-1.7 January 19, 2008 1
+1.7 January 20, 2008 1
-1.7 January 19, 2008 2
+1.7 January 20, 2008 2
-1.7 January 19, 2008 3
+1.7 January 20, 2008 3
(_\bs_\bc_\bh_\be_\bm_\ba_\b._\bO_\bp_\be_\bn_\bL_\bD_\bA_\bP) and another for Netscape-derived servers
(_\bs_\bc_\bh_\be_\bm_\ba_\b._\bi_\bP_\bl_\ba_\bn_\be_\bt), may be found in the s\bsu\bud\bdo\bo distribution.
- The schema for s\bsu\bud\bdo\bo in OpenLDAP form is included below.
+ The schema for s\bsu\bud\bdo\bo in OpenLDAP form is included in the
+ EXAMPLES section.
-
-1.7 January 19, 2008 4
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.1
- NAME 'sudoUser'
- DESC 'User(s) who may run sudo'
- EQUALITY caseExactIA5Match
- SUBSTR caseExactIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.2
- NAME 'sudoHost'
- DESC 'Host(s) who may run sudo'
- EQUALITY caseExactIA5Match
- SUBSTR caseExactIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.3
- NAME 'sudoCommand'
- DESC 'Command(s) to be executed by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.4
- NAME 'sudoRunAs'
- DESC 'User(s) impersonated by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.5
- NAME 'sudoOption'
- DESC 'Options(s) followed by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.6
- NAME 'sudoRunAsUser'
- DESC 'User(s) impersonated by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.7
- NAME 'sudoRunAsGroup'
- DESC 'Group(s) impersonated by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
- DESC 'Sudoer Entries'
- MUST ( cn )
- MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
- sudoRunAsGroup $ sudoOption $ description )
- )
-
-
-
-
-
-
-
-1.7 January 19, 2008 5
+1.7 January 20, 2008 4
-1.7 January 19, 2008 6
+1.7 January 20, 2008 5
the form of a Distinguished Name (DN), to use when
performing privileged LDAP operations, such as _\bs_\bu_\bd_\bo_\be_\br_\bs
queries. The password corresponding to the identity
- should be stored in </etc/ldap.passwd> If not speci-
+ should be stored in _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bs_\be_\bc_\br_\be_\bt. If not speci-
fied, the B\bBI\bIN\bND\bDD\bDN\bN identity is used (if any).
LDAP_VERSION number
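Review bot: the replaced `</etc/ldap.passwd>` on the removed line is the rendered form of a POD formatting code that lost its letter (the POD source in this same patch has a bare `</etc/ldap.passwd>` where `F<...>` was intended), so the change fixes a rendering defect as well as the file name, and the added terminating period is correct since the old sentence ran straight into "If not specified". Because this file holds the password for the ROOTBINDDN identity used for privileged sudoers queries, it would help to add a sentence here stating that the file must be owned by root and readable only by root.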
-1.7 January 19, 2008 7
+1.7 January 20, 2008 6
-1.7 January 19, 2008 8
+1.7 January 20, 2008 7
-1.7 January 19, 2008 9
+1.7 January 20, 2008 8
_\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf determines sudoers source order
E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
- X\bXX\bXX\bX n\bns\bss\bsw\bwi\bit\btc\bch\bh.\b.c\bco\bon\bnf\bf e\bex\bxa\bam\bmp\bpl\ble\be?\b?
+ E\bEx\bxa\bam\bmp\bpl\ble\be l\bld\bda\bap\bp.\b.c\bco\bon\bnf\bf
+
- X\bXX\bXX\bX s\bsu\bud\bdo\boe\ber\brs\bs l\bld\bdi\bif\bf e\bex\bxa\bam\bmp\bpl\ble\be?\b?
- E\bEx\bxa\bam\bmp\bpl\ble\be l\bld\bda\bap\bp.\b.c\bco\bon\bnf\bf
-1.7 January 19, 2008 10
+
+1.7 January 20, 2008 9
# optional proxy credentials
#binddn <who to search as>
#bindpw <password>
- #rootbinddn <who to search as, uses /etc/ldap.passwd for bindpw>
+ #rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>
#
# LDAP protocol version, defaults to 3
#ldap_version 3
-1.7 January 19, 2008 11
+1.7 January 20, 2008 10
# sasl_secprops none
# krb5_ccname /etc/.ldapcache
-S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf(4), _\bs_\bu_\bd_\bo_\be_\br_\bs(4)
+ S\bSu\bud\bdo\bo s\bsc\bch\bhe\bem\bma\ba f\bfo\bor\br O\bOp\bpe\ben\bnL\bLD\bDA\bAP\bP
+
+ The following schema is in OpenLDAP format. Simply copy
+ it to the schema directory (e.g. _\b/_\be_\bt_\bc_\b/_\bo_\bp_\be_\bn_\bl_\bd_\ba_\bp_\b/_\bs_\bc_\bh_\be_\bm_\ba),
+ add the proper include line in slapd.conf and restart
+ s\bsl\bla\bap\bpd\bd.
+
+
-C\bCA\bAV\bVE\bEA\bAT\bTS\bS
- parsing differences between LDAP and file sudoers
-B\bBU\bUG\bGS\bS
- If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a
- bug report at http://www.sudo.ws/sudo/bugs/
-S\bSU\bUP\bPP\bPO\bOR\bRT\bT
- Limited free support is available via the sudo-users
-1.7 January 19, 2008 12
+
+1.7 January 20, 2008 11
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- mailing list, see http://www.sudo.ws/mail-
- man/listinfo/sudo-users to subscribe or search the
- archives.
+ attributetype ( 1.3.6.1.4.1.15953.9.1.1
+ NAME 'sudoUser'
+ DESC 'User(s) who may run sudo'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
- s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied war-
- ranties, including, but not limited to, the implied war-
- ranties of merchantability and fitness for a particular
- purpose are disclaimed. See the LICENSE file distributed
- with s\bsu\bud\bdo\bo or http://www.sudo.ws/sudo/license.html for com-
- plete details.
+ attributetype ( 1.3.6.1.4.1.15953.9.1.2
+ NAME 'sudoHost'
+ DESC 'Host(s) who may run sudo'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.3
+ NAME 'sudoCommand'
+ DESC 'Command(s) to be executed by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.4
+ NAME 'sudoRunAs'
+ DESC 'User(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.5
+ NAME 'sudoOption'
+ DESC 'Options(s) followed by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.6
+ NAME 'sudoRunAsUser'
+ DESC 'User(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+ attributetype ( 1.3.6.1.4.1.15953.9.1.7
+ NAME 'sudoRunAsGroup'
+ DESC 'Group(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+ objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
+ DESC 'Sudoer Entries'
+ MUST ( cn )
+ MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
+ sudoRunAsGroup $ sudoOption $ description )
+ )
+1.7 January 20, 2008 12
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+ X\bXX\bXX\bX n\bns\bss\bsw\bwi\bit\btc\bch\bh.\b.c\bco\bon\bnf\bf e\bex\bxa\bam\bmp\bpl\ble\be?\b?
+ X\bXX\bXX\bX m\bmo\bor\bre\be e\bex\bxh\bha\bau\bus\bst\bti\biv\bve\be s\bsu\bud\bdo\boe\ber\brs\bs l\bld\bdi\bif\bf e\bex\bxa\bam\bmp\bpl\ble\be?\b?
+S\bSE\bEE\bE A\bAL\bLS\bSO\bO
+ _\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf(4), _\bs_\bu_\bd_\bo_\be_\br_\bs(4)
+
+C\bCA\bAV\bVE\bEA\bAT\bTS\bS
+ parsing differences between LDAP and file sudoers
+
+B\bBU\bUG\bGS\bS
+ If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a
+ bug report at http://www.sudo.ws/sudo/bugs/
+
+S\bSU\bUP\bPP\bPO\bOR\bRT\bT
+ Limited free support is available via the sudo-users mail-
+ ing list, see http://www.sudo.ws/mail-
+ man/listinfo/sudo-users to subscribe or search the
+ archives.
+
+D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
+ s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied war-
+ ranties, including, but not limited to, the implied war-
+ ranties of merchantability and fitness for a particular
+ purpose are disclaimed. See the LICENSE file distributed
+ with s\bsu\bud\bdo\bo or http://www.sudo.ws/sudo/license.html for com-
+ plete details.
+
-1.7 January 19, 2008 13
+1.7 January 20, 2008 13
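Review bot: the two `XXX ... example?` placeholders re-added at the end of EXAMPLES still render as bold subsection headings in the formatted page (`XXX nsswitch.conf example?` and `XXX more exhaustive sudoers ldif example?`), so the patch relocates the TODO markers rather than resolving them; either supply the examples or keep the reminders as non-rendering comments in the POD source. Separately, the re-added schema has no blank separator line between the `sudoRunAsUser` and `sudoRunAsGroup` attributetypes or before the `objectclass`, unlike the other attributes and unlike the man and POD versions of the same block; if that is not an artifact of how the diff was captured, the cat page should be regenerated from the final source.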
.\" ========================================================================
.\"
.IX Title "SUDOERS.LDAP @mansectform@"
-.TH SUDOERS.LDAP @mansectform@ "January 19, 2008" "1.7" "MAINTENANCE COMMANDS"
+.TH SUDOERS.LDAP @mansectform@ "January 20, 2008" "1.7" "MAINTENANCE COMMANDS"
.SH "NAME"
sudoers.ldap \- sudo LDAP configuration
.SH "DESCRIPTION"
and another for Netscape-derived servers (\fIschema.iPlanet\fR), may
be found in the \fBsudo\fR distribution.
.PP
-The schema for \fBsudo\fR in OpenLDAP form is included below.
-.PP
-.Vb 6
-\& attributetype ( 1.3.6.1.4.1.15953.9.1.1
-\& NAME 'sudoUser'
-\& DESC 'User(s) who may run sudo'
-\& EQUALITY caseExactIA5Match
-\& SUBSTR caseExactIA5SubstringsMatch
-\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-.Ve
-.PP
-.Vb 6
-\& attributetype ( 1.3.6.1.4.1.15953.9.1.2
-\& NAME 'sudoHost'
-\& DESC 'Host(s) who may run sudo'
-\& EQUALITY caseExactIA5Match
-\& SUBSTR caseExactIA5SubstringsMatch
-\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-.Ve
-.PP
-.Vb 5
-\& attributetype ( 1.3.6.1.4.1.15953.9.1.3
-\& NAME 'sudoCommand'
-\& DESC 'Command(s) to be executed by sudo'
-\& EQUALITY caseExactIA5Match
-\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-.Ve
-.PP
-.Vb 5
-\& attributetype ( 1.3.6.1.4.1.15953.9.1.4
-\& NAME 'sudoRunAs'
-\& DESC 'User(s) impersonated by sudo'
-\& EQUALITY caseExactIA5Match
-\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-.Ve
-.PP
-.Vb 5
-\& attributetype ( 1.3.6.1.4.1.15953.9.1.5
-\& NAME 'sudoOption'
-\& DESC 'Options(s) followed by sudo'
-\& EQUALITY caseExactIA5Match
-\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-.Ve
-.PP
-.Vb 5
-\& attributetype ( 1.3.6.1.4.1.15953.9.1.6
-\& NAME 'sudoRunAsUser'
-\& DESC 'User(s) impersonated by sudo'
-\& EQUALITY caseExactIA5Match
-\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-.Ve
-.PP
-.Vb 5
-\& attributetype ( 1.3.6.1.4.1.15953.9.1.7
-\& NAME 'sudoRunAsGroup'
-\& DESC 'Group(s) impersonated by sudo'
-\& EQUALITY caseExactIA5Match
-\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-.Ve
-.PP
-.Vb 6
-\& objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
-\& DESC 'Sudoer Entries'
-\& MUST ( cn )
-\& MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
-\& sudoRunAsGroup $ sudoOption $ description )
-\& )
-.Ve
+The schema for \fBsudo\fR in OpenLDAP form is included in the \s-1EXAMPLES\s0
+section.
.Sh "Configuring ldap.conf"
.IX Subsection "Configuring ldap.conf"
-Sudo reads the \fI/etc/ldap.conf\fR file for LDAP-specific configuration.
+Sudo reads the \fI@ldap_conf@\fR file for LDAP-specific configuration.
Typically, this file is shared amongst different LDAP-aware clients.
As such, most of the settings are not \fBsudo\fR\-specific. Note that
-\&\fBsudo\fR parses \fI/etc/ldap.conf\fR itself and may support options
-that differ from those described in the \fIldap.conf\fR\|(4) manual.
+\&\fBsudo\fR parses \fI@ldap_conf@\fR itself and may support options
+that differ from those described in the \fIldap.conf\fR\|(@mansectform@) manual.
.PP
Also note that on systems using the OpenLDAP libraries, default
values specified in \fI/etc/openldap/ldap.conf\fR or the user's
\&\fI.ldaprc\fR files are not used.
.PP
-Only those options explicitly listed in \fI/etc/ldap.conf\fR that are
+Only those options explicitly listed in \fI@ldap_conf@\fR that are
supported by \fBsudo\fR are honored. Configuration options are listed
below in upper case but are parsed in a case-independent manner.
.IP "\s-1URI\s0 ldap[s]://[hostname[:port]] ..." 4
The \fB\s-1ROOTBINDDN\s0\fR parameter specifies the identity, in the form of
a Distinguished Name (\s-1DN\s0), to use when performing privileged \s-1LDAP\s0
operations, such as \fIsudoers\fR queries. The password corresponding
-to the identity should be stored in </etc/ldap.passwd>
+to the identity should be stored in \fI@ldap_secret@\fR.
If not specified, the \fB\s-1BINDDN\s0\fR identity is used (if any).
.IP "\s-1LDAP_VERSION\s0 number" 4
.IX Item "LDAP_VERSION number"
See the \f(CW\*(C`ldap.conf\*(C'\fR entry in the \s-1EXAMPLES\s0 section.
.Sh "Configuring nsswitch.conf"
.IX Subsection "Configuring nsswitch.conf"
-Sudo consults the Name Service Switch file, \fI/etc/nsswitch.conf\fR,
+Sudo consults the Name Service Switch file, \fI@nsswitch_conf@\fR,
to specify the \fIsudoers\fR search order. Sudo looks for a line
beginning with \f(CW\*(C`sudoers:\*(C'\fR and uses this to determine the search
order. Note that \fBsudo\fR does not stop searching after the first
\& sudoers: ldap
.Ve
.PP
-If the \fI/etc/nsswitch.conf\fR file is not present or there is no
+If the \fI@nsswitch_conf@\fR file is not present or there is no
sudoers line, the following default is assumed:
.PP
.Vb 1
\& sudoers: files
.Ve
.PP
-Note that \fI/etc/nsswitch.conf\fR is supported even when the underlying
+Note that \fI@nsswitch_conf@\fR is supported even when the underlying
operating system does not use an nsswitch.conf file.
.SH "FILES"
.IX Header "FILES"
-.IP "\fI/etc/ldap.conf\fR" 24
-.IX Item "/etc/ldap.conf"
+.IP "\fI@ldap_conf@\fR" 24
+.IX Item "@ldap_conf@"
\&\s-1LDAP\s0 configuration file
-.IP "\fI/etc/nsswitch.conf\fR" 24
-.IX Item "/etc/nsswitch.conf"
+.IP "\fI@nsswitch_conf@\fR" 24
+.IX Item "@nsswitch_conf@"
determines sudoers source order
.SH "EXAMPLES"
.IX Header "EXAMPLES"
-.Sh "\s-1XXX\s0 nsswitch.conf example?"
-.IX Subsection "XXX nsswitch.conf example?"
-.Sh "\s-1XXX\s0 sudoers ldif example?"
-.IX Subsection "XXX sudoers ldif example?"
.Sh "Example ldap.conf"
.IX Subsection "Example ldap.conf"
.Vb 95
\& # optional proxy credentials
\& #binddn <who to search as>
\& #bindpw <password>
-\& #rootbinddn <who to search as, uses /etc/ldap.passwd for bindpw>
+\& #rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>
\& #
\& # LDAP protocol version, defaults to 3
\& #ldap_version 3
\& # sasl_secprops none
\& # krb5_ccname /etc/.ldapcache
.Ve
+.Sh "Sudo schema for OpenLDAP"
+.IX Subsection "Sudo schema for OpenLDAP"
+The following schema is in OpenLDAP format. Simply copy it to the
+schema directory (e.g. \fI/etc/openldap/schema\fR), add the proper
+\&\f(CW\*(C`include\*(C'\fR line in \f(CW\*(C`slapd.conf\*(C'\fR and restart \fBslapd\fR.
+.PP
+.Vb 6
+\& attributetype ( 1.3.6.1.4.1.15953.9.1.1
+\& NAME 'sudoUser'
+\& DESC 'User(s) who may run sudo'
+\& EQUALITY caseExactIA5Match
+\& SUBSTR caseExactIA5SubstringsMatch
+\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+.Ve
+.PP
+.Vb 6
+\& attributetype ( 1.3.6.1.4.1.15953.9.1.2
+\& NAME 'sudoHost'
+\& DESC 'Host(s) who may run sudo'
+\& EQUALITY caseExactIA5Match
+\& SUBSTR caseExactIA5SubstringsMatch
+\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+.Ve
+.PP
+.Vb 5
+\& attributetype ( 1.3.6.1.4.1.15953.9.1.3
+\& NAME 'sudoCommand'
+\& DESC 'Command(s) to be executed by sudo'
+\& EQUALITY caseExactIA5Match
+\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+.Ve
+.PP
+.Vb 5
+\& attributetype ( 1.3.6.1.4.1.15953.9.1.4
+\& NAME 'sudoRunAs'
+\& DESC 'User(s) impersonated by sudo'
+\& EQUALITY caseExactIA5Match
+\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+.Ve
+.PP
+.Vb 5
+\& attributetype ( 1.3.6.1.4.1.15953.9.1.5
+\& NAME 'sudoOption'
+\& DESC 'Options(s) followed by sudo'
+\& EQUALITY caseExactIA5Match
+\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+.Ve
+.PP
+.Vb 5
+\& attributetype ( 1.3.6.1.4.1.15953.9.1.6
+\& NAME 'sudoRunAsUser'
+\& DESC 'User(s) impersonated by sudo'
+\& EQUALITY caseExactIA5Match
+\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+.Ve
+.PP
+.Vb 5
+\& attributetype ( 1.3.6.1.4.1.15953.9.1.7
+\& NAME 'sudoRunAsGroup'
+\& DESC 'Group(s) impersonated by sudo'
+\& EQUALITY caseExactIA5Match
+\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+.Ve
+.PP
+.Vb 6
+\& objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
+\& DESC 'Sudoer Entries'
+\& MUST ( cn )
+\& MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
+\& sudoRunAsGroup $ sudoOption $ description )
+\& )
+.Ve
+.Sh "\s-1XXX\s0 nsswitch.conf example?"
+.IX Subsection "XXX nsswitch.conf example?"
+.Sh "\s-1XXX\s0 more exhaustive sudoers ldif example?"
+.IX Subsection "XXX more exhaustive sudoers ldif example?"
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIldap.conf\fR\|(4), \fIsudoers\fR\|(4)
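Review bot: the new "Sudo schema for OpenLDAP" paragraph tells the reader to copy the schema to the schema directory and "add the proper include line" but names neither the file to copy nor the directive; DESCRIPTION already names the distributed file (`schema.OpenLDAP`), so say, for example, copy `schema.OpenLDAP` from the distribution to `/etc/openldap/schema/sudo.schema` and add `include /etc/openldap/schema/sudo.schema` to `slapd.conf`, then restart `slapd`.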
and another for Netscape-derived servers (F<schema.iPlanet>), may
be found in the B<sudo> distribution.
-The schema for B<sudo> in OpenLDAP form is included below.
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.1
- NAME 'sudoUser'
- DESC 'User(s) who may run sudo'
- EQUALITY caseExactIA5Match
- SUBSTR caseExactIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.2
- NAME 'sudoHost'
- DESC 'Host(s) who may run sudo'
- EQUALITY caseExactIA5Match
- SUBSTR caseExactIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.3
- NAME 'sudoCommand'
- DESC 'Command(s) to be executed by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.4
- NAME 'sudoRunAs'
- DESC 'User(s) impersonated by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.5
- NAME 'sudoOption'
- DESC 'Options(s) followed by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.6
- NAME 'sudoRunAsUser'
- DESC 'User(s) impersonated by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.7
- NAME 'sudoRunAsGroup'
- DESC 'Group(s) impersonated by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
- DESC 'Sudoer Entries'
- MUST ( cn )
- MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
- sudoRunAsGroup $ sudoOption $ description )
- )
+The schema for B<sudo> in OpenLDAP form is included in the L<EXAMPLES>
+section.
=head2 Configuring ldap.conf
-Sudo reads the F</etc/ldap.conf> file for LDAP-specific configuration.
+Sudo reads the F<@ldap_conf@> file for LDAP-specific configuration.
Typically, this file is shared amongst different LDAP-aware clients.
As such, most of the settings are not B<sudo>-specific. Note that
-B<sudo> parses F</etc/ldap.conf> itself and may support options
-that differ from those described in the L<ldap.conf(4)> manual.
+B<sudo> parses F<@ldap_conf@> itself and may support options
+that differ from those described in the L<ldap.conf(5)> manual.
Also note that on systems using the OpenLDAP libraries, default
values specified in F</etc/openldap/ldap.conf> or the user's
F<.ldaprc> files are not used.
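Review bot: the POD now hardcodes `L<ldap.conf(5)>` while the generated man page from the same patch uses `\fIldap.conf\fR\|(@mansectform@)` and the unchanged SEE ALSO line at the end of this file still reads `L<ldap.conf(4)>`, so one page cites ldap.conf under two different manual sections; use a single form in both places, either the `@mansectform@` substitution or one consistent literal section number.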
-Only those options explicitly listed in F</etc/ldap.conf> that are
+Only those options explicitly listed in F<@ldap_conf@> that are
supported by B<sudo> are honored. Configuration options are listed
below in upper case but are parsed in a case-independent manner.
The B<ROOTBINDDN> parameter specifies the identity, in the form of
a Distinguished Name (DN), to use when performing privileged LDAP
operations, such as I<sudoers> queries. The password corresponding
-to the identity should be stored in </etc/ldap.passwd>
+to the identity should be stored in F<@ldap_secret@>.
If not specified, the B<BINDDN> identity is used (if any).
=item LDAP_VERSION number
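Review bot: `F<@ldap_secret@>` correctly restores the missing `F<...>` formatting code and the sentence-ending period that the removed line lacked, but the paragraph still says nothing about how the secret file must be protected; since it stores the bind password for the ROOTBINDDN identity used for privileged sudoers queries, add a sentence stating the expected ownership (root) and that it must not be readable by other users.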
=head2 Configuring nsswitch.conf
-Sudo consults the Name Service Switch file, F</etc/nsswitch.conf>,
+Sudo consults the Name Service Switch file, F<@nsswitch_conf@>,
to specify the I<sudoers> search order. Sudo looks for a line
beginning with C<sudoers:> and uses this to determine the search
order. Note that B<sudo> does not stop searching after the first
sudoers: ldap
-If the F</etc/nsswitch.conf> file is not present or there is no
+If the F<@nsswitch_conf@> file is not present or there is no
sudoers line, the following default is assumed:
sudoers: files
-Note that F</etc/nsswitch.conf> is supported even when the underlying
+Note that F<@nsswitch_conf@> is supported even when the underlying
operating system does not use an nsswitch.conf file.
=head1 FILES
=over 24
-=item F</etc/ldap.conf>
+=item F<@ldap_conf@>
LDAP configuration file
-=item F</etc/nsswitch.conf>
+=item F<@nsswitch_conf@>
determines sudoers source order
=head1 EXAMPLES
-=head2 XXX nsswitch.conf example?
-
-=head2 XXX sudoers ldif example?
-
=head2 Example ldap.conf
# Either specify one or more URIs or one or more host:port pairs.
# optional proxy credentials
#binddn <who to search as>
#bindpw <password>
- #rootbinddn <who to search as, uses /etc/ldap.passwd for bindpw>
+ #rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>
#
# LDAP protocol version, defaults to 3
#ldap_version 3
# sasl_secprops none
# krb5_ccname /etc/.ldapcache
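Review bot: the example ldap.conf comment keeps the literal `/etc/ldap.secret` (`#rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>`) while the DESCRIPTION text changed in this same patch uses the `F<@ldap_secret@>` build-time substitution, so a build that substitutes a different path would produce a page whose example contradicts its description; use the same placeholder in the example comment, or state in the comment that the path is the configured default.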
+=head2 Sudo schema for OpenLDAP
+
+The following schema is in OpenLDAP format. Simply copy it to the
+schema directory (e.g. F</etc/openldap/schema>), add the proper
+C<include> line in C<slapd.conf> and restart B<slapd>.
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.1
+ NAME 'sudoUser'
+ DESC 'User(s) who may run sudo'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.2
+ NAME 'sudoHost'
+ DESC 'Host(s) who may run sudo'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.3
+ NAME 'sudoCommand'
+ DESC 'Command(s) to be executed by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.4
+ NAME 'sudoRunAs'
+ DESC 'User(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.5
+ NAME 'sudoOption'
+ DESC 'Options(s) followed by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.6
+ NAME 'sudoRunAsUser'
+ DESC 'User(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.7
+ NAME 'sudoRunAsGroup'
+ DESC 'Group(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
+ DESC 'Sudoer Entries'
+ MUST ( cn )
+ MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
+ sudoRunAsGroup $ sudoOption $ description )
+ )
+
+=head2 XXX nsswitch.conf example?
+
+=head2 XXX more exhaustive sudoers ldif example?
+
=head1 SEE ALSO
L<ldap.conf(4)>, L<sudoers(4)>
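Review bot: in the schema moved into the new "Sudo schema for OpenLDAP" subsection, `sudoRunAs` and `sudoRunAsUser` carry the identical `DESC 'User(s) impersonated by sudo'`, so an administrator reading the schema cannot tell why both attributes exist or which one to populate; now that this block is the documented reference in EXAMPLES, distinguish the two descriptions, and fix the `DESC 'Options(s) followed by sudo'` typo (`Option(s)`) while the block is being touched.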