#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.65 for sudo 1.7.5.
+# Generated by GNU Autoconf 2.65 for sudo 1.7.5b2.
#
# Report bugs to <http://www.sudo.ws/bugs/>.
#
# Identity of this package.
PACKAGE_NAME='sudo'
PACKAGE_TARNAME='sudo'
-PACKAGE_VERSION='1.7.5'
-PACKAGE_STRING='sudo 1.7.5'
+PACKAGE_VERSION='1.7.5b2'
+PACKAGE_STRING='sudo 1.7.5b2'
PACKAGE_BUGREPORT='http://www.sudo.ws/bugs/'
PACKAGE_URL=''
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures sudo 1.7.5 to adapt to many kinds of systems.
+\`configure' configures sudo 1.7.5b2 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of sudo 1.7.5:";;
+ short | recursive ) echo "Configuration of sudo 1.7.5b2:";;
esac
cat <<\_ACEOF
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-sudo configure 1.7.5
+sudo configure 1.7.5b2
generated by GNU Autoconf 2.65
Copyright (C) 2009 Free Software Foundation, Inc.
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by sudo $as_me 1.7.5, which was
+It was created by sudo $as_me 1.7.5b2, which was
generated by GNU Autoconf 2.65. Invocation command line was
$ $0 $@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by sudo $as_me 1.7.5, which was
+This file was extended by sudo $as_me 1.7.5b2, which was
generated by GNU Autoconf 2.65. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-sudo config.status 1.7.5
+sudo config.status 1.7.5b2
configured by $0, generated by GNU Autoconf 2.65,
with options \\"\$ac_cs_config\\"
dnl
dnl Copyright (c) 1994-1996,1998-2010 Todd C. Miller <Todd.Miller@courtesan.com>
dnl
-AC_INIT([sudo], [1.7.5], [http://www.sudo.ws/bugs/], [sudo])
+AC_INIT([sudo], [1.7.5b2], [http://www.sudo.ws/bugs/], [sudo])
AC_CONFIG_HEADER(config.h pathnames.h zlib/zconf.h)
dnl
dnl This won't work before AC_INIT
-1.7.5 November 3, 2010 1
+1.7.5b2 November 13, 2010 1
-1.7.5 November 3, 2010 2
+1.7.5b2 November 13, 2010 2
-1.7.5 November 3, 2010 3
+1.7.5b2 November 13, 2010 3
-1.7.5 November 3, 2010 4
+1.7.5b2 November 13, 2010 4
-1.7.5 November 3, 2010 5
+1.7.5b2 November 13, 2010 5
-1.7.5 November 3, 2010 6
+1.7.5b2 November 13, 2010 6
-1.7.5 November 3, 2010 7
+1.7.5b2 November 13, 2010 7
-1.7.5 November 3, 2010 8
+1.7.5b2 November 13, 2010 8
-1.7.5 November 3, 2010 9
+1.7.5b2 November 13, 2010 9
-1.7.5 November 3, 2010 10
+1.7.5b2 November 13, 2010 10
.\" ========================================================================
.\"
.IX Title "SUDO @mansectsu@"
-.TH SUDO @mansectsu@ "November 3, 2010" "1.7.5" "MAINTENANCE COMMANDS"
+.TH SUDO @mansectsu@ "November 13, 2010" "1.7.5b2" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
-1.7.5 November 3, 2010 1
+1.7.5b2 November 13, 2010 1
-1.7.5 November 3, 2010 2
+1.7.5b2 November 13, 2010 2
-1.7.5 November 3, 2010 3
+1.7.5b2 November 13, 2010 3
-1.7.5 November 3, 2010 4
+1.7.5b2 November 13, 2010 4
-1.7.5 November 3, 2010 5
+1.7.5b2 November 13, 2010 5
-1.7.5 November 3, 2010 6
+1.7.5b2 November 13, 2010 6
-1.7.5 November 3, 2010 7
+1.7.5b2 November 13, 2010 7
-1.7.5 November 3, 2010 8
+1.7.5b2 November 13, 2010 8
-1.7.5 November 3, 2010 9
+1.7.5b2 November 13, 2010 9
