nss-ldap is extremely brittle and has various serious bugs, like bug 581306. Let's try to replace it with sys-auth/nss-pam-ldapd.
I don't object to the overall proposal, but it's NOT a drop-in replacement. We'll need lots of news to users about it.

https://arthurdejong.org/nss-pam-ldapd/README
====
unsupported features
--------------------
Since nss-pam-ldapd was forked from nss_ldap most of the features that came with nss_ldap are available. The most important differences:
- the configuration file formats are not fully compatible
...
Some things work a little different in nss-pam-ldapd. For instance the attribute defaults and overrides of nss_ldap are implemented with mapping expressions and pam_ldap's pam_check_*_attr options can be implemented with the pam_authz_search option.
====

It will definitely take some porting for all users switching. Consider this from the infra config:
===
pam_filter &(|(gentooAccess=woodpecker.gentoo.org)(gentooAccess=dev.gentoo.org))(gentooStatus=active)
nss_base_passwd ou=devs,dc=gentoo,dc=org?sub?&(|(gentooAccess=woodpecker.gentoo.org)(gentooAccess=dev.gentoo.org))(gentooStatus=active)
nss_base_shadow ou=devs,dc=gentoo,dc=org?sub?&(|(gentooAccess=woodpecker.gentoo.org)(gentooAccess=dev.gentoo.org))(gentooStatus=active)
nss_base_group ou=groups,dc=gentoo,dc=org?one?&(|(gentooAccess=woodpecker.gentoo.org)(gentooAccess=dev.gentoo.org)
===
I don't see a fast 1:1 mapping of those into the nslcd.conf.

Also, I found this buried comment that outright scares me:
https://arthurdejong.org/nss-pam-ldapd/nslcd.conf.5
"If the LDAP server is unavailable during start-up nslcd will not start."
That means disconnected reboots are NOT safe, because nslcd won't start on boot, and after the network returns, you'll have to log in another way to start nslcd. Mostly thinking of a case where there is a power interruption, and the host boots much faster than switchgear.
The above "If the LDAP server is unavailable during start-up nslcd will not start." only applies if "base" is not set and nslcd has to probe; otherwise, it does start up and stays up even if the server is inaccessible.

As far as translating the above, I think it would look like this:
===
base dc=gentoo,dc=org

base passwd ou=devs,dc=gentoo,dc=org
scope passwd subtree
filter passwd (&(|(gentooAccess=woodpecker.gentoo.org)(gentooAccess=dev.gentoo.org))(gentooStatus=active))

base shadow ou=devs,dc=gentoo,dc=org
scope shadow subtree
filter shadow (&(|(gentooAccess=woodpecker.gentoo.org)(gentooAccess=dev.gentoo.org))(gentooStatus=active))

base group ou=groups,dc=gentoo,dc=org
scope group one
filter group (&(|(gentooAccess=woodpecker.gentoo.org)(gentooAccess=dev.gentoo.org))
===
I think the pam_filter option is obsolete; the above statements should replace it, and it can be dropped with nss-pam-nslcd. I tested the configuration and filter for syntactical correctness, but of course I cannot test beyond that.
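As an added example (not code from this thread, from nss_ldap or from nss-pam-ldapd), the following Python script mechanises the hand translation in the comment above: it parses nss_ldap `nss_base_<map> base?scope?filter` directives and emits the corresponding nslcd.conf `base`/`scope`/`filter` lines, wraps each filter in outer parentheses the way the translation above does, emits a global `base` first so that nslcd does not have to probe the server's namingContexts at start-up, flags `pam_filter` as something that has to be redone by hand (pam_authz_search), and checks every filter for balanced parentheses. The sample input is a copy of the infra snippet quoted earlier in the thread; all function and variable names are mine. Note that the balance check fires on the `nss_base_group` line, whose filter as quoted is missing one closing parenthesis.

```python
"""Translate nss_ldap nss_base_<map> directives into nslcd.conf directives.

Added example for this thread; it is not part of nss_ldap or nss-pam-ldapd.
Names (convert_config, convert_nss_base, ...) are the author's own.
"""
import re

# nss_ldap scope keyword (the middle field of base?scope?filter) -> nslcd.conf
# scope keyword. nslcd.conf also accepts "sub" and "onelevel"; "subtree"/"one"
# match the hand translation in the thread.
SCOPE_MAP = {"base": "base", "one": "one", "sub": "subtree"}

NSS_BASE_RE = re.compile(r"^nss_base_(\w+)\s+(\S.*)$")


def parens_balanced(text):
    """True if every '(' in an LDAP filter has a matching ')' in order."""
    depth = 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:          # a ')' before its '('
                return False
    return depth == 0


def normalize_filter(filt):
    """The nss_ldap filters in the thread omit the outer parentheses
    (e.g. `&(|(a)(b))(c)`); nslcd wants a complete RFC 4515 filter, so wrap
    the expression unless it already starts with '('."""
    filt = filt.strip()
    if filt and not filt.startswith("("):
        filt = "(" + filt + ")"
    return filt


def convert_nss_base(line):
    """Convert one `nss_base_<map> base?scope?filter` line.
    Returns (nslcd_lines, warnings)."""
    m = NSS_BASE_RE.match(line.strip())
    if not m:
        raise ValueError("not an nss_base_ directive: %r" % line)
    mapname, spec = m.groups()
    # The LDAP filter itself never contains '?', so split at most twice.
    parts = spec.split("?", 2)
    base = parts[0]
    scope = parts[1] if len(parts) > 1 and parts[1] else None
    filt = parts[2] if len(parts) > 2 and parts[2] else None

    out, warnings = ["base %s %s" % (mapname, base)], []
    if scope is not None:
        if scope not in SCOPE_MAP:
            warnings.append("scope %s: unknown nss_ldap scope %r" % (mapname, scope))
        out.append("scope %s %s" % (mapname, SCOPE_MAP.get(scope, scope)))
    if filt is not None:
        filt = normalize_filter(filt)
        if not parens_balanced(filt):
            warnings.append("filter %s: unbalanced parentheses: %s" % (mapname, filt))
        out.append("filter %s %s" % (mapname, filt))
    return out, warnings


def convert_config(text, default_base=None):
    """Convert the nss_base_* lines of an nss_ldap config into nslcd.conf
    lines. default_base, if given, is emitted first as the global `base` so
    nslcd does not depend on the server being reachable at start-up."""
    nslcd, warnings = [], []
    if default_base:
        nslcd.append("base %s" % default_base)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key = line.split(None, 1)[0]
        if key.startswith("nss_base_"):
            lines, warns = convert_nss_base(line)
            nslcd.extend(lines)
            warnings.extend(warns)
        elif key == "pam_filter":
            warnings.append("pam_filter has no 1:1 nslcd.conf equivalent; "
                            "re-express it with pam_authz_search: " + line)
        # Any other directive (uri, binddn, ssl, ...) is left to the admin.
    return nslcd, warnings


# Constructed sample input: a copy of the infra snippet quoted in this thread.
SAMPLE_NSS_LDAP_CONF = """\
pam_filter &(|(gentooAccess=woodpecker.gentoo.org)(gentooAccess=dev.gentoo.org))(gentooStatus=active)
nss_base_passwd ou=devs,dc=gentoo,dc=org?sub?&(|(gentooAccess=woodpecker.gentoo.org)(gentooAccess=dev.gentoo.org))(gentooStatus=active)
nss_base_shadow ou=devs,dc=gentoo,dc=org?sub?&(|(gentooAccess=woodpecker.gentoo.org)(gentooAccess=dev.gentoo.org))(gentooStatus=active)
nss_base_group ou=groups,dc=gentoo,dc=org?one?&(|(gentooAccess=woodpecker.gentoo.org)(gentooAccess=dev.gentoo.org)
"""

if __name__ == "__main__":
    lines, warns = convert_config(SAMPLE_NSS_LDAP_CONF, default_base="dc=gentoo,dc=org")
    print("\n".join(lines))
    for w in warns:
        print("# WARNING:", w)
```

Running it prints the same `base`/`scope`/`filter` block as the hand translation above, plus two warnings: one that `pam_filter` needs a `pam_authz_search` rewrite, and one that the `group` filter has unbalanced parentheses. Run the output through `nslcd -c` (the nslcd config check) before deploying; this script only mirrors the field mapping and does not know the rest of nslcd.conf.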