Comment 24 for bug 870874

I also think this bug should get HIGH priority. LDAP is essential for so many deployments.

I also recommend testing that "sudo", "su -" and "sudo su -" work as expected from LDAP-only user accounts. I'm experiencing this bug with LDAP user accounts, but I worked around it using instructions found in this bug report. However, there's an additional problem probably related to this, which doesn't go away:

I have a user account "johndoe" that only exists in LDAP. That user account belongs to local groups "sudo" and "admin" as specified in /etc/group.

 ~# getent passwd johndoe
 johndoe:x:10003:10003:John Doe:/home/johndoe:/bin/bash

 ~# getent group sudo
 sudo:x:27:johndoe

 ~# getent group admin
 admin:x:118:johndoe

 ~# cat /etc/sudoers | grep '%[admin|sudo]'
 %admin ALL=(ALL) ALL
 %sudo ALL=(ALL:ALL) ALL

I have NOT set ignore_local_sudoers so it should work with LDAP and local /etc/sudoers file.
But sudo is not working. What happens instead is:

 johndoe@host:~$ sudo su
 sudo: setreuid(ROOT_UID, user_uid): Operation not permitted
 johndoe@host:~$ su -
 Password: ***CORRECT*PASSWORD***
 su: Authentication failure
 johndoe@host:~$ sudo cat /etc/group
 sudo: setreuid(ROOT_UID, user_uid): Operation not permitted

These problems may be related, so I recommend checking sudo and su as well when investigating and testing this bug.