-1.7.5 November 3, 2010 10
+1.7.5b2 November 13, 2010 10
-1.7.5 November 3, 2010 11
+1.7.5b2 November 13, 2010 11
-1.7.5 November 3, 2010 12
+1.7.5b2 November 13, 2010 12
-1.7.5 November 3, 2010 13
+1.7.5b2 November 13, 2010 13
-1.7.5 November 3, 2010 14
+1.7.5b2 November 13, 2010 14
-1.7.5 November 3, 2010 15
+1.7.5b2 November 13, 2010 15
-1.7.5 November 3, 2010 16
+1.7.5b2 November 13, 2010 16
-1.7.5 November 3, 2010 17
+1.7.5b2 November 13, 2010 17
-1.7.5 November 3, 2010 18
+1.7.5b2 November 13, 2010 18
-1.7.5 November 3, 2010 19
+1.7.5b2 November 13, 2010 19
-1.7.5 November 3, 2010 20
+1.7.5b2 November 13, 2010 20
-1.7.5 November 3, 2010 21
+1.7.5b2 November 13, 2010 21
-1.7.5 November 3, 2010 22
+1.7.5b2 November 13, 2010 22
-1.7.5 November 3, 2010 23
+1.7.5b2 November 13, 2010 23
-1.7.5 November 3, 2010 24
+1.7.5b2 November 13, 2010 24
-1.7.5 November 3, 2010 25
+1.7.5b2 November 13, 2010 25
-1.7.5 November 3, 2010 26
+1.7.5b2 November 13, 2010 26
-1.7.5 November 3, 2010 27
+1.7.5b2 November 13, 2010 27
-1.7.5 November 3, 2010 1
+1.7.5b2 November 13, 2010 1
A Unix group or gid (prefixed with '#') that commands may be run
as. The special value ALL will match any group.
- Each component listed above should contain a single value, but there
- may be multiple instances of each component type. A sudoRole must
- contain at least one sudoUser, sudoHost and sudoCommand.
+ s\bsu\bud\bdo\boN\bNo\bot\btB\bBe\bef\bfo\bor\bre\be
+ A timestamp in the form yyyymmddHHMMZ that indicates start of
+ validity of this sudoRole. If multiple s\bsu\bud\bdo\boN\bNo\bot\btB\bBe\bef\bfo\bor\bre\be entries are
+ present, the earliest is used.
- The following example allows users in group wheel to run any command on
- any host via s\bsu\bud\bdo\bo:
+ s\bsu\bud\bdo\boN\bNo\bot\btA\bAf\bft\bte\ber\br
+ A timestamp in the form yyyymmddHHMMZ that indicates end of
+ validity of this sudoRole. If multiple s\bsu\bud\bdo\boN\bNo\bot\btA\bAf\bft\bte\ber\br entries are
+ present, the last one is used.
+1.7.5b2 November 13, 2010 2
-1.7.5 November 3, 2010 2
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ s\bsu\bud\bdo\boO\bOr\brd\bde\ber\br
+ The sudoRole entries retrieved from the LDAP directory have no
+ inherent order. The s\bsu\bud\bdo\boO\bOr\brd\bde\ber\br attribute is an integer that will be
+ used to sort the matching entries. This allows to more closely
+ mimic the behaviour of the sudoers file, where the of the entries
+ does have an influence on the result. If the s\bsu\bud\bdo\boO\bOr\brd\bde\ber\br attribute
+ is not present, a value of 0 is assumed.
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ Each component listed above should contain a single value, but there
+ may be multiple instances of each component type. A sudoRole must
+ contain at least one sudoUser, sudoHost and sudoCommand.
+ The following example allows users in group wheel to run any command on
+ any host via s\bsu\bud\bdo\bo:
dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
objectClass: top
third query returns all entries containing user netgroups and checks to
see if the user belongs to any of them.
