Configure by default to fail, quickly, requests for supplemental group information for "root", "ldap", and assorted other users as whom services run or who are mentioned by the DBus configuration. This patch will never be pretty. --- pam_ldap-180/ldap.conf 2005-08-17 18:35:13.000000000 -0400 +++ pam_ldap-180/ldap.conf 2006-02-09 14:14:05.000000000 -0500 @@ -177,6 +177,9 @@ #nss_base_aliases ou=Aliases,dc=padl,dc=com?one #nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one +# Just assume that there are no supplemental groups for these named users +nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polkituser,rtkit,pulse + # attribute/objectclass mapping # Syntax: #nss_map_attribute rfc2307attribute mapped_attribute