From 1ed28e78dc483175fbfab93f3a0d23cefffaf2f9 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Sat, 18 Dec 2010 14:31:52 -0500
Subject: [PATCH] Pick last match in LDAP sudoers too

--HG--
branch : 1.7
---
 ldap.c | 6 +++---
 sudoers.ldap.pod | 5 +++--
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/ldap.c b/ldap.c
index 7ab90e1a4..6845d96dc 100644
--- a/ldap.c
+++ b/ldap.c
@@ -2187,7 +2187,7 @@ done:
 }
 
 /*
- * Sort comparison function for ldap_entry_wrapper structures.
+ * Comparison function for ldap_entry_wrapper structures, descending order.
 */
 static int
 ldap_entry_compare(a, b)
@@ -2197,8 +2197,8 @@ ldap_entry_compare(a, b)
 const struct ldap_entry_wrapper *aw = a;
 const struct ldap_entry_wrapper *bw = b;
 
- return(aw->order < bw->order ? -1 :
- (aw->order > bw->order ? 1 : 0));
+ return(bw->order < aw->order ? -1 :
+ (bw->order > aw->order ? 1 : 0));
 }
 
 /*
diff --git a/sudoers.ldap.pod b/sudoers.ldap.pod
index ee0c5a147..6341b16a9 100644
--- a/sudoers.ldap.pod
+++ b/sudoers.ldap.pod
@@ -158,8 +158,9 @@ floating point value for LDAP servers that support it) that is used to sort the matching entries. This allows LDAP-based sudoers entries to more closely mimic the behaviour of the sudoers file, where the of the entries influences the result. If multiple entries match, -the entry with the lowest B attribute is chosen. If the -B attribute is not present, a value of 0 is assumed. +the entry with the highest B attribute is chosen. This +corresponds to the "last match" behavior of the sudoers file. If +the B attribute is not present, a value of 0 is assumed. =back
-- 
2.50.1
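Review bot: Entries whose `order` values are equal still compare as 0 in the reversed `return` of ldap_entry_compare (second ldap.c hunk), so under the new highest-wins rule the winner among tied entries is decided by the sort routine, which is not visible here; if that is qsort(), the relative position of equal elements is unspecified. This matters for policy evaluation because the documentation changed in this same commit says a missing ordering attribute is treated as 0, so an entry that permits a command and one that negates it can tie when neither carries the attribute. I would extend the header comment touched in the first ldap.c hunk with `Entries with equal order compare equal; their relative position after sorting is not defined.`, or add a secondary key if a deterministic result is wanted. The parameter declarations and opening brace of the function lie between the two hunks and are not shown.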