From 93e963584279a4e068ce9619cee1b0be1e5edffb Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@courtesan.com>
Date: Mon, 20 Dec 2010 16:37:44 -0500
Subject: [PATCH] Pick last match in LDAP sudoers too

---
 doc/sudoers.ldap.pod   | 5 +++--
 plugins/sudoers/ldap.c | 6 +++---
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/doc/sudoers.ldap.pod b/doc/sudoers.ldap.pod
index ee0c5a147..6341b16a9 100644
--- a/doc/sudoers.ldap.pod
+++ b/doc/sudoers.ldap.pod
@@ -158,8 +158,9 @@ floating point value for LDAP servers that support it) that is used
 to sort the matching entries.  This allows LDAP-based sudoers entries
 to more closely mimic the behaviour of the sudoers file, where the
 of the entries influences the result.  If multiple entries match,
-the entry with the lowest B<sudoOrder> attribute is chosen.  If the
-B<sudoOrder> attribute is not present, a value of 0 is assumed.
+the entry with the highest B<sudoOrder> attribute is chosen.  This
+corresponds to the "last match" behavior of the sudoers file.  If
+the B<sudoOrder> attribute is not present, a value of 0 is assumed.
 
 =back
 
diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
index 89d4fda99..a1091c756 100644
--- a/plugins/sudoers/ldap.c
+++ b/plugins/sudoers/ldap.c
@@ -2112,7 +2112,7 @@ done:
 }
 
 /*
- * Sort comparison function for ldap_entry_wrapper structures.
+ * Comparison function for ldap_entry_wrapper structures, descending order.
  */
 static int
 ldap_entry_compare(const void *a, const void *b)
@@ -2120,8 +2120,8 @@ ldap_entry_compare(const void *a, const void *b)
     const struct ldap_entry_wrapper *aw = a;
     const struct ldap_entry_wrapper *bw = b;
 
-    return(aw->order < bw->order ? -1 :
-	(aw->order > bw->order ? 1 : 0));
+    return(bw->order < aw->order ? -1 :
+	(bw->order > aw->order ? 1 : 0));
 }
 
 /*
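Review bot: Entries whose `order` values are equal still compare as 0 in the new `return`, so if this comparator feeds an unstable sort such as qsort() (the call site is outside the hunk, so this is inferred), the relative position of tied entries is unspecified. The documentation hunk in this patch says a missing sudoOrder is treated as 0, so every entry without the attribute ties, and which of them is chosen as the deciding match could differ between libc implementations. At minimum the header comment should say so, e.g. ` * Entries with equal order compare equal; their relative position after sorting is unspecified.`; a deterministic tie-break would need a second key that is not visible here. The function's signature and its comment sit in the previous hunk.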
-- 
2.40.0