If the problem was so easy that a simple nss_ldap invocation handled it
properly, we would not have 'wasted' so much time on winbind. It was
developed for a very real reason.
I agree with Andrew here - nss-ldap is a piece of crap for 2 reasons:
- the whole ldap library is loaded with every NSS library call
- no caching
- called in the user context, so can not use machine credentials to
- extra configuration needed
All these problems are hopefully to be solved with the upcoming
nss-ldapd but it is not stable enough yet. So I vote for winbind, too.
The only problem with winbind is (as I already mentioned) limited system
databases support (to passwd and group)...