summaryrefslogtreecommitdiffstats
path: root/doc/sudoers.ldap.cat
diff options
context:
space:
mode:
Diffstat (limited to 'doc/sudoers.ldap.cat')
-rw-r--r--doc/sudoers.ldap.cat1033
1 files changed, 1033 insertions, 0 deletions
diff --git a/doc/sudoers.ldap.cat b/doc/sudoers.ldap.cat
new file mode 100644
index 0000000..0d48b9a
--- /dev/null
+++ b/doc/sudoers.ldap.cat
@@ -0,0 +1,1033 @@
+SUDOERS.LDAP(4) File Formats Manual SUDOERS.LDAP(4)
+
+NNAAMMEE
+ ssuuddooeerrss..llddaapp - sudo LDAP configuration
+
+DDEESSCCRRIIPPTTIIOONN
+ In addition to the standard _s_u_d_o_e_r_s file, ssuuddoo may be configured via
+ LDAP. This can be especially useful for synchronizing _s_u_d_o_e_r_s in a
+ large, distributed environment.
+
+ Using LDAP for _s_u_d_o_e_r_s has several benefits:
+
+ ++oo ssuuddoo no longer needs to read _s_u_d_o_e_r_s in its entirety. When LDAP is
+ used, there are only two or three LDAP queries per invocation. This
+ makes it especially fast and particularly usable in LDAP environments.
+
+ ++oo ssuuddoo no longer exits if there is a typo in _s_u_d_o_e_r_s. It is not
+ possible to load LDAP data into the server that does not conform to
+ the sudoers schema, so proper syntax is guaranteed. It is still
+ possible to have typos in a user or host name, but this will not
+ prevent ssuuddoo from running.
+
+ ++oo It is possible to specify per-entry options that override the global
+ default options. _/_e_t_c_/_s_u_d_o_e_r_s only supports default options and
+ limited options associated with user/host/commands/aliases. The
+ syntax is complicated and can be difficult for users to understand.
+ Placing the options directly in the entry is more natural.
+
+ ++oo The vviissuuddoo program is no longer needed. vviissuuddoo provides locking and
+ syntax checking of the _/_e_t_c_/_s_u_d_o_e_r_s file. Since LDAP updates are
+ atomic, locking is no longer necessary. Because syntax is checked
+ when the data is inserted into LDAP, there is no need for a
+ specialized tool to check syntax.
+
+ SSUUDDOOeerrss LLDDAAPP ccoonnttaaiinneerr
+ The _s_u_d_o_e_r_s configuration is contained in the ou=SUDOers LDAP container.
+
+ Sudo first looks for the cn=defaults entry in the SUDOers container. If
+ found, the multi-valued sudoOption attribute is parsed in the same manner
+ as a global Defaults line in _/_e_t_c_/_s_u_d_o_e_r_s. In the following example, the
+ SSH_AUTH_SOCK variable will be preserved in the environment for all
+ users.
+
+ dn: cn=defaults,ou=SUDOers,dc=my-domain,dc=com
+ objectClass: top
+ objectClass: sudoRole
+ cn: defaults
+ description: Default sudoOption's go here
+ sudoOption: env_keep+=SSH_AUTH_SOCK
+
+ The equivalent of a sudoer in LDAP is a sudoRole. It consists of the
+ following attributes:
+
+ ssuuddooUUsseerr
+ A user name, user ID (prefixed with `#'), Unix group name or ID
+ (prefixed with `%' or `%#' respectively), user netgroup (prefixed
+ with `+'), or non-Unix group name or ID (prefixed with `%:' or
+ `%:#' respectively). User netgroups are matched using the user and
+ domain members only; the host member is not used when matching.
+ Non-Unix group support is only available when an appropriate
+ _g_r_o_u_p___p_l_u_g_i_n is defined in the global _d_e_f_a_u_l_t_s sudoRole object.
+
+ ssuuddooHHoosstt
+ A host name, IP address, IP network, or host netgroup (prefixed
+ with a `+'). The special value ALL will match any host. Host
+ netgroups are matched using the host (both qualified and
+ unqualified) and domain members only; the user member is not used
+ when matching. If a sudoHost entry is preceded by an exclamation
+ point, `!', and the entry matches, the sudoRole in which it resides
+ will be ignored. Negated sudoHost entries are only supported by
+ version 1.8.18 or higher.
+
+ ssuuddooCCoommmmaanndd
+ A fully-qualified Unix command name with optional command line
+ arguments, potentially including globbing characters (aka wild
+ cards). If a command name is preceded by an exclamation point,
+ `!', the user will be prohibited from running that command.
+
+ The built-in command "sudoedit" is used to permit a user to run
+ ssuuddoo with the --ee option (or as ssuuddooeeddiitt). It may take command line
+ arguments just as a normal command does. Note that "sudoedit" is a
+ command built into ssuuddoo itself and must be specified in without a
+ leading path.
+
+ The special value ALL will match any command.
+
+ If a command name is prefixed with a SHA-2 digest, it will only be
+ allowed if the digest matches. This may be useful in situations
+ where the user invoking ssuuddoo has write access to the command or its
+ parent directory. The following digest formats are supported:
+ sha224, sha256, sha384 and sha512. The digest name must be
+ followed by a colon (`:') and then the actual digest, in either hex
+ or base64 format. For example, given the following value for
+ sudoCommand:
+
+ sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ /bin/ls
+
+ The user may only run _/_b_i_n_/_l_s if its sha224 digest matches the
+ specified value. Command digests are only supported by version
+ 1.8.7 or higher.
+
+ ssuuddooOOppttiioonn
+ Identical in function to the global options described above, but
+ specific to the sudoRole in which it resides.
+
+ ssuuddooRRuunnAAssUUsseerr
+ A user name or uid (prefixed with `#') that commands may be run as
+ or a Unix group (prefixed with a `%') or user netgroup (prefixed
+ with a `+') that contains a list of users that commands may be run
+ as. The special value ALL will match any user. If a sudoRunAsUser
+ entry is preceded by an exclamation point, `!', and the entry
+ matches, the sudoRole in which it resides will be ignored. If
+ sudoRunAsUser is specified but empty, it will match the invoking
+ user. If neither sudoRunAsUser nor sudoRunAsGroup are present, the
+ value of the _r_u_n_a_s___d_e_f_a_u_l_t sudoOption is used (defaults to root).
