VERSION = 1.7
DISTFILES = $(SRCS) $(HDRS) BUGS CHANGES HISTORY INSTALL INSTALL.configure \
- LICENSE Makefile.in PORTING README README.LDAP TODO \
- TROUBLESHOOTING UPGRADE aclocal.m4 acsite.m4 aixcrypt.exp \
- config.guess config.h.in config.sub configure configure.in \
- def_data.in indent.pro install-sh ltmain.sh mkdefaults \
- mkinstalldirs pathnames.h.in sample.pam sample.syslog.conf \
- sample.sudoers sudo.cat sudo.man.in sudo.pod sudo.psf sudoers \
- sudoers.cat sudoers.man.in sudoers.pod sudoers2ldif visudo.cat \
- visudo.man.in visudo.pod auth/API
+ LICENSE Makefile.in PORTING README README.LDAP TODO \
+ TROUBLESHOOTING UPGRADE aclocal.m4 acsite.m4 aixcrypt.exp \
+ config.guess config.h.in config.sub configure configure.in \
+ def_data.in indent.pro install-sh ltmain.sh mkdefaults \
+ mkinstalldirs pathnames.h.in sample.pam sample.syslog.conf \
+ sample.sudoers schema.OpenLDAP schema.iPlanet sudo.cat \
+ sudo.man.in sudo.pod sudo.psf sudoers sudoers.cat \
+ sudoers.man.in sudoers.pod sudoers2ldif visudo.cat \
+ visudo.man.in visudo.pod auth/API
BINFILES= BUGS CHANGES HISTORY LICENSE README TODO TROUBLESHOOTING \
UPGRADE install-sh mkinstalldirs sample.syslog.conf sample.sudoers \
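Review bot: schema.OpenLDAP and schema.iPlanet are added to DISTFILES only; the visible BINFILES lines (BUGS ... sample.sudoers) are unchanged in this hunk. The README.LDAP change in this same patch tells the reader to copy schema.OpenLDAP into the server's schema directory, so if the rest of BINFILES does not pick the two files up, a binary distribution will document files it does not ship. Either add them to BINFILES next to sample.sudoers and sample.syslog.conf, or have README.LDAP say they are only in the source distribution.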
Build instructions
==================
The most simplest way to build sudo with LDAP support is to include the
-'--with-ldap' option. I recommend including the '--with-pam' option on those
-system with PAM so that if you decide to use LDAP for authentication, you won't
-need to recompile sudo.
+'--with-ldap' option.
- $ ./configure --with-ldap --with-pam
+ $ ./configure --with-ldap
-If your ldap libraries and headers are in a non standard place, you will need
-to specify them at configure time.
+If your ldap libraries and headers are in a non-standard place, you will need
+to specify them at configure time. E.g.
- $ ./configure --with-ldap=/usr/local/ldapsdk --with-pam
+ $ ./configure --with-ldap=/usr/local/ldapsdk
-Sudo is tested against OpenLDAP's implementation. Other LDAP implementations
-may require adding '-lldif' to SUDO_LIBS in the Makefile.
+Sudo is developed using OpenLDAP. Other LDAP implementations may
+require adding '-lldif' to SUDO_LIBS in the Makefile.
Your Mileage may vary. Please let Aaron Spangler <aaron@spangler.ods.org>
know what combinations worked best for your OS & LDAP Combinations so we can
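Review bot: removing the '--with-pam' recommendation also removes the only sentence that explained how authentication relates to LDAP sudoers; the new text no longer says whether '--with-ldap' affects only sudoers lookups or authentication as well, which is exactly the question the deleted sentence answered. If the behaviour is unchanged, keep one sentence to that effect, e.g. "--with-ldap affects sudoers lookups only; authentication is configured separately (for example with --with-pam)." Minor: "E.g." at the end of the sentence before the configure command should be "e.g.:" (or "for example:") so it reads as introducing the command that follows.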
Schema Changes
==============
-Add the following schema to your LDAP server so that it may contain sudoer
-content. In OpenLDAP, simply place this into a new file and 'include' it
-in your slapd.conf and restart slapd. For other LDAP servers, provide this
-to your LDAP Administrator. Make sure to index the attribute 'sudoUser'.
-
-
- #
- # schema file for sudo
- #
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.1
- NAME 'sudoUser'
- DESC 'User(s) who may run sudo'
- EQUALITY caseExactIA5Match
- SUBSTR caseExactIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.2
- NAME 'sudoHost'
- DESC 'Host(s) who may run sudo'
- EQUALITY caseExactIA5Match
- SUBSTR caseExactIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.3
- NAME 'sudoCommand'
- DESC 'Command(s) to be executed by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.4
- NAME 'sudoRunAs'
- DESC 'User(s) impersonated by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.5
- NAME 'sudoOption'
- DESC 'Options(s) followed by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
- DESC 'Sudoer Entries'
- MUST ( cn )
- MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $
- description )
- )
-
- #
- # Same thing as above, but imports better into SunONE or iPlanet
- # (remove any leading spaces and save to a seperate file)
- #
-
- dn: cn=schema
- attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
- attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
- attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
- attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
- attributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
- objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $ description ) X-ORIGIN 'SUDO' )
+Add the appropriate schema to your LDAP server so that it may contain
+sudoers content.
+For OpenLDAP, simply copy schema.OpenLDAP to the schema directory
+(e.g. /etc/openldap/schema) and 'include' it in your slapd.conf and
+restart slapd. For other LDAP servers, provide this to your LDAP
+Administrator. Make sure to index the attribute 'sudoUser'.
+For the SunONE or iPlanet LDAP server, use the schema.iPlanet file.
Importing /etc/sudoers to LDAP
==============================
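Review bot: the removed inline schema was the only place a reader could see that sudoUser is defined with EQUALITY caseExactIA5Match and SUBSTR caseExactIA5SubstringsMatch, so "Make sure to index the attribute 'sudoUser'" now gives no hint of which index types are meant; say explicitly (eq, plus sub if substring matching is relied on) rather than sending the reader into schema.OpenLDAP to work it out. The removed comment also said the iPlanet form needs its leading spaces stripped before import; if schema.iPlanet is already in importable form, say so, otherwise carry that note over. Ordering: "For the SunONE or iPlanet LDAP server, use the schema.iPlanet file." comes after the generic "For other LDAP servers, provide this to your LDAP Administrator.", which makes "this" ambiguous; move the iPlanet sentence up beside the OpenLDAP instructions and change "provide this" to "provide the appropriate schema file".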