Add an example cvtsudoers.conf file.

MANIFEST

@@ -76,6 +76,7 @@ etc/sudo-logsrvd.pp
 etc/sudo-python.pp
 etc/sudo.pp
 examples/Makefile.in
+examples/cvtsudoers.conf
 examples/pam.conf
 examples/sudo.conf.in
 examples/sudo_logsrvd.conf

examples/Makefile.in

@@ -1,7 +1,7 @@
 #
 # SPDX-License-Identifier: ISC
 #
-# Copyright (c) 2014, 2017-2020 Todd C. Miller <Todd.Miller@sudo.ws>
+# Copyright (c) 2014, 2017-2021 Todd C. Miller <Todd.Miller@sudo.ws>
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -54,8 +54,8 @@ SHELL = @SHELL@
 
 LOGSRVD_CONF = @LOGSRVD_CONF@
 
-EXAMPLES = $(srcdir)/pam.conf sudo.conf $(LOGSRVD_CONF) \
+EXAMPLES = $(srcdir)/cvtsudoers.conf $(srcdir)/pam.conf sudo.conf \
-	   $(srcdir)/sudoers $(srcdir)/syslog.conf
+	   $(LOGSRVD_CONF) $(srcdir)/sudoers $(srcdir)/syslog.conf
 
 VERSION = @PACKAGE_VERSION@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@

examples/cvtsudoers.conf

@@ -0,0 +1,82 @@
+#
+# Example /etc/cvtsudoers.conf file
+#
+# This file is optional and allows you to override the cvtsudoers
+# default values.
+#
+
+# Only convert Defaults entries of the specified types.
+# One or more Defaults types may be specified, separated by a comma (',').
+# The supported types are: all, global, user, runas, host, command.
+#defaults = all
+
+# Expand aliases in input_file.  Aliases are preserved by
+# default when the output format is JSON or sudoers.
+#expand_aliases = no
+
+# Use an alternate group file.  When "match_local" is also enabled, perform
+# group queries using the specified file instead of the system group database.
+#group_file = /etc/group
+
+# Default input format.  Only the sudoers and LDIF formats are supported.
+#input_format = sudoers
+
+# Only output rules that match the specified filter.  A filter expression
+# is made up of one or more key = value pairs, separated by a comma (',').
+# The key may be "cmnd" (or "cmd"), "host", "group", or "user".
+#match = user=www,group=wheel
+
+# Match locally.  If enabled, use password and group database information
+# when matching users and groups in the filter.  Only users and groups
+# in the filter that exist on the local system will match, and a user's
+# groups will automatically be added to the filter.  By default, users and
+# groups in the filter do not need to exist on the local system, but all
+# groups used for matching must be explicitly listed in the filter.
+#match_local = no
+
+# When generating LDIF output, increment each sudoOrder attribute by the
+# specified number.  Defaults to an increment of 1.
+#order_increment = 1
+
+# When generating LDIF output, use the number specified by "start_point"
+# in the sudoOrder attribute of the first sudoRole object.  Subsequent
+# sudoRole object use a sudoOrder value generated by adding the
+# increment set by "order_increment".  Defaults to a starting point
+# of 1.  A starting point of 0 will disable the generation of sudoOrder
+# attributes in the resulting LDIF file.
+#order_start = 1
+
+# Specify the default output format (case-insensitive).  The following
+# formats are supported: csv | json | ldif | sudoers.
+# Defaults to LDIF.
+#output_format = ldif
+
+# When generating LDIF output, construct the initial sudoOrder value
+# by concatenating order_start and increment, padding the increment
+# with zeros until it consists of padding digits.  For example, if
+# order_start is 1027, padding is 3, and increment is 1, the value
+# of sudoOrder for the first entry will be 1027000, followed by
+# 1027001, 1027002, etc.  If the number of sudoRole entries is larger
+# than the padding would allow, cvtsudoers will exit with an error.
+# By default, no padding is performed.
+#padding = 0
+
+# Use an alternate passwd file.  When "match_local" is also enabled, perform
+# passwd queries using the specified file instead of the system passwd database.
+#passwd_file = /etc/passwd
+
+# When "match_local" is also enabled, cvtsudoers will prune
+# out non-matching users, groups and hosts from matching entries.
+# Defaults to no.
+#prune_matches = no
+
+# The base DN (distinguished name) that will be used when performing LDAP
+# queries.  If this option is not specified, the value of the SUDOERS_BASE
+# environment variable will be used instead.
+#sudoers_base = ou=SUDOers,dc=my-domain,dc=com
+
+# Suppress the output of specific sections of the security policy.
+# One or more section names may be specified, separated by a comma (',').
+# The supported section name are: defaults, aliases and privileges
+# (which may be shortened to privs).
+#suppress = defaults,aliases,privs