From e1db0d126f427e9630d0de089d722f77316ccbc1 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Sun, 20 Jan 2008 15:17:35 +0000 Subject: [PATCH] Substitute values for ldap.conf, ldap.secret and nsswitch.conf Move schema into EXAMPLES --- sudoers.ldap.cat | 208 ++++++++++++++++++++++---------------------- sudoers.ldap.man.in | 178 +++++++++++++++++++------------------ sudoers.ldap.pod | 141 ++++++++++++++++-------------- 3 files changed, 270 insertions(+), 257 deletions(-) diff --git a/sudoers.ldap.cat b/sudoers.ldap.cat index 0dc5cb06b..590aecbd0 100644 --- a/sudoers.ldap.cat +++ b/sudoers.ldap.cat @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.7 January 19, 2008 1 +1.7 January 20, 2008 1 @@ -127,7 +127,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7 January 19, 2008 2 +1.7 January 20, 2008 2 @@ -193,7 +193,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7 January 19, 2008 3 +1.7 January 20, 2008 3 
@@ -253,79 +253,13 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) (_s_c_h_e_m_a_._O_p_e_n_L_D_A_P) and another for Netscape-derived servers (_s_c_h_e_m_a_._i_P_l_a_n_e_t), may be found in the ssuuddoo distribution. - The schema for ssuuddoo in OpenLDAP form is included below. + The schema for ssuuddoo in OpenLDAP form is included in the + EXAMPLES section. - -1.7 January 19, 2008 4 - - - - - -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - - attributetype ( 1.3.6.1.4.1.15953.9.1.1 - NAME 'sudoUser' - DESC 'User(s) who may run sudo' - EQUALITY caseExactIA5Match - SUBSTR caseExactIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - - attributetype ( 1.3.6.1.4.1.15953.9.1.2 - NAME 'sudoHost' - DESC 'Host(s) who may run sudo' - EQUALITY caseExactIA5Match - SUBSTR caseExactIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - - attributetype ( 1.3.6.1.4.1.15953.9.1.3 - NAME 'sudoCommand' - DESC 'Command(s) to be executed by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - - attributetype ( 1.3.6.1.4.1.15953.9.1.4 - NAME 'sudoRunAs' - DESC 'User(s) impersonated by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - - attributetype ( 1.3.6.1.4.1.15953.9.1.5 - NAME 'sudoOption' - DESC 'Options(s) followed by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - - attributetype ( 1.3.6.1.4.1.15953.9.1.6 - NAME 'sudoRunAsUser' - DESC 'User(s) impersonated by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - - attributetype ( 1.3.6.1.4.1.15953.9.1.7 - NAME 'sudoRunAsGroup' - DESC 'Group(s) impersonated by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - - objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL - DESC 'Sudoer Entries' - MUST ( cn ) - MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ - sudoRunAsGroup $ sudoOption $ description ) - ) - - - - - - - -1.7 
January 19, 2008 5 +1.7 January 20, 2008 4 @@ -391,7 +325,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7 January 19, 2008 6 +1.7 January 20, 2008 5 @@ -436,7 +370,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) the form of a Distinguished Name (DN), to use when performing privileged LDAP operations, such as _s_u_d_o_e_r_s queries. The password corresponding to the identity - should be stored in If not speci- + should be stored in _/_e_t_c_/_l_d_a_p_._s_e_c_r_e_t. If not speci- fied, the BBIINNDDDDNN identity is used (if any). LDAP_VERSION number @@ -457,7 +391,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7 January 19, 2008 7 +1.7 January 20, 2008 6 @@ -523,7 +457,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7 January 19, 2008 8 +1.7 January 20, 2008 7 @@ -589,7 +523,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7 January 19, 2008 9 +1.7 January 