Lev Serebryakov
2011-May-31 08:12 UTC
pam_ldap + nss_ldap, su(1), group wheel and pam_group
Hello, Freebsd-security.

What is the proper way to mix pam_ldap/nss_ldap (no users but root in local files), su(1) and the check for group `wheel'?

The "files" source should have precedence over "ldap" in /etc/nsswitch.conf, so that daemons can change user/group before the network is fully configured, and so that the local "root" has priority over any LDAP one. Group `wheel' should be in /etc/group, because it seems that it should be available under any conditions.

But the result of this is a conflict: id(1) shows that the user is included in group `wheel' (on LDAP), because `id' uses getgroups(2), but su(1) refuses the user, because it uses getgrnam(3), which finds group "wheel" in /etc/group, where the user doesn't belong to group "wheel" :(

Is there any `standard' solution to this problem? I know about sudo(8), but I am afraid that this inconsistency could bite somewhere else, and in any case I want su(1) to work :)

Are there any reasons why pam_group(8) is inconsistent with id(1) in the way it determines to which groups a user belongs?

-- 
// Black Lion AKA Lev Serebryakov <lev@FreeBSD.org>