tls_ examples

diff --git a/README.LDAP b/README.LDAP
index 2849152359dc9afd8b37a541a4b4b2c685a4ec6d..bb6f3eb0f2aa8a5f54d2226c6694516cb56a0934 100644 (file)
--- a/README.LDAP
+++ b/README.LDAP
@@ -247,6 +247,7 @@ when you imported the sudoers.  Below is an example /etc/ldap.conf
   # but only works with LDAP SDK's that support
   # ldap_initialize() such as OpenLDAP
   uri            ldap://ldapserver
+  #uri            ldaps://secureldapserver
   #
   # must be set or sudo will ignore LDAP
   sudoers_base   ou=SUDOers,dc=example,dc=com
@@ -265,6 +266,39 @@ when you imported the sudoers.  Below is an example /etc/ldap.conf
   # encryption before the bind credentials are sent
   #ssl start_tls
   #
+  # Additional TLS options follow that allow tweaking
+  # of the SSL/TLS connection
+  #
+  #tls_checkpeer yes # verify server SSL certificate
+  #tls_checkpeer no  # ignore server SSL certificate
+  #
+  # If you enable tls_checkpeer, specify either tls_cacertfile
+  # or tls_cacertdir.
+  #
+  #tls_cacertfile /etc/certs/trusted_signers.pem
+  #tls_cacertdir  /etc/certs
+  #
+  # For systems that don't have /dev/random
+  # use this along with PRNGD or EGD.pl to seed the
+  # random number pool to generate cryptographic session keys.
+  #
+  #tls_randfile /etc/egd-pool
+  #
+  # You may restrict which ciphers are used.  Consult your SSL
+  # documentation for which options go here.
+  #
+  #tls_ciphers <cipher-list>
+  #
+  # Sudo can provide a client certificate when communicating to
+  # the LDAP server.
+  # Tips:
+  #   * Enable both lines at the same time.
+  #   * Do not password protect the key file.
+  #   * Ensure the keyfile is only readable by root.
+  #
+  #tls_cert /etc/certs/client_cert.pem
+  #tls_key  /etc/certs/client_key.pem
+  #
 
 Debugging your LDAP configuration
 =================================