diff --git a/plugins/sudoers/parse_ldif.c b/plugins/sudoers/parse_ldif.c
index 4e14efe55..024430ca8 100644
--- a/plugins/sudoers/parse_ldif.c
+++ b/plugins/sudoers/parse_ldif.c
@@ -573,14 +573,12 @@ sudoers_parse_ldif(struct sudoers_parse_tree *parse_tree,
 if (role->cn != NULL && strcmp(role->cn, "defaults") == 0) {
 ldif_store_options(parse_tree, role->options);
 sudo_role_free(role);
- role = NULL;
 } else if (STAILQ_EMPTY(role->users) || STAILQ_EMPTY(role->hosts) || STAILQ_EMPTY(role->cmnds)) {
 /* Incomplete role. */
 sudo_warnx(U_("ignoring incomplete sudoRole: cn: %s"), role->cn ? role->cn : "UNKNOWN");
 sudo_role_free(role);
- role = NULL;
 } else {
 /* Cache users, hosts, runasusers and runasgroups. */
 if (str_list_cache(usercache, &role->users) == -1 ||
@@ -638,14 +636,6 @@ sudoers_parse_ldif(struct sudoers_parse_tree *parse_tree,
 ungetc(ch, fp);
 }
- /* Allocate new role as needed. */
- if (role == NULL) {
- if ((role = sudo_role_alloc()) == NULL) {
- sudo_fatalx(U_("%s: %s"), __func__,
- U_("unable to allocate memory"));
- }
- }
- /* Parse dn and objectClass. */
 if (strncasecmp(line, "dn:", 3) == 0) {
 /* Compare dn to base, if specified. */
@@ -676,8 +666,16 @@ sudoers_parse_ldif(struct sudoers_parse_tree *parse_tree,
 }
 } else if (strncmp(line, "objectClass:", 12) == 0) {
 attr = ldif_parse_attribute(line + 12);
- if (attr != NULL && strcmp(attr, "sudoRole") == 0)
+ if (attr != NULL && strcmp(attr, "sudoRole") == 0) {
+ /* Allocate new role as needed. */
+ if (role == NULL) {
+ if ((role = sudo_role_alloc()) == NULL) {
+ sudo_fatalx(U_("%s: %s"), __func__,
+ U_("unable to allocate memory"));
+ }
+ }
 in_role = true;
+ }
 }
 /* Not in a sudoRole, keep reading. */
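Review bot: The `if (role == NULL)` guard added in the `objectClass:` branch is only safe if `role` is reset to NULL after every entry is freed or stored, and the first hunk removes `role = NULL;` after both `sudo_role_free(role)` calls. The end of that if/else chain is outside the hunk, so confirm a single reset follows it. Without one, the next `objectClass: sudoRole` line in the LDIF input would skip the allocation and write into a freed role. I would document the invariant at the guard, for example `/* role is NULL here unless this entry already allocated one; it is reset after each entry is stored or freed */`. Since `role` can now be NULL for every line read before `objectClass: sudoRole`, nothing that runs ahead of the "Not in a sudoRole" check (including the `dn:` branch, whose body continues outside the hunk) may dereference it.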