+
+ The sudoRunAsUser attribute is only available in ssuuddoo versions
+ 1.7.0 and higher. Older versions of ssuuddoo use the sudoRunAs
+ attribute instead. Negated sudoRunAsUser entries are only
+ supported by version 1.8.26 or higher.
+
+ ssuuddooRRuunnAAssGGrroouupp
+ A Unix group or gid (prefixed with `#') that commands may be run
+ as. The special value ALL will match any group. If a
+ sudoRunAsGroup entry is preceded by an exclamation point, `!', and
+ the entry matches, the sudoRole in which it resides will be
+ ignored.
+
+ The sudoRunAsGroup attribute is only available in ssuuddoo versions
+ 1.7.0 and higher. Negated sudoRunAsGroup entries are only
+ supported by version 1.8.26 or higher.
+
+ ssuuddooNNoottBBeeffoorree
+ A timestamp in the form yyyymmddHHMMSSZ that can be used to provide
+ a start date/time for when the sudoRole will be valid. If multiple
+ sudoNotBefore entries are present, the earliest is used. Note that
+ timestamps must be in Coordinated Universal Time (UTC), not the
+ local timezone. The minute and seconds portions are optional, but
+ some LDAP servers require that they be present (contrary to the
+ RFC).
+
+ The sudoNotBefore attribute is only available in ssuuddoo versions
+ 1.7.5 and higher and must be explicitly enabled via the
+ SSUUDDOOEERRSS__TTIIMMEEDD option in _/_e_t_c_/_l_d_a_p_._c_o_n_f.
+
+ ssuuddooNNoottAAfftteerr
+ A timestamp in the form yyyymmddHHMMSSZ that indicates an
+ expiration date/time, after which the sudoRole will no longer be
+ valid. If multiple sudoNotAfter entries are present, the last one
+ is used. Note that timestamps must be in Coordinated Universal
+ Time (UTC), not the local timezone. The minute and seconds
+ portions are optional, but some LDAP servers require that they be
+ present (contrary to the RFC).
+
+ The sudoNotAfter attribute is only available in ssuuddoo versions 1.7.5
+ and higher and must be explicitly enabled via the SSUUDDOOEERRSS__TTIIMMEEDD
+ option in _/_e_t_c_/_l_d_a_p_._c_o_n_f.
+
+ ssuuddooOOrrddeerr
+ The sudoRole entries retrieved from the LDAP directory have no
+ inherent order. The sudoOrder attribute is an integer (or floating
+ point value for LDAP servers that support it) that is used to sort
+ the matching entries. This allows LDAP-based sudoers entries to
+ more closely mimic the behavior of the sudoers file, where the
+ order of the entries influences the result. If multiple entries
+ match, the entry with the highest sudoOrder attribute is chosen.
+ This corresponds to the "last match" behavior of the sudoers file.
+ If the sudoOrder attribute is not present, a value of 0 is assumed.
+
+ The sudoOrder attribute is only available in ssuuddoo versions 1.7.5
+ and higher.
+
+ Each attribute listed above should contain a single value, but there may
+ be multiple instances of each attribute type. A sudoRole must contain at
+ least one sudoUser, sudoHost and sudoCommand.
+
+ The following example allows users in group wheel to run any command on
+ any host via ssuuddoo:
+
+ dn: cn=%wheel,ou=SUDOers,dc=my-domain,dc=com
+ objectClass: top
+ objectClass: sudoRole
+ cn: %wheel
+ sudoUser: %wheel
+ sudoHost: ALL
+ sudoCommand: ALL
+
+ AAnnaattoommyy ooff LLDDAAPP ssuuddooeerrss llooookkuupp
+ When looking up a sudoer using LDAP there are only two or three LDAP
+ queries per invocation. The first query is to parse the global options.
+ The second is to match against the user's name and the groups that the
+ user belongs to. (The special ALL tag is matched in this query too.) If
+ no match is returned for the user's name and groups, a third query
+ returns all entries containing user netgroups and other non-Unix groups
+ and checks to see if the user belongs to any of them.
+
+ If timed entries are enabled with the SSUUDDOOEERRSS__TTIIMMEEDD configuration
+ directive, the LDAP queries include a sub-filter that limits retrieval to
+ entries that satisfy the time constraints, if any.
+
+ If the NNEETTGGRROOUUPP__BBAASSEE configuration directive is present (see _C_o_n_f_i_g_u_r_i_n_g
+ _l_d_a_p_._c_o_n_f below), queries are performed to determine the list of
+ netgroups the user belongs to before the sudoers query. This makes it
+ possible to include netgroups in the sudoers query string in the same
+ manner as Unix groups. The third query mentioned above is not performed
+ unless a group provider plugin is also configured. The actual LDAP
+ queries performed by ssuuddoo are as follows:
+
+ 1. Match all nisNetgroup records with a nisNetgroupTriple containing
+ the user, host and NIS domain. The query will match
+ nisNetgroupTriple entries with either the short or long form of the
+ host name or no host name specified in the tuple. If the NIS domain
+ is set, the query will match only match entries that include the
+ domain or for which there is no domain present. If the NIS domain
+ is _n_o_t set, a wildcard is used to match any domain name but be aware
+ that the NIS schema used by some LDAP servers may not support wild
+ cards for nisNetgroupTriple.
+
+ 2. Repeated queries are performed to find any nested nisNetgroup
+ records with a memberNisNetgroup entry that refers to an already-
+ matched record.
+
+ For sites with a large number of netgroups, using NNEETTGGRROOUUPP__BBAASSEE can
+ significantly speed up ssuuddoo's execution time.
+
+ DDiiffffeerreenncceess bbeettwweeeenn LLDDAAPP aanndd nnoonn--LLDDAAPP ssuuddooeerrss
+ One of the major differences between LDAP and file-based _s_u_d_o_e_r_s is that
+ in LDAP, ssuuddoo-specific Aliases are not supported.
