AAPL_README
1Configure command line:
2
3./configure --with-password-timeout=0 --disable-setreuid --with-env-editor --with-pam --with-libraries=bsm --with-noexec=no --sysconfdir="/private/etc" --with-timedir="/var/db/sudo"
4
README
1The sudo philosophy
2===================
3Sudo is a program designed to allow a sysadmin to give limited root privileges
4to users and log root activity. The basic philosophy is to give as few
5privileges as possible but still allow people to get their work done.
6
7Where to find sudo
8==================
9Before you try and build sudo, *please* make sure you have the current
10version. The latest sudo may always be gotten via anonymous ftp from
11ftp.sudo.ws in the directory /pub/sudo/ or from the sudo web site,
12http://www.sudo.ws/
13
14The distribution is sudo-M.m.tar.gz where `M' is the major
15version number and `m' is the minor version number.
16BETA versions of sudo may also be available. If you join
17the `sudo-workers' mailing list you will get the BETA announcements
18(see the `Mailing lists' section below).
19
20What's new
21==========
22See the NEWS file for a list of major changes in this release.
23For a complete list of changes, see the ChangeLog file. For a
24summary of major changes to the current stable release, see the web
25page, http://www.sudo.ws/sudo/stable.html.
26
27If you are upgrading from an earlier version of Sudo, please see
28the UPGRADE file.
29
30For a history of sudo please see the HISTORY file.
31
32System requirements
33===================
34To build sudo from the source distribution you need a machine running
35Unix (most flavors of BSD, SYSV, or POSIX will do), a working C
36compiler, and the ar, make and ranlib utilities.
37
38If you wish to modify the parser then you will need flex version
392.5.2 or later and either bison or byacc (sudo comes with a pre-flex'd
40tokenizer and pre-yacc'd grammar parser). You'll also have to
41uncomment a few lines from the Makefile or run configure with the
42--with-devel option. You can get flex via anonymous ftp from
43ftp://ftp.ee.lbl.gov/pub/flex* as well as any GNU mirror. You can
44get GNU bison from ftp://ftp.gnu.org/pub/gnu/bison/ or any GNU
45mirror.
46
47Building the release
48====================
49Please read the installation guide in the `INSTALL' file before
50trying to build sudo. Pay special attention to the "OS dependent notes"
51section.
52
53Copyright
54=========
55Sudo is distributed under an ISC-style license.
56Please refer to the `LICENSE' file included with the release for details.
57
58Mailing lists
59=============
60sudo-announce This list receives announcements whenever a new version
61 of sudo is released.
62 http://www.sudo.ws/mailman/listinfo/sudo-announce
63
64sudo-users This list is for questions and general discussion about sudo.
65 http://www.sudo.ws/mailman/listinfo/sudo-users
66
67sudo-workers This list is for people working on and porting sudo.
68 http://www.sudo.ws/mailman/listinfo/sudo-workers
69
70sudo-commits This list receives a message for each commit made to
71 the sudo source repository.
72 http://www.sudo.ws/mailman/listinfo/sudo-commits
73
74To subscribe to a list, visit its url (as listed above) and enter
75your email address to subscribe. Digest versions are available but
76these are fairly low traffic lists so the digest versions are not
77a significant win.
78
79Mailing list archives are also available. See the mailing list web sites
80for the appropriate links.
81
82Web page
83========
84There is a sudo web page at http://www.sudo.ws/ that contains
85an overview of sudo, documentation, downloads, information about
86beta versions and other useful info.
87
88Bug reports
89===========
90If you have found what you believe to be a bug, you can file a bug
91report in the sudo bug database, on the web at http://www.sudo.ws/bugs/.
92
93Please read over the `TROUBLESHOOTING' file *before* submitting a bug
94report. When reporting bugs, please be sure to include the version of
95sudo you are using as well as the platform you are running it on.
96
README.LDAP
1This file explains how to build the optional LDAP functionality of SUDO to
2store /etc/sudoers information. This feature is distinct from LDAP passwords.
3
4For general sudo LDAP configuration details, see the sudoers.ldap manual that
5comes with the sudo distribution. A pre-formatted version of the manual may
6be found in the sudoers.ldap.cat file.
7
8The sudo binary compiled with LDAP support should be totally backward
9compatible and be syntactically and source code equivalent to its
10non LDAP-enabled build.
11
12LDAP philosophy
13===============
14As times change and servers become cheap, an enterprise can easily have 500+
15UNIX servers. Using LDAP to synchronize Users, Groups, Hosts, Mounts, and
16others across an enterprise can greatly reduce the administrative overhead.
17
18In the past, sudo has used a single local configuration file, /etc/sudoers.
19While the same sudoers file can be shared among machines, no built-in
20mechanism exists to distribute it. Some have attempted to workaround this
21by synchronizing changes via CVS/RSYNC/RDIST/RCP/SCP and even NFS.
22
23By using LDAP for sudoers we gain a centrally administered, globally
24available configuration source for sudo.
25
26For information on OpenLDAP, please see http://www.openldap.org/.
27
28Definitions
29===========
30Many times the word 'Directory' is used in the document to refer to the LDAP
31server, structure and contents.
32
33Many times 'options' are used in this document to refer to sudoer 'defaults'.
34They are one and the same.
35
36Build instructions
37==================
38The simplest way to build sudo with LDAP support is to include the
39'--with-ldap' option.
40
41 $ ./configure --with-ldap
42
43If your ldap libraries and headers are in a non-standard place, you will need
44to specify them at configure time. E.g.
45
46 $ ./configure --with-ldap=/usr/local/ldapsdk
47
48Sudo is developed using OpenLDAP but Netscape-based LDAP libraries
49(such as those present in Solaris) are also known to work.
