On Thu, 28 Apr 2011, Mattias Geniar wrote:
> I read quite a few topics on solving that issue, but it didn't seem to be the case in my environment. Are there other workarounds/tips if the bind_policy doesn't work? The rc.local hack seems ... ugly ... and embarrassing if a client would ever find it out. :-)
> Automatic generation of the nss_initrgroups_ignoreusers line on boot? A creative patch to nss_ldap?
Current versions of sssd look really promising to me (I tested against a candidate for RHEL 6.1), and offer workable performance compared to a heavily hacked nss_ldap against a large LDAP tree (much better than an unmodified nss_ldap).
I also seemed to recall that bind_policy soft potentially opened you up to security issues. An allow all, deny denied-people would let someone in if ldap timed out. Variations on that would presumably leak if you throw nscd into the mix.
Newer versions of nss_ldap support nss_initgroups_minimum_uid 500, so presumably that has a good chance of solving your problem.
jh
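As an added illustration of the "automatic generation of the nss_initgroups_ignoreusers line" idea raised in the thread (this is example code, not something either poster wrote or shipped), the script below builds that ldap.conf line from the local passwd file so that initgroups() for system accounts never has to consult LDAP. The UID cut-off of 500 mirrors the nss_initgroups_minimum_uid value mentioned above; the passwd sample is constructed inline, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: derive an nss_ldap
# "nss_initgroups_ignoreusers" line from local accounts so that
# group lookups for system users are answered locally instead of
# by the LDAP server.  Function names and the UID cut-off (500,
# matching the thread's nss_initgroups_minimum_uid example) are
# assumptions for this example.

# Read passwd-format lines on stdin and print a comma-separated list
# of the user names whose UID is below $1.
local_system_users() {
    awk -F: -v max="$1" '
        ($3 + 0) < (max + 0) { names = names (names ? "," : "") $1 }
        END { print names }'
}

# Emit the complete ldap.conf directive for the passwd data on stdin.
ignoreusers_line() {
    printf 'nss_initgroups_ignoreusers %s\n' "$(local_system_users "$1")"
}

# Constructed sample passwd content so the example runs offline.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash'

# On a real host this would read /etc/passwd and the result would be
# merged into /etc/ldap.conf at boot; here it just prints the line.
printf '%s\n' "$SAMPLE_PASSWD" | ignoreusers_line 500
# prints: nss_initgroups_ignoreusers root,bin,daemon,nobody
```

Where the installed nss_ldap already understands nss_initgroups_minimum_uid, that single directive achieves the same effect without regenerating a list at boot; the generated line is only the fallback for older builds. Either way the point is to keep the local system accounts out of the LDAP group search, not to loosen bind_policy, which the thread notes can let logins through when the directory times out.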