| 1 |
## BINDDN DN |
| 2 |
## The BINDDN parameter specifies the identity, in the form of a Dis‐ |
| 3 |
## tinguished Name (DN), to use when performing LDAP operations. If |
| 4 |
## not specified, LDAP operations are performed with an anonymous |
| 5 |
## identity. By default, most LDAP servers will allow anonymous |
| 6 |
## access. |
| 7 |
## |
| 8 |
#binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com |
| 9 |
|
| 10 |
## BINDPW secret |
| 11 |
## The BINDPW parameter specifies the password to use when performing |
| 12 |
## LDAP operations. This is typically used in conjunction with the |
| 13 |
## BINDDN parameter. |
| 14 |
## |
| 15 |
#bindpw secret |
| 16 |
|
| 17 |
## SSL start_tls |
| 18 |
## If the SSL parameter is set to start_tls, the LDAP server connec‐ |
| 19 |
## tion is initiated normally and TLS encryption is begun before the |
| 20 |
## bind credentials are sent. This has the advantage of not requiring |
| 21 |
## a dedicated port for encrypted communications. This parameter is |
| 22 |
## only supported by LDAP servers that honor the start_tls extension, |
| 23 |
## such as the OpenLDAP and Tivoli Directory servers. |
| 24 |
## |
| 25 |
#ssl start_tls |
| 26 |
|
| 27 |
## TLS_CACERTFILE file name |
| 28 |
## The path to a certificate authority bundle which contains the cer‐ |
| 29 |
## tificates for all the Certificate Authorities the client knows to |
| 30 |
## be valid, e.g. /etc/ssl/ca-bundle.pem. This option is only sup‐ |
| 31 |
## ported by the OpenLDAP libraries. Netscape-derived LDAP libraries |
| 32 |
## use the same certificate database for CA and client certificates |
| 33 |
## (see TLS_CERT). |
| 34 |
## |
| 35 |
#tls_cacertfile /path/to/CA.crt |
| 36 |
|
| 37 |
## TLS_CHECKPEER on/true/yes/off/false/no |
| 38 |
## If enabled, TLS_CHECKPEER will cause the LDAP server's TLS certifi‐ |
| 39 |
## cated to be verified. If the server's TLS certificate cannot be |
| 40 |
## verified (usually because it is signed by an unknown certificate |
| 41 |
## authority), sudo will be unable to connect to it. If TLS_CHECKPEER |
| 42 |
## is disabled, no check is made. Note that disabling the check cre‐ |
| 43 |
## ates an opportunity for man-in-the-middle attacks since the |
| 44 |
## server's identity will not be authenticated. If possible, the CA's |
| 45 |
## certificate should be installed locally so it can be verified. |
| 46 |
## This option is not supported by the Tivoli Directory Server LDAP |
| 47 |
## libraries. |
| 48 |
#tls_checkpeer yes |
| 49 |
|
| 50 |
## |
| 51 |
## URI ldap[s]://[hostname[:port]] ... |
| 52 |
## Specifies a whitespace-delimited list of one or more |
| 53 |
## URIs describing the LDAP server(s) to connect to. |
| 54 |
## |
| 55 |
#uri ldap://ldapserver |
| 56 |
|
| 57 |
## |
| 58 |
## SUDOERS_BASE base |
| 59 |
## The base DN to use when performing sudo LDAP queries. |
| 60 |
## Multiple SUDOERS_BASE lines may be specified, in which |
| 61 |
## case they are queried in the order specified. |
| 62 |
## |
| 63 |
#sudoers_base ou=SUDOers,dc=example,dc=com |
| 64 |
|
| 65 |
## |
| 66 |
## BIND_TIMELIMIT seconds |
| 67 |
## The BIND_TIMELIMIT parameter specifies the amount of |
| 68 |
## time to wait while trying to connect to an LDAP server. |
| 69 |
## |
| 70 |
#bind_timelimit 30 |
| 71 |
|
| 72 |
## |
| 73 |
## TIMELIMIT seconds |
| 74 |
## The TIMELIMIT parameter specifies the amount of time |
| 75 |
## to wait for a response to an LDAP query. |
| 76 |
## |
| 77 |
#timelimit 30 |
| 78 |
|
| 79 |
## |
| 80 |
## SUDOERS_DEBUG debug_level |
| 81 |
## This sets the debug level for sudo LDAP queries. Debugging |
| 82 |
## information is printed to the standard error. A value of 1 |
| 83 |
## results in a moderate amount of debugging information. |
| 84 |
## A value of 2 shows the results of the matches themselves. |
| 85 |
## |
| 86 |
#sudoers_debug 1 |
Parent Directory
| 
Revision Log
| 
Revision Graph
