diff --git a/plugins/sudoers/defaults.c b/plugins/sudoers/defaults.c
index 989274dd2..6f9511687 100644
--- a/plugins/sudoers/defaults.c
+++ b/plugins/sudoers/defaults.c
@@ -539,9 +539,6 @@ init_defaults(void)
 #ifdef HAVE_SELINUX
 def_selinux = true;
 #endif
-#ifdef HAVE_INNETGR
- def_use_netgroups = true;
-#endif
 #ifdef _PATH_SUDO_ADMIN_FLAG
 if ((def_admin_flag = strdup(_PATH_SUDO_ADMIN_FLAG)) == NULL)
 goto oom;
@@ -550,6 +547,7 @@ init_defaults(void)
 goto oom;
 def_intercept_type = dso;
 def_intercept_verify = true;
+ def_use_netgroups = true;
 def_netgroup_tuple = false;
 def_sudoedit_checkdir = true;
 def_iolog_mode = S_IRUSR|S_IWUSR;
diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
index 37b1efd19..15fac4334 100644
--- a/plugins/sudoers/ldap.c
+++ b/plugins/sudoers/ldap.c
@@ -297,8 +297,11 @@ sudo_ldap_get_values_len(LDAP *ld, LDAPMessage *entry, const char *attr, int *rc
 * A matching entry that is negated will always return false.
 */
 static int
-sudo_ldap_check_non_unix_group(LDAP *ld, LDAPMessage *entry, struct passwd *pw)
+sudo_ldap_check_non_unix_group(const struct sudo_nss *nss, LDAPMessage *entry,
+ struct passwd *pw)
 {
+ struct sudo_ldap_handle *handle = nss->handle;
+ LDAP *ld = handle->ld;
 struct berval **bv, **p;
 bool ret = false;
 int rc;
@@ -325,8 +328,7 @@ sudo_ldap_check_non_unix_group(LDAP *ld, LDAPMessage *entry, struct passwd *pw)
 negated = true;
 }
 if (*val == '+') {
- /* Custom innetgr() function not used here. */
- if (netgr_matches(NULL, val,
+ if (netgr_matches(nss, val,
 def_netgroup_tuple ? user_runhost : NULL,
 def_netgroup_tuple ? user_srunhost : NULL, pw->pw_name))
 ret = true;
@@ -1845,7 +1847,7 @@ sudo_ldap_result_get(const struct sudo_nss *nss, struct passwd *pw)
 LDAP_FOREACH(entry, ld, result) {
 if (pass != 0) {
 /* Check non-unix group in 2nd pass. */
- switch (sudo_ldap_check_non_unix_group(ld, entry, pw)) {
+ switch (sudo_ldap_check_non_unix_group(nss, entry, pw)) {
 case -1:
 goto oom;
 case false:
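Review bot: The added `def_use_netgroups = true;` in the second defaults.c hunk sets the default unconditionally, where the lines removed in the first hunk set it only under HAVE_INNETGR, and the new line carries no comment recording why the guard is no longer needed. A short comment such as `/* Netgroup matching no longer depends on the C library's innetgr(); an nss backend may supply its own. */` would preserve the reasoning, if that is indeed the motivation — the ldap.c hunks in this commit now pass the nss into netgr_matches(), which suggests it, but the commit message is not visible here. init_defaults's body begins and continues outside both hunks.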
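Review bot: The added lines `struct sudo_ldap_handle *handle = nss->handle;` and `LDAP *ld = handle->ld;` in the first ldap.c hunk dereference nss and its handle unchecked, so sudo_ldap_check_non_unix_group now carries a precondition that the old `LDAP *ld` parameter made explicit: the caller must pass the LDAP source with an open handle. The only caller visible in this commit (sudo_ldap_result_get, third ldap.c hunk) is already iterating an LDAP result, so this appears to hold, but the function's header comment — which begins above the hunk — should state it, e.g. `nss must be the LDAP source; its handle's ld is used to read the entry's values.` The one-use `handle` local could also be folded into the `ld` initializer, though that is a matter of taste. The function body continues past the hunk.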
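Review bot: The removed comment `/* Custom innetgr() function not used here. */` in the second ldap.c hunk was the only record of why NULL was passed to netgr_matches(), and the new `if (netgr_matches(nss, val,` has no replacement even though, read against the removed text, it presumably reverses that decision and lets netgr_matches() consult the backend-specific innetgr() when deciding whether a `+netgroup` non-Unix group entry matches. Because that alters an authorization decision for LDAP-sourced entries, a comment on the new line such as `/* Let netgr_matches() use the LDAP backend's innetgr() if it has one. */` would make the intent reviewable, assuming that is the intent. The enclosing function starts and ends outside the hunk.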
diff --git a/plugins/sudoers/match.c b/plugins/sudoers/match.c
index 0d0a70858..49b9e94d2 100644
--- a/plugins/sudoers/match.c
+++ b/plugins/sudoers/match.c
@@ -671,7 +671,7 @@ sudo_getdomainname(void)
 * in which case that argument is not checked...
 */
 bool
-netgr_matches(struct sudo_nss *nss, const char *netgr,
+netgr_matches(const struct sudo_nss *nss, const char *netgr,
 const char *lhost, const char *shost, const char *user)
 {
 const char *domain;
diff --git a/plugins/sudoers/parse.h b/plugins/sudoers/parse.h
index c012696a7..e868986bd 100644
--- a/plugins/sudoers/parse.h
+++ b/plugins/sudoers/parse.h
@@ -435,7 +435,7 @@ struct group;
 struct passwd;
 bool group_matches(const char *sudoers_group, const struct group *gr);
 bool hostname_matches(const char *shost, const char *lhost, const char *pattern);
-bool netgr_matches(struct sudo_nss *nss, const char *netgr, const char *lhost, const char *shost, const char *user);
+bool netgr_matches(const struct sudo_nss *nss, const char *netgr, const char *lhost, const char *shost, const char *user);
 bool usergr_matches(const char *group, const char *user, const struct passwd *pw);
 bool userpw_matches(const char *sudoers_user, const char *user, const struct passwd *pw);
 int cmnd_matches(const struct sudoers_parse_tree *parse_tree, const struct member *m, const char *runchroot, struct cmnd_info *info);