20, 2008 8 @@ -622,13 +556,12 @@ FFIILLEESS _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f determines sudoers source order EEXXAAMMPPLLEESS - XXXXXX nnsssswwiittcchh..ccoonnff eexxaammppllee?? + EExxaammppllee llddaapp..ccoonnff + - XXXXXX ssuuddooeerrss llddiiff eexxaammppllee?? - EExxaammppllee llddaapp..ccoonnff @@ -655,7 +588,8 @@ EEXXAAMMPPLLEESS -1.7 January 19, 2008 10 + +1.7 January 20, 2008 9 @@ -694,7 +628,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) # optional proxy credentials #binddn #bindpw - #rootbinddn + #rootbinddn # # LDAP protocol version, defaults to 3 #ldap_version 3 @@ -721,7 +655,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7 January 19, 2008 11 +1.7 January 20, 2008 10 
@@ -772,22 +706,22 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) # sasl_secprops none # krb5_ccname /etc/.ldapcache -SSEEEE AALLSSOO - _l_d_a_p_._c_o_n_f(4), _s_u_d_o_e_r_s(4) + SSuuddoo sscchheemmaa ffoorr OOppeennLLDDAAPP + + The following schema is in OpenLDAP format. Simply copy + it to the schema directory (e.g. _/_e_t_c_/_o_p_e_n_l_d_a_p_/_s_c_h_e_m_a), + add the proper include line in slapd.conf and restart + ssllaappdd. + + -CCAAVVEEAATTSS - parsing differences between LDAP and file sudoers -BBUUGGSS - If you feel you have found a bug in ssuuddoo, please submit a - bug report at http://www.sudo.ws/sudo/bugs/ -SSUUPPPPOORRTT - Limited free support is available via the sudo-users -1.7 January 19, 2008 12 + +1.7 January 20, 2008 11 
@@ -796,19 +730,56 @@ SSUUPPPPOORRTT SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - mailing list, see http://www.sudo.ws/mail- - man/listinfo/sudo-users to subscribe or search the - archives. + attributetype ( 1.3.6.1.4.1.15953.9.1.1 + NAME 'sudoUser' + DESC 'User(s) who may run sudo' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) -DDIISSCCLLAAIIMMEERR - ssuuddoo is provided ``AS IS'' and any express or implied war- - ranties, including, but not limited to, the implied war- - ranties of merchantability and fitness for a particular - purpose are disclaimed. See the LICENSE file distributed - with ssuuddoo or http://www.sudo.ws/sudo/license.html for com- - plete details. + attributetype ( 1.3.6.1.4.1.15953.9.1.2 + NAME 'sudoHost' + DESC 'Host(s) who may run sudo' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + + attributetype ( 1.3.6.1.4.1.15953.9.1.3 + NAME 'sudoCommand' + DESC 'Command(s) to be executed by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + + attributetype ( 1.3.6.1.4.1.15953.9.1.4 + NAME 'sudoRunAs' + DESC 'User(s) impersonated by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + + attributetype ( 1.3.6.1.4.1.15953.9.1.5 + NAME 'sudoOption' + DESC 'Options(s) followed by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + + attributetype ( 1.3.6.1.4.1.15953.9.1.6 + NAME 'sudoRunAsUser' + DESC 'User(s) impersonated by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + attributetype ( 1.3.6.1.4.1.15953.9.1.7 + NAME 'sudoRunAsGroup' + DESC 'Group(s) impersonated by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL + DESC 'Sudoer Entries' + MUST ( cn ) + MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser 
