Eventually I found the problem: nscd did bind anonymously and slapd was configured to prevent access to ldap information by anonymous users. I thought that specifying "rootbinddn" and the correct password in ldap.secret would prevent that but obviously nscd needs "binddn" and "bindpw" in ldap.conf. fs