An empty RunAsUser means run as the invoking user, similar to how

the sudoers files works.

plugins/sudoers/ldap.c

@@ -855,6 +855,12 @@ sudo_ldap_check_runas_user(LDAP *ld, LDAPMessage *entry, int *group_matched)
 	    if (usergr_matches(val, runas_pw->pw_name, runas_pw))
 		ret = true;
 	    break;
+	case '\0':
+	    /* Empty RunAsUser means run as the invoking user. */
+	    if (ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED) &&
+		strcmp(user_name, runas_pw->pw_name) == 0)
+		ret = true;
+	    break;
 	case 'A':
 	    if (strcmp(val, "ALL") == 0) {
 		ret = true;
@@ -2459,7 +2465,8 @@ sudo_ldap_display_entry_short(LDAP *ld, LDAPMessage *entry, struct passwd *pw,
 	bv = ldap_get_values_len(ld, entry, "sudoRunAs");
     if (bv != NULL) {
 	for (p = bv; *p != NULL; p++) {
-	    sudo_lbuf_append(lbuf, "%s%s", p != bv ? ", " : "", (*p)->bv_val);
+	    sudo_lbuf_append(lbuf, "%s%s", p != bv ? ", " : "",
+		(*p)->bv_val[0] ? (*p)->bv_val : user_name);
 	}
 	ldap_value_free_len(bv);
 	no_runas_user = false;