Comment 2 for bug 644632

Joshua Kugler (jkugler) wrote :

OK, so rolling around some ideas on how to handle this. One simple way, one somewhat complex, but kind of neat, way.

Method 1:
Use a config file for nssldap-update-ignoreusers. Probably /etc/default/nssldap-update-ignoreusers. Have a single line something like:

nss_initgroups_okusers=user1,user2,user3,etc.

If a user was in that list, nssldap-update-ignoreusers would not include the user in the nss_initgroups_ignoreusers line when it updates the ldap.conf file.

Method 2:
Create a new system-level group named something like nss_okusers. Then, if a user was a member of that group, nssldap-update-ignoreusers would not include the user in the nss_initgroups_ignoreusers line when it updates the ldap.conf file. But that's abusing groups for system configuration, which I'm not sure is the best idea.

Comments? Questions?

We're talking about five lines at most of shell code. I believe it would be a worthwhile addition to nssldap-update-ignoreusers.

I might just work it up and attach a patch. :)
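
Method 1 from the comment above, sketched as an added example (not part of the original comment and not the actual nssldap-update-ignoreusers script). File locations are passed as arguments; the UID cutoff of 999, the function names and the sample data are assumptions.

```shell
#!/bin/sh
# Added example of "Method 1"; not the real nssldap-update-ignoreusers.
# Assumptions: file locations are passed as arguments, and accounts with
# UID <= MAX_UID (default 999) count as local system users.

# Print the value of the last nss_initgroups_okusers= line, whitespace removed.
okusers_from_config() {
    [ -r "$1" ] || return 0          # no config file: nobody is exempt
    sed -n 's/^[[:space:]]*nss_initgroups_okusers=//p' "$1" | tail -n 1 | tr -d '[:space:]'
}

# build_ignore_list PASSWD_FILE OKUSERS_FILE [MAX_UID]
# Print local system users, comma separated, minus the exempt ones.
build_ignore_list() {
    awk -F: -v ok="$(okusers_from_config "$2")" -v max="${3:-999}" '
        BEGIN { n = split(ok, a, ","); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        $3 ~ /^[0-9]+$/ && $3 + 0 <= max + 0 && !($1 in skip) {
            out = out (out == "" ? "" : ",") $1
        }
        END { print out }' "$1"
}

# update_ldap_conf LDAP_CONF LIST
# Replace the nss_initgroups_ignoreusers line, keeping every other line.
update_ldap_conf() {
    tmp=$(mktemp "$1.XXXXXX") || return 1
    cp -p "$1" "$tmp"                # keep the mode/owner of the original
    if sed '/^[[:space:]]*nss_initgroups_ignoreusers[[:space:]]/d' "$1" > "$tmp"; then
        [ -z "$2" ] || printf 'nss_initgroups_ignoreusers %s\n' "$2" >> "$tmp"
        mv "$tmp" "$1"               # rename so readers never see a partial file
    else
        rm -f "$tmp"; return 1
    fi
}

# Constructed sample data; prints the line that ends up in ldap.conf.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0::/root:/bin/sh' 'daemon:x:1:1::/usr/sbin:/bin/sh' 'backup:x:34:34::/var/backups:/bin/sh' \
        'jenkins:x:110:115::/var/lib/jenkins:/bin/sh' 'alice:x:1000:1000::/home/alice:/bin/sh' > "$d/passwd"
    printf '%s\n' '# exempt from the ignore list' 'nss_initgroups_okusers=jenkins, backup' > "$d/okusers"
    printf '%s\n' 'base dc=example,dc=org' 'nss_initgroups_ignoreusers root,stale' > "$d/ldap.conf"
    update_ldap_conf "$d/ldap.conf" "$(build_ignore_list "$d/passwd" "$d/okusers")" &&
        grep '^nss_initgroups_ignoreusers' "$d/ldap.conf"
    rc=$?; rm -rf "$d"; return $rc
}

demo
```

A missing config file exempts nobody, so the ignore list stays as broad as it was before the change.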