Pick last match in LDAP sudoers too

--HG--
branch : 1.7

diff --git a/ldap.c b/ldap.c
index 7ab90e1a453209529f9a03b15c5e3a1377d61361..6845d96dccc8261577cfdf7f7cefea215799f873 100644 (file)
--- a/ldap.c
+++ b/ldap.c
@@ -2187,7 +2187,7 @@ done:
 }
 
 /*
- * Sort comparison function for ldap_entry_wrapper structures.
+ * Comparison function for ldap_entry_wrapper structures, descending order.
  */
 static int
 ldap_entry_compare(a, b)
@@ -2197,8 +2197,8 @@ ldap_entry_compare(a, b)
     const struct ldap_entry_wrapper *aw = a;
     const struct ldap_entry_wrapper *bw = b;
 
-    return(aw->order < bw->order ? -1 :
-       (aw->order > bw->order ? 1 : 0));
+    return(bw->order < aw->order ? -1 :
+       (bw->order > aw->order ? 1 : 0));
 }
 
 /*

diff --git a/sudoers.ldap.pod b/sudoers.ldap.pod
index ee0c5a14790dbd6a10a52bf1dab162355c27bf80..6341b16a9726e4dc4ec1bc37c5a84f2e3001b6ac 100644 (file)
--- a/sudoers.ldap.pod
+++ b/sudoers.ldap.pod
@@ -158,8 +158,9 @@ floating point value for LDAP servers that support it) that is used
 to sort the matching entries.  This allows LDAP-based sudoers entries
 to more closely mimic the behaviour of the sudoers file, where the
 of the entries influences the result.  If multiple entries match,
-the entry with the lowest B<sudoOrder> attribute is chosen.  If the
-B<sudoOrder> attribute is not present, a value of 0 is assumed.
+the entry with the highest B<sudoOrder> attribute is chosen.  This
+corresponds to the "last match" behavior of the sudoers file.  If
+the B<sudoOrder> attribute is not present, a value of 0 is assumed.
 
 =back