sudo, unix-groups and ldap

Aaron Spangler as at
Wed Dec 10 00:36:35 EST 2003

Hello Heinz,

I believe having a group listed in both local & LDAP is confusing your
Linux box. (Its like
having your account listed both in /etc/passwd and in LDAP.)

I recommend the following two changes:
1. In LDAP, remove xf01070 from the ldap group 'nobody'.
2. Change the primary group id (GID) of the ldap user xf01070 to be 65534.
 This way you are guaranteed to get the group that you want.  You will
need to logout & login for Linux to pick up your changes.

Also before running sudo, try running 'id -a' and verifying that you
belong to the groups you
believe you belong to.

I hope this helps.


> Date: Wed, 3 Dec 2003 14:06:01 +0100 (MET)
> From: "Heinz Ahrens" <xf01070 at>
> Subject: sudo, unix-groups and ldap
> To: sudo-users at
> Message-ID: <26029.1070456761 at>
> Content-Type: text/plain; charset="iso-8859-1"
> Hallo sudo-users,
> i have got a problem and i can not get the answer. I want to use sudo with
> ldap on SuSE United Linux 1.0:
> In my example i have get the local group in /etc/group and one over ldap:
> xf01070 at nilix:~> getent group|fgrep nogroup
> nogroup:x:65534:nobody                                        -> local
> nogroup:x:65534:xf01070                                      -> remote
> because of /etc/nsswitch.conf:
> group:  files ldap
> And here is the problem. In /etc/suders i want that my user xf01070 get
> access because of the unix-group:
> Cmnd_Alias      ID              = /usr/bin/id
> %nogroup  ALL=(nobody) NOPASSWD: ID
> Because of the sequence "files ldap" and not "ldap files" the user is
not in
> the group "%nogroup". But i can not change the squence to "ldap files"
> because of problems with booting.
> Perhaps someone can help me
>   Heinz Ahrens
>   xf01070 at

More information about the sudo-users mailing list