SUDOERS.LDAP(1m)              System Manager's Manual             SUDOERS.LDAP(1m)

NAME
     sudoers.ldap - sudo LDAP configuration

DESCRIPTION
     In addition to the standard sudoers file, sudo may be configured via
     LDAP.  This can be especially useful for synchronizing sudoers in a
     large, distributed environment.

     Using LDAP for sudoers has several benefits:

     o   sudo no longer needs to read sudoers in its entirety.  When LDAP is
         used, there are only two or three LDAP queries per invocation.  This
         makes it especially fast and particularly usable in LDAP
         environments.

     o   sudo no longer exits if there is a typo in sudoers.  It is not
         possible to load LDAP data into the server that does not conform to
         the sudoers schema, so proper syntax is guaranteed.  It is still
         possible to have typos in a user or host name, but this will not
         prevent sudo from running.

     o   It is possible to specify per-entry options that override the global
         default options.  /etc/sudoers only supports default options and
         limited options associated with user/host/commands/aliases.  The
         syntax is complicated and can be difficult for users to understand.
         Placing the options directly in the entry is more natural.

     o   The visudo program is no longer needed.  visudo provides locking and
         syntax checking of the /etc/sudoers file.  Since LDAP updates are
         atomic, locking is no longer necessary.  Because syntax is checked
         when the data is inserted into LDAP, there is no need for a
         specialized tool to check syntax.

     Another major difference between LDAP and file-based sudoers is that in
     LDAP, sudo-specific Aliases are not supported.

     For the most part, there is really no need for sudo-specific Aliases.
     Unix groups or user netgroups can be used in place of User_Aliases and
     Runas_Aliases.
     Host netgroups can be used in place of Host_Aliases.
     Since Unix groups and netgroups can also be stored in LDAP there is no
     real need for sudo-specific aliases.

     Cmnd_Aliases are not really required either since it is possible to have
     multiple users listed in a sudoRole.  Instead of defining a Cmnd_Alias
     that is referenced by multiple users, one can create a sudoRole that
     contains the commands and assign multiple users to it.

   SUDOers LDAP container
     The sudoers configuration is contained in the ou=SUDOers LDAP container.

     Sudo first looks for the cn=defaults entry in the SUDOers container.  If
     found, the multi-valued sudoOption attribute is parsed in the same manner
     as a global Defaults line in /etc/sudoers.  In the following example, the
     SSH_AUTH_SOCK variable will be preserved in the environment for all
     users.

     dn: cn=defaults,ou=SUDOers,dc=example,dc=com
     objectClass: top
     objectClass: sudoRole
     cn: defaults
     description: Default sudoOption's go here
     sudoOption: env_keep+=SSH_AUTH_SOCK

     The equivalent of a sudoer in LDAP is a sudoRole.  It consists of the
     following attributes:

     sudoUser
         A user name, user ID (prefixed with `#'), Unix group (prefixed with
         `%'), Unix group ID (prefixed with `%#'), or user netgroup
         (prefixed with `+').

     sudoHost
         A host name, IP address, IP network, or host netgroup (prefixed
         with a `+').  The special value ALL will match any host.

     sudoCommand
         A Unix command with optional command line arguments, potentially
         including globbing characters (aka wild cards).  The special value
         ALL will match any command.  If a command is prefixed with an
         exclamation point `!', the user will be prohibited from running
         that command.

     sudoOption
         Identical in function to the global options described above, but
         specific to the sudoRole in which it resides.
     sudoRunAsUser
         A user name or uid (prefixed with `#') that commands may be run as
         or a Unix group (prefixed with a `%') or user netgroup (prefixed
         with a `+') that contains a list of users that commands may be run
         as.  The special value ALL will match any user.

         The sudoRunAsUser attribute is only available in sudo versions
         1.7.0 and higher.  Older versions of sudo use the sudoRunAs
         attribute instead.

     sudoRunAsGroup
         A Unix group or gid (prefixed with `#') that commands may be run
         as.  The special value ALL will match any group.

         The sudoRunAsGroup attribute is only available in sudo versions
         1.7.0 and higher.

     sudoNotBefore
         A timestamp in the form yyyymmddHHMMSSZ that can be used to provide
         a start date/time for when the sudoRole will be valid.  If multiple
         sudoNotBefore entries are present, the earliest is used.  Note that
         timestamps must be in Coordinated Universal Time (UTC), not the
         local timezone.  The minute and seconds portions are optional, but
         some LDAP servers require that they be present (contrary to the
         RFC).

         The sudoNotBefore attribute is only available in sudo versions
         1.7.5 and higher and must be explicitly enabled via the
         SUDOERS_TIMED option in /etc/ldap.conf.

     sudoNotAfter
         A timestamp in the form yyyymmddHHMMSSZ that indicates an
         expiration date/time, after which the sudoRole will no longer be
         valid.  If multiple sudoNotAfter entries are present, the last one
         is used.  Note that timestamps must be in Coordinated Universal
         Time (UTC), not the local timezone.  The minute and seconds
         portions are optional, but some LDAP servers require that they be
         present (contrary to the RFC).
         The sudoNotAfter attribute is only available in sudo versions 1.7.5
         and higher and must be explicitly enabled via the SUDOERS_TIMED
         option in /etc/ldap.conf.

     sudoOrder
         The sudoRole entries retrieved from the LDAP directory have no
         inherent order.  The sudoOrder attribute is an integer (or floating
         point value for LDAP servers that support it) that is used to sort
         the matching entries.  This allows LDAP-based sudoers entries to
         more closely mimic the behaviour of the sudoers file, where the
         order of the entries influences the result.  If multiple entries
         match, the entry with the highest sudoOrder attribute is chosen.
         This corresponds to the ``last match'' behavior of the sudoers
         file.  If the sudoOrder attribute is not present, a value of 0 is
         assumed.

         The sudoOrder attribute is only available in sudo versions 1.7.5
         and higher.

     Each attribute listed above should contain a single value, but there may
     be multiple instances of each attribute type.  A sudoRole must contain at
     least one sudoUser, sudoHost and sudoCommand.

     The following example allows users in group wheel to run any command on
     any host via sudo:

     dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
     objectClass: top
     objectClass: sudoRole
     cn: %wheel
     sudoUser: %wheel
     sudoHost: ALL
     sudoCommand: ALL

   Anatomy of LDAP sudoers lookup
     When looking up a sudoer using LDAP there are only two or three LDAP
     queries per invocation.  The first query is to parse the global options.
     The second is to match against the user's name and the groups that the
     user belongs to.  (The special ALL tag is matched in this query too.)  If
     no match is returned for the user's name and groups, a third query
     returns all entries containing user netgroups and checks to see if the
     user belongs to any of them.
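     The matching rules from the attribute descriptions above and from the
     Differences between LDAP and non-LDAP sudoers section below, worked
     through as an added example that is not code from the sudo distribution:
     a small evaluator over constructed sudoRole entries that applies
     sudoOrder, the paranoid handling of negated sudoCommand values, and the
     fact that negated sudoUser/sudoHost values never match, plus a lint pass
     that flags such ignored negations.  It assumes sudoUser and sudoHost
     values are plain names, %groups or ALL; uid, gid, netgroup and Runas
     forms are not resolved.

```python
"""Added evaluator for the sudoRole matching rules this manual describes.
Simplified on purpose: #uid, %#gid and +netgroup forms and the Runas
attributes are not resolved."""
import fnmatch

# Constructed entries, attribute -> list of values as an LDAP search returns
# them.  role1/role2 are johnny/puddles from the "Differences" section, role3
# carries negated sudoUser/sudoHost values (which the manual says are ignored),
# role4/role5 let sudoOrder decide between two entries that both match.
ROLES = [
    {"cn": ["role1"], "sudoUser": ["johnny"], "sudoHost": ["ALL"],
     "sudoCommand": ["ALL", "!/bin/sh"]},
    {"cn": ["role2"], "sudoUser": ["puddles"], "sudoHost": ["ALL"],
     "sudoCommand": ["!/bin/sh", "ALL"]},
    {"cn": ["role3"], "sudoUser": ["ALL", "!joe"], "sudoHost": ["!web01", "ALL"],
     "sudoCommand": ["/usr/bin/id"]},
    {"cn": ["role4"], "sudoUser": ["mary"], "sudoHost": ["ALL"],
     "sudoCommand": ["!/bin/sh"], "sudoOrder": ["1"]},
    {"cn": ["role5"], "sudoUser": ["mary"], "sudoHost": ["ALL"],
     "sudoCommand": ["ALL"], "sudoOrder": ["2"]},
]


def user_matches(values, user, groups):
    """sudoUser: a name, %group or ALL.  A value starting with '!' is not a
    negation in LDAP sudoers; it simply never matches anyone."""
    for v in values:
        if v.startswith("!"):
            continue
        if v == "ALL" or v == user:
            return True
        if v.startswith("%") and not v.startswith("%#") and v[1:] in groups:
            return True
    return False


def host_matches(values, host):
    """sudoHost: a host name or ALL; '!host' is ignored (never matches)."""
    return any(v == "ALL" or v == host for v in values if not v.startswith("!"))


def command_decision(values, cmnd):
    """Paranoid rule: a matching negated sudoCommand denies even when ALL or a
    matching glob appears before or after it in the same entry.  Returns
    True (allow), False (deny) or None (entry says nothing about cmnd)."""
    allowed = denied = False
    for v in values:
        negated = v.startswith("!")
        pattern = v[1:] if negated else v
        if pattern == "ALL" or fnmatch.fnmatchcase(cmnd, pattern):
            if negated:
                denied = True
            else:
                allowed = True
    if denied:
        return False
    return True if allowed else None


def sudo_ldap_decision(entries, user, groups, host, cmnd):
    """Entries whose sudoUser and sudoHost match are taken highest sudoOrder
    first (absent sudoOrder counts as 0); the first one with an opinion on
    cmnd decides, mirroring the sudoers file's last-match rule."""
    matching = [e for e in entries
                if user_matches(e.get("sudoUser", []), user, groups)
                and host_matches(e.get("sudoHost", []), host)]
    matching.sort(key=lambda e: float(e.get("sudoOrder", ["0"])[0]), reverse=True)
    for e in matching:
        decision = command_decision(e.get("sudoCommand", []), cmnd)
        if decision is not None:
            return decision
    return None


def lint_roles(entries):
    """Flag what the manual says is silently ignored or required: negations on
    sudoUser, sudoHost and sudoRunAs*, and missing mandatory attributes."""
    findings = []
    for e in entries:
        cn = e.get("cn", ["?"])[0]
        for attr in ("sudoUser", "sudoHost", "sudoRunAsUser", "sudoRunAsGroup"):
            for v in e.get(attr, []):
                if v.startswith("!"):
                    findings.append(f"{cn}: negated {attr} value {v!r} is ignored")
        for attr in ("sudoUser", "sudoHost", "sudoCommand"):
            if not e.get(attr):
                findings.append(f"{cn}: missing required {attr}")
    return findings
```

     Running lint_roles(ROLES) reports the two ignored negations in role3,
     and sudo_ldap_decision(ROLES, "mary", set(), "db01", "/bin/sh") returns
     True because role5 (sudoOrder 2) outranks the denial in role4.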
     If timed entries are enabled with the SUDOERS_TIMED configuration
     directive, the LDAP queries include a subfilter that limits retrieval to
     entries that satisfy the time constraints, if any.

   Differences between LDAP and non-LDAP sudoers
     There are some subtle differences in the way sudoers is handled once in
     LDAP.  Probably the biggest is that according to the RFC, LDAP ordering
     is arbitrary and you cannot expect that Attributes and Entries are
     returned in any specific order.

     The order in which different entries are applied can be controlled using
     the sudoOrder attribute, but there is no way to guarantee the order of
     attributes within a specific entry.  If there are conflicting command
     rules in an entry, the negative takes precedence.  This is called
     paranoid behavior (not necessarily the most specific match).

     Here is an example:

     # /etc/sudoers:
     # Allow all commands except shell
     johnny  ALL=(root) ALL,!/bin/sh
     # Always allows all commands because ALL is matched last
     puddles ALL=(root) !/bin/sh,ALL

     # LDAP equivalent of johnny
     # Allows all commands except shell
     dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
     objectClass: sudoRole
     objectClass: top
     cn: role1
     sudoUser: johnny
     sudoHost: ALL
     sudoCommand: ALL
     sudoCommand: !/bin/sh

     # LDAP equivalent of puddles
     # Notice that even though ALL comes last, it still behaves like
     # role1 since the LDAP code assumes the more paranoid configuration
     dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
     objectClass: sudoRole
     objectClass: top
     cn: role2
     sudoUser: puddles
     sudoHost: ALL
     sudoCommand: !/bin/sh
     sudoCommand: ALL

     Another difference is that negations on the Host, User or Runas are
     currently ignored.  For example, the following attributes do not behave
     the way one might expect.
     # does not match all but joe
     # rather, does not match anyone
     sudoUser: !joe

     # does not match all but joe
     # rather, matches everyone including Joe
     sudoUser: ALL
     sudoUser: !joe

     # does not match all but web01
     # rather, matches all hosts including web01
     sudoHost: ALL
     sudoHost: !web01

   Sudoers schema
     In order to use sudo's LDAP support, the sudo schema must be installed on
     your LDAP server.  In addition, be sure to index the sudoUser attribute.

     Three versions of the schema may be found in the sudo distribution: one
     for OpenLDAP servers (schema.OpenLDAP), one for Netscape-derived servers
     (schema.iPlanet), and one for Microsoft Active Directory
     (schema.ActiveDirectory).

     The schema for sudo in OpenLDAP form is also included in the EXAMPLES
     section.

   Configuring ldap.conf
     Sudo reads the /etc/ldap.conf file for LDAP-specific configuration.
     Typically, this file is shared amongst different LDAP-aware clients.  As
     such, most of the settings are not sudo-specific.  Note that sudo parses
     /etc/ldap.conf itself and may support options that differ from those
     described in the system's ldap.conf(1m) manual.

     Also note that on systems using the OpenLDAP libraries, default values
     specified in /etc/openldap/ldap.conf or the user's .ldaprc files are not
     used.

     Only those options explicitly listed in /etc/ldap.conf as being supported
     by sudo are honored.  Configuration options are listed below in upper
     case but are parsed in a case-independent manner.

     URI ldap[s]://[hostname[:port]] ...
         Specifies a whitespace-delimited list of one or more URIs
         describing the LDAP server(s) to connect to.
         The protocol may be either ldap or ldaps, the latter being for
         servers that support TLS (SSL) encryption.  If no port is
         specified, the default is port 389 for ldap:// or port 636 for
         ldaps://.  If no hostname is specified, sudo will connect to
         localhost.  Multiple URI lines are treated identically to a URI
         line containing multiple entries.  Only systems using the OpenSSL
         libraries support the mixing of ldap:// and ldaps:// URIs.  Both
         the Netscape-derived and Tivoli LDAP libraries used on most
         commercial versions of Unix are only capable of supporting one or
         the other.

     HOST name[:port] ...
         If no URI is specified, the HOST parameter specifies a
         whitespace-delimited list of LDAP servers to connect to.  Each host
         may include an optional port separated by a colon (`:').  The HOST
         parameter is deprecated in favor of the URI specification and is
         included for backwards compatibility.

     PORT port_number
         If no URI is specified, the PORT parameter specifies the default
         port to connect to on the LDAP server if a HOST parameter does not
         specify the port itself.  If no PORT parameter is used, the default
         is port 389 for LDAP and port 636 for LDAP over TLS (SSL).  The
         PORT parameter is deprecated in favor of the URI specification and
         is included for backwards compatibility.

     BIND_TIMELIMIT seconds
         The BIND_TIMELIMIT parameter specifies the amount of time, in
         seconds, to wait while trying to connect to an LDAP server.  If
         multiple URIs or HOSTs are specified, this is the amount of time to
         wait before trying the next one in the list.

     NETWORK_TIMEOUT seconds
         An alias for BIND_TIMELIMIT for OpenLDAP compatibility.
     TIMELIMIT seconds
         The TIMELIMIT parameter specifies the amount of time, in seconds,
         to wait for a response to an LDAP query.

     TIMEOUT seconds
         The TIMEOUT parameter specifies the amount of time, in seconds, to
         wait for a response from the various LDAP APIs.

     SUDOERS_BASE base
         The base DN to use when performing sudo LDAP queries.  Typically
         this is of the form ou=SUDOers,dc=example,dc=com for the domain
         example.com.  Multiple SUDOERS_BASE lines may be specified, in
         which case they are queried in the order specified.

     SUDOERS_SEARCH_FILTER ldap_filter
         An LDAP filter which is used to restrict the set of records
         returned when performing a sudo LDAP query.  Typically, this is of
         the form attribute=value or
         (&(attribute=value)(attribute2=value2)).

     SUDOERS_TIMED on/true/yes/off/false/no
         Whether or not to evaluate the sudoNotBefore and sudoNotAfter
         attributes that implement time-dependent sudoers entries.

     SUDOERS_DEBUG debug_level
         This sets the debug level for sudo LDAP queries.  Debugging
         information is printed to the standard error.  A value of 1 results
         in a moderate amount of debugging information.  A value of 2 shows
         the results of the matches themselves.  This parameter should not
         be set in a production environment as the extra information is
         likely to confuse users.

     BINDDN DN
         The BINDDN parameter specifies the identity, in the form of a
         Distinguished Name (DN), to use when performing LDAP operations.
         If not specified, LDAP operations are performed with an anonymous
         identity.  By default, most LDAP servers will allow anonymous
         access.
     BINDPW secret
         The BINDPW parameter specifies the password to use when performing
         LDAP operations.  This is typically used in conjunction with the
         BINDDN parameter.

     ROOTBINDDN DN
         The ROOTBINDDN parameter specifies the identity, in the form of a
         Distinguished Name (DN), to use when performing privileged LDAP
         operations, such as sudoers queries.  The password corresponding to
         the identity should be stored in /etc/ldap.secret.  If not
         specified, the BINDDN identity is used (if any).

     LDAP_VERSION number
         The version of the LDAP protocol to use when connecting to the
         server.  The default value is protocol version 3.

     SSL on/true/yes/off/false/no
         If the SSL parameter is set to on, true or yes, TLS (SSL)
         encryption is always used when communicating with the LDAP server.
         Typically, this involves connecting to the server on port 636
         (ldaps).

     SSL start_tls
         If the SSL parameter is set to start_tls, the LDAP server
         connection is initiated normally and TLS encryption is begun before
         the bind credentials are sent.  This has the advantage of not
         requiring a dedicated port for encrypted communications.  This
         parameter is only supported by LDAP servers that honor the
         start_tls extension, such as the OpenLDAP and Tivoli Directory
         servers.

     TLS_CHECKPEER on/true/yes/off/false/no
         If enabled, TLS_CHECKPEER will cause the LDAP server's TLS
         certificate to be verified.  If the server's TLS certificate
         cannot be verified (usually because it is signed by an unknown
         certificate authority), sudo will be unable to connect to it.  If
         TLS_CHECKPEER is disabled, no check is made.
         Note that disabling the check creates an opportunity for
         man-in-the-middle attacks since the server's identity will not be
         authenticated.  If possible, the CA's certificate should be
         installed locally so it can be verified.  This option is not
         supported by the Tivoli Directory Server LDAP libraries.

     TLS_CACERT file name
         An alias for TLS_CACERTFILE for OpenLDAP compatibility.

     TLS_CACERTFILE file name
         The path to a certificate authority bundle which contains the
         certificates for all the Certificate Authorities the client knows
         to be valid, e.g. /etc/ssl/ca-bundle.pem.  This option is only
         supported by the OpenLDAP libraries.  Netscape-derived LDAP
         libraries use the same certificate database for CA and client
         certificates (see TLS_CERT).

     TLS_CACERTDIR directory
         Similar to TLS_CACERTFILE but instead of a file, it is a directory
         containing individual Certificate Authority certificates, e.g.
         /etc/ssl/certs.  The directory specified by TLS_CACERTDIR is
         checked after TLS_CACERTFILE.  This option is only supported by the
         OpenLDAP libraries.

     TLS_CERT file name
         The path to a file containing the client certificate which can be
         used to authenticate the client to the LDAP server.  The
         certificate type depends on the LDAP libraries used.

         OpenLDAP:
             tls_cert /etc/ssl/client_cert.pem

         Netscape-derived:
             tls_cert /var/ldap/cert7.db

         Tivoli Directory Server:
             Unused, the key database specified by TLS_KEY contains both
             keys and certificates.

         When using Netscape-derived libraries, this file may also
         contain Certificate Authority certificates.
     TLS_KEY file name
         The path to a file containing the private key which matches the
         certificate specified by TLS_CERT.  The private key must not be
         password-protected.  The key type depends on the LDAP libraries
         used.

         OpenLDAP:
             tls_key /etc/ssl/client_key.pem

         Netscape-derived:
             tls_key /var/ldap/key3.db

         Tivoli Directory Server:
             tls_key /usr/ldap/ldapkey.kdb

         When using Tivoli LDAP libraries, this file may also contain
         Certificate Authority and client certificates and may be encrypted.

     TLS_KEYPW secret
         The TLS_KEYPW contains the password used to decrypt the key
         database on clients using the Tivoli Directory Server LDAP library.
         If no TLS_KEYPW is specified, a stash file will be used if it
         exists.  The stash file must have the same path as the file
         specified by TLS_KEY, but use a .sth file extension instead of
         .kdb, e.g. ldapkey.sth.  The default ldapkey.kdb that ships with
         Tivoli Directory Server is encrypted with the password
         ssl_password.  This option is only supported by the Tivoli LDAP
         libraries.

     TLS_RANDFILE file name
         The TLS_RANDFILE parameter specifies the path to an entropy source
         for systems that lack a random device.  It is generally used in
         conjunction with prngd or egd.  This option is only supported by
         the OpenLDAP libraries.

     TLS_CIPHERS cipher list
         The TLS_CIPHERS parameter allows the administrator to restrict
         which encryption algorithms may be used for TLS (SSL) connections.
         See the OpenLDAP or Tivoli Directory Server manual for a list of
         valid ciphers.  This option is not supported by Netscape-derived
         libraries.
     USE_SASL on/true/yes/off/false/no
         Enable USE_SASL for LDAP servers that support SASL authentication.

     SASL_AUTH_ID identity
         The SASL user name to use when connecting to the LDAP server.  By
         default, sudo will use an anonymous connection.

     ROOTUSE_SASL on/true/yes/off/false/no
         Enable ROOTUSE_SASL to enable SASL authentication when connecting
         to an LDAP server from a privileged process, such as sudo.

     ROOTSASL_AUTH_ID identity
         The SASL user name to use when ROOTUSE_SASL is enabled.

     SASL_SECPROPS none/properties
         SASL security properties or none for no properties.  See the SASL
         programmer's manual for details.

     KRB5_CCNAME file name
         The path to the Kerberos 5 credential cache to use when
         authenticating with the remote server.

     DEREF never/searching/finding/always
         How alias dereferencing is to be performed when searching.  See the
         ldap.conf(1m) manual for a full description of this option.

     See the ldap.conf entry in the EXAMPLES section.

   Configuring nsswitch.conf
     Unless it is disabled at build time, sudo consults the Name Service
     Switch file, /etc/nsswitch.conf, to specify the sudoers search order.
     Sudo looks for a line beginning with sudoers: and uses this to determine
     the search order.  Note that sudo does not stop searching after the first
     match and later matches take precedence over earlier ones.
     The following sources are recognized:

         files      read sudoers from /etc/sudoers
         ldap       read sudoers from LDAP

     In addition, the entry [NOTFOUND=return] will short-circuit the search if
     the user was not found in the preceding source.

     To consult LDAP first followed by the local sudoers file (if it exists),
     use:

         sudoers: ldap files

     The local sudoers file can be ignored completely by using:

         sudoers: ldap

     If the /etc/nsswitch.conf file is not present or there is no sudoers
     line, the following default is assumed:

         sudoers: files

     Note that /etc/nsswitch.conf is supported even when the underlying
     operating system does not use an nsswitch.conf file, except on AIX (see
     below).

   Configuring netsvc.conf
     On AIX systems, the /etc/netsvc.conf file is consulted instead of
     /etc/nsswitch.conf.  sudo simply treats netsvc.conf as a variant of
     nsswitch.conf; information in the previous section unrelated to the file
     format itself still applies.

     To consult LDAP first followed by the local sudoers file (if it exists),
     use:

         sudoers = ldap, files

     The local sudoers file can be ignored completely by using:

         sudoers = ldap

     To treat LDAP as authoritative and only use the local sudoers file if the
     user is not present in LDAP, use:

         sudoers = ldap = auth, files

     Note that in the above example, the auth qualifier only affects user
     lookups; both LDAP and sudoers will be queried for Defaults entries.
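     As an added example, not code from the sudo source, the following reads
     the sudoers line from either file format above and applies the rules
     these two sections state: later matches override earlier ones,
     [NOTFOUND=return] stops the search when the preceding source did not
     know the user, and a netsvc.conf auth qualifier stops the user lookup at
     that source while Defaults are still read from every listed source.  The
     per-source query results are constructed inputs standing in for an LDAP
     query and a local sudoers parse; treating [NOTFOUND=return] as leaving
     Defaults unaffected is an assumption, since the manual states that only
     for the auth qualifier.

```python
"""Added example: read the sudoers source order from nsswitch.conf or the AIX
netsvc.conf and apply the precedence rules the manual states.  Per-source
results are constructed stand-ins for an LDAP query / a sudoers file parse."""
from dataclasses import dataclass

KNOWN_SOURCES = ("files", "ldap")


@dataclass
class Source:
    name: str
    ret_if_notfound: bool = False   # nsswitch.conf: [NOTFOUND=return] follows it
    authoritative: bool = False     # netsvc.conf: "= auth" qualifier


def parse_nsswitch(text):
    """nsswitch.conf form: 'sudoers: ldap [NOTFOUND=return] files'.  The
    [NOTFOUND=return] token binds to the source before it.  With no sudoers
    line the manual's default, 'sudoers: files', applies."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("sudoers:"):
            continue
        sources = []
        for tok in line[len("sudoers:"):].split():
            if tok.upper() == "[NOTFOUND=RETURN]" and sources:
                sources[-1].ret_if_notfound = True
            elif tok in KNOWN_SOURCES:
                sources.append(Source(tok))
        return sources
    return [Source("files")]


def parse_netsvc(text):
    """netsvc.conf form: 'sudoers = ldap = auth, files'.  'auth' marks the
    source as authoritative for user lookups.  Default is 'sudoers = files'."""
    for line in text.splitlines():
        key, sep, rest = line.split("#", 1)[0].partition("=")
        if not sep or key.strip() != "sudoers":
            continue
        sources = []
        for item in rest.split(","):
            parts = [p.strip() for p in item.split("=")]
            if parts[0] in KNOWN_SOURCES:
                sources.append(Source(parts[0], authoritative="auth" in parts[1:]))
        return sources
    return [Source("files")]


def lookup(sources, results):
    """results maps source name -> (user_found, allow).  Walk the sources in
    order: a later match overrides an earlier one; stop after a source that
    did not know the user if [NOTFOUND=return] follows it; stop after an
    authoritative source that did know the user.  Defaults come from every
    listed source (stated for 'auth' in the manual; assumed here for
    [NOTFOUND=return] too).  Returns (allow, user_sources, defaults_sources)."""
    allow, consulted = None, []
    for src in sources:
        consulted.append(src.name)
        found, verdict = results.get(src.name, (False, None))
        if found:
            allow = verdict
            if src.authoritative:
                break
        elif src.ret_if_notfound:
            break
    return allow, consulted, [s.name for s in sources]


if __name__ == "__main__":
    # Constructed: LDAP knows nothing about the user, the local file allows.
    results = {"ldap": (False, None), "files": (True, True)}
    print(lookup(parse_nsswitch("sudoers: ldap [NOTFOUND=return] files"), results))
    print(lookup(parse_netsvc("sudoers = ldap = auth, files"), results))
```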
     If the /etc/netsvc.conf file is not present or there is no sudoers line,
     the following default is assumed:

         sudoers = files

FILES
     /etc/ldap.conf            LDAP configuration file

     /etc/nsswitch.conf        determines sudoers source order

     /etc/netsvc.conf          determines sudoers source order on AIX

EXAMPLES
   Example ldap.conf
     # Either specify one or more URIs or one or more host:port pairs.
     # If neither is specified sudo will default to localhost, port 389.
     #
     #host          ldapserver
     #host          ldapserver1 ldapserver2:390
     #
     # Default port if host is specified without one, defaults to 389.
     #port          389
     #
     # URI will override the host and port settings.
     uri            ldap://ldapserver
     #uri            ldaps://secureldapserver
     #uri            ldaps://secureldapserver ldap://ldapserver
     #
     # The amount of time, in seconds, to wait while trying to connect to
     # an LDAP server.
     bind_timelimit 30
     #
     # The amount of time, in seconds, to wait while performing an LDAP query.
     timelimit 30
     #
     # Must be set or sudo will ignore LDAP; may be specified multiple times.
     sudoers_base   ou=SUDOers,dc=example,dc=com
     #
     # verbose sudoers matching from ldap
     #sudoers_debug 2
     #
     # Enable support for time-based entries in sudoers.
     #sudoers_timed yes
     #
     # optional proxy credentials
     #binddn        <who to search as>
     #bindpw        <password>
     #rootbinddn    <who to search as, uses /etc/ldap.secret for bindpw>
     #
     # LDAP protocol version, defaults to 3
     #ldap_version  3
     #
     # Define if you want to use an encrypted LDAP connection.
     # Typically, you must also set the port to 636 (ldaps).
     #ssl on
     #
     # Define if you want to use port 389 and switch to
     # encryption before the bind credentials are sent.
     # Only supported by LDAP servers that support the start_tls
     # extension such as OpenLDAP.
     #ssl start_tls
     #
     # Additional TLS options follow that allow tweaking of the
     # SSL/TLS connection.
     #
     #tls_checkpeer yes # verify server SSL certificate
     #tls_checkpeer no  # ignore server SSL certificate
     #
     # If you enable tls_checkpeer, specify either tls_cacertfile
     # or tls_cacertdir.  Only supported when using OpenLDAP.
     #
     #tls_cacertfile /etc/certs/trusted_signers.pem
     #tls_cacertdir  /etc/certs
     #
     # For systems that don't have /dev/random
     # use this along with PRNGD or EGD.pl to seed the
     # random number pool to generate cryptographic session keys.
     # Only supported when using OpenLDAP.
     #
     #tls_randfile /etc/egd-pool
     #
     # You may restrict which ciphers are used.  Consult your SSL
     # documentation for which options go here.
     # Only supported when using OpenLDAP.
     #
     #tls_ciphers <cipher-list>
     #
     # Sudo can provide a client certificate when communicating to
     # the LDAP server.
     # Tips:
     #   * Enable both lines at the same time.
     #   * Do not password protect the key file.
     #   * Ensure the keyfile is only readable by root.
     #
     # For OpenLDAP:
     #tls_cert /etc/certs/client_cert.pem
     #tls_key  /etc/certs/client_key.pem
     #
     # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
     # a directory, in which case the files in the directory must have the
     # default names (e.g. cert8.db and key4.db), or the path to the cert
     # and key files themselves.  However, a bug in version 5.0 of the LDAP
     # SDK will prevent specific file names from working.  For this reason
     # it is suggested that tls_cert and tls_key be set to a directory,
     # not a file name.
     #
     # The certificate database specified by tls_cert may contain CA certs
     # and/or the client's cert.
     # If the client's cert is included, tls_key
     # should be specified as well.
     # For backward compatibility, "sslpath" may be used in place of tls_cert.
     #tls_cert /var/ldap
     #tls_key  /var/ldap
     #
     # If using SASL authentication for LDAP (OpenSSL)
     # use_sasl yes
     # sasl_auth_id <SASL user name>
     # rootuse_sasl yes
     # rootsasl_auth_id <SASL user name for root access>
     # sasl_secprops none
     # krb5_ccname /etc/.ldapcache

   Sudo schema for OpenLDAP
     The following schema, in OpenLDAP format, is included with sudo source
     and binary distributions as schema.OpenLDAP.  Simply copy it to the
     schema directory (e.g. /etc/openldap/schema), add the proper include line
     in slapd.conf and restart slapd.

     attributetype ( 1.3.6.1.4.1.15953.9.1.1
        NAME 'sudoUser'
        DESC 'User(s) who may run sudo'
        EQUALITY caseExactIA5Match
        SUBSTR caseExactIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

     attributetype ( 1.3.6.1.4.1.15953.9.1.2
        NAME 'sudoHost'
        DESC 'Host(s) who may run sudo'
        EQUALITY caseExactIA5Match
        SUBSTR caseExactIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

     attributetype ( 1.3.6.1.4.1.15953.9.1.3
        NAME 'sudoCommand'
        DESC 'Command(s) to be executed by sudo'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

     attributetype ( 1.3.6.1.4.1.15953.9.1.4
        NAME 'sudoRunAs'
        DESC 'User(s) impersonated by sudo'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

     attributetype ( 1.3.6.1.4.1.15953.9.1.5
        NAME 'sudoOption'
        DESC 'Options(s) followed by sudo'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

     attributetype ( 1.3.6.1.4.1.15953.9.1.6
        NAME 'sudoRunAsUser'
        DESC 'User(s) impersonated by sudo'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
        )

     attributetype ( 1.3.6.1.4.1.15953.9.1.7
        NAME 'sudoRunAsGroup'
        DESC 'Group(s) impersonated by sudo'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

     attributetype ( 1.3.6.1.4.1.15953.9.1.8
        NAME 'sudoNotBefore'
        DESC 'Start of time interval for which the entry is valid'
        EQUALITY generalizedTimeMatch
        ORDERING generalizedTimeOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

     attributetype ( 1.3.6.1.4.1.15953.9.1.9
        NAME 'sudoNotAfter'
        DESC 'End of time interval for which the entry is valid'
        EQUALITY generalizedTimeMatch
        ORDERING generalizedTimeOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

     attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
        NAME 'sudoOrder'
        DESC 'an integer to order the sudoRole entries'
        EQUALITY integerMatch
        ORDERING integerOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

     objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
        DESC 'Sudoer Entries'
        MUST ( cn )
        MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
              sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
              sudoOrder $ description )
        )

SEE ALSO
     ldap.conf(1m), sudoers(1m)

CAVEATS
     Note that there are differences in the way that LDAP-based sudoers is
     parsed compared to file-based sudoers.  See the Differences between LDAP
     and non-LDAP sudoers section for more information.

BUGS
     If you feel you have found a bug in sudo, please submit a bug report at
     http://www.sudo.ws/sudo/bugs/

SUPPORT
     Limited free support is available via the sudo-users mailing list, see
     http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
     archives.
DISCLAIMER
     sudo is provided ``AS IS'' and any express or implied warranties,
     including, but not limited to, the implied warranties of merchantability
     and fitness for a particular purpose are disclaimed.  See the LICENSE
     file distributed with sudo or http://www.sudo.ws/sudo/license.html for
     complete details.

Sudo 1.7.10                      July 12, 2012                      Sudo 1.7.10