[sudo-users] sudo-ldap and precedence

Andreas Heinlein aheinlein at gmx.com
Tue Apr 27 02:48:29 EDT 2010

On 26.04.2010 17:49, Mark Janssen wrote:
> On Mon, Apr 26, 2010 at 4:35 PM, Andreas Heinlein <aheinlein at gmx.com> wrote:
>> Hello,
>> I have a problem configuring sudo-ldap under Ubuntu 9.10/10.04.
>> We have
>> a) the usual setup ($admin ALL=(ALL) ALL), where admins can execute any
>> command, but have to enter their password
>> b) some commands that everyone in the users group can execute *without*
>> a password. At the moment, this works for "normal" users but not for
>> users which are also in the admin group, these still have to enter
>> their password (%users ALL NOPASSWD:/usr/bin/...).
>> As I understand, order of entries should not matter since there is no
>> guarantee that LDAP entries are returned in any particular order. But in
>> this case it seems to matter because the first entry for the admin group
>> seems to be the effective one, instead of the second one (the closer
>> match). Is this intended behaviour? Is there any way to change this?
> Can you post an LDIF of these rules?
> Do you have a 'sudoOption: !authenticate' on your NOPASSWD rule?
> What do your 'defaults' say?

See attached LDIF. As you can see, I have !authenticate on said rule. It
works fine for users *not* in the admin group.
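The two rules discussed in this thread, written out as a constructed LDIF. This is an added illustration, not the attachment Andreas posted (which is not reproduced here). The base DN, the ou=SUDOers container, the cn values, the run-as user and the command path are placeholders. The sudoOrder attribute is assumed to be supported by the installed sudo-ldap build; it is documented in sudoers.ldap(5) as the way to make LDAP rules mimic file order, with the highest sudoOrder taking precedence when several entries match. Without it, which of two matching entries applies is undefined, which is exactly the "closer match is not used" behaviour described above, so any setup that depends on one rule winning over another should set sudoOrder explicitly rather than rely on the order the directory happens to return entries in.

```ldif
# Constructed example: two sudoRole entries that both match a user who is
# a member of both the "admin" and the "users" group. Base DN, cn values,
# run-as user and command path are placeholders, not values from the thread.

# Rule a): admins may run any command, but must authenticate
# (authenticate is the default, so no sudoOption is needed here).
dn: cn=admins,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: admins
sudoUser: %admin
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOrder: 10

# Rule b): everyone in "users" may run one specific command without a
# password. The higher sudoOrder is what makes this entry win for a user
# who also matches rule a); assumption: the installed sudo honours sudoOrder.
dn: cn=users-nopasswd,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: users-nopasswd
sudoUser: %users
sudoHost: ALL
sudoRunAsUser: root
sudoCommand: /usr/bin/placeholder-command
sudoOption: !authenticate
sudoOrder: 20
```

Keeping the passwordless entry limited to a single absolute command path (never ALL) matters more here than the ordering: if the two entries were ever merged the wrong way round, the worst case is an admin being prompted for a password, not an unprompted root shell.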

