## BINDDN DN
##  The BINDDN parameter specifies the identity, in the form of a
##  Distinguished Name (DN), to use when performing LDAP operations.  If
##  not specified, LDAP operations are performed with an anonymous
##  identity.  By default, most LDAP servers will allow anonymous
##  access.
##
#binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
##
## BINDPW secret
##  The BINDPW parameter specifies the password to use when performing
##  LDAP operations.  This is typically used in conjunction with the
##  BINDDN parameter.  The password is stored in the clear, so the file
##  that contains it must not be readable by unprivileged users.
##
#bindpw secret
##
## SSL start_tls
##  If the SSL parameter is set to start_tls, the LDAP server connection
##  is initiated normally and TLS encryption is begun before the bind
##  credentials are sent.  This has the advantage of not requiring a
##  dedicated port for encrypted communications.  This parameter is only
##  supported by LDAP servers that honor the start_tls extension, such as
##  the OpenLDAP and Tivoli Directory servers.
##
#ssl start_tls
##
## TLS_CACERTFILE file name
##  The path to a certificate authority bundle which contains the
##  certificates for all the Certificate Authorities the client knows to
##  be valid, e.g. /etc/ssl/ca-bundle.pem.  This option is only supported
##  by the OpenLDAP libraries.  Netscape-derived LDAP libraries use the
##  same certificate database for CA and client certificates (see
##  TLS_CERT).
##
#tls_cacertfile /path/to/CA.crt
##
## TLS_CHECKPEER on/true/yes/off/false/no
##  If enabled, TLS_CHECKPEER will cause the LDAP server's TLS certificate
##  to be verified.  If the server's TLS certificate cannot be verified
##  (usually because it is signed by an unknown certificate authority),
##  sudo will be unable to connect to it.  If TLS_CHECKPEER is disabled,
##  no check is made.  Note that disabling the check creates an
##  opportunity for man-in-the-middle attacks since the server's identity
##  will not be authenticated.  If possible, the CA's certificate should
##  be installed locally so it can be verified.
##  This option is not supported by the Tivoli Directory Server LDAP
##  libraries.
##
#tls_checkpeer yes
##
## URI ldap[s]://[hostname[:port]] ...
##  Specifies a whitespace-delimited list of one or more
##  URIs describing the LDAP server(s) to connect to.
##
#uri ldap://ldapserver
##
## SUDOERS_BASE base
##  The base DN to use when performing sudo LDAP queries.
##  Multiple SUDOERS_BASE lines may be specified, in which
##  case they are queried in the order specified.
##
#sudoers_base ou=SUDOers,dc=example,dc=com
##
## BIND_TIMELIMIT seconds
##  The BIND_TIMELIMIT parameter specifies the amount of
##  time to wait while trying to connect to an LDAP server.
##
#bind_timelimit 30
##
## TIMELIMIT seconds
##  The TIMELIMIT parameter specifies the amount of time
##  to wait for a response to an LDAP query.
##
#timelimit 30
##
## SUDOERS_DEBUG debug_level
##  This sets the debug level for sudo LDAP queries.  Debugging
##  information is printed to the standard error.  A value of 1
##  results in a moderate amount of debugging information.
##  A value of 2 shows the results of the matches themselves.
##
#sudoers_debug 1
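The directives above interact: BINDPW is only protected on the wire if a plain ldap:// URI is upgraded with "ssl start_tls", and start_tls only authenticates the directory if TLS_CHECKPEER is on and TLS_CACERTFILE names a bundle to verify against. The script below is an added example, not part of sudo or of the sudo-ldap.conf it ships; it audits a configuration file for those weak combinations plus a cleartext bindpw in a file other users can read. The helper names conf_get and audit_sudo_ldap_conf, the two sample configuration files, the LDAP host name and the 0600/0400 file-mode policy are all assumptions of this example.

```sh
#!/bin/sh
# Added example; not part of sudo or of the sudo-ldap.conf shipped with it.
# Audits a sudo LDAP configuration file for the weak settings described
# above: a cleartext ldap:// URI without "ssl start_tls", TLS_CHECKPEER not
# explicitly enabled, no CA bundle to verify against, and a BINDPW stored in
# a file that other users can read. Exit status 0 = no findings, 1 = findings.

# conf_get FILE DIRECTIVE: print the value of the first active (uncommented)
# occurrence of DIRECTIVE, case-insensitively; print nothing if absent.
conf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                  # "#" and "##" lines are comments
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$1"
}

# audit_sudo_ldap_conf FILE: print one FINDING line per weakness found.
audit_sudo_ldap_conf() {
    file="$1"
    findings=0
    uri=$(conf_get "$file" uri)
    ssl=$(conf_get "$file" ssl)
    checkpeer=$(conf_get "$file" tls_checkpeer)
    cacert=$(conf_get "$file" tls_cacertfile)
    bindpw=$(conf_get "$file" bindpw)

    # A plain ldap:// URI sends the bind DN, BINDPW and every sudoers lookup
    # in the clear unless the connection is upgraded with start_tls.
    case " $uri " in
        *" ldap://"*)
            [ "$ssl" = "start_tls" ] ||
                { echo "FINDING: ldap:// URI without 'ssl start_tls'"; findings=$((findings + 1)); }
            ;;
    esac

    # Require an explicit yes (policy assumed here): with the check off, any
    # host answering on the LDAP port can impersonate the directory.
    case "$checkpeer" in
        on|true|yes) ;;
        *) echo "FINDING: tls_checkpeer not enabled (value: '${checkpeer:-unset}')"
           findings=$((findings + 1)) ;;
    esac

    # Peer verification needs a CA bundle to verify against.
    [ -n "$cacert" ] ||
        { echo "FINDING: tls_cacertfile not set"; findings=$((findings + 1)); }

    # BINDPW is stored in the clear; require mode 0600 or 0400 (assumed
    # policy). Octal mode read with GNU stat, falling back to BSD stat.
    if [ -n "$bindpw" ]; then
        mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
        case "$mode" in
            600|400) ;;
            *) echo "FINDING: bindpw set but $file has mode $mode (want 600 or 400)"
               findings=$((findings + 1)) ;;
        esac
    fi

    [ "$findings" -eq 0 ]
}

# Demo on two constructed configuration files (sample data, not real hosts):
# the weak one mirrors a directory reached over cleartext with peer checks
# off; the hardened one is the corrected form of the same settings.
demo_dir=$(mktemp -d)
cat > "$demo_dir/weak.conf" <<'EOF'
uri ldap://ldapserver
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
bindpw secret
tls_checkpeer no
sudoers_base ou=SUDOers,dc=example,dc=com
EOF
chmod 644 "$demo_dir/weak.conf"
cat > "$demo_dir/hardened.conf" <<'EOF'
uri ldap://ldapserver
ssl start_tls
tls_cacertfile /etc/ssl/ca-bundle.pem
tls_checkpeer yes
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
bindpw secret
sudoers_base ou=SUDOers,dc=example,dc=com
bind_timelimit 30
timelimit 30
EOF
chmod 600 "$demo_dir/hardened.conf"
for f in weak hardened; do
    echo "== $f.conf"
    audit_sudo_ldap_conf "$demo_dir/$f.conf" && echo "OK: no findings"
done
rm -rf "$demo_dir"
```

Run audit_sudo_ldap_conf against the file sudo was built to read (commonly /etc/sudo-ldap.conf or /etc/ldap.conf). Note that an ldaps:// URI is deliberately not flagged for a missing start_tls, since it is encrypted from the first byte, but it still needs tls_checkpeer and a CA bundle to be worth anything.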