What version of sudo is this? The first thing to try is to enable sudoers debugging in ldap.conf. E.g. sudoers_debug 2 That should tell you what exactly is matching (and how). - todd