is adapted from README.LDAP.
mkinstalldirs pathnames.h.in sample.pam sample.syslog.conf \
sample.sudoers schema.OpenLDAP schema.iPlanet sudo.cat \
sudo.man.in sudo.pod sudo.psf sudo_usage.h.in sudoers sudoers.cat \
- sudoers.man.in sudoers.pod sudoers2ldif visudo.cat \
- visudo.man.in visudo.pod auth/API
+ sudoers.man.in sudoers.pod sudoers.ldap.cat sudoers.ldap.man.in \
+ sudoers.ldap.pod sudoers2ldif visudo.cat visudo.man.in visudo.pod \
+ auth/API
BINFILES= ChangeLog HISTORY LICENSE README TODO TROUBLESHOOTING \
UPGRADE install-sh mkinstalldirs sample.syslog.conf sample.sudoers \
sudoers.man:: sudoers.man.in
CONFIG_FILES=$@ CONFIG_HEADERS= sh ./config.status
-sudoers.cat: sudoers.man
+sudoers.ldap.cat: sudoers.ldap.man
+
+sudoers.ldap.man.in: $(srcdir)/sudoers.ldap.pod
+ @rm -f $(srcdir)/$@
+ ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e 1d -e '/^=pod/q' -e 's/^/.\\" /p' sudoers.ldap.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectform --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudoers.ldap.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" >> $@ )
+
+sudoers.ldap.man:: sudoers.ldap.man.in
+ CONFIG_FILES=$@ CONFIG_HEADERS= sh ./config.status
+
+sudoers.ldap.cat: sudoers.ldap.man
@DEV@HISTORY: history.pod
@DEV@ pod2text -l -i0 $> > $@
ln $(DESTDIR)$(mandirsu)/sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)
$(INSTALL) -O $(install_uid) -G $(install_gid) -M 0444 @mansrcdir@/visudo.$(mantype) $(DESTDIR)$(mandirsu)/visudo.$(mansectsu)
$(INSTALL) -O $(install_uid) -G $(install_gid) -M 0444 @mansrcdir@/sudoers.$(mantype) $(DESTDIR)$(mandirform)/sudoers.$(mansectform)
+ @LDAP@$(INSTALL) -O $(install_uid) -G $(install_gid) -M 0444 @mansrcdir@/sudoers.ldap.$(mantype) $(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform)
@MAN_POSTINSTALL@
check:
distclean: clean
-rm -rf Makefile pathnames.h config.h config.status config.cache \
config.log libtool sudo_noexec.lo .libs $(GENERATED) \
- sudo.man sudoers.man visudo.man sudo_usage.h Makefile.binary
+ sudo.man sudoers.man sudoers.ldap.man visudo.man sudo_usage.h \
+ Makefile.binary
clobber: distclean
--- /dev/null
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
+N\bNA\bAM\bME\bE
+ sudoers.ldap - sudo LDAP configuration
+
+D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
+ In addition to the standard _\bs_\bu_\bd_\bo_\be_\br_\bs file, s\bsu\bud\bdo\bo may be con-
+ figured via LAP. This can be especially useful for syn-
+ cronizing _\bs_\bu_\bd_\bo_\be_\br_\bs in a large, distributed environment.
+
+ Using LDAP for _\bs_\bu_\bd_\bo_\be_\br_\bs has several benefits:
+
+ +\bo s\bsu\bud\bdo\bo no longer needs to read _\bs_\bu_\bd_\bo_\be_\br_\bs in its entirety.
+ Parsing of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs requires the entire file to be
+ read. When LDAP is used, there are only two or three
+ LDAP queries per invocation. This makes it especially
+ fast and particularly usable in LDAP environments.
+ The first query is to parse global options (see
+ below). The second is to match against the user's
+ name and the groups that the user belongs to. (The
+ special ALL tag is matched in this query too.) If no
+ match is returned for the user's name and groups, a
+ third query returns all entries contain user netgroups
+ and checks to see if the user belongs to any of them.
+
+ +\bo s\bsu\bud\bdo\bo no longer exits if there is a typo in _\bs_\bu_\bd_\bo_\be_\br_\bs.
+ It is not possible to load LDAP data into the server
+ that does not conform to the sudoers schema, so proper
+ syntax is guaranteed. It is still possible to have
+ typos in a user or host name, but this will not pre-
+ vent s\bsu\bud\bdo\bo from running.
+
+ +\bo Options inside of entries now override global default
+ options. _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs only supports default options
+ and limited options associated with user/host/commands
+ and aliases. The syntax is complicated and can be
+ difficult for users to understand.
+
+ Sudo first looks for an entry called cn=default in the
+ SUDOers container. If found, the multi-valued sudoOp-
+ tion attribute is parsed the same way the global
+ Defaults line in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs is parsed.
+
+ If, on the second or third query, a response contains
+ a sudoRole which matches against the user, host, and
+ command, then the matched object is scanned for a
+ additional options that override the top-level
+ defaults. See the example LDAP content below for more
+ information.
+
+ +\bo v\bvi\bis\bsu\bud\bdo\bo is no longer needed. v\bvi\bis\bsu\bud\bdo\bo provides locking
+ and syntax checking of the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs file. Since
+ LDAP updates are atomic, locking is no longer neces-
+ sary. Because syntax is checked when the data is
+ inserted into LDAP, there is no need for a specialized
+ tool to check syntax.
+
+
+
+1.7 January 19, 2008 1
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
+ +\bo Aliases are no longer needed. User, Host, and Cmnd
+ Aliases were designed to simplify organization of
+ _\bs_\bu_\bd_\bo_\be_\br_\bs files and to improve readability. Since an
+ LDAP _\bs_\bu_\bd_\bo_\be_\br_\bs entry allows multiple values for each of
+ its attributes, and since most LDAP browsers are
+ graphical and easy to work with, these aliases are no
+ longer needed.
+
+ If you wish to specify a large number of users into an
+ entry or wish to have similar entries with identical
+ users, then either use groups or user netgroups.
+ Alternately, they can all just be pasted into the LDAP
+ record.
+
+ If you need to specify a large number of hosts in an
+ entry, use netgroups or IP address matches
+ (10.2.3.4/255.255.0.0). Alternately, they can all
+ just be pasted into the LDAP record.
+
+ D\bDi\bif\bff\bfe\ber\bre\ben\bnc\bce\bes\bs b\bbe\bet\btw\bwe\bee\ben\bn L\bLD\bDA\bAP\bP a\ban\bnd\bd n\bno\bon\bn-\b-L\bLD\bDA\bAP\bP s\bsu\bud\bdo\boe\ber\brs\bs
+
+ There are some subtle differences in the way sudoers is
+ handled once in LDAP. Probably the biggest is that
+ according to the RFC, LDAP's ordering is arbitrary and you
+ cannot expect that Attributes and Entries are returned in
+ any order. If there are conflicting command rules on an
+ entry, the negative takes precedence. This is called
+ paranoid behavior (not necessarily the most specific
+ match).
