[sudo-users] LDAP Group Evaluation order

Paul Cantle paul at cantle.me
Mon Nov 2 12:09:42 MST 2015

Hi all,

Apologies if this has been answered previously.

I’m using SSSD to source my Sudo groups from LDAP (Active Directory in my case).

Is there any way to control, when a user is a member of 2 groups, which one is sourced first? I’m guessing it uses “least privileged” by default, but for some users or groups I don’t necessarily want this.

For example:

User joe is a member of SSSD Role: System_Admins. Within this role is %wheel. The %wheel group gets ALL with !authenticate (this all works fine).

If I add joe to another SSSD Role: DB_Server_Admins (let’s say he has to be in this role due to nested grouping and Role Based Access Control). Within this role is %dbadmins. The %dbadmins group also gets ALL on this particular server but has to authenticate.

When joe runs any sudo command now, it asks him for a password (and ignores the !authenticate from his %wheel group membership).

Output of sudo -ll:

User joe may run the following commands on this host:

SSSD Role: DB_Server_Admins
    RunAsUsers: ALL

SSSD Role: System_Admins
    RunAsUsers: ALL
    Options: !authenticate

Is there any way to specify for joe or for %wheel that, even if joe is a member of another group, his %wheel group privs are the ones used and not any other group’s?
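The behaviour in the post can be reproduced with a small model of how sudo picks between several matching LDAP sudoRole entries. This is an added example, not code from the post or from the sudo project. It assumes the rule documented in sudoers.ldap(5): among the entries that match the user, host and command, the one with the highest sudoOrder supplies the effective options, an entry without sudoOrder counts as 0, and entries that tie stay in whatever order the directory returned them, which LDAP does not guarantee. The two roles mirror the post; the user's groups, the host name, the command and the sudoOrder values are constructed.

```python
"""Toy model of sudo's LDAP (SSSD) rule precedence.

Added example, not from the post or from sudo itself. Assumed semantics, from
sudoers.ldap(5): the matching sudoRole with the highest sudoOrder supplies the
options; a missing sudoOrder is treated as 0; ties keep the directory's return
order, which LDAP does not guarantee. Only the winning entry's options count.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class SudoRole:
    """One sudoRole entry as SSSD would hand it to sudo."""
    cn: str
    sudo_user: frozenset                          # sudoUser values, e.g. {"%wheel"}
    sudo_host: frozenset = frozenset({"ALL"})     # sudoHost values
    sudo_command: frozenset = frozenset({"ALL"})  # sudoCommand values
    sudo_option: tuple = ()                       # sudoOption values, e.g. ("!authenticate",)
    sudo_order: Optional[int] = None              # absent attribute is treated as 0


def role_matches(role, user, groups, host, command):
    """Does this entry apply to the invoking user on this host for this command?"""
    user_ok = ("ALL" in role.sudo_user or user in role.sudo_user
               or any("%" + g in role.sudo_user for g in groups))
    host_ok = "ALL" in role.sudo_host or host in role.sudo_host
    cmd_ok = "ALL" in role.sudo_command or command in role.sudo_command
    return user_ok and host_ok and cmd_ok


def winning_role(roles, user, groups, host, command):
    """Return the matching entry that supplies the effective options, or None.

    `roles` is in the order the directory returned them. sorted() is stable,
    so entries with equal sudoOrder keep that order: with no sudoOrder set at
    all, the winner depends on something the LDAP server does not promise.
    """
    by_order = sorted(roles, key=lambda r: r.sudo_order or 0, reverse=True)
    for role in by_order:
        if role_matches(role, user, groups, host, command):
            return role
    return None


def must_authenticate(roles, user, groups, host, command):
    """True if sudo would prompt for a password (its default), False if the
    winning entry carries !authenticate. Raises if no entry matches."""
    role = winning_role(roles, user, groups, host, command)
    if role is None:
        raise PermissionError(f"{user} may not run {command} on {host}")
    return "!authenticate" not in role.sudo_option


def roles_from_post(wheel_order=None, dbadmins_order=None):
    """The two roles described in the post; the sudoOrder values are knobs
    added here for illustration, the post does not set them."""
    system_admins = SudoRole("System_Admins", frozenset({"%wheel"}),
                             sudo_option=("!authenticate",), sudo_order=wheel_order)
    db_server_admins = SudoRole("DB_Server_Admins", frozenset({"%dbadmins"}),
                                sudo_order=dbadmins_order)
    return system_admins, db_server_admins


# Constructed invocation: joe, member of both groups, on a constructed host.
JOE = ("joe", {"wheel", "dbadmins"}, "dbhost01.example.test", "/usr/bin/systemctl")

if __name__ == "__main__":
    sa, dba = roles_from_post()
    # The post's situation: no sudoOrder, directory returned DB_Server_Admins first.
    print("no sudoOrder, DB role returned first ->", must_authenticate([dba, sa], *JOE))
    # Same data, other return order: the outcome flips.
    print("no sudoOrder, wheel role returned first ->", must_authenticate([sa, dba], *JOE))
    # Explicit sudoOrder makes the result independent of return order.
    sa, dba = roles_from_post(wheel_order=20, dbadmins_order=10)
    print("sudoOrder 20 vs 10, DB role returned first ->", must_authenticate([dba, sa], *JOE))
```

Two points the model makes visible: with neither entry carrying sudoOrder, whether joe is prompted depends on the order the directory happens to return the entries, and giving the %wheel role the higher sudoOrder is what makes its !authenticate win deterministically. Since that choice lets the more permissive rule override a rule that requires a password, it is worth recording as a deliberate decision rather than leaving it to directory ordering.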
