[sudo-users] sudo-ldap and precedence

Mark Janssen maniac.nl at gmail.com
Mon Apr 26 11:49:47 EDT 2010

On Mon, Apr 26, 2010 at 4:35 PM, Andreas Heinlein <aheinlein at gmx.com> wrote:
> Hello,
> I have a problem configuring sudo-ldap under Ubuntu 9.10/10.04.
> We have
> a) the usual setup ($admin ALL=(ALL) ALL), where admins can execute any
> command, but have to enter their password
> b) some commands that everyone in the users group can execute *without*
> a password. At the moment, this works for "normal" users but not for
> users which are also in the admin group, these stille have to enter
> their passwordv (%users ALL NOPASSWD:/usr/bin/...).
> As I understand, order of entries should not matter since there is no
> guarantee that LDAP entries are returned in any particular order. But in
> this case it seems to matter because the first entry for the admin group
> seems to be the effective one, instead of the second one (the closer
> match). Is this intended behaviour? Is there any way to change this?

Can you post an LDIF of these rules.
Do you have an 'sudoOption: !authenticate' on your NOPASSWD rule
What do your 'defaults' say

Mark Janssen  --  maniac(at)maniac.nl  --  pgp: 0x357D2178 |   ,''`.  |
Unix / Linux Open-Source and Internet Consultant @ Snow.nl |  : :' :  |
Maniac.nl      MarkJanssen.nl      NerdNet.nl      Unix.nl |  `. `'   |
Skype: markmjanssen ICQ: 129696007 irc: FooBar on undernet |    `-    |

More information about the sudo-users mailing list