| 3 |
- |
1 |
## BINDDN DN
|
|
|
2 |
## The BINDDN parameter specifies the identity, in the form of a Dis‐
|
|
|
3 |
## tinguished Name (DN), to use when performing LDAP operations. If
|
|
|
4 |
## not specified, LDAP operations are performed with an anonymous
|
|
|
5 |
## identity. By default, most LDAP servers will allow anonymous
|
|
|
6 |
## access.
|
|
|
7 |
##
|
|
|
8 |
#binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
|
|
|
9 |
|
|
|
10 |
## BINDPW secret
|
|
|
11 |
## The BINDPW parameter specifies the password to use when performing
|
|
|
12 |
## LDAP operations. This is typically used in conjunction with the
|
|
|
13 |
## BINDDN parameter.
|
|
|
14 |
##
|
|
|
15 |
#bindpw secret
|
|
|
16 |
|
|
|
17 |
## SSL start_tls
|
|
|
18 |
## If the SSL parameter is set to start_tls, the LDAP server connec‐
|
|
|
19 |
## tion is initiated normally and TLS encryption is begun before the
|
|
|
20 |
## bind credentials are sent. This has the advantage of not requiring
|
|
|
21 |
## a dedicated port for encrypted communications. This parameter is
|
|
|
22 |
## only supported by LDAP servers that honor the start_tls extension,
|
|
|
23 |
## such as the OpenLDAP and Tivoli Directory servers.
|
|
|
24 |
##
|
|
|
25 |
#ssl start_tls
|
|
|
26 |
|
|
|
27 |
## TLS_CACERTFILE file name
|
|
|
28 |
## The path to a certificate authority bundle which contains the cer‐
|
|
|
29 |
## tificates for all the Certificate Authorities the client knows to
|
|
|
30 |
## be valid, e.g. /etc/ssl/ca-bundle.pem. This option is only sup‐
|
|
|
31 |
## ported by the OpenLDAP libraries. Netscape-derived LDAP libraries
|
|
|
32 |
## use the same certificate database for CA and client certificates
|
|
|
33 |
## (see TLS_CERT).
|
|
|
34 |
##
|
|
|
35 |
#tls_cacertfile /path/to/CA.crt
|
|
|
36 |
|
|
|
37 |
## TLS_CHECKPEER on/true/yes/off/false/no
|
|
|
38 |
## If enabled, TLS_CHECKPEER will cause the LDAP server's TLS certifi‐
|
|
|
39 |
## cated to be verified. If the server's TLS certificate cannot be
|
|
|
40 |
## verified (usually because it is signed by an unknown certificate
|
|
|
41 |
## authority), sudo will be unable to connect to it. If TLS_CHECKPEER
|
|
|
42 |
## is disabled, no check is made. Note that disabling the check cre‐
|
|
|
43 |
## ates an opportunity for man-in-the-middle attacks since the
|
|
|
44 |
## server's identity will not be authenticated. If possible, the CA's
|
|
|
45 |
## certificate should be installed locally so it can be verified.
|
|
|
46 |
## This option is not supported by the Tivoli Directory Server LDAP
|
|
|
47 |
## libraries.
|
|
|
48 |
#tls_checkpeer yes
|
|
|
49 |
|
|
|
50 |
##
|
|
|
51 |
## URI ldap[s]://[hostname[:port]] ...
|
|
|
52 |
## Specifies a whitespace-delimited list of one or more
|
|
|
53 |
## URIs describing the LDAP server(s) to connect to.
|
|
|
54 |
##
|
|
|
55 |
#uri ldap://ldapserver
|
|
|
56 |
|
|
|
57 |
##
|
|
|
58 |
## SUDOERS_BASE base
|
|
|
59 |
## The base DN to use when performing sudo LDAP queries.
|
|
|
60 |
## Multiple SUDOERS_BASE lines may be specified, in which
|
|
|
61 |
## case they are queried in the order specified.
|
|
|
62 |
##
|
|
|
63 |
#sudoers_base ou=SUDOers,dc=example,dc=com
|
|
|
64 |
|
|
|
65 |
##
|
|
|
66 |
## BIND_TIMELIMIT seconds
|
|
|
67 |
## The BIND_TIMELIMIT parameter specifies the amount of
|
|
|
68 |
## time to wait while trying to connect to an LDAP server.
|
|
|
69 |
##
|
|
|
70 |
#bind_timelimit 30
|
|
|
71 |
|
|
|
72 |
##
|
|
|
73 |
## TIMELIMIT seconds
|
|
|
74 |
## The TIMELIMIT parameter specifies the amount of time
|
|
|
75 |
## to wait for a response to an LDAP query.
|
|
|
76 |
##
|
|
|
77 |
#timelimit 30
|
|
|
78 |
|
|
|
79 |
##
|
|
|
80 |
## SUDOERS_DEBUG debug_level
|
|
|
81 |
## This sets the debug level for sudo LDAP queries. Debugging
|
|
|
82 |
## information is printed to the standard error. A value of 1
|
|
|
83 |
## results in a moderate amount of debugging information.
|
|
|
84 |
## A value of 2 shows the results of the matches themselves.
|
|
|
85 |
##
|
|
|
86 |
#sudoers_debug 1
|