$ + sudoRunAsGroup $ sudoOption $ description ) + ) @@ -816,16 +787,45 @@ DDIISSCCLLAAIIMMEERR +1.7 January 20, 2008 12 +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + + XXXXXX nnsssswwiittcchh..ccoonnff eexxaammppllee?? + XXXXXX mmoorree eexxhhaauussttiivvee ssuuddooeerrss llddiiff eexxaammppllee?? +SSEEEE AALLSSOO + _l_d_a_p_._c_o_n_f(4), _s_u_d_o_e_r_s(4) + +CCAAVVEEAATTSS + parsing differences between LDAP and file sudoers + +BBUUGGSS + If you feel you have found a bug in ssuuddoo, please submit a + bug report at http://www.sudo.ws/sudo/bugs/ + +SSUUPPPPOORRTT + Limited free support is available via the sudo-users mail- + ing list, see http://www.sudo.ws/mail- + man/listinfo/sudo-users to subscribe or search the + archives. + +DDIISSCCLLAAIIMMEERR + ssuuddoo is provided ``AS IS'' and any express or implied war- + ranties, including, but not limited to, the implied war- + ranties of merchantability and fitness for a particular + purpose are disclaimed. See the LICENSE file distributed + with ssuuddoo or http://www.sudo.ws/sudo/license.html for com- + plete details. + @@ -853,6 +853,6 @@ DDIISSCCLLAAIIMMEERR -1.7 January 19, 2008 13 +1.7 January 20, 2008 13 diff --git a/sudoers.ldap.man.in b/sudoers.ldap.man.in index a01295cd9..d1952a680 100644 --- a/sudoers.ldap.man.in +++ b/sudoers.ldap.man.in @@ -146,7 +146,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS.LDAP @mansectform@" -.TH SUDOERS.LDAP @mansectform@ "January 19, 2008" "1.7" "MAINTENANCE COMMANDS" +.TH SUDOERS.LDAP @mansectform@ "January 20, 2008" "1.7" "MAINTENANCE COMMANDS" .SH "NAME" sudoers.ldap \- sudo LDAP configuration .SH "DESCRIPTION" 
@@ -357,87 +357,21 @@ Two versions of the schema, one for OpenLDAP servers (\fIschema.OpenLDAP\fR) and another for Netscape-derived servers (\fIschema.iPlanet\fR), may be found in the \fBsudo\fR distribution. .PP -The schema for \fBsudo\fR in OpenLDAP form is included below. -.PP -.Vb 6 -\& attributetype ( 1.3.6.1.4.1.15953.9.1.1 -\& NAME 'sudoUser' -\& DESC 'User(s) who may run sudo' -\& EQUALITY caseExactIA5Match -\& SUBSTR caseExactIA5SubstringsMatch -\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) -.Ve -.PP -.Vb 6 -\& attributetype ( 1.3.6.1.4.1.15953.9.1.2 -\& NAME 'sudoHost' -\& DESC 'Host(s) who may run sudo' -\& EQUALITY caseExactIA5Match -\& SUBSTR caseExactIA5SubstringsMatch -\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) -.Ve -.PP -.Vb 5 -\& attributetype ( 1.3.6.1.4.1.15953.9.1.3 -\& NAME 'sudoCommand' -\& DESC 'Command(s) to be executed by sudo' -\& EQUALITY caseExactIA5Match -\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) -.Ve -.PP -.Vb 5 -\& attributetype ( 1.3.6.1.4.1.15953.9.1.4 -\& NAME 'sudoRunAs' -\& DESC 'User(s) impersonated by sudo' -\& EQUALITY caseExactIA5Match -\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) -.Ve -.PP -.Vb 5 -\& attributetype ( 1.3.6.1.4.1.15953.9.1.5 -\& NAME 'sudoOption' -\& DESC 'Options(s) followed by sudo' -\& EQUALITY caseExactIA5Match -\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) -.Ve -.PP -.Vb 5 -\& attributetype ( 1.3.6.1.4.1.15953.9.1.6 -\& NAME 'sudoRunAsUser' -\& DESC 'User(s) impersonated by sudo' -\& EQUALITY caseExactIA5Match -\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) -.Ve -.PP -.Vb 5 -\& attributetype ( 1.3.6.1.4.1.15953.9.1.7 -\& NAME 'sudoRunAsGroup' -\& DESC 'Group(s) impersonated by sudo' -\& EQUALITY caseExactIA5Match -\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) -.Ve -.PP -.Vb 6 -\& objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL -\& DESC 'Sudoer Entries' -\& MUST ( cn ) -\& MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ -\& sudoRunAsGroup $ sudoOption $ description ) -\& ) -.Ve 
