Bugzilla – Bug 849
LDAP sortOrder doesn't work properly
Last modified: 2018-09-05 06:27:43 MDT
After updating to 1.8.24, LDAP sortOrder doesn't work properly. I guess this is caused by ldap_entry_compare() in ldap.c:

    1736    debug_return_int(bw->order < aw->order ? -1 :
    1737        (bw->order > aw->order ? 1 : 0));

should be

    1736    debug_return_int(aw->order < bw->order ? -1 :
    1737        (aw->order > bw->order ? 1 : 0));

I think the f9be3a48a221560671bd3dc6425f3aac348329b4 change introduced this behaviour.

The sudo man page suggests that the last match is used when multiple matches occur. However, I used the following LDIF to let the group member use sudo without authentication for some commands, and this worked fine until 1.8.23. Since 1.8.24, I have to add sudoOrder: 200 to cn=admin.

    dn: cn=admin,ou=SUDOers,dc=example,dc=com
    cn: admin
    objectClass: top
    objectClass: sudoRole
    sudoUser: %admin
    sudoCommand: ALL
    sudoHost: ALL
    sudoRunAsUser: ALL

    dn: cn=admin-noauth,ou=SUDOers,dc=example,dc=com
    cn: admin-noauth
    objectClass: top
    objectClass: sudoRole
    sudoUser: %admin
    sudoCommand: COMMAND
    sudoOption: !authenticate
    sudoHost: ALL
    sudoRunAsUser: ALL
    sudoOrder: 100
Starting in sudo 1.8.24 the LDAP backend converts the entries to a sudoers-style parse tree. As a result, entries now need to be sorted in ascending, not descending order. This was already correct for the LDIF parsing code in cvtsudoers but had not been changed in ldap.c itself. It is fixed by the following commit which will be present in sudo 1.8.25: https://www.sudo.ws/repos/sudo/rev/9f23126cded8
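To show why the sort direction matters once the LDAP entries feed a last-match-wins parse tree, here is an added example (not sudo's own code) that sorts stand-ins for the two LDIF entries from the report with the 1.8.24 comparator and with the fixed one, then picks the last entry as the match. The struct, the default sudoOrder of 0 for cn=admin (which has none) and the noauth_wins() helper are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the per-entry data ldap.c sorts. */
struct sudo_role {
    const char *cn;
    int order;   /* sudoOrder; assumed to default to 0 when absent */
    int noauth;  /* 1 if the entry carries "sudoOption: !authenticate" */
};

/* Comparator as in sudo 1.8.24: b compared against a => descending sudoOrder. */
static int cmp_descending(const void *a, const void *b)
{
    const struct sudo_role *aw = a, *bw = b;
    return bw->order < aw->order ? -1 : (bw->order > aw->order ? 1 : 0);
}

/* Comparator from the fix: ascending sudoOrder, as the parse tree expects. */
static int cmp_ascending(const void *a, const void *b)
{
    const struct sudo_role *aw = a, *bw = b;
    return aw->order < bw->order ? -1 : (aw->order > bw->order ? 1 : 0);
}

/* Sort copies of the two entries from the report with the given comparator
 * and apply the sudoers "last match wins" rule (both entries match a member
 * of %admin running COMMAND). Returns 1 if the winning entry carries
 * !authenticate, 0 if the user would still be prompted for a password. */
int noauth_wins(int (*cmp)(const void *, const void *))
{
    struct sudo_role roles[] = {
        { "admin",        0,   0 },  /* cn=admin: no sudoOrder, assumed 0 */
        { "admin-noauth", 100, 1 },  /* cn=admin-noauth: sudoOrder 100 */
    };
    size_t n = sizeof(roles) / sizeof(roles[0]);

    qsort(roles, n, sizeof(roles[0]), cmp);
    return roles[n - 1].noauth;  /* last entry in sorted order is the match */
}

int main(void)
{
    printf("1.8.24 (descending): !authenticate honoured = %d\n",
           noauth_wins(cmp_descending));
    printf("fixed   (ascending): !authenticate honoured = %d\n",
           noauth_wins(cmp_ascending));
    return 0;
}
```

With the descending sort cn=admin lands last and its options win, which is why the reporter had to raise cn=admin's sudoOrder above 100 to restore the old result.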
Fixed in sudo 1.8.25