Comment 21 for bug 155947

I have had some time to look at this more and do not believe it is a problem with non-existent groups. When ldap is supplied in ldap.conf, then glibc will check ldap when glibc's initgroups() is used. initgroups() is used by start-stop-daemon (which starts most daemons on boot). By definition, initgroups() tries to find all the groups a particular user is in, so glibc checks nsswitch.conf for all available nameservices (eg both 'file' and 'ldap'), and uses them.

With this in mind, I configured a feisty and gutsy machine to have identical /etc/nsswitch.conf files, and equivalent /etc/ldap.conf files (feisty uses /etc/libnss-ldap.conf instead of /etc/ldap.conf). Can you post your /etc/ldap.conf and /etc/libnss-ldap.conf-dpkg.old files (the second should be an automatic backup that was created with debconf if you decided to not manually configure). If you do not have /etc/libnss-ldap.conf-dpkg.old, please post your previous version of /etc/libnss-ldap.conf.