[sudo-users] sudo-ldap and precedence

Andreas Heinlein aheinlein at gmx.com
Mon Apr 26 10:35:19 EDT 2010


Hello,

I have a problem configuring sudo-ldap under Ubuntu 9.10/10.04.

We have
a) the usual setup ($admin ALL=(ALL) ALL), where admins can execute any 
command, but have to enter their password
b) some commands that everyone in the users group can execute *without* 
a password. At the moment, this works for "normal" users but not for 
users which are also in the admin group, these stille have to enter 
their passwordv (%users ALL NOPASSWD:/usr/bin/...).

As I understand, order of entries should not matter since there is no 
guarantee that LDAP entries are returned in any particular order. But in 
this case it seems to matter because the first entry for the admin group 
seems to be the effective one, instead of the second one (the closer 
match). Is this intended behaviour? Is there any way to change this?

Thanks,
Andreas



More information about the sudo-users mailing list