+
+ For the most part, there is little need for ssuuddoo-specific Aliases. Unix
+ groups, non-Unix groups (via the _g_r_o_u_p___p_l_u_g_i_n) or user netgroups can be
+ used in place of User_Aliases and Runas_Aliases. Host netgroups can be
+ used in place of Host_Aliases. Since groups and netgroups can also be
+ stored in LDAP there is no real need for ssuuddoo-specific aliases.
+
+ There are also some subtle differences in the way sudoers is handled once
+ in LDAP. Probably the biggest is that according to the RFC, LDAP
+ ordering is arbitrary and you cannot expect that Attributes and Entries
+ are returned in any specific order.
+
+ The order in which different entries are applied can be controlled using
+ the sudoOrder attribute, but there is no way to guarantee the order of
+ attributes within a specific entry. If there are conflicting command
+ rules in an entry, the negative takes precedence. This is called
+ paranoid behavior (not necessarily the most specific match).
+
+ Here is an example:
+
+ # /etc/sudoers:
+ # Allow all commands except shell
+ johnny ALL=(root) ALL,!/bin/sh
+ # Always allows all commands because ALL is matched last
+ puddles ALL=(root) !/bin/sh,ALL
+
+ # LDAP equivalent of johnny
+ # Allows all commands except shell
+ dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
+ objectClass: sudoRole
+ objectClass: top
+ cn: role1
+ sudoUser: johnny
+ sudoHost: ALL
+ sudoCommand: ALL
+ sudoCommand: !/bin/sh
+
+ # LDAP equivalent of puddles
+ # Notice that even though ALL comes last, it still behaves like
+ # role1 since the LDAP code assumes the more paranoid configuration
+ dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
+ objectClass: sudoRole
+ objectClass: top
+ cn: role2
+ sudoUser: puddles
+ sudoHost: ALL
+ sudoCommand: !/bin/sh
+ sudoCommand: ALL
+
+ Another difference is that it is not possible to use negation in a
+ sudoUser, sudoRunAsUser or sudoRunAsGroup attribute. For example, the
+ following attributes do not behave the way one might expect.
+
+ # does not match all but joe
+ # rather, does not match anyone
+ sudoUser: !joe
+
+ # does not match all but joe
+ # rather, matches everyone including Joe
+ sudoUser: ALL
+ sudoUser: !joe
+
+ CCoonnvveerrttiinngg bbeettwweeeenn ffiillee--bbaasseedd aanndd LLDDAAPP ssuuddooeerrss
+ The cvtsudoers(1) utility can be used to convert between file-based and
+ LDAP _s_u_d_o_e_r_s. However, there are features in the file-based sudoers that
+ have no equivalent in LDAP-based sudoers (and vice versa). These cannot
+ be converted automatically.
+
+ For example, a Cmnd_Alias in a _s_u_d_o_e_r_s file may be converted to a
+ sudoRole that contains multiple commands. Multiple users and/or groups
+ may be assigned to the sudoRole.
+
+ Also, host, user, runas and command-based Defaults entries are not
+ supported. However, a sudoRole may contain one or more sudoOption
+ attributes which can often serve the same purpose.
+
+ Consider the following _s_u_d_o_e_r_s lines:
+
+ Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
+ Defaults!PAGERS noexec
+ alice, bob ALL = ALL
+
+ In this example, alice and bob are allowed to run all commands, but the
+ commands listed in PAGERS will have the noexec flag set, preventing shell
+ escapes.
+
+ When converting this to LDAP, two sudoRole objects can be used:
+
+ dn: cn=PAGERS,ou=SUDOers,dc=my-domain,dc=com
+ objectClass: top
+ objectClass: sudoRole
+ cn: PAGERS
+ sudoUser: alice
+ sudoUser: bob
+ sudoHost: ALL
+ sudoCommand: /usr/bin/more
+ sudoCommand: /usr/bin/pg
+ sudoCommand: /usr/bin/less
+ sudoOption: noexec
+ sudoOrder: 900
+
+ dn: cn=ADMINS,ou=SUDOers,dc=my-domain,dc=com
+ objectClass: top
+ objectClass: sudoRole
+ cn: ADMINS
+ sudoUser: alice
+ sudoUser: bob
+ sudoHost: ALL
+ sudoCommand: ALL
+ sudoOrder: 100
+
+ In the LDAP version, the sudoOrder attribute is used to guarantee that
+ the PAGERS sudoRole with _n_o_e_x_e_c has precedence. Unlike the _s_u_d_o_e_r_s
+ version, the LDAP version requires that all users for whom the
+ restriction should apply be assigned to the PAGERS sudoRole. Using a
+ Unix group or netgroup in PAGERS rather than listing each user would make
+ this easier to maintain.
+
+ Per-user Defaults entries can be emulated by using one or more sudoOption
+ attributes in a sudoRole. Consider the following _s_u_d_o_e_r_s lines:
+
+ User_Alias ADMINS = john, sally
+ Defaults:ADMINS !authenticate
+ ADMINS ALL = (ALL:ALL) ALL
+
+ In this example, john and sally are allowed to run any command as any
+ user or group.
+
+ When converting this to LDAP, we can use a Unix group instead of the
+ User_Alias.
+
+ dn: cn=admins,ou=SUDOers,dc=my-domain,dc=com
+ objectClass: top
+ objectClass: sudoRole
+ cn: admins
+ sudoUser: %admin
+ sudoHost: ALL
+ sudoRunAsUser: ALL
+ sudoRunAsGroup: ALL
+ sudoCommand: ALL
+ sudoOption: !authenticate
+
+ This assumes that users john and sally are members of the "admins" Unix
+ group.
+
+ SSuuddooeerrss sscchheemmaa
+ In order to use ssuuddoo's LDAP support, the ssuuddoo schema must be installed on
+ your LDAP server. In addition, be sure to index the sudoUser attribute.
