[sudo-users] LDAP defaults for commands

Todd C. Miller Todd.Miller at sudo.ws
Wed Dec 6 15:52:24 MST 2017

On Wed, 06 Dec 2017 23:46:59 +0100, Daniele Palumbo wrote:

> This will satisfy
> "Defaults:millert !authenticate"
> But not
> "Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
> Defaults!PAGERS noexec"
> I am trying to sort it out... But I think this is not correct...
> # Defaults-PAGERS, SUDOers, courtesan.com
> dn: cn=Defaults-PAGERS,ou=SUDOers,dc=courtesan,dc=com <-- will it work?
> Defaults will be a duplicated, correct?
> objectClass: top
> objectClass: sudoRole
> cn: Defaults-PAGERS
> sudoRunAsUser: ALL
> sudoRunAsGroup: ALL
> sudoHost: ALL
> sudoOption: noexec
> sudoCommand: /usr/bin/more, /usr/bin/pg, /usr/bin/less <-- I think this will
> grant the commands to all of the users, am I wrong?

That sudoRole will never match a query because there is no sudoUser
in it.  You would need to add one or more sudoUser entries to grant
the privileges to a user or group of users.

Unfortunately, there is no way to specify per-command options in
sudoers LDAP.  The options are either global or specific to a given

 - todd

More information about the sudo-users mailing list