From: Todd C. Miller Date: Sat, 19 Jan 2008 20:06:09 +0000 (+0000) Subject: Beginnings of a sudoers.ldap man page. Currently, much of the information X-Git-Tag: SUDO_1_7_0~222 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=907be979cb6008cfcbdb1bc5adeb8688a86928e6;p=sudo Beginnings of a sudoers.ldap man page. Currently, much of the information is adapted from README.LDAP. --- diff --git a/Makefile.in b/Makefile.in index 7f043b695..2adc341a3 100644 --- a/Makefile.in +++ b/Makefile.in @@ -146,8 +146,9 @@ DISTFILES = $(SRCS) $(HDRS) ChangeLog HISTORY INSTALL INSTALL.configure \ mkinstalldirs pathnames.h.in sample.pam sample.syslog.conf \ sample.sudoers schema.OpenLDAP schema.iPlanet sudo.cat \ sudo.man.in sudo.pod sudo.psf sudo_usage.h.in sudoers sudoers.cat \ - sudoers.man.in sudoers.pod sudoers2ldif visudo.cat \ - visudo.man.in visudo.pod auth/API + sudoers.man.in sudoers.pod sudoers.ldap.cat sudoers.ldap.man.in \ + sudoers.ldap.pod sudoers2ldif visudo.cat visudo.man.in visudo.pod \ + auth/API BINFILES= ChangeLog HISTORY LICENSE README TODO TROUBLESHOOTING \ UPGRADE install-sh mkinstalldirs sample.syslog.conf sample.sudoers \ @@ -368,7 +369,16 @@ sudoers.man.in: $(srcdir)/sudoers.pod sudoers.man:: sudoers.man.in CONFIG_FILES=$@ CONFIG_HEADERS= sh ./config.status -sudoers.cat: sudoers.man +sudoers.ldap.cat: sudoers.ldap.man + +sudoers.ldap.man.in: $(srcdir)/sudoers.ldap.pod + @rm -f $(srcdir)/$@ + ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e 1d -e '/^=pod/q' -e 's/^/.\\" /p' sudoers.ldap.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectform --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudoers.ldap.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" >> $@ ) + +sudoers.ldap.man:: sudoers.ldap.man.in + CONFIG_FILES=$@ CONFIG_HEADERS= sh ./config.status + +sudoers.ldap.cat: sudoers.ldap.man @DEV@HISTORY: history.pod @DEV@ pod2text -l -i0 $> > $@ @@ -411,6 +421,7 @@ install-man: ln $(DESTDIR)$(mandirsu)/sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu) $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0444 @mansrcdir@/visudo.$(mantype) $(DESTDIR)$(mandirsu)/visudo.$(mansectsu) $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0444 @mansrcdir@/sudoers.$(mantype) $(DESTDIR)$(mandirform)/sudoers.$(mansectform) + @LDAP@$(INSTALL) -O $(install_uid) -G $(install_gid) -M 0444 @mansrcdir@/sudoers.ldap.$(mantype) $(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform) @MAN_POSTINSTALL@ check: @@ -425,7 +436,8 @@ mostlyclean: clean distclean: clean -rm -rf Makefile pathnames.h config.h config.status config.cache \ config.log libtool sudo_noexec.lo .libs $(GENERATED) \ - sudo.man sudoers.man visudo.man sudo_usage.h Makefile.binary + sudo.man sudoers.man sudoers.ldap.man visudo.man sudo_usage.h \ + Makefile.binary clobber: distclean diff --git a/sudoers.ldap.cat b/sudoers.ldap.cat new file mode 100644 index 000000000..569d68fef --- /dev/null +++ b/sudoers.ldap.cat @@ -0,0 +1,528 @@ + + + +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + + +NNAAMMEE + sudoers.ldap - sudo LDAP configuration + +DDEESSCCRRIIPPTTIIOONN + In addition to the standard _s_u_d_o_e_r_s file, ssuuddoo may be con- + figured via LAP. This can be especially useful for syn- + cronizing _s_u_d_o_e_r_s in a large, distributed environment. + + Using LDAP for _s_u_d_o_e_r_s has several benefits: + + +o ssuuddoo no longer needs to read _s_u_d_o_e_r_s in its entirety. + Parsing of _/_e_t_c_/_s_u_d_o_e_r_s requires the entire file to be + read. When LDAP is used, there are only two or three + LDAP queries per invocation. This makes it especially + fast and particularly usable in LDAP environments. + The first query is to parse global options (see + below). The second is to match against the user's + name and the groups that the user belongs to. (The + special ALL tag is matched in this query too.) If no + match is returned for the user's name and groups, a + third query returns all entries contain user netgroups + and checks to see if the user belongs to any of them. + + +o ssuuddoo no longer exits if there is a typo in _s_u_d_o_e_r_s. + It is not possible to load LDAP data into the server + that does not conform to the sudoers schema, so proper + syntax is guaranteed. It is still possible to have + typos in a user or host name, but this will not pre- + vent ssuuddoo from running. + + +o Options inside of entries now override global default + options. _/_e_t_c_/_s_u_d_o_e_r_s only supports default options + and limited options associated with user/host/commands + and aliases. The syntax is complicated and can be + difficult for users to understand. + + Sudo first looks for an entry called cn=default in the + SUDOers container. If found, the multi-valued sudoOp- + tion attribute is parsed the same way the global + Defaults line in _/_e_t_c_/_s_u_d_o_e_r_s is parsed. + + If, on the second or third query, a response contains + a sudoRole which matches against the user, host, and + command, then the matched object is scanned for a + additional options that override the top-level + defaults. See the example LDAP content below for more + information. + + +o vviissuuddoo is no longer needed. vviissuuddoo provides locking + and syntax checking of the _/_e_t_c_/_s_u_d_o_e_r_s file. Since + LDAP updates are atomic, locking is no longer neces- + sary. Because syntax is checked when the data is + inserted into LDAP, there is no need for a specialized + tool to check syntax. + + + +1.7 January 19, 2008 1 + + + + + +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + + + +o Aliases are no longer needed. User, Host, and Cmnd + Aliases were designed to simplify organization of + _s_u_d_o_e_r_s files and to improve readability. Since an + LDAP _s_u_d_o_e_r_s entry allows multiple values for each of + its attributes, and since most LDAP browsers are + graphical and easy to work with, these aliases are no + longer needed. + + If you wish to specify a large number of users into an + entry or wish to have similar entries with identical + users, then either use groups or user netgroups. + Alternately, they can all just be pasted into the LDAP + record. + + If you need to specify a large number of hosts in an + entry, use netgroups or IP address matches + (10.2.3.4/255.255.0.0). Alternately, they can all + just be pasted into the LDAP record. + + DDiiffffeerreenncceess bbeettwweeeenn LLDDAAPP aanndd nnoonn--LLDDAAPP ssuuddooeerrss + + There are some subtle differences in the way sudoers is + handled once in LDAP. Probably the biggest is that + according to the RFC, LDAP's ordering is arbitrary and you + cannot expect that Attributes and Entries are returned in + any order. If there are conflicting command rules on an + entry, the negative takes precedence. This is called + paranoid behavior (not necessarily the most specific + match). + + Here is an example: + + # /etc/sudoers: + # Allow all commands except shell + johnny ALL=(root) ALL,!