Best practices for application account management is to have all application dependent accounts and groups local to the server.
These accounts should be locked, so no interactive logins can happen. Ssh keys could still be used for automation from trusted hosts.
On Linux, the application accounts should be added to nss_initgroups_ignoreusers in /etc/ldap.conf to insure accounts do not hang on account or group lookups.
On Red Hat 6, “
nss_initgroups_ignoreusers ALLLOCAL" user can be used.