[sudo-users] LDAP defaults for commands

Daniele Palumbo daniele at retaggio.net
Wed Dec 6 15:46:59 MST 2017

This will satisfy

"Defaults:millert !authenticate" 

But not
"Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
Defaults!PAGERS noexec"

I am trying to sort it out... But I think this is not correct...

# Defaults-PAGERS, SUDOers, courtesan.com
dn: cn=Defaults-PAGERS,ou=SUDOers,dc=courtesan,dc=com <-- will it work? Defaults will be a duplicated, correct?
objectClass: top
objectClass: sudoRole
cn: Defaults-PAGERS
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
sudoHost: ALL
sudoOption: noexec
sudoCommand: /usr/bin/more, /usr/bin/pg, /usr/bin/less <-- I think this will grant the commands to all of the users, am I wrong?

Thanks for the clarification,

Il 6 dicembre 2017 23:27:40 CET, "Todd C. Miller" <Todd.Miller at sudo.ws> ha scritto:
>The sudoers LDAP configuration handles the Defaults options
>differently.  There is no way to specify a set of options that are
>always applied to a user.  Instead, you specify the options inside
>the sudoRole object for that user or group.
>For example:
># millert, SUDOers, courtesan.com
>dn: cn=millert,ou=SUDOers,dc=courtesan,dc=com
>objectClass: top
>objectClass: sudoRole
>cn: millert
>sudoUser: millert
>sudoRunAsUser: ALL
>sudoRunAsGroup: ALL
>sudoHost: ALL
>sudoOption: !authenticate
>would allow user millert to execute any command without authenticating.
> - todd

More information about the sudo-users mailing list