In the meantime, the patch isn't exactly something I'd want to take
upstream either, but it at least addresses the most obvious problem, and
more problematically, I don't see a better way of addressing it other than
saying "well, anyone without a system-wide ldap.conf loses." And I
wouldn't be comfortable trying to defend that position.

I suppose another possible workaround specific to the NSS module (and
probably the PAM module as well) would be to proactively check whether
there's a system-wide ldap.conf file and fail immediately if there isn't.
That leaves the problem open for other setuid uses of the LDAP libraries,
but I don't expect there are a lot of those and what ones there may be are
more likely to be able to use the LDAPNOINIT flag.