diff -up sudo-1.8.6p7/plugins/sudoers/ldap.c.ldapusermatchfix sudo-1.8.6p7/plugins/sudoers/ldap.c

--- sudo-1.8.6p7/plugins/sudoers/ldap.c.ldapusermatchfix	2016-05-09 15:33:10.933510674 +0200

+++ sudo-1.8.6p7/plugins/sudoers/ldap.c	2016-05-09 15:33:10.937510618 +0200

@@ -2735,22 +2735,37 @@ sudo_ldap_result_get(struct sudo_nss *ns

 	    result = NULL;

 	    rc = ldap_search_ext_s(ld, base->val, LDAP_SCOPE_SUBTREE, filt,

 		NULL, 0, NULL, NULL, tvp, 0, &result);

-	    if (rc != LDAP_SUCCESS) {

+	    if (rc != LDAP_SUCCESS || result == NULL) {

 		DPRINTF(("nothing found for '%s'", filt), 1);

 		continue;

 	    }

-	    lres->user_matches = true;

+

+	    DPRINTF(("search result has %d entries (do_netgr=%s)",

+		     ldap_count_entries(ld, result), do_netgr ? "true" : "false"), 1);

+	    /*

+	     * Only set user_matches if we got some results back and if we are

+	     * NOT searching for netgroup entries. For the netgroup case, user_maches

+	     * will be set only if a netgroup match was found.

+	     */

+	    lres->user_matches = lres->user_matches ? true : ldap_count_entries(ld, result) > 0 && !do_netgr;

 	    /* Add the seach result to list of search results. */

 	    DPRINTF(("adding search result"), 1);

 	    sudo_ldap_result_add_search(lres, ld, result);

 	    LDAP_FOREACH(entry, ld, result) {

-		if ((!do_netgr ||

-		    sudo_ldap_check_user_netgroup(ld, entry, pw->pw_name)) &&

+	      if (do_netgr) {

+		if (sudo_ldap_check_user_netgroup(ld, entry, pw->pw_name) &&

 		    sudo_ldap_check_host(ld, entry)) {

-		    lres->host_matches = true;

-		    sudo_ldap_result_add_entry(lres, entry);

+		  lres->host_matches = true;

+		  lres->user_matches = true;

+		  sudo_ldap_result_add_entry(lres, entry);

+		}

+	      } else {

+		if (sudo_ldap_check_host(ld, entry)) {

+		  lres->host_matches = true;

+		  sudo_ldap_result_add_entry(lres, entry);

 		}

+	      }

 	    }

 	    DPRINTF(("result now has %d entries", lres->nentries), 1);

 	}