On Thu, 28 Apr 2011, Mattias Geniar wrote:

> I read quite a few topics on that solving the issue, but it didn't seem
> to be that case in my environment.
> Are there other workarounds/tips if the bind_policy doesn't work? The
> rc.local hack seems ... ugly ... and embarrassing if a client would
> ever find it out. :-)

Automatic generation of the nss_initgroups_ignoreusers line on boot? A creative patch to nss_ldap?

Current versions of sssd look really promising to me (I tested against a candidate for RHEL 6.1), and offer workable performance compared to a heavily hacked nss_ldap against a large LDAP tree (much better than an unmodified nss_ldap).

I also seemed to recall that bind_policy soft potentially opened you up to security issues. An allow all, deny denied-people would let someone in if ldap timed out. Variations on that would presumably leak if you throw nscd into the mix.

Newer versions of nss_ldap support nss_initgroups_minimum_uid 500, so presumably that has a good chance of solving your problem.

jh
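As an added illustration of the two settings discussed in this thread (not part of either poster's message), here is a constructed /etc/ldap.conf fragment for nss_ldap showing the weak configuration next to the safer one. The option names bind_policy, nss_initgroups_ignoreusers and nss_initgroups_minimum_uid are real nss_ldap options; the host, base DN, timeouts and user list are placeholders, and the "allow everyone except a deny list" rule referred to in the reply is assumed to live in the PAM stack, so it is only described in a comment here.

```text
# --- Weak: fail open on LDAP timeout -------------------------------------
# bind_policy soft makes nss_ldap give up after one failed bind instead of
# retrying. If the site's PAM policy is "allow everyone, deny members of a
# blacklist group", a timed-out group lookup returns "no groups", the deny
# rule never matches, and the user is let in. nscd can cache that empty
# answer and keep handing it out.
uri ldap://ldap.example.invalid/          # placeholder host
base dc=example,dc=invalid                # placeholder base DN
bind_policy soft
bind_timelimit 5
timelimit 5

# --- Safer: keep the default (hard) bind policy, and instead stop nss_ldap
# --- from walking the LDAP tree for local/system accounts at boot --------
uri ldap://ldap.example.invalid/          # placeholder host
base dc=example,dc=invalid                # placeholder base DN
bind_policy hard                          # the default; retries until LDAP answers
bind_timelimit 5
timelimit 5

# Older nss_ldap: list the local accounts whose initgroups() lookups should
# never go to LDAP (what the "generate the line at boot" idea would produce).
nss_initgroups_ignoreusers root,daemon,bin,sys,sync,games,man,lp,mail

# Newer nss_ldap: skip LDAP initgroups() for every uid below the threshold,
# which covers system accounts without maintaining the list above.
nss_initgroups_minimum_uid 500
```

The point of the contrast is that bind_policy soft trades an LDAP outage for a fast but empty answer, which is only safe if every access rule defaults to deny; the initgroups options instead remove the expensive lookups for accounts that were never in LDAP, so the hard bind policy can stay in place.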