+The schema for \fBsudo\fR in OpenLDAP form is included in the \s-1EXAMPLES\s0 +section. .Sh "Configuring ldap.conf" .IX Subsection "Configuring ldap.conf" -Sudo reads the \fI/etc/ldap.conf\fR file for LDAP-specific configuration. +Sudo reads the \fI@ldap_conf@\fR file for LDAP-specific configuration. Typically, this file is shared amongst different LDAP-aware clients. As such, most of the settings are not \fBsudo\fR\-specific. Note that -\&\fBsudo\fR parses \fI/etc/ldap.conf\fR itself and may support options -that differ from those described in the \fIldap.conf\fR\|(4) manual. +\&\fBsudo\fR parses \fI@ldap_conf@\fR itself and may support options +that differ from those described in the \fIldap.conf\fR\|(@mansectform@) manual. .PP Also note that on systems using the OpenLDAP libraries, default values specified in \fI/etc/openldap/ldap.conf\fR or the user's \&\fI.ldaprc\fR files are not used. .PP -Only those options explicitly listed in \fI/etc/ldap.conf\fR that are +Only those options explicitly listed in \fI@ldap_conf@\fR that are supported by \fBsudo\fR are honored. Configuration options are listed below in upper case but are parsed in a case-independent manner. .IP "\s-1URI\s0 ldap[s]://[hostname[:port]] ..." 4 @@ -505,7 +439,7 @@ The \fB\s-1BINDPW\s0\fR parameter specifies the password to use when performing The \fB\s-1ROOTBINDDN\s0\fR parameter specifies the identity, in the form of a Distinguished Name (\s-1DN\s0), to use when performing privileged \s-1LDAP\s0 operations, such as \fIsudoers\fR queries. The password corresponding -to the identity should be stored in +to the identity should be stored in \fI@ldap_secret@\fR. If not specified, the \fB\s-1BINDDN\s0\fR identity is used (if any). .IP "\s-1LDAP_VERSION\s0 number" 4 .IX Item "LDAP_VERSION number" 
@@ -616,7 +550,7 @@ with the remote server. See the \f(CW\*(C`ldap.conf\*(C'\fR entry in the \s-1EXAMPLES\s0 section. .Sh "Configuring nsswitch.conf" .IX Subsection "Configuring nsswitch.conf" -Sudo consults the Name Service Switch file, \fI/etc/nsswitch.conf\fR, +Sudo consults the Name Service Switch file, \fI@nsswitch_conf@\fR, to specify the \fIsudoers\fR search order. Sudo looks for a line beginning with \f(CW\*(C`sudoers:\*(C'\fR and uses this to determine the search order. Note that \fBsudo\fR does not stop searching after the first @@ -645,29 +579,25 @@ The local \fIsudoers\fR file can be ignored completely by using: \& sudoers: ldap .Ve .PP -If the \fI/etc/nsswitch.conf\fR file is not present or there is no +If the \fI@nsswitch_conf@\fR file is not present or there is no sudoers line, the following default is assumed: .PP .Vb 1 \& sudoers: files .Ve .PP -Note that \fI/etc/nsswitch.conf\fR is supported even when the underlying +Note that \fI@nsswitch_conf@\fR is supported even when the underlying operating system does not use an nsswitch.conf file. .SH "FILES" .IX Header "FILES" -.IP "\fI/etc/ldap.conf\fR" 24 -.IX Item "/etc/ldap.conf" +.IP "\fI@ldap_conf@\fR" 24 +.IX Item "@ldap_conf@" \&\s-1LDAP\s0 configuration file -.IP "\fI/etc/nsswitch.conf\fR" 24 -.IX Item "/etc/nsswitch.conf" +.IP "\fI@nsswitch_conf@\fR" 24 +.IX Item "@nsswitch_conf@" determines sudoers source order .SH "EXAMPLES" .IX Header "EXAMPLES" -.Sh "\s-1XXX\s0 nsswitch.conf example?" -.IX Subsection "XXX nsswitch.conf example?" -.Sh "\s-1XXX\s0 sudoers ldif example?" -.IX Subsection "XXX sudoers ldif example?" .Sh "Example ldap.conf" .IX Subsection "Example ldap.conf" .Vb 95 @@ -701,7 +631,7 @@ determines sudoers source order \& # optional proxy credentials \& #binddn \& #bindpw -\& #rootbinddn +\& #rootbinddn \& # \& # LDAP protocol version, defaults to 3 \& #ldap_version 3 
@@ -767,6 +697,82 @@ determines sudoers source order
 \& # sasl_secprops none
 \& # krb5_ccname /etc/.ldapcache
 .Ve
+.Sh "Sudo schema for OpenLDAP"
+.IX Subsection "Sudo schema for OpenLDAP"
+The following schema is in OpenLDAP format. Simply copy it to the
+schema directory (e.g. \fI/etc/openldap/schema\fR), add the proper
+\&\f(CW\*(C`include\*(C'\fR line in \f(CW\*(C`slapd.conf\*(C'\fR and restart \fBslapd\fR.
