
.\" Copyright (c) 2003-2008
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $Sudo$
.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sh \" Subsection heading
.br
.if t .Sp
.ne 5
.PP
\fB\\$1\fR
.PP
..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. | will give a
.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to
.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C'
.\" expand to `' in nroff, nothing in troff, for use with C<>.
.tr \(*W-|\(bv\*(Tr
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C`
. ds C'
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
'br\}
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. nr % 0
. rr F
.\}
.\"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.hy 0
.if n .na
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SUDOERS.LDAP @mansectform@"
.TH SUDOERS.LDAP @mansectform@ "January 19, 2008" "1.7" "MAINTENANCE COMMANDS"
.SH "NAME"
sudoers.ldap \- sudo LDAP configuration
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
In addition to the standard \fIsudoers\fR file, \fBsudo\fR may be configured
via \s-1LDAP\s0. This can be especially useful for synchronizing \fIsudoers\fR
in a large, distributed environment.
.PP
Using \s-1LDAP\s0 for \fIsudoers\fR has several benefits:
.IP "\(bu" 4
\&\fBsudo\fR no longer needs to read \fIsudoers\fR in its entirety. Parsing
of \fI/etc/sudoers\fR requires the entire file to be read. When \s-1LDAP\s0
is used, there are only two or three \s-1LDAP\s0 queries per invocation.
This makes it especially fast and particularly usable in \s-1LDAP\s0
environments. The first query is to parse global options (see
below). The second is to match against the user's name and the
groups that the user belongs to. (The special \s-1ALL\s0 tag is matched
in this query too.) If no match is returned for the user's name
and groups, a third query returns all entries that contain user netgroups
and checks to see if the user belongs to any of them.
.IP "\(bu" 4
\&\fBsudo\fR no longer exits if there is a typo in \fIsudoers\fR.
It is not possible to load \s-1LDAP\s0 data into the server that does
not conform to the sudoers schema, so proper syntax is guaranteed.
It is still possible to have typos in a user or host name, but
this will not prevent \fBsudo\fR from running.
.IP "\(bu" 4
Options inside of entries now override global default options.
\&\fI/etc/sudoers\fR only supports default options and limited options
associated with user/host/commands and aliases. The syntax is
complicated and can be difficult for users to understand.
.Sp
Sudo first looks for an entry called \f(CW\*(C`cn=default\*(C'\fR in the \f(CW\*(C`SUDOers\*(C'\fR
container. If found, the multi-valued \f(CW\*(C`sudoOption\*(C'\fR attribute is
parsed the same way the global \f(CW\*(C`Defaults\*(C'\fR line in \fI/etc/sudoers\fR
is parsed.
.Sp
If, on the second or third query, a response contains a sudoRole
which matches against the user, host, and command, then the matched
object is scanned for additional options that override the top-level
defaults. See the example \s-1LDAP\s0 content below for more information.
.IP "\(bu" 4
\&\fBvisudo\fR is no longer needed. \fBvisudo\fR provides locking and
syntax checking of the \fI/etc/sudoers\fR file. Since \s-1LDAP\s0 updates
are atomic, locking is no longer necessary. Because syntax is
checked when the data is inserted into \s-1LDAP\s0, there is no need
for a specialized tool to check syntax.
.IP "\(bu" 4
Aliases are no longer needed. User, Host, and Cmnd Aliases were
designed to simplify organization of \fIsudoers\fR files and to
improve readability. Since an \s-1LDAP\s0 \fIsudoers\fR entry allows multiple
values for each of its attributes, and since most \s-1LDAP\s0 browsers are
graphical and easy to work with, these aliases are no longer
needed.
.Sp
If you wish to specify a large number of users in an entry or
wish to have similar entries with identical users, then either use
groups or user netgroups. Alternately, they can all just be pasted
into the \s-1LDAP\s0 record.
.Sp
If you need to specify a large number of hosts in an entry, use
netgroups or \s-1IP\s0 address matches (10.2.3.4/255.255.0.0). Alternately,
they can all just be pasted into the \s-1LDAP\s0 record.
