--- nssldap-update-ignoreusers.orig 2010-09-22 11:29:00.148535946 -0700 +++ nssldap-update-ignoreusers 2010-09-22 13:23:52.658537121 -0700 @@ -30,6 +30,10 @@ # Load threshold for ignoring uid's from $CONF MIN=`grep "^nss_initgroups_minimum_uid " $CONF | tail -n 1 | awk '{print $2}'` +# Load list of users to explicitly not ignore (e.g. may be system users but +# still members of groups defined in LDAP). +OKUSERS=`grep "^nss_initgroups_okusers " $CONF | tail -n 1 | awk '{print $2}')` + # If unspecified, set to 1000 (ignore local system id's) to prevent boot hang if [ -z $MIN ]; then MIN=1000 @@ -39,7 +43,7 @@ LOADED_USERS=`grep "^nss_initgroups_ignoreusers " $CONF | tail -n 1 | awk '{print $2}'` # Build list of users to ignore based on specified minimum UID -users=`cat /etc/passwd | awk -F":" '{if ($3 <'$MIN') print $1 ","}' | xargs -i echo -n {}` +users=`awk -v min="$MIN" -v okuser="$OKUSERS" -F: 'BEGIN{split(okuser,a,/,/);for (i in a) b[a[i]]} ($3 < min) && !($1 in b){printf "%s%s",s,$1;s=","}' /etc/passwd` # Merge the two lists, remove whitespace, sort alphabetically, prune duplicates users=`echo "$LOADED_USERS,$users" | sed "s/ //g" | sed "s/,/\n/g" | sort | uniq | xargs -i echo -n {},`
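Review bot: The added `OKUSERS=` assignment has a stray `)` just before the closing backtick, which is a syntax error inside the command substitution, so OKUSERS will most likely come back empty and the okusers setting silently has no effect. Either drop the parenthesis or switch the line to the `$( )` form, `OKUSERS=$(grep "^nss_initgroups_okusers " "$CONF" | tail -n 1 | awk '{print $2}')`. Because `awk '{print $2}'` keeps only the second whitespace-separated field, the new comment should also state the expected format, e.g. `# Format: nss_initgroups_okusers user1,user2 (comma-separated, no spaces)`. The `if [ -z $MIN ]` block at the end of this hunk continues outside it.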
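Review bot: The okusers filter is applied only to the list built from /etc/passwd, but the following merge line joins that list with `$LOADED_USERS`, so a user already present in `nss_initgroups_ignoreusers` (presumably written by an earlier run of this script) is put straight back and stays ignored. Filtering after the merge would cover both sources, for example by adding a stage `awk -v okuser="$OKUSERS" 'BEGIN{split(okuser,a,/,/);for(i in a)b[a[i]]} !($0 in b)'` between `sed "s/,/\n/g"` and `sort`. Separately, `min` is now an awk variable, so a non-numeric `nss_initgroups_minimum_uid` value makes `$3 < min` a string comparison and can put every account on the ignore list. A guard such as `case "$MIN" in *[!0-9]*) MIN=1000 ;; esac` before this line would keep the comparison numeric.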