[sudo-users] ignore_local_sudoers does not work as expected

Todd C. Miller Todd.Miller at courtesan.com
Fri Dec 6 10:25:21 MST 2013

Yes, the order in nsswitch.conf matters.  If you have "files" first
then the local sudoers file is already parsed by the time that the
LDAP rules are read.  The ignore_local_sudoers option predates the
nsswitch.conf integration.  You are probably better off just using:

sudoers: ldap

in nsswitch.conf if you want to prevent the local sudoers file from
being read.

However, if you want the local sudoers file to be used when the
LDAP server is not reachable (and only then) you can configure
nswitch.conf as:

sudoers: ldap files

and then set ignore_local_sudoers in the LDAP rules.  This will
allow the use of a fallback local sudoers file when LDAP is not

 - todd

More information about the sudo-users mailing list