From: Todd C. Miller Date: Fri, 9 Nov 2018 17:38:49 +0000 (-0700) Subject: OpenLDAP schema file for Sudo in on-line configuration (OLC) format. X-Git-Tag: SUDO_1_8_26^2~2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=5e098a782d564dbeb700a1bfe56462ee900a5e88;p=sudo OpenLDAP schema file for Sudo in on-line configuration (OLC) format. From Frederic Pasteleurs. --- diff --git a/MANIFEST b/MANIFEST index 2176f6c22..ad7142f14 100644 --- a/MANIFEST +++ b/MANIFEST @@ -28,6 +28,7 @@ doc/fixmdoc.sh doc/schema.ActiveDirectory doc/schema.OpenLDAP doc/schema.iPlanet +doc/schema.olcSudo doc/sudo.cat doc/sudo.conf.cat doc/sudo.conf.man.in diff --git a/README.LDAP b/README.LDAP index 6580ee2fc..4680d43a5 100644 --- a/README.LDAP +++ b/README.LDAP @@ -57,9 +57,11 @@ Schema Changes You must add the appropriate schema to your LDAP server before it can store sudoers content. -For OpenLDAP, copy the file schema.OpenLDAP to the schema directory -(e.g. /etc/openldap/schema). You must then edit your slapd.conf and -add an include line the new schema, e.g. +For OpenLDAP, there are two options, depending on how slapd is configured. + +The first option is to copy the file schema.OpenLDAP to the schema +directory (e.g. /etc/openldap/schema). You must then edit your +slapd.conf and add an include line the new schema, e.g. # Sudo LDAP schema include /etc/openldap/schema/sudo.schema 
@@ -72,6 +74,22 @@ the attribute 'sudoUser', e.g. After making the changes to slapd.conf, restart slapd. +The second option is only for OpenLDAP 2.3 and higher where slapd.conf +has been configured to use on-line configuration. If your slapd.conf +file includes the line: + + database config + +it should be possible to use the schema.olcSudo file. + +You can apply schema.olcSudo using the ldapadd utility or another +suitable LDAP browser. For example: + + # ldapadd -f schema.olcSudo -H ldap://ldapserver -W -x \ + -D cn=Manager,dc=example,dc=com + +There is no need to restart slapd when updating on-line configuration. + For Netscape-derived LDAP servers such as SunONE, iPlanet or Fedora Directory, copy the schema.iPlanet file to the schema directory with the name 99sudo.ldif. @@ -118,7 +136,7 @@ Import into your directory server. The following example is for OpenLDAP. If you are using another directory, provide the LDIF file to your LDAP Administrator. - # ldapadd -f /tmp/sudoers.ldif -h ldapserver \ + # ldapadd -f /tmp/sudoers.ldif -H ldap://ldapserver \ -D cn=Manager,dc=example,dc=com -W -x Step 3: diff --git a/doc/CONTRIBUTORS b/doc/CONTRIBUTORS index a8329c076..9922dd621 100644 --- a/doc/CONTRIBUTORS +++ b/doc/CONTRIBUTORS @@ -109,6 +109,7 @@ you believe you should be listed, please send a note to sudo@sudo.ws. Ouellet, Jean-Philippe Paquet, Eric Paradis, Chantal + Pasteleurs, Frederic Percival, Ted Perera, Andres Peron, Christian S.J. diff --git a/doc/schema.OpenLDAP b/doc/schema.OpenLDAP index c7a77e8de..e1d525f84 100644 --- a/doc/schema.OpenLDAP +++ b/doc/schema.OpenLDAP @@ -1,6 +1,7 @@ # # OpenLDAP schema file for Sudo -# Save as /etc/openldap/schema/sudo.schema +# Save as /etc/openldap/schema/sudo.schema and restart slapd. +# For a version that uses online configuration, see schema.olcSudo. # attributetype ( 1.3.6.1.4.1.15953.9.1.1 diff --git a/doc/schema.olcSudo b/doc/schema.olcSudo new file mode 100644 index 000000000..8748dfc2a --- /dev/null 
+++ b/doc/schema.olcSudo 
@@ -0,0 +1,79 @@ +dn: cn=sudoschema,cn=schema,cn=config +objectClass: olcSchemaConfig +cn: sudoschema +# +# OpenLDAP schema file for Sudo in on-line configuration (OLC) format. +# Import using ldapadd or another suitable LDAP browser. +# Converted to OLC format by Frederic Pasteleurs +# +olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.1 + NAME 'sudoUser' + DESC 'User(s) who may run sudo' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +# +olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.2 + NAME 'sudoHost' + DESC 'Host(s) who may run sudo' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +# +olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.3 + NAME 'sudoCommand' + DESC 'Command(s) to be executed by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +# +olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.4 + NAME 'sudoRunAs' + DESC 'User(s) impersonated by sudo (deprecated)' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +# +olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.5 + NAME 'sudoOption' + DESC 'Options(s) followed by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +# +olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.6 + NAME 'sudoRunAsUser' + DESC 'User(s) impersonated by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +# +olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.7 + NAME 'sudoRunAsGroup' + DESC 'Group(s) impersonated by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +# +olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.8 + NAME 'sudoNotBefore' + DESC 'Start of time interval for which the entry is valid' + EQUALITY generalizedTimeMatch + ORDERING generalizedTimeOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) +# +olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.9 + NAME 'sudoNotAfter' + DESC 'End of time interval for which the entry is valid' + EQUALITY 
generalizedTimeMatch + ORDERING generalizedTimeOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) +# +olcattributeTypes: ( 1.3.6.1.4.1.15953.9.1.10 + NAME 'sudoOrder' + DESC 'an integer to order the sudoRole entries' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) +# +olcobjectclasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL + DESC 'Sudoer Entries' + MUST ( cn ) + MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoOrder $ sudoNotBefore $ sudoNotAfter $ + description ) + )
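Review bot: in the README.LDAP hunk that adds the "second option", the ldapadd example binds as cn=Manager,dc=example,dc=com, which is the rootdn of the data database and by default has no write access to cn=config, so the command as shown will fail with insufficient access on a stock OLC setup. Suggest either the form normally used by root on the server, "ldapadd -Y EXTERNAL -H ldapi:/// -f schema.olcSudo", or a sentence saying the bind DN must be the olcRootDN of the config database. Two smaller points in the same hunk: "add an include line the new schema" is rewritten but keeps the missing "for" (should read "add an include line for the new schema"), and the test "If your slapd.conf file includes the line: database config" will not match the common case where slapd.conf has been converted to the slapd.d directory and no longer exists; "if slapd is running from slapd.d (cn=config)" would cover both.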
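Review bot: the README.LDAP hunk that changes "-h ldapserver" to "-H ldap://ldapserver" is the right fix for the deprecated -h flag, but the resulting example still does a simple bind (-x -W) over plain ldap://, so the Manager password crosses the network in the clear. Since this is the one command every reader will copy, suggest "-H ldaps://ldapserver" or adding "-ZZ" to force STARTTLS, and the same applies to the schema.olcSudo ldapadd example added earlier in the file.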
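Review bot: in the new doc/schema.olcSudo, the sudoOrder definition uses "olcattributeTypes:" while the other nine attributes use "olcattributetypes:" (and the object class uses "olcobjectclasses:"). LDAP attribute descriptions are case-insensitive so slapd loads it either way, but one spelling throughout, preferably the canonical "olcAttributeTypes:" and "olcObjectClasses:", would avoid the appearance of a typo. The DESC strings carry over two wording slips from schema.OpenLDAP, "Options(s) followed by sudo" (should be "Option(s)") and "Host(s) who may run sudo" (should be "that may run"), which could be fixed here without changing the OIDs or matching rules. Finally, the header comment could mention that after ldapadd the entry is renamed to cn={N}sudoschema,cn=schema,cn=config, which is what an admin must search for or modify later, since the literal dn: given in the file will not exist.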