+
+ Here is an example:
+
+ # /etc/sudoers:
+ # Allow all commands except shell
+ johnny ALL=(root) ALL,!/bin/sh
+ # Always allows all commands because ALL is matched last
+ puddles ALL=(root) !/bin/sh,ALL
+
+ # LDAP equivalent of Johnny
+ # Allows all commands except shell
+ dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
+ objectClass: sudoRole
+ objectClass: top
+ cn: role1
+ sudoUser: johnny
+ sudoHost: ALL
+ sudoCommand: ALL
+ sudoCommand: !/bin/sh
+
+
+
+
+
+
+
+
+
+1.7 January 19, 2008 2
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
+ # LDAP equivalent of Puddles
+ # Notice that even though ALL comes last, it still behaves like
+ # role1 since the LDAP code assumes the more paranoid configuration
+ dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
+ objectClass: sudoRole
+ objectClass: top
+ cn: role2
+ sudoUser: puddles
+ sudoHost: ALL
+ sudoCommand: !/bin/sh
+ sudoCommand: ALL
+
+ Another difference is that negations on the Host, User or
+ Runas are currently ignorred. For example, the following
+ attributes do not do what they might appear to do.
+
+ # does not match all but joe
+ # rather, does not match anyone
+ sudoUser: !joe
+
+ # does not match all but joe
+ # rather, matches everyone including Joe
+ sudoUser: ALL
+ sudoUser: !joe
+
+ # does not match all but web01
+ # rather, matches all hosts including web01
+ sudoHost: ALL
+ sudoHost: !web01
+
+ D\bDe\bes\bsc\bcr\bri\bip\bpt\bti\bio\bon\bn o\bof\bf s\bsu\bud\bdo\boR\bRo\bol\ble\be
+
+ The equivalent of a sudoer in LDAP is a 'sudoRole'. It
+ contains sudoUser(s), sudoHost, sudoCommand and optional
+ sudoOption(s), sudoRunAsUser(s) and sudoRunAsGroup(s).
+
+ The following example allows users in group wheel to run
+ any command on any host via s\bsu\bud\bdo\bo:
+
+ dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
+ objectClass: top
+ objectClass: sudoRole
+ cn: %wheel
+ sudoUser: %wheel
+ sudoHost: ALL
+ sudoCommand: ALL
+
+ S\bSu\bud\bdo\boe\ber\brs\bs S\bSc\bch\bhe\bem\bma\ba
+
+ In order to use s\bsu\bud\bdo\bo's LDAP support the s\bsu\bud\bdo\bo schema must
+ be installled on your LDAP server. In addition, be sure
+ to index the attribute 'sudoUser'.
+
+ Two versions of the schema, one for OpenLDAP servers and
+
+
+
+1.7 January 19, 2008 3
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
+ another for netscape-derived servers, may also be found in
+ the s\bsu\bud\bdo\bo distribution. The schema for s\bsu\bud\bdo\bo in OpenLDAP
+ form appears below.
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.1
+ NAME 'sudoUser'
+ DESC 'User(s) who may run sudo'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.2
+ NAME 'sudoHost'
+ DESC 'Host(s) who may run sudo'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.3
+ NAME 'sudoCommand'
+ DESC 'Command(s) to be executed by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.4
+ NAME 'sudoRunAs'
+ DESC 'User(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.5
+ NAME 'sudoOption'
+ DESC 'Options(s) followed by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.6
+ NAME 'sudoRunAsUser'
+ DESC 'User(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.7
+ NAME 'sudoRunAsGroup'
+ DESC 'Group(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
+ DESC 'Sudoer Entries'
+ MUST ( cn )
+ MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
+ sudoRunAsGroup $ sudoOption $ description )
+ )
+
+
+
+1.7 January 19, 2008 4
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
+ C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg l\bld\bda\bap\bp.\b.c\bco\bon\bnf\bf
+
+ Sudo reads the _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf file for LDAP-specific con-
+ figuration. Typically, this file is shared amongst dif-
+ ferent LDAP-aware clients. As such, most of the settings
+ are not s\bsu\bud\bdo\bo-specific. Note that s\bsu\bud\bdo\bo parses
+ _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf itself and may support options that differ
+ from those described in the _\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf(4) manual.
+
+ Also note that on systems using the OpenLDAP libraries,
+ default values specified in _\b/_\be_\bt_\bc_\b/_\bo_\bp_\be_\bn_\bl_\bd_\ba_\bp_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf or the
+ user's _\b._\bl_\bd_\ba_\bp_\br_\bc files are not used.
+
+ Only those options explicitly listed in _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf
+ that are supported by s\bsu\bud\bdo\bo are honored. Configuration
+ options are listed below in upper case but are parsed in a
+ case-independent manner.
+
+ URI ldap[s]://[hostname[:port]] ...
+ Specifies a whitespace-delimited list of one or more
+ URIs describing the LDAP server(s) to connect to. The
+ _\bp_\br_\bo_\bt_\bo_\bc_\bo_\bl may be either l\bld\bda\bap\bp or l\bld\bda\bap\bps\bs, the latter being
+ for servers that support TLS (SSL) encryption. If no
+ _\bp_\bo_\br_\bt is specified, the default is port 389 for ldap://
+ or port 636 for ldaps://. If no _\bh_\bo_\bs_\bt_\bn_\ba_\bm_\be is speci-
+ fied, s\bsu\bud\bdo\bo will connect to l\blo\boc\bca\bal\blh\bho\bos\bst\bt. Only systems
+ using the OpenSSL libraries support the mixing of
+ ldap:// and ldaps:// URIs. The netscape-derived
+ libraries used on most commercial versions of Unix are
+ only capable of supporting one or the other.
+
+ HOST name[:port] ...
+ If no U\bUR\bRI\bI is specified, the H\bHO\bOS\bST\bT parameter specifies a
+ whitespace-delimited list of LDAP servers to connect
+ to. Each host may include an optional _\bp_\bo_\br_\bt separated
+ by a colon (':'). The H\bHO\bOS\bST\bT parameter is deprecated in
+ favor of the U\bUR\bRI\bI specification and is included for
+ backwards compatibility.
+
+ PORT port_number
+ If no U\bUR\bRI\bI is specified, the P\bPO\bOR\bRT\bT parameter specifies
+ the default port to connect to on the LDAP server if a
+ H\bHO\bOS\bST\bT parameter does not specify the port itself. If
+ no P\bPO\bOR\bRT\bT parameter is used, the default is port 389 for
+ LDAP and port 636 for LDAP over TLS (SSL). The P\bPO\bOR\bRT\bT
+ parameter is deprecated in favor of the U\bUR\bRI\bI specifica-
+ tion and is included for backwards compatibility.
+
+ BIND_TIMELIMIT seconds
+ The B\bBI\bIN\bND\bD_\b_T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT parameter specifies the amount of
+ time, in seconds, to wait while trying to connect to
+ an LDAP server. If multiple U\bUR\bRI\bIs or H\bHO\bOS\bST\bTs are speci-
+ fied, this is the amount of time to wait before trying
+ the next one in the list.
+
+
+
+1.7 January 19, 2008 5
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
+ SUDOERS_BASE base
+ The base DN to use when performing s\bsu\bud\bdo\bo LDAP lookups.
+ Typically this is of the form ou=SUDOers,dc=exam-
+ ple,dc=com for the domain example.com.
