[sudo-users] ignore_local_sudoers does not work as expected

Todd C. Miller Todd.Miller at courtesan.com
Fri Dec 6 10:25:21 MST 2013


Yes, the order in nsswitch.conf matters.  If you have "files" first
then the local sudoers file is already parsed by the time that the
LDAP rules are read.  The ignore_local_sudoers option predates the
nsswitch.conf integration.  You are probably better off just using:

sudoers: ldap

in nsswitch.conf if you want to prevent the local sudoers file from
being read.

However, if you want the local sudoers file to be used when the
LDAP server is not reachable (and only then) you can configure
nsswitch.conf as:

sudoers: ldap files

and then set ignore_local_sudoers in the LDAP rules.  This will
allow the use of a fallback local sudoers file when LDAP is not
working.

 - todd
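An added example (not part of the original post) of the fallback arrangement described above: the nsswitch.conf line plus the LDAP entry that carries ignore_local_sudoers. The base DN dc=example,dc=com is a placeholder, and the ou=SUDOers container and cn=defaults entry follow the standard sudoers LDAP layout (sudoRole objectClass, sudoOption attribute); adjust to your directory.

```ldif
# /etc/nsswitch.conf (one line, shown here as a comment):
#   sudoers: ldap files
# With "ldap" first, sudo reads the LDAP rules before the local file.
# With "files ldap" the local file would already be parsed, and
# ignore_local_sudoers set in LDAP would arrive too late to matter.

# Global defaults entry; sudo reads it before any other sudoRole.
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption values for all hosts
# When LDAP is reachable this option stops /etc/sudoers from being read.
# When LDAP is unreachable the entry is never seen, so sudo falls back to
# the local file listed second in nsswitch.conf.
sudoOption: ignore_local_sudoers

# A minimal rule so the LDAP source is useful once it is authoritative
# (placeholder group and host; constructed for this example).
dn: cn=admins_sudo,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: admins_sudo
sudoUser: %admins
sudoHost: ALL
sudoCommand: ALL
```

Keep the local /etc/sudoers limited to what you are willing to have in force while the directory is down, since that is exactly when it takes effect.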
