Bug 715

Summary: LDAP sudoers: Allow negations on hosts, commands and runas to work
Product: Sudo
Reporter: Kelly Block <kelly.block>
Component: Sudoers
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED
Severity: enhancement
CC: kelly.block
Priority: low
Version: 1.8.14
Hardware: All
OS: Linux

Description Kelly Block 2015-08-24 10:40:54 MDT
Overview: 
According to the docs for Sudoers LDAP:
Negations on the Host, User or Runas are currently ignored

Without this functionality, we are unable to get away from flat files for sudoers and LDAP sudoers is essentially useless for us.

Steps to Reproduce:
In LDAP: matches all hosts including web01
sudoHost: ALL
sudoHost: !web01

Expected Results if this limitation was fixed:
In LDAP: matches all hosts except web01
sudoHost: ALL
sudoHost: !web01
Comment 1 Todd C. Miller 2015-08-24 10:53:45 MDT
There's no technical reason this cannot be supported but do be aware that because there is no guaranteed ordering within the LDAP results a negative match must always override a positive one, regardless of the order of the rule in the original LDIF.
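The order-independence point in the comment above, as an added example that is not part of the original bug report or of sudo's own code: a small Python model of three ways to evaluate a hostname against a list of sudoHost values. The first mirrors the documented pre-fix behaviour (negated values ignored), the second is the order-independent rule Todd describes (any matching negation overrides any positive match, whichever the LDAP server returns first), and the third is the ordered last-match-wins evaluation of a sudoers file, modelled here only for contrast. Host matching is deliberately simplified (ALL, exact names and shell-style wildcards; no netgroups, IP addresses or netmasks), the sample values are constructed from the report, and all function names are this example's own.

```python
from fnmatch import fnmatchcase
from typing import Iterable, Tuple


def host_pattern_matches(pattern: str, host: str) -> bool:
    """Simplified sudoHost matching: ALL, an exact name, or a shell-style
    wildcard. Netgroups, IP addresses and netmasks are left out on purpose."""
    if pattern == "ALL":
        return True
    return fnmatchcase(host, pattern)


def parse_entry(entry: str) -> Tuple[bool, str]:
    """Split a value such as '!web01' into (negated, pattern).
    An even number of leading '!' cancels out, as in sudoers lists."""
    bangs = len(entry) - len(entry.lstrip("!"))
    return bangs % 2 == 1, entry[bangs:].strip()


def ldap_host_allowed_ignoring_negations(values: Iterable[str], host: str) -> bool:
    """The behaviour the report complains about: negated sudoHost values are
    skipped entirely, so 'ALL' still matches web01 despite '!web01'."""
    for value in values:
        negated, pattern = parse_entry(value)
        if not negated and host_pattern_matches(pattern, host):
            return True
    return False


def ldap_host_allowed(values: Iterable[str], host: str) -> bool:
    """Order-independent rule from Comment 1: LDAP attribute values come back
    in no guaranteed order, so a matching negated value always denies, even
    when a positive value also matches and regardless of which came first."""
    positive = False
    for value in values:
        negated, pattern = parse_entry(value)
        if host_pattern_matches(pattern, host):
            if negated:
                return False
            positive = True
    return positive


def file_host_allowed(entries: Iterable[str], host: str) -> bool:
    """Ordered, file-style evaluation modelled for contrast: the last matching
    element of the list decides, so 'ALL, !web01' and '!web01, ALL' differ."""
    for entry in reversed(list(entries)):
        negated, pattern = parse_entry(entry)
        if host_pattern_matches(pattern, host):
            return not negated
    return False


if __name__ == "__main__":
    # Constructed sample: the two sudoHost values from the report, in the
    # order written and in the reverse order an LDAP server might return.
    for values in (["ALL", "!web01"], ["!web01", "ALL"]):
        for host in ("web01", "db01"):
            print(
                f"{values!r:20} host={host:6} "
                f"ignore_neg={ldap_host_allowed_ignoring_negations(values, host)!s:5} "
                f"ldap={ldap_host_allowed(values, host)!s:5} "
                f"file={file_host_allowed(values, host)!s:5}"
            )
```

The important property of `ldap_host_allowed` is that swapping the two values changes nothing, which is exactly why a negation must override a positive match when the source cannot promise an order; the file-style function shows the ordered alternative that LDAP cannot safely reproduce.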
Comment 2 Todd C. Miller 2017-05-10 10:38:46 MDT
Support for negated sudoHost entries was added in sudo 1.8.18