+ If timed entries are enabled with the S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_T\bTI\bIM\bME\bED\bD configuration
+ directive, the LDAP queries include a subfilter that limits retrieval
+ to entries that satisfy the time constraints, if any are present.
+
D\bDi\bif\bff\bfe\ber\bre\ben\bnc\bce\bes\bs b\bbe\bet\btw\bwe\bee\ben\bn L\bLD\bDA\bAP\bP a\ban\bnd\bd n\bno\bon\bn-\b-L\bLD\bDA\bAP\bP s\bsu\bud\bdo\boe\ber\brs\bs
There are some subtle differences in the way sudoers is handled once in
LDAP. Probably the biggest is that according to the RFC, LDAP ordering
# LDAP equivalent of johnny
# Allows all commands except shell
+
+
+
+1.7.5b2 November 13, 2010 3
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
objectClass: sudoRole
objectClass: top
sudoUser: puddles
sudoHost: ALL
sudoCommand: !/bin/sh
-
-
-
-1.7.5 November 3, 2010 3
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
sudoCommand: ALL
Another difference is that negations on the Host, User or Runas are
C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg l\bld\bda\bap\bp.\b.c\bco\bon\bnf\bf
Sudo reads the _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf file for LDAP-specific configuration.
+
+
+
+1.7.5b2 November 13, 2010 4
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
Typically, this file is shared amongst different LDAP-aware clients.
As such, most of the settings are not s\bsu\bud\bdo\bo-specific. Note that s\bsu\bud\bdo\bo
parses _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf itself and may support options that differ from
either l\bld\bda\bap\bp or l\bld\bda\bap\bps\bs, the latter being for servers that support TLS
(SSL) encryption. If no _\bp_\bo_\br_\bt is specified, the default is port 389
for ldap:// or port 636 for ldaps://. If no _\bh_\bo_\bs_\bt_\bn_\ba_\bm_\be is specified,
-
-
-
-1.7.5 November 3, 2010 4
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
s\bsu\bud\bdo\bo will connect to l\blo\boc\bca\bal\blh\bho\bos\bst\bt. Multiple U\bUR\bRI\bI lines are treated
identically to a U\bUR\bRI\bI line containing multiple entries. Only
systems using the OpenSSL libraries support the mixing of ldap://
S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_B\bBA\bAS\bSE\bE base
The base DN to use when performing s\bsu\bud\bdo\bo LDAP queries. Typically
this is of the form ou=SUDOers,dc=example,dc=com for the domain
+
+
+
+1.7.5b2 November 13, 2010 5
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
example.com. Multiple S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_B\bBA\bAS\bSE\bE lines may be specified, in
which case they are queried in the order specified.
+ S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_T\bTI\bIM\bME\bED\bD on/true/yes/off/false/no
+ Whether or not to evaluate the s\bsu\bud\bdo\boN\bNo\bot\btB\bBe\bef\bfo\bor\bre\be and s\bsu\bud\bdo\boN\bNo\bot\btA\bAf\bft\bte\ber\br
+ attributes that implement time-dependent sudoers entries.
+
S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_D\bDE\bEB\bBU\bUG\bG debug_level
This sets the debug level for s\bsu\bud\bdo\bo LDAP queries. Debugging
information is printed to the standard error. A value of 1 results
identity. By default, most LDAP servers will allow anonymous
access.
