From e8d589006f668a5133eee4e9086947143f9d8fd0 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Mon, 28 Jun 2010 09:08:34 -0400 Subject: [PATCH] Mention that multiple URI lines are merged into a single one. --HG-- branch : 1.7 --- sudoers.ldap.cat | 62 ++++++++++++++++++++++----------------------- sudoers.ldap.man.in | 20 ++++++++------- sudoers.ldap.pod | 18 +++++++------ 3 files changed, 52 insertions(+), 48 deletions(-) diff --git a/sudoers.ldap.cat b/sudoers.ldap.cat index f117d2ebe..db88c6922 100644 --- a/sudoers.ldap.cat +++ b/sudoers.ldap.cat @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.7.3rc1 June 25, 2010 1 +1.7.3rc1 June 28, 2010 1 @@ -127,7 +127,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7.3rc1 June 25, 2010 2 +1.7.3rc1 June 28, 2010 2 @@ -193,7 +193,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7.3rc1 June 25, 2010 3 +1.7.3rc1 June 28, 2010 3 @@ -259,7 +259,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7.3rc1 June 25, 2010 4 +1.7.3rc1 June 28, 2010 4 @@ -268,10 +268,12 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - ssuuddoo will connect to llooccaallhhoosstt. Only systems using the OpenSSL - libraries support the mixing of ldap:// and ldaps:// URIs. The - Netscape-derived libraries used on most commercial versions of Unix - are only capable of supporting one or the other. + ssuuddoo will connect to llooccaallhhoosstt. Multiple UURRII lines are treated + identically to a UURRII line containing multiple entries. Only + systems using the OpenSSL libraries support the mixing of ldap:// + and ldaps:// URIs. The Netscape-derived libraries used on most + commercial versions of Unix are only capable of supporting one or + the other. HHOOSSTT name[:port] ... If no UURRII is specified, the HHOOSSTT parameter specifies a whitespace- 
@@ -319,13 +321,11 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) identity. By default, most LDAP servers will allow anonymous access. - BBIINNDDPPWW secret - The BBIINNDDPPWW parameter specifies the password to use when performing - LDAP operations. This is typically used in conjunction with the -1.7.3rc1 June 25, 2010 5 + +1.7.3rc1 June 28, 2010 5 @@ -334,6 +334,9 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + BBIINNDDPPWW secret + The BBIINNDDPPWW parameter specifies the password to use when performing + LDAP operations. This is typically used in conjunction with the BBIINNDDDDNN parameter. RROOOOTTBBIINNDDDDNN DN @@ -386,12 +389,9 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) used to authenticate the client to the LDAP server. The certificate type depends on the LDAP libraries used. - OpenLDAP: - tls_cert /etc/ssl/client_cert.pem - -1.7.3rc1 June 25, 2010 6 +1.7.3rc1 June 28, 2010 6 @@ -400,6 +400,9 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + OpenLDAP: + tls_cert /etc/ssl/client_cert.pem + Netscape-derived: tls_cert /var/ldap/cert7.db @@ -452,12 +455,9 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) The path to the Kerberos 5 credential cache to use when authenticating with the remote server. - See the ldap.conf entry in the EXAMPLES section. - - -1.7.3rc1 June 25, 2010 7 +1.7.3rc1 June 28, 2010 7 @@ -466,6 +466,8 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + See the ldap.conf entry in the EXAMPLES section. + CCoonnffiigguurriinngg nnsssswwiittcchh..ccoonnff Unless it is disabled at build time, ssuuddoo consults the Name Service Switch file, _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f, to specify the _s_u_d_o_e_r_s search order. 
