Blame | Last modification | View Log | RSS feed
## BINDDN DN## The BINDDN parameter specifies the identity, in the form of a Dis‐## tinguished Name (DN), to use when performing LDAP operations. If## not specified, LDAP operations are performed with an anonymous## identity. By default, most LDAP servers will allow anonymous## access.###binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com## BINDPW secret## The BINDPW parameter specifies the password to use when performing## LDAP operations. This is typically used in conjunction with the## BINDDN parameter.###bindpw secret## SSL start_tls## If the SSL parameter is set to start_tls, the LDAP server connec‐## tion is initiated normally and TLS encryption is begun before the## bind credentials are sent. This has the advantage of not requiring## a dedicated port for encrypted communications. This parameter is## only supported by LDAP servers that honor the start_tls extension,## such as the OpenLDAP and Tivoli Directory servers.###ssl start_tls## TLS_CACERTFILE file name## The path to a certificate authority bundle which contains the cer‐## tificates for all the Certificate Authorities the client knows to## be valid, e.g. /etc/ssl/ca-bundle.pem. This option is only sup‐## ported by the OpenLDAP libraries. Netscape-derived LDAP libraries## use the same certificate database for CA and client certificates## (see TLS_CERT).###tls_cacertfile /path/to/CA.crt## TLS_CHECKPEER on/true/yes/off/false/no## If enabled, TLS_CHECKPEER will cause the LDAP server's TLS certifi‐## cated to be verified. If the server's TLS certificate cannot be## verified (usually because it is signed by an unknown certificate## authority), sudo will be unable to connect to it. If TLS_CHECKPEER## is disabled, no check is made. Note that disabling the check cre‐## ates an opportunity for man-in-the-middle attacks since the## server's identity will not be authenticated. If possible, the CA's## certificate should be installed locally so it can be verified.## This option is not supported by the Tivoli Directory Server LDAP## libraries.#tls_checkpeer yes#### URI ldap[s]://[hostname[:port]] ...## Specifies a whitespace-delimited list of one or more## URIs describing the LDAP server(s) to connect to.###uri ldap://ldapserver#### SUDOERS_BASE base## The base DN to use when performing sudo LDAP queries.## Multiple SUDOERS_BASE lines may be specified, in which## case they are queried in the order specified.###sudoers_base ou=SUDOers,dc=example,dc=com#### BIND_TIMELIMIT seconds## The BIND_TIMELIMIT parameter specifies the amount of## time to wait while trying to connect to an LDAP server.###bind_timelimit 30#### TIMELIMIT seconds## The TIMELIMIT parameter specifies the amount of time## to wait for a response to an LDAP query.###timelimit 30#### SUDOERS_DEBUG debug_level## This sets the debug level for sudo LDAP queries. Debugging## information is printed to the standard error. A value of 1## results in a moderate amount of debugging information.## A value of 2 shows the results of the matches themselves.###sudoers_debug 1