Comment 42 for bug 1024475

I just submitted

#1739833

The postinst script for libnss-ldap invokes "invoke-rc.d" but invoke-rc.d will not do anything unless the Default-Start runlevel of /etc/init.d/libnss-ldap contains runlevel 5.

Because /etc/init.d/libnss-ldap comes without any default runlevels, the action does nothing and the service is not started, causing the service to also not be stopped, and nssldap-update-ignoreusers to not be run on reboot.

This in turn prevents the system users from being added to the ignore list which then causes the boot to fail because it tries to source them from LDAP.

This is probably of particular relevance to groups, but I don't remember, this is long ago for me.

(And it still hasn't been fixed, even though I have been sending emails about this too to devel-discuss).

The ostensibly newer package libnss-ldapd contains the option "ALLLOCAL" which generates this "exclusion list" automatically on boot.