+
+ The ssuuddoo distribution includes versions of the ssuuddooeerrss schema for
+ multiple LDAP servers:
+
+ _s_c_h_e_m_a_._O_p_e_n_L_D_A_P
+ OpenLDAP slapd and OpenBSD ldapd
+
+ _s_c_h_e_m_a_._o_l_c_S_u_d_o
+ OpenLDAP slapd 2.3 and higher when on-line configuration is enabled
+
+ _s_c_h_e_m_a_._i_P_l_a_n_e_t
+ Netscape-derived servers such as the iPlanet, Oracle, and 389
+ Directory Servers
+
+ _s_c_h_e_m_a_._A_c_t_i_v_e_D_i_r_e_c_t_o_r_y
+ Microsoft Active Directory
+
+ The schema in OpenLDAP format is also included in the _E_X_A_M_P_L_E_S section.
+
+ CCoonnffiigguurriinngg llddaapp..ccoonnff
+ Sudo reads the _/_e_t_c_/_l_d_a_p_._c_o_n_f file for LDAP-specific configuration.
+ Typically, this file is shared between different LDAP-aware clients. As
+ such, most of the settings are not ssuuddoo-specific. Note that ssuuddoo parses
+ _/_e_t_c_/_l_d_a_p_._c_o_n_f itself and may support options that differ from those
+ described in the system's ldap.conf(4) manual. The path to _l_d_a_p_._c_o_n_f may
+ be overridden via the _l_d_a_p___c_o_n_f plugin argument in sudo.conf(4).
+
+ Also note that on systems using the OpenLDAP libraries, default values
+ specified in _/_e_t_c_/_o_p_e_n_l_d_a_p_/_l_d_a_p_._c_o_n_f or the user's _._l_d_a_p_r_c files are not
+ used.
+
+ Only those options explicitly listed in _/_e_t_c_/_l_d_a_p_._c_o_n_f as being supported
+ by ssuuddoo are honored. Configuration options are listed below in upper
+ case but are parsed in a case-independent manner.
+
+ Lines beginning with a pound sign (`#') are ignored. Leading white space
+ is removed from the beginning of lines.
+
+ BBIINNDD__TTIIMMEELLIIMMIITT _s_e_c_o_n_d_s
+ The BBIINNDD__TTIIMMEELLIIMMIITT parameter specifies the amount of time, in
+ seconds, to wait while trying to connect to an LDAP server. If
+ multiple UURRIIs or HHOOSSTTs are specified, this is the amount of time to
+ wait before trying the next one in the list.
+
+ BBIINNDDDDNN _D_N
+ The BBIINNDDDDNN parameter specifies the identity, in the form of a
+ Distinguished Name (DN), to use when performing LDAP operations.
+ If not specified, LDAP operations are performed with an anonymous
+ identity. By default, most LDAP servers will allow anonymous
+ access.
+
+ BBIINNDDPPWW _s_e_c_r_e_t
+ The BBIINNDDPPWW parameter specifies the password to use when performing
+ LDAP operations. This is typically used in conjunction with the
+ BBIINNDDDDNN parameter. The _s_e_c_r_e_t may be a plain text password or a
+ base64-encoded string with a "base64:" prefix. For example:
+
+ BINDPW base64:dGVzdA==
+
+ If a plain text password is used, it should be a simple string
+ without quotes. Plain text passwords may not include the comment
+ character (`#') and the escaping of special characters with a
+ backslash (`\') is not supported.
+
+ DDEERREEFF _n_e_v_e_r_/_s_e_a_r_c_h_i_n_g_/_f_i_n_d_i_n_g_/_a_l_w_a_y_s
+ How alias dereferencing is to be performed when searching. See the
+ ldap.conf(4) manual for a full description of this option.
+
+ HHOOSSTT _n_a_m_e_[_:_p_o_r_t_] _._._.
+ If no UURRII is specified (see below), the HHOOSSTT parameter specifies a
+ white space-delimited list of LDAP servers to connect to. Each
+ host may include an optional _p_o_r_t separated by a colon (`:'). The
+ HHOOSSTT parameter is deprecated in favor of the UURRII specification and
+ is included for backwards compatibility only.
+
+ KKRRBB55__CCCCNNAAMMEE _f_i_l_e _n_a_m_e
+ The path to the Kerberos 5 credential cache to use when
+ authenticating with the remote server. This option is only
+ relevant when using SASL authentication (see below).
+
+ LLDDAAPP__VVEERRSSIIOONN _n_u_m_b_e_r
+ The version of the LDAP protocol to use when connecting to the
+ server. The default value is protocol version 3.
+
+ NNEETTGGRROOUUPP__BBAASSEE _b_a_s_e
+ The base DN to use when performing LDAP netgroup queries.
+ Typically this is of the form ou=netgroup,dc=my-domain,dc=com for
+ the domain my-domain.com. Multiple NNEETTGGRROOUUPP__BBAASSEE lines may be
+ specified, in which case they are queried in the order specified.
+
+ This option can be used to query a user's netgroups directly via
+ LDAP which is usually faster than fetching every sudoRole object
+ containing a sudoUser that begins with a `+' prefix. The NIS
+ schema used by some LDAP servers need a modification to support
+ querying the nisNetgroup object by its nisNetgroupTriple member.
+ OpenLDAP's ssllaappdd requires the following change to the
+ nisNetgroupTriple attribute:
+
+ attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
+ DESC 'Netgroup triple'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ NNEETTGGRROOUUPP__SSEEAARRCCHH__FFIILLTTEERR _l_d_a_p___f_i_l_t_e_r
+ An LDAP filter which is used to restrict the set of records
+ returned when performing an LDAP netgroup query. Typically, this
+ is of the form attribute=value or
+ (&(attribute=value)(attribute2=value2)). The default search filter
+ is: objectClass=nisNetgroup. If _l_d_a_p___f_i_l_t_e_r is omitted, no search
+ filter will be used. This option is only when querying netgroups
+ directly via LDAP.
+
+ NNEETTWWOORRKK__TTIIMMEEOOUUTT _s_e_c_o_n_d_s
+ An alias for BBIINNDD__TTIIMMEELLIIMMIITT provided for OpenLDAP compatibility.