+
+ SUDOERS_DEBUG debug_level
+ This sets the debug level for s\bsu\bud\bdo\bo LDAP lookups.
+ Debuging information is printed to the standard error.
+ A value of 1 results in a moderate amount of debugging
+ information. A value of 2 shows the results of the
+ matches themselves. This parameter should not be set
+ in a production environment as the extra information
+ is likely to confuse users.
+
+ BINDDN DN
+ The B\bBI\bIN\bND\bDD\bDN\bN parameter specifies the identity, in the
+ form of a Distinguished Name (DN), to use when per-
+ forming LDAP operations. If not specified, LDAP oper-
+ ations are performed with an anonymous identity. By
+ default, most LDAP servers will allow anonymous
+ access.
+
+ BINDPW secret
+ The B\bBI\bIN\bND\bDP\bPW\bW parameter specifies the password to use
+ when performing LDAP operations. This is typically
+ used in conjunction with the B\bBI\bIN\bND\bDD\bDN\bN parameter.
+
+ ROOTBINDDN DN
+ The R\bRO\bOO\bOT\bTB\bBI\bIN\bND\bDD\bDN\bN parameter specifies the identity, in
+ the form of a Distinguished Name (DN), to use when
+ performing privileged LDAP operations, such as _\bs_\bu_\bd_\bo_\be_\br_\bs
+ lookups. The password corresponding to the identity
+ should be stored in </etc/ldap.passwd> If not speci-
+ fied, the B\bBI\bIN\bND\bDD\bDN\bN identity is used (if any).
+
+ LDAP_VERSION number
+ The version of the LDAP protocol to use when connect-
+ ing to the server. The default value is protocol ver-
+ sion 3.
+
+ SSL on/true/yes/off/false/no
+ If the S\bSS\bSL\bL parameter is set to on, true or yes, TLS
+ (SSL) encryption is always used when communicating
+ with the LDAP server. Typically, this involves con-
+ necting to the server on port 636 (ldaps).
+
+ SSL start_tls
+ If the S\bSS\bSL\bL parameter is set to start_tls, the LDAP
+ server connection is initiated normally and TLS
+ encryption is begun before the bind credentials are
+ sent. This has the advantage of not requiring a dedi-
+ cated port for encrypted communications. This parame-
+ ter is only supported by LDAP servers that honor the
+ start_tls extension, such as the OpenLDAP server.
+
+
+
+1.7 January 19, 2008 6
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
+ TLS_CHECKPEER on/true/yes/off/false/no
+ If enabled, T\bTL\bLS\bS_\b_C\bCH\bHE\bEC\bCK\bKP\bPE\bEE\bER\bR will cause the LDAP server's
+ TLS certificated to be verified. If the server's TLS
+ certificate cannot be verified (usually because it is
+ signed by an unknown certificate authority), s\bsu\bud\bdo\bo will
+ be unable to connect to it. If T\bTL\bLS\bS_\b_C\bCH\bHE\bEC\bCK\bKP\bPE\bEE\bER\bR is dis-
+ abled, no check is made.
+
+ TLS_CACERTFILE
+ TLS_CACERTDIR
+ TLS_RANDFILE
+ TLS_CIPHERS
+ TLS_CERT
+ TLS_KEY
+ USE_SASL
+ SASL_AUTH_ID
+ ROOTUSE_SASL
+ ROOTSASL_AUTH_ID
+ SASL_SECPROPS
+ KRB5_CCNAME
+
+ C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg n\bns\bss\bsw\bwi\bit\btc\bch\bh.\b.c\bco\bon\bnf\bf
+
+ Sudo consults the Name Service Switch file, _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\b-
+ _\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf, to specify the _\bs_\bu_\bd_\bo_\be_\br_\bs search order. Sudo
+ looks for a line begining with sudoers: and uses this to
+ determine the search order. Note that s\bsu\bud\bdo\bo does not stop
+ searching after the first match and later matches take
+ precedence over earlier ones.
+
+ The following sources are recognized.
+ files read sudoers from a file (usually _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs)
+ ldap read sudoers from LDAP
+
+ In addition, the entry [NOTFOUND=return] will short-cir-
+ cuit the search if the user was not found in the preceding
+ source.
+
+ To consult LDAP first followed by the local sudoers file
+ (if it exists), use:
+
+ sudoers: ldap files
+
+ The local _\bs_\bu_\bd_\bo_\be_\br_\bs file can be ignored completely by using:
+
+ sudoers: ldap
+
+ If the _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf file is not present or there is
+ no sudoers line, the following default is assumed:
+
+ sudoers: files
+
+F\bFI\bIL\bLE\bES\bS
+ _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf LDAP configuration file
+
+
+
+1.7 January 19, 2008 7
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
+ _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf determines sudoers source order
+
+E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
+ Example entries
+
+ Example ldap.conf
+
+ Debugging info
+
+S\bSE\bEE\bE A\bAL\bLS\bSO\bO
+ _\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf(4), _\bs_\bu_\bd_\bo_\be_\br_\bs(4)
+
+C\bCA\bAV\bVE\bEA\bAT\bTS\bS
+ parsing differences between LDAP and file sudoers
+
+B\bBU\bUG\bGS\bS
+ If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a
+ bug report at http://www.sudo.ws/sudo/bugs/
+
+S\bSU\bUP\bPP\bPO\bOR\bRT\bT
+ Limited free support is available via the sudo-users mail-
+ ing list, see http://www.sudo.ws/mail-
+ man/listinfo/sudo-users to subscribe or search the
+ archives.
+
+D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
+ s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied war-
+ ranties, including, but not limited to, the implied war-
+ ranties of merchantability and fitness for a particular
+ purpose are disclaimed. See the LICENSE file distributed
+ with s\bsu\bud\bdo\bo or http://www.sudo.ws/sudo/license.html for com-
+ plete details.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+1.7 January 19, 2008 8
+
+
--- /dev/null
+.\" Copyright (c) 2003-2008
+.\" Todd C. Miller <Todd.Miller@courtesan.com>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $Sudo$
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sh \" Subsection heading
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" Set up some character translations and predefined strings. \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote. | will give a
+.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to
+.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C'
+.\" expand to `' in nroff, nothing in troff, for use with C<>.
+.tr \(*W-|\(bv\*(Tr
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+. ds -- \(*W-
+. ds PI pi
+. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
+. ds L" ""
+. ds R" ""
+. ds C`
+. ds C'
+'br\}
+.el\{\
+. ds -- \|\(em\|
+. ds PI \(*p
+. ds L" ``
+. ds R" ''
+'br\}
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. nr % 0
+. rr F
+.\}
+.\"
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.hy 0
+.if n .na
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear. Run. Save yourself. No user-serviceable parts.
