[sudo-users] ignore_local_sudoers does not work as expected

fabrice bessettes fabrice.b7 at gmail.com
Sat Dec 7 11:57:30 MST 2013

Thank you for the clarification.

In my case, there will be too many servers, managed by several admins.
I can recommend this kind of configuration, but there's no guarantee
(for me) that all servers plugged into openldap for sudo roles can't
use an old local sudoers file.

Anyway, now I understand that the meaning of this option is how to
manage the fallback to the local sudoers file when the LDAP server is lost.

Best regards,


On Fri, Dec 6, 2013 at 12:25 PM, Todd C. Miller
<Todd.Miller at courtesan.com> wrote:
> Yes, the order in nsswitch.conf matters.  If you have "files" first
> then the local sudoers file is already parsed by the time that the
> LDAP rules are read.  The ignore_local_sudoers option predates the
> nsswitch.conf integration.  You are probably better off just using:
> sudoers: ldap
> in nsswitch.conf if you want to prevent the local sudoers file from
> being read.
> However, if you want the local sudoers file to be used when the
> LDAP server is not reachable (and only then) you can configure
> nsswitch.conf as:
> sudoers: ldap files
> and then set ignore_local_sudoers in the LDAP rules.  This will
> allow the use of a fallback local sudoers file when LDAP is not
> working.
>  - todd

"And there he goes, flying away ... One of God's own prototypes, a
high-powered mutant, never intended for mass production, too weird to
live, and too rare to die..."
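Since Fabrice's concern is that some hosts may still consult an old local sudoers file, the useful check on each server is the order of sources on the "sudoers:" line of nsswitch.conf, which Todd's reply identifies as what actually decides whether /etc/sudoers is parsed before the LDAP rules. The script below is an added example written for this post, not code from the sudo project; it reads a file given as its first argument (assumed, defaulting to /etc/nsswitch.conf), strips comments and any bracketed action tokens, and reports which of the configurations discussed in the thread is in effect. Taking the first uncommented "sudoers:" line is this script's own choice, not documented sudo behaviour.

```shell
#!/bin/sh
# Added example (not part of sudo): report how nsswitch.conf orders the
# "sudoers" sources, so an admin can spot hosts where the local file is
# still consulted before LDAP.
#
# Results:
#   ldap-only        sudoers: ldap           local file never read
#   ldap-then-files  sudoers: ldap files     local file is a fallback; set
#                                            ignore_local_sudoers in the LDAP
#                                            defaults so it is used only when
#                                            LDAP is unreachable
#   files-first      sudoers: files ...      local file parsed before LDAP;
#                                            ignore_local_sudoers comes too late
#   missing          no sudoers line at all  sudo then uses files only
#   unreadable       file cannot be read
classify_sudoers_nss() {
    f="${1:-/etc/nsswitch.conf}"            # assumed: path passed as $1
    [ -r "$f" ] || { echo "unreadable"; return 0; }

    # First uncommented "sudoers:" line (assumption of this script), with
    # trailing comments and [ACTION=...] tokens removed.
    line=$(sed -n \
        's/#.*//; /^[[:space:]]*sudoers[[:space:]]*:/{s/^[[:space:]]*sudoers[[:space:]]*://; s/\[[^]]*\]//g; p;}' \
        "$f" | head -n 1)

    set -- $line                            # split remaining words into sources
    case "$*" in
        "")             echo "missing" ;;
        ldap)           echo "ldap-only" ;;
        "ldap files")   echo "ldap-then-files" ;;
        files*)         echo "files-first" ;;
        *)              echo "other: $*" ;;
    esac
}

classify_sudoers_nss "$1"
```

Run it from a configuration-management job across the fleet and treat "files-first" and "missing" as findings: on those hosts an old /etc/sudoers is still authoritative regardless of what the LDAP rules say.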
