I would start with comparing logs for a 'working' and a
'non-working'
client. The config looks OK to me and in general the plain LDAP provider
should only ever generate the gidNumber value if
ldap_auto_private_groups is set to True
Thanks for answer! There was a local user with same login.
Such a silly reason...