From: Todd C. Miller Date: Sat, 15 Sep 2012 18:00:30 +0000 (-0400) Subject: Document non-Unix group support in LDAP sudoers. X-Git-Tag: SUDO_1_8_7~1^2~395 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=3c34c0a4b84e053cf2deb5736167cb2ebddf960f;p=sudo Document non-Unix group support in LDAP sudoers. --- diff --git a/doc/sudoers.cat b/doc/sudoers.cat index 12be154ce..1ecc8a66b 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat @@ -186,8 +186,8 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT '!'* %:#nonunix_gid | '!'* User_Alias - A User_List is made up of one or more user names, user ids (prefixed with - `#'), system group names and ids (prefixed with `%' and `%#' + A User_List is made up of one or more user names, user IDs (prefixed with + `#'), system group names and IDs (prefixed with `%' and `%#' respectively), netgroups (prefixed with `+'), non-Unix group names and IDs (prefixed with `%:' and `%:#' respectively) and User_Aliases. Each list item may be prefixed with zero or more `!' operators. An odd number @@ -2078,4 +2078,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for complete details. -Sudo 1.8.6 July 16, 2012 Sudo 1.8.6 +Sudo 1.8.6 September 15, 2012 Sudo 1.8.6 diff --git a/doc/sudoers.ldap.cat b/doc/sudoers.ldap.cat index 8d640a83f..afdce4268 100644 --- a/doc/sudoers.ldap.cat +++ b/doc/sudoers.ldap.cat 
@@ -37,10 +37,10 @@ DDEESSCCRRIIPPTTIIOONN LDAP, ssuuddoo-specific Aliases are not supported. For the most part, there is really no need for ssuuddoo-specific Aliases. - Unix groups or user netgroups can be used in place of User_Aliases and - Runas_Aliases. Host netgroups can be used in place of Host_Aliases. - Since Unix groups and netgroups can also be stored in LDAP there is no - real need for ssuuddoo-specific aliases. + Unix groups, non-Unix groups (via the _g_r_o_u_p___p_l_u_g_i_n) or user netgroups can + be used in place of User_Aliases and Runas_Aliases. Host netgroups can + be used in place of Host_Aliases. Since groups and netgroups can also be + stored in LDAP there is no real need for ssuuddoo-specific aliases. Cmnd_Aliases are not really required either since it is possible to have multiple users listed in a sudoRole. Instead of defining a Cmnd_Alias @@ -67,9 +67,12 @@ DDEESSCCRRIIPPTTIIOONN following attributes: ssuuddooUUsseerr - A user name, user ID (prefixed with `#'), Unix group (prefixed with - `%'), Unix group ID (prefixed with `%#'), or user netgroup - (prefixed with `+'). + A user name, user ID (prefixed with `#'), Unix group name or ID + (prefixed with `%' or `%#' respectively), user netgroup (prefixed + with `+'), or non-Unix group name or ID (prefixed with `%:' or + `%:#' respectively). Non-Unix group support is only available when + an appropriate _g_r_o_u_p___p_l_u_g_i_n is defined in the global _d_e_f_a_u_l_t_s + sudoRole object. ssuuddooHHoosstt A host name, IP address, IP network, or host netgroup (prefixed diff --git a/doc/sudoers.ldap.man.in b/doc/sudoers.ldap.man.in index 22f3c518a..b7e6e4548 100644 --- a/doc/sudoers.ldap.man.in +++ b/doc/sudoers.ldap.man.in 
@@ -86,11 +86,11 @@ Aliases are not supported. For the most part, there is really no need for \fBsudo\fR-specific Aliases. -Unix groups or user netgroups can be used in place of User_Aliases and -Runas_Aliases. +Unix groups, non-Unix groups (via the +\fIgroup_plugin\fR) +or user netgroups can be used in place of User_Aliases and Runas_Aliases. Host netgroups can be used in place of Host_Aliases. -Since Unix groups and netgroups can also be stored in LDAP there is no -real need for +Since groups and netgroups can also be stored in LDAP there is no real need for \fBsudo\fR-specific aliases. .PP @@ -139,12 +139,23 @@ It consists of the following attributes: \fBsudoUser\fR A user name, user ID (prefixed with `#'), -Unix group (prefixed with -`%'), -Unix group ID (prefixed with -`%#'), -or user netgroup (prefixed with -`+'). +Unix group name or ID (prefixed with +`%' +or +`%#' +respectively), user netgroup (prefixed with +`+'), +or non-Unix group name or ID (prefixed with +`%:' +or +`%:#' +respectively). +Non-Unix group support is only available when an appropriate +\fIgroup_plugin\fR +is defined in the global +\fIdefaults\fR +\fRsudoRole\fR +object. .TP 6n \fBsudoHost\fR A host name, IP address, IP network, or host netgroup (prefixed with a diff --git a/doc/sudoers.ldap.mdoc.in b/doc/sudoers.ldap.mdoc.in index 68d7dcd2f..bce81f868 100644 --- a/doc/sudoers.ldap.mdoc.in +++ b/doc/sudoers.ldap.mdoc.in 
@@ -82,11 +82,11 @@ Aliases are not supported. For the most part, there is really no need for .Nm sudo Ns No -specific Aliases. -Unix groups or user netgroups can be used in place of User_Aliases and -Runas_Aliases. +Unix groups, non-Unix groups (via the +.Em group_plugin ) +or user netgroups can be used in place of User_Aliases and Runas_Aliases. Host netgroups can be used in place of Host_Aliases. -Since Unix groups and netgroups can also be stored in LDAP there is no -real need for +Since groups and netgroups can also be stored in LDAP there is no real need for .Nm sudo Ns No -specific aliases. .Pp @@ -132,12 +132,23 @@ It consists of the following attributes: .It Sy sudoUser A user name, user ID (prefixed with .Ql # ) , -Unix group (prefixed with -.Ql % ) , -Unix group ID (prefixed with -.Ql %# ) , -or user netgroup (prefixed with -.Ql + ) . +Unix group name or ID (prefixed with +.Ql % +or +.Ql %# +respectively), user netgroup (prefixed with +.Ql + ) , +or non-Unix group name or ID (prefixed with +.Ql %: +or +.Ql %:# +respectively). +Non-Unix group support is only available when an appropriate +.Em group_plugin +is defined in the global +.Em defaults +.Li sudoRole +object. .It Sy sudoHost A host name, IP address, IP network, or host netgroup (prefixed with a .Ql + ) . diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index 065f52e3f..703ad2d83 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in @@ -21,7 +21,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.TH "SUDOERS" "@mansectsu@" "July 16, 2012" "Sudo @PACKAGE_VERSION@" "Programmer's Manual" +.TH "SUDOERS" "@mansectsu@" "September 15, 2012" "Sudo @PACKAGE_VERSION@" "Programmer's Manual" .nh .if n .ad l .SH "NAME" 
@@ -451,10 +451,10 @@ User ::= '!'* user name | .PP A \fRUser_List\fR -is made up of one or more user names, user ids +is made up of one or more user names, user IDs (prefixed with `#'), -system group names and ids (prefixed with +system group names and IDs (prefixed with `%' and `%#' diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in index fe65e763d..cf0d1da6f 100644 --- a/doc/sudoers.mdoc.in +++ b/doc/sudoers.mdoc.in @@ -19,7 +19,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.Dd July 16, 2012 +.Dd September 15, 2012 .Dt SUDOERS @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -437,10 +437,10 @@ User ::= '!'* user name | .Pp A .Li User_List -is made up of one or more user names, user ids +is made up of one or more user names, user IDs (prefixed with .Ql # ) , -system group names and ids (prefixed with +system group names and IDs (prefixed with .Ql % and .Ql %#
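Review bot: in the DESCRIPTION hunk of doc/sudoers.ldap.mdoc.in (@@ -82,11 +82,11 @@), dropping "Unix" from "Since Unix groups and netgroups can also be stored in LDAP" widens the sentence to the non-Unix groups introduced two lines earlier. Those are resolved through the group_plugin, and nothing in the changed text says they are stored in LDAP. Suggest keeping the claim scoped to Unix groups and netgroups, or rewording it to say that non-Unix groups come from whatever source the plugin queries. The same wording appears in the mirrored hunks of sudoers.ldap.man.in and sudoers.ldap.cat.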
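Review bot: in the sudoUser hunk of doc/sudoers.ldap.mdoc.in (@@ -132,12 +132,23 @@), the new sentence "Non-Unix group support is only available when an appropriate group_plugin is defined in the global defaults sudoRole object" leaves open what happens to a sudoUser value prefixed with `%:` or `%:#` when no plugin is defined. For an access-control manual this should be explicit: state whether such an entry simply never matches, and add a cross-reference to where group_plugin is documented, so an administrator can tell a rule that does not apply from one that is misconfigured. The mirrored hunks in sudoers.ldap.man.in and sudoers.ldap.cat need the same addition.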
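Review bot: the date bump in doc/sudoers.mdoc.in (@@ -19,7 +19,7 @@, `.Dd September 15, 2012`) does not cover the pages that carry the new text. The `.Dd` line here, the `.TH` line in sudoers.man.in and the footer of sudoers.cat all move from July 16, 2012 to September 15, 2012, yet the only content change in those files is "ids" to "IDs", while the sudoers.ldap.* hunks, which document the new `%:` and `%:#` prefixes, show no date change. Suggest bumping `.Dd` and `.TH` in sudoers.ldap.mdoc.in and sudoers.ldap.man.in and regenerating sudoers.ldap.cat, and mentioning the capitalization cleanup in the commit message, since the subject line only refers to LDAP sudoers.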