sudo, unix-groups and ldap

Aaron Spangler aaron at
Wed Dec 10 00:26:46 EST 2003

Hello Heinz,

I believe having a group listed in both local & LDAP is confusing your Linux box. (It's like 
having your account listed both in /etc/passwd and in LDAP.)

I recommend the following two changes:
1. In LDAP, remove xf01070 from the ldap group 'nobody'.
2. Change the primary group id (GID) of the ldap user xf01070 to be 65534.  This way you are 
guaranteed to get the group that you want.  You will need to log out & log in for Linux to pick up 
your changes.

Also before running sudo, try running 'id -a' and verifying that you belong to the groups you 
believe you belong to.

I hope this helps.



> Message: 1
> Date: Wed, 3 Dec 2003 14:06:01 +0100 (MET)
> From: "Heinz Ahrens" <xf01070 at>
> Subject: sudo, unix-groups and ldap
> To: sudo-users at
> Message-ID: <26029.1070456761 at>
> Content-Type: text/plain; charset="iso-8859-1"
> Hello sudo-users,
> I have a problem and I cannot find the answer. I want to use sudo with
> LDAP on SuSE United Linux 1.0:
> In my example I have the local group in /etc/group and one over LDAP:
> xf01070 at nilix:~> getent group|fgrep nogroup
> nogroup:x:65534:nobody      -> local entry
> nogroup:x:65534:xf01070     -> remote entry
> because of /etc/nsswitch.conf:
> group:  files ldap
> And here is the problem. In /etc/sudoers I want my user xf01070 to get
> access because of the unix group:
> Cmnd_Alias      ID              = /usr/bin/id
> %nogroup  ALL=(nobody) NOPASSWD: ID
> Because of the sequence "files ldap" and not "ldap files" the user is not in
> the group "%nogroup". But I cannot change the sequence to "ldap files"
> because of problems with booting.
> Perhaps someone can help me.
>   Heinz Ahrens
>   xf01070 at
> -- 
> +++ GMX - the first address for Mail, Message, More +++
> New: price reduction for MMS and FreeMMS!
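The following is an added example, not code from either poster. It reproduces, on constructed data, the "first entry wins" effect that Heinz observed with `group: files ldap`: a lookup of a group by name takes the first entry any NSS source returns, so the LDAP `nogroup` entry and its member list are shadowed by the local one. It then applies Aaron's advice of checking the output of `id` against the `%group` rules in sudoers before expecting a rule to fire. The group lines and sudoers lines are copies of what the thread shows; the `id -Gn` output fed to `matching_rules` is constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the sudo-users thread. Simulates what a name-keyed
# group lookup sees when nsswitch.conf says "group: files ldap" and both
# sources carry an entry named "nogroup".

# Constructed copy of the `getent group | fgrep nogroup` output from the thread:
# the local (files) entry comes first, the LDAP entry second.
SAMPLE_GROUPS='nogroup:x:65534:nobody
nogroup:x:65534:xf01070'

# Constructed copy of the sudoers lines from the thread.
SAMPLE_SUDOERS='Cmnd_Alias      ID              = /usr/bin/id
%nogroup  ALL=(nobody) NOPASSWD: ID'

# first_entry NAME: the first group line whose name matches. This is the
# entry a by-name lookup returns; later duplicates from the next NSS source
# are never consulted.
first_entry() {
    printf '%s\n' "$SAMPLE_GROUPS" | awk -F: -v n="$1" '$1 == n { print; exit }'
}

# members_of NAME: the comma-separated member field of the winning entry.
members_of() {
    first_entry "$1" | cut -d: -f4
}

# in_group USER NAME: succeeds only if USER is listed in the winning entry.
# With the sample data, xf01070 is not, even though LDAP says it is.
in_group() {
    members_of "$2" | tr ',' '\n' | grep -qx "$1"
}

# matching_rules "GROUPS": GROUPS is the space-separated output of `id -Gn`
# (primary group plus supplementary groups). Prints every %group rule in
# SAMPLE_SUDOERS whose group appears in that list, i.e. the rules a user
# can expect to match after Aaron's "run id before sudo" check.
matching_rules() {
    printf '%s\n' "$SAMPLE_SUDOERS" | awk -v groups="$1" '
        BEGIN { n = split(groups, g, " "); for (i = 1; i <= n; i++) have[g[i]] = 1 }
        /^%/ { grp = substr($1, 2); if (grp in have) print }'
}

# Stand-alone demonstration.
echo "winning entry for nogroup: $(first_entry nogroup)"
if in_group xf01070 nogroup; then
    echo "xf01070 is a member of nogroup"
else
    echo "xf01070 is NOT a member of nogroup (LDAP entry shadowed)"
fi
echo "rules matching 'id -Gn' = 'users':"
matching_rules 'users'
echo "rules matching 'id -Gn' = 'nogroup users' (after GID 65534 is primary):"
matching_rules 'nogroup users'
```

On a real host, replace the constructed `SAMPLE_GROUPS` with `getent group` and the `GROUPS` argument with `$(id -Gn)`; if `matching_rules` prints nothing for the rule you expect, the group is not being resolved for your session, which is the situation Aaron's two changes are meant to fix.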
