Configure by default to fail, quickly, requests for supplemental group information for "root", "ldap", and assorted other users as whom services run. This patch will never be pretty. I will never be free. --- pam_ldap-180/ldap.conf 2005-08-17 18:35:13.000000000 -0400 +++ pam_ldap-180/ldap.conf 2006-02-09 14:14:05.000000000 -0500 @@ -177,6 +177,9 @@ #nss_base_aliases ou=Aliases,dc=padl,dc=com?one #nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one +# Just assume that there are no supplemental groups for these named users +nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm + # attribute/objectclass mapping # Syntax: #nss_map_attribute rfc2307attribute mapped_attribute