[sudo-users] Rule ordering problem with users present in multiple groups in LDAP

Jos Backus jos at catnook.com
Wed May 14 16:03:57 EDT 2008


Reply-To: jos at catnook.com

Hi,

I have a question about sudo's LDAP support.

If a user is a member of multiple groups, how does one control which group
"wins"? In /etc/sudoers this is controlled through entry order (since order is
significant), but there appears to be no way to achieve the same effect using
LDAP, which returns entries in (essentially) random order.

For example: a user is a member of two groups -- one has the !authenticate
sudoOption and one doesn't.  If the last group retrieved from LDAP doesn't
have !authenticate it wins and this breaks unattended scripts.

One way around this would be to add a sudoOrder attribute which could be used
to sort the entries, just like in the /etc/sudoers case.

Thoughts?

-- 
Jos Backus
jos at catnook.com
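The following is an added example, not part of the post above and not sudo's own code. It models the problem the post describes: a user who matches several sudoRole entries gets a different effective "authenticate" setting depending on the order in which the directory happens to return those entries, and sorting on a sudoOrder attribute of the kind the post proposes makes the "last match wins" rule deterministic. The sudoRole entries, the user-to-group mapping, and the sudoOrder attribute itself are all constructed assumptions for the example; the override semantics are taken from the sudoers file's last-match behaviour, not from any particular sudo release.

```python
# Added example (not from the original post or from sudo): a small model of how
# a proposed sudoOrder attribute would make "last match wins" deterministic for
# a user who appears in several sudoRole entries. All data below is constructed.
import random

# Constructed sudoRole entries, shaped like what an LDAP client would return.
# sudoOrder is the attribute proposed in the post; it is assumed here.
SUDO_ROLES = [
    {"cn": "ops-interactive", "sudoUser": ["%ops"],
     "sudoOption": [], "sudoOrder": 10},
    {"cn": "batch-nopasswd", "sudoUser": ["%batch"],
     "sudoOption": ["!authenticate"], "sudoOrder": 20},
    {"cn": "everyone", "sudoUser": ["ALL"],
     "sudoOption": ["authenticate"], "sudoOrder": 0},
]

# Constructed group membership: "jos" is in both groups, "alice" in one.
USER_GROUPS = {"jos": {"ops", "batch"}, "alice": {"ops"}}


def role_matches(role, user, groups):
    """True if a sudoRole's sudoUser values cover this user or one of its groups."""
    for spec in role["sudoUser"]:
        if spec == "ALL" or spec == user:
            return True
        if spec.startswith("%") and spec[1:] in groups:
            return True
    return False


def effective_authenticate(roles, user, groups, use_sudoorder):
    """Return True if the user must authenticate.

    Options from entries processed later override earlier ones, mirroring the
    sudoers file's "last match wins" rule. With use_sudoorder the matching
    entries are sorted ascending by sudoOrder (so the highest value is applied
    last); without it the caller's order, i.e. the directory's retrieval
    order, is used as-is.
    """
    matching = [r for r in roles if role_matches(r, user, groups)]
    if use_sudoorder:
        matching.sort(key=lambda r: r.get("sudoOrder", 0))
    authenticate = True  # sudo's default when nothing says otherwise
    for role in matching:
        for opt in role["sudoOption"]:
            if opt == "authenticate":
                authenticate = True
            elif opt == "!authenticate":
                authenticate = False
    return authenticate


def outcomes_over_retrieval_orders(roles, user, groups, use_sudoorder,
                                   trials=50, seed=1):
    """Shuffle the retrieval order repeatedly and collect the distinct results.

    A set with more than one element means the decision depends on the order
    the directory returned the entries in.
    """
    rng = random.Random(seed)
    seen = set()
    for _ in range(trials):
        shuffled = roles[:]
        rng.shuffle(shuffled)
        seen.add(effective_authenticate(shuffled, user, groups, use_sudoorder))
    return seen


if __name__ == "__main__":
    jos = USER_GROUPS["jos"]
    print("unsorted outcomes:", outcomes_over_retrieval_orders(SUDO_ROLES, "jos", jos, False))
    print("sudoOrder outcomes:", outcomes_over_retrieval_orders(SUDO_ROLES, "jos", jos, True))
```

Run as a script it shows that, without an ordering attribute, the same user flips between "password required" and "no password" across retrieval orders, while sorting on sudoOrder always yields the entry with the highest value as the last match.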