+. \" fudge factors for nroff and troff
+.if n \{\
+. ds #H 0
+. ds #V .8m
+. ds #F .3m
+. ds #[ \f1
+. ds #] \fP
+.\}
+.if t \{\
+. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+. ds #V .6m
+. ds #F 0
+. ds #[ \&
+. ds #] \&
+.\}
+. \" simple accents for nroff and troff
+.if n \{\
+. ds ' \&
+. ds ` \&
+. ds ^ \&
+. ds , \&
+. ds ~ ~
+. ds /
+.\}
+.if t \{\
+. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+. \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+. \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+. \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+. ds : e
+. ds 8 ss
+. ds o a
+. ds d- d\h'-1'\(ga
+. ds D- D\h'-1'\(hy
+. ds th \o'bp'
+. ds Th \o'LP'
+. ds ae ae
+. ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ========================================================================
+.\"
+.IX Title "SUDOERS.LDAP @mansectform@"
+.TH SUDOERS.LDAP @mansectform@ "January 19, 2008" "1.7" "MAINTENANCE COMMANDS"
+.SH "NAME"
+sudoers.ldap \- sudo LDAP configuration
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+In addition to the standard \fIsudoers\fR file, \fBsudo\fR may be configured
+via \s-1LAP\s0. This can be especially useful for syncronizing \fIsudoers\fR
+in a large, distributed environment.
+.PP
+Using \s-1LDAP\s0 for \fIsudoers\fR has several benefits:
+.IP "\(bu" 4
+\&\fBsudo\fR no longer needs to read \fIsudoers\fR in its entirety. Parsing
+of \fI/etc/sudoers\fR requires the entire file to be read. When \s-1LDAP\s0
+is used, there are only two or three \s-1LDAP\s0 queries per invocation.
+This makes it especially fast and particularly usable in \s-1LDAP\s0
+environments. The first query is to parse global options (see
+below). The second is to match against the user's name and the
+groups that the user belongs to. (The special \s-1ALL\s0 tag is matched
+in this query too.) If no match is returned for the user's name
+and groups, a third query returns all entries contain user netgroups
+and checks to see if the user belongs to any of them.
+.IP "\(bu" 4
+\&\fBsudo\fR no longer exits if there is a typo in \fIsudoers\fR.
+It is not possible to load \s-1LDAP\s0 data into the server that does
+not conform to the sudoers schema, so proper syntax is guaranteed.
+It is still possible to have typos in a user or host name, but
+this will not prevent \fBsudo\fR from running.
+.IP "\(bu" 4
+Options inside of entries now override global default options.
+\&\fI/etc/sudoers\fR only supports default options and limited options
+associated with user/host/commands and aliases. The syntax is
+complicated and can be difficult for users to understand.
+.Sp
+Sudo first looks for an entry called \f(CW\*(C`cn=default\*(C'\fR in the \f(CW\*(C`SUDOers\*(C'\fR
+container. If found, the multi-valued \f(CW\*(C`sudoOption\*(C'\fR attribute is
+parsed the same way the global \f(CW\*(C`Defaults\*(C'\fR line in \fI/etc/sudoers\fR
+is parsed.
+.Sp
+If, on the second or third query, a response contains a sudoRole
+which matches against the user, host, and command, then the matched
+object is scanned for a additional options that override the top-level
+defaults. See the example \s-1LDAP\s0 content below for more information.
+.IP "\(bu" 4
+\&\fBvisudo\fR is no longer needed. \fBvisudo\fR provides locking and
+syntax checking of the \fI/etc/sudoers\fR file. Since \s-1LDAP\s0 updates
+are atomic, locking is no longer necessary. Because syntax is
+checked when the data is inserted into \s-1LDAP\s0, there is no need
+for a specialized tool to check syntax.
+.IP "\(bu" 4
+Aliases are no longer needed. User, Host, and Cmnd Aliases were
+designed to simplify organization of \fIsudoers\fR files and to
+improve readability. Since an \s-1LDAP\s0 \fIsudoers\fR entry allows multiple
+values for each of its attributes, and since most \s-1LDAP\s0 browsers are
+graphical and easy to work with, these aliases are no longer
+needed.
+.Sp
+If you wish to specify a large number of users into an entry or
+wish to have similar entries with identical users, then either use
+groups or user netgroups. Alternately, they can all just be pasted
+into the \s-1LDAP\s0 record.
+.Sp
+If you need to specify a large number of hosts in an entry, use
+netgroups or \s-1IP\s0 address matches (10.2.3.4/255.255.0.0). Alternately,
+they can all just be pasted into the \s-1LDAP\s0 record.
+.Sh "Differences between \s-1LDAP\s0 and non-LDAP sudoers"
+.IX Subsection "Differences between LDAP and non-LDAP sudoers"
+There are some subtle differences in the way sudoers is handled
+once in \s-1LDAP\s0. Probably the biggest is that according to the \s-1RFC\s0,
+\&\s-1LDAP\s0's ordering is arbitrary and you cannot expect that Attributes
+and Entries are returned in any order. If there are conflicting
+command rules on an entry, the negative takes precedence. This is
+called paranoid behavior (not necessarily the most specific match).
+.PP
+Here is an example:
+.PP
+.Vb 5
+\& # /etc/sudoers:
+\& # Allow all commands except shell
+\& johnny ALL=(root) ALL,!/bin/sh
+\& # Always allows all commands because ALL is matched last
+\& puddles ALL=(root) !/bin/sh,ALL
+.Ve
+.PP
+.Vb 10
+\& # LDAP equivalent of Johnny
+\& # Allows all commands except shell
+\& dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
+\& objectClass: sudoRole
+\& objectClass: top
+\& cn: role1
+\& sudoUser: johnny
+\& sudoHost: ALL
+\& sudoCommand: ALL
+\& sudoCommand: !/bin/sh
+.Ve
+.PP
+.Vb 11
+\& # LDAP equivalent of Puddles
+\& # Notice that even though ALL comes last, it still behaves like
+\& # role1 since the LDAP code assumes the more paranoid configuration
+\& dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
+\& objectClass: sudoRole
+\& objectClass: top
+\& cn: role2
+\& sudoUser: puddles
+\& sudoHost: ALL
+\& sudoCommand: !/bin/sh
+\& sudoCommand: ALL
+.Ve
+.PP
+Another difference is that negations on the Host, User or Runas are
+currently ignorred. For example, the following attributes do not
+do what they might appear to do.
+.PP
+.Vb 3
+\& # does not match all but joe
+\& # rather, does not match anyone
+\& sudoUser: !joe
+.Ve
+.PP
+.Vb 4
+\& # does not match all but joe
+\& # rather, matches everyone including Joe
+\& sudoUser: ALL
+\& sudoUser: !joe
+.Ve
+.PP
+.Vb 4
+\& # does not match all but web01
+\& # rather, matches all hosts including web01
+\& sudoHost: ALL
+\& sudoHost: !web01
+.Ve
+.Sh "Description of sudoRole"
+.IX Subsection "Description of sudoRole"
+The equivalent of a sudoer in \s-1LDAP\s0 is a 'sudoRole'. It contains
+sudoUser(s), sudoHost, sudoCommand and optional sudoOption(s),
+sudoRunAsUser(s) and sudoRunAsGroup(s).
+.PP
+The following example allows users in group wheel to run any command
+on any host via \fBsudo\fR:
+.PP
+.Vb 7
+\& dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
+\& objectClass: top
+\& objectClass: sudoRole
+\& cn: %wheel
+\& sudoUser: %wheel
+\& sudoHost: ALL
+\& sudoCommand: ALL
+.Ve
+.Sh "Sudoers Schema"
+.IX Subsection "Sudoers Schema"
+In order to use \fBsudo\fR's \s-1LDAP\s0 support the \fBsudo\fR schema must be
+installled on your \s-1LDAP\s0 server. In addition, be sure to index the
+attribute 'sudoUser'.