/bin/sh + # Always allows all commands because ALL is matched last + puddles ALL=(root) !/bin/sh,ALL + + # LDAP equivalent of Johnny + # Allows all commands except shell + dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com + objectClass: sudoRole + objectClass: top + cn: role1 + sudoUser: johnny + sudoHost: ALL + sudoCommand: ALL + sudoCommand: !/bin/sh + + + + + + + + + +1.7 January 19, 2008 2 + + + + + +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + + + # LDAP equivalent of Puddles + # Notice that even though ALL comes last, it still behaves like + # role1 since the LDAP code assumes the more paranoid configuration + dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com + objectClass: sudoRole + objectClass: top + cn: role2 + sudoUser: puddles + sudoHost: ALL + sudoCommand: !/bin/sh + sudoCommand: ALL + + Another difference is that negations on the Host, User or + Runas are currently ignorred. For example, the following + attributes do not do what they might appear to do. + + # does not match all but joe + # rather, does not match anyone + sudoUser: !joe + + # does not match all but joe + # rather, matches everyone including Joe + sudoUser: ALL + sudoUser: !joe + + # does not match all but web01 + # rather, matches all hosts including web01 + sudoHost: ALL + sudoHost: !web01 + + DDeessccrriippttiioonn ooff ssuuddooRRoollee + + The equivalent of a sudoer in LDAP is a 'sudoRole'. It + contains sudoUser(s), sudoHost, sudoCommand and optional + sudoOption(s), sudoRunAsUser(s) and sudoRunAsGroup(s). + + The following example allows users in group wheel to run + any command on any host via ssuuddoo: + + dn: cn=%wheel,ou=SUDOers,dc=example,dc=com + objectClass: top + objectClass: sudoRole + cn: %wheel + sudoUser: %wheel + sudoHost: ALL + sudoCommand: ALL + + SSuuddooeerrss SScchheemmaa + + In order to use ssuuddoo's LDAP support the ssuuddoo schema must + be installled on your LDAP server. In addition, be sure + to index the attribute 'sudoUser'. + + Two versions of the schema, one for OpenLDAP servers and + + + +1.7 January 19, 2008 3 + + + + + +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + + + another for netscape-derived servers, may also be found in + the ssuuddoo distribution. The schema for ssuuddoo in OpenLDAP + form appears below. + + attributetype ( 1.3.6.1.4.1.15953.9.1.1 + NAME 'sudoUser' + DESC 'User(s) who may run sudo' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + + attributetype ( 1.3.6.1.4.1.15953.9.1.2 + NAME 'sudoHost' + DESC 'Host(s) who may run sudo' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + + attributetype ( 1.3.6.1.4.1.15953.9.1.3 + NAME 'sudoCommand' + DESC 'Command(s) to be executed by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + + attributetype ( 1.3.6.1.4.1.15953.9.1.4 + NAME 'sudoRunAs' + DESC 'User(s) impersonated by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + + attributetype ( 1.3.6.1.4.1.15953.9.1.5 + NAME 'sudoOption' + DESC 'Options(s) followed by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + + attributetype ( 1.3.6.1.4.1.15953.9.1.6 + NAME 'sudoRunAsUser' + DESC 'User(s) impersonated by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + + attributetype ( 1.3.6.1.4.1.15953.9.1.7 + NAME 'sudoRunAsGroup' + DESC 'Group(s) impersonated by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + + objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL + DESC 'Sudoer Entries' + MUST ( cn ) + MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ + sudoRunAsGroup $ sudoOption $ description ) + ) + + + +1.7 January 19, 2008 4 + + + + + +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + + + CCoonnffiigguurriinngg llddaapp..ccoonnff + + Sudo reads the _/_e_t_c_/_l_d_a_p_._c_o_n_f file for LDAP-specific con- + figuration. Typically, this file is shared amongst dif- + ferent LDAP-aware clients. As such, most of the settings + are not ssuuddoo-specific. Note that ssuuddoo parses + _/_e_t_c_/_l_d_a_p_._c_o_n_f itself and may support options that differ + from those described in the _l_d_a_p_._c_o_n_f(4) manual. + + Also note that on systems using the OpenLDAP libraries, + default values specified in _/_e_t_c_/_o_p_e_n_l_d_a_p_/_l_d_a_p_._c_o_n_f or the + user's _._l_d_a_p_r_c files are not used. + + Only those options explicitly listed in _/_e_t_c_/_l_d_a_p_._c_o_n_f + that are supported by ssuuddoo are honored. Configuration + options are listed below in upper case but are parsed in a + case-independent manner. + + URI ldap[s]://[hostname[:port]] ... + Specifies a whitespace-delimited list of one or more + URIs describing the LDAP server(s) to connect to. The + _p_r_o_t_o_c_o_l may be either llddaapp or llddaappss, the latter being + for servers that support TLS (SSL) encryption. If no + _p_o_r_t is specified, the default is port 389 for ldap:// + or port 636 for ldaps://. If no _h_o_s_t_n_a_m_e is speci- + fied, ssuuddoo will connect to llooccaallhhoosstt. Only systems + using the OpenSSL libraries support the mixing of + ldap:// and ldaps:// URIs. The netscape-derived + libraries used on most commercial versions of Unix are + only capable of supporting one or the other. + + HOST name[:port] ... + If no UURRII is specified, the HHOOSSTT parameter specifies a + whitespace-delimited list of LDAP servers to connect + to. Each host may include an optional _p_o_r_t separated + by a colon (':'). The HHOOSSTT parameter is deprecated in + favor of the UURRII specification and is included for + backwards compatibility. + + PORT port_number + If no UURRII is specified, the PPOORRTT parameter