Hi,

We have an LDAP group called ldapadmin defined on our LDAP servers running 389 Directory Server.

On the LDAP client side, we have the following line added in /etc/sudoers:
%ldapadmin  ALL=(ALL:ALL) ALL

We are able to log in as an LDAP user which is part of the ldapadmin group and are able to get sudo privileges for that user by putting sudo before a command.

Now these LDAP client machines also have a local admin user which has been added to their local /etc/sudoers file.

If our LDAP servers are down and we try to run sudo while logged in as the local admin user, we see a delay before the sudo command finishes.

When we remove the line %ldapadmin  ALL=(ALL:ALL) ALL from /etc/sudoers, the slowdown no longer happens when we run sudo as the local admin user.

That means every time we run sudo, it reads the sudoers file, and while parsing the file, when it comes across the line %ldapadmin  ALL=(ALL:ALL) ALL, it is not able to find this group, since it is not a local group but a group present on an LDAP server which is currently unavailable.

My question is: why is the sudo command trying to look up the ldapadmin group when it is run by the local admin user? Is there any way to bypass this check, because our LDAP clients need to have a local admin user? Any help would be appreciated.

Thank you
Abhishek Deb
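Added example (not part of the post above, and not code from sudo or 389 Directory Server): sudo does not stop at the first rule that names the invoking user. It evaluates every user specification in sudoers, because the last matching entry wins, so each %group rule has to be tested for membership, and a group that is not in /etc/group is resolved through NSS (wherever nsswitch.conf sends group lookups, here an LDAP server). The script below parses a constructed sudoers file and a constructed /etc/group, classifies each user spec by where sudo would have to look to evaluate it, and reports which group specs cannot be satisfied from local files. The sudoers and group contents, the user name localadmin, and the %#1005 and %:CORP\Helpdesk specs are invented for illustration; the membership check only models the files backend and ignores a user's primary group from /etc/passwd.

```python
"""Audit a sudoers file for group rules that force a non-local (NSS) group lookup."""
import re
from typing import Dict, List

# Constructed sample inputs for illustration; not copied from any real host.
SUDOERS_TEXT = """\
# constructed /etc/sudoers
Defaults        env_reset
User_Alias      OPS = alice, bob
root            ALL=(ALL:ALL) ALL
localadmin      ALL=(ALL:ALL) ALL
%wheel          ALL=(ALL) ALL
%ldapadmin      ALL=(ALL:ALL) ALL
%#1005          ALL=(ALL) /usr/bin/systemctl
%:CORP\\Helpdesk ALL=(ALL) /usr/bin/passwd
"""

ETC_GROUP_TEXT = """\
root:x:0:
wheel:x:10:localadmin
localadmin:x:1000:
"""


def parse_etc_group(text: str) -> Dict[str, dict]:
    """Parse /etc/group lines 'name:x:gid:member,member' into a dict keyed by group name."""
    groups: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = {"gid": int(gid), "members": set(filter(None, members.split(",")))}
    return groups


def sudoers_user_specs(text: str) -> List[str]:
    """Return the user part of every user specification, in file order.

    Joins backslash-continued lines and skips comments, Defaults and alias
    definitions. Order is kept because sudo evaluates every spec (last match wins).
    """
    joined = re.sub(r"\\\n", " ", text)
    specs = []
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        if re.match(r"(User|Runas|Host|Cmnd)_Alias\b", line):
            continue
        specs.append(line.split()[0])
    return specs


def classify_spec(spec: str, local_groups: Dict[str, dict]) -> str:
    """Say where sudo has to go to evaluate this spec against the invoking user."""
    if spec.startswith("%:"):
        return "group_plugin"  # non-Unix group, handled by sudo's group_plugin if one is configured
    if spec.startswith("%#"):
        gid = int(spec[2:])
        local = any(g["gid"] == gid for g in local_groups.values())
        return "local-gid" if local else "nss-gid"
    if spec.startswith("%"):
        return "local-group" if spec[1:] in local_groups else "nss-group"
    return "user"


def user_in_spec(user: str, spec: str, local_groups: Dict[str, dict]) -> bool:
    """Membership check using only /etc/group data (primary group from passwd is ignored)."""
    if spec.startswith("%:"):
        return False
    if spec.startswith("%#"):
        gid = int(spec[2:])
        return any(g["gid"] == gid and user in g["members"] for g in local_groups.values())
    if spec.startswith("%"):
        g = local_groups.get(spec[1:])
        return bool(g) and user in g["members"]
    return spec == user


def audit(sudoers_text: str, etc_group_text: str, user: str) -> List[dict]:
    """One row per user spec: where it is resolved and whether it matches `user` locally."""
    local = parse_etc_group(etc_group_text)
    return [{"spec": s,
             "source": classify_spec(s, local),
             "matches_user": user_in_spec(user, s, local)}
            for s in sudoers_user_specs(sudoers_text)]


def remote_lookups(sudoers_text: str, etc_group_text: str) -> List[str]:
    """Group specs that cannot be resolved from /etc/group and so go out through NSS."""
    local = parse_etc_group(etc_group_text)
    return [s for s in sudoers_user_specs(sudoers_text)
            if classify_spec(s, local) in ("nss-group", "nss-gid")]


if __name__ == "__main__":
    for row in audit(SUDOERS_TEXT, ETC_GROUP_TEXT, "localadmin"):
        print(f"{row['spec']:<18} {row['source']:<13} matches localadmin={row['matches_user']}")
    print("specs needing an NSS lookup:", remote_lookups(SUDOERS_TEXT, ETC_GROUP_TEXT))
```

Run against a real host by feeding it the contents of /etc/sudoers (root needed to read it) and /etc/group. Every spec reported as nss-group or nss-gid is one that sudo has to resolve through the group NSS path on every invocation, for every invoking user, which is why an unreachable LDAP server delays the local admin's sudo even though that user's own rule matches from local files. The things worth checking on the client are the caching daemon in front of the lookup (sssd or nscd, including negative caching of missing groups) and the connection timeouts configured for the LDAP NSS client, rather than removing the %ldapadmin rule.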