Steve Thompson <smt at vgersoft.com> wrote:
>> <https://bugzilla.redhat.com/show_bug.cgi?id=182464>
>
> I disagree that this is a bug. It's not a problem if you configure
> ldap.conf properly. For example, using
>
> nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus

That was identified fairly early on, and you'll notice the example config I sent includes those users (and is in fact the default config in CentOS 5.4). It doesn't seem to always solve the problem. This problem seems to be very sensitive to configs (some sites exhibit it, some don't) and also sensitive to changes in boot sequence from release to release.

If it works for you, great. It doesn't seem to be globally sufficient, though. It's been closed a few times but just keeps popping up. Note this paragraph from <https://bugzilla.redhat.com/show_bug.cgi?id=182464#c10> which, to the best of my knowledge, has not been addressed:

  I did some spelunking with strace, followed by code inspection of libnss_ldap. It turns out that the information referenced by nss_initgroups_ignoreusers is only used _after_ the library attempts to connect to the ldap server.

However, that said, this is getting a bit off topic from the original question, so I won't dwell on it any more.

Devin
--
One should forgive one's enemies, but not before they are hanged. - Heinrich Heine