specifies + the default port to connect to on the LDAP server if a + HHOOSSTT parameter does not specify the port itself. If + no PPOORRTT parameter is used, the default is port 389 for + LDAP and port 636 for LDAP over TLS (SSL). The PPOORRTT + parameter is deprecated in favor of the UURRII specifica- + tion and is included for backwards compatibility. + + BIND_TIMELIMIT seconds + The BBIINNDD__TTIIMMEELLIIMMIITT parameter specifies the amount of + time, in seconds, to wait while trying to connect to + an LDAP server. If multiple UURRIIs or HHOOSSTTs are speci- + fied, this is the amount of time to wait before trying + the next one in the list. + + + +1.7 January 19, 2008 5 + + + + + +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + + + SUDOERS_BASE base + The base DN to use when performing ssuuddoo LDAP lookups. + Typically this is of the form ou=SUDOers,dc=exam- + ple,dc=com for the domain example.com. + + SUDOERS_DEBUG debug_level + This sets the debug level for ssuuddoo LDAP lookups. + Debuging information is printed to the standard error. + A value of 1 results in a moderate amount of debugging + information. A value of 2 shows the results of the + matches themselves. This parameter should not be set + in a production environment as the extra information + is likely to confuse users. + + BINDDN DN + The BBIINNDDDDNN parameter specifies the identity, in the + form of a Distinguished Name (DN), to use when per- + forming LDAP operations. If not specified, LDAP oper- + ations are performed with an anonymous identity. By + default, most LDAP servers will allow anonymous + access. + + BINDPW secret + The BBIINNDDPPWW parameter specifies the password to use + when performing LDAP operations. This is typically + used in conjunction with the BBIINNDDDDNN parameter. + + ROOTBINDDN DN + The RROOOOTTBBIINNDDDDNN parameter specifies the identity, in + the form of a Distinguished Name (DN), to use when + performing privileged LDAP operations, such as _s_u_d_o_e_r_s + lookups. The password corresponding to the identity + should be stored in If not speci- + fied, the BBIINNDDDDNN identity is used (if any). + + LDAP_VERSION number + The version of the LDAP protocol to use when connect- + ing to the server. The default value is protocol ver- + sion 3. + + SSL on/true/yes/off/false/no + If the SSSSLL parameter is set to on, true or yes, TLS + (SSL) encryption is always used when communicating + with the LDAP server. Typically, this involves con- + necting to the server on port 636 (ldaps). + + SSL start_tls + If the SSSSLL parameter is set to start_tls, the LDAP + server connection is initiated normally and TLS + encryption is begun before the bind credentials are + sent. This has the advantage of not requiring a dedi- + cated port for encrypted communications. This parame- + ter is only supported by LDAP servers that honor the + start_tls extension, such as the OpenLDAP server. + + + +1.7 January 19, 2008 6 + + + + + +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + + + TLS_CHECKPEER on/true/yes/off/false/no + If enabled, TTLLSS__CCHHEECCKKPPEEEERR will cause the LDAP server's + TLS certificated to be verified. If the server's TLS + certificate cannot be verified (usually because it is + signed by an unknown certificate authority), ssuuddoo will + be unable to connect to it. If TTLLSS__CCHHEECCKKPPEEEERR is dis- + abled, no check is made. + + TLS_CACERTFILE + TLS_CACERTDIR + TLS_RANDFILE + TLS_CIPHERS + TLS_CERT + TLS_KEY + USE_SASL + SASL_AUTH_ID + ROOTUSE_SASL + ROOTSASL_AUTH_ID + SASL_SECPROPS + KRB5_CCNAME + + CCoonnffiigguurriinngg nnsssswwiittcchh..ccoonnff + + Sudo consults the Name Service Switch file, _/_e_t_c_/_n_s_s_- + _w_i_t_c_h_._c_o_n_f, to specify the _s_u_d_o_e_r_s search order. Sudo + looks for a line begining with sudoers: and uses this to + determine the search order. Note that ssuuddoo does not stop + searching after the first match and later matches take + precedence over earlier ones. + + The following sources are recognized. + files read sudoers from a file (usually _/_e_t_c_/_s_u_d_o_e_r_s) + ldap read sudoers from LDAP + + In addition, the entry [NOTFOUND=return] will short-cir- + cuit the search if the user was not found in the preceding + source. + + To consult LDAP first followed by the local sudoers file + (if it exists), use: + + sudoers: ldap files + + The local _s_u_d_o_e_r_s file can be ignored completely by using: + + sudoers: ldap + + If the _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f file is not present or there is + no sudoers line, the following default is assumed: + + sudoers: files + +FFIILLEESS + _/_e_t_c_/_l_d_a_p_._c_o_n_f LDAP configuration file + + + +1.7 January 19, 2008 7 + + + + + +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + + + _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f determines sudoers source order + +EEXXAAMMPPLLEESS + Example entries + + Example ldap.conf + + Debugging info + +SSEEEE AALLSSOO + _l_d_a_p_._c_o_n_f(4), _s_u_d_o_e_r_s(4) + +CCAAVVEEAATTSS + parsing differences between LDAP and file sudoers + +BBUUGGSS + If you feel you have found a bug in ssuuddoo, please submit a + bug report at http://www.sudo.ws/sudo/bugs/ + +SSUUPPPPOORRTT + Limited free support is available via the sudo-users mail- + ing list, see http://www.sudo.ws/mail- + man/listinfo/sudo-users to subscribe or search the + archives. + +DDIISSCCLLAAIIMMEERR + ssuuddoo is provided ``AS IS'' and any express or implied war- + ranties, including, but not limited to, the implied war- + ranties of merchantability and fitness for a particular + purpose are disclaimed. See the LICENSE file distributed + with ssuuddoo or http://www.sudo.ws/sudo/license.html for com- + plete details. + + + + + + + + + + + + + + + + + + + + + + + + + +1.7 January 19, 2008 8 + + diff --git a/sudoers.ldap.man.in b/sudoers.ldap.man.in new file mode 100644 index 000000000..7f53192e4 --- /dev/null +++ b/sudoers.ldap.man.in @@ -0,0 +1,576 @@ +.\" Copyright (c) 2003-2008 +.\" Todd C. Miller +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.\" $Sudo$ +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to +.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C' +.