+
+ PPOORRTT _p_o_r_t___n_u_m_b_e_r
+ If no UURRII is specified, the PPOORRTT parameter specifies the default
+ port to connect to on the LDAP server if a HHOOSSTT parameter does not
+ specify the port itself. If no PPOORRTT parameter is used, the default
+ is port 389 for LDAP and port 636 for LDAP over TLS (SSL). The
+ PPOORRTT parameter is deprecated in favor of the UURRII specification and
+ is included for backwards compatibility only.
+
+ RROOOOTTBBIINNDDDDNN _D_N
+ The RROOOOTTBBIINNDDDDNN parameter specifies the identity, in the form of a
+ Distinguished Name (DN), to use when performing privileged LDAP
+ operations, such as _s_u_d_o_e_r_s queries. The password corresponding to
+ the identity should be stored in the or the path specified by the
+ _l_d_a_p___s_e_c_r_e_t plugin argument in sudo.conf(4), which defaults to
+ _/_e_t_c_/_l_d_a_p_._s_e_c_r_e_t. If no RROOOOTTBBIINNDDDDNN is specified, the BBIINNDDDDNN
+ identity is used (if any).
+
+ RROOOOTTUUSSEE__SSAASSLL _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o
+ Enable RROOOOTTUUSSEE__SSAASSLL to enable SASL authentication when connecting
+ to an LDAP server from a privileged process, such as ssuuddoo.
+
+ SSAASSLL__AAUUTTHH__IIDD _i_d_e_n_t_i_t_y
+ The SASL user name to use when connecting to the LDAP server. By
+ default, ssuuddoo will use an anonymous connection. This option is
+ only relevant when using SASL authentication.
+
+ SSAASSLL__MMEECCHH _m_e_c_h_a_n_i_s_m_s
+ A white space-delimited list of SASL authentication mechanisms to
+ use. By default, ssuuddoo will use GSSAPI authentication.
+
+ SSAASSLL__SSEECCPPRROOPPSS _n_o_n_e_/_p_r_o_p_e_r_t_i_e_s
+ SASL security properties or _n_o_n_e for no properties. See the SASL
+ programmer's manual for details. This option is only relevant when
+ using SASL authentication.
+
+ SSSSLL _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o
+ If the SSSSLL parameter is set to on, true or yes, TLS (SSL)
+ encryption is always used when communicating with the LDAP server.
+ Typically, this involves connecting to the server on port 636
+ (ldaps).
+
+ SSSSLL _s_t_a_r_t___t_l_s
+ If the SSSSLL parameter is set to start_tls, the LDAP server
+ connection is initiated normally and TLS encryption is begun before
+ the bind credentials are sent. This has the advantage of not
+ requiring a dedicated port for encrypted communications. This
+ parameter is only supported by LDAP servers that honor the
+ _s_t_a_r_t___t_l_s extension, such as the OpenLDAP and Tivoli Directory
+ servers.
+
+ SSUUDDOOEERRSS__BBAASSEE _b_a_s_e
+ The base DN to use when performing ssuuddoo LDAP queries. Typically
+ this is of the form ou=SUDOers,dc=my-domain,dc=com for the domain
+ my-domain.com. Multiple SSUUDDOOEERRSS__BBAASSEE lines may be specified, in
+ which case they are queried in the order specified.
+
+ SSUUDDOOEERRSS__DDEEBBUUGG _d_e_b_u_g___l_e_v_e_l
+ This sets the debug level for ssuuddoo LDAP queries. Debugging
+ information is printed to the standard error. A value of 1 results
+ in a moderate amount of debugging information. A value of 2 shows
+ the results of the matches themselves. This parameter should not
+ be set in a production environment as the extra information is
+ likely to confuse users.
+
+ The SSUUDDOOEERRSS__DDEEBBUUGG parameter is deprecated and will be removed in a
+ future release. The same information is now logged via the ssuuddoo
+ debugging framework using the "ldap" subsystem at priorities _d_i_a_g
+ and _i_n_f_o for _d_e_b_u_g___l_e_v_e_l values 1 and 2 respectively. See the
+ sudo.conf(4) manual for details on how to configure ssuuddoo debugging.
+
+ SSUUDDOOEERRSS__SSEEAARRCCHH__FFIILLTTEERR _l_d_a_p___f_i_l_t_e_r
+ An LDAP filter which is used to restrict the set of records
+ returned when performing a ssuuddoo LDAP query. Typically, this is of
+ the form attribute=value or
+ (&(attribute=value)(attribute2=value2)). The default search filter
+ is: objectClass=sudoRole. If _l_d_a_p___f_i_l_t_e_r is omitted, no search
+ filter will be used.
+
+ SSUUDDOOEERRSS__TTIIMMEEDD _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o
+ Whether or not to evaluate the sudoNotBefore and sudoNotAfter
+ attributes that implement time-dependent sudoers entries.
+
+ TTIIMMEELLIIMMIITT _s_e_c_o_n_d_s
+ The TTIIMMEELLIIMMIITT parameter specifies the amount of time, in seconds,
+ to wait for a response to an LDAP query.
+
+ TTIIMMEEOOUUTT _s_e_c_o_n_d_s
+ The TTIIMMEEOOUUTT parameter specifies the amount of time, in seconds, to
+ wait for a response from the various LDAP APIs.
+
+ TTLLSS__CCAACCEERRTT _f_i_l_e _n_a_m_e
+ An alias for TTLLSS__CCAACCEERRTTFFIILLEE for OpenLDAP compatibility.
+
+ TTLLSS__CCAACCEERRTTFFIILLEE _f_i_l_e _n_a_m_e
+ The path to a certificate authority bundle which contains the
+ certificates for all the Certificate Authorities the client knows
+ to be valid, e.g., _/_e_t_c_/_s_s_l_/_c_a_-_b_u_n_d_l_e_._p_e_m. This option is only
+ supported by the OpenLDAP libraries. Netscape-derived LDAP
+ libraries use the same certificate database for CA and client
+ certificates (see TTLLSS__CCEERRTT).