+.PP
+Two versions of the schema, one for OpenLDAP servers and another
+for netscape-derived servers, may also be found in the \fBsudo\fR
+distribution. The schema for \fBsudo\fR in OpenLDAP form appears
+below.
+.PP
+.Vb 6
+\& attributetype ( 1.3.6.1.4.1.15953.9.1.1
+\& NAME 'sudoUser'
+\& DESC 'User(s) who may run sudo'
+\& EQUALITY caseExactIA5Match
+\& SUBSTR caseExactIA5SubstringsMatch
+\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+.Ve
+.PP
+.Vb 6
+\& attributetype ( 1.3.6.1.4.1.15953.9.1.2
+\& NAME 'sudoHost'
+\& DESC 'Host(s) who may run sudo'
+\& EQUALITY caseExactIA5Match
+\& SUBSTR caseExactIA5SubstringsMatch
+\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+.Ve
+.PP
+.Vb 5
+\& attributetype ( 1.3.6.1.4.1.15953.9.1.3
+\& NAME 'sudoCommand'
+\& DESC 'Command(s) to be executed by sudo'
+\& EQUALITY caseExactIA5Match
+\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+.Ve
+.PP
+.Vb 5
+\& attributetype ( 1.3.6.1.4.1.15953.9.1.4
+\& NAME 'sudoRunAs'
+\& DESC 'User(s) impersonated by sudo'
+\& EQUALITY caseExactIA5Match
+\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+.Ve
+.PP
+.Vb 5
+\& attributetype ( 1.3.6.1.4.1.15953.9.1.5
+\& NAME 'sudoOption'
+\& DESC 'Options(s) followed by sudo'
+\& EQUALITY caseExactIA5Match
+\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+.Ve
+.PP
+.Vb 5
+\& attributetype ( 1.3.6.1.4.1.15953.9.1.6
+\& NAME 'sudoRunAsUser'
+\& DESC 'User(s) impersonated by sudo'
+\& EQUALITY caseExactIA5Match
+\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+.Ve
+.PP
+.Vb 5
+\& attributetype ( 1.3.6.1.4.1.15953.9.1.7
+\& NAME 'sudoRunAsGroup'
+\& DESC 'Group(s) impersonated by sudo'
+\& EQUALITY caseExactIA5Match
+\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+.Ve
+.PP
+.Vb 6
+\& objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
+\& DESC 'Sudoer Entries'
+\& MUST ( cn )
+\& MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
+\& sudoRunAsGroup $ sudoOption $ description )
+\& )
+.Ve
+.Sh "Configuring ldap.conf"
+.IX Subsection "Configuring ldap.conf"
+Sudo reads the \fI/etc/ldap.conf\fR file for LDAP-specific configuration.
+Typically, this file is shared amongst different LDAP-aware clients.
+As such, most of the settings are not \fBsudo\fR\-specific. Note that
+\&\fBsudo\fR parses \fI/etc/ldap.conf\fR itself and may support options
+that differ from those described in the \fIldap.conf\fR\|(4) manual.
+.PP
+Also note that on systems using the OpenLDAP libraries, default
+values specified in \fI/etc/openldap/ldap.conf\fR or the user's
+\&\fI.ldaprc\fR files are not used.
+.PP
+Only those options explicitly listed in \fI/etc/ldap.conf\fR that are
+supported by \fBsudo\fR are honored. Configuration options are listed
+below in upper case but are parsed in a case-independent manner.
+.IP "\s-1URI\s0 ldap[s]://[hostname[:port]] ..." 4
+.IX Item "URI ldap[s]://[hostname[:port]] ..."
+Specifies a whitespace-delimited list of one or more URIs describing
+the \s-1LDAP\s0 server(s) to connect to. The \fIprotocol\fR may be either \fBldap\fR
+or \fBldaps\fR, the latter being for servers that support \s-1TLS\s0 (\s-1SSL\s0)
+encryption. If no \fIport\fR is specified, the default is port 389 for
+\&\f(CW\*(C`ldap://\*(C'\fR or port 636 for \f(CW\*(C`ldaps://\*(C'\fR. If no \fIhostname\fR is specified,
+\&\fBsudo\fR will connect to \fBlocalhost\fR. Only systems using the OpenSSL
+libraries support the mixing of \f(CW\*(C`ldap://\*(C'\fR and \f(CW\*(C`ldaps://\*(C'\fR URIs.
+The netscape-derived libraries used on most commercial versions of
+Unix are only capable of supporting one or the other.
+.IP "\s-1HOST\s0 name[:port] ..." 4
+.IX Item "HOST name[:port] ..."
+If no \fB\s-1URI\s0\fR is specified, the \fB\s-1HOST\s0\fR parameter specifies a
+whitespace-delimited list of \s-1LDAP\s0 servers to connect to. Each host
+may include an optional \fIport\fR separated by a colon (':'). The
+\&\fB\s-1HOST\s0\fR parameter is deprecated in favor of the \fB\s-1URI\s0\fR specification
+and is included for backwards compatibility.
+.IP "\s-1PORT\s0 port_number" 4
+.IX Item "PORT port_number"
+If no \fB\s-1URI\s0\fR is specified, the \fB\s-1PORT\s0\fR parameter specifies the
+default port to connect to on the \s-1LDAP\s0 server if a \fB\s-1HOST\s0\fR parameter
+does not specify the port itself. If no \fB\s-1PORT\s0\fR parameter is used,
+the default is port 389 for \s-1LDAP\s0 and port 636 for \s-1LDAP\s0 over \s-1TLS\s0
+(\s-1SSL\s0). The \fB\s-1PORT\s0\fR parameter is deprecated in favor of the \fB\s-1URI\s0\fR
+specification and is included for backwards compatibility.
+.IP "\s-1BIND_TIMELIMIT\s0 seconds" 4
+.IX Item "BIND_TIMELIMIT seconds"
+The \fB\s-1BIND_TIMELIMIT\s0\fR parameter specifies the amount of time, in seconds,
+to wait while trying to connect to an \s-1LDAP\s0 server. If multiple \fB\s-1URI\s0\fRs or
+\&\fB\s-1HOST\s0\fRs are specified, this is the amount of time to wait before trying
+the next one in the list.
+.IP "\s-1SUDOERS_BASE\s0 base" 4
+.IX Item "SUDOERS_BASE base"
+The base \s-1DN\s0 to use when performing \fBsudo\fR \s-1LDAP\s0 lookups. Typically
+this is of the form \f(CW\*(C`ou=SUDOers,dc=example,dc=com\*(C'\fR for the domain
+\&\f(CW\*(C`example.com\*(C'\fR.
+.IP "\s-1SUDOERS_DEBUG\s0 debug_level" 4
+.IX Item "SUDOERS_DEBUG debug_level"
+This sets the debug level for \fBsudo\fR \s-1LDAP\s0 lookups. Debuging
+information is printed to the standard error. A value of 1 results
+in a moderate amount of debugging information. A value of 2 shows
+the results of the matches themselves. This parameter should not
+be set in a production environment as the extra information is
+likely to confuse users.