-
-
-
-
-1.7.5 November 3, 2010 5
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
B\bBI\bIN\bND\bDP\bPW\bW secret
The B\bBI\bIN\bND\bDP\bPW\bW parameter specifies the password to use when performing
LDAP operations. This is typically used in conjunction with the
T\bTL\bLS\bS_\b_C\bCH\bHE\bEC\bCK\bKP\bPE\bEE\bER\bR on/true/yes/off/false/no
If enabled, T\bTL\bLS\bS_\b_C\bCH\bHE\bEC\bCK\bKP\bPE\bEE\bER\bR will cause the LDAP server's TLS
+
+
+
+1.7.5b2 November 13, 2010 6
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
certificated to be verified. If the server's TLS certificate
cannot be verified (usually because it is signed by an unknown
certificate authority), s\bsu\bud\bdo\bo will be unable to connect to it. If
T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTD\bDI\bIR\bR directory
Similar to T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE but instead of a file, it is a directory
-
-
-
-1.7.5 November 3, 2010 6
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
containing individual Certificate Authority certificates, e.g.
_\b/_\be_\bt_\bc_\b/_\bs_\bs_\bl_\b/_\bc_\be_\br_\bt_\bs. The directory specified by T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTD\bDI\bIR\bR is
checked after T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE. This option is only supported by the
Netscape-derived:
tls_key /var/ldap/key3.db
+
+
+
+
+1.7.5b2 November 13, 2010 7
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
T\bTL\bLS\bS_\b_R\bRA\bAN\bND\bDF\bFI\bIL\bLE\bE file name
The T\bTL\bLS\bS_\b_R\bRA\bAN\bND\bDF\bFI\bIL\bLE\bE parameter specifies the path to an entropy source
for systems that lack a random device. It is generally used in
Enable R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL to enable SASL authentication when connecting
to an LDAP server from a privileged process, such as s\bsu\bud\bdo\bo.
-
-
-
-1.7.5 November 3, 2010 7
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
R\bRO\bOO\bOT\bTS\bSA\bAS\bSL\bL_\b_A\bAU\bUT\bTH\bH_\b_I\bID\bD identity
The SASL user name to use when R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL is enabled.
To consult LDAP first followed by the local sudoers file (if it
exists), use:
+
+
+1.7.5b2 November 13, 2010 8
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
sudoers: ldap files
The local _\bs_\bu_\bd_\bo_\be_\br_\bs file can be ignored completely by using:
To consult LDAP first followed by the local sudoers file (if it
exists), use:
-
-
-1.7.5 November 3, 2010 8
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
sudoers = ldap, files
The local _\bs_\bu_\bd_\bo_\be_\br_\bs file can be ignored completely by using:
E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
E\bEx\bxa\bam\bmp\bpl\ble\be l\bld\bda\bap\bp.\b.c\bco\bon\bnf\bf
+
+
+
+
+
+
+1.7.5b2 November 13, 2010 9
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
# Either specify one or more URIs or one or more host:port pairs.
# If neither is specified sudo will default to localhost, port 389.
#
#
# verbose sudoers matching from ldap
#sudoers_debug 2
-
-
-
-1.7.5 November 3, 2010 9
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
+ #
+ # Enable support for time-based entries in sudoers.
