OK, built trusty's libnss-ldap with the patch referenced by the bug submitter. Indeed, it too resolved the issue.
So to summarize:
1) Only trusty's libnss-ldap seems to fail.
2) The bug seems fixable by any of the following:
a) patch in comment #1, or
b) updating trusty to xenial/yakkety libnss-ldap (with the caveat that I have no clue as to why this fixes it!)
c) updating to upstream, which also has the patch referenced in comment #1.
I'm leaning towards a because its intentionally the upstream fix for the bug, and even if I can't reproduce xenial/yakkety, it seems a safe enough fix (I will test this assumption) to apply there too. I also think the amount of changes in b) & c) are too numerous to safely put back to trusty.
OK, built trusty's libnss-ldap with the patch referenced by the bug submitter. Indeed, it too resolved the issue.
So to summarize:
1) Only trusty's libnss-ldap seems to fail.
2) The bug seems fixable by any of the following:
a) patch in comment #1, or
b) updating trusty to xenial/yakkety libnss-ldap (with the caveat that I have no clue as to why this fixes it!)
c) updating to upstream, which also has the patch referenced in comment #1.
I'm leaning towards a because its intentionally the upstream fix for the bug, and even if I can't reproduce xenial/yakkety, it seems a safe enough fix (I will test this assumption) to apply there too. I also think the amount of changes in b) & c) are too numerous to safely put back to trusty.