\" expand to `' in nroff, nothing in troff, for use with C<>. +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` +. ds C' +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SUDOERS.LDAP @mansectform@" +.TH SUDOERS.LDAP @mansectform@ "January 19, 2008" "1.7" "MAINTENANCE COMMANDS" +.SH "NAME" +sudoers.ldap \- sudo LDAP configuration +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +In addition to the standard \fIsudoers\fR file, \fBsudo\fR may be configured +via \s-1LAP\s0. This can be especially useful for syncronizing \fIsudoers\fR +in a large, distributed environment. +.PP +Using \s-1LDAP\s0 for \fIsudoers\fR has several benefits: +.IP "\(bu" 4 +\&\fBsudo\fR no longer needs to read \fIsudoers\fR in its entirety. Parsing +of \fI/etc/sudoers\fR requires the entire file to be read. When \s-1LDAP\s0 +is used, there are only two or three \s-1LDAP\s0 queries per invocation. +This makes it especially fast and particularly usable in \s-1LDAP\s0 +environments. The first query is to parse global options (see +below). The second is to match against the user's name and the +groups that the user belongs to. (The special \s-1ALL\s0 tag is matched +in this query too.) If no match is returned for the user's name +and groups, a third query returns all entries contain user netgroups +and checks to see if the user belongs to any of them. +.IP "\(bu" 4 +\&\fBsudo\fR no longer exits if there is a typo in \fIsudoers\fR. +It is not possible to load \s-1LDAP\s0 data into the server that does +not conform to the sudoers schema, so proper syntax is guaranteed. +It is still possible to have typos in a user or host name, but +this will not prevent \fBsudo\fR from running. +.IP "\(bu" 4 +Options inside of entries now override global default options. +\&\fI/etc/sudoers\fR only supports default options and limited options +associated with user/host/commands and aliases. The syntax is +complicated and can be difficult for users to understand. +.Sp +Sudo first looks for an entry called \f(CW\*(C`cn=default\*(C'\fR in the \f(CW\*(C`SUDOers\*(C'\fR +container. If found, the multi-valued \f(CW\*(C`sudoOption\*(C'\fR attribute is +parsed the same way the global \f(CW\*(C`Defaults\*(C'\fR line in \fI/etc/sudoers\fR +is parsed. +.Sp +If, on the second or third query, a response contains a sudoRole +which matches against the user, host, and command, then the matched +object is scanned for a additional options that override the top-level +defaults. See the example \s-1LDAP\s0 content below for more information. +.IP "\(bu" 4 +\&\fBvisudo\fR is no longer needed. \fBvisudo\fR provides locking and +syntax checking of the \fI/etc/sudoers\fR file. Since \s-1LDAP\s0 updates +are atomic, locking is no longer necessary. Because syntax is +checked when the data is inserted into \s-1LDAP\s0, there is no need +for a specialized tool to check syntax. +.IP "\(bu" 4 +Aliases are no longer needed. User, Host, and Cmnd Aliases were +designed to simplify organization of \fIsudoers\fR files and to +improve readability. Since an \s-1LDAP\s0 \fIsudoers\fR entry allows multiple +values for each of its attributes, and since most \s-1LDAP\s0 browsers are +graphical and easy to work with, these aliases are no longer +needed. +.Sp +If you wish to specify a large number of users into an entry or +wish to have similar entries with identical users, then either use +groups or user netgroups. Alternately, they can all just be pasted +into the \s-1LDAP\s0 record. +.Sp +If you need to specify a large number of hosts in an entry, use +netgroups or \s-1IP\s0 address matches (10.2.3.4/255.255.0.0). Alternately, +they can all just be pasted into the \s-1LDAP\s0 record. +.Sh "Differences between \s-1LDAP\s0 and non-LDAP sudoers" +.IX Subsection "Differences between LDAP and non-LDAP sudoers" +There are some subtle differences in the way sudoers is handled +once in \s-1LDAP\s0. Probably the biggest is that according to the \s-1RFC\s0, +\&\s-1LDAP\s0's ordering is arbitrary and you cannot expect that Attributes +and Entries are returned in any order. If there are conflicting +command rules on an entry, the negative takes precedence. This is +called paranoid behavior (not necessarily the most specific match). +.PP +Here is an example: +.PP +.Vb 5 +\& # /etc/sudoers: +\& # Allow all commands except shell +\& johnny ALL=(root) ALL,!/bin/sh +\& # Always allows all commands because ALL is matched last +\& puddles ALL=(root) !/bin/sh,ALL +.Ve +.PP +.Vb 10 +\& # LDAP equivalent of Johnny +\& # Allows all commands except shell +\& dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com +\& objectClass: sudoRole +\& objectClass: top +\& cn: role1 +\& sudoUser: johnny +\& sudoHost: ALL +\& sudoCommand: ALL +\& sudoCommand: !/bin/sh +.Ve +.PP +.Vb 11 +\& # LDAP equivalent of Puddles +\& # Notice that even though ALL comes last, it still behaves like +\& # role1 since the LDAP code assumes the more paranoid configuration +\& dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com +\& objectClass: sudoRole +\& objectClass: top +\& cn: role2 +\& sudoUser: puddles +\& sudoHost: ALL +\& sudoCommand: !/bin/sh +\& sudoCommand: ALL +.Ve +.PP +Another difference is that negations on the Host, User or Runas are +currently ignorred. For example, the following attributes do not +do what they might appear to do. +.PP +.Vb 3 +\& # does not match all but joe +\& # rather, does not match anyone +\& sudoUser: !joe +.Ve +.PP +.Vb 4 +\& # does not match all but joe +\& # rather, matches everyone including Joe +\& sudoUser: ALL +\& sudoUser: !joe +.Ve +.PP +.Vb 4 +\& # does not match all but web01 +\& # rather, matches all hosts including web01 +\& sudoHost: ALL +\& sudoHost: !web01 +.Ve +.Sh "Description of sudoRole" +.IX Subsection "Description of sudoRole" +The equivalent of a sudoer in \s-1LDAP\s0 is a 'sudoRole'. It contains +sudoUser(s), sudoHost, sudoCommand and optional sudoOption(s), +sudoRunAsUser(s) and sudoRunAsGroup(s). +.PP +The following example allows users in group wheel to run any command +on any host via \fBsudo\fR: +.PP +.Vb 7 +\& dn: cn=%wheel,ou=SUDOers,dc=example,dc=com +\& objectClass: top +\& objectClass: sudoRole +\& cn: %wheel +\& sudoUser: %wheel +\& sudoHost: ALL +\& sudoCommand: ALL +.Ve +.Sh "Sudoers Schema" +.IX Subsection "Sudoers Schema" +In order to use \fBsudo\fR's \s-1LDAP\s0 support the \fBsudo\fR schema must be +installled on your \s-1LDAP\s0 server. In addition, be sure to index the +attribute 'sudoUser'. +.PP +Two versions of the schema, one for OpenLDAP servers and another +for netscape-derived servers, may also be found in the \fBsudo\fR +distribution. The schema for \fBsudo\fR in OpenLDAP form appears +below. +.PP +.Vb 6 +\& attributetype ( 1.3.6.1.4.1.15953.9.1.1 +\& NAME 'sudoUser' +\& DESC 'User(s) who may run sudo' +\& EQUALITY caseExactIA5Match +\& SUBSTR caseExactIA5SubstringsMatch +\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +.Ve +.PP +.Vb 6 +\& attributetype ( 1.3.6.1.4.1.15953.9.1.2 +\& NAME 'sudoHost' +\& DESC 'Host(s) who may run sudo' +\& EQUALITY caseExactIA5Match +\& SUBSTR caseExactIA5SubstringsMatch +\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +.Ve +.PP +.Vb 5 +\& attributetype ( 1.3.6.1.4.1.15953.9.1.3 +\& NAME 'sudoCommand' +\& DESC 'Command(s) to be executed by sudo' +\& EQUALITY caseExactIA5Match +\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +.Ve +.PP +.Vb 5 +\& attributetype ( 1.3.6.1.4.1.15953.9.1.4 +\& NAME 'sudoRunAs' +\& DESC 'User(s) impersonated by sudo' +\& EQUALITY caseExactIA5Match +\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +.Ve +.PP +.Vb 5 +\& attributetype ( 1.3.6.1.4.1.15953.9.1.5 +\& NAME 'sudoOption' +\& DESC 'Options(s) followed by sudo' +\& EQUALITY caseExactIA5Match +\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +.Ve +.PP +.Vb 5 +\& attributetype ( 1.3.6.1.4.1.15953.9.1.6 +\& NAME 'sudoRunAsUser' +\& DESC 'User(s) impersonated by sudo' +\& EQUALITY caseExactIA5Match +\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +.Ve +.PP +.Vb 5 +\& attributetype ( 1.3.6.1.4.1.15953.9.1.7 +\& NAME 'sudoRunAsGroup' +\& DESC 'Group(s) impersonated by sudo' +\& EQUALITY caseExactIA5Match +\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +.Ve +.PP +.Vb 6 +\& objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL +\& DESC 'Sudoer Entries' +\& MUST ( cn ) +\& MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ +\& sudoRunAsGroup $ sudoOption $ description ) +\& ) +.Ve +.Sh "Configuring ldap.conf" +.IX Subsection "Configuring ldap.conf" +Sudo reads the \fI/etc/ldap.conf\fR file for LDAP-specific configuration. +Typically, this file is shared amongst different LDAP-aware clients. +As such, most of the settings are not \fBsudo\fR\-specific. Note that +\&\fBsudo\fR parses \fI/etc/ldap.conf\fR itself and may support options +that differ from those described in the \fIldap.conf\fR\|(4) manual. +.PP +Also note that on systems using the OpenLDAP libraries, default +values specified in \fI/etc/openldap/ldap.conf\fR or the user's +\&\fI.ldaprc\fR files are not used. +.PP +Only those options explicitly listed in \fI/etc/ldap.conf\fR that are +supported by \fBsudo\fR are honored. Configuration options are listed +below in upper case but are parsed in a case-independent manner. +.IP "\s-1URI\s0 ldap[s]://[hostname[:port]] ..." 4 +.IX Item "URI ldap[s]://[hostname[:port]] ..." +Specifies a whitespace-delimited list of one or more URIs describing +the \s-1LDAP\s0 server(s) to connect to. The \fIprotocol\fR may be either \fBldap\fR +or \fBldaps\fR, the latter being for servers that support \s-1TLS\s0 (\s-1SSL\s0) +encryption. If no \fIport\fR is specified, the default is port 389 for +\&\f(CW\*(C`ldap://\*(C'\fR or port 636 for \f(CW\*(C`ldaps://\*(C'\fR. If no \fIhostname\fR is specified, +\&\fBsudo\fR will connect to \fBlocalhost\fR. Only systems using the OpenSSL +libraries support the mixing of \f(CW\*(C`ldap://\*(C'\fR and \f(CW\*(C`ldaps://\*(C'\fR URIs. +The netscape-derived libraries used on most commercial versions of +Unix are only capable of supporting one or the other. +.IP "\s-1HOST\s0 name[:port] ..." 4 +.IX Item "HOST name[:port] ..." +If no \fB\s-1URI\s0\fR is specified, the \fB\s-1HOST\s0\fR parameter specifies a +whitespace-delimited list of \s-1LDAP\s0 servers to connect to. Each host +may include an optional \fIport\fR separated by a colon (':'). The +\&\fB\s-1HOST\s0\fR parameter is deprecated in favor of the \fB\s-1URI\s0\fR specification +and is included for backwards compatibility. +.IP "\s-1PORT\s0 port_number" 4 +.IX Item "PORT port_number" +If no \fB\s-1URI\s0\fR is specified, the \fB\s-1PORT\s0\fR parameter specifies the +default port to connect to on the \s-1LDAP\s0 server if a \fB\s-1HOST\s0\fR parameter +does not specify the port itself. If no \fB\s-1PORT\s0\fR parameter is used, +the default is port 389 for \s-1LDAP\s0 and port 636 for \s-1LDAP\s0 over \s-1TLS\s0 +(\s-1SSL\s0). The \fB\s-1PORT\s0\fR parameter is deprecated in favor of the \fB\s-1URI\s0\fR +specification and is included for backwards compatibility. +.IP "\s-1BIND_TIMELIMIT\s0 seconds" 4 +.IX Item "BIND_TIMELIMIT seconds" +The \fB\s-1BIND_TIMELIMIT\s0\fR parameter specifies the amount of time, in seconds, +to wait while trying to connect to an \s-1LDAP\s0 server. If multiple \fB\s-1URI\s0\fRs or +\&\fB\s-1HOST\s0\fRs are specified, this is the amount of time to wait before trying +the next one in the list. +.IP "\s-1SUDOERS_BASE\s0 base" 4 +.IX Item "SUDOERS_BASE base" +The base \s-1DN\s0 to use when performing \fBsudo\fR \s-1LDAP\s0 lookups. Typically +this is of the form \f(CW\*(C`ou=SUDOers,dc=example,dc=com\*(C'\fR for the domain +\&\f(CW\*(C`example.com\*(C'\fR. +.IP "\s-1SUDOERS_DEBUG\s0 debug_level" 4 +.IX Item "SUDOERS_DEBUG debug_level" +This sets the debug level for \fBsudo\fR \s-1LDAP\s0 lookups. Debuging +information is printed to the standard error. A value of 1 results +in a moderate amount of debugging information. A value of 2 shows +the results of the matches themselves. This parameter should not +be set in a production environment as the extra information is +likely to confuse users. +.IP "\s-1BINDDN\s0 \s-1DN\s0" 4 +.IX Item "BINDDN DN" +The \fB\s-1BINDDN\s0\fR parameter specifies the identity, in the form of a +Distinguished Name (\s-1DN\s0), to use when performing \s-1LDAP\s0 operations. +If not specified, \s-1LDAP\s0 operations are performed with an anonymous +identity. By default, most \s-1LDAP\s0 servers will allow anonymous access. +.IP "\s-1BINDPW\s0 secret" 4 +.IX Item "BINDPW secret" +The \fB\s-1BINDPW\s0\fR