From: Todd C. Miller Date: Fri, 30 Aug 2013 20:27:26 +0000 (-0600) Subject: Document comment character in ldap.conf X-Git-Tag: SUDO_1_8_8^2~20 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=55ea043a9b7f6693adc1eca0b7f38bb6d1215f40;p=sudo Document comment character in ldap.conf Clarify what is and is not supported in TLS_KEYPW Mention that gsk8capicmd can be used to create a stash file --- diff --git a/doc/sudoers.ldap.cat b/doc/sudoers.ldap.cat index 9f774756f..2030af1eb 100644 --- a/doc/sudoers.ldap.cat +++ b/doc/sudoers.ldap.cat @@ -285,6 +285,8 @@ DDEESSCCRRIIPPTTIIOONN by ssuuddoo are honored. Configuration options are listed below in upper case but are parsed in a case-independent manner. + The pound sign (`#') is used to indicate a comment. Both the comment + character and any text after it, up to the end of the line, are ignored. Long lines can be continued with a backslash (`\') as the last character on the line. Note that leading white space is removed from the beginning of lines even when the continuation character is used. 
@@ -472,13 +474,21 @@ DDEESSCCRRIIPPTTIIOONN TTLLSS__KKEEYYPPWW _s_e_c_r_e_t The TTLLSS__KKEEYYPPWW contains the password used to decrypt the key database on clients using the Tivoli Directory Server LDAP library. + This should be a simple string without quotes. The password may + not include the comment character (`#') and escaping of special + characters with a backslash (`\') is not supported. If this option + is used, _/_e_t_c_/_l_d_a_p_._c_o_n_f must not be world-readable to avoid + exposing the password. Alternately, a _s_t_a_s_h _f_i_l_e can be used to + store the password in encrypted form (see below). + If no TTLLSS__KKEEYYPPWW is specified, a _s_t_a_s_h _f_i_l_e will be used if it exists. The _s_t_a_s_h _f_i_l_e must have the same path as the file specified by TTLLSS__KKEEYY, but use a .sth file extension instead of .kdb, e.g. ldapkey.sth. The default ldapkey.kdb that ships with Tivoli Directory Server is encrypted with the password - ssl_password. This option is only supported by the Tivoli LDAP - libraries. + ssl_password. The _g_s_k_8_c_a_p_i_c_m_d utility can be used to manage the + key database and create a _s_t_a_s_h _f_i_l_e. This option is only + supported by the Tivoli LDAP libraries. TTLLSS__RRAANNDDFFIILLEE _f_i_l_e _n_a_m_e The TTLLSS__RRAANNDDFFIILLEE parameter specifies the path to an entropy source @@ -800,4 +810,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for complete details. -Sudo 1.8.8 August 19, 2013 Sudo 1.8.8 +Sudo 1.8.8 August 30, 2013 Sudo 1.8.8 diff --git a/doc/sudoers.ldap.man.in b/doc/sudoers.ldap.man.in index 7182ab985..ec27f1359 100644 --- a/doc/sudoers.ldap.man.in +++ b/doc/sudoers.ldap.man.in 
@@ -16,7 +16,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.TH "SUDOERS.LDAP" "8" "August 19, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD System Manager's Manual" +.TH "SUDOERS.LDAP" "8" "August 30, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD System Manager's Manual" .nh .if n .ad l .SH "NAME" @@ -513,6 +513,11 @@ are honored. Configuration options are listed below in upper case but are parsed in a case-independent manner. .PP +The pound sign +(`#') +is used to indicate a comment. +Both the comment character and any text after it, up to the end of +the line, are ignored. Long lines can be continued with a backslash (`\e') as the last character on the line. @@ -837,6 +842,19 @@ The \fBTLS_KEYPW\fR contains the password used to decrypt the key database on clients using the Tivoli Directory Server LDAP library. +This should be a simple string without quotes. +The password may not include the comment character +(`#') +and escaping of special characters with a backslash +(`\e') +is not supported. +If this option is used, +\fI@ldap_conf@\fR +must not be world-readable to avoid exposing the password. +Alternately, a +\fIstash file\fR +can be used to store the password in encrypted form (see below). +.sp If no \fBTLS_KEYPW\fR is specified, a @@ -856,6 +874,10 @@ The default \fRldapkey.kdb\fR that ships with Tivoli Directory Server is encrypted with the password \fRssl_password\fR. +The +\fIgsk8capicmd\fR +utility can be used to manage the key database and create a +\fIstash file\fR. This option is only supported by the Tivoli LDAP libraries. .PD .TP 6n diff --git a/doc/sudoers.ldap.mdoc.in b/doc/sudoers.ldap.mdoc.in index a3cfe0812..70f70a19d 100644 --- a/doc/sudoers.ldap.mdoc.in +++ b/doc/sudoers.ldap.mdoc.in 
@@ -14,7 +14,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd August 19, 2013 +.Dd August 30, 2013 .Dt SUDOERS.LDAP @mansectsu@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -482,6 +482,11 @@ are honored. Configuration options are listed below in upper case but are parsed in a case-independent manner. .Pp +The pound sign +.Pq Ql # +is used to indicate a comment. +Both the comment character and any text after it, up to the end of +the line, are ignored. Long lines can be continued with a backslash .Pq Ql \e as the last character on the line. @@ -769,6 +774,19 @@ The .Sy TLS_KEYPW contains the password used to decrypt the key database on clients using the Tivoli Directory Server LDAP library. +This should be a simple string without quotes. +The password may not include the comment character +.Pq Ql # +and escaping of special characters with a backslash +.Pq Ql \e +is not supported. +If this option is used, +.Pa @ldap_conf@ +must not be world-readable to avoid exposing the password. +Alternately, a +.Em stash file +can be used to store the password in encrypted form (see below). +.Pp If no .Sy TLS_KEYPW is specified, a @@ -788,6 +806,10 @@ The default .Li ldapkey.kdb that ships with Tivoli Directory Server is encrypted with the password .Li ssl_password . +The +.Em gsk8capicmd +utility can be used to manage the key database and create a +.Em stash file . This option is only supported by the Tivoli LDAP libraries. .It Sy TLS_RANDFILE Ar file name The
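Review bot: The new comment-character paragraph (the `+The pound sign` hunks in doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in and doc/sudoers.ldap.mdoc.in) leaves two parsing questions open that the following sentences raise. First, it says any text after `#` up to end of line is ignored, while the TLS_KEYPW paragraph in the same files singles that option out as "a simple string without quotes", which implies other options may take quoted values; state whether a `#` inside a quoted value is also treated as a comment. Second, the paragraph sits directly before the backslash continuation rule, so say whether a comment line ending in `\` continues onto the next line or whether the comment swallows the continuation character too. A single sentence after "are ignored." covering both cases would settle it, e.g. "This applies even inside quoted values; a comment line cannot be continued with a backslash." (adjust to whatever the parser actually does).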
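Review bot: The TLS_KEYPW hunks (`+This should be a simple string without quotes.` through `+can be used to store the password in encrypted form (see below).`, in all three files) warn that @ldap_conf@ must not be world-readable when the password is set inline, but give no equivalent guidance for the .sth stash file they recommend as the alternative. The stash file unlocks the same key database, so a reader could reasonably move the secret there and leave the .sth file with default permissions; suggest adding, next to the new gsk8capicmd sentence, that the stash file must be protected with the same permissions as @ldap_conf@ (readable only by the user that runs the LDAP lookups, typically root). Minor wording point in the same hunk: "Alternately" means "by turns"; "Alternatively" is the intended sense.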