Diffstat (limited to 'doc/sudoers.ldap.mdoc.in')
-rw-r--r-- doc/sudoers.ldap.mdoc.in 23
1 files changed, 14 insertions, 9 deletions
diff --git a/doc/sudoers.ldap.mdoc.in b/doc/sudoers.ldap.mdoc.in
index 70f70a19d..891e3e1f9 100644
--- a/doc/sudoers.ldap.mdoc.in
+++ b/doc/sudoers.ldap.mdoc.in
@@ -1,5 +1,5 @@
.\"
-.\" Copyright (c) 2003-2013 Todd C. Miller <Todd.Miller@courtesan.com>
+.\" Copyright (c) 2003-2014 Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd August 30, 2013
+.Dd February 7, 2014
.Dt SUDOERS.LDAP @mansectsu@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@@ -76,18 +76,18 @@ is no need for a specialized tool to check syntax.
Another major difference between LDAP and file-based
.Em sudoers
is that in LDAP,
-.Nm sudo Ns No -specific
+.Nm sudo Ns -specific
Aliases are not supported.
.Pp
For the most part, there is really no need for
-.Nm sudo Ns No -specific
+.Nm sudo Ns -specific
Aliases.
Unix groups, non-Unix groups (via the
.Em group_plugin )
or user netgroups can be used in place of User_Aliases and Runas_Aliases.
Host netgroups can be used in place of Host_Aliases.
Since groups and netgroups can also be stored in LDAP there is no real need for
-.Nm sudo Ns No -specific
+.Nm sudo Ns -specific
aliases.
.Pp
Cmnd_Aliases are not really required either since it is possible
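Review bot: in the three ".Nm sudo Ns -specific" lines, dropping "No" leaves the text after "Ns" with no explicit return to normal text, so the rendered page should be checked to confirm that "-specific" is not set in the "Nm" font; the same applies to the later "Ns 's" and "Ns s" changes. The unchanged context in this hunk also alternates between "Aliases" (twice) and "aliases" for the same term, and since these sentences are being touched anyway, one capitalization should be picked.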
@@ -421,7 +421,7 @@ sudoHost: !web01
.Ed
.Ss Sudoers schema
In order to use
-.Nm sudo Ns No 's
+.Nm sudo Ns 's
LDAP support, the
.Nm sudo
schema must be
@@ -451,7 +451,7 @@ Sudo reads the
file for LDAP-specific configuration.
Typically, this file is shared between different LDAP-aware clients.
As such, most of the settings are not
-.Nm sudo Ns No -specific.
+.Nm sudo Ns -specific.
Note that
.Nm sudo
parses
@@ -564,9 +564,9 @@ The
parameter specifies the amount of time, in seconds, to wait while trying
to connect to an LDAP server.
If multiple
-.Sy URI Ns No s
+.Sy URI Ns s
or
-.Sy HOST Ns No s
+.Sy HOST Ns s
are specified, this is the amount of time to wait before trying
the next one in the list.
.It Sy NETWORK_TIMEOUT Ar seconds
@@ -604,6 +604,11 @@ form
.Li attribute=value
or
.Li (&(attribute=value)(attribute2=value2)) .
+The default search filter is:
+.Li objectClass=sudoRole .
+If
+.Ar ldap_filter
+is omitted, no search filter will be used.
.It Sy SUDOERS_TIMED Ar on/true/yes/off/false/no
Whether or not to evaluate the
.Li sudoNotBefore
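Review bot: the sentences added after ".Li (&(attribute=value)(attribute2=value2)) ." read as contradictory: the first gives "objectClass=sudoRole" as the default search filter, the second says that omitting "ldap_filter" means no search filter is used. The text should say explicitly which case is which, for example that the default applies when the parameter is not set at all and that no filter is used only when the parameter is given with an empty "ldap_filter", if that is the intended behaviour. Running with no filter removes the objectClass restriction on what the search can match, so a sentence on when that is appropriate would help administrators; the colon in "The default search filter is:" ahead of the ".Li" line can also be dropped.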