parameter specifies the password to use when performing +\&\s-1LDAP\s0 operations. This is typically used in conjunction with the +\&\fB\s-1BINDDN\s0\fR parameter. +.IP "\s-1ROOTBINDDN\s0 \s-1DN\s0" 4 +.IX Item "ROOTBINDDN DN" +The \fB\s-1ROOTBINDDN\s0\fR parameter specifies the identity, in the form of +a Distinguished Name (\s-1DN\s0), to use when performing privileged \s-1LDAP\s0 +operations, such as \fIsudoers\fR lookups. The password corresponding +to the identity should be stored in +If not specified, the \fB\s-1BINDDN\s0\fR identity is used (if any). +.IP "\s-1LDAP_VERSION\s0 number" 4 +.IX Item "LDAP_VERSION number" +The version of the \s-1LDAP\s0 protocol to use when connecting to the server. +The default value is protocol version 3. +.IP "\s-1SSL\s0 on/true/yes/off/false/no" 4 +.IX Item "SSL on/true/yes/off/false/no" +If the \fB\s-1SSL\s0\fR parameter is set to \f(CW\*(C`on\*(C'\fR, \f(CW\*(C`true\*(C'\fR or \f(CW\*(C`yes\*(C'\fR, \s-1TLS\s0 +(\s-1SSL\s0) encryption is always used when communicating with the \s-1LDAP\s0 +server. Typically, this involves connecting to the server on port +636 (ldaps). +.IP "\s-1SSL\s0 start_tls" 4 +.IX Item "SSL start_tls" +If the \fB\s-1SSL\s0\fR parameter is set to \f(CW\*(C`start_tls\*(C'\fR, the \s-1LDAP\s0 server +connection is initiated normally and \s-1TLS\s0 encryption is begun before +the bind credentials are sent. This has the advantage of not +requiring a dedicated port for encrypted communications. This +parameter is only supported by \s-1LDAP\s0 servers that honor the \f(CW\*(C`start_tls\*(C'\fR +extension, such as the OpenLDAP server. +.IP "\s-1TLS_CHECKPEER\s0 on/true/yes/off/false/no" 4 +.IX Item "TLS_CHECKPEER on/true/yes/off/false/no" +If enabled, \fB\s-1TLS_CHECKPEER\s0\fR will cause the \s-1LDAP\s0 server's \s-1TLS\s0 +certificated to be verified. If the server's \s-1TLS\s0 certificate cannot +be verified (usually because it is signed by an unknown certificate +authority), \fBsudo\fR will be unable to connect to it. If \fB\s-1TLS_CHECKPEER\s0\fR +is disabled, no check is made. +.IP "\s-1TLS_CACERTFILE\s0" 4 +.IX Item "TLS_CACERTFILE" +.PD 0 +.IP "\s-1TLS_CACERTDIR\s0" 4 +.IX Item "TLS_CACERTDIR" +.IP "\s-1TLS_RANDFILE\s0" 4 +.IX Item "TLS_RANDFILE" +.IP "\s-1TLS_CIPHERS\s0" 4 +.IX Item "TLS_CIPHERS" +.IP "\s-1TLS_CERT\s0" 4 +.IX Item "TLS_CERT" +.IP "\s-1TLS_KEY\s0" 4 +.IX Item "TLS_KEY" +.IP "\s-1USE_SASL\s0" 4 +.IX Item "USE_SASL" +.IP "\s-1SASL_AUTH_ID\s0" 4 +.IX Item "SASL_AUTH_ID" +.IP "\s-1ROOTUSE_SASL\s0" 4 +.IX Item "ROOTUSE_SASL" +.IP "\s-1ROOTSASL_AUTH_ID\s0" 4 +.IX Item "ROOTSASL_AUTH_ID" +.IP "\s-1SASL_SECPROPS\s0" 4 +.IX Item "SASL_SECPROPS" +.IP "\s-1KRB5_CCNAME\s0" 4 +.IX Item "KRB5_CCNAME" +.PD +.Sh "Configuring nsswitch.conf" +.IX Subsection "Configuring nsswitch.conf" +Sudo consults the Name Service Switch file, \fI/etc/nsswitch.conf\fR, +to specify the \fIsudoers\fR search order. Sudo looks for a line +begining with \f(CW\*(C`sudoers:\*(C'\fR and uses this to determine the search +order. Note that \fBsudo\fR does not stop searching after the first +match and later matches take precedence over earlier ones. +.PP +The following sources are recognized. + files read sudoers from a file (usually \fI/etc/sudoers\fR) + ldap read sudoers from \s-1LDAP\s0 +.PP +In addition, the entry \f(CW\*(C`[NOTFOUND=return]\*(C'\fR will short-circuit the +search if the user was not found in the preceding source. +.PP +To consult \s-1LDAP\s0 first followed by the local sudoers file (if it +exists), use: +.PP +.Vb 1 +\& sudoers: ldap files +.Ve +.PP +The local \fIsudoers\fR file can be ignored completely by using: +.PP +.Vb 1 +\& sudoers: ldap +.Ve +.PP +If the \fI/etc/nsswitch.conf\fR file is not present or there is no +sudoers line, the following default is assumed: +.PP +.Vb 1 +\& sudoers: files +.Ve +.SH "FILES" +.IX Header "FILES" +.IP "\fI/etc/ldap.conf\fR" 24 +.IX Item "/etc/ldap.conf" +\&\s-1LDAP\s0 configuration file +.IP "\fI/etc/nsswitch.conf\fR" 24 +.IX Item "/etc/nsswitch.conf" +determines sudoers source order +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Example entries +.PP +Example ldap.conf +.PP +Debugging info +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIldap.conf\fR\|(4), \fIsudoers\fR\|(4) +.SH "CAVEATS" +.IX Header "CAVEATS" +parsing differences between \s-1LDAP\s0 and file sudoers +.SH "BUGS" +.IX Header "BUGS" +If you feel you have found a bug in \fBsudo\fR, please submit a bug report +at http://www.sudo.ws/sudo/bugs/ +.SH "SUPPORT" +.IX Header "SUPPORT" +Limited free support is available via the sudo-users mailing list, +see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or +search the archives. +.SH "DISCLAIMER" +.IX Header "DISCLAIMER" +\&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties, +including, but not limited to, the implied warranties of merchantability +and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0 +file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html +for complete details. diff --git a/sudoers.ldap.pod b/sudoers.ldap.pod new file mode 100644 index 000000000..cbff8de19 --- /dev/null +++ b/sudoers.ldap.pod @@ -0,0 +1,459 @@ +=cut +Copyright (c) 2003-2008 + Todd C. Miller + +Permission to use, copy, modify, and distribute this software for any +purpose with or without fee is hereby granted, provided that the above +copyright notice and this permission notice appear in all copies. + +THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +$Sudo$ +=pod + +=head1 NAME + +sudoers.ldap - sudo LDAP configuration + +=head1 DESCRIPTION + +In addition to the standard I file, B may be configured +via LAP. This can be especially useful for syncronizing I +in a large, distributed environment. + +Using LDAP for I has several benefits: + +=over 4 + +=item * + +B no longer needs to read I in its entirety. Parsing +of F requires the entire file to be read. When LDAP +is used, there are only two or three LDAP queries per invocation. +This makes it especially fast and particularly usable in LDAP +environments. The first query is to parse global options (see +below). The second is to match against the user's name and the +groups that the user belongs to. (The special ALL tag is matched +in this query too.) If no match