sudo groups in PAM LDAP

Aaron Spangler aaron at
Thu Feb 26 14:12:23 EST 2004


If you don't want your sudoers to be in ldap, then ignore everything in
README.LDAP.  Just follow the normal sudo docs.

If you already have unix groups in ldap, then I assume you already have
this part working before you start using sudo.  Sudo will use whatever
unix groups you belong to when you run sudo.  If you have nss_ldap mapping
that back to LDAP, then sudo gets group information from LDAP.  (See also
Todd's notes at the end)

Example: let's say that "people" is an LDAP group and joe is a member.

If you are logged in as joe, type 'id'  (or 'id -a' on some systems)
  uid=19243(joe) gid=19243(joe) groups=1782(people)

If you configure sudo to allow commands to the 'people' group, then joe
can use those sudo commands.

For more information on nss_ldap, take a look at


> In message <1077812541.8300.6.camel at>
> 	so spake Ezsra McDonald (Ezsra_McDonald):
>> I grabbed 1.6.8 from the CVS last week and compiled it. I read the
>> README.LDAP file. I really did not want to store my sudoers file in
>> LDAP. I just want to have sudo use the unix groups I have stored in
>> LDAP.
> This sounds like an OS config problem.  Sudo doesn't do anything
> special to get at group info--it just uses the standard getgrnam()
> function.  My guess is that your /etc/nsswitch.conf is incorrect,
> but I don't actually use LDAP so I can't say for sure.
> If you have something like:
>     group:          files ldap
> you might try reversing that order so that ldap is first.
>  - todd
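As an added diagnostic (not code from this thread or from sudo itself), here is a small C program that performs the same getgrnam() lookup Todd describes, plus a getpwnam() lookup for the primary gid, and reports whether a user would be seen as a member of a group; if it fails for a group that lives only in LDAP, the NSS configuration is what needs fixing, not sudo. The program name and the user/group arguments are placeholders you supply on the command line.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <pwd.h>
#include <grp.h>

/* Resolve `user` and `group` through NSS (the "passwd:" and "group:"
 * lines of /etc/nsswitch.conf decide whether files, ldap, ... are
 * consulted and in which order).
 * Returns 1 if the user is a member (primary gid or listed in gr_mem),
 * 0 if both names resolve but the user is not a member, and -1 if the
 * user or the group cannot be resolved at all. */
int user_in_group(const char *user, const char *group)
{
    struct passwd *pw = getpwnam(user);
    struct group  *gr = getgrnam(group);   /* the lookup sudo relies on */
    if (pw == NULL || gr == NULL)
        return -1;
    if (pw->pw_gid == gr->gr_gid)
        return 1;                          /* primary group match */
    for (char **m = gr->gr_mem; m != NULL && *m != NULL; m++)
        if (strcmp(*m, user) == 0)
            return 1;                      /* supplementary member */
    return 0;
}

/* Usage: ./nsscheck joe people   (names are placeholders) */
int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s user group\n", argv[0]);
        return 2;
    }
    int r = user_in_group(argv[1], argv[2]);
    if (r < 0)
        printf("lookup failed: check the passwd: and group: lines "
               "in /etc/nsswitch.conf and that nss_ldap is working\n");
    else
        printf("%s is %sa member of %s\n",
               argv[1], r == 1 ? "" : "NOT ", argv[2]);
    return r == 1 ? 0 : 1;
}
```

Compare the result with the output of `id` as the same user: if `id` shows the group but this check returns -1 or 0, the two lookups are going through different NSS sources.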