In _nss_ldap_search_s(), after we've cycled through how ever many search descriptors we need to in order to try to find an entry, return NOTFOUND if we run out of descriptors before we find an entry. In setnetgrent(), if _nss_ldap_getbyname returns NOTFOUND, return an error rather than postponing it to a subsequent call to getnetgrent(). Original patch from Jose Plans, modification to handle multiple search descriptors. Modified again to return errors from setnetgrent() for anything except success rather than just NOTFOUND. diff -up nss_ldap/ldap-netgrp.c nss_ldap/ldap-netgrp.c --- nss_ldap/ldap-netgrp.c 2008-03-26 14:03:59.000000000 -0400 +++ nss_ldap/ldap-netgrp.c 2008-03-26 14:19:21.000000000 -0400 @@ -372,6 +372,9 @@ _nss_ldap_setnetgrent (char *group, stru _nss_ldap_filt_getnetgrent, LM_NETGROUP, _nss_ldap_load_netgr); + if (stat != NSS_SUCCESS) + return stat; + LOOKUP_SETENT (_ngbe); } diff -up nss_ldap/ldap-nss.c nss_ldap/ldap-nss.c --- nss_ldap/ldap-nss.c 2008-03-26 14:06:58.000000000 -0400 +++ nss_ldap/ldap-nss.c 2008-03-26 14:23:00.000000000 -0400 @@ -3073,6 +3073,10 @@ _nss_ldap_search_s (const ldap_args_t * } } + if ((stat == NSS_SUCCESS) && + (ldap_count_entries (__session.ls_conn, *res) == 0)) /* No results */ + stat = NSS_NOTFOUND; + debug ("<== _nss_ldap_search_s"); return stat;
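Review bot: In the ldap-netgrp.c hunk, the new `if (stat != NSS_SUCCESS) return stat;` leaves `_nss_ldap_setnetgrent` before `LOOKUP_SETENT (_ngbe)` for every non-success status, not only NSS_NOTFOUND, and nothing in the code says why. The description explains that this is deliberate, but a reader of the source will not see the description. A short comment above the check would help, stating that errors are reported from setnetgrent() rather than deferred to a later getnetgrent() call. It is also worth confirming that nothing set up earlier in the function needs to be released on this early-return path, since the hunk does not show the code before the lookup call.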
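Review bot: In the ldap-nss.c hunk, the added test `ldap_count_entries (__session.ls_conn, *res) == 0` only catches an empty result. ldap_count_entries() returns -1 on error, and that case still falls through with stat left at NSS_SUCCESS. Consider comparing with `<= 0`, or handling the -1 case separately with its own status. The check also rewrites stat to NSS_NOTFOUND while `*res` still points at a result message. The hunk does not show whether callers free `*res` on a non-success return, so either free it here and clear the pointer, or confirm that every caller releases it regardless of the status it gets back.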