is returned for the user's name +and groups, a third query returns all entries contain user netgroups +and checks to see if the user belongs to any of them. + +=item * + +B no longer exits if there is a typo in I. +It is not possible to load LDAP data into the server that does +not conform to the sudoers schema, so proper syntax is guaranteed. +It is still possible to have typos in a user or host name, but +this will not prevent B from running. + +=item * + +Options inside of entries now override global default options. +F only supports default options and limited options +associated with user/host/commands and aliases. The syntax is +complicated and can be difficult for users to understand. + +Sudo first looks for an entry called C in the C +container. If found, the multi-valued C attribute is +parsed the same way the global C line in F +is parsed. + +If, on the second or third query, a response contains a sudoRole +which matches against the user, host, and command, then the matched +object is scanned for a additional options that override the top-level +defaults. See the example LDAP content below for more information. + +=item * + +B is no longer needed. B provides locking and +syntax checking of the F file. Since LDAP updates +are atomic, locking is no longer necessary. Because syntax is +checked when the data is inserted into LDAP, there is no need +for a specialized tool to check syntax. + +=item * + +Aliases are no longer needed. User, Host, and Cmnd Aliases were +designed to simplify organization of I files and to +improve readability. Since an LDAP I entry allows multiple +values for each of its attributes, and since most LDAP browsers are +graphical and easy to work with, these aliases are no longer +needed. + +If you wish to specify a large number of users into an entry or +wish to have similar entries with identical users, then either use +groups or user netgroups. Alternately, they can all just be pasted +into the LDAP record. + +If you need to specify a large number of hosts in an entry, use +netgroups or IP address matches (10.2.3.4/255.255.0.0). Alternately, +they can all just be pasted into the LDAP record. + +=back + +=head2 Differences between LDAP and non-LDAP sudoers + +There are some subtle differences in the way sudoers is handled +once in LDAP. Probably the biggest is that according to the RFC, +LDAP's ordering is arbitrary and you cannot expect that Attributes +and Entries are returned in any order. If there are conflicting +command rules on an entry, the negative takes precedence. This is +called paranoid behavior (not necessarily the most specific match). + +Here is an example: + + # /etc/sudoers: + # Allow all commands except shell + johnny ALL=(root) ALL,!/bin/sh + # Always allows all commands because ALL is matched last + puddles ALL=(root) !/bin/sh,ALL + + # LDAP equivalent of Johnny + # Allows all commands except shell + dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com + objectClass: sudoRole + objectClass: top + cn: role1 + sudoUser: johnny + sudoHost: ALL + sudoCommand: ALL + sudoCommand: !/bin/sh + + # LDAP equivalent of Puddles + # Notice that even though ALL comes last, it still behaves like + # role1 since the LDAP code assumes the more paranoid configuration + dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com + objectClass: sudoRole + objectClass: top + cn: role2 + sudoUser: puddles + sudoHost: ALL + sudoCommand: !/bin/sh + sudoCommand: ALL + +Another difference is that negations on the Host, User or Runas are +currently ignorred. For example, the following attributes do not +do what they might appear to do. + + # does not match all but joe + # rather, does not match anyone + sudoUser: !joe + + # does not match all but joe + # rather, matches everyone including Joe + sudoUser: ALL + sudoUser: !joe + + # does not match all but web01 + # rather, matches all hosts including web01 + sudoHost: ALL + sudoHost: !web01 + +=head2 Description of sudoRole + +The equivalent of a sudoer in LDAP is a 'sudoRole'. It contains +sudoUser(s), sudoHost, sudoCommand and optional sudoOption(s), +sudoRunAsUser(s) and sudoRunAsGroup(s). + +The following example allows users in group wheel to run any command +on any host via B: + + dn: cn=%wheel,ou=SUDOers,dc=example,dc=com + objectClass: top + objectClass: sudoRole + cn: %wheel + sudoUser: %wheel + sudoHost: ALL + sudoCommand: ALL + +=head2 Sudoers Schema + +In order to use B's LDAP support the B schema must be +installled on your LDAP server. In addition, be sure to index the +attribute 'sudoUser'. + +Two versions of the schema, one for OpenLDAP servers and another +for netscape-derived servers, may also be found in the B +distribution. The schema for B in OpenLDAP form appears +below. + + attributetype ( 1.3.6.1.4.1.15953.9.1.1 + NAME 'sudoUser' + DESC 'User(s) who may run sudo' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + + attributetype ( 1.3.6.1.4.1.15953.9.1.2 + NAME 'sudoHost' + DESC 'Host(s) who may run sudo' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + + attributetype ( 1.3.6.1.4.1.15953.9.1.3 + NAME 'sudoCommand' + DESC 'Command(s) to be executed by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + + attributetype ( 1.3.6.1.4.1.15953.9.1.4 + NAME 'sudoRunAs' + DESC 'User(s) impersonated by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + + attributetype ( 1.3.6.1.4.1.15953.9.1.5 + NAME 'sudoOption' + DESC 'Options(s) followed by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + + attributetype ( 1.3.6.1.4.1.15953.9.1.6 + NAME 'sudoRunAsUser' + DESC 'User(s) impersonated by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + + attributetype ( 1.3.6.1.4.1.15953.9.1.7 + NAME 'sudoRunAsGroup' + DESC 'Group(s) impersonated by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + + objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL + DESC 'Sudoer Entries' + MUST ( cn ) + MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ + sudoRunAsGroup $ sudoOption $ description ) + ) + +=head2 Configuring ldap.conf + +Sudo reads the F file for LDAP-specific configuration. +Typically, this file is shared amongst different LDAP-aware clients. +As such, most of the settings are not B-specific. Note that +B parses F itself and may support