50
51Your mileage may vary. Please let the sudo workers mailing list
52<sudo-workers@sudo.ws> know if special configuration was required
53to build an LDAP-enabled sudo so we can improve sudo.
54
55Schema Changes
56==============
57You must add the appropriate schema to your LDAP server before it
58can store sudoers content.
59
60For OpenLDAP, copy the file schema.OpenLDAP to the schema directory
61(e.g. /etc/openldap/schema). You must then edit your slapd.conf and
62add an include line the new schema, e.g.
63
64 # Sudo LDAP schema
65 include /etc/openldap/schema/sudo.schema
66
67In order for sudoRole LDAP queries to be efficient, the server must index
68the attribute 'sudoUser', e.g.
69
70 # Indices to maintain
71 index sudoUser eq
72
73After making the changes to slapd.conf, restart slapd.
74
75For Netscape-derived LDAP servers such as SunONE, iPlanet or Fedora Directory,
76copy the schema.iPlanet file to the schema directory with the name 99sudo.ldif.
77
78On Solaris, schemas are stored in /var/Sun/mps/slapd-`hostname`/config/schema/.
79For Fedora Directory Server, they are stored in /etc/dirsrv/schema/.
80
81After copying the schema file to the appropriate directory, restart
82the LDAP server.
83
84Finally, using an LDAP browser/editor, enable indexing by editing the
85client profile to provide a Service Search Descriptor (SSD) for sudoers,
86replacing example.com with your domain:
87
88 serviceSearchDescriptor: sudoers: ou=sudoers,dc=example,dc=com
89
90If using an Active Directory server, copy schema.ActiveDirectory
91to your Windows domain controller and run the following command:
92
93 ldifde -i -f schema.ActiveDirectory -c dc=X dc=example,dc=com
94
95Importing /etc/sudoers into LDAP
96================================
97Importing sudoers is a two-step process.
98
99Step 1:
100Ask your LDAP Administrator where to create the ou=SUDOers container.
101
102For instance, if using OpenLDAP:
103
104 dn: ou=SUDOers,dc=example,dc=com
105 objectClass: top
106 objectClass: organizationalUnit
107 ou: SUDOers
108
109(An example location is shown below). Then use the provided script to convert
110your sudoers file into LDIF format. The script will also convert any default
111options.
112
113 # SUDOERS_BASE=ou=SUDOers,dc=example,dc=com
114 # export SUDOERS_BASE
115 # ./sudoers2ldif /etc/sudoers > /tmp/sudoers.ldif
116
117Step 2:
118Import into your directory server. The following example is for
119OpenLDAP. If you are using another directory, provide the LDIF
120file to your LDAP Administrator.
121
122 # ldapadd -f /tmp/sudoers.ldif -h ldapserver \
123 -D cn=Manager,dc=example,dc=com -W -x
124
125Managing LDAP entries
126=====================
127Doing a one-time bulk load of your ldap entries is fine. However what if you
128need to make minor changes on a daily basis? It doesn't make sense to delete
129and re-add objects. (You can, but this is tedious).
130
131I recommend using any of the following LDAP browsers to administer your SUDOers.
132 * GQ - The gentleman's LDAP client - Open Source - I use this a lot on Linux
133 and since it is Schema aware, I don't need to create a sudoRole template.
134 http://biot.com/gq/
135
136 * phpQLAdmin - Open Source - phpQLAdmin is an administration tool,
137 originally for QmailLDAP, that supports editing sudoRole objects
138 in version 2.3.2 and higher.
139 http://phpqladmin.com/
140
141 * LDAP Browser/Editor - by Jarek Gawor - I use this a lot on Windows
142 and Solaris. It runs anywhere in a Java Virtual Machine including
143 web pages. You have to make a template from an existing sudoRole entry.
144 http://www.iit.edu/~gawojar/ldap
145 http://www.mcs.anl.gov/~gawor/ldap
146 http://ldapmanager.com
147
148 * Apache Directory Studio - Open Source - an Eclipse-based LDAP
149 development platform. Includes an LDAP browser, and LDIF editor,
150 a schema editor and more.
151 http://directory.apache.org/studio
152
153 There are dozens of others, some Open Source, some free, some not.
154
155Configure your /etc/ldap.conf and /etc/nsswitch.conf
156====================================================
157The /etc/ldap.conf file is meant to be shared between sudo, pam_ldap, nss_ldap
158and other ldap applications and modules. IBM Secureway unfortunately uses
159the same file name but has a different syntax. If you need to change where
160this file is stored, re-run configure with the --with-ldap-conf-file=PATH
161option.
162
163See the "Configuring ldap.conf" section in the sudoers.ldap manual
164for a list of supported ldap.conf parameters and an example ldap.conf
165
166Make sure you sudoers_base matches the location you specified when you
167imported the sudoers ldif data.
168
169After configuring /etc/ldap.conf, you must add a line in /etc/nsswitch.conf
170to tell sudo to look in LDAP for sudoers. See the "Configuring nsswitch.conf"
171section in the sudoers.ldap manual for details. Note that sudo will use
172/etc/nsswitch.conf even if the underlying operating system does not support it.
173To disable nsswitch support, run configure with the --with-nsswitch=no option.
174This will cause sudo to consult LDAP first and /etc/sudoers second, unless the
175ignore_sudoers_file flag is set in the global LDAP options.
176
177Debugging your LDAP configuration
178=================================
179Enable debugging if you believe sudo is not parsing LDAP the way you think it
180should. Setting the 'sudoers_debug' parameter to a value of 1 shows moderate
181debugging. A value of 2 shows the results of the matches themselves. Make
182sure to set the value back to zero so that other users don't get confused by
183the debugging messages.
184