Comment 91 for bug 155947

Discussion on irc and phone resulted in the following solution:

Add a new configuration option 'nss_initgroups_ignoreusers_below_uid' (or similar) and have it default to '1000'. This option will be configurable in /etc/ldap.conf. Admins can adjust this to be any valid uid.