+
+ TTLLSS__CCAACCEERRTTDDIIRR _d_i_r_e_c_t_o_r_y
+ Similar to TTLLSS__CCAACCEERRTTFFIILLEE but instead of a file, it is a directory
+ containing individual Certificate Authority certificates, e.g.,
+ _/_e_t_c_/_s_s_l_/_c_e_r_t_s. The directory specified by TTLLSS__CCAACCEERRTTDDIIRR is
+ checked after TTLLSS__CCAACCEERRTTFFIILLEE. This option is only supported by the
+ OpenLDAP libraries.
+
+ TTLLSS__CCEERRTT _f_i_l_e _n_a_m_e
+ The path to a file containing the client certificate which can be
+ used to authenticate the client to the LDAP server. The
+ certificate type depends on the LDAP libraries used.
+
+ OpenLDAP:
+ tls_cert /etc/ssl/client_cert.pem
+
+ Netscape-derived:
+ tls_cert /var/ldap/cert7.db
+
+ Tivoli Directory Server:
+ Unused, the key database specified by TTLLSS__KKEEYY contains both
+ keys and certificates.
+
+ When using Netscape-derived libraries, this file may also
+ contain Certificate Authority certificates.
+
+ TTLLSS__CCHHEECCKKPPEEEERR _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o
+ If enabled, TTLLSS__CCHHEECCKKPPEEEERR will cause the LDAP server's TLS
+ certificated to be verified. If the server's TLS certificate
+ cannot be verified (usually because it is signed by an unknown
+ certificate authority), ssuuddoo will be unable to connect to it. If
+ TTLLSS__CCHHEECCKKPPEEEERR is disabled, no check is made. Note that disabling
+ the check creates an opportunity for man-in-the-middle attacks
+ since the server's identity will not be authenticated. If
+ possible, the CA's certificate should be installed locally so it
+ can be verified. This option is not supported by the Tivoli
+ Directory Server LDAP libraries.
+
+ TTLLSS__KKEEYY _f_i_l_e _n_a_m_e
+ The path to a file containing the private key which matches the
+ certificate specified by TTLLSS__CCEERRTT. The private key must not be
+ password-protected. The key type depends on the LDAP libraries
+ used.
+
+ OpenLDAP:
+ tls_key /etc/ssl/client_key.pem
+
+ Netscape-derived:
+ tls_key /var/ldap/key3.db
+
+ Tivoli Directory Server:
+ tls_key /usr/ldap/ldapkey.kdb
+ When using Tivoli LDAP libraries, this file may also contain
+ Certificate Authority and client certificates and may be encrypted.
+
+ TTLLSS__CCIIPPHHEERRSS _c_i_p_h_e_r _l_i_s_t
+ The TTLLSS__CCIIPPHHEERRSS parameter allows the administer to restrict which
+ encryption algorithms may be used for TLS (SSL) connections. See
+ the OpenLDAP or Tivoli Directory Server manual for a list of valid
+ ciphers. This option is not supported by Netscape-derived
+ libraries.
+
+ TTLLSS__KKEEYYPPWW _s_e_c_r_e_t
+ The TTLLSS__KKEEYYPPWW contains the password used to decrypt the key
+ database on clients using the Tivoli Directory Server LDAP library.
+ The _s_e_c_r_e_t may be a plain text password or a base64-encoded string
+ with a "base64:" prefix. For example:
+
+ TLS_KEYPW base64:dGVzdA==
+
+ If a plain text password is used, it should be a simple string
+ without quotes. Plain text passwords may not include the comment
+ character (`#') and the escaping of special characters with a
+ backslash (`\') is not supported. If this option is used,
+ _/_e_t_c_/_l_d_a_p_._c_o_n_f must not be world-readable to avoid exposing the
+ password. Alternately, a _s_t_a_s_h _f_i_l_e can be used to store the
+ password in encrypted form (see below).
+
+ If no TTLLSS__KKEEYYPPWW is specified, a _s_t_a_s_h _f_i_l_e will be used if it
+ exists. The _s_t_a_s_h _f_i_l_e must have the same path as the file
+ specified by TTLLSS__KKEEYY, but use a .sth file extension instead of
+ .kdb, e.g., ldapkey.sth. The default ldapkey.kdb that ships with
+ Tivoli Directory Server is encrypted with the password
+ ssl_password. The _g_s_k_8_c_a_p_i_c_m_d utility can be used to manage the
+ key database and create a _s_t_a_s_h _f_i_l_e. This option is only
+ supported by the Tivoli LDAP libraries.
+
+ TTLLSS__RREEQQCCEERRTT _l_e_v_e_l
+ The TTLLSS__RREEQQCCEERRTT parameter controls how the LDAP server's TLS
+ certificated will be verified (if at all). If the server's TLS
+ certificate cannot be verified (usually because it is signed by an
+ unknown certificate authority), ssuuddoo will be unable to connect to
+ it. The following _l_e_v_e_l values are supported:
+
+ never The server certificate will not be requested or
+ checked.
+
+ allow The server certificate will be requested. A missing
+ or invalid certificate is ignored and not considered
+ an error.
+
+ try The server certificate will be requested. A missing
+ certificate is ignored but an invalid certificate
+ will result in a connection error.
+
+ demand | _h_a_r_d
+ The server certificate will be requested. A missing
+ or invalid certificate will result in a connection
+ error. This is the default behavior.
+
+ This option is only supported by the OpenLDAP libraries. Other
+ LDAP libraries only support the TTLLSS__CCHHEECCKKPPEEEERR parameter.
+
+ TTLLSS__RRAANNDDFFIILLEE _f_i_l_e _n_a_m_e
+ The TTLLSS__RRAANNDDFFIILLEE parameter specifies the path to an entropy source
+ for systems that lack a random device. It is generally used in
+ conjunction with _p_r_n_g_d or _e_g_d. This option is only supported by
+ the OpenLDAP libraries.
+
+ UURRII _l_d_a_p_[_s_]_:_/_/_[_h_o_s_t_n_a_m_e_[_:_p_o_r_t_]_] _._._.
