Document negated sudoHost entries.

doc/sudoers.ldap.cat

@@ -80,7 +80,9 @@ DDEESSCCRRIIPPTTIIOONN
            with a `+').  The special value ALL will match any host.  Host
            netgroups are matched using the host (both qualified and
            unqualified) and domain members only; the user member is not used
-           when matching.
+           when matching.  If a sudoHost entry is preceded by an exclamation
+           point, `!', and the entry matches, the sudoRole in which it resides
+           will be ignored.
 
      ssuuddooCCoommmmaanndd
            A fully-qualified Unix command name with optional command line

doc/sudoers.ldap.man.in

@@ -167,6 +167,13 @@ The special value
 will match any host.
 Host netgroups are matched using the host (both qualified and unqualified)
 and domain members only; the user member is not used when matching.
+If a
+\fRsudoHost\fR
+entry is preceded by an exclamation point,
+\(oq\&!\(cq,
+and the entry matches, the
+\fRsudoRole\fR
+in which it resides will be ignored.
 .TP 6n
 \fBsudoCommand\fR
 A fully-qualified Unix command name with optional command line arguments,

doc/sudoers.ldap.mdoc.in

@@ -159,6 +159,13 @@ The special value
 will match any host.
 Host netgroups are matched using the host (both qualified and unqualified)
 and domain members only; the user member is not used when matching.
+If a
+.Li sudoHost
+entry is preceded by an exclamation point,
+.Ql \&! ,
+and the entry matches, the
+.Li sudoRole
+in which it resides will be ignored.
 .It Sy sudoCommand
 A fully-qualified Unix command name with optional command line arguments,
 potentially including globbing characters (aka wild cards).