options +that differ from those described in the L manual. + +Also note that on systems using the OpenLDAP libraries, default +values specified in F or the user's +F<.ldaprc> files are not used. + +Only those options explicitly listed in F that are +supported by B are honored. Configuration options are listed +below in upper case but are parsed in a case-independent manner. + +=over 4 + +=item URI ldap[s]://[hostname[:port]] ... + +Specifies a whitespace-delimited list of one or more URIs describing +the LDAP server(s) to connect to. The I may be either B +or B, the latter being for servers that support TLS (SSL) +encryption. If no I is specified, the default is port 389 for +C or port 636 for C. If no I is specified, +B will connect to B. Only systems using the OpenSSL +libraries support the mixing of C and C URIs. +The netscape-derived libraries used on most commercial versions of +Unix are only capable of supporting one or the other. + +=item HOST name[:port] ... + +If no B is specified, the B parameter specifies a +whitespace-delimited list of LDAP servers to connect to. Each host +may include an optional I separated by a colon (':'). The +B parameter is deprecated in favor of the B specification +and is included for backwards compatibility. + +=item PORT port_number + +If no B is specified, the B parameter specifies the +default port to connect to on the LDAP server if a B parameter +does not specify the port itself. If no B parameter is used, +the default is port 389 for LDAP and port 636 for LDAP over TLS +(SSL). The B parameter is deprecated in favor of the B +specification and is included for backwards compatibility. + +=item BIND_TIMELIMIT seconds + +The B parameter specifies the amount of time, in seconds, +to wait while trying to connect to an LDAP server. If multiple Bs or +Bs are specified, this is the amount of time to wait before trying +the next one in the list. + +=item SUDOERS_BASE base + +The base DN to use when performing B LDAP lookups. Typically +this is of the form C for the domain +C. + +=item SUDOERS_DEBUG debug_level + +This sets the debug level for B LDAP lookups. Debuging +information is printed to the standard error. A value of 1 results +in a moderate amount of debugging information. A value of 2 shows +the results of the matches themselves. This parameter should not +be set in a production environment as the extra information is +likely to confuse users. + +=item BINDDN DN + +The B parameter specifies the identity, in the form of a +Distinguished Name (DN), to use when performing LDAP operations. +If not specified, LDAP operations are performed with an anonymous +identity. By default, most LDAP servers will allow anonymous access. + +=item BINDPW secret + +The B parameter specifies the password to use when performing +LDAP operations. This is typically used in conjunction with the +B parameter. + +=item ROOTBINDDN DN + +The B parameter specifies the identity, in the form of +a Distinguished Name (DN), to use when performing privileged LDAP +operations, such as I lookups. The password corresponding +to the identity should be stored in +If not specified, the B identity is used (if any). + +=item LDAP_VERSION number + +The version of the LDAP protocol to use when connecting to the server. +The default value is protocol version 3. + +=item SSL on/true/yes/off/false/no + +If the B parameter is set to C, C or C, TLS +(SSL) encryption is always used when communicating with the LDAP +server. Typically, this involves connecting to the server on port +636 (ldaps). + +=item SSL start_tls + +If the B parameter is set to C, the LDAP server +connection is initiated normally and TLS encryption is begun before +the bind credentials are sent. This has the advantage of not +requiring a dedicated port for encrypted communications. This +parameter is only supported by LDAP servers that honor the C +extension, such as the OpenLDAP server. + +=item TLS_CHECKPEER on/true/yes/off/false/no + +If enabled, B will cause the LDAP server's TLS +certificated to be verified. If the server's TLS certificate cannot +be verified (usually because it is signed by an unknown certificate +authority), B will be unable to connect to it. If B +is disabled, no check is made. + +=item TLS_CACERTFILE + +=item TLS_CACERTDIR + +=item TLS_RANDFILE + +=item TLS_CIPHERS + +=item TLS_CERT + +=item TLS_KEY + +=item USE_SASL + +=item SASL_AUTH_ID + +=item ROOTUSE_SASL + +=item ROOTSASL_AUTH_ID + +=item SASL_SECPROPS + +=item KRB5_CCNAME + +=back + +=head2 Configuring nsswitch.conf + +Sudo consults the Name Service Switch file, F, +to specify the I search order. Sudo looks for a line +begining with C and uses this to determine the search +order. Note that B does not stop searching after the first +match and later matches take precedence over earlier ones. + +The following sources are recognized. + files read sudoers from a file (usually F) + ldap read sudoers from LDAP + +In addition, the entry C<[NOTFOUND=return]> will short-circuit the +search if the user was not found in the preceding source. + +To consult LDAP first followed by the local sudoers file (if it +exists), use: + + sudoers: ldap files + +The local I file can be ignored completely by using: + + sudoers: ldap + +If the F file is not present or there is no +sudoers line, the following default is assumed: + + sudoers: files + +=head1 FILES + +=over 24 + +=item F + +LDAP configuration file + +=item F + +determines sudoers source order + +=back + +=head1 EXAMPLES + +Example entries + +Example ldap.conf + +Debugging info + +=head1 SEE ALSO + +L, L + +=head1 CAVEATS + +parsing differences between LDAP and file sudoers + +=head1 BUGS + +If you feel you have found a bug in B, please submit a bug report +at http://www.sudo.ws/sudo/bugs/ + +=head1 SUPPORT + +Limited free support is available via the sudo-users mailing list, +see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or +search the archives. + +=head1 DISCLAIMER + +B is provided ``AS IS'' and any express or implied warranties, +including, but not limited to, the implied warranties of merchantability +and fitness for a particular purpose are disclaimed. See the LICENSE +file distributed with B or http://www.sudo.ws/sudo/license.html +for complete details.