.Sh "Differences between \s-1LDAP\s0 and non-LDAP sudoers"
.IX Subsection "Differences between LDAP and non-LDAP sudoers"
There are some subtle differences in the way sudoers is handled
once in \s-1LDAP\s0. Probably the biggest is that according to the \s-1RFC\s0,
\&\s-1LDAP\s0's ordering is arbitrary and you cannot expect that Attributes
and Entries are returned in any order. If there are conflicting
command rules on an entry, the negative takes precedence. This is
called paranoid behavior (not necessarily the most specific match).
.PP
Here is an example:
.PP
.Vb 5
\& # /etc/sudoers:
\& # Allow all commands except shell
\& johnny ALL=(root) ALL,!/bin/sh
\& # Always allows all commands because ALL is matched last
\& puddles ALL=(root) !/bin/sh,ALL
.Ve
.PP
.Vb 10
\& # LDAP equivalent of Johnny
\& # Allows all commands except shell
\& dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
\& objectClass: sudoRole
\& objectClass: top
\& cn: role1
\& sudoUser: johnny
\& sudoHost: ALL
\& sudoCommand: ALL
\& sudoCommand: !/bin/sh
.Ve
.PP
.Vb 11
\& # LDAP equivalent of Puddles
\& # Notice that even though ALL comes last, it still behaves like
\& # role1 since the LDAP code assumes the more paranoid configuration
\& dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
\& objectClass: sudoRole
\& objectClass: top
\& cn: role2
\& sudoUser: puddles
\& sudoHost: ALL
\& sudoCommand: !/bin/sh
\& sudoCommand: ALL
.Ve
.PP
Another difference is that negations on the Host, User or Runas are
currently ignored. For example, the following attributes do not
do what they might appear to do.
.PP
.Vb 3
\& # does not match all but joe
\& # rather, does not match anyone
\& sudoUser: !joe
.Ve
.PP
.Vb 4
\& # does not match all but joe
\& # rather, matches everyone including Joe
\& sudoUser: ALL
\& sudoUser: !joe
.Ve
.PP
.Vb 4
\& # does not match all but web01
\& # rather, matches all hosts including web01
\& sudoHost: ALL
\& sudoHost: !web01
.Ve
.Sh "Description of sudoRole"
.IX Subsection "Description of sudoRole"
The equivalent of a sudoer in \s-1LDAP\s0 is a 'sudoRole'. It contains
sudoUser(s), sudoHost, sudoCommand and optional sudoOption(s),
sudoRunAsUser(s) and sudoRunAsGroup(s).
.PP
The following example allows users in group wheel to run any command
on any host via \fBsudo\fR:
.PP
.Vb 7
\& dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
\& objectClass: top
\& objectClass: sudoRole
\& cn: %wheel
\& sudoUser: %wheel
\& sudoHost: ALL
\& sudoCommand: ALL
.Ve
.Sh "Sudoers Schema"
.IX Subsection "Sudoers Schema"
In order to use \fBsudo\fR's \s-1LDAP\s0 support the \fBsudo\fR schema must be
installed on your \s-1LDAP\s0 server. In addition, be sure to index the
attribute 'sudoUser'.
.PP
Two versions of the schema, one for OpenLDAP servers and another
for netscape-derived servers, may also be found in the \fBsudo\fR
distribution. The schema for \fBsudo\fR in OpenLDAP form appears
below.
