A note on using an LDAP group to grant sudo access

In order for sudo to perform an LDAP lookup you might need to add the “sudoers_base” parameter to the ldap.conf file, with a distinguished name to use as the search base. Whether this is needed depends on how the rest of your ldap.conf file is configured.
Example: sudoers_base ou=someOU,dc=someDomain,dc=com

Also, in order for sudo to validate that you are a member of an LDAP group, your UID must be associated with the group. My particular LDAP directory is Active Directory with the Microsoft Services for Unix installed. Each group has additional Unix attributes available that can contain the UIDs of its members.


If LDAP users or groups are not working with sudo, you can add the “sudoers_debug” parameter to the ldap.conf file with a value of “2”. Note the space between the parameter name and its value.
Example: sudoers_debug 2

You can then use “sudo -l” to get a better idea of why the LDAP lookups may be failing.
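The following is an added example, not part of the original note: a small POSIX shell check that reads an ldap.conf, reports the configured sudoers_base, warns when sudoers_debug has been left enabled after troubleshooting, and catches the missing-space mistake (a sudoers_ key with no value). It assumes the "key value" line format of ldap.conf and the sudo-ldap key names sudoers_base and sudoers_debug; the OU and domain in the sample file are placeholders.

```shell
#!/bin/sh
# Constructed sample ldap.conf (placeholder OU/domain) so the check runs offline.
SAMPLE_LDAP_CONF="$(mktemp)"
cat > "$SAMPLE_LDAP_CONF" <<'EOF'
uri ldap://dc1.example.test
base dc=someDomain,dc=com
sudoers_base ou=someOU,dc=someDomain,dc=com
sudoers_debug 2
EOF

# ldap_conf_get FILE KEY: print the value of KEY (last occurrence wins),
# or an empty line if the key is absent. Commented lines never match.
ldap_conf_get() {
    awk -v key="$2" '
        $1 == key { v = $2; for (i = 3; i <= NF; i++) v = v " " $i }
        END { print v }' "$1"
}

# audit_sudo_ldap FILE: return 0 when sudoers_base is set, no sudoers_ key is
# missing its value, and sudoers_debug is off; otherwise print warnings and return 1.
audit_sudo_ldap() {
    rc=0
    base=$(ldap_conf_get "$1" sudoers_base)
    debug=$(ldap_conf_get "$1" sudoers_debug)
    if [ -z "$base" ]; then
        echo "WARN: no sudoers_base in $1; sudo has no search base for sudoRole entries" >&2
        rc=1
    else
        echo "OK: sudoers_base is $base"
    fi
    # A sudoers_ key with no value (e.g. "sudoers_debug2") is almost always a missing space.
    if awk '$1 ~ /^sudoers_/ && NF == 1 { found = 1 } END { exit !found }' "$1"; then
        echo "WARN: sudoers_ parameter without a value in $1; check for a missing space" >&2
        rc=1
    fi
    case "$debug" in
        ''|0) ;;
        *) echo "WARN: sudoers_debug $debug is still enabled; debug output exposes directory layout and lookups, disable it once fixed" >&2
           rc=1 ;;
    esac
    return $rc
}
```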

