when the data is inserted into LDAP, there is no need for a
specialized tool to check syntax.
- Another major difference between LDAP and file-based _\bs_\bu_\bd_\bo_\be_\br_\bs is that in
- LDAP, s\bsu\bud\bdo\bo-specific Aliases are not supported.
-
- For the most part, there is really no need for s\bsu\bud\bdo\bo-specific Aliases.
- Unix groups, non-Unix groups (via the _\bg_\br_\bo_\bu_\bp_\b__\bp_\bl_\bu_\bg_\bi_\bn) or user netgroups can
- be used in place of User_Aliases and Runas_Aliases. Host netgroups can
- be used in place of Host_Aliases. Since groups and netgroups can also be
- stored in LDAP there is no real need for s\bsu\bud\bdo\bo-specific aliases.
-
- Cmnd_Aliases are not really required either since it is possible to have
- multiple users listed in a sudoRole. Instead of defining a Cmnd_Alias
- that is referenced by multiple users, one can create a sudoRole that
- contains the commands and assign multiple users to it.
-
S\bSU\bUD\bDO\bOe\ber\brs\bs L\bLD\bDA\bAP\bP c\bco\bon\bnt\bta\bai\bin\bne\ber\br
The _\bs_\bu_\bd_\bo_\be_\br_\bs configuration is contained in the ou=SUDOers LDAP container.
SSH_AUTH_SOCK variable will be preserved in the environment for all
users.
- dn: cn=defaults,ou=SUDOers,dc=example,dc=com
+ dn: cn=defaults,ou=SUDOers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
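Review bot: replacing dc=example,dc=com with dc=my-domain,dc=com (here and in every other dn, NETGROUP_BASE, SUDOERS_BASE and sudoers_base example in this patch) swaps a domain reserved for documentation (example.com, RFC 2606) for one that is not reserved. my-domain.com is the suffix used in OpenLDAP's sample slapd.conf, which may be the intent, but nothing in the new text says so. Either keep example.com or add one sentence stating that the examples use the OpenLDAP default suffix, so readers do not copy a third-party domain into a production ldap.conf.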
The following example allows users in group wheel to run any command on
any host via s\bsu\bud\bdo\bo:
- dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
+ dn: cn=%wheel,ou=SUDOers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: %wheel
significantly speed up s\bsu\bud\bdo\bo's execution time.
D\bDi\bif\bff\bfe\ber\bre\ben\bnc\bce\bes\bs b\bbe\bet\btw\bwe\bee\ben\bn L\bLD\bDA\bAP\bP a\ban\bnd\bd n\bno\bon\bn-\b-L\bLD\bDA\bAP\bP s\bsu\bud\bdo\boe\ber\brs\bs
- There are some subtle differences in the way sudoers is handled once in
- LDAP. Probably the biggest is that according to the RFC, LDAP ordering
- is arbitrary and you cannot expect that Attributes and Entries are
- returned in any specific order.
+ One of the major differences between LDAP and file-based _\bs_\bu_\bd_\bo_\be_\br_\bs is that
+ in LDAP, s\bsu\bud\bdo\bo-specific Aliases are not supported.
+
+ For the most part, there is little need for s\bsu\bud\bdo\bo-specific Aliases. Unix
+ groups, non-Unix groups (via the _\bg_\br_\bo_\bu_\bp_\b__\bp_\bl_\bu_\bg_\bi_\bn) or user netgroups can be
+ used in place of User_Aliases and Runas_Aliases. Host netgroups can be
+ used in place of Host_Aliases. Since groups and netgroups can also be
+ stored in LDAP there is no real need for s\bsu\bud\bdo\bo-specific aliases.
+
+ There are also some subtle differences in the way sudoers is handled once
+ in LDAP. Probably the biggest is that according to the RFC, LDAP
+ ordering is arbitrary and you cannot expect that Attributes and Entries
+ are returned in any specific order.
The order in which different entries are applied can be controlled using
the sudoOrder attribute, but there is no way to guarantee the order of
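Review bot: the alias discussion moved into this section drops the old Cmnd_Alias paragraph, so the section now explains what replaces User_Aliases, Runas_Aliases and Host_Aliases but says nothing about Cmnd_Aliases; the multi-command sudoRole replacement survives only in the new conversion section further down. Keep one sentence here ("Cmnd_Aliases can be replaced by a sudoRole that lists the commands and is assigned to multiple users") or point the reader at that section.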
sudoCommand: !/bin/sh
sudoCommand: ALL
- Another difference is that negations on the Host, User or Runas are
- currently ignored. For example, the following attributes do not behave
- the way one might expect.
+ Another difference is that it is not possible to use negation in a
+ sudoUser, sudoRunAsUser or sudoRunAsGroup attribute. For example, the
+ following attributes do not behave the way one might expect.
# does not match all but joe
# rather, does not match anyone
sudoUser: ALL
sudoUser: !joe
- # does not match all but web01
- # rather, matches all hosts including web01
+ C\bCo\bon\bnv\bve\ber\brt\bti\bin\bng\bg b\bbe\bet\btw\bwe\bee\ben\bn f\bfi\bil\ble\be-\b-b\bba\bas\bse\bed\bd a\ban\bnd\bd L\bLD\bDA\bAP\bP s\bsu\bud\bdo\boe\ber\brs\bs
+ The cvtsudoers(1) utility can be used to convert between file-based and
+ LDAP _\bs_\bu_\bd_\bo_\be_\br_\bs. However, there are features in the file-based sudoers that
+ have no equivalent in LDAP-based sudoers (and vice versa). These cannot
+ be converted automatically.
+
+ For example, a Cmnd_Alias in a _\bs_\bu_\bd_\bo_\be_\br_\bs file may be converted to a
+ sudoRole that contains multiple commands. Multiple users and/or groups
+ may be assigned to the sudoRole.
+
+ Also, host, user, runas and command-based Defaults entries are not
+ supported. However, a sudoRole may contain one or more sudoOption
+ attributes which can often serve the same purpose.
+
+ Consider the following _\bs_\bu_\bd_\bo_\be_\br_\bs lines:
+
+ Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
+ Defaults!PAGERS noexec
+ alice, bob ALL = ALL
+
+ In this example, alice and bob are allowed to run all commands, but the
+ commands listed in PAGERS will have the noexec flag set, preventing shell
+ escapes.
+
+ When converting this to LDAP, two sudoRole objects can be used:
+
+ dn: cn=PAGERS,ou=SUDOers,dc=my-domain,dc=com
+ objectClass: top
+ objectClass: sudoRole
+ cn: PAGERS
+ sudoUser: alice
+ sudoUser: bob
+ sudoHost: ALL
+ sudoCommand: /usr/bin/more
+ sudoCommand: /usr/bin/pg
+ sudoCommand: /usr/bin/less
+ sudoOption: noexec
+ sudoOrder: 900
+
+ dn: cn=ADMINS,ou=SUDOers,dc=my-domain,dc=com
+ objectClass: top
+ objectClass: sudoRole
+ cn: ADMINS
+ sudoUser: alice
+ sudoUser: bob
+ sudoHost: ALL
+ sudoCommand: ALL
+ sudoOrder: 100
+
+ In the LDAP version, the sudoOrder attribute is used to guarantee that
+ the PAGERS sudoRole with _\bn_\bo_\be_\bx_\be_\bc has precedence. Unlike the _\bs_\bu_\bd_\bo_\be_\br_\bs
+ version, the LDAP version requires that all users for whom the
+ restriction should apply be assigned to the PAGERS sudoRole. Using a
+ Unix group or netgroup in PAGERS rather than listing each user would make
+ this easier to maintain.
+
+ Per-user Defaults entries can be emulated by using one or more sudoOption
+ attributes in a sudoRole. Consider the following _\bs_\bu_\bd_\bo_\be_\br_\bs lines:
+
+ User_Alias ADMINS = john, sally
+ Defaults:ADMINS !authenticate
+ ADMINS ALL = (ALL:ALL) ALL
+
+ In this example, john and sally are allowed to run any command as any
+ user or group.
+
+ When converting this to LDAP, we can use a Unix group instead of the
+ User_Alias.
+
+ dn: cn=admins,ou=SUDOers,dc=my-domain,dc=com
+ objectClass: top
+ objectClass: sudoRole
+ cn: admins
+ sudoUser: %admin
sudoHost: ALL
- sudoHost: !web01
+ sudoRunAsUser: ALL
+ sudoRunAsGroup: ALL
+ sudoCommand: ALL
+ sudoOption: !authenticate
+
+ This assumes that users john and sally are members of the "admins" Unix
+ group.
S\bSu\bud\bdo\boe\ber\brs\bs s\bsc\bch\bhe\bem\bma\ba
In order to use s\bsu\bud\bdo\bo's LDAP support, the s\bsu\bud\bdo\bo schema must be installed on
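Review bot: the negation example's comment in this hunk's context, `# rather, does not match anyone`, contradicts the same example in the .man and .mdoc.in parts of this patch, which read `# rather, matches everyone including Joe`, and the latter is the behaviour the new wording ("it is not possible to use negation") describes. sudoers.ldap.cat is formatted output, so regenerate it from the updated sudoers.ldap.man instead of editing it by hand; the same applies to the `sudoUser: %admin` versus "admins" group mismatch in the last example, which needs fixing in sudoers.ldap.mdoc.in and then propagating to this file.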
N\bNE\bET\bTG\bGR\bRO\bOU\bUP\bP_\b_B\bBA\bAS\bSE\bE _\bb_\ba_\bs_\be
The base DN to use when performing LDAP netgroup queries.
- Typically this is of the form ou=netgroup,dc=example,dc=com for the
- domain example.com. Multiple N\bNE\bET\bTG\bGR\bRO\bOU\bUP\bP_\b_B\bBA\bAS\bSE\bE lines may be specified,
- in which case they are queried in the order specified.
+ Typically this is of the form ou=netgroup,dc=my-domain,dc=com for
+ the domain my-domain.com. Multiple N\bNE\bET\bTG\bGR\bRO\bOU\bUP\bP_\b_B\bBA\bAS\bSE\bE lines may be
+ specified, in which case they are queried in the order specified.
This option can be used to query a user's netgroups directly via
LDAP which is usually faster than fetching every sudoRole object
S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_B\bBA\bAS\bSE\bE _\bb_\ba_\bs_\be
The base DN to use when performing s\bsu\bud\bdo\bo LDAP queries. Typically
- this is of the form ou=SUDOers,dc=example,dc=com for the domain
- example.com. Multiple S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_B\bBA\bAS\bSE\bE lines may be specified, in
+ this is of the form ou=SUDOers,dc=my-domain,dc=com for the domain
+ my-domain.com. Multiple S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_B\bBA\bAS\bSE\bE lines may be specified, in
which case they are queried in the order specified.
S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_D\bDE\bEB\bBU\bUG\bG _\bd_\be_\bb_\bu_\bg_\b__\bl_\be_\bv_\be_\bl
timelimit 30
#
# Must be set or sudo will ignore LDAP; may be specified multiple times.
- sudoers_base ou=SUDOers,dc=example,dc=com
+ sudoers_base ou=SUDOers,dc=my-domain,dc=com
#
# verbose sudoers matching from ldap
#sudoers_debug 2
)
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- ldap.conf(4), sssd-sudo(4), sudo.conf(4), sudoers(4)
+ cvtsudoers(1), ldap.conf(4), sssd-sudo(4), sudo.conf(4), sudoers(4)
A\bAU\bUT\bTH\bHO\bOR\bRS\bS
Many people have worked on s\bsu\bud\bdo\bo over the years; this version consists of
file distributed with s\bsu\bud\bdo\bo or https://www.sudo.ws/license.html for
complete details.
-Sudo 1.8.23 March 21, 2018 Sudo 1.8.23
+Sudo 1.8.23 March 29, 2018 Sudo 1.8.23
.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
.\" IT IS GENERATED AUTOMATICALLY FROM sudoers.ldap.mdoc.in
.\"
-.\" Copyright (c) 2003-2017 Todd C. Miller <Todd.Miller@sudo.ws>
+.\" Copyright (c) 2003-2018 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.TH "SUDOERS.LDAP" "5" "March 21, 2018" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS.LDAP" "5" "March 29, 2018" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
Since LDAP updates are atomic, locking is no longer necessary.
Because syntax is checked when the data is inserted into LDAP, there
is no need for a specialized tool to check syntax.
-.PP
-Another major difference between LDAP and file-based
-\fIsudoers\fR
-is that in LDAP,
-\fBsudo\fR-specific
-Aliases are not supported.
-.PP
-For the most part, there is really no need for
-\fBsudo\fR-specific
-Aliases.
-Unix groups, non-Unix groups (via the
-\fIgroup_plugin\fR)
-or user netgroups can be used in place of User_Aliases and Runas_Aliases.
-Host netgroups can be used in place of Host_Aliases.
-Since groups and netgroups can also be stored in LDAP there is no real need for
-\fBsudo\fR-specific
-aliases.
-.PP
-Cmnd_Aliases are not really required either since it is possible
-to have multiple users listed in a
-\fRsudoRole\fR.
-Instead of defining a Cmnd_Alias that is referenced by multiple users,
-one can create a
-\fRsudoRole\fR
-that contains the commands and assign multiple users to it.
.SS "SUDOers LDAP container"
The
\fIsudoers\fR
.nf
.sp
.RS 4n
-dn: cn=defaults,ou=SUDOers,dc=example,dc=com
+dn: cn=defaults,ou=SUDOers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
.nf
.sp
.RS 4n
-dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
+dn: cn=%wheel,ou=SUDOers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: %wheel
\fBsudo\fR's
execution time.
.SS "Differences between LDAP and non-LDAP sudoers"
-There are some subtle differences in the way sudoers is handled
+One of the major differences between LDAP and file-based
+\fIsudoers\fR
+is that in LDAP,
+\fBsudo\fR-specific
+Aliases are not supported.
+.PP
+For the most part, there is little need for
+\fBsudo\fR-specific
+Aliases.
+Unix groups, non-Unix groups (via the
+\fIgroup_plugin\fR)
+or user netgroups can be used in place of User_Aliases and Runas_Aliases.
+Host netgroups can be used in place of Host_Aliases.
+Since groups and netgroups can also be stored in LDAP there is no real need for
+\fBsudo\fR-specific
+aliases.
+.PP
+There are also some subtle differences in the way sudoers is handled
once in LDAP.
Probably the biggest is that according to the RFC, LDAP ordering
is arbitrary and you cannot expect that Attributes and Entries are
.RE
.fi
.PP
-Another difference is that negations on the Host, User or Runas are
-currently ignored.
+Another difference is that it is not possible to use negation in a
+sudoUser, sudoRunAsUser or sudoRunAsGroup attribute.
For example, the following attributes do not behave the way one might expect.
.nf
.sp
# rather, matches everyone including Joe
sudoUser: ALL
sudoUser: !joe
+.RE
+.fi
+.SS "Converting between file-based and LDAP sudoers"
+The
+cvtsudoers(1)
+utility can be used to convert between file-based and LDAP
+\fIsudoers\fR.
+However, there are features in the file-based sudoers that have
+no equivalent in LDAP-based sudoers (and vice versa).
+These cannot be converted automatically.
+.PP
+For example, a Cmnd_Alias in a
+\fIsudoers\fR
+file may be converted to a
+\fRsudoRole\fR
+that contains multiple commands.
+Multiple users and/or groups may be assigned to the
+\fRsudoRole\fR.
+.PP
+Also, host, user, runas and command-based
+\fRDefaults\fR
+entries are not supported.
+However, a
+\fRsudoRole\fR
+may contain one or more
+\fRsudoOption\fR
+attributes which can often serve the same purpose.
+.PP
+Consider the following
+\fIsudoers\fR
+lines:
+.nf
+.sp
+.RS 4n
+Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
+Defaults!PAGERS noexec
+alice, bob ALL = ALL
+.RE
+.fi
+.PP
+In this example, alice and bob are allowed to run all commands, but
+the commands listed in PAGERS will have the noexec flag set,
+preventing shell escapes.
+.PP
+When converting this to LDAP, two sudoRole objects can be used:
+.nf
+.sp
+.RS 4n
+dn: cn=PAGERS,ou=SUDOers,dc=my-domain,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: PAGERS
+sudoUser: alice
+sudoUser: bob
+sudoHost: ALL
+sudoCommand: /usr/bin/more
+sudoCommand: /usr/bin/pg
+sudoCommand: /usr/bin/less
+sudoOption: noexec
+sudoOrder: 900
-# does not match all but web01
-# rather, matches all hosts including web01
+dn: cn=ADMINS,ou=SUDOers,dc=my-domain,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: ADMINS
+sudoUser: alice
+sudoUser: bob
+sudoHost: ALL
+sudoCommand: ALL
+sudoOrder: 100
+.RE
+.fi
+.PP
+In the LDAP version, the sudoOrder attribute is used to guarantee
+that the PAGERS sudoRole with
+\fInoexec\fR
+has precedence.
+Unlike the
+\fIsudoers\fR
+version, the LDAP version requires that all users for whom the restriction
+should apply be assigned to the PAGERS sudoRole.
+Using a Unix group or netgroup in PAGERS rather than listing each
+user would make this easier to maintain.
+.PP
+Per-user
+\fRDefaults\fR
+entries can be emulated by using one or more sudoOption attributes
+in a sudoRole.
+Consider the following
+\fIsudoers\fR
+lines:
+.nf
+.sp
+.RS 4n
+User_Alias ADMINS = john, sally
+Defaults:ADMINS !authenticate
+ADMINS ALL = (ALL:ALL) ALL
+.RE
+.fi
+.PP
+In this example, john and sally are allowed to run any command
+as any user or group.
+.PP
+When converting this to LDAP, we can use a Unix group instead
+of the User_Alias.
+.nf
+.sp
+.RS 4n
+dn: cn=admins,ou=SUDOers,dc=my-domain,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: admins
+sudoUser: %admin
sudoHost: ALL
-sudoHost: !web01
+sudoRunAsUser: ALL
+sudoRunAsGroup: ALL
+sudoCommand: ALL
+sudoOption: !authenticate
.RE
.fi
+.PP
+This assumes that users john and sally are members of the
+\(Lqadmins\(Rq
+Unix group.
.SS "Sudoers schema"
In order to use
\fBsudo\fR's
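Review bot: the first conversion example names its catch-all role cn=ADMINS and the second names its role cn=admins; cn is matched case-insensitively, so the two entries share a DN and cannot both be loaded into one ou=SUDOers container, and the ADMINS role of example 1 (alice and bob, `sudoCommand: ALL`) has nothing to do with the User_Alias ADMINS of example 2 (john, sally). Give the first role a name that describes what it grants (for instance cn=ALL_COMMANDS) so the examples are loadable together and the later User_Alias to group conversion is not confused with it. sudoers.ldap.man is generated, so make the change in sudoers.ldap.mdoc.in.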
\fBNETGROUP_BASE\fR \fIbase\fR
The base DN to use when performing LDAP netgroup queries.
Typically this is of the form
-\fRou=netgroup,dc=example,dc=com\fR
+\fRou=netgroup,dc=my-domain,dc=com\fR
for the domain
-\fRexample.com\fR.
+\fRmy-domain.com\fR.
Multiple
\fBNETGROUP_BASE\fR
lines may be specified, in which case they are queried in the order specified.
\fBsudo\fR
LDAP queries.
Typically this is of the form
-\fRou=SUDOers,dc=example,dc=com\fR
+\fRou=SUDOers,dc=my-domain,dc=com\fR
for the domain
-\fRexample.com\fR.
+\fRmy-domain.com\fR.
Multiple
\fBSUDOERS_BASE\fR
lines may be specified, in which case they are queried in the order specified.
timelimit 30
#
# Must be set or sudo will ignore LDAP; may be specified multiple times.
-sudoers_base ou=SUDOers,dc=example,dc=com
+sudoers_base ou=SUDOers,dc=my-domain,dc=com
#
# verbose sudoers matching from ldap
#sudoers_debug 2
.RE
.fi
.SH "SEE ALSO"
+cvtsudoers(1),
ldap.conf(@mansectform@),
sssd-sudo(@mansectform@),
sudo.conf(@mansectform@),
.\"
-.\" Copyright (c) 2003-2017 Todd C. Miller <Todd.Miller@sudo.ws>
+.\" Copyright (c) 2003-2018 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd March 21, 2018
+.Dd March 29, 2018
.Dt SUDOERS.LDAP @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
Because syntax is checked when the data is inserted into LDAP, there
is no need for a specialized tool to check syntax.
.El
-.Pp
-Another major difference between LDAP and file-based
-.Em sudoers
-is that in LDAP,
-.Nm sudo Ns -specific
-Aliases are not supported.
-.Pp
-For the most part, there is really no need for
-.Nm sudo Ns -specific
-Aliases.
-Unix groups, non-Unix groups (via the
-.Em group_plugin )
-or user netgroups can be used in place of User_Aliases and Runas_Aliases.
-Host netgroups can be used in place of Host_Aliases.
-Since groups and netgroups can also be stored in LDAP there is no real need for
-.Nm sudo Ns -specific
-aliases.
-.Pp
-Cmnd_Aliases are not really required either since it is possible
-to have multiple users listed in a
-.Li sudoRole .
-Instead of defining a Cmnd_Alias that is referenced by multiple users,
-one can create a
-.Li sudoRole
-that contains the commands and assign multiple users to it.
.Ss SUDOers LDAP container
The
.Em sudoers
.Ev SSH_AUTH_SOCK
variable will be preserved in the environment for all users.
.Bd -literal -offset 4n
-dn: cn=defaults,ou=SUDOers,dc=example,dc=com
+dn: cn=defaults,ou=SUDOers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
and the entry matches, the
.Li sudoRole
in which it resides will be ignored.
-Negated
+Negated
.Li sudoHost
entries are only supported by version 1.8.18 or higher.
.It Sy sudoCommand
on any host via
.Nm sudo :
.Bd -literal -offset 4n
-dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
+dn: cn=%wheel,ou=SUDOers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: %wheel
.Nm sudo Ns 's
execution time.
.Ss Differences between LDAP and non-LDAP sudoers
-There are some subtle differences in the way sudoers is handled
+One of the major differences between LDAP and file-based
+.Em sudoers
+is that in LDAP,
+.Nm sudo Ns -specific
+Aliases are not supported.
+.Pp
+For the most part, there is little need for
+.Nm sudo Ns -specific
+Aliases.
+Unix groups, non-Unix groups (via the
+.Em group_plugin )
+or user netgroups can be used in place of User_Aliases and Runas_Aliases.
+Host netgroups can be used in place of Host_Aliases.
+Since groups and netgroups can also be stored in LDAP there is no real need for
+.Nm sudo Ns -specific
+aliases.
+.Pp
+There are also some subtle differences in the way sudoers is handled
once in LDAP.
Probably the biggest is that according to the RFC, LDAP ordering
is arbitrary and you cannot expect that Attributes and Entries are
sudoCommand: ALL
.Ed
.Pp
-Another difference is that negations on the Host, User or Runas are
-currently ignored.
+Another difference is that it is not possible to use negation in a
+sudoUser, sudoRunAsUser or sudoRunAsGroup attribute.
For example, the following attributes do not behave the way one might expect.
.Bd -literal -offset 4n
# does not match all but joe
# rather, matches everyone including Joe
sudoUser: ALL
sudoUser: !joe
+.Ed
+.Ss Converting between file-based and LDAP sudoers
+The
+.Xr cvtsudoers 1
+utility can be used to convert between file-based and LDAP
+.Em sudoers .
+However, there are features in the file-based sudoers that have
+no equivalent in LDAP-based sudoers (and vice versa).
+These cannot be converted automatically.
+.Pp
+For example, a Cmnd_Alias in a
+.Em sudoers
+file may be converted to a
+.Li sudoRole
+that contains multiple commands.
+Multiple users and/or groups may be assigned to the
+.Li sudoRole .
+.Pp
+Also, host, user, runas and command-based
+.Li Defaults
+entries are not supported.
+However, a
+.Li sudoRole
+may contain one or more
+.Li sudoOption
+attributes which can often serve the same purpose.
+.Pp
+Consider the following
+.Em sudoers
+lines:
+.Bd -literal -offset 4n
+Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
+Defaults!PAGERS noexec
+alice, bob ALL = ALL
+.Ed
+.Pp
+In this example, alice and bob are allowed to run all commands, but
+the commands listed in PAGERS will have the noexec flag set,
+preventing shell escapes.
+.Pp
+When converting this to LDAP, two sudoRole objects can be used:
+.Bd -literal -offset 4n
+dn: cn=PAGERS,ou=SUDOers,dc=my-domain,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: PAGERS
+sudoUser: alice
+sudoUser: bob
+sudoHost: ALL
+sudoCommand: /usr/bin/more
+sudoCommand: /usr/bin/pg
+sudoCommand: /usr/bin/less
+sudoOption: noexec
+sudoOrder: 900
-# does not match all but web01
-# rather, matches all hosts including web01
+dn: cn=ADMINS,ou=SUDOers,dc=my-domain,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: ADMINS
+sudoUser: alice
+sudoUser: bob
+sudoHost: ALL
+sudoCommand: ALL
+sudoOrder: 100
+.Ed
+.Pp
+In the LDAP version, the sudoOrder attribute is used to guarantee
+that the PAGERS sudoRole with
+.Em noexec
+has precedence.
+Unlike the
+.Em sudoers
+version, the LDAP version requires that all users for whom the restriction
+should apply be assigned to the PAGERS sudoRole.
+Using a Unix group or netgroup in PAGERS rather than listing each
+user would make this easier to maintain.
+.Pp
+Per-user
+.Li Defaults
+entries can be emulated by using one or more sudoOption attributes
+in a sudoRole.
+Consider the following
+.Em sudoers
+lines:
+.Bd -literal -offset 4n
+User_Alias ADMINS = john, sally
+Defaults:ADMINS !authenticate
+ADMINS ALL = (ALL:ALL) ALL
+.Ed
+.Pp
+In this example, john and sally are allowed to run any command
+as any user or group.
+.Pp
+When converting this to LDAP, we can use a Unix group instead
+of the User_Alias.
+.Bd -literal -offset 4n
+dn: cn=admins,ou=SUDOers,dc=my-domain,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: admins
+sudoUser: %admin
sudoHost: ALL
-sudoHost: !web01
+sudoRunAsUser: ALL
+sudoRunAsGroup: ALL
+sudoCommand: ALL
+sudoOption: !authenticate
.Ed
+.Pp
+This assumes that users john and sally are members of the
+.Dq admins
+Unix group.
.Ss Sudoers schema
In order to use
.Nm sudo Ns 's
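Review bot: `sudoUser: %admin` in the last example disagrees with the prose that follows it, which says john and sally must be members of the "admins" Unix group; one of the two is wrong, so either change the attribute to `sudoUser: %admins` or the prose to "admin". Two smaller points in the same section: the PAGERS paragraph says sudoOrder is used to "guarantee" that the noexec role has precedence but never says why 900 beats 100; add that the matching entry with the highest sudoOrder is applied last, mirroring the file's last-match rule, otherwise a reader may assume lower values win. And "preventing shell escapes" overstates noexec, which sudoers(5) documents as applying only to dynamically linked executables; "intended to prevent shell escapes" is the safer wording.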
.It Sy NETGROUP_BASE Ar base
The base DN to use when performing LDAP netgroup queries.
Typically this is of the form
-.Li ou=netgroup,dc=example,dc=com
+.Li ou=netgroup,dc=my-domain,dc=com
for the domain
-.Li example.com .
+.Li my-domain.com .
Multiple
.Sy NETGROUP_BASE
lines may be specified, in which case they are queried in the order specified.
.Nm sudo
LDAP queries.
Typically this is of the form
-.Li ou=SUDOers,dc=example,dc=com
+.Li ou=SUDOers,dc=my-domain,dc=com
for the domain
-.Li example.com .
+.Li my-domain.com .
Multiple
.Sy SUDOERS_BASE
lines may be specified, in which case they are queried in the order specified.
timelimit 30
#
# Must be set or sudo will ignore LDAP; may be specified multiple times.
-sudoers_base ou=SUDOers,dc=example,dc=com
+sudoers_base ou=SUDOers,dc=my-domain,dc=com
#
# verbose sudoers matching from ldap
#sudoers_debug 2
)
.Ed
.Sh SEE ALSO
+.Xr cvtsudoers 1 ,
.Xr ldap.conf @mansectform@ ,
.Xr sssd-sudo @mansectform@ ,
.Xr sudo.conf @mansectform@ ,