.PP
.Vb 6
\& attributetype ( 1.3.6.1.4.1.15953.9.1.1
\& NAME 'sudoUser'
\& DESC 'User(s) who may run sudo'
\& EQUALITY caseExactIA5Match
\& SUBSTR caseExactIA5SubstringsMatch
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
.Ve
.PP
.Vb 6
\& attributetype ( 1.3.6.1.4.1.15953.9.1.2
\& NAME 'sudoHost'
\& DESC 'Host(s) who may run sudo'
\& EQUALITY caseExactIA5Match
\& SUBSTR caseExactIA5SubstringsMatch
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
.Ve
.PP
.Vb 5
\& attributetype ( 1.3.6.1.4.1.15953.9.1.3
\& NAME 'sudoCommand'
\& DESC 'Command(s) to be executed by sudo'
\& EQUALITY caseExactIA5Match
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
.Ve
.PP
.Vb 5
\& attributetype ( 1.3.6.1.4.1.15953.9.1.4
\& NAME 'sudoRunAs'
\& DESC 'User(s) impersonated by sudo'
\& EQUALITY caseExactIA5Match
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
.Ve
.PP
.Vb 5
\& attributetype ( 1.3.6.1.4.1.15953.9.1.5
\& NAME 'sudoOption'
\& DESC 'Options(s) followed by sudo'
\& EQUALITY caseExactIA5Match
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
.Ve
.PP
.Vb 5
\& attributetype ( 1.3.6.1.4.1.15953.9.1.6
\& NAME 'sudoRunAsUser'
\& DESC 'User(s) impersonated by sudo'
\& EQUALITY caseExactIA5Match
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
.Ve
.PP
.Vb 5
\& attributetype ( 1.3.6.1.4.1.15953.9.1.7
\& NAME 'sudoRunAsGroup'
\& DESC 'Group(s) impersonated by sudo'
\& EQUALITY caseExactIA5Match
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
.Ve
.PP
.Vb 6
\& objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
\& DESC 'Sudoer Entries'
\& MUST ( cn )
\& MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
\& sudoRunAsGroup $ sudoOption $ description )
\& )
.Ve
.Sh "Configuring ldap.conf"
.IX Subsection "Configuring ldap.conf"
Sudo reads the \fI/etc/ldap.conf\fR file for LDAP-specific configuration.
Typically, this file is shared amongst different LDAP-aware clients.
As such, most of the settings are not \fBsudo\fR\-specific. Note that
\&\fBsudo\fR parses \fI/etc/ldap.conf\fR itself and may support options
that differ from those described in the \fIldap.conf\fR\|(4) manual.
.PP
Also note that on systems using the OpenLDAP libraries, default
values specified in \fI/etc/openldap/ldap.conf\fR or the user's
\&\fI.ldaprc\fR files are not used.
.PP
Only those options explicitly listed in \fI/etc/ldap.conf\fR that are
supported by \fBsudo\fR are honored. Configuration options are listed
below in upper case but are parsed in a case-independent manner.
.IP "\s-1URI\s0 ldap[s]://[hostname[:port]] ..." 4
.IX Item "URI ldap[s]://[hostname[:port]] ..."
Specifies a whitespace-delimited list of one or more URIs describing
the \s-1LDAP\s0 server(s) to connect to. The \fIprotocol\fR may be either \fBldap\fR
or \fBldaps\fR, the latter being for servers that support \s-1TLS\s0 (\s-1SSL\s0)
encryption. If no \fIport\fR is specified, the default is port 389 for
\&\f(CW\*(C`ldap://\*(C'\fR or port 636 for \f(CW\*(C`ldaps://\*(C'\fR. If no \fIhostname\fR is specified,
\&\fBsudo\fR will connect to \fBlocalhost\fR. Only systems using the OpenSSL
libraries support the mixing of \f(CW\*(C`ldap://\*(C'\fR and \f(CW\*(C`ldaps://\*(C'\fR URIs.
The netscape-derived libraries used on most commercial versions of
Unix are only capable of supporting one or the other.
.IP "\s-1HOST\s0 name[:port] ..." 4
.IX Item "HOST name[:port] ..."
If no \fB\s-1URI\s0\fR is specified, the \fB\s-1HOST\s0\fR parameter specifies a
whitespace-delimited list of \s-1LDAP\s0 servers to connect to. Each host
may include an optional \fIport\fR separated by a colon (':'). The
\&\fB\s-1HOST\s0\fR parameter is deprecated in favor of the \fB\s-1URI\s0\fR specification
and is included for backwards compatibility.
.IP "\s-1PORT\s0 port_number" 4
.IX Item "PORT port_number"
If no \fB\s-1URI\s0\fR is specified, the \fB\s-1PORT\s0\fR parameter specifies the
default port to connect to on the \s-1LDAP\s0 server if a \fB\s-1HOST\s0\fR parameter
does not specify the port itself. If no \fB\s-1PORT\s0\fR parameter is used,
the default is port 389 for \s-1LDAP\s0 and port 636 for \s-1LDAP\s0 over \s-1TLS\s0
(\s-1SSL\s0). The \fB\s-1PORT\s0\fR parameter is deprecated in favor of the \fB\s-1URI\s0\fR
specification and is included for backwards compatibility.