+ Specifies a white space-delimited list of one or more URIs
+ describing the LDAP server(s) to connect to. The _p_r_o_t_o_c_o_l may be
+ either _l_d_a_p _l_d_a_p_s, the latter being for servers that support TLS
+ (SSL) encryption. If no _p_o_r_t is specified, the default is port 389
+ for ldap:// or port 636 for ldaps://. If no _h_o_s_t_n_a_m_e is specified,
+ ssuuddoo will connect to _l_o_c_a_l_h_o_s_t. Multiple UURRII lines are treated
+ identically to a UURRII line containing multiple entries. Only
+ systems using the OpenSSL libraries support the mixing of ldap://
+ and ldaps:// URIs. Both the Netscape-derived and Tivoli LDAP
+ libraries used on most commercial versions of Unix are only capable
+ of supporting one or the other.
+
+ UUSSEE__SSAASSLL _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o
+ Enable UUSSEE__SSAASSLL for LDAP servers that support SASL authentication.
+
+ RROOOOTTSSAASSLL__AAUUTTHH__IIDD _i_d_e_n_t_i_t_y
+ The SASL user name to use when RROOOOTTUUSSEE__SSAASSLL is enabled.
+
+ See the _l_d_a_p_._c_o_n_f entry in the _E_X_A_M_P_L_E_S section.
+
+ CCoonnffiigguurriinngg nnsssswwiittcchh..ccoonnff
+ Unless it is disabled at build time, ssuuddoo consults the Name Service
+ Switch file, _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f, to specify the _s_u_d_o_e_r_s search order.
+ Sudo looks for a line beginning with sudoers: and uses this to determine
+ the search order. Note that ssuuddoo does not stop searching after the first
+ match and later matches take precedence over earlier ones. The following
+ sources are recognized:
+
+ files read sudoers from _/_e_t_c_/_s_u_d_o_e_r_s
+ ldap read sudoers from LDAP
+
+ In addition, the entry [NOTFOUND=return] will short-circuit the search if
+ the user was not found in the preceding source.
+
+ To consult LDAP first followed by the local sudoers file (if it exists),
+ use:
+
+ sudoers: ldap files
+
+ The local _s_u_d_o_e_r_s file can be ignored completely by using:
+
+ sudoers: ldap
+
+ If the _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f file is not present or there is no sudoers
+ line, the following default is assumed:
+
+ sudoers: files
+
+ Note that _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f is supported even when the underlying
+ operating system does not use an nsswitch.conf file, except on AIX (see
+ below).
+
+ CCoonnffiigguurriinngg nneettssvvcc..ccoonnff
+ On AIX systems, the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is consulted instead of
+ _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f. ssuuddoo simply treats _n_e_t_s_v_c_._c_o_n_f as a variant of
+ _n_s_s_w_i_t_c_h_._c_o_n_f; information in the previous section unrelated to the file
+ format itself still applies.
+
+ To consult LDAP first followed by the local sudoers file (if it exists),
+ use:
+
+ sudoers = ldap, files
+
+ The local _s_u_d_o_e_r_s file can be ignored completely by using:
+
+ sudoers = ldap
+
+ To treat LDAP as authoritative and only use the local sudoers file if the
+ user is not present in LDAP, use:
+
+ sudoers = ldap = auth, files
+
+ Note that in the above example, the auth qualifier only affects user
+ lookups; both LDAP and _s_u_d_o_e_r_s will be queried for Defaults entries.
+
+ If the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is not present or there is no sudoers line,
+ the following default is assumed:
+
+ sudoers = files
+
+ IInntteeggrraattiioonn wwiitthh ssssssdd
+ On systems with the _S_y_s_t_e_m _S_e_c_u_r_i_t_y _S_e_r_v_i_c_e_s _D_a_e_m_o_n (SSSD) and where ssuuddoo
+ has been built with SSSD support, it is possible to use SSSD to cache
+ LDAP _s_u_d_o_e_r_s rules. To use SSSD as the _s_u_d_o_e_r_s source, you should use
+ sssd instead of ldap for the sudoers entry in _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f. Note
+ that the _/_e_t_c_/_l_d_a_p_._c_o_n_f file is not used by the SSSD ssuuddoo back end.
+ Please see sssd-sudo(4) for more information on configuring ssuuddoo to work
+ with SSSD.
+
+FFIILLEESS
+ _/_e_t_c_/_l_d_a_p_._c_o_n_f LDAP configuration file
+
+ _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f determines sudoers source order
+
+ _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f determines sudoers source order on AIX
+
+EEXXAAMMPPLLEESS
+ EExxaammppllee llddaapp..ccoonnff
+ # Either specify one or more URIs or one or more host:port pairs.
+ # If neither is specified sudo will default to localhost, port 389.
+ #
+ #host ldapserver
+ #host ldapserver1 ldapserver2:390
+ #
+ # Default port if host is specified without one, defaults to 389.
+ #port 389
+ #
+ # URI will override the host and port settings.
+ uri ldap://ldapserver
+ #uri ldaps://secureldapserver
+ #uri ldaps://secureldapserver ldap://ldapserver
+ #
+ # The amount of time, in seconds, to wait while trying to connect to
+ # an LDAP server.
+ bind_timelimit 30
+ #
+ # The amount of time, in seconds, to wait while performing an LDAP query.
+ timelimit 30
+ #
+ # Must be set or sudo will ignore LDAP; may be specified multiple times.
+ sudoers_base ou=SUDOers,dc=my-domain,dc=com
+ #
+ # verbose sudoers matching from ldap
+ #sudoers_debug 2
+ #
+ # Enable support for time-based entries in sudoers.
+ #sudoers_timed yes
+ #
+ # optional proxy credentials
+ #binddn <who to search as>
+ #bindpw <password>
+ #rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>
+ #
+ # LDAP protocol version, defaults to 3
+ #ldap_version 3
+ #
+ # Define if you want to use an encrypted LDAP connection.
+ # Typically, you must also set the port to 636 (ldaps).
+ #ssl on
+ #
+ # Define if you want to use port 389 and switch to
+ # encryption before the bind credentials are sent.
