Pick last match in LDAP sudoers too

doc/sudoers.ldap.pod

@@ -158,8 +158,9 @@ floating point value for LDAP servers that support it) that is used
 to sort the matching entries.  This allows LDAP-based sudoers entries
 to more closely mimic the behaviour of the sudoers file, where the
 of the entries influences the result.  If multiple entries match,
-the entry with the lowest B<sudoOrder> attribute is chosen.  If the
-B<sudoOrder> attribute is not present, a value of 0 is assumed.
+the entry with the highest B<sudoOrder> attribute is chosen.  This
+corresponds to the "last match" behavior of the sudoers file.  If
+the B<sudoOrder> attribute is not present, a value of 0 is assumed.
 
 =back
 

plugins/sudoers/ldap.c

@@ -2112,7 +2112,7 @@ done:
 }
 
 /*
- * Sort comparison function for ldap_entry_wrapper structures.
+ * Comparison function for ldap_entry_wrapper structures, descending order.
  */
 static int
 ldap_entry_compare(const void *a, const void *b)
@@ -2120,8 +2120,8 @@ ldap_entry_compare(const void *a, const void *b)
     const struct ldap_entry_wrapper *aw = a;
     const struct ldap_entry_wrapper *bw = b;
 
-    return(aw->order < bw->order ? -1 :
-	(aw->order > bw->order ? 1 : 0));
+    return(bw->order < aw->order ? -1 :
+	(bw->order > aw->order ? 1 : 0));
 }
 
 /*