.IP "\s-1BIND_TIMELIMIT\s0 seconds" 4
.IX Item "BIND_TIMELIMIT seconds"
The \fB\s-1BIND_TIMELIMIT\s0\fR parameter specifies the amount of time, in seconds,
to wait while trying to connect to an \s-1LDAP\s0 server. If multiple \fB\s-1URI\s0\fRs or
\&\fB\s-1HOST\s0\fRs are specified, this is the amount of time to wait before trying
the next one in the list.
.IP "\s-1SUDOERS_BASE\s0 base" 4
.IX Item "SUDOERS_BASE base"
The base \s-1DN\s0 to use when performing \fBsudo\fR \s-1LDAP\s0 lookups. Typically
this is of the form \f(CW\*(C`ou=SUDOers,dc=example,dc=com\*(C'\fR for the domain
\&\f(CW\*(C`example.com\*(C'\fR.
.IP "\s-1SUDOERS_DEBUG\s0 debug_level" 4
.IX Item "SUDOERS_DEBUG debug_level"
This sets the debug level for \fBsudo\fR \s-1LDAP\s0 lookups. Debugging
information is printed to the standard error. A value of 1 results
in a moderate amount of debugging information. A value of 2 shows
the results of the matches themselves. This parameter should not
be set in a production environment as the extra information is
likely to confuse users.
.IP "\s-1BINDDN\s0 \s-1DN\s0" 4
.IX Item "BINDDN DN"
The \fB\s-1BINDDN\s0\fR parameter specifies the identity, in the form of a
Distinguished Name (\s-1DN\s0), to use when performing \s-1LDAP\s0 operations.
If not specified, \s-1LDAP\s0 operations are performed with an anonymous
identity. By default, most \s-1LDAP\s0 servers will allow anonymous access.
.IP "\s-1BINDPW\s0 secret" 4
.IX Item "BINDPW secret"
The \fB\s-1BINDPW\s0\fR parameter specifies the password to use when performing
\&\s-1LDAP\s0 operations. This is typically used in conjunction with the
\&\fB\s-1BINDDN\s0\fR parameter.
.IP "\s-1ROOTBINDDN\s0 \s-1DN\s0" 4
.IX Item "ROOTBINDDN DN"
The \fB\s-1ROOTBINDDN\s0\fR parameter specifies the identity, in the form of
a Distinguished Name (\s-1DN\s0), to use when performing privileged \s-1LDAP\s0
operations, such as \fIsudoers\fR lookups. The password corresponding
to the identity should be stored in \fI/etc/ldap.passwd\fR.
If not specified, the \fB\s-1BINDDN\s0\fR identity is used (if any).
.IP "\s-1LDAP_VERSION\s0 number" 4
.IX Item "LDAP_VERSION number"
The version of the \s-1LDAP\s0 protocol to use when connecting to the server.
The default value is protocol version 3.
.IP "\s-1SSL\s0 on/true/yes/off/false/no" 4
.IX Item "SSL on/true/yes/off/false/no"
If the \fB\s-1SSL\s0\fR parameter is set to \f(CW\*(C`on\*(C'\fR, \f(CW\*(C`true\*(C'\fR or \f(CW\*(C`yes\*(C'\fR, \s-1TLS\s0
(\s-1SSL\s0) encryption is always used when communicating with the \s-1LDAP\s0
server. Typically, this involves connecting to the server on port
636 (ldaps).
.IP "\s-1SSL\s0 start_tls" 4
.IX Item "SSL start_tls"
If the \fB\s-1SSL\s0\fR parameter is set to \f(CW\*(C`start_tls\*(C'\fR, the \s-1LDAP\s0 server
connection is initiated normally and \s-1TLS\s0 encryption is begun before
the bind credentials are sent. This has the advantage of not
requiring a dedicated port for encrypted communications. This
parameter is only supported by \s-1LDAP\s0 servers that honor the \f(CW\*(C`start_tls\*(C'\fR
extension, such as the OpenLDAP server.
