nss_base_XXX options being ignored in /etc/ldap.conf

Binary package hint: libnss-ldap

From /etc/ldap.conf:
*************************************************
# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.

nss_base_passwd ou=users,
nss_base_shadow ou=users,
nss_base_group ou=groups,
*************************************************

my base dn is dc=domain,dc=com. I have samba workstation accounts listed in ou=workstations. When I run 'getent passwd' I see my users, and the workstaion accounts. I should only see the users in ou=users. I've tried using the fully qualified dn (ou=users,dc=domain,dc=com) with no change. I've tried putting just these lines in /etc/libnss-ldap.conf. I've tried linking libnss-ldap.conf -> ldap.conf. I've tried sacrificing a chicken, then a goat. No luck.

Ncsd is not installed. I can login as my ldap users, both locally and with ssh. Everything else works. With the exception of these lines, /etc/ldap.conf was created by debconf.

This works in Feisty. I don't have a Gutsy system to test. In Feisty the file is /etc/libnss-ldap.conf as this unification to /etc/ldap.conf seems to be new.