+.IP "\s-1BINDDN\s0 \s-1DN\s0" 4
+.IX Item "BINDDN DN"
+The \fB\s-1BINDDN\s0\fR parameter specifies the identity, in the form of a
+Distinguished Name (\s-1DN\s0), to use when performing \s-1LDAP\s0 operations.
+If not specified, \s-1LDAP\s0 operations are performed with an anonymous
+identity. By default, most \s-1LDAP\s0 servers will allow anonymous access.
+.IP "\s-1BINDPW\s0 secret" 4
+.IX Item "BINDPW secret"
+The \fB\s-1BINDPW\s0\fR parameter specifies the password to use when performing
+\&\s-1LDAP\s0 operations. This is typically used in conjunction with the
+\&\fB\s-1BINDDN\s0\fR parameter.
+.IP "\s-1ROOTBINDDN\s0 \s-1DN\s0" 4
+.IX Item "ROOTBINDDN DN"
+The \fB\s-1ROOTBINDDN\s0\fR parameter specifies the identity, in the form of
+a Distinguished Name (\s-1DN\s0), to use when performing privileged \s-1LDAP\s0
+operations, such as \fIsudoers\fR lookups. The password corresponding
+to the identity should be stored in </etc/ldap.passwd>
+If not specified, the \fB\s-1BINDDN\s0\fR identity is used (if any).
+.IP "\s-1LDAP_VERSION\s0 number" 4
+.IX Item "LDAP_VERSION number"
+The version of the \s-1LDAP\s0 protocol to use when connecting to the server.
+The default value is protocol version 3.
+.IP "\s-1SSL\s0 on/true/yes/off/false/no" 4
+.IX Item "SSL on/true/yes/off/false/no"
+If the \fB\s-1SSL\s0\fR parameter is set to \f(CW\*(C`on\*(C'\fR, \f(CW\*(C`true\*(C'\fR or \f(CW\*(C`yes\*(C'\fR, \s-1TLS\s0
+(\s-1SSL\s0) encryption is always used when communicating with the \s-1LDAP\s0
+server. Typically, this involves connecting to the server on port
+636 (ldaps).
+.IP "\s-1SSL\s0 start_tls" 4
+.IX Item "SSL start_tls"
+If the \fB\s-1SSL\s0\fR parameter is set to \f(CW\*(C`start_tls\*(C'\fR, the \s-1LDAP\s0 server
+connection is initiated normally and \s-1TLS\s0 encryption is begun before
+the bind credentials are sent. This has the advantage of not
+requiring a dedicated port for encrypted communications. This
+parameter is only supported by \s-1LDAP\s0 servers that honor the \f(CW\*(C`start_tls\*(C'\fR
+extension, such as the OpenLDAP server.
+.IP "\s-1TLS_CHECKPEER\s0 on/true/yes/off/false/no" 4
+.IX Item "TLS_CHECKPEER on/true/yes/off/false/no"
+If enabled, \fB\s-1TLS_CHECKPEER\s0\fR will cause the \s-1LDAP\s0 server's \s-1TLS\s0
+certificated to be verified. If the server's \s-1TLS\s0 certificate cannot
+be verified (usually because it is signed by an unknown certificate
+authority), \fBsudo\fR will be unable to connect to it. If \fB\s-1TLS_CHECKPEER\s0\fR
+is disabled, no check is made.
+.IP "\s-1TLS_CACERTFILE\s0" 4
+.IX Item "TLS_CACERTFILE"
+.PD 0
+.IP "\s-1TLS_CACERTDIR\s0" 4
+.IX Item "TLS_CACERTDIR"
+.IP "\s-1TLS_RANDFILE\s0" 4
+.IX Item "TLS_RANDFILE"
+.IP "\s-1TLS_CIPHERS\s0" 4
+.IX Item "TLS_CIPHERS"
+.IP "\s-1TLS_CERT\s0" 4
+.IX Item "TLS_CERT"
+.IP "\s-1TLS_KEY\s0" 4
+.IX Item "TLS_KEY"
+.IP "\s-1USE_SASL\s0" 4
+.IX Item "USE_SASL"
+.IP "\s-1SASL_AUTH_ID\s0" 4
+.IX Item "SASL_AUTH_ID"
+.IP "\s-1ROOTUSE_SASL\s0" 4
+.IX Item "ROOTUSE_SASL"
+.IP "\s-1ROOTSASL_AUTH_ID\s0" 4
+.IX Item "ROOTSASL_AUTH_ID"
+.IP "\s-1SASL_SECPROPS\s0" 4
+.IX Item "SASL_SECPROPS"
+.IP "\s-1KRB5_CCNAME\s0" 4
+.IX Item "KRB5_CCNAME"
+.PD
+.Sh "Configuring nsswitch.conf"
+.IX Subsection "Configuring nsswitch.conf"
+Sudo consults the Name Service Switch file, \fI/etc/nsswitch.conf\fR,
+to specify the \fIsudoers\fR search order. Sudo looks for a line
+begining with \f(CW\*(C`sudoers:\*(C'\fR and uses this to determine the search
+order. Note that \fBsudo\fR does not stop searching after the first
+match and later matches take precedence over earlier ones.
+.PP
+The following sources are recognized.
+ files read sudoers from a file (usually \fI/etc/sudoers\fR)
+ ldap read sudoers from \s-1LDAP\s0
+.PP
+In addition, the entry \f(CW\*(C`[NOTFOUND=return]\*(C'\fR will short-circuit the
+search if the user was not found in the preceding source.
+.PP
+To consult \s-1LDAP\s0 first followed by the local sudoers file (if it
+exists), use:
+.PP
+.Vb 1
+\& sudoers: ldap files
+.Ve
+.PP
+The local \fIsudoers\fR file can be ignored completely by using:
+.PP
+.Vb 1
+\& sudoers: ldap
+.Ve
+.PP
+If the \fI/etc/nsswitch.conf\fR file is not present or there is no
+sudoers line, the following default is assumed:
+.PP
+.Vb 1
+\& sudoers: files
+.Ve
+.SH "FILES"
+.IX Header "FILES"
+.IP "\fI/etc/ldap.conf\fR" 24
+.IX Item "/etc/ldap.conf"
+\&\s-1LDAP\s0 configuration file
+.IP "\fI/etc/nsswitch.conf\fR" 24
+.IX Item "/etc/nsswitch.conf"
+determines sudoers source order
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+Example entries
+.PP
+Example ldap.conf
+.PP
+Debugging info
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fIldap.conf\fR\|(4), \fIsudoers\fR\|(4)
+.SH "CAVEATS"
+.IX Header "CAVEATS"
+parsing differences between \s-1LDAP\s0 and file sudoers
+.SH "BUGS"
+.IX Header "BUGS"
+If you feel you have found a bug in \fBsudo\fR, please submit a bug report
+at http://www.sudo.ws/sudo/bugs/
+.SH "SUPPORT"
+.IX Header "SUPPORT"
+Limited free support is available via the sudo-users mailing list,
+see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
+search the archives.