.IP "\s-1TLS_CHECKPEER\s0 on/true/yes/off/false/no" 4
.IX Item "TLS_CHECKPEER on/true/yes/off/false/no"
If enabled, \fB\s-1TLS_CHECKPEER\s0\fR will cause the \s-1LDAP\s0 server's \s-1TLS\s0
certificate to be verified. If the server's \s-1TLS\s0 certificate cannot
be verified (usually because it is signed by an unknown certificate
authority), \fBsudo\fR will be unable to connect to it. If \fB\s-1TLS_CHECKPEER\s0\fR
is disabled, no such check is made.
.IP "\s-1TLS_CACERTFILE\s0" 4
.IX Item "TLS_CACERTFILE"
.PD 0
.IP "\s-1TLS_CACERTDIR\s0" 4
.IX Item "TLS_CACERTDIR"
.IP "\s-1TLS_RANDFILE\s0" 4
.IX Item "TLS_RANDFILE"
.IP "\s-1TLS_CIPHERS\s0" 4
.IX Item "TLS_CIPHERS"
.IP "\s-1TLS_CERT\s0" 4
.IX Item "TLS_CERT"
.IP "\s-1TLS_KEY\s0" 4
.IX Item "TLS_KEY"
.IP "\s-1USE_SASL\s0" 4
.IX Item "USE_SASL"
.IP "\s-1SASL_AUTH_ID\s0" 4
.IX Item "SASL_AUTH_ID"
.IP "\s-1ROOTUSE_SASL\s0" 4
.IX Item "ROOTUSE_SASL"
.IP "\s-1ROOTSASL_AUTH_ID\s0" 4
.IX Item "ROOTSASL_AUTH_ID"
.IP "\s-1SASL_SECPROPS\s0" 4
.IX Item "SASL_SECPROPS"
.IP "\s-1KRB5_CCNAME\s0" 4
.IX Item "KRB5_CCNAME"
.PD
.Sh "Configuring nsswitch.conf"
.IX Subsection "Configuring nsswitch.conf"
Sudo consults the Name Service Switch file, \fI/etc/nsswitch.conf\fR,
to specify the \fIsudoers\fR search order. Sudo looks for a line
beginning with \f(CW\*(C`sudoers:\*(C'\fR and uses this to determine the search
order. Note that \fBsudo\fR does not stop searching after the first
match and later matches take precedence over earlier ones.
.PP
The following sources are recognized:
.IP "files" 8
read sudoers from a file (usually \fI/etc/sudoers\fR)
.IP "ldap" 8
read sudoers from \s-1LDAP\s0
.PP
In addition, the entry \f(CW\*(C`[NOTFOUND=return]\*(C'\fR will short-circuit the
search if the user was not found in the preceding source.
.PP
To consult \s-1LDAP\s0 first followed by the local sudoers file (if it
exists), use:
.PP
.Vb 1
\& sudoers: ldap files
.Ve
.PP
The local \fIsudoers\fR file can be ignored completely by using:
.PP
.Vb 1
\& sudoers: ldap
.Ve
.PP
If the \fI/etc/nsswitch.conf\fR file is not present or there is no
sudoers line, the following default is assumed:
.PP
.Vb 1
\& sudoers: files
.Ve
.SH "FILES"
.IX Header "FILES"
.IP "\fI/etc/ldap.conf\fR" 24
.IX Item "/etc/ldap.conf"
\&\s-1LDAP\s0 configuration file
.IP "\fI/etc/nsswitch.conf\fR" 24
.IX Item "/etc/nsswitch.conf"
determines sudoers source order
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Example entries
.PP
Example ldap.conf
.PP
Debugging info
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIldap.conf\fR\|(4), \fIsudoers\fR\|(4)
.SH "CAVEATS"
.IX Header "CAVEATS"
parsing differences between \s-1LDAP\s0 and file sudoers
.SH "BUGS"
.IX Header "BUGS"
If you feel you have found a bug in \fBsudo\fR, please submit a bug report
at http://www.sudo.ws/sudo/bugs/
.SH "SUPPORT"
.IX Header "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
search the archives.
.SH "DISCLAIMER"
.IX Header "DISCLAIMER"
\&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
including, but not limited to, the implied warranties of merchantability
and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0
file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
for complete details.