nss-ldap is extremely brittle and has various serious bugs, like bug 581306. Let's try to replace it with sys-auth/nss-pam-ldapd.
I don't object to the overall proposal, but it's NOT a drop-in replacement. We'll need lots of news to users about it.

https://arthurdejong.org/nss-pam-ldapd/README
====
unsupported features
--------------------
Since nss-pam-ldapd was forked from nss_ldap most of the features that came with nss_ldap are available. The most important differences:
- the configuration file formats are not fully compatible
...
Some things work a little different in nss-pam-ldapd. For instance the attribute defaults and overrides of nss_ldap are implemented with mapping expressions and pam_ldap's pam_check_*_attr options can be implemented with the pam_authz_search option.
====

It will definitely take some porting for all users switching. Consider this from the infra config:
===
pam_filter &(|(gentooAccess=woodpecker.gentoo.org)(gentooAccess=dev.gentoo.org))(gentooStatus=active)
nss_base_passwd ou=devs,dc=gentoo,dc=org?sub?&(|(gentooAccess=woodpecker.gentoo.org)(gentooAccess=dev.gentoo.org))(gentooStatus=active)
nss_base_shadow ou=devs,dc=gentoo,dc=org?sub?&(|(gentooAccess=woodpecker.gentoo.org)(gentooAccess=dev.gentoo.org))(gentooStatus=active)
nss_base_group ou=groups,dc=gentoo,dc=org?one?&(|(gentooAccess=woodpecker.gentoo.org)(gentooAccess=dev.gentoo.org)
===

I don't see a fast 1:1 mapping of those into the nslcd.conf.

Also, I found this buried comment that outright scares me:
https://arthurdejong.org/nss-pam-ldapd/nslcd.conf.5
"If the LDAP server is unavailable during start-up nslcd will not start."

That means disconnected reboots are NOT safe, because nslcd won't start on boot, and after the network returns, you'll have to login another way to start nslcd. Mostly thinking of a case where there is a power interruption, and the host boots much faster than switchgear.
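As an added illustration (not code from the bug, the Gentoo infra, or the nss-pam-ldapd project) of what porting the nss_base_* lines above to nslcd.conf involves: the script below splits nss_ldap's "base?scope?filter" form into nslcd's separate base/scope/filter directives, ANDs the custom filter with nslcd's default objectClass filter (since nslcd's "filter MAP" replaces the default rather than extending it), and refuses filters with unbalanced parentheses. The pam_filter to pam_authz_search mapping and the uid=$username clause are assumptions to verify against nslcd.conf(5).

```python
# Constructed sample: the directives quoted in the comment above, as nss_ldap writes them.
NSS_LDAP_SNIPPET = """\
pam_filter &(|(gentooAccess=woodpecker.gentoo.org)(gentooAccess=dev.gentoo.org))(gentooStatus=active)
nss_base_passwd ou=devs,dc=gentoo,dc=org?sub?&(|(gentooAccess=woodpecker.gentoo.org)(gentooAccess=dev.gentoo.org))(gentooStatus=active)
nss_base_group ou=groups,dc=gentoo,dc=org?one?&(|(gentooAccess=woodpecker.gentoo.org)(gentooAccess=dev.gentoo.org)
"""

# nslcd's built-in per-map filters; a custom "filter MAP" line replaces these entirely.
DEFAULT_FILTERS = {"passwd": "(objectClass=posixAccount)",
                   "shadow": "(objectClass=shadowAccount)",
                   "group": "(objectClass=posixGroup)"}

def wrap_filter(custom):
    """nss_ldap accepts a bare '&(...)(...)' body; nslcd needs a complete, parenthesised
    LDAP filter. Wrap it and reject unbalanced parentheses instead of emitting a filter
    the LDAP server would refuse (which would silently deny every lookup)."""
    full = custom if custom.startswith("(") else "(" + custom + ")"
    depth = 0
    for ch in full:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            break
    if depth != 0:
        raise ValueError("unbalanced parentheses in filter: " + custom)
    return full

def convert(snippet):
    """Return (nslcd_lines, errors) for an nss_ldap configuration fragment."""
    out, errors = [], []
    for line in snippet.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        try:
            if key.startswith("nss_base_"):
                ldap_map = key[len("nss_base_"):]
                base, scope, custom = (value.split("?", 2) + ["", ""])[:3]
                out.append(f"base {ldap_map} {base}")
                if scope:
                    out.append(f"scope {ldap_map} {scope}")
                if custom:
                    default = DEFAULT_FILTERS.get(ldap_map, "")
                    out.append(f"filter {ldap_map} (&{default}{wrap_filter(custom)})")
            elif key == "pam_filter":
                # Assumed mapping; nslcd substitutes $username at authorisation time.
                out.append(f"pam_authz_search (&(uid=$username){wrap_filter(value)})")
            else:
                out.append(f"# TODO review manually: {line}")
        except ValueError as exc:
            errors.append(f"{key}: {exc}")
    return out, errors
```

Run against the snippet, the group line is reported as an error because its filter (as pasted) is missing a closing parenthesis.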