+.PP
+.Vb 6
+\& attributetype ( 1.3.6.1.4.1.15953.9.1.1
+\& NAME 'sudoUser'
+\& DESC 'User(s) who may run sudo'
+\& EQUALITY caseExactIA5Match
+\& SUBSTR caseExactIA5SubstringsMatch
+\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+.Ve
+.PP
+.Vb 6
+\& attributetype ( 1.3.6.1.4.1.15953.9.1.2
+\& NAME 'sudoHost'
+\& DESC 'Host(s) who may run sudo'
+\& EQUALITY caseExactIA5Match
+\& SUBSTR caseExactIA5SubstringsMatch
+\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+.Ve
+.PP
+.Vb 5
+\& attributetype ( 1.3.6.1.4.1.15953.9.1.3
+\& NAME 'sudoCommand'
+\& DESC 'Command(s) to be executed by sudo'
+\& EQUALITY caseExactIA5Match
+\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+.Ve
+.PP
+.Vb 5
+\& attributetype ( 1.3.6.1.4.1.15953.9.1.4
+\& NAME 'sudoRunAs'
+\& DESC 'User(s) impersonated by sudo'
+\& EQUALITY caseExactIA5Match
+\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+.Ve
+.PP
+.Vb 5
+\& attributetype ( 1.3.6.1.4.1.15953.9.1.5
+\& NAME 'sudoOption'
+\& DESC 'Options(s) followed by sudo'
+\& EQUALITY caseExactIA5Match
+\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+.Ve
+.PP
+.Vb 5
+\& attributetype ( 1.3.6.1.4.1.15953.9.1.6
+\& NAME 'sudoRunAsUser'
+\& DESC 'User(s) impersonated by sudo'
+\& EQUALITY caseExactIA5Match
+\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+.Ve
+.PP
+.Vb 5
+\& attributetype ( 1.3.6.1.4.1.15953.9.1.7
+\& NAME 'sudoRunAsGroup'
+\& DESC 'Group(s) impersonated by sudo'
+\& EQUALITY caseExactIA5Match
+\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+.Ve
+.PP
+.Vb 6
+\& objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
+\& DESC 'Sudoer Entries'
+\& MUST ( cn )
+\& MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
+\& sudoRunAsGroup $ sudoOption $ description )
+\& )
+.Ve
+.Sh "\s-1XXX\s0 nsswitch.conf example?"
+.IX Subsection "XXX nsswitch.conf example?"
+.Sh "\s-1XXX\s0 more exhaustive sudoers ldif example?"
+.IX Subsection "XXX more exhaustive sudoers ldif example?"
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
 \&\fIldap.conf\fR\|(4), \fIsudoers\fR\|(4)
diff --git a/sudoers.ldap.pod b/sudoers.ldap.pod
index f26dfe7ac..000b860e0 100644
--- a/sudoers.ldap.pod
+++ b/sudoers.ldap.pod
@@ -241,72 +241,22 @@ Two versions of the schema, one for OpenLDAP servers (F) and another for Netscape-derived servers (F), may be found in the B distribution. -The schema for B in OpenLDAP form is included below. - - attributetype ( 1.3.6.1.4.1.15953.9.1.1 - NAME 'sudoUser' - DESC 'User(s) who may run sudo' - EQUALITY caseExactIA5Match - SUBSTR caseExactIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - - attributetype ( 1.3.6.1.4.1.15953.9.1.2 - NAME 'sudoHost' - DESC 'Host(s) who may run sudo' - EQUALITY caseExactIA5Match - SUBSTR caseExactIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - - attributetype ( 1.3.6.1.4.1.15953.9.1.3 - NAME 'sudoCommand' - DESC 'Command(s) to be executed by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - - attributetype ( 1.3.6.1.4.1.15953.9.1.4 - NAME 'sudoRunAs' - DESC 'User(s) impersonated by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - - attributetype ( 1.3.6.1.4.1.15953.9.1.5 - NAME 'sudoOption' - DESC 'Options(s) followed by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - - attributetype ( 1.3.6.1.4.1.15953.9.1.6 - NAME 'sudoRunAsUser' - DESC 'User(s) impersonated by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - - attributetype ( 1.3.6.1.4.1.15953.9.1.7 - NAME 'sudoRunAsGroup' - DESC 'Group(s) impersonated by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - - objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL - DESC 'Sudoer Entries' - MUST ( cn ) - MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ - sudoRunAsGroup $ sudoOption $ description ) - ) +The schema for B in OpenLDAP form is included in the L +section. =head2 Configuring ldap.conf -Sudo reads the F file for LDAP-specific configuration. +Sudo reads the F<@ldap_conf@> file for LDAP-specific configuration. 