+ #sudoers_timed yes
#
# optional proxy credentials
#binddn <who to search as>
#tls_checkpeer yes # verify server SSL certificate
#tls_checkpeer no # ignore server SSL certificate
#
+
+
+
+1.7.5b2 November 13, 2010 10
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
# If you enable tls_checkpeer, specify either tls_cacertfile
# or tls_cacertdir. Only supported when using OpenLDAP.
#
# For OpenLDAP:
#tls_cert /etc/certs/client_cert.pem
#tls_key /etc/certs/client_key.pem
-
-
-
-1.7.5 November 3, 2010 10
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
#
# For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
# a directory, in which case the files in the directory must have the
# sasl_secprops none
# krb5_ccname /etc/.ldapcache
+
+
+
+
+1.7.5b2 November 13, 2010 11
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
S\bSu\bud\bdo\bo s\bsc\bch\bhe\bem\bma\ba f\bfo\bor\br O\bOp\bpe\ben\bnL\bLD\bDA\bAP\bP
The following schema is in OpenLDAP format. Simply copy it to the
schema directory (e.g. _\b/_\be_\bt_\bc_\b/_\bo_\bp_\be_\bn_\bl_\bd_\ba_\bp_\b/_\bs_\bc_\bh_\be_\bm_\ba), add the proper include
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-
-1.7.5 November 3, 2010 11
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
-
attributetype ( 1.3.6.1.4.1.15953.9.1.5
NAME 'sudoOption'
DESC 'Options(s) followed by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+ attributetype ( 1.3.6.1.4.1.15953.9.1.8
+ NAME 'sudoNotBefore'
+ DESC 'Start of time interval for which the entry is valid'
+ EQUALITY generalizedTimeMatch
+ ORDERING generalizedTimeOrderingMatch
+
+
+
+1.7.5b2 November 13, 2010 12
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.9
+ NAME 'sudoNotAfter'
+ DESC 'End of time interval for which the entry is valid'
+ EQUALITY generalizedTimeMatch
+ ORDERING generalizedTimeOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+
+ attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
+ NAME 'sudoOrder'
+ DESC 'an integer to order the sudoRole entries'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+
objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
DESC 'Sudoer Entries'
MUST ( cn )
MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
- sudoRunAsGroup $ sudoOption $ description )
+ sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
+ sudoOrder $ description )
)
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
-1.7.5 November 3, 2010 12
+
+
+1.7.5b2 November 13, 2010 13
.\" ========================================================================
.\"
.IX Title "SUDOERS.LDAP @mansectform@"
-.TH SUDOERS.LDAP @mansectform@ "November 3, 2010" "1.7.5" "MAINTENANCE COMMANDS"
+.TH SUDOERS.LDAP @mansectform@ "November 13, 2010" "1.7.5b2" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.IX Item "sudoRunAsGroup"
A Unix group or gid (prefixed with \f(CW\*(Aq#\*(Aq\fR) that commands may be run as.
The special value \f(CW\*(C`ALL\*(C'\fR will match any group.
+.IP "\fBsudoNotBefore\fR" 4
+.IX Item "sudoNotBefore"
+A timestamp in the form \f(CW\*(C`yyyymmddHHMMZ\*(C'\fR that indicates start of validity
+of this \f(CW\*(C`sudoRole\*(C'\fR.
+If multiple \fBsudoNotBefore\fR entries are present, the earliest is used.
+.IP "\fBsudoNotAfter\fR" 4
+.IX Item "sudoNotAfter"
+A timestamp in the form \f(CW\*(C`yyyymmddHHMMZ\*(C'\fR that indicates end of validity
+of this \f(CW\*(C`sudoRole\*(C'\fR.
+If multiple \fBsudoNotAfter\fR entries are present, the last one is used.
+.IP "\fBsudoOrder\fR" 4
+.IX Item "sudoOrder"
+The sudoRole entries retrieved from the \s-1LDAP\s0 directory have no
+inherent order. The \fBsudoOrder\fR attribute is an integer that will
+be used to sort the matching entries. This allows to more closely
+mimic the behaviour of the sudoers file, where the of the entries
+does have an influence on the result. If the \fBsudoOrder\fR attribute
+is not present, a value of 0 is assumed.
.PP
Each component listed above should contain a single value, but there
may be multiple instances of each component type. A sudoRole must
in this query too.) If no match is returned for the user's name
and groups, a third query returns all entries containing user
netgroups and checks to see if the user belongs to any of them.
+.PP
+If timed entries are enabled with the \fB\s-1SUDOERS_TIMED\s0\fR configuration
+directive, the \s-1LDAP\s0 queries include a subfilter that limits retrieval
+to entries that satisfy the time constraints, if any are present.
.SS "Differences between \s-1LDAP\s0 and non-LDAP sudoers"
.IX Subsection "Differences between LDAP and non-LDAP sudoers"
There are some subtle differences in the way sudoers is handled
this is of the form \f(CW\*(C`ou=SUDOers,dc=example,dc=com\*(C'\fR for the domain
\&\f(CW\*(C`example.com\*(C'\fR. Multiple \fB\s-1SUDOERS_BASE\s0\fR lines may be specified,
in which case they are queried in the order specified.
