diff --git a/plugins/sudoers/cvtsudoers.c b/plugins/sudoers/cvtsudoers.c index 7cab6cb99..a8907ebe9 100644 --- a/plugins/sudoers/cvtsudoers.c +++ b/plugins/sudoers/cvtsudoers.c @@ -106,7 +106,7 @@ int main(int argc, char *argv[]) { struct sudoers_parse_tree_list parse_trees = TAILQ_HEAD_INITIALIZER(parse_trees); - struct sudoers_context ctx = { { 0 } }; + struct sudoers_context ctx = { { NULL } }; struct sudoers_parse_tree merged_tree, *parse_tree = NULL; struct cvtsudoers_config *conf = NULL; enum sudoers_formats output_format = format_ldif; diff --git a/plugins/sudoers/group_plugin.c b/plugins/sudoers/group_plugin.c index a71f2c58f..3a9eee6ed 100644 --- a/plugins/sudoers/group_plugin.c +++ b/plugins/sudoers/group_plugin.c @@ -130,9 +130,9 @@ done: * the value from the plugin's init function. */ static int -group_plugin_load(const char *plugin_info) +group_plugin_load(const struct sudoers_context *ctx, const char *plugin_info) { - const char *plugin_dir = policy_path_plugin_dir(); + const char *plugin_dir = ctx->settings.plugin_dir; char *args, path[PATH_MAX]; char **argv = NULL; int len, rc = -1; @@ -272,7 +272,7 @@ group_plugin_query(const char *user, const char *group, */ static int -group_plugin_load(const char *plugin_info) +group_plugin_load(const struct sudoers_context *ctx, const char *plugin_info) { debug_decl(group_plugin_load, SUDOERS_DEBUG_UTIL); debug_return_int(false); @@ -308,6 +308,6 @@ cb_group_plugin(struct sudoers_context *ctx, const char *file, /* Unload any existing group plugin before loading a new one. */ group_plugin_unload(); if (sd_un->str != NULL) - rc = group_plugin_load(sd_un->str); + rc = group_plugin_load(ctx, sd_un->str); debug_return_bool(rc); } diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c index c6420dc2c..af2011439 100644 --- a/plugins/sudoers/ldap.c +++ b/plugins/sudoers/ldap.c 
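Review bot: `const char *plugin_dir = ctx->settings.plugin_dir;` in group_plugin_load can now be NULL, which the old `policy_path_plugin_dir()` accessor never returned because it carried a compiled-in default; in this same commit visudo, cvtsudoers and the fuzzers initialize their context with `{ { NULL } }`. The remainder of group_plugin_load is outside the hunk, but it presumably joins plugin_dir with a relative plugin name into `path[PATH_MAX]`, where a NULL would reach a `%s` conversion or strlen. Add a guard before plugin_dir is used, e.g. `if (plugin_dir == NULL) debug_return_int(-1);` placed after the function's debug_decl, so a context without a plugin directory fails the load instead of crashing. Whether any of those `{ { NULL } }` callers can actually reach cb_group_plugin is not visible here, so treat this as defense in depth.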
@@ -178,7 +178,8 @@ sudo_ldap_join_uri(struct ldap_config_str_list *uri_list) * Returns LDAP_SUCCESS on success, else non-zero. */ static int -sudo_ldap_init(LDAP **ldp, const char *host, int port) +sudo_ldap_init(const struct sudoers_context *ctx, LDAP **ldp, const char *host, + int port) { LDAP *ld; int ret; @@ -226,7 +227,7 @@ sudo_ldap_init(LDAP **ldp, const char *host, int port) ldapssl_err2string(ret)); if (ldap_conf.tls_certfile == NULL) sudo_warnx(U_("you must set TLS_CERT in %s to use SSL"), - policy_path_ldap_conf()); + ctx->settings.ldap_conf); goto done; } @@ -1562,7 +1563,7 @@ sudo_ldap_open(struct sudoers_context *ctx, struct sudo_nss *nss) sudo_ldap_close(ctx, nss); } - if (!sudo_ldap_read_config()) + if (!sudo_ldap_read_config(ctx)) goto done; /* Prevent reading of user ldaprc and system defaults. */ @@ -1586,7 +1587,7 @@ sudo_ldap_open(struct sudoers_context *ctx, struct sudo_nss *nss) free(buf); } else #endif - rc = sudo_ldap_init(&ld, ldap_conf.host, ldap_conf.port); + rc = sudo_ldap_init(ctx, &ld, ldap_conf.host, ldap_conf.port); if (rc != LDAP_SUCCESS) { sudo_warnx(U_("unable to initialize LDAP: %s"), ldap_err2string(rc)); goto done; diff --git a/plugins/sudoers/ldap_conf.c b/plugins/sudoers/ldap_conf.c index 11d1b7f2f..f989bf313 100644 --- a/plugins/sudoers/ldap_conf.c +++ b/plugins/sudoers/ldap_conf.c @@ -355,7 +355,7 @@ sudo_ldap_read_secret(const char *path) ssize_t len; debug_decl(sudo_ldap_read_secret, SUDOERS_DEBUG_LDAP); - if ((fp = fopen(policy_path_ldap_secret(), "r")) != NULL) { + if ((fp = fopen(path, "r")) != NULL) { len = getdelim(&line, &linesize, '\n', fp); if (len != -1) { /* trim newline */ 
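Review bot: `fopen(path, "r")` in sudo_ldap_read_secret now honours its `path` argument, but the value its caller passes, `ctx->settings.ldap_secret`, is NULL in every context this commit initializes with `{ { NULL } }` or with only plugin_dir set, and fopen(NULL) is undefined behaviour; guard it as `if (path != NULL && (fp = fopen(path, "r")) != NULL) {`. The `%s` conversion of `ctx->settings.ldap_conf` in sudo_ldap_init's TLS_CERT warning earlier in this file section has the same exposure (glibc prints "(null)", other libcs crash). The `line` buffer that getdelim fills here receives the LDAP bind password; if it is released with a plain free() further down (not visible in the hunk), consider freezero() or explicit_bzero() before freeing so the secret does not linger in the heap. sudo_ldap_read_secret's signature and the rest of its body lie outside the hunk.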
@@ -384,8 +384,8 @@ sudo_ldap_read_secret(const char *path) * Returns true if found, else false. */ static bool -sudo_ldap_parse_keyword(const char *keyword, const char *value, - struct ldap_config_table *table) +sudo_ldap_parse_keyword(const struct sudoers_context *ctx, const char *keyword, + const char *value, struct ldap_config_table *table) { struct ldap_config_table *cur; const char *errstr; @@ -428,8 +428,8 @@ sudo_ldap_parse_keyword(const char *keyword, const char *value, *(int *)(cur->valp) = (int)sudo_strtonum(value, INT_MIN, INT_MAX, &errstr); if (errstr != NULL) { - sudo_warnx(U_("%s: %s: %s: %s"), - policy_path_ldap_conf(), keyword, value, U_(errstr)); + sudo_warnx(U_("%s: %s: %s: %s"), ctx->settings.ldap_conf, + keyword, value, U_(errstr)); } break; case CONF_STR: @@ -535,7 +535,7 @@ sudo_check_krb5_ccname(const char *ccname) #endif /* HAVE_LDAP_SASL_INTERACTIVE_BIND_S */ bool -sudo_ldap_read_config(void) +sudo_ldap_read_config(const struct sudoers_context *ctx) { char *cp, *keyword, *value, *line = NULL; struct ldap_config_str *conf_str; @@ -566,7 +566,7 @@ sudo_ldap_read_config(void) debug_return_bool(false); } - if ((fp = fopen(policy_path_ldap_conf(), "r")) == NULL) + if ((fp = fopen(ctx->settings.ldap_conf, "r")) == NULL) debug_return_bool(false); while (sudo_parseln(&line, &linesize, NULL, fp, PARSELN_COMM_BOL|PARSELN_CONT_IGN) != -1) { @@ -586,8 +586,8 @@ sudo_ldap_read_config(void) value = cp; /* Look up keyword in config tables */ - if (!sudo_ldap_parse_keyword(keyword, value, ldap_conf_global)) - sudo_ldap_parse_keyword(keyword, value, ldap_conf_conn); + if (!sudo_ldap_parse_keyword(ctx, keyword, value, ldap_conf_global)) + sudo_ldap_parse_keyword(ctx, keyword, value, ldap_conf_conn); } free(line); fclose(fp); 
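Review bot: `if ((fp = fopen(ctx->settings.ldap_conf, "r")) == NULL)` in sudo_ldap_read_config dereferences a path this commit no longer guarantees is set: the compiled-in default now lives only in sudoers.c's sudoers_ctx initializer, while the visudo, cvtsudoers, testsudoers and fuzzer contexts leave ldap_conf NULL. Fold the check into the same statement, `if (ctx->settings.ldap_conf == NULL || (fp = fopen(ctx->settings.ldap_conf, "r")) == NULL) debug_return_bool(false);` — the function already treats an unreadable file as "no LDAP configuration", and an unset path should fail closed the same way rather than crash inside fopen. The warning in sudo_ldap_parse_keyword passes the same pointer to `%s` and wants the same care. sudo_ldap_read_config continues beyond this hunk.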
@@ -786,7 +786,7 @@ sudo_ldap_read_config(void) /* If rootbinddn set, read in /etc/ldap.secret if it exists. */ if (ldap_conf.rootbinddn) { - sudo_ldap_read_secret(policy_path_ldap_secret()); + sudo_ldap_read_secret(ctx->settings.ldap_secret); } else if (ldap_conf.bindpw) { cp = sudo_ldap_decode_secret(ldap_conf.bindpw); if (cp != NULL) { diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c index f48cd9879..9b8cb8418 100644 --- a/plugins/sudoers/policy.c +++ b/plugins/sudoers/policy.c @@ -56,9 +56,6 @@ static const char *interfaces_string; sudo_conv_t sudo_conv; sudo_printf_t sudo_printf; struct sudo_plugin_event * (*plugin_event_alloc)(void); -static const char *path_ldap_conf = _PATH_LDAP_CONF; -static const char *path_ldap_secret = _PATH_LDAP_SECRET; -static const char *path_plugin_dir = _PATH_SUDO_PLUGIN_DIR; static const char *path_sudoers = _PATH_SUDOERS; static bool session_opened; int sudoedit_nfiles; @@ -172,12 +169,12 @@ sudoers_policy_deserialize_info(struct sudoers_context *ctx, void *v, } if (MATCHES(*cur, "ldap_conf=")) { CHECK(*cur, "ldap_conf="); - path_ldap_conf = *cur + sizeof("ldap_conf=") - 1; + ctx->settings.ldap_conf = *cur + sizeof("ldap_conf=") - 1; continue; } if (MATCHES(*cur, "ldap_secret=")) { CHECK(*cur, "ldap_secret="); - path_ldap_secret = *cur + sizeof("ldap_secret=") - 1; + ctx->settings.ldap_secret = *cur + sizeof("ldap_secret=") - 1; continue; } } @@ -396,7 +393,7 @@ sudoers_policy_deserialize_info(struct sudoers_context *ctx, void *v, #ifdef ENABLE_SUDO_PLUGIN_API if (MATCHES(*cur, "plugin_dir=")) { CHECK(*cur, "plugin_dir="); - path_plugin_dir = *cur + sizeof("plugin_dir=") - 1; + ctx->settings.plugin_dir = *cur + sizeof("plugin_dir=") - 1; continue; } #endif 
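Review bot: The comment `/* If rootbinddn set, read in /etc/ldap.secret if it exists. */` above `sudo_ldap_read_secret(ctx->settings.ldap_secret);` is now stale, since the path is whatever the front-end supplied as `ldap_secret=` (stored in policy.c in this same commit) and only defaults to _PATH_LDAP_SECRET. Reword it to `/* If rootbinddn is set, read the bind password from ctx->settings.ldap_secret (the ldap_secret= plugin argument, default _PATH_LDAP_SECRET) if it exists. */`. It is worth stating there that the path is presumably trusted only because plugin arguments come from sudo.conf rather than from the invoking user; the CHECK macro in policy.c is not visible here, so I am assuming it does not validate the value beyond its form. sudo_ldap_read_config's body continues outside the hunk.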
@@ -646,30 +643,6 @@ policy_sudoers_conf(void) return &sudoers_conf; } -/* Return the path to the sudo plugin directory. */ -/* XXX */ -const char * -policy_path_plugin_dir(void) -{ - return path_plugin_dir; -} - -/* Return the path to ldap.conf file, which may be set in the plugin args. */ -/* XXX */ -const char * -policy_path_ldap_conf(void) -{ - return path_ldap_conf; -} - -/* Return the path to ldap.secret file, which may be set in the plugin args. */ -/* XXX */ -const char * -policy_path_ldap_secret(void) -{ - return path_ldap_secret; -} - /* * Store the execution environment and other front-end settings. * Builds up the command_info list and sets argv and envp. @@ -1325,6 +1298,9 @@ sudoers_policy_list(int argc, char * const argv[], int verbose, static int sudoers_policy_version(int verbose) { +#ifdef HAVE_LDAP + const struct sudoers_context *ctx = sudoers_get_context(); +#endif debug_decl(sudoers_policy_version, SUDOERS_DEBUG_PLUGIN); sudo_printf(SUDO_CONV_INFO_MSG, _("Sudoers policy plugin version %s\n"), @@ -1338,8 +1314,10 @@ sudoers_policy_version(int verbose) # ifdef _PATH_NSSWITCH_CONF sudo_printf(SUDO_CONV_INFO_MSG, _("nsswitch path: %s\n"), _PATH_NSSWITCH_CONF); # endif - sudo_printf(SUDO_CONV_INFO_MSG, _("ldap.conf path: %s\n"), path_ldap_conf); - sudo_printf(SUDO_CONV_INFO_MSG, _("ldap.secret path: %s\n"), path_ldap_secret); + if (ctx->settings.ldap_conf != NULL) + sudo_printf(SUDO_CONV_INFO_MSG, _("ldap.conf path: %s\n"), ctx->settings.ldap_conf); + if (ctx->settings.ldap_secret != NULL) + sudo_printf(SUDO_CONV_INFO_MSG, _("ldap.secret path: %s\n"), ctx->settings.ldap_secret); #endif dump_auth_methods(); dump_defaults(); diff --git a/plugins/sudoers/regress/fuzz/fuzz_sudoers.c b/plugins/sudoers/regress/fuzz/fuzz_sudoers.c index 7c3775771..ad6c82916 100644 --- a/plugins/sudoers/regress/fuzz/fuzz_sudoers.c +++ b/plugins/sudoers/regress/fuzz/fuzz_sudoers.c 
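Review bot: `const struct sudoers_context *ctx = sudoers_get_context();` in sudoers_policy_version is dereferenced unconditionally by the two new `if (ctx->settings.ldap_conf != NULL)` / `ldap_secret` checks, so if sudoers_get_context() can return NULL before the policy has been opened (its definition is not visible here) `sudo -V` would crash; `if (ctx != NULL && ctx->settings.ldap_conf != NULL)` covers both. If it always returns `&sudoers_ctx`, a one-line comment at the declaration saying so would settle the question for the next reader. Note also that the guards now silently omit the ldap.conf/ldap.secret lines from the verbose output; printing "(none)" for an unset path would keep a misconfiguration visible when debugging LDAP. sudoers_policy_version's body continues past the hunk.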
@@ -197,7 +197,7 @@ static struct user_data { int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { - struct sudoers_context ctx = { 0 }; + struct sudoers_context ctx = { { NULL } }; struct user_data *ud; struct sudo_nss sudo_nss_fuzz; struct sudo_nss_list snl = TAILQ_HEAD_INITIALIZER(snl); diff --git a/plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c b/plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c index 8f056ac1b..a42f0f235 100644 --- a/plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c +++ b/plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c @@ -119,7 +119,7 @@ fuzz_conversation(int num_msgs, const struct sudo_conv_message msgs[], int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { - struct sudoers_context ctx = { 0 }; + struct sudoers_context ctx = { { NULL } }; struct sudoers_parse_tree parse_tree; FILE *fp; diff --git a/plugins/sudoers/sudo_ldap_conf.h b/plugins/sudoers/sudo_ldap_conf.h index fadaabb39..d95265bb9 100644 --- a/plugins/sudoers/sudo_ldap_conf.h +++ b/plugins/sudoers/sudo_ldap_conf.h @@ -91,8 +91,9 @@ struct ldap_config { extern struct ldap_config ldap_conf; +struct sudoers_context; const char *sudo_krb5_ccname_path(const char *old_ccname); -bool sudo_ldap_read_config(void); +bool sudo_ldap_read_config(const struct sudoers_context *ctx); int sudo_ldap_set_options_global(void); int sudo_ldap_set_options_conn(LDAP *ld); diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c index 4dd162da9..1c3d98797 100644 --- a/plugins/sudoers/sudoers.c +++ b/plugins/sudoers/sudoers.c @@ -82,7 +82,9 @@ static bool tty_present(struct sudoers_context *ctx); unsigned int sudo_mode; static char *prev_user; -static struct sudoers_context sudoers_ctx; +static struct sudoers_context sudoers_ctx = { + { _PATH_LDAP_CONF, _PATH_LDAP_SECRET, _PATH_SUDO_PLUGIN_DIR } +}; static struct sudo_nss_list *snl; static bool unknown_runas_uid; static bool unknown_runas_gid; 
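Review bot: The positional initializer `{ _PATH_LDAP_CONF, _PATH_LDAP_SECRET, _PATH_SUDO_PLUGIN_DIR }` for sudoers_ctx does not match the field order this same commit gives struct sudoers_plugin_settings in sudoers.h (`plugin_dir`, `ldap_conf`, `ldap_secret`), assuming settings is the first member of struct sudoers_context as the testsudoers initializer `{ { _PATH_SUDO_PLUGIN_DIR } }` implies. As written, plugin_dir defaults to the ldap.conf path, ldap_conf to the ldap.secret path and ldap_secret to the plugin directory, so whenever the front-end does not override all three via `plugin_dir=`, `ldap_conf=` and `ldap_secret=`, relative group plugins would be resolved under a file and the LDAP configuration and bind secret would be read from the wrong places (fopen of a directory can even succeed and only fail at read time). Use designated initializers so the order cannot drift again: `static struct sudoers_context sudoers_ctx = { .settings = { .plugin_dir = _PATH_SUDO_PLUGIN_DIR, .ldap_conf = _PATH_LDAP_CONF, .ldap_secret = _PATH_LDAP_SECRET } };`, or at minimum reorder the three values to match the struct.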
diff --git a/plugins/sudoers/sudoers.h b/plugins/sudoers/sudoers.h index 3bdfa95a2..0404ff9e1 100644 --- a/plugins/sudoers/sudoers.h +++ b/plugins/sudoers/sudoers.h @@ -148,11 +148,11 @@ struct sudoers_runas_context { * Settings passed in from the sudo front-end. */ struct sudoers_plugin_settings { - unsigned int flags; - int max_groups; const char *plugin_dir; const char *ldap_conf; const char *ldap_secret; + unsigned int flags; + int max_groups; }; /* @@ -419,9 +419,6 @@ void sudoers_debug_deregister(void); unsigned int sudoers_policy_deserialize_info(struct sudoers_context *ctx, void *v, struct defaults_list *defaults); bool sudoers_policy_store_result(struct sudoers_context *ctx, bool accepted, char *argv[], char *envp[], mode_t cmnd_umask, char *iolog_path, void *v); const struct sudoers_parser_config *policy_sudoers_conf(void); -const char *policy_path_ldap_conf(void); -const char *policy_path_ldap_secret(void); -const char *policy_path_plugin_dir(void); /* group_plugin.c */ void group_plugin_unload(void); diff --git a/plugins/sudoers/testsudoers.c b/plugins/sudoers/testsudoers.c index 815ad14c5..784d48472 100644 --- a/plugins/sudoers/testsudoers.c +++ b/plugins/sudoers/testsudoers.c @@ -93,7 +93,7 @@ int main(int argc, char *argv[]) { struct sudoers_parser_config sudoers_conf = SUDOERS_PARSER_CONFIG_INITIALIZER; - struct sudoers_context test_ctx = { { 0 } }; + struct sudoers_context test_ctx = { { _PATH_SUDO_PLUGIN_DIR } }; struct sudo_nss_list snl = TAILQ_HEAD_INITIALIZER(snl); enum sudoers_formats input_format = format_sudoers; struct sudo_nss testsudoers_nss; @@ -780,12 +780,6 @@ done: debug_return; } -const char * -policy_path_plugin_dir(void) -{ - return _PATH_SUDO_PLUGIN_DIR; -} - static int testsudoers_output(const char * restrict buf) { diff --git a/plugins/sudoers/visudo.c b/plugins/sudoers/visudo.c index aadad992d..1570b5034 100644 --- a/plugins/sudoers/visudo.c +++ b/plugins/sudoers/visudo.c 
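Review bot: The new field order in struct sudoers_plugin_settings is undocumented, yet every positional initializer this commit introduces (`{ { NULL } }` in visudo/cvtsudoers/the fuzzers, `{ { _PATH_SUDO_PLUGIN_DIR } }` in testsudoers, the three-path initializer in sudoers.c) now silently depends on the three pointers coming first. Add a comment on the struct such as `/* The path pointers must stay first: sudoers.c and testsudoers.c initialize them positionally. */`, or better, switch those call sites to designated initializers (`.plugin_dir = ...`) so the order is free to change. Each field also deserves a one-line description of its origin, since policy.c fills them from the `plugin_dir=`, `ldap_conf=` and `ldap_secret=` front-end settings and group_plugin.c and ldap_conf.c consume them. Note that `{ { 0 } }` was already a valid null initializer for pointer members, so the reordering was not strictly required by the `0`→`NULL` change.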
@@ -134,7 +134,7 @@ sudo_dso_public int main(int argc, char *argv[]); int main(int argc, char *argv[]) { - struct sudoers_context ctx = { { 0 } }; + struct sudoers_context ctx = { { NULL } }; struct sudoersfile *sp; char *editor, **editor_argv; const char *export_path = NULL;