Typically, this file is shared amongst different LDAP-aware clients. As such, most of the settings are not B-specific. Note that -B parses F itself and may support options -that differ from those described in the L manual. +B parses F<@ldap_conf@> itself and may support options +that differ from those described in the L manual. Also note that on systems using the OpenLDAP libraries, default values specified in F or the user's F<.ldaprc> files are not used. -Only those options explicitly listed in F that are +Only those options explicitly listed in F<@ldap_conf@> that are supported by B are honored. Configuration options are listed below in upper case but are parsed in a case-independent manner. @@ -386,7 +336,7 @@ B parameter. The B parameter specifies the identity, in the form of a Distinguished Name (DN), to use when performing privileged LDAP operations, such as I queries. The password corresponding -to the identity should be stored in +to the identity should be stored in F<@ldap_secret@>. If not specified, the B identity is used (if any). =item LDAP_VERSION number @@ -520,7 +470,7 @@ See the C entry in the L section. =head2 Configuring nsswitch.conf -Sudo consults the Name Service Switch file, F, +Sudo consults the Name Service Switch file, F<@nsswitch_conf@>, to specify the I search order. Sudo looks for a line beginning with C and uses this to determine the search order. Note that B does not stop searching after the first 
@@ -543,23 +493,23 @@ The local I file can be ignored completely by using: sudoers: ldap -If the F file is not present or there is no +If the F<@nsswitch_conf@> file is not present or there is no sudoers line, the following default is assumed: sudoers: files -Note that F is supported even when the underlying +Note that F<@nsswitch_conf@> is supported even when the underlying operating system does not use an nsswitch.conf file. =head1 FILES =over 24 -=item F +=item F<@ldap_conf@> LDAP configuration file -=item F +=item F<@nsswitch_conf@> determines sudoers source order @@ -567,10 +517,6 @@ determines sudoers source order =head1 EXAMPLES -=head2 XXX nsswitch.conf example? - -=head2 XXX sudoers ldif example? - =head2 Example ldap.conf # Either specify one or more URIs or one or more host:port pairs. @@ -603,7 +549,7 @@ determines sudoers source order # optional proxy credentials #binddn #bindpw - #rootbinddn + #rootbinddn # # LDAP protocol version, defaults to 3 #ldap_version 3 
@@ -669,6 +615,67 @@ determines sudoers source order # sasl_secprops none # krb5_ccname /etc/.ldapcache +=head2 Sudo schema for OpenLDAP + +The following schema is in OpenLDAP format. Simply copy it to the +schema directory (e.g. F), add the proper +C line in C and restart B. + + attributetype ( 1.3.6.1.4.1.15953.9.1.1 + NAME 'sudoUser' + DESC 'User(s) who may run sudo' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + + attributetype ( 1.3.6.1.4.1.15953.9.1.2 + NAME 'sudoHost' + DESC 'Host(s) who may run sudo' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + + attributetype ( 1.3.6.1.4.1.15953.9.1.3 + NAME 'sudoCommand' + DESC 'Command(s) to be executed by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + + attributetype ( 1.3.6.1.4.1.15953.9.1.4 + NAME 'sudoRunAs' + DESC 'User(s) impersonated by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + + attributetype ( 1.3.6.1.4.1.15953.9.1.5 + NAME 'sudoOption' + DESC 'Options(s) followed by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + + attributetype ( 1.3.6.1.4.1.15953.9.1.6 + NAME 'sudoRunAsUser' + DESC 'User(s) impersonated by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + + attributetype ( 1.3.6.1.4.1.15953.9.1.7 + NAME 'sudoRunAsGroup' + DESC 'Group(s) impersonated by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + + objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL + DESC 'Sudoer Entries' + MUST ( cn ) + MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ + sudoRunAsGroup $ sudoOption $ description ) + ) + +=head2 XXX nsswitch.conf example? + +=head2 XXX more exhaustive sudoers ldif example? + =head1 SEE ALSO L, L -- 2.40.0