+.IP "\fB\s-1SUDOERS_TIMED\s0\fR on/true/yes/off/false/no" 4
+.IX Item "SUDOERS_TIMED on/true/yes/off/false/no"
+Whether or not to evaluate the \fBsudoNotBefore\fR and \fBsudoNotAfter\fR
+attributes that implement time-dependent sudoers entries.
.IP "\fB\s-1SUDOERS_DEBUG\s0\fR debug_level" 4
.IX Item "SUDOERS_DEBUG debug_level"
This sets the debug level for \fBsudo\fR \s-1LDAP\s0 queries. Debugging
\& # verbose sudoers matching from ldap
\& #sudoers_debug 2
\& #
+\& # Enable support for time\-based entries in sudoers.
+\& #sudoers_timed yes
+\& #
\& # optional proxy credentials
\& #binddn <who to search as>
\& #bindpw <password>
\& EQUALITY caseExactIA5Match
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
\&
+\& attributetype ( 1.3.6.1.4.1.15953.9.1.8
+\& NAME \*(AqsudoNotBefore\*(Aq
+\& DESC \*(AqStart of time interval for which the entry is valid\*(Aq
+\& EQUALITY generalizedTimeMatch
+\& ORDERING generalizedTimeOrderingMatch
+\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+\&
+\& attributetype ( 1.3.6.1.4.1.15953.9.1.9
+\& NAME \*(AqsudoNotAfter\*(Aq
+\& DESC \*(AqEnd of time interval for which the entry is valid\*(Aq
+\& EQUALITY generalizedTimeMatch
+\& ORDERING generalizedTimeOrderingMatch
+\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+\&
+\& attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
+\& NAME \*(AqsudoOrder\*(Aq
+\& DESC \*(Aqan integer to order the sudoRole entries\*(Aq
+\& EQUALITY integerMatch
+\& ORDERING integerOrderingMatch
+\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+\&
\& objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME \*(AqsudoRole\*(Aq SUP top STRUCTURAL
\& DESC \*(AqSudoer Entries\*(Aq
\& MUST ( cn )
\& MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
-\& sudoRunAsGroup $ sudoOption $ description )
+\& sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
+\& sudoOrder $ description )
\& )
.Ve
.SH "SEE ALSO"
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "November 3, 2010" "1.7.5" "MAINTENANCE COMMANDS"
+.TH SUDOERS @mansectform@ "November 13, 2010" "1.7.5b2" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
-1.7.4 July 12, 2010 1
+1.7.5b2 November 13, 2010 1
-1.7.4 July 12, 2010 2
+1.7.5b2 November 13, 2010 2
-1.7.4 July 12, 2010 3
+1.7.5b2 November 13, 2010 3
-1.7.4 July 12, 2010 4
+1.7.5b2 November 13, 2010 4
-1.7.4 July 12, 2010 5
+1.7.5b2 November 13, 2010 5
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
+.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14)
.\"
.\" Standard preamble:
.\" ========================================================================
.\" ========================================================================
.\"
.IX Title "SUDOREPLAY @mansectsu@"
-.TH SUDOREPLAY @mansectsu@ "July 12, 2010" "1.7.4" "MAINTENANCE COMMANDS"
+.TH SUDOREPLAY @mansectsu@ "November 13, 2010" "1.7.5b2" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
-1.7.5 November 3, 2010 1
+1.7.5b2 November 13, 2010 1
-1.7.5 November 3, 2010 2
+1.7.5b2 November 13, 2010 2
-1.7.5 November 3, 2010 3
+1.7.5b2 November 13, 2010 3
.\" ========================================================================
.\"
.IX Title "VISUDO @mansectsu@"
-.TH VISUDO @mansectsu@ "November 3, 2010" "1.7.5" "MAINTENANCE COMMANDS"
+.TH VISUDO @mansectsu@ "November 13, 2010" "1.7.5b2" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
projects / sudo / commitdiff