
## BINDDN DN
##  The BINDDN parameter specifies the identity, in the form of a Dis‐
##  tinguished Name (DN), to use when performing LDAP operations.  If
##  not specified, LDAP operations are performed with an anonymous
##  identity.  By default, most LDAP servers will allow anonymous
##  access.  Sudoers data should not be readable anonymously, since it
##  describes who may run what as root: use a dedicated, read-only bind
##  identity and restrict anonymous access on the directory server.
##
#binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
## BINDPW secret
##  The BINDPW parameter specifies the password to use when performing
##  LDAP operations.  This is typically used in conjunction with the
##  BINDDN parameter.  The password is stored here in cleartext, so this
##  file should be readable only by root (e.g. mode 0600).  Pair it with
##  SSL start_tls or an ldaps:// URI so the credentials are not sent over
##  the network unencrypted.
##
#bindpw secret
## SSL start_tls
##  If the SSL parameter is set to start_tls, the LDAP server connec‐
##  tion is initiated normally and TLS encryption is begun before the
##  bind credentials are sent.  This has the advantage of not requiring
##  a dedicated port for encrypted communications.  This parameter is
##  only supported by LDAP servers that honor the start_tls extension,
##  such as the OpenLDAP and Tivoli Directory servers.  Note that
##  start_tls only encrypts the session; to also authenticate the server,
##  enable TLS_CHECKPEER and point TLS_CACERTFILE at a trusted CA bundle.
##
#ssl start_tls
## TLS_CACERTFILE file name
##  The path to a certificate authority bundle which contains the cer‐
##  tificates for all the Certificate Authorities the client knows to
##  be valid, e.g. /etc/ssl/ca-bundle.pem.  This option is only sup‐
##  ported by the OpenLDAP libraries.  Netscape-derived LDAP libraries
##  use the same certificate database for CA and client certificates
##  (see TLS_CERT).
##
#tls_cacertfile /path/to/CA.crt
## TLS_CHECKPEER on/true/yes/off/false/no
##  If enabled, TLS_CHECKPEER will cause the LDAP server's TLS certifi‐
##  cate to be verified.  If the server's TLS certificate cannot be
##  verified (usually because it is signed by an unknown certificate
##  authority), sudo will be unable to connect to it.  If TLS_CHECKPEER
##  is disabled, no check is made.  Note that disabling the check cre‐
##  ates an opportunity for man-in-the-middle attacks since the
##  server's identity will not be authenticated.  If possible, the CA's
##  certificate should be installed locally so it can be verified.
##  This option is not supported by the Tivoli Directory Server LDAP
##  libraries.
#tls_checkpeer yes
##
## URI ldap[s]://[hostname[:port]] ...
##  Specifies a whitespace-delimited list of one or more
##  URIs describing the LDAP server(s) to connect to.  With a plain
##  ldap:// URI, also set SSL start_tls so bind credentials and sudoers
##  data are not transmitted in the clear.
##
#uri ldap://ldapserver
##
## SUDOERS_BASE base
##  The base DN to use when performing sudo LDAP queries.
##  Multiple SUDOERS_BASE lines may be specified, in which
##  case they are queried in the order specified.
##
#sudoers_base ou=SUDOers,dc=example,dc=com
##
## BIND_TIMELIMIT seconds
##  The BIND_TIMELIMIT parameter specifies the amount of
##  time to wait while trying to connect to an LDAP server.
##
#bind_timelimit 30
##
## TIMELIMIT seconds
##  The TIMELIMIT parameter specifies the amount of time
##  to wait for a response to an LDAP query.
##
#timelimit 30
##
## SUDOERS_DEBUG debug_level
##  This sets the debug level for sudo LDAP queries. Debugging
##  information is printed to the standard error. A value of 1
##  results in a moderate amount of debugging information.
##  A value of 2 shows the results of the matches themselves.  Leave this
##  disabled in production: the output goes to the standard error of the
##  invoking (unprivileged) user and can expose sudoers entries and
##  directory details.
##
#sudoers_debug 1