+\& NAME \*(AqsudoNotAfter\*(Aq
+\& DESC \*(AqEnd of time interval for which the entry is valid\*(Aq
+\& EQUALITY generalizedTimeMatch
+\& ORDERING generalizedTimeOrderingMatch
+\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+\&
\& objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME \*(AqsudoRole\*(Aq SUP top STRUCTURAL
\& DESC \*(AqSudoer Entries\*(Aq
\& MUST ( cn )
\& MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
-\& sudoRunAsGroup $ sudoOption $ description )
+\& sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
+\& description )
\& )
.Ve
.SH "SEE ALSO"
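Review bot: The new attribute types are defined multi-valued (no SINGLE-VALUE flag), which is what forces the "if multiple entries are present" rule in the prose. Unless there is a real use for several start or end times on one sudoRole, adding SINGLE-VALUE to the sudoNotBefore and sudoNotAfter definitions lets the directory reject ambiguous entries at write time and removes the need for that rule and the interpretation question it raises.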