You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
86 lines
3.1 KiB
86 lines
3.1 KiB
## BINDDN DN |
|
## The BINDDN parameter specifies the identity, in the form of a Dis‐ |
|
## tinguished Name (DN), to use when performing LDAP operations. If |
|
## not specified, LDAP operations are performed with an anonymous |
|
## identity. By default, most LDAP servers will allow anonymous |
|
## access. |
|
## |
|
#binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com |
|
|
|
## BINDPW secret |
|
## The BINDPW parameter specifies the password to use when performing |
|
## LDAP operations. This is typically used in conjunction with the |
|
## BINDDN parameter. |
|
## |
|
#bindpw secret |
|
|
|
## SSL start_tls |
|
## If the SSL parameter is set to start_tls, the LDAP server connec‐ |
|
## tion is initiated normally and TLS encryption is begun before the |
|
## bind credentials are sent. This has the advantage of not requiring |
|
## a dedicated port for encrypted communications. This parameter is |
|
## only supported by LDAP servers that honor the start_tls extension, |
|
## such as the OpenLDAP and Tivoli Directory servers. |
|
## |
|
#ssl start_tls |
|
|
|
## TLS_CACERTFILE file name |
|
## The path to a certificate authority bundle which contains the cer‐ |
|
## tificates for all the Certificate Authorities the client knows to |
|
## be valid, e.g. /etc/ssl/ca-bundle.pem. This option is only sup‐ |
|
## ported by the OpenLDAP libraries. Netscape-derived LDAP libraries |
|
## use the same certificate database for CA and client certificates |
|
## (see TLS_CERT). |
|
## |
|
#tls_cacertfile /path/to/CA.crt |
|
|
|
## TLS_CHECKPEER on/true/yes/off/false/no |
|
## If enabled, TLS_CHECKPEER will cause the LDAP server's TLS certifi‐ |
|
## cated to be verified. If the server's TLS certificate cannot be |
|
## verified (usually because it is signed by an unknown certificate |
|
## authority), sudo will be unable to connect to it. If TLS_CHECKPEER |
|
## is disabled, no check is made. Note that disabling the check cre‐ |
|
## ates an opportunity for man-in-the-middle attacks since the |
|
## server's identity will not be authenticated. If possible, the CA's |
|
## certificate should be installed locally so it can be verified. |
|
## This option is not supported by the Tivoli Directory Server LDAP |
|
## libraries. |
|
#tls_checkpeer yes |
|
|
|
## |
|
## URI ldap[s]://[hostname[:port]] ... |
|
## Specifies a whitespace-delimited list of one or more |
|
## URIs describing the LDAP server(s) to connect to. |
|
## |
|
#uri ldap://ldapserver |
|
|
|
## |
|
## SUDOERS_BASE base |
|
## The base DN to use when performing sudo LDAP queries. |
|
## Multiple SUDOERS_BASE lines may be specified, in which |
|
## case they are queried in the order specified. |
|
## |
|
#sudoers_base ou=SUDOers,dc=example,dc=com |
|
|
|
## |
|
## BIND_TIMELIMIT seconds |
|
## The BIND_TIMELIMIT parameter specifies the amount of |
|
## time to wait while trying to connect to an LDAP server. |
|
## |
|
#bind_timelimit 30 |
|
|
|
## |
|
## TIMELIMIT seconds |
|
## The TIMELIMIT parameter specifies the amount of time |
|
## to wait for a response to an LDAP query. |
|
## |
|
#timelimit 30 |
|
|
|
## |
|
## SUDOERS_DEBUG debug_level |
|
## This sets the debug level for sudo LDAP queries. Debugging |
|
## information is printed to the standard error. A value of 1 |
|
## results in a moderate amount of debugging information. |
|
## A value of 2 shows the results of the matches themselves. |
|
## |
|
#sudoers_debug 1
|
|
|