-1.7.3rc1 June 25, 2010 1
+1.7.3rc1 June 28, 2010 1
-1.7.3rc1 June 25, 2010 2
+1.7.3rc1 June 28, 2010 2
-1.7.3rc1 June 25, 2010 3
+1.7.3rc1 June 28, 2010 3
-1.7.3rc1 June 25, 2010 4
+1.7.3rc1 June 28, 2010 4
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- s\bsu\bud\bdo\bo will connect to l\blo\boc\bca\bal\blh\bho\bos\bst\bt. Only systems using the OpenSSL
- libraries support the mixing of ldap:// and ldaps:// URIs. The
- Netscape-derived libraries used on most commercial versions of Unix
- are only capable of supporting one or the other.
+ s\bsu\bud\bdo\bo will connect to l\blo\boc\bca\bal\blh\bho\bos\bst\bt. Multiple U\bUR\bRI\bI lines are treated
+ identically to a U\bUR\bRI\bI line containing multiple entries. Only
+ systems using the OpenSSL libraries support the mixing of ldap://
+ and ldaps:// URIs. The Netscape-derived libraries used on most
+ commercial versions of Unix are only capable of supporting one or
+ the other.
H\bHO\bOS\bST\bT name[:port] ...
If no U\bUR\bRI\bI is specified, the H\bHO\bOS\bST\bT parameter specifies a whitespace-
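Review bot: the sentence added to the URI paragraph ("Multiple URI lines are treated identically to a URI line containing multiple entries") settles how the lines combine but not how the combined list is used: neither form says whether the servers are tried in the order listed or whether a failed connection falls through to the next entry, which is exactly what an administrator configuring a primary/backup pair needs to know. It is also placed before the caveat that only OpenSSL-based builds can mix ldap:// and ldaps:// URIs; make explicit that the restriction applies to the combined list across all URI lines, not just to the entries on one line.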
identity. By default, most LDAP servers will allow anonymous
access.
- B\bBI\bIN\bND\bDP\bPW\bW secret
- The B\bBI\bIN\bND\bDP\bPW\bW parameter specifies the password to use when performing
- LDAP operations. This is typically used in conjunction with the
-1.7.3rc1 June 25, 2010 5
+
+1.7.3rc1 June 28, 2010 5
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ B\bBI\bIN\bND\bDP\bPW\bW secret
+ The B\bBI\bIN\bND\bDP\bPW\bW parameter specifies the password to use when performing
+ LDAP operations. This is typically used in conjunction with the
B\bBI\bIN\bND\bDD\bDN\bN parameter.
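Review bot: the BINDPW text moved across the page-5 break is unchanged, but since this hunk already rewrites it, the description should say that the password is kept in cleartext in ldap.conf and that the file must therefore be readable only by root; as written it only says the password is "typically used in conjunction with the BINDDN parameter" and never tells the reader to protect it.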
R\bRO\bOO\bOT\bTB\bBI\bIN\bND\bDD\bDN\bN DN
used to authenticate the client to the LDAP server. The
certificate type depends on the LDAP libraries used.
- OpenLDAP:
- tls_cert /etc/ssl/client_cert.pem
-
-1.7.3rc1 June 25, 2010 6
+1.7.3rc1 June 28, 2010 6
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ OpenLDAP:
+ tls_cert /etc/ssl/client_cert.pem
+
Netscape-derived:
tls_cert /var/ldap/cert7.db
The path to the Kerberos 5 credential cache to use when
authenticating with the remote server.
- See the ldap.conf entry in the EXAMPLES section.
-
-
-1.7.3rc1 June 25, 2010 7
+1.7.3rc1 June 28, 2010 7
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ See the ldap.conf entry in the EXAMPLES section.
+
C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg n\bns\bss\bsw\bwi\bit\btc\bch\bh.\b.c\bco\bon\bnf\bf
Unless it is disabled at build time, s\bsu\bud\bdo\bo consults the Name Service
Switch file, _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf, to specify the _\bs_\bu_\bd_\bo_\be_\br_\bs search order.
sudoers = ldap = auth, files
- Note that in the above example, the auth qualfier only affects user
-
-1.7.3rc1 June 25, 2010 8
+1.7.3rc1 June 28, 2010 8
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ Note that in the above example, the auth qualfier only affects user
lookups; both LDAP and _\bs_\bu_\bd_\bo_\be_\br_\bs will be queried for Defaults entries.
If the _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf file is not present or there is no sudoers
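Review bot: the line moved across the page-8 break still reads "the auth qualfier only affects user lookups"; since the hunk rewrites the line anyway, correct the typo to "qualifier" here, and in the .pod source the cat page is generated from, so the fix survives the next regeneration.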
#
# Define if you want to use an encrypted LDAP connection.
# Typically, you must also set the port to 636 (ldaps).
- #ssl on
-1.7.3rc1 June 25, 2010 9
+1.7.3rc1 June 28, 2010 9
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ #ssl on
#
# Define if you want to use port 389 and switch to
# encryption before the bind credentials are sent.
#
# The certificate database specified by tls_cert may contain CA certs
# and/or the client's cert. If the client's cert is included, tls_key
- # should be specified as well.
-1.7.3rc1 June 25, 2010 10
+1.7.3rc1 June 28, 2010 10
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ # should be specified as well.
# For backward compatibility, "sslpath" may be used in place of tls_cert.
#tls_cert /var/ldap
#tls_key /var/ldap
NAME 'sudoRunAsUser'
DESC 'User(s) impersonated by sudo'
EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-1.7.3rc1 June 25, 2010 11
+1.7.3rc1 June 28, 2010 11
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.7
NAME 'sudoRunAsGroup'
-
-1.7.3rc1 June 25, 2010 12
+1.7.3rc1 June 28, 2010 12
.\" ========================================================================
.\"
.IX Title "SUDOERS.LDAP @mansectform@"
-.TH SUDOERS.LDAP @mansectform@ "June 25, 2010" "1.7.3rc1" "MAINTENANCE COMMANDS"
+.TH SUDOERS.LDAP @mansectform@ "June 28, 2010" "1.7.3rc1" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.IP "\fB\s-1URI\s0\fR ldap[s]://[hostname[:port]] ..." 4
.IX Item "URI ldap[s]://[hostname[:port]] ..."
Specifies a whitespace-delimited list of one or more URIs describing
-the \s-1LDAP\s0 server(s) to connect to. The \fIprotocol\fR may be either \fBldap\fR
-or \fBldaps\fR, the latter being for servers that support \s-1TLS\s0 (\s-1SSL\s0)
-encryption. If no \fIport\fR is specified, the default is port 389 for
-\&\f(CW\*(C`ldap://\*(C'\fR or port 636 for \f(CW\*(C`ldaps://\*(C'\fR. If no \fIhostname\fR is specified,
-\&\fBsudo\fR will connect to \fBlocalhost\fR. Only systems using the OpenSSL
-libraries support the mixing of \f(CW\*(C`ldap://\*(C'\fR and \f(CW\*(C`ldaps://\*(C'\fR URIs.
-The Netscape-derived libraries used on most commercial versions of
-Unix are only capable of supporting one or the other.
+the \s-1LDAP\s0 server(s) to connect to. The \fIprotocol\fR may be either
+\&\fBldap\fR or \fBldaps\fR, the latter being for servers that support \s-1TLS\s0
+(\s-1SSL\s0) encryption. If no \fIport\fR is specified, the default is port
+389 for \f(CW\*(C`ldap://\*(C'\fR or port 636 for \f(CW\*(C`ldaps://\*(C'\fR. If no \fIhostname\fR
+is specified, \fBsudo\fR will connect to \fBlocalhost\fR. Multiple \fB\s-1URI\s0\fR
+lines are treated identically to a \fB\s-1URI\s0\fR line containing multiple
+entries. Only systems using the OpenSSL libraries support the
+mixing of \f(CW\*(C`ldap://\*(C'\fR and \f(CW\*(C`ldaps://\*(C'\fR URIs. The Netscape-derived
+libraries used on most commercial versions of Unix are only capable
+of supporting one or the other.
.IP "\fB\s-1HOST\s0\fR name[:port] ..." 4
.IX Item "HOST name[:port] ..."
If no \fB\s-1URI\s0\fR is specified, the \fB\s-1HOST\s0\fR parameter specifies a
=item B<URI> ldap[s]://[hostname[:port]] ...
Specifies a whitespace-delimited list of one or more URIs describing
-the LDAP server(s) to connect to. The I<protocol> may be either B<ldap>
-or B<ldaps>, the latter being for servers that support TLS (SSL)
-encryption. If no I<port> is specified, the default is port 389 for
-C<ldap://> or port 636 for C<ldaps://>. If no I<hostname> is specified,
-B<sudo> will connect to B<localhost>. Only systems using the OpenSSL
-libraries support the mixing of C<ldap://> and C<ldaps://> URIs.
-The Netscape-derived libraries used on most commercial versions of
-Unix are only capable of supporting one or the other.
+the LDAP server(s) to connect to. The I<protocol> may be either
+B<ldap> or B<ldaps>, the latter being for servers that support TLS
+(SSL) encryption. If no I<port> is specified, the default is port
+389 for C<ldap://> or port 636 for C<ldaps://>. If no I<hostname>
+is specified, B<sudo> will connect to B<localhost>. Multiple B<URI>
+lines are treated identically to a B<URI> line containing multiple
+entries. Only systems using the OpenSSL libraries support the
+mixing of C<ldap://> and C<ldaps://> URIs. The Netscape-derived
+libraries used on most commercial versions of Unix are only capable
+of supporting one or the other.
=item B<HOST> name[:port] ...
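Review bot: the rewrap of the unchanged sentences around the one new sentence turns a single-line addition into a whole-paragraph diff in this .pod hunk and again in the generated nroff and cat-page hunks above; keeping the original line breaks (or rewrapping in a separate commit) would let a reviewer see the actual change at a glance. While editing this source, "a B<URI> line containing multiple entries" reads more precisely as "a single B<URI> line containing multiple entries", which is what the sentence means.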