From 6fd9d853a8e6a5a3ba44092ce5af50077b81b216 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Tue, 1 Feb 2011 14:31:04 -0500 Subject: [PATCH] Be clear about what versions of sudo support new LDAP attributes. Fix up some formatting of attribute names. Minor other tweaks. --- doc/sudoers.ldap.cat | 354 ++++++++++++++++++++-------------------- doc/sudoers.ldap.man.in | 77 ++++++--- doc/sudoers.ldap.pod | 75 ++++++--- 3 files changed, 276 insertions(+), 230 deletions(-) diff --git a/doc/sudoers.ldap.cat b/doc/sudoers.ldap.cat index 5ee611f0d..5b1988016 100644 --- a/doc/sudoers.ldap.cat +++ b/doc/sudoers.ldap.cat @@ -43,7 +43,7 @@ DDEESSCCRRIIPPTTIIOONN For the most part, there is really no need for ssuuddoo-specific Aliases. Unix groups or user netgroups can be used in place of User_Aliases and - RunasAliases. Host netgroups can be used in place of HostAliases. + Runas_Aliases. Host netgroups can be used in place of Host_Aliases. Since Unix groups and netgroups can also be stored in LDAP there is no real need for ssuuddoo-specific aliases. @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.8.0b3 January 10, 2011 1 +1.8.0b3 February 1, 2011 1 @@ -82,7 +82,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) sudoOption: env_keep+=SSH_AUTH_SOCK The equivalent of a sudoer in LDAP is a sudoRole. It consists of the - following components: + following attributes: ssuuddooUUsseerr A user name, uid (prefixed with '#'), Unix group (prefixed with a 
@@ -109,46 +109,67 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) with a '+') that contains a list of users that commands may be run as. The special value ALL will match any user. + The sudoRunAsUser attribute is only available in ssuuddoo versions + 1.7.0 and higher. Older versions of ssuuddoo use the sudoRunAs + attribute instead. + ssuuddooRRuunnAAssGGrroouupp A Unix group or gid (prefixed with '#') that commands may be run as. The special value ALL will match any group. + The sudoRunAsGroup attribute is only available in ssuuddoo versions + 1.7.0 and higher. + ssuuddooNNoottBBeeffoorree - A timestamp in the form yyyymmddHHMMZ that indicates start of - validity of this sudoRole. If multiple ssuuddooNNoottBBeeffoorree entries are - present, the earliest is used. + A timestamp in the form yyyymmddHHMMZ that can be used to provide a + start date/time for when the sudoRole will be valid. If multiple + sudoNotBefore entries are present, the earliest is used. Note that - ssuuddooNNoottAAfftteerr - A timestamp in the form yyyymmddHHMMZ that indicates end of - validity of this sudoRole. If multiple ssuuddooNNoottAAfftteerr entries are - present, the last one is used. +1.8.0b3 February 1, 2011 2 -1.8.0b3 January 10, 2011 2 +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + timestamps must be in Coordinated Universal Time (UTC), not the + local timezone. -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + The sudoNotBefore attribute is only available in ssuuddoo versions + 1.7.5 and higher and must be explicitly enabled via the + SSUUDDOOEERRSS__TTIIMMEEDD option in _/_e_t_c_/_l_d_a_p_._c_o_n_f. + ssuuddooNNoottAAfftteerr + A timestamp in the form yyyymmddHHMMZ that indicates an expiration + date/time, after which the sudoRole will no longer be valid. If + multiple sudoNotBefore entries are present, the last one is used. + Note that timestamps must be in Coordinated Universal Time (UTC), + not the local timezone. 
+ + The sudoNotAfter attribute is only available in ssuuddoo versions 1.7.5 + and higher and must be explicitly enabled via the SSUUDDOOEERRSS__TTIIMMEEDD + option in _/_e_t_c_/_l_d_a_p_._c_o_n_f. ssuuddooOOrrddeerr The sudoRole entries retrieved from the LDAP directory have no - inherent order. The ssuuddooOOrrddeerr attribute is an integer (or floating + inherent order. The sudoOrder attribute is an integer (or floating point value for LDAP servers that support it) that is used to sort the matching entries. This allows LDAP-based sudoers entries to more closely mimic the behaviour of the sudoers file, where the of the entries influences the result. If multiple entries match, the - entry with the highest ssuuddooOOrrddeerr attribute is chosen. This + entry with the highest sudoOrder attribute is chosen. This corresponds to the "last match" behavior of the sudoers file. If - the ssuuddooOOrrddeerr attribute is not present, a value of 0 is assumed. + the sudoOrder attribute is not present, a value of 0 is assumed. - Each component listed above should contain a single value, but there - may be multiple instances of each component type. A sudoRole must + The sudoOrder attribute is only available in ssuuddoo versions 1.7.5 + and higher. + + Each attribute listed above should contain a single value, but there + may be multiple instances of each attribute type. A sudoRole must contain at least one sudoUser, sudoHost and sudoCommand. The following example allows users in group wheel to run any command on 
@@ -169,11 +190,23 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) that the user belongs to. (The special ALL tag is matched in this query too.) If no match is returned for the user's name and groups, a third query returns all entries containing user netgroups and checks to + + + +1.8.0b3 February 1, 2011 3 + + + + + +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + + see if the user belongs to any of them. If timed entries are enabled with the SSUUDDOOEERRSS__TTIIMMEEDD configuration directive, the LDAP queries include a subfilter that limits retrieval - to entries that satisfy the time constraints, if any are present. + to entries that satisfy the time constraints, if any. DDiiffffeerreenncceess bbeettwweeeenn LLDDAAPP aanndd nnoonn--LLDDAAPP ssuuddooeerrss There are some subtle differences in the way sudoers is handled once in @@ -182,26 +215,13 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) returned in any specific order. The order in which different entries are applied can be controlled - using the ssuuddooOOrrddeerr attribute, but there is no way to guarantee the + using the sudoOrder attribute, but there is no way to guarantee the order of attributes within a specific entry. If there are conflicting command rules in an entry, the negative takes precedence. This is called paranoid behavior (not necessarily the most specific match). Here is an example: - - - - -1.8.0b3 January 10, 2011 3 - - - - - -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - # /etc/sudoers: # Allow all commands except shell johnny ALL=(root) ALL,!/bin/sh @@ -235,6 +255,19 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) currently ignored. For example, the following attributes do not behave the way one might expect. + + + + +1.8.0b3 February 1, 2011 4 + + + + + +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + + # does not match all but joe # rather, does not match anyone sudoUser: !joe 
@@ -256,18 +289,6 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) Three versions of the schema: one for OpenLDAP servers (_s_c_h_e_m_a_._O_p_e_n_L_D_A_P), one for Netscape-derived servers (_s_c_h_e_m_a_._i_P_l_a_n_e_t), - - - -1.8.0b3 January 10, 2011 4 - - - - - -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - and one for Microsoft Active Directory (_s_c_h_e_m_a_._A_c_t_i_v_e_D_i_r_e_c_t_o_r_y) may be found in the ssuuddoo distribution. @@ -285,7 +306,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) specified in _/_e_t_c_/_o_p_e_n_l_d_a_p_/_l_d_a_p_._c_o_n_f or the user's _._l_d_a_p_r_c files are not used. - Only those options explicitly listed in _/_e_t_c_/_l_d_a_p_._c_o_n_f that are + Only those options explicitly listed in _/_e_t_c_/_l_d_a_p_._c_o_n_f as being supported by ssuuddoo are honored. Configuration options are listed below in upper case but are parsed in a case-independent manner. @@ -302,6 +323,17 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) commercial versions of Unix are only capable of supporting one or the other. + + +1.8.0b3 February 1, 2011 5 + + + + + +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + + HHOOSSTT name[:port] ... If no UURRII is specified, the HHOOSSTT parameter specifies a whitespace- delimited list of LDAP servers to connect to. Each host may @@ -323,19 +355,8 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) multiple UURRIIs or HHOOSSTTs are specified, this is the amount of time to wait before trying the next one in the list. - - -1.8.0b3 January 10, 2011 5 - - - - - -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - NNEETTWWOORRKK__TTIIMMEEOOUUTT seconds - An alias for BBIINNDD__TTIIMMEELLIIMMIITT. + An alias for BBIINNDD__TTIIMMEELLIIMMIITT for OpenLDAP compatibility. TTIIMMEELLIIMMIITT seconds The TTIIMMEELLIIMMIITT parameter specifies the amount of time, in seconds, 
@@ -352,7 +373,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) which case they are queried in the order specified. SSUUDDOOEERRSS__TTIIMMEEDD on/true/yes/off/false/no - Whether or not to evaluate the ssuuddooNNoottBBeeffoorree and ssuuddooNNoottAAfftteerr + Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes that implement time-dependent sudoers entries. SSUUDDOOEERRSS__DDEEBBUUGG debug_level @@ -367,6 +388,18 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) The BBIINNDDDDNN parameter specifies the identity, in the form of a Distinguished Name (DN), to use when performing LDAP operations. If not specified, LDAP operations are performed with an anonymous + + + +1.8.0b3 February 1, 2011 6 + + + + + +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + + identity. By default, most LDAP servers will allow anonymous access. @@ -388,18 +421,6 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SSSSLL on/true/yes/off/false/no If the SSSSLL parameter is set to on, true or yes, TLS (SSL) - - - -1.8.0b3 January 10, 2011 6 - - - - - -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - encryption is always used when communicating with the LDAP server. Typically, this involves connecting to the server on port 636 (ldaps). @@ -424,7 +445,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) can be verified. TTLLSS__CCAACCEERRTT file name - An alias for TTLLSS__CCAACCEERRTTFFIILLEE. + An alias for TTLLSS__CCAACCEERRTTFFIILLEE for OpenLDAP compatibility. TTLLSS__CCAACCEERRTTFFIILLEE file name The path to a certificate authority bundle which contains the 
@@ -434,6 +455,17 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) libraries use the same certificate database for CA and client certificates (see TTLLSS__CCEERRTT). + + +1.8.0b3 February 1, 2011 7 + + + + + +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + + TTLLSS__CCAACCEERRTTDDIIRR directory Similar to TTLLSS__CCAACCEERRTTFFIILLEE but instead of a file, it is a directory containing individual Certificate Authority certificates, e.g. @@ -455,17 +487,6 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) When using Netscape-derived libraries, this file may also contain Certificate Authority certificates. - - -1.8.0b3 January 10, 2011 7 - - - - - -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - TTLLSS__KKEEYY file name The path to a file containing the private key which matches the certificate specified by TTLLSS__CCEERRTT. The private key must not be @@ -499,6 +520,18 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) RROOOOTTUUSSEE__SSAASSLL on/true/yes/off/false/no Enable RROOOOTTUUSSEE__SSAASSLL to enable SASL authentication when connecting + + + +1.8.0b3 February 1, 2011 8 + + + + + +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + + to an LDAP server from a privileged process, such as ssuuddoo. RROOOOTTSSAASSLL__AAUUTTHH__IIDD identity @@ -520,18 +553,6 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) Sudo looks for a line beginning with sudoers: and uses this to determine the search order. Note that ssuuddoo does not stop searching after the first match and later matches take precedence over earlier - - - -1.8.0b3 January 10, 2011 8 - - - - - -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - ones. The following sources are recognized: 
@@ -565,6 +586,18 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) _n_s_s_w_i_t_c_h_._c_o_n_f; information in the previous section unrelated to the file format itself still applies. + + + +1.8.0b3 February 1, 2011 9 + + + + + +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + + To consult LDAP first followed by the local sudoers file (if it exists), use: @@ -587,17 +620,6 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) sudoers = files - - -1.8.0b3 January 10, 2011 9 - - - - - -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - FFIILLEESS _/_e_t_c_/_l_d_a_p_._c_o_n_f LDAP configuration file @@ -630,6 +652,18 @@ EEXXAAMMPPLLEESS # # Must be set or sudo will ignore LDAP; may be specified multiple times. sudoers_base ou=SUDOers,dc=example,dc=com + + + +1.8.0b3 February 1, 2011 10 + + + + + +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + + # # verbose sudoers matching from ldap #sudoers_debug 2 @@ -652,18 +686,6 @@ EEXXAAMMPPLLEESS # Define if you want to use port 389 and switch to # encryption before the bind credentials are sent. # Only supported by LDAP servers that support the start_tls - - - -1.8.0b3 January 10, 2011 10 - - - - - -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - # extension such as OpenLDAP. #ssl start_tls # @@ -696,6 +718,18 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) # the LDAP server. # Tips: # * Enable both lines at the same time. + + + +1.8.0b3 February 1, 2011 11 + + + + + +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + + # * Do not password protect the key file. # * Ensure the keyfile is only readable by root. # @@ -718,18 +752,6 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) #tls_cert /var/ldap #tls_key /var/ldap # - - - -1.8.0b3 January 10, 2011 11 - - - - - -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - # If using SASL authentication for LDAP (OpenSSL) # use_sasl yes # sasl_auth_id 
@@ -739,7 +761,8 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) # krb5_ccname /etc/.ldapcache SSuuddoo sscchheemmaa ffoorr OOppeennLLDDAAPP - The following schema is in OpenLDAP format. Simply copy it to the + The following schema, in OpenLDAP format, is included with ssuuddoo source + and binary distributions as _s_c_h_e_m_a_._O_p_e_n_L_D_A_P. Simply copy it to the schema directory (e.g. _/_e_t_c_/_o_p_e_n_l_d_a_p_/_s_c_h_e_m_a), add the proper include line in slapd.conf and restart ssllaappdd. @@ -761,6 +784,18 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match + + + +1.8.0b3 February 1, 2011 12 + + + + + +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 1.3.6.1.4.1.15953.9.1.4 @@ -784,18 +819,6 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) attributetype ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' - - - -1.8.0b3 January 10, 2011 12 - - - - - -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) @@ -828,6 +851,17 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) sudoOrder $ description ) ) + + +1.8.0b3 February 1, 2011 13 + + + + + +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + + SSEEEE AALLSSOO _l_d_a_p_._c_o_n_f(4), _s_u_d_o_e_r_s(4) @@ -850,18 +884,6 @@ DDIISSCCLLAAIIMMEERR including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. See the LICENSE file distributed with ssuuddoo or - - - -1.8.0b3 January 10, 2011 13 - - - - - -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - http://www.sudo.ws/sudo/license.html for complete details. 
@@ -897,28 +919,6 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - - - - - - - - - - - - - - - - - - - - - -1.8.0b3 January 10, 2011 14 +1.8.0b3 February 1, 2011 14 diff --git a/doc/sudoers.ldap.man.in b/doc/sudoers.ldap.man.in index cf4ad116b..b93ee25e2 100644 --- a/doc/sudoers.ldap.man.in +++ b/doc/sudoers.ldap.man.in @@ -140,7 +140,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS.LDAP @mansectform@" -.TH SUDOERS.LDAP @mansectform@ "January 10, 2011" "1.8.0b3" "MAINTENANCE COMMANDS" +.TH SUDOERS.LDAP @mansectform@ "February 1, 2011" "1.8.0b3" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -183,14 +183,14 @@ is that in \s-1LDAP\s0, \fBsudo\fR\-specific Aliases are not supported. .PP For the most part, there is really no need for \fBsudo\fR\-specific Aliases. Unix groups or user netgroups can be used in place of -User_Aliases and RunasAliases. Host netgroups can be used in place -of HostAliases. Since Unix groups and netgroups can also be stored +User_Aliases and Runas_Aliases. Host netgroups can be used in place +of Host_Aliases. Since Unix groups and netgroups can also be stored in \s-1LDAP\s0 there is no real need for \fBsudo\fR\-specific aliases. .PP Cmnd_Aliases are not really required either since it is possible -to have multiple users listed in a sudoRole. Instead of defining +to have multiple users listed in a \f(CW\*(C`sudoRole\*(C'\fR. Instead of defining a Cmnd_Alias that is referenced by multiple users, one can create -a sudoRole that contains the commands and assign multiple users +a \f(CW\*(C`sudoRole\*(C'\fR that contains the commands and assign multiple users to it. .SS "SUDOers \s-1LDAP\s0 container" .IX Subsection "SUDOers LDAP container" 
@@ -213,7 +213,7 @@ in the environment for all users. .Ve .PP The equivalent of a sudoer in \s-1LDAP\s0 is a \f(CW\*(C`sudoRole\*(C'\fR. It consists of -the following components: +the following attributes: .IP "\fBsudoUser\fR" 4 .IX Item "sudoUser" A user name, uid (prefixed with \f(CW\*(Aq#\*(Aq\fR), Unix group (prefixed with 
@@ -241,34 +241,56 @@ as or a Unix group (prefixed with a \f(CW\*(Aq%\*(Aq\fR) or user netgroup (prefi with a \f(CW\*(Aq+\*(Aq\fR) that contains a list of users that commands may be run as. The special value \f(CW\*(C`ALL\*(C'\fR will match any user. +.Sp +The \f(CW\*(C`sudoRunAsUser\*(C'\fR attribute is only available in \fBsudo\fR versions +1.7.0 and higher. Older versions of \fBsudo\fR use the \f(CW\*(C`sudoRunAs\*(C'\fR +attribute instead. .IP "\fBsudoRunAsGroup\fR" 4 .IX Item "sudoRunAsGroup" A Unix group or gid (prefixed with \f(CW\*(Aq#\*(Aq\fR) that commands may be run as. The special value \f(CW\*(C`ALL\*(C'\fR will match any group. +.Sp +The \f(CW\*(C`sudoRunAsGroup\*(C'\fR attribute is only available in \fBsudo\fR versions +1.7.0 and higher. .IP "\fBsudoNotBefore\fR" 4 .IX Item "sudoNotBefore" -A timestamp in the form \f(CW\*(C`yyyymmddHHMMZ\*(C'\fR that indicates start of validity -of this \f(CW\*(C`sudoRole\*(C'\fR. -If multiple \fBsudoNotBefore\fR entries are present, the earliest is used. +A timestamp in the form \f(CW\*(C`yyyymmddHHMMZ\*(C'\fR that can be used to provide +a start date/time for when the \f(CW\*(C`sudoRole\*(C'\fR will be valid. If +multiple \f(CW\*(C`sudoNotBefore\*(C'\fR entries are present, the earliest is used. +Note that timestamps must be in Coordinated Universal Time (\s-1UTC\s0), +not the local timezone. +.Sp +The \f(CW\*(C`sudoNotBefore\*(C'\fR attribute is only available in \fBsudo\fR versions +1.7.5 and higher and must be explicitly enabled via the \fB\s-1SUDOERS_TIMED\s0\fR +option in \fI@ldap_conf@\fR. .IP "\fBsudoNotAfter\fR" 4 .IX Item "sudoNotAfter" -A timestamp in the form \f(CW\*(C`yyyymmddHHMMZ\*(C'\fR that indicates end of validity -of this \f(CW\*(C`sudoRole\*(C'\fR. -If multiple \fBsudoNotAfter\fR entries are present, the last one is used. +A timestamp in the form \f(CW\*(C`yyyymmddHHMMZ\*(C'\fR that indicates an expiration +date/time, after which the \f(CW\*(C`sudoRole\*(C'\fR will no longer be valid. 
If +multiple \f(CW\*(C`sudoNotBefore\*(C'\fR entries are present, the last one is used. +Note that timestamps must be in Coordinated Universal Time (\s-1UTC\s0), +not the local timezone. +.Sp +The \f(CW\*(C`sudoNotAfter\*(C'\fR attribute is only available in \fBsudo\fR versions +1.7.5 and higher and must be explicitly enabled via the \fB\s-1SUDOERS_TIMED\s0\fR +option in \fI@ldap_conf@\fR. .IP "\fBsudoOrder\fR" 4 .IX Item "sudoOrder" -The sudoRole entries retrieved from the \s-1LDAP\s0 directory have no -inherent order. The \fBsudoOrder\fR attribute is an integer (or +The \f(CW\*(C`sudoRole\*(C'\fR entries retrieved from the \s-1LDAP\s0 directory have no +inherent order. The \f(CW\*(C`sudoOrder\*(C'\fR attribute is an integer (or floating point value for \s-1LDAP\s0 servers that support it) that is used to sort the matching entries. This allows LDAP-based sudoers entries to more closely mimic the behaviour of the sudoers file, where the of the entries influences the result. If multiple entries match, -the entry with the highest \fBsudoOrder\fR attribute is chosen. This +the entry with the highest \f(CW\*(C`sudoOrder\*(C'\fR attribute is chosen. This corresponds to the \*(L"last match\*(R" behavior of the sudoers file. If -the \fBsudoOrder\fR attribute is not present, a value of 0 is assumed. +the \f(CW\*(C`sudoOrder\*(C'\fR attribute is not present, a value of 0 is assumed. +.Sp +The \f(CW\*(C`sudoOrder\*(C'\fR attribute is only available in \fBsudo\fR versions +1.7.5 and higher. .PP -Each component listed above should contain a single value, but there -may be multiple instances of each component type. A sudoRole must +Each attribute listed above should contain a single value, but there +may be multiple instances of each attribute type. A \f(CW\*(C`sudoRole\*(C'\fR must contain at least one \f(CW\*(C`sudoUser\*(C'\fR, \f(CW\*(C`sudoHost\*(C'\fR and \f(CW\*(C`sudoCommand\*(C'\fR. .PP The following example allows users in group wheel to run any command 
@@ -295,7 +317,7 @@ netgroups and checks to see if the user belongs to any of them. .PP If timed entries are enabled with the \fB\s-1SUDOERS_TIMED\s0\fR configuration directive, the \s-1LDAP\s0 queries include a subfilter that limits retrieval -to entries that satisfy the time constraints, if any are present. +to entries that satisfy the time constraints, if any. .SS "Differences between \s-1LDAP\s0 and non-LDAP sudoers" .IX Subsection "Differences between LDAP and non-LDAP sudoers" There are some subtle differences in the way sudoers is handled @@ -304,7 +326,7 @@ once in \s-1LDAP\s0. Probably the biggest is that according to the \s-1RFC\s0, and Entries are returned in any specific order. .PP The order in which different entries are applied can be controlled -using the \fBsudoOrder\fR attribute, but there is no way to guarantee +using the \f(CW\*(C`sudoOrder\*(C'\fR attribute, but there is no way to guarantee the order of attributes within a specific entry. If there are conflicting command rules in an entry, the negative takes precedence. This is called paranoid behavior (not necessarily the most specific @@ -387,7 +409,7 @@ Also note that on systems using the OpenLDAP libraries, default values specified in \fI/etc/openldap/ldap.conf\fR or the user's \&\fI.ldaprc\fR files are not used. .PP -Only those options explicitly listed in \fI@ldap_conf@\fR that are +Only those options explicitly listed in \fI@ldap_conf@\fR as being supported by \fBsudo\fR are honored. Configuration options are listed below in upper case but are parsed in a case-independent manner. .IP "\fB\s-1URI\s0\fR ldap[s]://[hostname[:port]] ..." 4 
@@ -426,7 +448,7 @@ to wait while trying to connect to an \s-1LDAP\s0 server. If multiple \fB\s-1UR the next one in the list. .IP "\fB\s-1NETWORK_TIMEOUT\s0\fR seconds" 4 .IX Item "NETWORK_TIMEOUT seconds" -An alias for \fB\s-1BIND_TIMELIMIT\s0\fR. +An alias for \fB\s-1BIND_TIMELIMIT\s0\fR for OpenLDAP compatibility. .IP "\fB\s-1TIMELIMIT\s0\fR seconds" 4 .IX Item "TIMELIMIT seconds" The \fB\s-1TIMELIMIT\s0\fR parameter specifies the amount of time, in seconds, @@ -443,7 +465,7 @@ this is of the form \f(CW\*(C`ou=SUDOers,dc=example,dc=com\*(C'\fR for the domai in which case they are queried in the order specified. .IP "\fB\s-1SUDOERS_TIMED\s0\fR on/true/yes/off/false/no" 4 .IX Item "SUDOERS_TIMED on/true/yes/off/false/no" -Whether or not to evaluate the \fBsudoNotBefore\fR and \fBsudoNotAfter\fR +Whether or not to evaluate the \f(CW\*(C`sudoNotBefore\*(C'\fR and \f(CW\*(C`sudoNotAfter\*(C'\fR attributes that implement time-dependent sudoers entries. .IP "\fB\s-1SUDOERS_DEBUG\s0\fR debug_level" 4 .IX Item "SUDOERS_DEBUG debug_level" @@ -501,7 +523,7 @@ identity will not be authenticated. If possible, the \s-1CA\s0's certificate should be installed locally so it can be verified. .IP "\fB\s-1TLS_CACERT\s0\fR file name" 4 .IX Item "TLS_CACERT file name" -An alias for \fB\s-1TLS_CACERTFILE\s0\fR. +An alias for \fB\s-1TLS_CACERTFILE\s0\fR for OpenLDAP compatibility. .IP "\fB\s-1TLS_CACERTFILE\s0\fR file name" 4 .IX Item "TLS_CACERTFILE file name" The path to a certificate authority bundle which contains the certificates 
@@ -786,9 +808,10 @@ determines sudoers source order on \s-1AIX\s0 .Ve .SS "Sudo schema for OpenLDAP" .IX Subsection "Sudo schema for OpenLDAP" -The following schema is in OpenLDAP format. Simply copy it to the -schema directory (e.g. \fI/etc/openldap/schema\fR), add the proper -\&\f(CW\*(C`include\*(C'\fR line in \f(CW\*(C`slapd.conf\*(C'\fR and restart \fBslapd\fR. +The following schema, in OpenLDAP format, is included with \fBsudo\fR +source and binary distributions as \fIschema.OpenLDAP\fR. Simply copy +it to the schema directory (e.g. \fI/etc/openldap/schema\fR), add the +proper \f(CW\*(C`include\*(C'\fR line in \f(CW\*(C`slapd.conf\*(C'\fR and restart \fBslapd\fR. .PP .Vb 6 \& attributetype ( 1.3.6.1.4.1.15953.9.1.1 diff --git a/doc/sudoers.ldap.pod b/doc/sudoers.ldap.pod index 021e5b91a..0d1b473a2 100644 --- a/doc/sudoers.ldap.pod +++ b/doc/sudoers.ldap.pod @@ -68,14 +68,14 @@ is that in LDAP, B-specific Aliases are not supported. For the most part, there is really no need for B-specific Aliases. Unix groups or user netgroups can be used in place of -User_Aliases and RunasAliases. Host netgroups can be used in place -of HostAliases. Since Unix groups and netgroups can also be stored +User_Aliases and Runas_Aliases. Host netgroups can be used in place +of Host_Aliases. Since Unix groups and netgroups can also be stored in LDAP there is no real need for B-specific aliases. Cmnd_Aliases are not really required either since it is possible -to have multiple users listed in a sudoRole. Instead of defining +to have multiple users listed in a C. Instead of defining a Cmnd_Alias that is referenced by multiple users, one can create -a sudoRole that contains the commands and assign multiple users +a C that contains the commands and assign multiple users to it. =head2 SUDOers LDAP container 
@@ -97,7 +97,7 @@ in the environment for all users. sudoOption: env_keep+=SSH_AUTH_SOCK The equivalent of a sudoer in LDAP is a C. It consists of -the following components: +the following attributes: =over 4 
@@ -133,39 +133,61 @@ with a C<'+'>) that contains a list of users that commands may be run as. The special value C will match any user. +The C attribute is only available in B versions +1.7.0 and higher. Older versions of B use the C +attribute instead. + =item B A Unix group or gid (prefixed with C<'#'>) that commands may be run as. The special value C will match any group. +The C attribute is only available in B versions +1.7.0 and higher. + =item B -A timestamp in the form C that indicates start of validity -of this C. -If multiple B entries are present, the earliest is used. +A timestamp in the form C that can be used to provide +a start date/time for when the C will be valid. If +multiple C entries are present, the earliest is used. +Note that timestamps must be in Coordinated Universal Time (UTC), +not the local timezone. + +The C attribute is only available in B versions +1.7.5 and higher and must be explicitly enabled via the B +option in F<@ldap_conf@>. =item B -A timestamp in the form C that indicates end of validity -of this C. -If multiple B entries are present, the last one is used. +A timestamp in the form C that indicates an expiration +date/time, after which the C will no longer be valid. If +multiple C entries are present, the last one is used. +Note that timestamps must be in Coordinated Universal Time (UTC), +not the local timezone. + +The C attribute is only available in B versions +1.7.5 and higher and must be explicitly enabled via the B +option in F<@ldap_conf@>. =item B -The sudoRole entries retrieved from the LDAP directory have no -inherent order. The B attribute is an integer (or +The C entries retrieved from the LDAP directory have no +inherent order. The C attribute is an integer (or floating point value for LDAP servers that support it) that is used to sort the matching entries. This allows LDAP-based sudoers entries to more closely mimic the behaviour of the sudoers file, where the of the entries influences the result. 
If multiple entries match, -the entry with the highest B attribute is chosen. This +the entry with the highest C attribute is chosen. This corresponds to the "last match" behavior of the sudoers file. If -the B attribute is not present, a value of 0 is assumed. +the C attribute is not present, a value of 0 is assumed. + +The C attribute is only available in B versions +1.7.5 and higher. =back -Each component listed above should contain a single value, but there -may be multiple instances of each component type. A sudoRole must +Each attribute listed above should contain a single value, but there +may be multiple instances of each attribute type. A C must contain at least one C, C and C. The following example allows users in group wheel to run any command @@ -191,7 +213,7 @@ netgroups and checks to see if the user belongs to any of them. If timed entries are enabled with the B configuration directive, the LDAP queries include a subfilter that limits retrieval -to entries that satisfy the time constraints, if any are present. +to entries that satisfy the time constraints, if any. =head2 Differences between LDAP and non-LDAP sudoers @@ -201,7 +223,7 @@ LDAP ordering is arbitrary and you cannot expect that Attributes and Entries are returned in any specific order. The order in which different entries are applied can be controlled -using the B attribute, but there is no way to guarantee +using the C attribute, but there is no way to guarantee the order of attributes within a specific entry. If there are conflicting command rules in an entry, the negative takes precedence. This is called paranoid behavior (not necessarily the most specific 
@@ -282,7 +304,7 @@ Also note that on systems using the OpenLDAP libraries, default values specified in F or the user's F<.ldaprc> files are not used. -Only those options explicitly listed in F<@ldap_conf@> that are +Only those options explicitly listed in F<@ldap_conf@> as being supported by B are honored. Configuration options are listed below in upper case but are parsed in a case-independent manner. @@ -328,7 +350,7 @@ the next one in the list. =item B seconds -An alias for B. +An alias for B for OpenLDAP compatibility. =item B seconds @@ -349,7 +371,7 @@ in which case they are queried in the order specified. =item B on/true/yes/off/false/no -Whether or not to evaluate the B and B +Whether or not to evaluate the C and C attributes that implement time-dependent sudoers entries. =item B debug_level @@ -416,7 +438,7 @@ should be installed locally so it can be verified. =item B file name -An alias for B. +An alias for B for OpenLDAP compatibility. =item B file name @@ -705,9 +727,10 @@ determines sudoers source order on AIX =head2 Sudo schema for OpenLDAP -The following schema is in OpenLDAP format. Simply copy it to the -schema directory (e.g. F), add the proper -C line in C and restart B. +The following schema, in OpenLDAP format, is included with B +source and binary distributions as F. Simply copy +it to the schema directory (e.g. F), add the +proper C line in C and restart B. attributetype ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' -- 2.40.0
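Review bot: the new sudoNotAfter paragraph in the doc/sudoers.ldap.cat hunk `@@ -109,46 +109,67 @@` (and the matching doc/sudoers.ldap.man.in hunk `@@ -241,34 +241,56 @@`) names the wrong attribute: "If multiple sudoNotBefore entries are present, the last one is used." was carried over from the sudoNotBefore paragraph and should read "If multiple sudoNotAfter entries are present, ...". Since the .cat and .man.in files are generated from doc/sudoers.ldap.pod, fix it in the pod hunk `@@ -133,39 +133,61 @@` and regenerate the other two rather than hand-editing each copy.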
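Review bot: "the last one is used" for multiple sudoNotAfter values (pod hunk `@@ -133,39 +133,61 @@`, and the same wording in the .cat and .man.in hunks) is ambiguous, because the same document states in the `@@ -201,7 +223,7 @@` context that LDAP attribute order within an entry cannot be guaranteed, so "last" cannot mean last returned. If the intent is the latest timestamp, say "the latest is used" to parallel "the earliest is used" for sudoNotBefore, and it is worth adding one sentence that extra values therefore widen the validity window (earliest start, latest end) rather than narrow it, since an administrator reading this could assume the opposite.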
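Review bot: the sudoOrder paragraph touched by the pod hunk `@@ -133,39 +133,61 @@` still carries the pre-existing context line "where the of the entries influences the result", which is missing the word "order" ("where the order of the entries influences the result"). The hunk already rewrites the neighbouring lines of that paragraph, so this is the place to fix it; the same sentence recurs in the .cat and .man.in hunks and will follow once those are regenerated.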
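Review bot: most of the doc/sudoers.ldap.cat diff (the `@@ -169,11 +190,23 @@` hunk onward) is footer-date and page-break churn from re-rendering the page, which makes the substantive changes hard to spot in review. No change needed to the content, but please mention in the commit message that the .cat file is regenerated output, so reviewers know to read the .pod hunks for the actual wording changes.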