+.SH "DISCLAIMER"
+.IX Header "DISCLAIMER"
+\&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
+including, but not limited to, the implied warranties of merchantability
+and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0
+file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
+for complete details.
--- /dev/null
+=cut
+Copyright (c) 2003-2008
+ Todd C. Miller <Todd.Miller@courtesan.com>
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+$Sudo$
+=pod
+
+=head1 NAME
+
+sudoers.ldap - sudo LDAP configuration
+
+=head1 DESCRIPTION
+
+In addition to the standard I<sudoers> file, B<sudo> may be configured
+via LAP. This can be especially useful for syncronizing I<sudoers>
+in a large, distributed environment.
+
+Using LDAP for I<sudoers> has several benefits:
+
+=over 4
+
+=item *
+
+B<sudo> no longer needs to read I<sudoers> in its entirety. Parsing
+of F</etc/sudoers> requires the entire file to be read. When LDAP
+is used, there are only two or three LDAP queries per invocation.
+This makes it especially fast and particularly usable in LDAP
+environments. The first query is to parse global options (see
+below). The second is to match against the user's name and the
+groups that the user belongs to. (The special ALL tag is matched
+in this query too.) If no match is returned for the user's name
+and groups, a third query returns all entries contain user netgroups
+and checks to see if the user belongs to any of them.
+
+=item *
+
+B<sudo> no longer exits if there is a typo in I<sudoers>.
+It is not possible to load LDAP data into the server that does
+not conform to the sudoers schema, so proper syntax is guaranteed.
+It is still possible to have typos in a user or host name, but
+this will not prevent B<sudo> from running.
+
+=item *
+
+Options inside of entries now override global default options.
+F</etc/sudoers> only supports default options and limited options
+associated with user/host/commands and aliases. The syntax is
+complicated and can be difficult for users to understand.
+
+Sudo first looks for an entry called C<cn=default> in the C<SUDOers>
+container. If found, the multi-valued C<sudoOption> attribute is
+parsed the same way the global C<Defaults> line in F</etc/sudoers>
+is parsed.
+
+If, on the second or third query, a response contains a sudoRole
+which matches against the user, host, and command, then the matched
+object is scanned for a additional options that override the top-level
+defaults. See the example LDAP content below for more information.
+
+=item *
+
+B<visudo> is no longer needed. B<visudo> provides locking and
+syntax checking of the F</etc/sudoers> file. Since LDAP updates
+are atomic, locking is no longer necessary. Because syntax is
+checked when the data is inserted into LDAP, there is no need
+for a specialized tool to check syntax.
+
+=item *
+
+Aliases are no longer needed. User, Host, and Cmnd Aliases were
+designed to simplify organization of I<sudoers> files and to
+improve readability. Since an LDAP I<sudoers> entry allows multiple
+values for each of its attributes, and since most LDAP browsers are
+graphical and easy to work with, these aliases are no longer
+needed.
+
+If you wish to specify a large number of users into an entry or
+wish to have similar entries with identical users, then either use
+groups or user netgroups. Alternately, they can all just be pasted
+into the LDAP record.
+
+If you need to specify a large number of hosts in an entry, use
+netgroups or IP address matches (10.2.3.4/255.255.0.0). Alternately,
+they can all just be pasted into the LDAP record.
+
+=back
+
+=head2 Differences between LDAP and non-LDAP sudoers
+
+There are some subtle differences in the way sudoers is handled
+once in LDAP. Probably the biggest is that according to the RFC,
+LDAP's ordering is arbitrary and you cannot expect that Attributes
+and Entries are returned in any order. If there are conflicting
+command rules on an entry, the negative takes precedence. This is
+called paranoid behavior (not necessarily the most specific match).
+
+Here is an example:
+
+ # /etc/sudoers:
+ # Allow all commands except shell
+ johnny ALL=(root) ALL,!/bin/sh
+ # Always allows all commands because ALL is matched last
+ puddles ALL=(root) !/bin/sh,ALL
+
+ # LDAP equivalent of Johnny
+ # Allows all commands except shell
+ dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
+ objectClass: sudoRole
+ objectClass: top
+ cn: role1
+ sudoUser: johnny
+ sudoHost: ALL
+ sudoCommand: ALL
+ sudoCommand: !/bin/sh
+
+ # LDAP equivalent of Puddles
+ # Notice that even though ALL comes last, it still behaves like
+ # role1 since the LDAP code assumes the more paranoid configuration
+ dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
+ objectClass: sudoRole
+ objectClass: top
+ cn: role2
+ sudoUser: puddles
+ sudoHost: ALL
+ sudoCommand: !/bin/sh
+ sudoCommand: ALL
+
+Another difference is that negations on the Host, User or Runas are
+currently ignorred. For example, the following attributes do not
+do what they might appear to do.
+
+ # does not match all but joe
+ # rather, does not match anyone
+ sudoUser: !joe
+
+ # does not match all but joe
+ # rather, matches everyone including Joe
+ sudoUser: ALL
+ sudoUser: !joe
+
+ # does not match all but web01
+ # rather, matches all hosts including web01
+ sudoHost: ALL
+ sudoHost: !web01
+
+=head2 Description of sudoRole
+
+The equivalent of a sudoer in LDAP is a 'sudoRole'. It contains
+sudoUser(s), sudoHost, sudoCommand and optional sudoOption(s),
+sudoRunAsUser(s) and sudoRunAsGroup(s).
+
+The following example allows users in group wheel to run any command
+on any host via B<sudo>:
+
+ dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
+ objectClass: top
+ objectClass: sudoRole
+ cn: %wheel
+ sudoUser: %wheel
+ sudoHost: ALL
+ sudoCommand: ALL
+
+=head2 Sudoers Schema
+
+In order to use B<sudo>'s LDAP support the B<sudo> schema must be
+installled on your LDAP server. In addition, be sure to index the
+attribute 'sudoUser'.
+
+Two versions of the schema, one for OpenLDAP servers and another
+for netscape-derived servers, may also be found in the B<sudo>
+distribution. The schema for B<sudo> in OpenLDAP form appears
+below.
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.1
+ NAME 'sudoUser'
+ DESC 'User(s) who may run sudo'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.2
+ NAME 'sudoHost'
+ DESC 'Host(s) who may run sudo'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.3
+ NAME 'sudoCommand'
+ DESC 'Command(s) to be executed by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.4
+ NAME 'sudoRunAs'
+ DESC 'User(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.5
+ NAME 'sudoOption'
+ DESC 'Options(s) followed by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.6
+ NAME 'sudoRunAsUser'
+ DESC 'User(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.7
+ NAME 'sudoRunAsGroup'
+ DESC 'Group(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
+ DESC 'Sudoer Entries'
+ MUST ( cn )
+ MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
+ sudoRunAsGroup $ sudoOption $ description )
+ )
+
+=head2 Configuring ldap.conf
+
+Sudo reads the F</etc/ldap.conf> file for LDAP-specific configuration.
+Typically, this file is shared amongst different LDAP-aware clients.
+As such, most of the settings are not B<sudo>-specific. Note that
+B<sudo> parses F</etc/ldap.conf> itself and may support options
+that differ from those described in the L<ldap.conf(4)> manual.
