1 .\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
2 .\" IT IS GENERATED AUTOMATICALLY FROM sudoers.ldap.mdoc.in
4 .\" Copyright (c) 2003-2016 Todd C. Miller <Todd.Miller@courtesan.com>
6 .\" Permission to use, copy, modify, and distribute this software for any
7 .\" purpose with or without fee is hereby granted, provided that the above
8 .\" copyright notice and this permission notice appear in all copies.
10 .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
19 .TH "SUDOERS.LDAP" "5" "June 15, 2016" "Sudo 1.8.17" "File Formats Manual"
24 \- sudo LDAP configuration
26 In addition to the standard
32 This can be especially useful for synchronizing
34 in a large, distributed environment.
42 no longer needs to read
45 When LDAP is used, there are only two or three LDAP queries per invocation.
46 This makes it especially fast and particularly usable in LDAP environments.
50 no longer exits if there is a typo in
52 It is not possible to load LDAP data into the server that does
53 not conform to the sudoers schema, so proper syntax is guaranteed.
54 It is still possible to have typos in a user or host name, but
60 It is possible to specify per-entry options that override the global
63 only supports default options and limited options associated with
64 user/host/commands/aliases.
65 The syntax is complicated and can be difficult for users to understand.
66 Placing the options directly in the entry is more natural.
71 program is no longer needed.
73 provides locking and syntax checking of the
76 Since LDAP updates are atomic, locking is no longer necessary.
77 Because syntax is checked when the data is inserted into LDAP, there
78 is no need for a specialized tool to check syntax.
80 Another major difference between LDAP and file-based
84 Aliases are not supported.
86 For the most part, there is really no need for
89 Unix groups, non-Unix groups (via the
91 or user netgroups can be used in place of User_Aliases and Runas_Aliases.
92 Host netgroups can be used in place of Host_Aliases.
93 Since groups and netgroups can also be stored in LDAP there is no real need for
97 Cmnd_Aliases are not really required either since it is possible
98 to have multiple users listed in a
100 Instead of defining a Cmnd_Alias that is referenced by multiple users,
103 that contains the commands and assign multiple users to it.
104 .SS "SUDOers LDAP container"
107 configuration is contained in the
111 Sudo first looks for the
113 entry in the SUDOers container.
114 If found, the multi-valued
116 attribute is parsed in the same manner as a global
120 In the following example, the
122 variable will be preserved in the environment for all users.
126 dn: cn=defaults,ou=SUDOers,dc=example,dc=com
128 objectClass: sudoRole
130 description: Default sudoOption's go here
131 sudoOption: env_keep+=SSH_AUTH_SOCK
135 The equivalent of a sudoer in LDAP is a
137 It consists of the following attributes:
140 A user name, user ID (prefixed with
142 Unix group name or ID (prefixed with
146 respectively), user netgroup (prefixed with
148 or non-Unix group name or ID (prefixed with
153 User netgroups are matched using the user and domain members only;
154 the host member is not used when matching.
155 Non-Unix group support is only available when an appropriate
157 is defined in the global
163 A host name, IP address, IP network, or host netgroup (prefixed with a
168 Host netgroups are matched using the host (both qualified and unqualified)
169 and domain members only; the user member is not used when matching.
172 A fully-qualified Unix command name with optional command line arguments,
173 potentially including globbing characters (aka wild cards).
174 If a command name is preceded by an exclamation point,
176 the user will be prohibited from running that command.
179 \(Lq\fRsudoedit\fR\(Rq
180 is used to permit a user to run
186 It may take command line arguments just as a normal command does.
188 \(Lq\fRsudoedit\fR\(Rq
189 is a command built into
itself and must be specified without a leading path.
195 will match any command.
197 If a command name is prefixed with a SHA-2 digest, it will
198 only be allowed if the digest matches.
199 This may be useful in situations where the user invoking
201 has write access to the command or its parent directory.
202 The following digest formats are supported: sha224, sha256, sha384 and sha512.
203 The digest name must be followed by a colon
205 and then the actual digest, in either hex or base64 format.
206 For example, given the following value for sudoCommand:
210 sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ /bin/ls
215 The user may only run
217 if its sha224 digest matches the specified value.
218 Command digests are only supported by version 1.8.7 or higher.
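.PP
The following helper, added here as an illustration and not part of the
sudo distribution, builds and checks digest-prefixed sudoCommand values
in both the hex and the base64 form described above.
The function names, and the sample file content passed to them, are this
example's own assumptions; the manual's example value is shown unpadded, so
the base64 form emitted here drops the trailing padding as well.

```python
"""Build and check sudoCommand values that carry a SHA-2 digest prefix,
i.e. "<alg>:<digest> /path/to/command", as described above.
Added example, not sudo's own code; the helper names are this example's."""
import base64
import hashlib
import hmac

# digest name -> raw digest length in bytes (the four forms sudo accepts)
DIGEST_SIZES = {"sha224": 28, "sha256": 32, "sha384": 48, "sha512": 64}


def make_sudo_command(command_bytes, path, alg="sha224", encoding="base64"):
    """Return a sudoCommand value pinning `path` to the digest of `command_bytes`
    (the file content read from disk; constructed in the usage below).
    The manual's example shows base64 without '=' padding, so that is what
    the base64 form emits; hex is the unambiguous alternative."""
    if alg not in DIGEST_SIZES:
        raise ValueError("unsupported digest: %s" % alg)
    raw = hashlib.new(alg, command_bytes).digest()
    if encoding == "hex":
        digest = raw.hex()
    elif encoding == "base64":
        digest = base64.b64encode(raw).decode("ascii").rstrip("=")
    else:
        raise ValueError("encoding must be 'hex' or 'base64'")
    return "%s:%s %s" % (alg, digest, path)


def parse_sudo_command(value):
    """Split a sudoCommand value into (alg, raw_digest, command).
    Values without a recognised digest prefix return (None, None, value)."""
    alg, sep, rest = value.partition(":")
    if not sep or alg not in DIGEST_SIZES:
        return None, None, value
    digest_str, _, command = rest.partition(" ")
    size = DIGEST_SIZES[alg]
    if len(digest_str) == size * 2:
        raw = bytes.fromhex(digest_str)          # hex form; ValueError if malformed
    else:
        # base64 form, with or without the trailing '=' padding
        padded = digest_str + "=" * (-len(digest_str) % 4)
        raw = base64.b64decode(padded, validate=True)
    if len(raw) != size:
        raise ValueError("digest length does not match %s" % alg)
    return alg, raw, command


def command_matches(value, command_bytes):
    """True if the on-disk content `command_bytes` satisfies the digest in
    `value`.  A value with no digest imposes no constraint here (the path
    comparison itself is a separate step)."""
    alg, raw, _command = parse_sudo_command(value)
    if alg is None:
        return True
    actual = hashlib.new(alg, command_bytes).digest()
    return hmac.compare_digest(actual, raw)   # constant-time comparison


if __name__ == "__main__":
    # Constructed sample: pin a fake /bin/ls whose content is b"#!/bin/sh\n".
    sample = b"#!/bin/sh\n"
    value = make_sudo_command(sample, "/bin/ls")
    print(value)
    print(command_matches(value, sample), command_matches(value, sample + b"x"))
```

To pin a real binary, read the file's bytes and feed them to
make_sudo_command; the hex form avoids any question of padding on the
LDAP server side.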
222 Identical in function to the global options described above, but
228 A user name or uid (prefixed with
230 that commands may be run as or a Unix group (prefixed with a
232 or user netgroup (prefixed with a
234 that contains a list of users that commands may be run as.
241 attribute is only available in
252 A Unix group or gid (prefixed with
254 that commands may be run as.
257 will match any group.
261 attribute is only available in
267 A timestamp in the form
268 \fRyyyymmddHHMMSSZ\fR
269 that can be used to provide a start date/time for when the
274 entries are present, the earliest is used.
275 Note that timestamps must be in Coordinated Universal Time (UTC),
276 not the local timezone.
277 The minute and seconds portions are optional, but some LDAP servers
278 require that they be present (contrary to the RFC).
282 attribute is only available in
284 versions 1.7.5 and higher and must be explicitly enabled via the
287 \fI/etc/ldap.conf\fR.
290 A timestamp in the form
291 \fRyyyymmddHHMMSSZ\fR
292 that indicates an expiration date/time, after which the
294 will no longer be valid.
297 entries are present, the last one is used.
298 Note that timestamps must be in Coordinated Universal Time (UTC),
299 not the local timezone.
300 The minute and seconds portions are optional, but some LDAP servers
301 require that they be present (contrary to the RFC).
305 attribute is only available in
308 1.7.5 and higher and must be explicitly enabled via the
311 \fI/etc/ldap.conf\fR.
316 entries retrieved from the LDAP directory have no inherent order.
319 attribute is an integer (or floating point value for LDAP servers
320 that support it) that is used to sort the matching entries.
321 This allows LDAP-based sudoers entries to more closely mimic the behavior
322 of the sudoers file, where the order of the entries influences the result.
323 If multiple entries match, the entry with the highest
326 This corresponds to the
328 behavior of the sudoers file.
331 attribute is not present, a value of 0 is assumed.
335 attribute is only available in
337 versions 1.7.5 and higher.
339 Each attribute listed above should contain a single value, but there
340 may be multiple instances of each attribute type.
343 must contain at least one
349 The following example allows users in group wheel to run any command
355 dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
357 objectClass: sudoRole
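.PP
A complete sudoRole entry that exercises the attributes described above,
added here as an illustration; it is not part of the sudo distribution.
The role name, group, netgroup and base DN are assumptions, the digest
value is the one shown earlier in this manual, and the sudoNotAfter
attribute only takes effect when SUDOERS_TIMED is enabled in
\fI/etc/ldap.conf\fR.

```ldif
# Added example (not from the sudo distribution): one sudoRole for an
# operations group.  cn, %ops, +webservers and the base DN are assumptions.
dn: cn=ops-maint,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: ops-maint
description: Operations staff may manage services on web hosts until end of June
sudoUser: %ops
sudoHost: +webservers
sudoRunAsUser: root
sudoRunAsGroup: root
sudoCommand: /usr/sbin/service
sudoCommand: sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ /bin/ls
sudoCommand: !/bin/sh
sudoOption: env_reset
sudoOption: log_output
sudoNotAfter: 20160630235959Z
sudoOrder: 20
```

Because a negated sudoCommand wins within an entry regardless of the order
in which the server returns the attribute values, the !/bin/sh line above
blocks a shell even though the digest-pinned /bin/ls and /usr/sbin/service
lines are positive.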
364 .SS "Anatomy of LDAP sudoers lookup"
365 When looking up a sudoer using LDAP there are only two or three
366 LDAP queries per invocation.
367 The first query is to parse the global options.
368 The second is to match against the user's name and the groups that
372 tag is matched in this query too.)
373 If no match is returned for the user's name and groups, a third
374 query returns all entries containing user netgroups and other
375 non-Unix groups and checks to see if the user belongs to any of them.
377 If timed entries are enabled with the
379 configuration directive, the LDAP queries include a sub-filter that
380 limits retrieval to entries that satisfy the time constraints, if any.
384 configuration directive is present (see
385 \fIConfiguring ldap.conf\fR
386 below), queries are performed to determine
387 the list of netgroups the user belongs to before the sudoers query.
388 This makes it possible to include netgroups in the sudoers query
389 string in the same manner as Unix groups.
390 The third query mentioned above is not performed unless a group provider
391 plugin is also configured.
392 The actual LDAP queries performed by
400 \fRnisNetgroupTriple\fR
401 containing the user, host and NIS domain.
403 \fRnisNetgroupTriple\fR
404 entries with either the short or long form of the host name or
405 no host name specified in the tuple.
If the NIS domain is set, the query will only match entries
that include the domain or for which there is no domain present.
410 set, a wildcard is used to match any domain name but be aware that the
411 NIS schema used by some LDAP servers may not support wild cards for
412 \fRnisNetgroupTriple\fR.
415 Repeated queries are performed to find any nested
418 \fRmemberNisNetgroup\fR
419 entry that refers to an already-matched record.
421 For sites with a large number of netgroups, using
423 can significantly speed up
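.PP
The following helpers, added here as an illustration and not part of the
sudo distribution, cover the two passages above: they parse and emit the
UTC \fRyyyymmddHHMMSSZ\fR timestamps used by sudoNotBefore and
sudoNotAfter, decide whether an entry is valid at a given instant, and
build the second lookup query (user name, uid, Unix groups, netgroups and
ALL) together with the time sub-filter.
The filter layout is modelled on the description in this manual; the exact
string sudo emits may differ in detail.
Every value in the filter is escaped per RFC 4515 so that a user or group
name containing filter metacharacters cannot change the query.

```python
"""Helpers for sudoNotBefore/sudoNotAfter values and for the sudoers search
filter.  Added example modelled on this manual's description; not sudo's code."""
import re
from datetime import datetime, timezone

# yyyymmddHH[MM[SS]]Z : minutes and seconds optional, UTC ('Z') mandatory
_GENERALIZED_TIME = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})?(\d{2})?Z$")


def parse_sudo_time(value):
    """Parse a sudoNotBefore/sudoNotAfter value into an aware UTC datetime.
    Raises ValueError for local-time values (no 'Z') or impossible dates."""
    m = _GENERALIZED_TIME.match(value)
    if m is None:
        raise ValueError("not a UTC generalizedTime: %r" % value)
    y, mo, d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)


def is_sudo_time(value):
    try:
        parse_sudo_time(value)
        return True
    except ValueError:
        return False


def format_sudo_time(dt):
    """Emit the full yyyymmddHHMMSSZ form, which every server accepts."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def entry_valid_at(entry, now):
    """`entry` maps attribute name -> list of values.  Mirrors the time
    sub-filter: some sudoNotBefore must be <= now (if any are present) and
    some sudoNotAfter must be >= now (if any are present)."""
    not_before = [parse_sudo_time(v) for v in entry.get("sudoNotBefore", [])]
    not_after = [parse_sudo_time(v) for v in entry.get("sudoNotAfter", [])]
    if not_before and not any(t <= now for t in not_before):
        return False
    if not_after and not any(t >= now for t in not_after):
        return False
    return True


def ldap_filter_escape(s):
    """RFC 4515 escaping so a user or group name cannot alter the filter."""
    out = []
    for ch in s:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def time_subfilter(now):
    ts = format_sudo_time(now)
    return ("(&(|(!(sudoNotAfter=*))(sudoNotAfter>=%s))"
            "(|(!(sudoNotBefore=*))(sudoNotBefore<=%s)))" % (ts, ts))


def sudoers_filter(user, uid, groups, netgroups=(), now=None,
                   search_filter="objectClass=sudoRole"):
    """The second query of the lookup: the user's name, uid, Unix groups,
    netgroups (when NETGROUP_BASE resolved them beforehand) and ALL, AND-ed
    with SUDOERS_SEARCH_FILTER and, when `now` is given, the time sub-filter."""
    terms = ["(sudoUser=%s)" % ldap_filter_escape(user), "(sudoUser=#%d)" % uid]
    terms += ["(sudoUser=%%%s)" % ldap_filter_escape(g) for g in groups]
    terms += ["(sudoUser=+%s)" % ldap_filter_escape(n) for n in netgroups]
    terms.append("(sudoUser=ALL)")
    parts = ["(%s)" % search_filter, "(|%s)" % "".join(terms)]
    if now is not None:
        parts.append(time_subfilter(now))
    return "(&%s)" % "".join(parts)


if __name__ == "__main__":
    # Constructed request: user alice, uid 1000, in group wheel, at a fixed UTC time.
    print(sudoers_filter("alice", 1000, ["wheel"], now=parse_sudo_time("20160615120000Z")))
```

The generated filter can be pasted into ldapsearch against SUDOERS_BASE to
see exactly which sudoRole entries a given user would be offered, which is a
quick way to audit an LDAP sudoers tree.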
426 .SS "Differences between LDAP and non-LDAP sudoers"
427 There are some subtle differences in the way sudoers is handled
429 Probably the biggest is that according to the RFC, LDAP ordering
430 is arbitrary and you cannot expect that Attributes and Entries are
431 returned in any specific order.
433 The order in which different entries are applied can be controlled
436 attribute, but there is no way to guarantee the order of attributes
437 within a specific entry.
438 If there are conflicting command rules in an entry, the negative
440 This is called paranoid behavior (not necessarily the most specific
448 # Allow all commands except shell
449 johnny ALL=(root) ALL,!/bin/sh
450 # Always allows all commands because ALL is matched last
451 puddles ALL=(root) !/bin/sh,ALL
453 # LDAP equivalent of johnny
454 # Allows all commands except shell
455 dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
456 objectClass: sudoRole
462 sudoCommand: !/bin/sh
464 # LDAP equivalent of puddles
465 # Notice that even though ALL comes last, it still behaves like
466 # role1 since the LDAP code assumes the more paranoid configuration
467 dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
468 objectClass: sudoRole
473 sudoCommand: !/bin/sh
478 Another difference is that negations on the Host, User or Runas are
480 For example, the following attributes do not behave the way one might expect.
484 # does not match all but joe
485 # rather, does not match anyone
488 # does not match all but joe
489 # rather, matches everyone including Joe
493 # does not match all but web01
494 # rather, matches all hosts including web01
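.PP
The following model, added here as an illustration and not part of the
sudo distribution, evaluates sudoRole entries the way this section
describes: entries are applied in ascending sudoOrder so that the highest
order decides (the counterpart of last-match in a sudoers file), a negated
sudoCommand wins inside an entry whatever the order of the attribute
values, and a negated sudoUser or sudoHost value never matches anything.
The entries are constructed for the example; the role1 and role2 entries
are the ones from the text, and the %ops entries are an assumption that
shows sudoOrder deciding between two matching entries.

```python
"""A small model of how the LDAP sudoers code evaluates sudoRole entries,
as described in this section.  Added example, not sudo's code."""
from fnmatch import fnmatchcase


def _user_matches(spec, user, groups):
    if spec.startswith("!"):          # negation is not supported: never matches
        return False
    if spec == "ALL":
        return True
    if spec.startswith("%"):          # Unix group (%#gid and non-Unix groups omitted)
        return spec[1:] in groups
    return spec == user


def _host_matches(spec, host):
    if spec.startswith("!"):          # likewise never matches
        return False
    return spec == "ALL" or spec == host


def _command_matches(spec, command):
    # ALL or a (possibly wildcarded) fully qualified command; arguments ignored here
    return spec == "ALL" or fnmatchcase(command, spec)


def entry_decision(entry, user, groups, host, command):
    """None if the entry does not apply to this request, False as soon as a
    negated sudoCommand matches (paranoid: it wins regardless of order),
    True when only positive sudoCommand values matched."""
    if not any(_user_matches(s, user, groups) for s in entry.get("sudoUser", [])):
        return None
    if not any(_host_matches(s, host) for s in entry.get("sudoHost", [])):
        return None
    decision = None
    for spec in entry.get("sudoCommand", []):
        negated = spec.startswith("!")
        if _command_matches(spec.lstrip("!"), command):
            if negated:
                return False
            decision = True
    return decision


def is_permitted(entries, user, groups, host, command):
    """Evaluate entries in ascending sudoOrder so the highest order decides;
    entries without sudoOrder count as 0."""
    result = False
    for entry in sorted(entries, key=lambda e: float(e.get("sudoOrder", ["0"])[0])):
        decision = entry_decision(entry, user, groups, host, command)
        if decision is not None:
            result = decision
    return result


# Constructed entries: the two roles from the text plus an ordering example.
ENTRIES = [
    {"cn": ["role1"], "sudoUser": ["johnny"], "sudoHost": ["ALL"],
     "sudoCommand": ["ALL", "!/bin/sh"]},
    {"cn": ["role2"], "sudoUser": ["puddles"], "sudoHost": ["ALL"],
     "sudoCommand": ["!/bin/sh", "ALL"]},
    {"cn": ["negated"], "sudoUser": ["!joe"], "sudoHost": ["ALL"],
     "sudoCommand": ["ALL"]},
    {"cn": ["ops-all"], "sudoUser": ["%ops"], "sudoHost": ["ALL"],
     "sudoCommand": ["ALL"], "sudoOrder": ["10"]},
    {"cn": ["ops-noshell"], "sudoUser": ["%ops"], "sudoHost": ["web01"],
     "sudoCommand": ["!/bin/sh"], "sudoOrder": ["20"]},
]

if __name__ == "__main__":
    for who, grp, cmd in (("johnny", [], "/bin/sh"), ("puddles", [], "/bin/sh"),
                          ("joe", [], "/bin/ls"), ("alice", ["ops"], "/bin/sh")):
        print(who, cmd, is_permitted(ENTRIES, who, grp, "web01", cmd))
```

Note that puddles is denied /bin/sh even though ALL is the last
sudoCommand value, which is the opposite of what the file-based rule
for puddles above does.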
505 installed on your LDAP server.
506 In addition, be sure to index the
510 Three versions of the schema: one for OpenLDAP servers
511 (\fIschema.OpenLDAP\fR),
512 one for Netscape-derived servers
513 (\fIschema.iPlanet\fR),
514 and one for Microsoft Active Directory
515 (\fIschema.ActiveDirectory\fR)
522 in OpenLDAP form is also included in the
525 .SS "Configuring ldap.conf"
528 file for LDAP-specific configuration.
529 Typically, this file is shared between different LDAP-aware clients.
530 As such, most of the settings are not
536 itself and may support options that differ from those described in the
542 may be overridden via the
547 Also note that on systems using the OpenLDAP libraries, default
549 \fI/etc/openldap/ldap.conf\fR
554 Only those options explicitly listed in
556 as being supported by
559 Configuration options are listed below in upper case but are parsed
560 in a case-independent manner.
564 is used to indicate a comment.
565 Both the comment character and any text after it, up to the end of
566 the line, are ignored.
567 Long lines can be continued with a backslash
569 as the last character on the line.
570 Note that leading white space is removed from the beginning of lines
571 even when the continuation character is used.
573 \fBBIND_TIMELIMIT\fR \fIseconds\fR
576 parameter specifies the amount of time, in seconds, to wait while trying
577 to connect to an LDAP server.
582 are specified, this is the amount of time to wait before trying
583 the next one in the list.
585 \fBBINDDN\fR \fIDN\fR
588 parameter specifies the identity, in the form of a Distinguished Name (DN),
589 to use when performing LDAP operations.
590 If not specified, LDAP operations are performed with an anonymous identity.
591 By default, most LDAP servers will allow anonymous access.
593 \fBBINDPW\fR \fIsecret\fR
596 parameter specifies the password to use when performing LDAP operations.
597 This is typically used in conjunction with the
602 may be a plain text password or a base64-encoded string with a
609 BINDPW base64:dGVzdA==
If a plain text password is used, it should be a simple string without quotes.
Whichever form is used, the password is stored in the clear (base64 is an
encoding, not encryption), so
\fI/etc/ldap.conf\fR
must not be world-readable when this option is set.
615 Plain text passwords may not include the comment character
617 and the escaping of special characters with a backslash
622 \fBDEREF\fR \fInever/searching/finding/always\fR
623 How alias dereferencing is to be performed when searching.
626 manual for a full description of this option.
628 \fBHOST\fR \fIname[:port] ...\fR
631 is specified (see below), the
633 parameter specifies a white space-delimited list of LDAP servers to connect to.
634 Each host may include an optional
640 parameter is deprecated in favor of the
642 specification and is included for backwards compatibility only.
644 \fBKRB5_CCNAME\fR \fIfile name\fR
645 The path to the Kerberos 5 credential cache to use when authenticating
646 with the remote server.
647 This option is only relevant when using SASL authentication (see below).
649 \fBLDAP_VERSION\fR \fInumber\fR
650 The version of the LDAP protocol to use when connecting to the server.
651 The default value is protocol version 3.
653 \fBNETGROUP_BASE\fR \fIbase\fR
654 The base DN to use when performing LDAP netgroup queries.
655 Typically this is of the form
656 \fRou=netgroup,dc=example,dc=com\fR
661 lines may be specified, in which case they are queried in the order specified.
663 This option can be used to query a user's netgroups directly via LDAP
664 which is usually faster than fetching every
The NIS schema used by some LDAP servers needs a modification to
675 \fRnisNetgroupTriple\fR
679 requires the following change to the
680 \fRnisNetgroupTriple\fR
685 attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
686 DESC 'Netgroup triple'
687 EQUALITY caseIgnoreIA5Match
688 SUBSTR caseIgnoreIA5SubstringsMatch
689 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
693 \fBNETGROUP_SEARCH_FILTER\fR \fIldap_filter\fR
694 An LDAP filter which is used to restrict the set of records returned
695 when performing an LDAP netgroup query.
696 Typically, this is of the
698 \fRattribute=value\fR
700 \fR(&(attribute=value)(attribute2=value2))\fR.
701 The default search filter is:
702 \fRobjectClass=nisNetgroup\fR.
705 is omitted, no search filter will be used.
This option is only used when querying netgroups directly via LDAP.
708 \fBNETWORK_TIMEOUT\fR \fIseconds\fR
711 provided for OpenLDAP compatibility.
713 \fBPORT\fR \fIport_number\fR
718 parameter specifies the default port to connect to on the LDAP server if a
720 parameter does not specify the port itself.
723 parameter is used, the default is port 389 for LDAP and port 636 for LDAP
727 parameter is deprecated in favor of the
729 specification and is included for backwards compatibility only.
731 \fBROOTBINDDN\fR \fIDN\fR
734 parameter specifies the identity, in the form of a Distinguished Name (DN),
735 to use when performing privileged LDAP operations, such as
738 The password corresponding to the identity should be stored in the
739 or the path specified by the
744 \fI/etc/ldap.secret\fR.
749 identity is used (if any).
751 \fBROOTUSE_SASL\fR \fIon/true/yes/off/false/no\fR
754 to enable SASL authentication when connecting
755 to an LDAP server from a privileged process, such as
758 \fBSASL_AUTH_ID\fR \fIidentity\fR
759 The SASL user name to use when connecting to the LDAP server.
762 will use an anonymous connection.
763 This option is only relevant when using SASL authentication.
765 \fBSASL_SECPROPS\fR \fInone/properties\fR
766 SASL security properties or
769 See the SASL programmer's manual for details.
770 This option is only relevant when using SASL authentication.
772 \fBSSL\fR \fIon/true/yes/off/false/no\fR
780 TLS (SSL) encryption is always used when communicating with the LDAP server.
781 Typically, this involves connecting to the server on port 636 (ldaps).
783 \fBSSL\fR \fIstart_tls\fR
788 the LDAP server connection is initiated normally and TLS encryption is
789 begun before the bind credentials are sent.
790 This has the advantage of not requiring a dedicated port for encrypted
792 This parameter is only supported by LDAP servers that honor the
794 extension, such as the OpenLDAP and Tivoli Directory servers.
796 \fBSUDOERS_BASE\fR \fIbase\fR
797 The base DN to use when performing
800 Typically this is of the form
801 \fRou=SUDOers,dc=example,dc=com\fR
806 lines may be specified, in which case they are queried in the order specified.
808 \fBSUDOERS_DEBUG\fR \fIdebug_level\fR
809 This sets the debug level for
812 Debugging information is printed to the standard error.
813 A value of 1 results in a moderate amount of debugging information.
814 A value of 2 shows the results of the matches themselves.
815 This parameter should not be set in a production environment as the
816 extra information is likely to confuse users.
820 parameter is deprecated and will be removed in a future release.
821 The same information is now logged via the
823 debugging framework using the
825 subsystem at priorities
831 values 1 and 2 respectively.
834 manual for details on how to configure
838 \fBSUDOERS_SEARCH_FILTER\fR \fIldap_filter\fR
839 An LDAP filter which is used to restrict the set of records returned
843 Typically, this is of the
845 \fRattribute=value\fR
847 \fR(&(attribute=value)(attribute2=value2))\fR.
848 The default search filter is:
849 \fRobjectClass=sudoRole\fR.
852 is omitted, no search filter will be used.
854 \fBSUDOERS_TIMED\fR \fIon/true/yes/off/false/no\fR
855 Whether or not to evaluate the
859 attributes that implement time-dependent sudoers entries.
861 \fBTIMELIMIT\fR \fIseconds\fR
864 parameter specifies the amount of time, in seconds, to wait for a
865 response to an LDAP query.
867 \fBTIMEOUT\fR \fIseconds\fR
870 parameter specifies the amount of time, in seconds, to wait for a
871 response from the various LDAP APIs.
873 \fBTLS_CACERT\fR \fIfile name\fR
876 for OpenLDAP compatibility.
878 \fBTLS_CACERTFILE\fR \fIfile name\fR
879 The path to a certificate authority bundle which contains the certificates
880 for all the Certificate Authorities the client knows to be valid, e.g.\&
881 \fI/etc/ssl/ca-bundle.pem\fR.
882 This option is only supported by the OpenLDAP libraries.
883 Netscape-derived LDAP libraries use the same certificate
884 database for CA and client certificates (see
887 \fBTLS_CACERTDIR\fR \fIdirectory\fR
890 but instead of a file, it is a directory containing individual
891 Certificate Authority certificates, e.g.\&
892 \fI/etc/ssl/certs\fR.
893 The directory specified by
896 \fBTLS_CACERTFILE\fR.
897 This option is only supported by the OpenLDAP libraries.
899 \fBTLS_CERT\fR \fIfile name\fR
900 The path to a file containing the client certificate which can
901 be used to authenticate the client to the LDAP server.
902 The certificate type depends on the LDAP libraries used.
908 \fRtls_cert /etc/ssl/client_cert.pem\fR
912 \fRtls_cert /var/ldap/cert7.db\fR
914 Tivoli Directory Server:
915 Unused, the key database specified by
917 contains both keys and certificates.
919 When using Netscape-derived libraries, this file may also contain
920 Certificate Authority certificates.
926 \fBTLS_CHECKPEER\fR \fIon/true/yes/off/false/no\fR
will cause the LDAP server's TLS certificate to be verified.
930 If the server's TLS certificate cannot be verified (usually because it
931 is signed by an unknown certificate authority),
933 will be unable to connect to it.
936 is disabled, no check is made.
937 Note that disabling the check creates an opportunity for man-in-the-middle
938 attacks since the server's identity will not be authenticated.
939 If possible, the CA's certificate should be installed locally so it can
941 This option is not supported by the Tivoli Directory Server LDAP libraries.
943 \fBTLS_KEY\fR \fIfile name\fR
944 The path to a file containing the private key which matches the
945 certificate specified by
947 The private key must not be password-protected.
948 The key type depends on the LDAP libraries used.
954 \fRtls_key /etc/ssl/client_key.pem\fR
958 \fRtls_key /var/ldap/key3.db\fR
960 Tivoli Directory Server:
961 \fRtls_key /usr/ldap/ldapkey.kdb\fR
964 When using Tivoli LDAP libraries, this file may also contain
965 Certificate Authority and client certificates and may be encrypted.
969 \fBTLS_CIPHERS\fR \fIcipher list\fR
parameter allows the administrator to restrict which encryption algorithms
973 may be used for TLS (SSL) connections.
974 See the OpenLDAP or Tivoli Directory Server manual for a list of valid
976 This option is not supported by Netscape-derived libraries.
978 \fBTLS_KEYPW\fR \fIsecret\fR
981 contains the password used to decrypt the key database on clients
982 using the Tivoli Directory Server LDAP library.
985 may be a plain text password or a base64-encoded string with a
992 TLS_KEYPW base64:dGVzdA==
997 If a plain text password is used, it should be a simple string without quotes.
998 Plain text passwords may not include the comment character
1000 and the escaping of special characters with a backslash
1003 If this option is used,
1004 \fI/etc/ldap.conf\fR
1005 must not be world-readable to avoid exposing the password.
1008 can be used to store the password in encrypted form (see below).
1014 will be used if it exists.
1017 must have the same path as the file specified by
1021 file extension instead of
1027 that ships with Tivoli Directory Server is encrypted with the password
1031 utility can be used to manage the key database and create a
1033 This option is only supported by the Tivoli LDAP libraries.
1036 \fBTLS_RANDFILE\fR \fIfile name\fR
1039 parameter specifies the path to an entropy source for systems that lack
1041 It is generally used in conjunction with
1045 This option is only supported by the OpenLDAP libraries.
1047 \fBURI\fR \fIldap[s]://[hostname[:port]] ...\fR
1048 Specifies a white space-delimited list of one or more URIs describing
1049 the LDAP server(s) to connect to.
1055 the latter being for servers that support TLS (SSL) encryption.
1058 is specified, the default is port 389 for
1070 lines are treated identically to a
1072 line containing multiple entries.
Only systems using the OpenLDAP libraries support the mixing of
1078 Both the Netscape-derived and Tivoli LDAP libraries used on most commercial
1079 versions of Unix are only capable of supporting one or the other.
1081 \fBUSE_SASL\fR \fIon/true/yes/off/false/no\fR
1084 for LDAP servers that support SASL authentication.
1086 \fBROOTSASL_AUTH_ID\fR \fIidentity\fR
1087 The SASL user name to use when
1096 .SS "Configuring nsswitch.conf"
1097 Unless it is disabled at build time,
1099 consults the Name Service Switch file,
1100 \fI/etc/nsswitch.conf\fR,
1104 Sudo looks for a line beginning with
1106 and uses this to determine the search order.
1110 not stop searching after the first match and later matches take
1111 precedence over earlier ones.
1112 The following sources are recognized:
1122 read sudoers from LDAP
1126 In addition, the entry
1127 \fR[NOTFOUND=return]\fR
1128 will short-circuit the search if the user was not found in the
1131 To consult LDAP first followed by the local sudoers file (if it
1142 file can be ignored completely by using:
1151 \fI/etc/nsswitch.conf\fR
1152 file is not present or there is no sudoers line, the following
1162 \fI/etc/nsswitch.conf\fR
1163 is supported even when the underlying operating system does not use
1164 an nsswitch.conf file, except on AIX (see below).
1165 .SS "Configuring netsvc.conf"
1167 \fI/etc/netsvc.conf\fR
1168 file is consulted instead of
1169 \fI/etc/nsswitch.conf\fR.
1174 \fInsswitch.conf\fR;
1175 information in the previous section unrelated to the file format
1176 itself still applies.
1178 To consult LDAP first followed by the local sudoers file (if it
1183 sudoers = ldap, files
1189 file can be ignored completely by using:
1197 To treat LDAP as authoritative and only use the local sudoers file
1198 if the user is not present in LDAP, use:
1202 sudoers = ldap = auth, files
1206 Note that in the above example, the
1208 qualifier only affects user lookups; both LDAP and
1215 \fI/etc/netsvc.conf\fR
1216 file is not present or there is no sudoers line, the following
1224 .SS "Integration with sssd"
1226 \fISystem Security Services Daemon\fR
1229 has been built with SSSD support,
1230 it is possible to use SSSD to cache LDAP
1235 source, you should use
1239 for the sudoers entry in
1240 \fI/etc/nsswitch.conf\fR.
1242 \fI/etc/ldap.conf\fR
1243 file is not used by the SSSD
1248 for more information on configuring
1253 \fI/etc/ldap.conf\fR
1254 LDAP configuration file
1256 \fI/etc/nsswitch.conf\fR
1257 determines sudoers source order
1259 \fI/etc/netsvc.conf\fR
1260 determines sudoers source order on AIX
1262 .SS "Example ldap.conf"
1265 # Either specify one or more URIs or one or more host:port pairs.
1266 # If neither is specified sudo will default to localhost, port 389.
1269 #host ldapserver1 ldapserver2:390
1271 # Default port if host is specified without one, defaults to 389.
1274 # URI will override the host and port settings.
1275 uri ldap://ldapserver
1276 #uri ldaps://secureldapserver
1277 #uri ldaps://secureldapserver ldap://ldapserver
1279 # The amount of time, in seconds, to wait while trying to connect to
1283 # The amount of time, in seconds, to wait while performing an LDAP query.
1286 # Must be set or sudo will ignore LDAP; may be specified multiple times.
1287 sudoers_base ou=SUDOers,dc=example,dc=com
1289 # verbose sudoers matching from ldap
1292 # Enable support for time-based entries in sudoers.
1295 # optional proxy credentials
1296 #binddn <who to search as>
1298 #rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>
1300 # LDAP protocol version, defaults to 3
1303 # Define if you want to use an encrypted LDAP connection.
1304 # Typically, you must also set the port to 636 (ldaps).
1307 # Define if you want to use port 389 and switch to
1308 # encryption before the bind credentials are sent.
1309 # Only supported by LDAP servers that support the start_tls
1310 # extension such as OpenLDAP.
1313 # Additional TLS options follow that allow tweaking of the
1314 # SSL/TLS connection.
1316 #tls_checkpeer yes # verify server SSL certificate
1317 #tls_checkpeer no # ignore server SSL certificate
1319 # If you enable tls_checkpeer, specify either tls_cacertfile
1320 # or tls_cacertdir. Only supported when using OpenLDAP.
1322 #tls_cacertfile /etc/certs/trusted_signers.pem
1323 #tls_cacertdir /etc/certs
1325 # For systems that don't have /dev/random
1326 # use this along with PRNGD or EGD.pl to seed the
1327 # random number pool to generate cryptographic session keys.
1328 # Only supported when using OpenLDAP.
1330 #tls_randfile /etc/egd-pool
1332 # You may restrict which ciphers are used. Consult your SSL
1333 # documentation for which options go here.
1334 # Only supported when using OpenLDAP.
1336 #tls_ciphers <cipher-list>
1338 # Sudo can provide a client certificate when communicating to
1341 # * Enable both lines at the same time.
1342 # * Do not password protect the key file.
1343 # * Ensure the keyfile is only readable by root.
1346 #tls_cert /etc/certs/client_cert.pem
1347 #tls_key /etc/certs/client_key.pem
1349 # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
1350 # a directory, in which case the files in the directory must have the
1351 # default names (e.g. cert8.db and key4.db), or the path to the cert
1352 # and key files themselves. However, a bug in version 5.0 of the LDAP
1353 # SDK will prevent specific file names from working. For this reason
1354 # it is suggested that tls_cert and tls_key be set to a directory,
1357 # The certificate database specified by tls_cert may contain CA certs
1358 # and/or the client's cert. If the client's cert is included, tls_key
1359 # should be specified as well.
1360 # For backward compatibility, "sslpath" may be used in place of tls_cert.
# If using SASL authentication for LDAP (OpenLDAP libraries)
1366 # sasl_auth_id <SASL user name>
1368 # rootsasl_auth_id <SASL user name for root access>
1369 # sasl_secprops none
1370 # krb5_ccname /etc/.ldapcache
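.PP
The following
\fIldap.conf\fR
fragment, added here as an illustration and not part of the sudo
distribution, places the weak transport settings from the example above
next to a hardened configuration that keeps the bind credentials and the
sudoRole data off the network in the clear.
Host names, base DN, file paths and the placeholder base64 password are
assumptions.

```conf
# Added example (not from the sudo distribution); names and paths are assumptions.

# Weak: plaintext LDAP and no server verification.  Anyone on the path can
# read the bind password and rewrite the sudoRole answers sudo acts on.
#uri ldap://ldapserver
#tls_checkpeer no

# Hardened: TLS from the first byte and the server certificate checked
# against a locally installed CA bundle (OpenLDAP libraries).
uri ldaps://ldapserver.example.com
ssl on
tls_checkpeer yes
tls_cacertfile /etc/certs/trusted_signers.pem
# Cipher restrictions use the syntax of the TLS library in use; consult its manual.
#tls_ciphers HIGH:!aNULL:!MD5

# Alternative: stay on port 389 but upgrade before the bind credentials
# are sent (servers that honor the start_tls extension only).
#uri ldap://ldapserver.example.com
#ssl start_tls

sudoers_base ou=SUDOers,dc=example,dc=com
sudoers_timed yes

# Read-only proxy identity.  The password is stored in the clear (base64 is
# not encryption), so this file must be owned by root and mode 0600.
binddn cn=sudo-reader,ou=services,dc=example,dc=com
bindpw base64:c3VwZXJzZWNyZXQ=
```

The binddn should be an account that can only read the SUDOers container;
an identity that can write sudoRole entries is, in effect, root on every
host that trusts the directory.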
1373 .SS "Sudo schema for OpenLDAP"
1374 The following schema, in OpenLDAP format, is included with
1376 source and binary distributions as
1377 \fIschema.OpenLDAP\fR.
1379 it to the schema directory (e.g.\&
1380 \fI/etc/openldap/schema\fR),
1390 attributetype ( 1.3.6.1.4.1.15953.9.1.1
1392 DESC 'User(s) who may run sudo'
1393 EQUALITY caseExactIA5Match
1394 SUBSTR caseExactIA5SubstringsMatch
1395 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1397 attributetype ( 1.3.6.1.4.1.15953.9.1.2
1399 DESC 'Host(s) who may run sudo'
1400 EQUALITY caseExactIA5Match
1401 SUBSTR caseExactIA5SubstringsMatch
1402 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1404 attributetype ( 1.3.6.1.4.1.15953.9.1.3
1406 DESC 'Command(s) to be executed by sudo'
1407 EQUALITY caseExactIA5Match
1408 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1410 attributetype ( 1.3.6.1.4.1.15953.9.1.4
1412 DESC 'User(s) impersonated by sudo'
1413 EQUALITY caseExactIA5Match
1414 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1416 attributetype ( 1.3.6.1.4.1.15953.9.1.5
1418 DESC 'Options(s) followed by sudo'
1419 EQUALITY caseExactIA5Match
1420 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1422 attributetype ( 1.3.6.1.4.1.15953.9.1.6
1423 NAME 'sudoRunAsUser'
1424 DESC 'User(s) impersonated by sudo'
1425 EQUALITY caseExactIA5Match
1426 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1428 attributetype ( 1.3.6.1.4.1.15953.9.1.7
1429 NAME 'sudoRunAsGroup'
1430 DESC 'Group(s) impersonated by sudo'
1431 EQUALITY caseExactIA5Match
1432 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1434 attributetype ( 1.3.6.1.4.1.15953.9.1.8
1435 NAME 'sudoNotBefore'
1436 DESC 'Start of time interval for which the entry is valid'
1437 EQUALITY generalizedTimeMatch
1438 ORDERING generalizedTimeOrderingMatch
1439 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
1441 attributetype ( 1.3.6.1.4.1.15953.9.1.9
1443 DESC 'End of time interval for which the entry is valid'
1444 EQUALITY generalizedTimeMatch
1445 ORDERING generalizedTimeOrderingMatch
1446 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
attributetype ( 1.3.6.1.4.1.15953.9.1.10
1450 DESC 'an integer to order the sudoRole entries'
1451 EQUALITY integerMatch
1452 ORDERING integerOrderingMatch
1453 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
1455 objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
1456 DESC 'Sudoer Entries'
1458 MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
1459 sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
1460 sudoOrder $ description )
1470 Many people have worked on
1472 over the years; this version consists of code written primarily by:
1478 See the CONTRIBUTORS file in the
1480 distribution (https://www.sudo.ws/contributors.html) for an
1481 exhaustive list of people who have contributed to
1484 Note that there are differences in the way that LDAP-based
1486 is parsed compared to file-based
1489 \fIDifferences between LDAP and non-LDAP sudoers\fR
1490 section for more information.
1492 If you feel you have found a bug in
1494 please submit a bug report at https://bugzilla.sudo.ws/
1496 Limited free support is available via the sudo-users mailing list,
1497 see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
1498 search the archives.
1503 and any express or implied warranties, including, but not limited
1504 to, the implied warranties of merchantability and fitness for a
1505 particular purpose are disclaimed.
1506 See the LICENSE file distributed with
1508 or https://www.sudo.ws/license.html for complete details.