From be034d5e7eeab79191b6ac1a33e1a03c7a51098c Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Fri, 21 Jan 2011 08:10:26 -0500
Subject: [PATCH] In sudo_ldap_lookup(), always do the initial sudoers check as the invoking user. If we are listing another user's privs we will do a separate lookup using list_pw later.

---
 plugins/sudoers/ldap.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
index 8533dbf95..0e8c8e276 100644
--- a/plugins/sudoers/ldap.c
+++ b/plugins/sudoers/ldap.c
@@ -2043,7 +2043,6 @@ sudo_ldap_lookup(struct sudo_nss *nss, int ret, int pwflag)
     LDAP *ld;
     LDAPMessage *entry;
     int i, rc, setenv_implied, matched = UNSPEC;
-    struct passwd *pw = list_pw ? list_pw : sudo_user.pw;
     struct ldap_result *lres = NULL;
     if (handle == NULL || handle->ld == NULL)
@@ -2051,7 +2050,7 @@ sudo_ldap_lookup(struct sudo_nss *nss, int ret, int pwflag)
     ld = handle->ld;
     /* Fetch list of sudoRole entries that match user and host. */
-    lres = sudo_ldap_result_get(nss, pw);
+    lres = sudo_ldap_result_get(nss, sudo_user.pw);
     /*
      * The following queries are only determine whether or not a
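Review bot: The comment above the `sudo_ldap_result_get()` call still reads as a generic user/host match and no longer records why `sudo_user.pw` is passed even when `list_pw` is set, which is the security-relevant invariant this commit establishes (the invoking user's own sudoRole entries decide the initial check, not the target user's). A maintainer seeing a `-U user` listing code path later could easily "fix" this back to `list_pw`, so the reason belongs next to the call: `/* Fetch sudoRole entries matching the invoking user and host. Always use sudo_user.pw here, even for "sudo -l -U user" (list_pw): the target user's roles must not decide whether the invoker may list; the list_pw lookup happens separately later. */`. The function body continues outside both hunks; the diffstat (1 insertion, 2 deletions) suggests no other use of the removed `pw` local remains, but that cannot be confirmed from the hunk, and any leftover reference would fail to compile after the declaration was dropped. Whether `sudo_ldap_result_get()` caches results per passwd entry, and thus whether the later `list_pw` lookup hits a stale cache, is not visible here and is worth a glance in that helper.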