Break schema out into separate files.
17
Makefile.in
17
Makefile.in
@@ -137,14 +137,15 @@ LIB_OBJS = @LIBOBJS@ @ALLOCA@
|
|||||||
VERSION = 1.7
|
VERSION = 1.7
|
||||||
|
|
||||||
DISTFILES = $(SRCS) $(HDRS) BUGS CHANGES HISTORY INSTALL INSTALL.configure \
|
DISTFILES = $(SRCS) $(HDRS) BUGS CHANGES HISTORY INSTALL INSTALL.configure \
|
||||||
LICENSE Makefile.in PORTING README README.LDAP TODO \
|
LICENSE Makefile.in PORTING README README.LDAP TODO \
|
||||||
TROUBLESHOOTING UPGRADE aclocal.m4 acsite.m4 aixcrypt.exp \
|
TROUBLESHOOTING UPGRADE aclocal.m4 acsite.m4 aixcrypt.exp \
|
||||||
config.guess config.h.in config.sub configure configure.in \
|
config.guess config.h.in config.sub configure configure.in \
|
||||||
def_data.in indent.pro install-sh ltmain.sh mkdefaults \
|
def_data.in indent.pro install-sh ltmain.sh mkdefaults \
|
||||||
mkinstalldirs pathnames.h.in sample.pam sample.syslog.conf \
|
mkinstalldirs pathnames.h.in sample.pam sample.syslog.conf \
|
||||||
sample.sudoers sudo.cat sudo.man.in sudo.pod sudo.psf sudoers \
|
sample.sudoers schema.OpenLDAP schema.iPlanet sudo.cat \
|
||||||
sudoers.cat sudoers.man.in sudoers.pod sudoers2ldif visudo.cat \
|
sudo.man.in sudo.pod sudo.psf sudoers sudoers.cat \
|
||||||
visudo.man.in visudo.pod auth/API
|
sudoers.man.in sudoers.pod sudoers2ldif visudo.cat \
|
||||||
|
visudo.man.in visudo.pod auth/API
|
||||||
|
|
||||||
BINFILES= BUGS CHANGES HISTORY LICENSE README TODO TROUBLESHOOTING \
|
BINFILES= BUGS CHANGES HISTORY LICENSE README TODO TROUBLESHOOTING \
|
||||||
UPGRADE install-sh mkinstalldirs sample.syslog.conf sample.sudoers \
|
UPGRADE install-sh mkinstalldirs sample.syslog.conf sample.sudoers \
|
||||||
|
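Review bot: schema.OpenLDAP and schema.iPlanet are added to DISTFILES but not to BINFILES, whose definition begins at the tail of this hunk and continues outside it. README.LDAP in this same commit stops embedding the schema text and instead tells the reader to copy schema.OpenLDAP or use schema.iPlanet, so if README.LDAP is shipped in the binary distribution (not visible from the hunk), that README would now reference files the binary tarball does not contain. If that is the case, append `schema.OpenLDAP schema.iPlanet \` on a BINFILES continuation line so both distributions carry the schema alongside the documentation that refers to it.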
84
README.LDAP
84
README.LDAP
@@ -94,19 +94,17 @@ Design Features
|
|||||||
Build instructions
|
Build instructions
|
||||||
==================
|
==================
|
||||||
The most simplest way to build sudo with LDAP support is to include the
|
The most simplest way to build sudo with LDAP support is to include the
|
||||||
'--with-ldap' option. I recommend including the '--with-pam' option on those
|
'--with-ldap' option.
|
||||||
system with PAM so that if you decide to use LDAP for authentication, you won't
|
|
||||||
need to recompile sudo.
|
|
||||||
|
|
||||||
$ ./configure --with-ldap --with-pam
|
$ ./configure --with-ldap
|
||||||
|
|
||||||
If your ldap libraries and headers are in a non standard place, you will need
|
If your ldap libraries and headers are in a non-standard place, you will need
|
||||||
to specify them at configure time.
|
to specify them at configure time. E.g.
|
||||||
|
|
||||||
$ ./configure --with-ldap=/usr/local/ldapsdk --with-pam
|
$ ./configure --with-ldap=/usr/local/ldapsdk
|
||||||
|
|
||||||
Sudo is tested against OpenLDAP's implementation. Other LDAP implementations
|
Sudo is developed using OpenLDAP. Other LDAP implementations may
|
||||||
may require adding '-lldif' to SUDO_LIBS in the Makefile.
|
require adding '-lldif' to SUDO_LIBS in the Makefile.
|
||||||
|
|
||||||
Your Mileage may vary. Please let Aaron Spangler <aaron@spangler.ods.org>
|
Your Mileage may vary. Please let Aaron Spangler <aaron@spangler.ods.org>
|
||||||
know what combinations worked best for your OS & LDAP Combinations so we can
|
know what combinations worked best for your OS & LDAP Combinations so we can
|
||||||
@@ -118,69 +116,15 @@ HP-UX 11.23 (gcc3) Galen Johnson <Galen.Johnson@sas.com>
|
|||||||
|
|
||||||
Schema Changes
|
Schema Changes
|
||||||
==============
|
==============
|
||||||
Add the following schema to your LDAP server so that it may contain sudoer
|
Add the appropriate schema to your LDAP server so that it may contain
|
||||||
content. In OpenLDAP, simply place this into a new file and 'include' it
|
sudoers content.
|
||||||
in your slapd.conf and restart slapd. For other LDAP servers, provide this
|
|
||||||
to your LDAP Administrator. Make sure to index the attribute 'sudoUser'.
|
|
||||||
|
|
||||||
|
|
||||||
#
|
|
||||||
# schema file for sudo
|
|
||||||
#
|
|
||||||
|
|
||||||
attributetype ( 1.3.6.1.4.1.15953.9.1.1
|
|
||||||
NAME 'sudoUser'
|
|
||||||
DESC 'User(s) who may run sudo'
|
|
||||||
EQUALITY caseExactIA5Match
|
|
||||||
SUBSTR caseExactIA5SubstringsMatch
|
|
||||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
|
||||||
|
|
||||||
attributetype ( 1.3.6.1.4.1.15953.9.1.2
|
|
||||||
NAME 'sudoHost'
|
|
||||||
DESC 'Host(s) who may run sudo'
|
|
||||||
EQUALITY caseExactIA5Match
|
|
||||||
SUBSTR caseExactIA5SubstringsMatch
|
|
||||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
|
||||||
|
|
||||||
attributetype ( 1.3.6.1.4.1.15953.9.1.3
|
|
||||||
NAME 'sudoCommand'
|
|
||||||
DESC 'Command(s) to be executed by sudo'
|
|
||||||
EQUALITY caseExactIA5Match
|
|
||||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
|
||||||
|
|
||||||
attributetype ( 1.3.6.1.4.1.15953.9.1.4
|
|
||||||
NAME 'sudoRunAs'
|
|
||||||
DESC 'User(s) impersonated by sudo'
|
|
||||||
EQUALITY caseExactIA5Match
|
|
||||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
|
||||||
|
|
||||||
attributetype ( 1.3.6.1.4.1.15953.9.1.5
|
|
||||||
NAME 'sudoOption'
|
|
||||||
DESC 'Options(s) followed by sudo'
|
|
||||||
EQUALITY caseExactIA5Match
|
|
||||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
|
||||||
|
|
||||||
objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
|
|
||||||
DESC 'Sudoer Entries'
|
|
||||||
MUST ( cn )
|
|
||||||
MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $
|
|
||||||
description )
|
|
||||||
)
|
|
||||||
|
|
||||||
#
|
|
||||||
# Same thing as above, but imports better into SunONE or iPlanet
|
|
||||||
# (remove any leading spaces and save to a seperate file)
|
|
||||||
#
|
|
||||||
|
|
||||||
dn: cn=schema
|
|
||||||
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
|
|
||||||
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
|
|
||||||
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
|
|
||||||
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
|
|
||||||
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
|
|
||||||
objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $ description ) X-ORIGIN 'SUDO' )
|
|
||||||
|
|
||||||
|
For OpenLDAP, simply copy schema.OpenLDAP to the schema directory
|
||||||
|
(e.g. /etc/openldap/schema) and 'include' it in your slapd.conf and
|
||||||
|
restart slapd. For other LDAP servers, provide this to your LDAP
|
||||||
|
Administrator. Make sure to index the attribute 'sudoUser'.
|
||||||
|
|
||||||
|
For the SunONE or iPlanet LDAP server, use the schema.iPlanet file.
|
||||||
|
|
||||||
Importing /etc/sudoers to LDAP
|
Importing /etc/sudoers to LDAP
|
||||||
==============================
|
==============================
|
||||||
|