+ # Only supported by LDAP servers that support the start_tls
+ # extension such as OpenLDAP.
+ #ssl start_tls
+ #
+ # Additional TLS options follow that allow tweaking of the
+ # SSL/TLS connection.
+ #
+ #tls_checkpeer yes # verify server SSL certificate
+ #tls_checkpeer no # ignore server SSL certificate
+ #
+ # If you enable tls_checkpeer, specify either tls_cacertfile
+ # or tls_cacertdir. Only supported when using OpenLDAP.
+ #
+ #tls_cacertfile /etc/certs/trusted_signers.pem
+ #tls_cacertdir /etc/certs
+ #
+ # For systems that don't have /dev/random
+ # use this along with PRNGD or EGD.pl to seed the
+ # random number pool to generate cryptographic session keys.
+ # Only supported when using OpenLDAP.
+ #
+ #tls_randfile /etc/egd-pool
+ #
+ # You may restrict which ciphers are used. Consult your SSL
+ # documentation for which options go here.
+ # Only supported when using OpenLDAP.
+ #
+ #tls_ciphers <cipher-list>
+ #
+ # Sudo can provide a client certificate when communicating to
+ # the LDAP server.
+ # Tips:
+ # * Enable both lines at the same time.
+ # * Do not password protect the key file.
+ # * Ensure the keyfile is only readable by root.
+ #
+ # For OpenLDAP:
+ #tls_cert /etc/certs/client_cert.pem
+ #tls_key /etc/certs/client_key.pem
+ #
+ # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
+ # a directory, in which case the files in the directory must have the
+ # default names (e.g., cert8.db and key4.db), or the path to the cert
+ # and key files themselves. However, a bug in version 5.0 of the LDAP
+ # SDK will prevent specific file names from working. For this reason
+ # it is suggested that tls_cert and tls_key be set to a directory,
+ # not a file name.
+ #
+ # The certificate database specified by tls_cert may contain CA certs
+ # and/or the client's cert. If the client's cert is included, tls_key
+ # should be specified as well.
+ # For backward compatibility, "sslpath" may be used in place of tls_cert.
+ #tls_cert /var/ldap
+ #tls_key /var/ldap
+ #
+ # If using SASL authentication for LDAP (OpenSSL)
+ # use_sasl yes
+ # sasl_auth_id <SASL user name>
+ # rootuse_sasl yes
+ # rootsasl_auth_id <SASL user name for root access>
+ # sasl_secprops none
+ # krb5_ccname /etc/.ldapcache
+
+ SSuuddooeerrss sscchheemmaa ffoorr OOppeennLLDDAAPP
+ The following schema, in OpenLDAP format, is included with ssuuddoo source
+ and binary distributions as _s_c_h_e_m_a_._O_p_e_n_L_D_A_P. Simply copy it to the
+ schema directory (e.g., _/_e_t_c_/_o_p_e_n_l_d_a_p_/_s_c_h_e_m_a), add the proper include
+ line in _s_l_a_p_d_._c_o_n_f and restart ssllaappdd. Sites using the optional on-line
+ configuration supported by OpenLDAP 2.3 and higher should apply the
+ _s_c_h_e_m_a_._o_l_c_S_u_d_o file instead.
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.1
+ NAME 'sudoUser'
+ DESC 'User(s) who may run sudo'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.2
+ NAME 'sudoHost'
+ DESC 'Host(s) who may run sudo'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.3
+ NAME 'sudoCommand'
+ DESC 'Command(s) to be executed by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.4
+ NAME 'sudoRunAs'
+ DESC 'User(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.5
+ NAME 'sudoOption'
+ DESC 'Options(s) followed by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.6
+ NAME 'sudoRunAsUser'
+ DESC 'User(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.7
+ NAME 'sudoRunAsGroup'
+ DESC 'Group(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.8
+ NAME 'sudoNotBefore'
+ DESC 'Start of time interval for which the entry is valid'
+ EQUALITY generalizedTimeMatch
+ ORDERING generalizedTimeOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.9
+ NAME 'sudoNotAfter'
+ DESC 'End of time interval for which the entry is valid'
+ EQUALITY generalizedTimeMatch
+ ORDERING generalizedTimeOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.10
+ NAME 'sudoOrder'
+ DESC 'an integer to order the sudoRole entries'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+
+ objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
+ DESC 'Sudoer Entries'
+ MUST ( cn )
+ MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
+ sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
+ sudoOrder $ description )
+ )
+
+SSEEEE AALLSSOO
+ cvtsudoers(1), ldap.conf(4), sssd-sudo(4), sudo.conf(4), sudoers(4)
+
+AAUUTTHHOORRSS
+ Many people have worked on ssuuddoo over the years; this version consists of
+ code written primarily by:
+
+ Todd C. Miller
+
+ See the CONTRIBUTORS file in the ssuuddoo distribution
+ (https://www.sudo.ws/contributors.html) for an exhaustive list of people
+ who have contributed to ssuuddoo.
+
+CCAAVVEEAATTSS
+ Note that there are differences in the way that LDAP-based _s_u_d_o_e_r_s is
+ parsed compared to file-based _s_u_d_o_e_r_s. See the _D_i_f_f_e_r_e_n_c_e_s _b_e_t_w_e_e_n _L_D_A_P
+ _a_n_d _n_o_n_-_L_D_A_P _s_u_d_o_e_r_s section for more information.
+
+BBUUGGSS
+ If you feel you have found a bug in ssuuddoo, please submit a bug report at
+ https://bugzilla.sudo.ws/
+
+SSUUPPPPOORRTT
+ Limited free support is available via the sudo-users mailing list, see
+ https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
+ the archives.
+
+DDIISSCCLLAAIIMMEERR
+ ssuuddoo is provided "AS IS" and any express or implied warranties,
+ including, but not limited to, the implied warranties of merchantability
+ and fitness for a particular purpose are disclaimed. See the LICENSE
+ file distributed with ssuuddoo or https://www.sudo.ws/license.html for
+ complete details.
+
+Sudo 1.8.26 November 9, 2018 Sudo 1.8.26