+
+Also note that on systems using the OpenLDAP libraries, default
+values specified in F</etc/openldap/ldap.conf> or the user's
+F<.ldaprc> files are not used.
+
+Only those options explicitly listed in F</etc/ldap.conf> that are
+supported by B<sudo> are honored. Configuration options are listed
+below in upper case but are parsed in a case-independent manner.
+
+=over 4
+
+=item URI ldap[s]://[hostname[:port]] ...
+
+Specifies a whitespace-delimited list of one or more URIs describing
+the LDAP server(s) to connect to. The I<protocol> may be either B<ldap>
+or B<ldaps>, the latter being for servers that support TLS (SSL)
+encryption. If no I<port> is specified, the default is port 389 for
+C<ldap://> or port 636 for C<ldaps://>. If no I<hostname> is specified,
+B<sudo> will connect to B<localhost>. Only systems using the OpenSSL
+libraries support the mixing of C<ldap://> and C<ldaps://> URIs.
+The netscape-derived libraries used on most commercial versions of
+Unix are only capable of supporting one or the other.
+
+=item HOST name[:port] ...
+
+If no B<URI> is specified, the B<HOST> parameter specifies a
+whitespace-delimited list of LDAP servers to connect to. Each host
+may include an optional I<port> separated by a colon (':'). The
+B<HOST> parameter is deprecated in favor of the B<URI> specification
+and is included for backwards compatibility.
+
+=item PORT port_number
+
+If no B<URI> is specified, the B<PORT> parameter specifies the
+default port to connect to on the LDAP server if a B<HOST> parameter
+does not specify the port itself. If no B<PORT> parameter is used,
+the default is port 389 for LDAP and port 636 for LDAP over TLS
+(SSL). The B<PORT> parameter is deprecated in favor of the B<URI>
+specification and is included for backwards compatibility.
+
+=item BIND_TIMELIMIT seconds
+
+The B<BIND_TIMELIMIT> parameter specifies the amount of time, in seconds,
+to wait while trying to connect to an LDAP server. If multiple B<URI>s or
+B<HOST>s are specified, this is the amount of time to wait before trying
+the next one in the list.
+
+=item SUDOERS_BASE base
+
+The base DN to use when performing B<sudo> LDAP lookups. Typically
+this is of the form C<ou=SUDOers,dc=example,dc=com> for the domain
+C<example.com>.
+
+=item SUDOERS_DEBUG debug_level
+
+This sets the debug level for B<sudo> LDAP lookups. Debuging
+information is printed to the standard error. A value of 1 results
+in a moderate amount of debugging information. A value of 2 shows
+the results of the matches themselves. This parameter should not
+be set in a production environment as the extra information is
+likely to confuse users.
+
+=item BINDDN DN
+
+The B<BINDDN> parameter specifies the identity, in the form of a
+Distinguished Name (DN), to use when performing LDAP operations.
+If not specified, LDAP operations are performed with an anonymous
+identity. By default, most LDAP servers will allow anonymous access.
+
+=item BINDPW secret
+
+The B<BINDPW> parameter specifies the password to use when performing
+LDAP operations. This is typically used in conjunction with the
+B<BINDDN> parameter.
+
+=item ROOTBINDDN DN
+
+The B<ROOTBINDDN> parameter specifies the identity, in the form of
+a Distinguished Name (DN), to use when performing privileged LDAP
+operations, such as I<sudoers> lookups. The password corresponding
+to the identity should be stored in </etc/ldap.passwd>
+If not specified, the B<BINDDN> identity is used (if any).
+
+=item LDAP_VERSION number
+
+The version of the LDAP protocol to use when connecting to the server.
+The default value is protocol version 3.
+
+=item SSL on/true/yes/off/false/no
+
+If the B<SSL> parameter is set to C<on>, C<true> or C<yes>, TLS
+(SSL) encryption is always used when communicating with the LDAP
+server. Typically, this involves connecting to the server on port
+636 (ldaps).
+
+=item SSL start_tls
+
+If the B<SSL> parameter is set to C<start_tls>, the LDAP server
+connection is initiated normally and TLS encryption is begun before
+the bind credentials are sent. This has the advantage of not
+requiring a dedicated port for encrypted communications. This
+parameter is only supported by LDAP servers that honor the C<start_tls>
+extension, such as the OpenLDAP server.
+
+=item TLS_CHECKPEER on/true/yes/off/false/no
+
+If enabled, B<TLS_CHECKPEER> will cause the LDAP server's TLS
+certificated to be verified. If the server's TLS certificate cannot
+be verified (usually because it is signed by an unknown certificate
+authority), B<sudo> will be unable to connect to it. If B<TLS_CHECKPEER>
+is disabled, no check is made.
+
+=item TLS_CACERTFILE
+
+=item TLS_CACERTDIR
+
+=item TLS_RANDFILE
+
+=item TLS_CIPHERS
+
+=item TLS_CERT
+
+=item TLS_KEY
+
+=item USE_SASL
+
+=item SASL_AUTH_ID
+
+=item ROOTUSE_SASL
+
+=item ROOTSASL_AUTH_ID
+
+=item SASL_SECPROPS
+
+=item KRB5_CCNAME
+
+=back
+
+=head2 Configuring nsswitch.conf
+
+Sudo consults the Name Service Switch file, F</etc/nsswitch.conf>,
+to specify the I<sudoers> search order. Sudo looks for a line
+begining with C<sudoers:> and uses this to determine the search
+order. Note that B<sudo> does not stop searching after the first
+match and later matches take precedence over earlier ones.
+
+The following sources are recognized.
+ files read sudoers from a file (usually F</etc/sudoers>)
+ ldap read sudoers from LDAP
+
+In addition, the entry C<[NOTFOUND=return]> will short-circuit the
+search if the user was not found in the preceding source.
+
+To consult LDAP first followed by the local sudoers file (if it
+exists), use:
+
+ sudoers: ldap files
+
+The local I<sudoers> file can be ignored completely by using:
+
+ sudoers: ldap
+
+If the F</etc/nsswitch.conf> file is not present or there is no
+sudoers line, the following default is assumed:
+
+ sudoers: files
+
+=head1 FILES
+
+=over 24
+
+=item F</etc/ldap.conf>
+
+LDAP configuration file
+
+=item F</etc/nsswitch.conf>
+
+determines sudoers source order
+
+=back
+
+=head1 EXAMPLES
+
+Example entries
+
+Example ldap.conf
+
+Debugging info
+
+=head1 SEE ALSO
+
+L<ldap.conf(4)>, L<sudoers(4)>
+
+=head1 CAVEATS
+
+parsing differences between LDAP and file sudoers
+
+=head1 BUGS
+
+If you feel you have found a bug in B<sudo>, please submit a bug report
+at http://www.sudo.ws/sudo/bugs/
+
+=head1 SUPPORT
+
+Limited free support is available via the sudo-users mailing list,
+see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
+search the archives.
+
+=head1 DISCLAIMER
+
+B<sudo> is provided ``AS IS'' and any express or implied warranties,
+including, but not limited to, the implied warranties of merchantability
+and fitness for a particular purpose are disclaimed. See the LICENSE
+file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
+for complete details.
projects / sudo / commitdiff