Annotation of /rpms/sudo/sme9/sudo-1.7.4p5-sudo-ldap.conf

Revision 1.1
Thu Feb 4 19:44:02 2021 UTC (3 years, 4 months ago) by jpp
Branch: MAIN
CVS Tags: sudo-1_8_6p3-30_el6_sme, sudo-1_8_6p3-29_el6_9, HEAD
Sudo

## BINDDN DN
## The BINDDN parameter specifies the identity, in the form of a
## Distinguished Name (DN), to use when performing LDAP operations. If
## not specified, LDAP operations are performed with an anonymous
## identity. By default, most LDAP servers will allow anonymous
## access.
##
#binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com

## BINDPW secret
## The BINDPW parameter specifies the password to use when performing
## LDAP operations. This is typically used in conjunction with the
## BINDDN parameter.
##
#bindpw secret

## SSL start_tls
## If the SSL parameter is set to start_tls, the LDAP server
## connection is initiated normally and TLS encryption is begun before
## the bind credentials are sent. This has the advantage of not
## requiring a dedicated port for encrypted communications. This
## parameter is only supported by LDAP servers that honor the
## start_tls extension, such as the OpenLDAP and Tivoli Directory
## servers.
##
#ssl start_tls

## TLS_CACERTFILE file name
## The path to a certificate authority bundle which contains the
## certificates for all the Certificate Authorities the client knows
## to be valid, e.g. /etc/ssl/ca-bundle.pem. This option is only
## supported by the OpenLDAP libraries. Netscape-derived LDAP
## libraries use the same certificate database for CA and client
## certificates (see TLS_CERT).
##
#tls_cacertfile /path/to/CA.crt

## TLS_CHECKPEER on/true/yes/off/false/no
## If enabled, TLS_CHECKPEER will cause the LDAP server's TLS
## certificate to be verified. If the server's TLS certificate cannot
## be verified (usually because it is signed by an unknown certificate
## authority), sudo will be unable to connect to it. If TLS_CHECKPEER
## is disabled, no check is made. Note that disabling the check
## creates an opportunity for man-in-the-middle attacks since the
## server's identity will not be authenticated. If possible, the CA's
## certificate should be installed locally so it can be verified.
## This option is not supported by the Tivoli Directory Server LDAP
## libraries.
#tls_checkpeer yes

##
## URI ldap[s]://[hostname[:port]] ...
## Specifies a whitespace-delimited list of one or more
## URIs describing the LDAP server(s) to connect to.
##
#uri ldap://ldapserver

##
## SUDOERS_BASE base
## The base DN to use when performing sudo LDAP queries.
## Multiple SUDOERS_BASE lines may be specified, in which
## case they are queried in the order specified.
##
#sudoers_base ou=SUDOers,dc=example,dc=com

##
## BIND_TIMELIMIT seconds
## The BIND_TIMELIMIT parameter specifies the amount of
## time to wait while trying to connect to an LDAP server.
##
#bind_timelimit 30

##
## TIMELIMIT seconds
## The TIMELIMIT parameter specifies the amount of time
## to wait for a response to an LDAP query.
##
#timelimit 30

##
## SUDOERS_DEBUG debug_level
## This sets the debug level for sudo LDAP queries. Debugging
## information is printed to the standard error. A value of 1
## results in a moderate amount of debugging information.
## A value of 2 shows the results of the matches themselves.
##
#sudoers_debug 1
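
An added example, not part of this file or of the sudo package: a small audit that reads a sudo LDAP configuration and reports the combinations the comments above warn about (anonymous bind, a bind password without start_tls or ldaps://, disabled peer verification, TLS without a CA file). The check names and both sample configurations are constructed for illustration, and keyword matching is assumed to be case-insensitive.

```python
# Added example (not part of the sudo package). Sample configs are constructed.
# Assumption: keywords are case-insensitive and '#' begins a comment line.

def parse(text):
    """Map each active keyword to the list of values given for it."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        settings.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return settings

def audit(text):
    """Return (check_id, message) pairs for settings the comments warn about."""
    s = parse(text)
    last = lambda key: s[key][-1].strip().lower() if key in s else ""
    uris = " ".join(s.get("uri", [])).split()
    all_ldaps = bool(uris) and all(u.lower().startswith("ldaps://") for u in uris)
    encrypted = last("ssl") == "start_tls" or all_ldaps
    findings = []
    if "binddn" not in s:
        findings.append(("anonymous-bind", "no binddn: LDAP operations use an anonymous identity"))
    if "bindpw" in s and not encrypted:
        findings.append(("cleartext-bindpw", "bindpw set but neither ssl start_tls nor ldaps:// is used"))
    if last("tls_checkpeer") in ("off", "false", "no"):
        findings.append(("no-peer-check", "tls_checkpeer disabled: server identity is not authenticated"))
    if encrypted and "tls_cacertfile" not in s:
        findings.append(("no-ca-file", "TLS in use but no tls_cacertfile names the trusted CA bundle"))
    return findings

WEAK = """\
uri ldap://ldapserver
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
bindpw secret
tls_checkpeer no
"""

HARDENED = """\
uri ldap://ldapserver
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
bindpw secret
ssl start_tls
tls_cacertfile /path/to/CA.crt
tls_checkpeer yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "no findings")
```

A URI list that mixes ldap:// and ldaps:// entries is treated as unencrypted unless ssl start_tls is also set, since any ldap:// server in the list could receive the bind credentials.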