@@ -519,11 +521,9 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) sudoers = ldap = auth, files - Note that in the above example, the auth qualfier only affects user - -1.7.3rc1 June 25, 2010 8 +1.7.3rc1 June 28, 2010 8 @@ -532,6 +532,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + Note that in the above example, the auth qualfier only affects user lookups; both LDAP and _s_u_d_o_e_r_s will be queried for Defaults entries. If the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is not present or there is no sudoers @@ -585,11 +586,10 @@ EEXXAAMMPPLLEESS # # Define if you want to use an encrypted LDAP connection. # Typically, you must also set the port to 636 (ldaps). - #ssl on -1.7.3rc1 June 25, 2010 9 +1.7.3rc1 June 28, 2010 9 @@ -598,6 +598,7 @@ EEXXAAMMPPLLEESS SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + #ssl on # # Define if you want to use port 389 and switch to # encryption before the bind credentials are sent. @@ -651,11 +652,10 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) # # The certificate database specified by tls_cert may contain CA certs # and/or the client's cert. If the client's cert is included, tls_key - # should be specified as well. -1.7.3rc1 June 25, 2010 10 +1.7.3rc1 June 28, 2010 10 @@ -664,6 +664,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + # should be specified as well. # For backward compatibility, "sslpath" may be used in place of tls_cert. #tls_cert /var/ldap #tls_key /var/ldap @@ -717,11 +718,10 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) -1.7.3rc1 June 25, 2010 11 +1.7.3rc1 June 28, 2010 11 
@@ -730,6 +730,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' @@ -786,7 +787,6 @@ DDIISSCCLLAAIIMMEERR - -1.7.3rc1 June 25, 2010 12 +1.7.3rc1 June 28, 2010 12 diff --git a/sudoers.ldap.man.in b/sudoers.ldap.man.in index aa240df9d..014786291 100644 --- a/sudoers.ldap.man.in +++ b/sudoers.ldap.man.in @@ -140,7 +140,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS.LDAP @mansectform@" -.TH SUDOERS.LDAP @mansectform@ "June 25, 2010" "1.7.3rc1" "MAINTENANCE COMMANDS" +.TH SUDOERS.LDAP @mansectform@ "June 28, 2010" "1.7.3rc1" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -364,14 +364,16 @@ below in upper case but are parsed in a case-independent manner.
 .IP "\fB\s-1URI\s0\fR ldap[s]://[hostname[:port]] ..." 4
 .IX Item "URI ldap[s]://[hostname[:port]] ..."
 Specifies a whitespace-delimited list of one or more URIs describing
-the \s-1LDAP\s0 server(s) to connect to. The \fIprotocol\fR may be either \fBldap\fR
-or \fBldaps\fR, the latter being for servers that support \s-1TLS\s0 (\s-1SSL\s0)
-encryption. If no \fIport\fR is specified, the default is port 389 for
-\&\f(CW\*(C`ldap://\*(C'\fR or port 636 for \f(CW\*(C`ldaps://\*(C'\fR. If no \fIhostname\fR is specified,
-\&\fBsudo\fR will connect to \fBlocalhost\fR. Only systems using the OpenSSL
-libraries support the mixing of \f(CW\*(C`ldap://\*(C'\fR and \f(CW\*(C`ldaps://\*(C'\fR URIs.
-The Netscape-derived libraries used on most commercial versions of
-Unix are only capable of supporting one or the other.
+the \s-1LDAP\s0 server(s) to connect to. The \fIprotocol\fR may be either
+\&\fBldap\fR or \fBldaps\fR, the latter being for servers that support \s-1TLS\s0
+(\s-1SSL\s0) encryption. If no \fIport\fR is specified, the default is port
+389 for \f(CW\*(C`ldap://\*(C'\fR or port 636 for \f(CW\*(C`ldaps://\*(C'\fR. If no \fIhostname\fR
+is specified, \fBsudo\fR will connect to \fBlocalhost\fR. Multiple \fB\s-1URI\s0\fR
+lines are treated identically to a \fB\s-1URI\s0\fR line containing multiple
+entries. Only systems using the OpenSSL libraries support the
+mixing of \f(CW\*(C`ldap://\*(C'\fR and \f(CW\*(C`ldaps://\*(C'\fR URIs. The Netscape-derived
+libraries used on most commercial versions of Unix are only capable
+of supporting one or the other.
 .IP "\fB\s-1HOST\s0\fR name[:port] ..." 4
 .IX Item "HOST name[:port] ..."
 If no \fB\s-1URI\s0\fR is specified, the \fB\s-1HOST\s0\fR parameter specifies a
diff --git a/sudoers.ldap.pod b/sudoers.ldap.pod
index 7dabfaa90..d3d160933 100644
--- a/sudoers.ldap.pod
+++ b/sudoers.ldap.pod
@@ -259,14 +259,16 @@ below in upper case but are parsed in a case-independent manner. =item B ldap[s]://[hostname[:port]] ... Specifies a whitespace-delimited list of one or more URIs describing -the LDAP server(s) to connect to. The I may be either B -or B, the latter being for servers that support TLS (SSL) -encryption. If no I is specified, the default is port 389 for -C or port 636 for C. If no I is specified, -B will connect to B. Only systems using the OpenSSL -libraries support the mixing of C and C URIs. -The Netscape-derived libraries used on most commercial versions of -Unix are only capable of supporting one or the other. +the LDAP server(s) to connect to. The I may be either +B or B, the latter being for servers that support TLS +(SSL) encryption. If no I is specified, the default is port +389 for C or port 636 for C. If no I +is specified, B will connect to B. Multiple B +lines are treated identically to a B line containing multiple +entries. Only systems using the OpenSSL libraries support the +mixing of C and C URIs. The Netscape-derived +libraries used on most commercial versions of Unix are only capable +of supporting one or the other. =item B name[:port] ... -- 2.49.0