diff --git a/Makefile.in b/Makefile.in index b176fec7b..b38f6393d 100644 --- a/Makefile.in +++ b/Makefile.in @@ -137,14 +137,15 @@ LIB_OBJS = @LIBOBJS@ @ALLOCA@ VERSION = 1.7 DISTFILES = $(SRCS) $(HDRS) BUGS CHANGES HISTORY INSTALL INSTALL.configure \ - LICENSE Makefile.in PORTING README README.LDAP TODO \ - TROUBLESHOOTING UPGRADE aclocal.m4 acsite.m4 aixcrypt.exp \ - config.guess config.h.in config.sub configure configure.in \ - def_data.in indent.pro install-sh ltmain.sh mkdefaults \ - mkinstalldirs pathnames.h.in sample.pam sample.syslog.conf \ - sample.sudoers sudo.cat sudo.man.in sudo.pod sudo.psf sudoers \ - sudoers.cat sudoers.man.in sudoers.pod sudoers2ldif visudo.cat \ - visudo.man.in visudo.pod auth/API + LICENSE Makefile.in PORTING README README.LDAP TODO \ + TROUBLESHOOTING UPGRADE aclocal.m4 acsite.m4 aixcrypt.exp \ + config.guess config.h.in config.sub configure configure.in \ + def_data.in indent.pro install-sh ltmain.sh mkdefaults \ + mkinstalldirs pathnames.h.in sample.pam sample.syslog.conf \ + sample.sudoers schema.OpenLDAP schema.iPlanet sudo.cat \ + sudo.man.in sudo.pod sudo.psf sudoers sudoers.cat \ + sudoers.man.in sudoers.pod sudoers2ldif visudo.cat \ + visudo.man.in visudo.pod auth/API BINFILES= BUGS CHANGES HISTORY LICENSE README TODO TROUBLESHOOTING \ UPGRADE install-sh mkinstalldirs sample.syslog.conf sample.sudoers \ diff --git a/README.LDAP b/README.LDAP index b88d9620b..aea3f1c1a 100644 --- a/README.LDAP +++ b/README.LDAP 
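Review bot: The new schema.OpenLDAP and schema.iPlanet entries are added only to DISTFILES, so they reach the source tarball but not BINFILES, the binary-distribution list whose first two continuation lines close this hunk (the rest of BINFILES and any install rule lie outside the hunk, so this may already be covered there). The README.LDAP hunk in this same change tells administrators to copy schema.OpenLDAP into the server's schema directory, which is exactly the situation a binary package serves; if BINFILES does not list them, add `schema.OpenLDAP schema.iPlanet` after `sample.sudoers` on the `UPGRADE install-sh mkinstalldirs sample.syslog.conf sample.sudoers \` continuation line. Shipping the canonical schema files in every distribution form also avoids the hand-transcription drift the removed README copy carried ('Options(s)', 'seperate'), so the attribute definitions an administrator loads match what the project ships.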
@@ -94,19 +94,17 @@ Design Features Build instructions ================== The most simplest way to build sudo with LDAP support is to include the -'--with-ldap' option. I recommend including the '--with-pam' option on those -system with PAM so that if you decide to use LDAP for authentication, you won't -need to recompile sudo. +'--with-ldap' option. - $ ./configure --with-ldap --with-pam + $ ./configure --with-ldap -If your ldap libraries and headers are in a non standard place, you will need -to specify them at configure time. +If your ldap libraries and headers are in a non-standard place, you will need +to specify them at configure time. E.g. - $ ./configure --with-ldap=/usr/local/ldapsdk --with-pam + $ ./configure --with-ldap=/usr/local/ldapsdk -Sudo is tested against OpenLDAP's implementation. Other LDAP implementations -may require adding '-lldif' to SUDO_LIBS in the Makefile. +Sudo is developed using OpenLDAP. Other LDAP implementations may +require adding '-lldif' to SUDO_LIBS in the Makefile. Your Mileage may vary. Please let Aaron Spangler know what combinations worked best for your OS & LDAP Combinations so we can 
@@ -118,69 +116,15 @@ HP-UX 11.23 (gcc3) Galen Johnson Schema Changes ============== -Add the following schema to your LDAP server so that it may contain sudoer -content. In OpenLDAP, simply place this into a new file and 'include' it -in your slapd.conf and restart slapd. For other LDAP servers, provide this -to your LDAP Administrator. Make sure to index the attribute 'sudoUser'. - - - # - # schema file for sudo - # - - attributetype ( 1.3.6.1.4.1.15953.9.1.1 - NAME 'sudoUser' - DESC 'User(s) who may run sudo' - EQUALITY caseExactIA5Match - SUBSTR caseExactIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - - attributetype ( 1.3.6.1.4.1.15953.9.1.2 - NAME 'sudoHost' - DESC 'Host(s) who may run sudo' - EQUALITY caseExactIA5Match - SUBSTR caseExactIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - - attributetype ( 1.3.6.1.4.1.15953.9.1.3 - NAME 'sudoCommand' - DESC 'Command(s) to be executed by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - - attributetype ( 1.3.6.1.4.1.15953.9.1.4 - NAME 'sudoRunAs' - DESC 'User(s) impersonated by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - - attributetype ( 1.3.6.1.4.1.15953.9.1.5 - NAME 'sudoOption' - DESC 'Options(s) followed by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - - objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL - DESC 'Sudoer Entries' - MUST ( cn ) - MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $ - description ) - ) - - # - # Same thing as above, but imports better into SunONE or iPlanet - # (remove any leading spaces and save to a seperate file) - # - - dn: cn=schema - attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' ) - attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may 
run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' ) - attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' ) - attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' ) - attributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' ) - objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $ description ) X-ORIGIN 'SUDO' ) +Add the appropriate schema to your LDAP server so that it may contain +sudoers content. +For OpenLDAP, simply copy schema.OpenLDAP to the schema directory +(e.g. /etc/openldap/schema) and 'include' it in your slapd.conf and +restart slapd. For other LDAP servers, provide this to your LDAP +Administrator. Make sure to index the attribute 'sudoUser'. +For the SunONE or iPlanet LDAP server, use the schema.iPlanet file. Importing /etc/sudoers to LDAP ==============================