editing.
D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
In addition to the standard _\bs_\bu_\bd_\bo_\be_\br_\bs file, s\bsu\bud\bdo\bo may be con-
figured via LAP. This can be especially useful for syn-
- cronizing _\bs_\bu_\bd_\bo_\be_\br_\bs in a large, distributed environment.
+ chronizing _\bs_\bu_\bd_\bo_\be_\br_\bs in a large, distributed environment.
Using LDAP for _\bs_\bu_\bd_\bo_\be_\br_\bs has several benefits:
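Review bot: the typo fix on the "chronizing" line leaves the adjacent "LAP" in "configured via LAP" (the context line just above it) unfixed; since this hunk already rewrites the sentence, change it to "LDAP" here and in the man source, where the same sentence still reads `via \s-1LAP\s0.`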
(10.2.3.4/255.255.0.0). Alternately, they can all
just be pasted into the LDAP record.
+ S\bSU\bUD\bDO\bOe\ber\brs\bs L\bLD\bDA\bAP\bP c\bco\bon\bnt\bta\bai\bin\bne\ber\br
+
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs configuration is contained in the ou=SUDOers
+ LDAP container.
+
+ Sudo first looks for the cn=default entry in the SUDOers
+ container. If found, the multi-valued sudoOption
+ attribute is parsed in the same manner as a global
+ Defaults line in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. In the following example,
+ the SSH_AUTH_SOCK variable will be preserved in the envi-
+ ronment for all users.
+
+ dn: cn=defaults,ou=SUDOers,dc=example,dc=com
+ objectClass: top
+ objectClass: sudoRole
+ cn: defaults
+ description: Default sudoOption's go here
+ sudoOption: env_keep+=SSH_AUTH_SOCK
+
+ The equivalent of a sudoer in LDAP is a sudoRole. It con-
+ sists of the following components:
+
+ sudoUser
+ A user name, uid (prefixed with '#'), Unix group (pre-
+ fixed with a '%') or user netgroup (prefixed with a
+ '+').
+
+ sudoHost
+ A host name, IP address, IP network, or host netgroup
+ (prefixed with a '+'). The special value ALL will
+ match any host.
+
+ sudoCommand
+ A Unix command with optional command line arguments,
+ potentially including globbing characters (aka wild
+
+
+
+1.7 January 19, 2008 2
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
+ cards). The special value ALL will match any command.
+
+ sudoOption
+ Similar to the global options described above, but
+ specific to the sudoRole in which it resides.
+
+ sudoRunAsUser
+ A user name or uid (prefixed with '#') that commands
+ may be run as or a Unix group (prefixed with a '%') or
+ user netgroup (prefixed with a '+') that contains a
+ list of users that commands may be run as. The spe-
+ cial value ALL will match any user.
+
+ sudoRunAsGroup
+ A Unix group or gid (prefixed with '#') that commands
+ may be run as. The special value ALL will match any
+ group.
+
+ Each entry listed above contains a single value, but may
+ be repeated multiple times. A sudoRole must contain at
+ least one sudoUser, sudoHost and sudoCommand.
+
+ The following example allows users in group wheel to run
+ any command on any host via s\bsu\bud\bdo\bo:
+
+ dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
+ objectClass: top
+ objectClass: sudoRole
+ cn: %wheel
+ sudoUser: %wheel
+ sudoHost: ALL
+ sudoCommand: ALL
+
D\bDi\bif\bff\bfe\ber\bre\ben\bnc\bce\bes\bs b\bbe\bet\btw\bwe\bee\ben\bn L\bLD\bDA\bAP\bP a\ban\bnd\bd n\bno\bon\bn-\b-L\bLD\bDA\bAP\bP s\bsu\bud\bdo\boe\ber\brs\bs
There are some subtle differences in the way sudoers is
Here is an example:
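Review bot: the new container text says sudo looks for the `cn=default` entry, but the example right below it uses `dn: cn=defaults,ou=SUDOers,dc=example,dc=com` and `cn: defaults`; the two must agree (the man source copy has the same `cn=default` / `cn=defaults` mismatch), and because the administrator has to create this entry by hand the exact name matters. Two smaller points in the same hunk: "Default sudoOption's go here" should be "Default sudoOptions go here", and "Each entry listed above contains a single value, but may be repeated" describes attributes of a sudoRole, not entries, so say "Each attribute listed above".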
- # /etc/sudoers:
- # Allow all commands except shell
- johnny ALL=(root) ALL,!/bin/sh
- # Always allows all commands because ALL is matched last
- puddles ALL=(root) !/bin/sh,ALL
+ # /etc/sudoers:
+ # Allow all commands except shell
+ johnny ALL=(root) ALL,!/bin/sh
+ # Always allows all commands because ALL is matched last
+ puddles ALL=(root) !/bin/sh,ALL
- # LDAP equivalent of Johnny
- # Allows all commands except shell
- dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
- objectClass: sudoRole
- objectClass: top
- cn: role1
- sudoUser: johnny
- sudoHost: ALL
- sudoCommand: ALL
- sudoCommand: !/bin/sh
-
-
-
-
-1.7 January 19, 2008 2
+1.7 January 19, 2008 3
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- # LDAP equivalent of Puddles
- # Notice that even though ALL comes last, it still behaves like
- # role1 since the LDAP code assumes the more paranoid configuration
- dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
- objectClass: sudoRole
- objectClass: top
- cn: role2
- sudoUser: puddles
- sudoHost: ALL
- sudoCommand: !/bin/sh
- sudoCommand: ALL
+ # LDAP equivalent of Johnny
+ # Allows all commands except shell
+ dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
+ objectClass: sudoRole
+ objectClass: top
+ cn: role1
+ sudoUser: johnny
+ sudoHost: ALL
+ sudoCommand: ALL
+ sudoCommand: !/bin/sh
+
+ # LDAP equivalent of Puddles
+ # Notice that even though ALL comes last, it still behaves like
+ # role1 since the LDAP code assumes the more paranoid configuration
+ dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
+ objectClass: sudoRole
+ objectClass: top
+ cn: role2
+ sudoUser: puddles
+ sudoHost: ALL
+ sudoCommand: !/bin/sh
+ sudoCommand: ALL
Another difference is that negations on the Host, User or
Runas are currently ignorred. For example, the following
attributes do not do what they might appear to do.
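Review bot: the base DN `ou=Sudoers,dc=my-domain,dc=com` in the role1/role2 entries should be aligned with `ou=SUDOers,dc=example,dc=com`, which every other example on the page uses, now that these lines are being touched anyway. The comment "the LDAP code assumes the more paranoid configuration" should state the rule the example illustrates: a negated sudoCommand value that matches takes precedence no matter where it appears among the sudoCommand values. The context line "Runas are currently ignorred" also needs "ignored".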
- # does not match all but joe
- # rather, does not match anyone
- sudoUser: !joe
-
- # does not match all but joe
- # rather, matches everyone including Joe
- sudoUser: ALL
- sudoUser: !joe
+ # does not match all but joe
+ # rather, does not match anyone
+ sudoUser: !joe
- # does not match all but web01
- # rather, matches all hosts including web01
- sudoHost: ALL
- sudoHost: !web01
+ # does not match all but joe
+ # rather, matches everyone including Joe
+ sudoUser: ALL
+ sudoUser: !joe
- D\bDe\bes\bsc\bcr\bri\bip\bpt\bti\bio\bon\bn o\bof\bf s\bsu\bud\bdo\boR\bRo\bol\ble\be
+ # does not match all but web01
+ # rather, matches all hosts including web01
+ sudoHost: ALL
+ sudoHost: !web01
- The equivalent of a sudoer in LDAP is a 'sudoRole'. It
- contains sudoUser(s), sudoHost, sudoCommand and optional
- sudoOption(s), sudoRunAsUser(s) and sudoRunAsGroup(s).
+ S\bSu\bud\bdo\boe\ber\brs\bs S\bSc\bch\bhe\bem\bma\ba
- The following example allows users in group wheel to run
- any command on any host via s\bsu\bud\bdo\bo:
+ In order to use s\bsu\bud\bdo\bo's LDAP support, the s\bsu\bud\bdo\bo schema must
+ be installed on your LDAP server. In addition, be sure to
+ index the 'sudoUser' attribute.
- dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
- objectClass: top
- objectClass: sudoRole
- cn: %wheel
- sudoUser: %wheel
- sudoHost: ALL
- sudoCommand: ALL
+ Two versions of the schema, one for OpenLDAP servers
+ (_\bs_\bc_\bh_\be_\bm_\ba_\b._\bO_\bp_\be_\bn_\bL_\bD_\bA_\bP) and another for Netscape-derived servers
+ (_\bs_\bc_\bh_\be_\bm_\ba_\b._\bi_\bP_\bl_\ba_\bn_\be_\bt), may be found in the s\bsu\bud\bdo\bo distribution.
- S\bSu\bud\bdo\boe\ber\brs\bs S\bSc\bch\bhe\bem\bma\ba
+ The schema for s\bsu\bud\bdo\bo in OpenLDAP form is included below.
- In order to use s\bsu\bud\bdo\bo's LDAP support the s\bsu\bud\bdo\bo schema must
- be installled on your LDAP server. In addition, be sure
- to index the attribute 'sudoUser'.
- Two versions of the schema, one for OpenLDAP servers and
-1.7 January 19, 2008 3
+1.7 January 19, 2008 4
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- another for netscape-derived servers, may also be found in
- the s\bsu\bud\bdo\bo distribution. The schema for s\bsu\bud\bdo\bo in OpenLDAP
- form appears below.
-
attributetype ( 1.3.6.1.4.1.15953.9.1.1
NAME 'sudoUser'
DESC 'User(s) who may run sudo'
-1.7 January 19, 2008 4
+
+
+
+
+1.7 January 19, 2008 5
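Review bot: the negation examples show that `sudoUser: !joe` and `sudoHost: !web01` are silently ignored, and that `sudoUser: ALL` together with `sudoUser: !joe` matches everyone; since that is exactly the configuration an administrator writes expecting an exclusion, the paragraph should say plainly that a negated sudoUser, sudoHost or sudoRunAs value never excludes anything, and point to SUDOERS_DEBUG level 2 (which prints the match results) as the way to verify what a role really grants before relying on it.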
or port 636 for ldaps://. If no _\bh_\bo_\bs_\bt_\bn_\ba_\bm_\be is speci-
fied, s\bsu\bud\bdo\bo will connect to l\blo\boc\bca\bal\blh\bho\bos\bst\bt. Only systems
using the OpenSSL libraries support the mixing of
- ldap:// and ldaps:// URIs. The netscape-derived
+ ldap:// and ldaps:// URIs. The Netscape-derived
libraries used on most commercial versions of Unix are
only capable of supporting one or the other.
-1.7 January 19, 2008 5
+1.7 January 19, 2008 6
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ TIMELIMIT seconds
+ The T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT parameter specifies the amount of time,
+ in seconds, to wait for a response to an LDAP query.
+
SUDOERS_BASE base
- The base DN to use when performing s\bsu\bud\bdo\bo LDAP lookups.
+ The base DN to use when performing s\bsu\bud\bdo\bo LDAP queries.
Typically this is of the form ou=SUDOers,dc=exam-
ple,dc=com for the domain example.com.
SUDOERS_DEBUG debug_level
- This sets the debug level for s\bsu\bud\bdo\bo LDAP lookups.
- Debuging information is printed to the standard error.
- A value of 1 results in a moderate amount of debugging
- information. A value of 2 shows the results of the
- matches themselves. This parameter should not be set
- in a production environment as the extra information
- is likely to confuse users.
+ This sets the debug level for s\bsu\bud\bdo\bo LDAP queries.
+ Debugging information is printed to the standard
+ error. A value of 1 results in a moderate amount of
+ debugging information. A value of 2 shows the results
+ of the matches themselves. This parameter should not
+ be set in a production environment as the extra infor-
+ mation is likely to confuse users.
BINDDN DN
The B\bBI\bIN\bND\bDD\bDN\bN parameter specifies the identity, in the
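Review bot: the new TIMELIMIT entry gives no default and does not say what sudo does when the limit expires (whether the query counts as a failed lookup, i.e. no match); both belong here, because a timeout against the directory decides whether the user is refused. In the same hunk, the SUDOERS_DEBUG text warns only that the output may "confuse users"; since level 2 prints the results of the role matches to the invoking user's standard error, it also exposes policy details, which is a second reason not to leave it set in production.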
The R\bRO\bOO\bOT\bTB\bBI\bIN\bND\bDD\bDN\bN parameter specifies the identity, in
the form of a Distinguished Name (DN), to use when
performing privileged LDAP operations, such as _\bs_\bu_\bd_\bo_\be_\br_\bs
- lookups. The password corresponding to the identity
+ queries. The password corresponding to the identity
should be stored in </etc/ldap.passwd> If not speci-
fied, the B\bBI\bIN\bND\bDD\bDN\bN identity is used (if any).
If the S\bSS\bSL\bL parameter is set to start_tls, the LDAP
server connection is initiated normally and TLS
encryption is begun before the bind credentials are
- sent. This has the advantage of not requiring a dedi-
- cated port for encrypted communications. This parame-
- ter is only supported by LDAP servers that honor the
- start_tls extension, such as the OpenLDAP server.
-1.7 January 19, 2008 6
+1.7 January 19, 2008 7
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ sent. This has the advantage of not requiring a dedi-
+ cated port for encrypted communications. This parame-
+ ter is only supported by LDAP servers that honor the
+ start_tls extension, such as the OpenLDAP server.
+
TLS_CHECKPEER on/true/yes/off/false/no
If enabled, T\bTL\bLS\bS_\b_C\bCH\bHE\bEC\bCK\bKP\bPE\bEE\bER\bR will cause the LDAP server's
TLS certificated to be verified. If the server's TLS
be unable to connect to it. If T\bTL\bLS\bS_\b_C\bCH\bHE\bEC\bCK\bKP\bPE\bEE\bER\bR is dis-
abled, no check is made.
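Review bot: in the ROOTBINDDN paragraph the path comes out as `</etc/ldap.passwd>` with literal angle brackets and no sentence-ending period, which looks like an unprocessed formatting code; it should render as a plain italic path followed by a period. Since that file holds the privileged bind password, the paragraph should also say it must be readable only by root, mirroring the "Ensure the keyfile is only readable by root" tip in the example ldap.conf. The trailing context has "TLS certificated to be verified", which should read "TLS certificate".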
- TLS_CACERTFILE
- TLS_CACERTDIR
- TLS_RANDFILE
- TLS_CIPHERS
- TLS_CERT
- TLS_KEY
- USE_SASL
- SASL_AUTH_ID
- ROOTUSE_SASL
- ROOTSASL_AUTH_ID
- SASL_SECPROPS
- KRB5_CCNAME
+ TLS_CACERTFILE file name
+ The path to a certificate authority bundle which con-
+ tains the certificates for all the Certificate Author-
+ ities the client knows to be valid, e.g.
+ _\b/_\be_\bt_\bc_\b/_\bs_\bs_\bl_\b/_\bc_\ba_\b-_\bb_\bu_\bn_\bd_\bl_\be_\b._\bp_\be_\bm. This option is only supported
+ by the OpenLDAP libraries.
+
+ TLS_CACERTDIR directory
+ Similar to T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE but instead of a file, it is
+ a directory containing individual Certificate Author-
+ ity certificates, e.g. _\b/_\be_\bt_\bc_\b/_\bs_\bs_\bl_\b/_\bc_\be_\br_\bt_\bs. The directory
+ specified by T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTD\bDI\bIR\bR is checked after T\bTL\bLS\bS_\b_C\bCA\bAC\bC-\b-
+ E\bER\bRT\bTF\bFI\bIL\bLE\bE. This option is only supported by the OpenL-
+ DAP libraries.
+
+ TLS_CERT file name
+ The path to a file containing the client certificate
+ which can be used to authenticate the client to the
+ LDAP server.
+
+ OpenLDAP tls_cert /etc/ssl/client_cert.pem
+
+ Netscape-derived tls_cert /var/ldap/cert7.db
+
+ When using Netscape-derived libraries, this file may
+ also contain Certificate Authority certificates.
+
+ TLS_KEY file name
+ The path to a file containing the private key which
+ matches the certificate specified by T\bTL\bLS\bS_\b_C\bCE\bER\bRT\bT. The
+ private key must not be password-protected.
+
+ OpenLDAP tls_cert /etc/ssl/client_key.pem
+
+ Netscape-derived tls_cert /var/ldap/key3.db
+
+ TLS_RANDFILE file name
+ The T\bTL\bLS\bS_\b_R\bRA\bAN\bND\bDF\bFI\bIL\bLE\bE parameter specifies the path to an
+ entropy source for systems that lack a random device.
+ It is generally used in conjunction with _\bp_\br_\bn_\bg_\bd or _\be_\bg_\bd.
+ This option is only supported by the OpenLDAP
+
+
+
+1.7 January 19, 2008 8
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
+ libraries.
+
+ TLS_CIPHERS cipher list
+ The T\bTL\bLS\bS_\b_C\bCI\bIP\bPH\bHE\bER\bRS\bS parameter allows the administer to
+ restrict which encryption algorithms may be used for
+ TLS (SSL) connections. See the OpenSSL manual for a
+ list of valid ciphers. This option is only supported
+ by the OpenLDAP libraries.
+
+ USE_SASL on/true/yes/off/false/no
+ Enable U\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL for LDAP servers that support SASL
+ authentication.
+
+ SASL_AUTH_ID identity
+ The SASL user name to use when connecting to the LDAP
+ server. By default, s\bsu\bud\bdo\bo will use an anonymous con-
+ nection.
+
+ ROOTUSE_SASL on/true/yes/off/false/no
+ Enable R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL to enable SASL authentication when
+ connecting to an LDAP server from a privileged pro-
+ cess, such as s\bsu\bud\bdo\bo.
+
+ ROOTSASL_AUTH_ID identity
+ The SASL user name to use when R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL is
+ enabled.
+
+ SASL_SECPROPS none/properties
+ SASL security properties or _\bn_\bo_\bn_\be for no properties.
+ See the SASL programmer's manual for details.
+
+ KRB5_CCNAME file name
+ The path to the Kerberos 5 credential cache to use
+ when authenticating with the remote server.
+
+ See the ldap.conf entry in the EXAMPLES section.
C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg n\bns\bss\bsw\bwi\bit\btc\bch\bh.\b.c\bco\bon\bnf\bf
Sudo consults the Name Service Switch file, _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\b-
_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf, to specify the _\bs_\bu_\bd_\bo_\be_\br_\bs search order. Sudo
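Review bot: under TLS_KEY both sample lines are labelled `tls_cert` (`tls_cert /etc/ssl/client_key.pem` and `tls_cert /var/ldap/key3.db`) although they set the key file, so they must read `tls_key`, as the example ldap.conf in this same patch does (`tls_key /etc/certs/client_key.pem`); the man source copy has the identical copy-paste error. Also "allows the administer to restrict" under TLS_CIPHERS should be "administrator" in both files. Because TLS_KEY requires an unencrypted private key, the entry should state that the file must be readable only by root, as the example ldap.conf tip already says.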
- looks for a line begining with sudoers: and uses this to
+ looks for a line beginning with sudoers: and uses this to
determine the search order. Note that s\bsu\bud\bdo\bo does not stop
searching after the first match and later matches take
precedence over earlier ones.
- The following sources are recognized.
- files read sudoers from a file (usually _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs)
- ldap read sudoers from LDAP
+ The following sources are recognized:
+
+ files read sudoers from a file (usually F</etc/sudoers>)
+ ldap read sudoers from LDAP
In addition, the entry [NOTFOUND=return] will short-cir-
cuit the search if the user was not found in the preceding
source.
+
+
+1.7 January 19, 2008 9
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
To consult LDAP first followed by the local sudoers file
(if it exists), use:
sudoers: files
+ Note that _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf is supported even when the
+ underlying operating system does not use an nsswitch.conf
+ file.
+
F\bFI\bIL\bLE\bES\bS
_\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf LDAP configuration file
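Review bot: the new sources list renders the literal text `F</etc/sudoers>` ("usually F</etc/sudoers>"), so the POD `F<>` code is not being interpreted there, most likely because the list is a verbatim paragraph; write the plain path or move the list out of the verbatim block. The example under "To consult LDAP first followed by the local sudoers file" shows only `sudoers: files`, which would never consult LDAP; it needs `ldap` listed before `files`.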
+
+ _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf determines sudoers source order
+
+E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
+ X\bXX\bXX\bX n\bns\bss\bsw\bwi\bit\btc\bch\bh.\b.c\bco\bon\bnf\bf e\bex\bxa\bam\bmp\bpl\ble\be?\b?
+
+
+ X\bXX\bXX\bX s\bsu\bud\bdo\boe\ber\brs\bs l\bld\bdi\bif\bf e\bex\bxa\bam\bmp\bpl\ble\be?\b?
+
+
+ E\bEx\bxa\bam\bmp\bpl\ble\be l\bld\bda\bap\bp.\b.c\bco\bon\bnf\bf
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-1.7 January 19, 2008 7
+
+
+
+1.7 January 19, 2008 10
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf determines sudoers source order
+ # Either specify one or more URIs or one or more host:port pairs.
+ # If neither is specified sudo will default to localhost, port 389.
+ #
+ #host ldapserver
+ #host ldapserver1 ldapserver2:390
+ #
+ # Default port if host is specified without one, defaults to 389.
+ #port 389
+ #
+ # URI will override the host and port settings.
+ uri ldap://ldapserver
+ #uri ldaps://secureldapserver
+ #uri ldaps://secureldapserver ldap://ldapserver
+ #
+ # The amount of time, in seconds, to wait while trying to connect to
+ # an LDAP server.
+ bind_timelimit 30
+ #
+ # The amount of time, in seconds, to wait while performing an LDAP query.
+ timelimit 30
+ #
+ # must be set or sudo will ignore LDAP
+ sudoers_base ou=SUDOers,dc=example,dc=com
+ #
+ # verbose sudoers matching from ldap
+ #sudoers_debug 2
+ #
+ # optional proxy credentials
+ #binddn <who to search as>
+ #bindpw <password>
+ #rootbinddn <who to search as, uses /etc/ldap.passwd for bindpw>
+ #
+ # LDAP protocol version, defaults to 3
+ #ldap_version 3
+ #
+ # Define if you want to use an encrypted LDAP connection.
+ # Typically, you must also set the port to 636 (ldaps).
+ #ssl on
+ #
+ # Define if you want to use port 389 and switch to
+ # encryption before the bind credentials are sent.
+ # Only supported by LDAP servers that support the start_tls
+ # extension such as OpenLDAP.
+ #ssl start_tls
+ #
+ # Additional TLS options follow that allow tweaking of the
+ # SSL/TLS connection.
+ #
+ #tls_checkpeer yes # verify server SSL certificate
+ #tls_checkpeer no # ignore server SSL certificate
+ #
+ # If you enable tls_checkpeer, specify either tls_cacertfile
+ # or tls_cacertdir. Only supported when using OpenLDAP.
+ #
+
+
+
+1.7 January 19, 2008 11
+
-E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
- Example entries
- Example ldap.conf
- Debugging info
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
+ #tls_cacertfile /etc/certs/trusted_signers.pem
+ #tls_cacertdir /etc/certs
+ #
+ # For systems that don't have /dev/random
+ # use this along with PRNGD or EGD.pl to seed the
+ # random number pool to generate cryptographic session keys.
+ # Only supported when using OpenLDAP.
+ #
+ #tls_randfile /etc/egd-pool
+ #
+ # You may restrict which ciphers are used. Consult your SSL
+ # documentation for which options go here.
+ # Only supported when using OpenLDAP.
+ #
+ #tls_ciphers <cipher-list>
+ #
+ # Sudo can provide a client certificate when communicating to
+ # the LDAP server.
+ # Tips:
+ # * Enable both lines at the same time.
+ # * Do not password protect the key file.
+ # * Ensure the keyfile is only readable by root.
+ #
+ # For OpenLDAP:
+ #tls_cert /etc/certs/client_cert.pem
+ #tls_key /etc/certs/client_key.pem
+ #
+ # For SunONE or iPlanet LDAP, the file specified by tls_cert may
+ # contain CA certs and/or the client's cert. If the client's
+ # cert is included, tls_key should be specified as well.
+ # For backward compatibility, sslpath may be used in place of tls_cert.
+ #tls_cert /var/ldap/cert7.db
+ #tls_key /var/ldap/key3.db
+ #
+ # If using SASL authentication for LDAP (OpenSSL)
+ # use_sasl yes
+ # sasl_auth_id <SASL username>
+ # rootuse_sasl yes
+ # rootsasl_auth_id <SASL username for root access>
+ # sasl_secprops none
+ # krb5_ccname /etc/.ldapcache
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf(4), _\bs_\bu_\bd_\bo_\be_\br_\bs(4)
bug report at http://www.sudo.ws/sudo/bugs/
S\bSU\bUP\bPP\bPO\bOR\bRT\bT
- Limited free support is available via the sudo-users mail-
- ing list, see http://www.sudo.ws/mail-
+ Limited free support is available via the sudo-users
+
+
+
+1.7 January 19, 2008 12
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
+ mailing list, see http://www.sudo.ws/mail-
man/listinfo/sudo-users to subscribe or search the
archives.
-1.7 January 19, 2008 8
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+1.7 January 19, 2008 13
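Review bot: the EXAMPLES section now ships two placeholder headings in the rendered page ("XXX nsswitch.conf example?" and "XXX sudoers ldif example?"); either supply the examples or drop the headings before this goes out. In the example ldap.conf, the comment "If using SASL authentication for LDAP (OpenSSL)" presumably means OpenLDAP, matching the "Only supported when using OpenLDAP" comments elsewhere in the file, and the `#tls_checkpeer no` line deserves a comment that it disables server certificate verification entirely, as the TLS_CHECKPEER description says.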
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
In addition to the standard \fIsudoers\fR file, \fBsudo\fR may be configured
-via \s-1LAP\s0. This can be especially useful for syncronizing \fIsudoers\fR
+via \s-1LAP\s0. This can be especially useful for synchronizing \fIsudoers\fR
in a large, distributed environment.
.PP
Using \s-1LDAP\s0 for \fIsudoers\fR has several benefits:
If you need to specify a large number of hosts in an entry, use
netgroups or \s-1IP\s0 address matches (10.2.3.4/255.255.0.0). Alternately,
they can all just be pasted into the \s-1LDAP\s0 record.
+.Sh "SUDOers \s-1LDAP\s0 container"
+.IX Subsection "SUDOers LDAP container"
+The \fIsudoers\fR configuration is contained in the \f(CW\*(C`ou=SUDOers\*(C'\fR \s-1LDAP\s0
+container.
+.PP
+Sudo first looks for the \f(CW\*(C`cn=default\*(C'\fR entry in the SUDOers container.
+If found, the multi-valued \f(CW\*(C`sudoOption\*(C'\fR attribute is parsed in the
+same manner as a global \f(CW\*(C`Defaults\*(C'\fR line in \fI/etc/sudoers\fR. In
+the following example, the \f(CW\*(C`SSH_AUTH_SOCK\*(C'\fR variable will be preserved
+in the environment for all users.
+.PP
+.Vb 6
+\& dn: cn=defaults,ou=SUDOers,dc=example,dc=com
+\& objectClass: top
+\& objectClass: sudoRole
+\& cn: defaults
+\& description: Default sudoOption's go here
+\& sudoOption: env_keep+=SSH_AUTH_SOCK
+.Ve
+.PP
+The equivalent of a sudoer in \s-1LDAP\s0 is a \f(CW\*(C`sudoRole\*(C'\fR. It consists of
+the following components:
+.IP "sudoUser" 4
+.IX Item "sudoUser"
+A user name, uid (prefixed with \f(CW'#'\fR), Unix group (prefixed with
+a \f(CW'%'\fR) or user netgroup (prefixed with a \f(CW'+'\fR).
+.IP "sudoHost" 4
+.IX Item "sudoHost"
+A host name, \s-1IP\s0 address, \s-1IP\s0 network, or host netgroup (prefixed
+with a \f(CW'+'\fR).
+The special value \f(CW\*(C`ALL\*(C'\fR will match any host.
+.IP "sudoCommand" 4
+.IX Item "sudoCommand"
+A Unix command with optional command line arguments, potentially
+including globbing characters (aka wild cards).
+The special value \f(CW\*(C`ALL\*(C'\fR will match any command.
+.IP "sudoOption" 4
+.IX Item "sudoOption"
+Similar to the global options described above, but specific to the
+\&\f(CW\*(C`sudoRole\*(C'\fR in which it resides.
+.IP "sudoRunAsUser" 4
+.IX Item "sudoRunAsUser"
+A user name or uid (prefixed with \f(CW'#'\fR) that commands may be run
+as or a Unix group (prefixed with a \f(CW'%'\fR) or user netgroup (prefixed
+with a \f(CW'+'\fR) that contains a list of users that commands may be
+run as.
+The special value \f(CW\*(C`ALL\*(C'\fR will match any user.
+.IP "sudoRunAsGroup" 4
+.IX Item "sudoRunAsGroup"
+A Unix group or gid (prefixed with \f(CW'#'\fR) that commands may be run as.
+The special value \f(CW\*(C`ALL\*(C'\fR will match any group.
+.PP
+Each entry listed above contains a single value, but may be repeated
+multiple times. A sudoRole must contain at least one \f(CW\*(C`sudoUser\*(C'\fR,
+\&\f(CW\*(C`sudoHost\*(C'\fR and \f(CW\*(C`sudoCommand\*(C'\fR.
+.PP
+The following example allows users in group wheel to run any command
+on any host via \fBsudo\fR:
+.PP
+.Vb 7
+\& dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
+\& objectClass: top
+\& objectClass: sudoRole
+\& cn: %wheel
+\& sudoUser: %wheel
+\& sudoHost: ALL
+\& sudoCommand: ALL
+.Ve
.Sh "Differences between \s-1LDAP\s0 and non-LDAP sudoers"
.IX Subsection "Differences between LDAP and non-LDAP sudoers"
There are some subtle differences in the way sudoers is handled
Here is an example:
.PP
.Vb 5
-\& # /etc/sudoers:
-\& # Allow all commands except shell
-\& johnny ALL=(root) ALL,!/bin/sh
-\& # Always allows all commands because ALL is matched last
-\& puddles ALL=(root) !/bin/sh,ALL
+\& # /etc/sudoers:
+\& # Allow all commands except shell
+\& johnny ALL=(root) ALL,!/bin/sh
+\& # Always allows all commands because ALL is matched last
+\& puddles ALL=(root) !/bin/sh,ALL
.Ve
.PP
.Vb 10
-\& # LDAP equivalent of Johnny
-\& # Allows all commands except shell
-\& dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
-\& objectClass: sudoRole
-\& objectClass: top
-\& cn: role1
-\& sudoUser: johnny
-\& sudoHost: ALL
-\& sudoCommand: ALL
-\& sudoCommand: !/bin/sh
+\& # LDAP equivalent of Johnny
+\& # Allows all commands except shell
+\& dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
+\& objectClass: sudoRole
+\& objectClass: top
+\& cn: role1
+\& sudoUser: johnny
+\& sudoHost: ALL
+\& sudoCommand: ALL
+\& sudoCommand: !/bin/sh
.Ve
.PP
.Vb 11
-\& # LDAP equivalent of Puddles
-\& # Notice that even though ALL comes last, it still behaves like
-\& # role1 since the LDAP code assumes the more paranoid configuration
-\& dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
-\& objectClass: sudoRole
-\& objectClass: top
-\& cn: role2
-\& sudoUser: puddles
-\& sudoHost: ALL
-\& sudoCommand: !/bin/sh
-\& sudoCommand: ALL
+\& # LDAP equivalent of Puddles
+\& # Notice that even though ALL comes last, it still behaves like
+\& # role1 since the LDAP code assumes the more paranoid configuration
+\& dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
+\& objectClass: sudoRole
+\& objectClass: top
+\& cn: role2
+\& sudoUser: puddles
+\& sudoHost: ALL
+\& sudoCommand: !/bin/sh
+\& sudoCommand: ALL
.Ve
.PP
Another difference is that negations on the Host, User or Runas are
do what they might appear to do.
.PP
.Vb 3
-\& # does not match all but joe
-\& # rather, does not match anyone
-\& sudoUser: !joe
+\& # does not match all but joe
+\& # rather, does not match anyone
+\& sudoUser: !joe
.Ve
.PP
.Vb 4
-\& # does not match all but joe
-\& # rather, matches everyone including Joe
-\& sudoUser: ALL
-\& sudoUser: !joe
+\& # does not match all but joe
+\& # rather, matches everyone including Joe
+\& sudoUser: ALL
+\& sudoUser: !joe
.Ve
.PP
.Vb 4
-\& # does not match all but web01
-\& # rather, matches all hosts including web01
-\& sudoHost: ALL
-\& sudoHost: !web01
-.Ve
-.Sh "Description of sudoRole"
-.IX Subsection "Description of sudoRole"
-The equivalent of a sudoer in \s-1LDAP\s0 is a 'sudoRole'. It contains
-sudoUser(s), sudoHost, sudoCommand and optional sudoOption(s),
-sudoRunAsUser(s) and sudoRunAsGroup(s).
-.PP
-The following example allows users in group wheel to run any command
-on any host via \fBsudo\fR:
-.PP
-.Vb 7
-\& dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
-\& objectClass: top
-\& objectClass: sudoRole
-\& cn: %wheel
-\& sudoUser: %wheel
-\& sudoHost: ALL
-\& sudoCommand: ALL
+\& # does not match all but web01
+\& # rather, matches all hosts including web01
+\& sudoHost: ALL
+\& sudoHost: !web01
.Ve
.Sh "Sudoers Schema"
.IX Subsection "Sudoers Schema"
-In order to use \fBsudo\fR's \s-1LDAP\s0 support the \fBsudo\fR schema must be
-installled on your \s-1LDAP\s0 server. In addition, be sure to index the
-attribute 'sudoUser'.
+In order to use \fBsudo\fR's \s-1LDAP\s0 support, the \fBsudo\fR schema must be
+installed on your \s-1LDAP\s0 server. In addition, be sure to index the
+\&'sudoUser' attribute.
+.PP
+Two versions of the schema, one for OpenLDAP servers (\fIschema.OpenLDAP\fR)
+and another for Netscape-derived servers (\fIschema.iPlanet\fR), may
+be found in the \fBsudo\fR distribution.
.PP
-Two versions of the schema, one for OpenLDAP servers and another
-for netscape-derived servers, may also be found in the \fBsudo\fR
-distribution. The schema for \fBsudo\fR in OpenLDAP form appears
-below.
+The schema for \fBsudo\fR in OpenLDAP form is included below.
.PP
.Vb 6
\& attributetype ( 1.3.6.1.4.1.15953.9.1.1
\&\f(CW\*(C`ldap://\*(C'\fR or port 636 for \f(CW\*(C`ldaps://\*(C'\fR. If no \fIhostname\fR is specified,
\&\fBsudo\fR will connect to \fBlocalhost\fR. Only systems using the OpenSSL
libraries support the mixing of \f(CW\*(C`ldap://\*(C'\fR and \f(CW\*(C`ldaps://\*(C'\fR URIs.
-The netscape-derived libraries used on most commercial versions of
+The Netscape-derived libraries used on most commercial versions of
Unix are only capable of supporting one or the other.
.IP "\s-1HOST\s0 name[:port] ..." 4
.IX Item "HOST name[:port] ..."
to wait while trying to connect to an \s-1LDAP\s0 server. If multiple \fB\s-1URI\s0\fRs or
\&\fB\s-1HOST\s0\fRs are specified, this is the amount of time to wait before trying
the next one in the list.
+.IP "\s-1TIMELIMIT\s0 seconds" 4
+.IX Item "TIMELIMIT seconds"
+The \fB\s-1TIMELIMIT\s0\fR parameter specifies the amount of time, in seconds,
+to wait for a response to an \s-1LDAP\s0 query.
.IP "\s-1SUDOERS_BASE\s0 base" 4
.IX Item "SUDOERS_BASE base"
-The base \s-1DN\s0 to use when performing \fBsudo\fR \s-1LDAP\s0 lookups. Typically
+The base \s-1DN\s0 to use when performing \fBsudo\fR \s-1LDAP\s0 queries. Typically
this is of the form \f(CW\*(C`ou=SUDOers,dc=example,dc=com\*(C'\fR for the domain
\&\f(CW\*(C`example.com\*(C'\fR.
.IP "\s-1SUDOERS_DEBUG\s0 debug_level" 4
.IX Item "SUDOERS_DEBUG debug_level"
-This sets the debug level for \fBsudo\fR \s-1LDAP\s0 lookups. Debuging
+This sets the debug level for \fBsudo\fR \s-1LDAP\s0 queries. Debugging
information is printed to the standard error. A value of 1 results
in a moderate amount of debugging information. A value of 2 shows
the results of the matches themselves. This parameter should not
.IX Item "ROOTBINDDN DN"
The \fB\s-1ROOTBINDDN\s0\fR parameter specifies the identity, in the form of
a Distinguished Name (\s-1DN\s0), to use when performing privileged \s-1LDAP\s0
-operations, such as \fIsudoers\fR lookups. The password corresponding
+operations, such as \fIsudoers\fR queries. The password corresponding
to the identity should be stored in </etc/ldap.passwd>
If not specified, the \fB\s-1BINDDN\s0\fR identity is used (if any).
.IP "\s-1LDAP_VERSION\s0 number" 4
be verified (usually because it is signed by an unknown certificate
authority), \fBsudo\fR will be unable to connect to it. If \fB\s-1TLS_CHECKPEER\s0\fR
is disabled, no check is made.
-.IP "\s-1TLS_CACERTFILE\s0" 4
-.IX Item "TLS_CACERTFILE"
-.PD 0
-.IP "\s-1TLS_CACERTDIR\s0" 4
-.IX Item "TLS_CACERTDIR"
-.IP "\s-1TLS_RANDFILE\s0" 4
-.IX Item "TLS_RANDFILE"
-.IP "\s-1TLS_CIPHERS\s0" 4
-.IX Item "TLS_CIPHERS"
-.IP "\s-1TLS_CERT\s0" 4
-.IX Item "TLS_CERT"
-.IP "\s-1TLS_KEY\s0" 4
-.IX Item "TLS_KEY"
-.IP "\s-1USE_SASL\s0" 4
-.IX Item "USE_SASL"
-.IP "\s-1SASL_AUTH_ID\s0" 4
-.IX Item "SASL_AUTH_ID"
-.IP "\s-1ROOTUSE_SASL\s0" 4
-.IX Item "ROOTUSE_SASL"
-.IP "\s-1ROOTSASL_AUTH_ID\s0" 4
-.IX Item "ROOTSASL_AUTH_ID"
-.IP "\s-1SASL_SECPROPS\s0" 4
-.IX Item "SASL_SECPROPS"
-.IP "\s-1KRB5_CCNAME\s0" 4
-.IX Item "KRB5_CCNAME"
-.PD
+.IP "\s-1TLS_CACERTFILE\s0 file name" 4
+.IX Item "TLS_CACERTFILE file name"
+The path to a certificate authority bundle which contains the certificates
+for all the Certificate Authorities the client knows to be valid,
+e.g. \fI/etc/ssl/ca\-bundle.pem\fR.
+This option is only supported by the OpenLDAP libraries.
+.IP "\s-1TLS_CACERTDIR\s0 directory" 4
+.IX Item "TLS_CACERTDIR directory"
+Similar to \fB\s-1TLS_CACERTFILE\s0\fR but instead of a file, it is a
+directory containing individual Certificate Authority certificates,
+e.g. \fI/etc/ssl/certs\fR.
+The directory specified by \fB\s-1TLS_CACERTDIR\s0\fR is checked after
+\&\fB\s-1TLS_CACERTFILE\s0\fR.
+This option is only supported by the OpenLDAP libraries.
+.IP "\s-1TLS_CERT\s0 file name" 4
+.IX Item "TLS_CERT file name"
+The path to a file containing the client certificate which can
+be used to authenticate the client to the \s-1LDAP\s0 server.
+.RS 4
+.IP "OpenLDAP" 18
+.IX Item "OpenLDAP"
+\&\f(CW\*(C`tls_cert /etc/ssl/client_cert.pem\*(C'\fR
+.IP "Netscape-derived" 18
+.IX Item "Netscape-derived"
+\&\f(CW\*(C`tls_cert /var/ldap/cert7.db\*(C'\fR
+.RE
+.RS 4
+.Sp
+When using Netscape-derived libraries, this file may also contain
+Certificate Authority certificates.
+.RE
+.IP "\s-1TLS_KEY\s0 file name" 4
+.IX Item "TLS_KEY file name"
+The path to a file containing the private key which matches the
+certificate specified by \fB\s-1TLS_CERT\s0\fR. The private key must not be
+password\-protected.
+.RS 4
+.IP "OpenLDAP" 18
+.IX Item "OpenLDAP"
+\&\f(CW\*(C`tls_cert /etc/ssl/client_key.pem\*(C'\fR
+.IP "Netscape-derived" 18
+.IX Item "Netscape-derived"
+\&\f(CW\*(C`tls_cert /var/ldap/key3.db\*(C'\fR
+.RE
+.RS 4
+.RE
+.IP "\s-1TLS_RANDFILE\s0 file name" 4
+.IX Item "TLS_RANDFILE file name"
+The \fB\s-1TLS_RANDFILE\s0\fR parameter specifies the path to an entropy
+source for systems that lack a random device. It is generally used
+in conjunction with \fIprngd\fR or \fIegd\fR.
+This option is only supported by the OpenLDAP libraries.
+.IP "\s-1TLS_CIPHERS\s0 cipher list" 4
+.IX Item "TLS_CIPHERS cipher list"
+The \fB\s-1TLS_CIPHERS\s0\fR parameter allows the administer to restrict
+which encryption algorithms may be used for \s-1TLS\s0 (\s-1SSL\s0) connections.
+See the OpenSSL manual for a list of valid ciphers.
+This option is only supported by the OpenLDAP libraries.
+.IP "\s-1USE_SASL\s0 on/true/yes/off/false/no" 4
+.IX Item "USE_SASL on/true/yes/off/false/no"
+Enable \fB\s-1USE_SASL\s0\fR for \s-1LDAP\s0 servers that support \s-1SASL\s0 authentication.
+.IP "\s-1SASL_AUTH_ID\s0 identity" 4
+.IX Item "SASL_AUTH_ID identity"
+The \s-1SASL\s0 user name to use when connecting to the \s-1LDAP\s0 server.
+By default, \fBsudo\fR will use an anonymous connection.
+.IP "\s-1ROOTUSE_SASL\s0 on/true/yes/off/false/no" 4
+.IX Item "ROOTUSE_SASL on/true/yes/off/false/no"
+Enable \fB\s-1ROOTUSE_SASL\s0\fR to enable \s-1SASL\s0 authentication when connecting
+to an \s-1LDAP\s0 server from a privileged process, such as \fBsudo\fR.
+.IP "\s-1ROOTSASL_AUTH_ID\s0 identity" 4
+.IX Item "ROOTSASL_AUTH_ID identity"
+The \s-1SASL\s0 user name to use when \fB\s-1ROOTUSE_SASL\s0\fR is enabled.
+.IP "\s-1SASL_SECPROPS\s0 none/properties" 4
+.IX Item "SASL_SECPROPS none/properties"
+\&\s-1SASL\s0 security properties or \fInone\fR for no properties. See the
+\&\s-1SASL\s0 programmer's manual for details.
+.IP "\s-1KRB5_CCNAME\s0 file name" 4
+.IX Item "KRB5_CCNAME file name"
+The path to the Kerberos 5 credential cache to use when authenticating
+with the remote server.
+.PP
+See the \f(CW\*(C`ldap.conf\*(C'\fR entry in the \s-1EXAMPLES\s0 section.
.Sh "Configuring nsswitch.conf"
.IX Subsection "Configuring nsswitch.conf"
Sudo consults the Name Service Switch file, \fI/etc/nsswitch.conf\fR,
to specify the \fIsudoers\fR search order. Sudo looks for a line
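Review bot: the two TLS_KEY examples in this hunk, `tls_cert /etc/ssl/client_key.pem` and `tls_cert /var/ldap/key3.db`, use the `tls_cert` keyword where `tls_key` is meant; an administrator who copies them ends up pointing tls_cert at the key file and never sets the key at all. They should read `tls_key /etc/ssl/client_key.pem` and `tls_key /var/ldap/key3.db`. Smaller points in the same hunk: the empty `.RS 4` / `.RE` pair after the TLS_KEY examples is a leftover and can go; "allows the administer to restrict" under TLS_CIPHERS should be "administrator"; and "Enable ROOTUSE_SASL to enable SASL authentication" repeats itself, something like "Set ROOTUSE_SASL to use SASL authentication when connecting to an LDAP server from a privileged process" reads better.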
-begining with \f(CW\*(C`sudoers:\*(C'\fR and uses this to determine the search
+beginning with \f(CW\*(C`sudoers:\*(C'\fR and uses this to determine the search
order. Note that \fBsudo\fR does not stop searching after the first
match and later matches take precedence over earlier ones.
.PP
-The following sources are recognized.
- files read sudoers from a file (usually \fI/etc/sudoers\fR)
- ldap read sudoers from \s-1LDAP\s0
+The following sources are recognized:
+.PP
+.Vb 2
+\& files read sudoers from a file (usually F</etc/sudoers>)
+\& ldap read sudoers from LDAP
+.Ve
.PP
In addition, the entry \f(CW\*(C`[NOTFOUND=return]\*(C'\fR will short-circuit the
search if the user was not found in the preceding source.
.Vb 1
\& sudoers: files
.Ve
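Review bot: `F</etc/sudoers>` inside the `.Vb 2` block in this hunk is POD markup that leaked into the roff output; formatting codes are not interpreted in verbatim paragraphs, so the rendered man page will literally show `F</etc/sudoers>`. The line it replaces had `\fI/etc/sudoers\fR`. Either use a plain `/etc/sudoers` in the verbatim block of the POD source, or keep the source list as a normal paragraph where `F<>` works.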
+.PP
+Note that \fI/etc/nsswitch.conf\fR is supported even when the underlying
+operating system does not use an nsswitch.conf file.
.SH "FILES"
.IX Header "FILES"
.IP "\fI/etc/ldap.conf\fR" 24
determines sudoers source order
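Review bot: the FILES entry right after this hunk still describes /etc/ldap.conf as "determines sudoers source order", but this hunk and the nsswitch.conf subsection above it make /etc/nsswitch.conf the file that determines the search order, while ldap.conf carries the LDAP connection settings. Suggest adding an `.IP "\fI/etc/nsswitch.conf\fR" 24` entry with that description and giving ldap.conf a description such as "LDAP configuration file".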
.SH "EXAMPLES"
.IX Header "EXAMPLES"
-Example entries
-.PP
-Example ldap.conf
-.PP
-Debugging info
+.Sh "\s-1XXX\s0 nsswitch.conf example?"
+.IX Subsection "XXX nsswitch.conf example?"
+.Sh "\s-1XXX\s0 sudoers ldif example?"
+.IX Subsection "XXX sudoers ldif example?"
+.Sh "Example ldap.conf"
+.IX Subsection "Example ldap.conf"
+.Vb 95
+\& # Either specify one or more URIs or one or more host:port pairs.
+\& # If neither is specified sudo will default to localhost, port 389.
+\& #
+\& #host ldapserver
+\& #host ldapserver1 ldapserver2:390
+\& #
+\& # Default port if host is specified without one, defaults to 389.
+\& #port 389
+\& #
+\& # URI will override the host and port settings.
+\& uri ldap://ldapserver
+\& #uri ldaps://secureldapserver
+\& #uri ldaps://secureldapserver ldap://ldapserver
+\& #
+\& # The amount of time, in seconds, to wait while trying to connect to
+\& # an LDAP server.
+\& bind_timelimit 30
+\& #
+\& # The amount of time, in seconds, to wait while performing an LDAP query.
+\& timelimit 30
+\& #
+\& # must be set or sudo will ignore LDAP
+\& sudoers_base ou=SUDOers,dc=example,dc=com
+\& #
+\& # verbose sudoers matching from ldap
+\& #sudoers_debug 2
+\& #
+\& # optional proxy credentials
+\& #binddn <who to search as>
+\& #bindpw <password>
+\& #rootbinddn <who to search as, uses /etc/ldap.passwd for bindpw>
+\& #
+\& # LDAP protocol version, defaults to 3
+\& #ldap_version 3
+\& #
+\& # Define if you want to use an encrypted LDAP connection.
+\& # Typically, you must also set the port to 636 (ldaps).
+\& #ssl on
+\& #
+\& # Define if you want to use port 389 and switch to
+\& # encryption before the bind credentials are sent.
+\& # Only supported by LDAP servers that support the start_tls
+\& # extension such as OpenLDAP.
+\& #ssl start_tls
+\& #
+\& # Additional TLS options follow that allow tweaking of the
+\& # SSL/TLS connection.
+\& #
+\& #tls_checkpeer yes # verify server SSL certificate
+\& #tls_checkpeer no # ignore server SSL certificate
+\& #
+\& # If you enable tls_checkpeer, specify either tls_cacertfile
+\& # or tls_cacertdir. Only supported when using OpenLDAP.
+\& #
+\& #tls_cacertfile /etc/certs/trusted_signers.pem
+\& #tls_cacertdir /etc/certs
+\& #
+\& # For systems that don't have /dev/random
+\& # use this along with PRNGD or EGD.pl to seed the
+\& # random number pool to generate cryptographic session keys.
+\& # Only supported when using OpenLDAP.
+\& #
+\& #tls_randfile /etc/egd-pool
+\& #
+\& # You may restrict which ciphers are used. Consult your SSL
+\& # documentation for which options go here.
+\& # Only supported when using OpenLDAP.
+\& #
+\& #tls_ciphers <cipher-list>
+\& #
+\& # Sudo can provide a client certificate when communicating to
+\& # the LDAP server.
+\& # Tips:
+\& # * Enable both lines at the same time.
+\& # * Do not password protect the key file.
+\& # * Ensure the keyfile is only readable by root.
+\& #
+\& # For OpenLDAP:
+\& #tls_cert /etc/certs/client_cert.pem
+\& #tls_key /etc/certs/client_key.pem
+\& #
+\& # For SunONE or iPlanet LDAP, the file specified by tls_cert may
+\& # contain CA certs and/or the client's cert. If the client's
+\& # cert is included, tls_key should be specified as well.
+\& # For backward compatibility, sslpath may be used in place of tls_cert.
+\& #tls_cert /var/ldap/cert7.db
+\& #tls_key /var/ldap/key3.db
+\& #
+\& # If using SASL authentication for LDAP (OpenSSL)
+\& # use_sasl yes
+\& # sasl_auth_id <SASL username>
+\& # rootuse_sasl yes
+\& # rootsasl_auth_id <SASL username for root access>
+\& # sasl_secprops none
+\& # krb5_ccname /etc/.ldapcache
+.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIldap.conf\fR\|(4), \fIsudoers\fR\|(4)
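Review bot: the `XXX nsswitch.conf example?` and `XXX sudoers ldif example?` subsection headings in this hunk are author to-do markers and will render in the installed man page as empty sections; the material for both already appears in this page (the `sudoers: files` line in the nsswitch.conf subsection and the `%wheel` LDIF in the DESCRIPTION), so fill them in or drop them before merging. Also, the comment `# If using SASL authentication for LDAP (OpenSSL)` in the example ldap.conf looks like it should say OpenLDAP: the surrounding comments consistently mark library-specific options as "Only supported when using OpenLDAP", and SASL binds are a feature of the LDAP library, not of OpenSSL.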
=head1 DESCRIPTION
In addition to the standard I<sudoers> file, B<sudo> may be configured
-via LAP. This can be especially useful for syncronizing I<sudoers>
+via LAP. This can be especially useful for synchronizing I<sudoers>
in a large, distributed environment.
Using LDAP for I<sudoers> has several benefits:
=back
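Review bot: this hunk fixes "syncronizing" but leaves "via LAP" on the same line; it should be "via LDAP". Since the roff page is generated from this POD source, fixing it here fixes the rendered page as well.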
+=head2 SUDOers LDAP container
+
+The I<sudoers> configuration is contained in the C<ou=SUDOers> LDAP
+container.
+
+Sudo first looks for the C<cn=default> entry in the SUDOers container.
+If found, the multi-valued C<sudoOption> attribute is parsed in the
+same manner as a global C<Defaults> line in F</etc/sudoers>. In
+the following example, the C<SSH_AUTH_SOCK> variable will be preserved
+in the environment for all users.
+
+ dn: cn=defaults,ou=SUDOers,dc=example,dc=com
+ objectClass: top
+ objectClass: sudoRole
+ cn: defaults
+ description: Default sudoOption's go here
+ sudoOption: env_keep+=SSH_AUTH_SOCK
+
+The equivalent of a sudoer in LDAP is a C<sudoRole>. It consists of
+the following components:
+
+=over 4
+
+=item sudoUser
+
+A user name, uid (prefixed with C<'#'>), Unix group (prefixed with
+a C<'%'>) or user netgroup (prefixed with a C<'+'>).
+
+=item sudoHost
+
+A host name, IP address, IP network, or host netgroup (prefixed
+with a C<'+'>).
+The special value C<ALL> will match any host.
+
+=item sudoCommand
+
+A Unix command with optional command line arguments, potentially
+including globbing characters (aka wild cards).
+The special value C<ALL> will match any command.
+
+=item sudoOption
+
+Similar to the global options described above, but specific to the
+C<sudoRole> in which it resides.
+
+=item sudoRunAsUser
+
+A user name or uid (prefixed with C<'#'>) that commands may be run
+as or a Unix group (prefixed with a C<'%'>) or user netgroup (prefixed
+with a C<'+'>) that contains a list of users that commands may be
+run as.
+The special value C<ALL> will match any user.
+
+=item sudoRunAsGroup
+
+A Unix group or gid (prefixed with C<'#'>) that commands may be run as.
+The special value C<ALL> will match any group.
+
+=back
+
+Each entry listed above contains a single value, but may be repeated
+multiple times. A sudoRole must contain at least one C<sudoUser>,
+C<sudoHost> and C<sudoCommand>.
+
+The following example allows users in group wheel to run any command
+on any host via B<sudo>:
+
+ dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
+ objectClass: top
+ objectClass: sudoRole
+ cn: %wheel
+ sudoUser: %wheel
+ sudoHost: ALL
+ sudoCommand: ALL
+
=head2 Differences between LDAP and non-LDAP sudoers
There are some subtle differences in the way sudoers is handled
Here is an example:
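Review bot: the prose in this hunk says sudo looks for the `cn=default` entry, but the LDIF example that follows uses `dn: cn=defaults,ou=SUDOers,dc=example,dc=com` and `cn: defaults`; one of the two is wrong, and an administrator who follows the prose form will create a global Defaults entry that sudo never reads. Pick one spelling and use it in both places. Minor: "Default sudoOption's go here" in the description attribute should be "sudoOptions".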
- # /etc/sudoers:
- # Allow all commands except shell
- johnny ALL=(root) ALL,!/bin/sh
- # Always allows all commands because ALL is matched last
- puddles ALL=(root) !/bin/sh,ALL
-
- # LDAP equivalent of Johnny
- # Allows all commands except shell
- dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
- objectClass: sudoRole
- objectClass: top
- cn: role1
- sudoUser: johnny
- sudoHost: ALL
- sudoCommand: ALL
- sudoCommand: !/bin/sh
-
- # LDAP equivalent of Puddles
- # Notice that even though ALL comes last, it still behaves like
- # role1 since the LDAP code assumes the more paranoid configuration
- dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
- objectClass: sudoRole
- objectClass: top
- cn: role2
- sudoUser: puddles
- sudoHost: ALL
- sudoCommand: !/bin/sh
- sudoCommand: ALL
+ # /etc/sudoers:
+ # Allow all commands except shell
+ johnny ALL=(root) ALL,!/bin/sh
+ # Always allows all commands because ALL is matched last
+ puddles ALL=(root) !/bin/sh,ALL
+
+ # LDAP equivalent of Johnny
+ # Allows all commands except shell
+ dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
+ objectClass: sudoRole
+ objectClass: top
+ cn: role1
+ sudoUser: johnny
+ sudoHost: ALL
+ sudoCommand: ALL
+ sudoCommand: !/bin/sh
+
+ # LDAP equivalent of Puddles
+ # Notice that even though ALL comes last, it still behaves like
+ # role1 since the LDAP code assumes the more paranoid configuration
+ dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
+ objectClass: sudoRole
+ objectClass: top
+ cn: role2
+ sudoUser: puddles
+ sudoHost: ALL
+ sudoCommand: !/bin/sh
+ sudoCommand: ALL
Another difference is that negations on the Host, User or Runas are
currently ignorred. For example, the following attributes do not
do what they might appear to do.
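Review bot: this hunk is a whitespace-only reindent of the example block (four spaces to two) and would be easier to review split out from the wording fixes elsewhere in the patch. While this area is being touched, the context line just below it, "negations on the Host, User or Runas are currently ignorred", has a typo ("ignored") that this spelling-fix patch could pick up.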
- # does not match all but joe
- # rather, does not match anyone
- sudoUser: !joe
+ # does not match all but joe
+ # rather, does not match anyone
+ sudoUser: !joe
- # does not match all but joe
- # rather, matches everyone including Joe
- sudoUser: ALL
- sudoUser: !joe
+ # does not match all but joe
+ # rather, matches everyone including Joe
+ sudoUser: ALL
+ sudoUser: !joe
- # does not match all but web01
- # rather, matches all hosts including web01
- sudoHost: ALL
- sudoHost: !web01
-
-=head2 Description of sudoRole
-
-The equivalent of a sudoer in LDAP is a 'sudoRole'. It contains
-sudoUser(s), sudoHost, sudoCommand and optional sudoOption(s),
-sudoRunAsUser(s) and sudoRunAsGroup(s).
-
-The following example allows users in group wheel to run any command
-on any host via B<sudo>:
-
- dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
- objectClass: top
- objectClass: sudoRole
- cn: %wheel
- sudoUser: %wheel
- sudoHost: ALL
- sudoCommand: ALL
+ # does not match all but web01
+ # rather, matches all hosts including web01
+ sudoHost: ALL
+ sudoHost: !web01
=head2 Sudoers Schema
-In order to use B<sudo>'s LDAP support the B<sudo> schema must be
-installled on your LDAP server. In addition, be sure to index the
-attribute 'sudoUser'.
+In order to use B<sudo>'s LDAP support, the B<sudo> schema must be
+installed on your LDAP server. In addition, be sure to index the
+'sudoUser' attribute.
-Two versions of the schema, one for OpenLDAP servers and another
-for netscape-derived servers, may also be found in the B<sudo>
-distribution. The schema for B<sudo> in OpenLDAP form appears
-below.
+Two versions of the schema, one for OpenLDAP servers (F<schema.OpenLDAP>)
+and another for Netscape-derived servers (F<schema.iPlanet>), may
+be found in the B<sudo> distribution.
+
+The schema for B<sudo> in OpenLDAP form is included below.
attributetype ( 1.3.6.1.4.1.15953.9.1.1
NAME 'sudoUser'
C<ldap://> or port 636 for C<ldaps://>. If no I<hostname> is specified,
B<sudo> will connect to B<localhost>. Only systems using the OpenSSL
libraries support the mixing of C<ldap://> and C<ldaps://> URIs.
-The netscape-derived libraries used on most commercial versions of
+The Netscape-derived libraries used on most commercial versions of
Unix are only capable of supporting one or the other.
=item HOST name[:port] ...
B<HOST>s are specified, this is the amount of time to wait before trying
the next one in the list.
+=item TIMELIMIT seconds
+
+The B<TIMELIMIT> parameter specifies the amount of time, in seconds,
+to wait for a response to an LDAP query.
+
=item SUDOERS_BASE base
-The base DN to use when performing B<sudo> LDAP lookups. Typically
+The base DN to use when performing B<sudo> LDAP queries. Typically
this is of the form C<ou=SUDOers,dc=example,dc=com> for the domain
C<example.com>.
=item SUDOERS_DEBUG debug_level
-This sets the debug level for B<sudo> LDAP lookups. Debuging
+This sets the debug level for B<sudo> LDAP queries. Debugging
information is printed to the standard error. A value of 1 results
in a moderate amount of debugging information. A value of 2 shows
the results of the matches themselves. This parameter should not
The B<ROOTBINDDN> parameter specifies the identity, in the form of
a Distinguished Name (DN), to use when performing privileged LDAP
-operations, such as I<sudoers> lookups. The password corresponding
+operations, such as I<sudoers> queries. The password corresponding
to the identity should be stored in </etc/ldap.passwd>
If not specified, the B<BINDDN> identity is used (if any).
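Review bot: the context line immediately after this hunk's change, "stored in </etc/ldap.passwd>", is missing the `F` of the `F<...>` formatting code and the sentence has no terminating period; since the hunk is already rewording this paragraph, make it `F</etc/ldap.passwd>.` so the path renders as a file name rather than a stray angle bracket.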
authority), B<sudo> will be unable to connect to it. If B<TLS_CHECKPEER>
is disabled, no check is made.
-=item TLS_CACERTFILE
+=item TLS_CACERTFILE file name
+
+The path to a certificate authority bundle which contains the certificates
+for all the Certificate Authorities the client knows to be valid,
+e.g. F</etc/ssl/ca-bundle.pem>.
+This option is only supported by the OpenLDAP libraries.
+
+=item TLS_CACERTDIR directory
+
+Similar to B<TLS_CACERTFILE> but instead of a file, it is a
+directory containing individual Certificate Authority certificates,
+e.g. F</etc/ssl/certs>.
+The directory specified by B<TLS_CACERTDIR> is checked after
+B<TLS_CACERTFILE>.
+This option is only supported by the OpenLDAP libraries.
+
+=item TLS_CERT file name
-=item TLS_CACERTDIR
+The path to a file containing the client certificate which can
+be used to authenticate the client to the LDAP server.
-=item TLS_RANDFILE
+=over 18
-=item TLS_CIPHERS
+=item OpenLDAP
-=item TLS_CERT
+C<tls_cert /etc/ssl/client_cert.pem>
+
+=item Netscape-derived
+
+C<tls_cert /var/ldap/cert7.db>
+
+=back
-=item TLS_KEY
+When using Netscape-derived libraries, this file may also contain
+Certificate Authority certificates.
-=item USE_SASL
+=item TLS_KEY file name
-=item SASL_AUTH_ID
+The path to a file containing the private key which matches the
+certificate specified by B<TLS_CERT>. The private key must not be
+password-protected.
-=item ROOTUSE_SASL
+=over 18
-=item ROOTSASL_AUTH_ID
+=item OpenLDAP
-=item SASL_SECPROPS
+C<tls_cert /etc/ssl/client_key.pem>
-=item KRB5_CCNAME
+=item Netscape-derived
+
+C<tls_cert /var/ldap/key3.db>
=back
+=item TLS_RANDFILE file name
+
+The B<TLS_RANDFILE> parameter specifies the path to an entropy
+source for systems that lack a random device. It is generally used
+in conjunction with I<prngd> or I<egd>.
+This option is only supported by the OpenLDAP libraries.
+
+=item TLS_CIPHERS cipher list
+
+The B<TLS_CIPHERS> parameter allows the administer to restrict
+which encryption algorithms may be used for TLS (SSL) connections.
+See the OpenSSL manual for a list of valid ciphers.
+This option is only supported by the OpenLDAP libraries.
+
+=item USE_SASL on/true/yes/off/false/no
+
+Enable B<USE_SASL> for LDAP servers that support SASL authentication.
+
+=item SASL_AUTH_ID identity
+
+The SASL user name to use when connecting to the LDAP server.
+By default, B<sudo> will use an anonymous connection.
+
+=item ROOTUSE_SASL on/true/yes/off/false/no
+
+Enable B<ROOTUSE_SASL> to enable SASL authentication when connecting
+to an LDAP server from a privileged process, such as B<sudo>.
+
+=item ROOTSASL_AUTH_ID identity
+
+The SASL user name to use when B<ROOTUSE_SASL> is enabled.
+
+=item SASL_SECPROPS none/properties
+
+SASL security properties or I<none> for no properties. See the
+SASL programmer's manual for details.
+
+=item KRB5_CCNAME file name
+
+The path to the Kerberos 5 credential cache to use when authenticating
+with the remote server.
+
+=back
+
+See the C<ldap.conf> entry in the L<EXAMPLES> section.
+
=head2 Configuring nsswitch.conf
Sudo consults the Name Service Switch file, F</etc/nsswitch.conf>,
to specify the I<sudoers> search order. Sudo looks for a line
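Review bot: the TLS_KEY examples in this hunk, `C<tls_cert /etc/ssl/client_key.pem>` and `C<tls_cert /var/ldap/key3.db>`, use the `tls_cert` keyword where `tls_key` is meant; this is the POD source of the same mistake in the generated roff above, so correcting it here fixes both. Two more points: `L<EXAMPLES>` at the end of the hunk is a link to a manual page named EXAMPLES rather than to the section in this page (pod2man rendered it as a bare "EXAMPLES" above), so use `L</EXAMPLES>` or `L<"EXAMPLES">`; and "allows the administer to restrict" should be "administrator". Consider also moving the example ldap.conf's tip "Ensure the keyfile is only readable by root" into the TLS_KEY description next to "must not be password-protected", since that is where an administrator reads the requirements for an unencrypted key.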
-begining with C<sudoers:> and uses this to determine the search
+beginning with C<sudoers:> and uses this to determine the search
order. Note that B<sudo> does not stop searching after the first
match and later matches take precedence over earlier ones.
-The following sources are recognized.
+The following sources are recognized:
+
files read sudoers from a file (usually F</etc/sudoers>)
ldap read sudoers from LDAP
sudoers: files
+Note that F</etc/nsswitch.conf> is supported even when the underlying
+operating system does not use an nsswitch.conf file.
+
=head1 FILES
=over 24
=head1 EXAMPLES
-Example entries
-
-Example ldap.conf
-
-Debugging info
+=head2 XXX nsswitch.conf example?
+
+=head2 XXX sudoers ldif example?
+
+=head2 Example ldap.conf
+
+ # Either specify one or more URIs or one or more host:port pairs.
+ # If neither is specified sudo will default to localhost, port 389.
+ #
+ #host ldapserver
+ #host ldapserver1 ldapserver2:390
+ #
+ # Default port if host is specified without one, defaults to 389.
+ #port 389
+ #
+ # URI will override the host and port settings.
+ uri ldap://ldapserver
+ #uri ldaps://secureldapserver
+ #uri ldaps://secureldapserver ldap://ldapserver
+ #
+ # The amount of time, in seconds, to wait while trying to connect to
+ # an LDAP server.
+ bind_timelimit 30
+ #
+ # The amount of time, in seconds, to wait while performing an LDAP query.
+ timelimit 30
+ #
+ # must be set or sudo will ignore LDAP
+ sudoers_base ou=SUDOers,dc=example,dc=com
+ #
+ # verbose sudoers matching from ldap
+ #sudoers_debug 2
+ #
+ # optional proxy credentials
+ #binddn <who to search as>
+ #bindpw <password>
+ #rootbinddn <who to search as, uses /etc/ldap.passwd for bindpw>
+ #
+ # LDAP protocol version, defaults to 3
+ #ldap_version 3
+ #
+ # Define if you want to use an encrypted LDAP connection.
+ # Typically, you must also set the port to 636 (ldaps).
+ #ssl on
+ #
+ # Define if you want to use port 389 and switch to
+ # encryption before the bind credentials are sent.
+ # Only supported by LDAP servers that support the start_tls
+ # extension such as OpenLDAP.
+ #ssl start_tls
+ #
+ # Additional TLS options follow that allow tweaking of the
+ # SSL/TLS connection.
+ #
+ #tls_checkpeer yes # verify server SSL certificate
+ #tls_checkpeer no # ignore server SSL certificate
+ #
+ # If you enable tls_checkpeer, specify either tls_cacertfile
+ # or tls_cacertdir. Only supported when using OpenLDAP.
+ #
+ #tls_cacertfile /etc/certs/trusted_signers.pem
+ #tls_cacertdir /etc/certs
+ #
+ # For systems that don't have /dev/random
+ # use this along with PRNGD or EGD.pl to seed the
+ # random number pool to generate cryptographic session keys.
+ # Only supported when using OpenLDAP.
+ #
+ #tls_randfile /etc/egd-pool
+ #
+ # You may restrict which ciphers are used. Consult your SSL
+ # documentation for which options go here.
+ # Only supported when using OpenLDAP.
+ #
+ #tls_ciphers <cipher-list>
+ #
+ # Sudo can provide a client certificate when communicating to
+ # the LDAP server.
+ # Tips:
+ # * Enable both lines at the same time.
+ # * Do not password protect the key file.
+ # * Ensure the keyfile is only readable by root.
+ #
+ # For OpenLDAP:
+ #tls_cert /etc/certs/client_cert.pem
+ #tls_key /etc/certs/client_key.pem
+ #
+ # For SunONE or iPlanet LDAP, the file specified by tls_cert may
+ # contain CA certs and/or the client's cert. If the client's
+ # cert is included, tls_key should be specified as well.
+ # For backward compatibility, sslpath may be used in place of tls_cert.
+ #tls_cert /var/ldap/cert7.db
+ #tls_key /var/ldap/key3.db
+ #
+ # If using SASL authentication for LDAP (OpenSSL)
+ # use_sasl yes
+ # sasl_auth_id <SASL username>
+ # rootuse_sasl yes
+ # rootsasl_auth_id <SASL username for root access>
+ # sasl_secprops none
+ # krb5_ccname /etc/.ldapcache
=head1 SEE ALSO
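Review bot: the `XXX nsswitch.conf example?` and `XXX sudoers ldif example?` headings in this hunk are to-do markers that will ship as empty sections in the generated man page; the content for both already exists in this file (the `sudoers: files` line in the nsswitch.conf subsection and the `%wheel` LDIF under the SUDOers LDAP container), so either fill them in or drop them. The comment `# If using SASL authentication for LDAP (OpenSSL)` in the example ldap.conf should most likely say OpenLDAP, consistent with the "Only supported when using OpenLDAP" wording used elsewhere in the same block.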