In -l mode, only check local sudoers file if def_ignore_sudoers is not set

and call LDAP versions from display_privs() and display_cmnd() instead
of directly from main().  Because of this we need to defer closing
the ldap connection until after -l processing has ocurred and we
must pass in the ldap pointer to display_privs() and display_cmnd().

parse.c

@@ -206,7 +206,8 @@ sudoers_lookup(pwflag)
  * Print out privileges for the specified user.
  */
 void
-display_privs(pw)
+display_privs(v, pw)
+    VOID *v;
     struct passwd *pw;
 {
     struct cmndspec *cs;
@@ -228,6 +229,7 @@ display_privs(pw)
     }
 #endif
 
+    if (!def_ignore_local_sudoers) {
 	display_defaults(pw);
 
 	print_priv3("User ", pw->pw_name,
@@ -273,6 +275,11 @@ display_privs(pw)
 	    }
 	}
     }
+#ifdef HAVE_LDAP
+    if (v != NULL)
+	sudo_ldap_display_privs(v, pw);
+#endif
+}
 
 /*
  * Display matching Defaults entries for the given user on this host.
@@ -392,14 +399,20 @@ display_bound_defaults(dtype)
  * command is allowed.
  */
 int
-display_cmnd(pw)
+display_cmnd(v, pw)
+    VOID *v;
     struct passwd *pw;
 {
     struct cmndspec *cs;
     struct member *match, *runas;
     struct privilege *priv;
     struct userspec *us;
+    int rval = 1;
 
+#ifdef HAVE_LDAP
+    rval = sudo_ldap_display_cmnd(v, pw);
+#endif
+    if (rval != 0 && !def_ignore_local_sudoers) {
 	for (match = NULL, us = userspecs; us != NULL; us = us->next) {
 	    if (user_matches(pw, us->user) != TRUE ||
 	      host_matches(us->privileges->hostlist) != TRUE)
@@ -416,11 +429,13 @@ display_cmnd(pw)
 		}
 	    }
 	}
-    if (match == NULL || match->negated)
+	if (match != NULL && !match->negated) {
-	return(1);
 	    printf("%s%s%s\n", safe_cmnd, user_args ? " " : "",
 		user_args ? user_args : "");
-    return(0);
+	    rval = 0;
+	}
+    }
+    return(rval);
 }
 
 /*

sudo.c

@@ -152,9 +152,7 @@ main(argc, argv)
     int sudo_mode;
     int pwflag;
     sigaction_t sa;
-#ifdef HAVE_LDAP
+    VOID *ld = NULL;
-    VOID *ld;
-#endif
     extern char **environ;
 
 #ifdef HAVE_SETLOCALE
@@ -294,10 +292,8 @@ main(argc, argv)
     cmnd_status = set_cmnd(sudo_mode);
 
 #ifdef HAVE_LDAP
-    if (ld != NULL) {
+    if (ld != NULL)
 	validated = sudo_ldap_check(ld, pwflag);
-	sudo_ldap_close(ld);
-    }
     /* Fallback to sudoers if we are allowed to and we aren't validated. */
     if (!def_ignore_local_sudoers && !ISSET(validated, VALIDATE_OK))
 #endif
@@ -373,15 +369,19 @@ main(argc, argv)
 	if (sudo_mode == MODE_VALIDATE)
 	    exit(0);
 	else if (sudo_mode == MODE_CHECK)
-	    exit(display_cmnd(list_pw ? list_pw : sudo_user.pw));
+	    exit(display_cmnd(ld, list_pw ? list_pw : sudo_user.pw));
 	else if (sudo_mode == MODE_LIST) {
-	    display_privs(list_pw ? list_pw : sudo_user.pw);
+	    display_privs(ld, list_pw ? list_pw : sudo_user.pw);
-#ifdef HAVE_LDAP
-	    sudo_ldap_display_privs();	/* XXX - use list_pw */
-#endif
 	    exit(0);
 	}
 
+#ifdef HAVE_LDAP
+	if (ld != NULL) {
+	    sudo_ldap_close(ld);
+	    ld = NULL;
+	}
+#endif
+
 #ifdef HAVE_SYSTRACE 
 	if (def_monitor)
 	    systrace_attach(getpid());

sudo.h

@@ -216,7 +216,8 @@ int sudoers_lookup	__P((int));
 int parse_sudoers	__P((const char *));
 #ifdef HAVE_LDAP
 int sudo_ldap_check	__P((VOID *, int));
-void sudo_ldap_display_privs __P((void));
+void sudo_ldap_display_privs __P((VOID *, struct passwd *));
+int sudo_ldap_display_cmnd __P((VOID *, struct passwd *));
 void sudo_ldap_update_defaults __P((VOID *));
 VOID *sudo_ldap_open	__P((void));
 void sudo_ldap_close	__P((VOID *));
@@ -251,8 +252,8 @@ int pam_prep_user	__P((struct passwd *));
 void zero_bytes		__P((volatile VOID *, size_t));
 int gettime		__P((struct timespec *));
 FILE *open_sudoers	__P((const char *, int *));
-void display_privs	__P((struct passwd *));
+void display_privs	__P((VOID *, struct passwd *));
-int display_cmnd	__P((struct passwd *));
+int display_cmnd	__P((VOID *, struct passwd *));
 void sudo_setgrent	__P((void));
 void sudo_endgrent	__P((void));
 void sudo_setpwent	__P((void));