diff -Nru nss-pam-ldapd-0.8.4ubuntu0.3/debian/changelog nss-pam-ldapd-0.8.4ubuntu0.4/debian/changelog
--- nss-pam-ldapd-0.8.4ubuntu0.3/debian/changelog 2014-07-29 11:16:53.000000000 -0300
+++ nss-pam-ldapd-0.8.4ubuntu0.4/debian/changelog 2014-08-14 07:28:09.000000000 -0300
@@ -1,3 +1,13 @@
+nss-pam-ldapd (0.8.4ubuntu0.4) precise; urgency=low
+
+ * [bzr lp:ubuntu/nss-pam-ldapd revno:19 tag:0.8.8-1]:
+ - debian/nslcd.config: properly handle preseeding and reading values
+ from the configuration file by forcefully overwriting debconf values
+ from nslcd.conf and not overwriting debconf values when reading other
+ configuration files. (LP: #1229713)
+
+ -- Rafael David Tinoco Thu, 14 Aug 2014 07:27:54 -0300
+
 nss-pam-ldapd (0.8.4ubuntu0.3) precise-security; urgency=low
 * SECURITY UPDATE: denial of service related to incorrect use
diff -Nru nss-pam-ldapd-0.8.4ubuntu0.3/debian/nslcd.config nss-pam-ldapd-0.8.4ubuntu0.4/debian/nslcd.config
--- nss-pam-ldapd-0.8.4ubuntu0.3/debian/nslcd.config 2012-07-18 16:34:10.000000000 -0300
+++ nss-pam-ldapd-0.8.4ubuntu0.4/debian/nslcd.config 2014-08-11 22:10:35.000000000 -0300
@@ -26,11 +26,14 @@
 {
 debconf_param="$1"
 cfg_param="$2"
- # overwrite debconf value if different from config file
 db_get "$debconf_param"
- debconf_value="$RET"
- cfgfile_value=`sed -n 's/^'"$cfg_param"'[[:space:]]*\([^[:space:]].*[^[:space:]]\)[[:space:]]*$/\1/ip' "$cfgfile" | tail -n 1`
- [ -n "$cfgfile_value" ] && [ "$debconf_value" != "$cfgfile_value" ] && db_set "$debconf_param" "$cfgfile_value"
+ # ignore already-set debconf values unless force is used
+ if [ -z "$RET" ] || [ "$force" = "force" ]
+ then
+ # the first part avoids getting options that have an option MAP parameter
+ cfgfile_value=`sed -n 's/^'"$cfg_param"'[[:space:]]*\([^[:space:]].*[^[:space:]]\)[[:space:]]*$/\1/ip' "$cfgfile" | tail -n 1`
+ [ -n "$cfgfile_value" ] && db_set "$debconf_param" "$cfgfile_value"
+ fi
 # we're done
 return 0
 }
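Review bot: The new `cfgfile_value=` line keeps the `^'"$cfg_param"'[[:space:]]*` prefix, which accepts zero separating whitespace, so any option whose name merely begins with `$cfg_param` is treated as a hit and the remainder of its name is swallowed into the captured value; requiring at least one separator, `^'"$cfg_param"'[[:space:]]\{1,\}`, closes that for whatever option names the callers pass, and the "option MAP parameter" comment above it does not describe anything the pattern as written actually does, so it is worth rewording. The `[ "$force" = "force" ]` test also reads `force` as an undeclared global that only `parsecfg` assigns (`force="$1"` in the later hunk), so a call to this helper from anywhere else inherits whatever mode the last `parsecfg` ran in; a comment such as `# $force is set by the calling parsecfg: "force" overwrites existing debconf answers, anything else keeps them` would make that dependency visible. The function's name line is above the hunk (presumably `read_config`, judging by the two-argument calls in the later hunk), so its opening is not shown here.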
@@ -148,12 +151,13 @@
 # parse a LDAP-like configuration file
 parsecfg()
 {
- cfgfile="$1"
+ force="$1"
+ cfgfile="$2"
 # check existance
 [ -f "$cfgfile" ] || return 0
 # find uri/host/port combo
 db_get nslcd/ldap-uris
- if [ -z "$RET" ]
+ if [ -z "$RET" ] || [ "$force" = "force" ]
 then
 uris=`sed -n 's/^uri[[:space:]]*//ip' "$cfgfile" | tr '\n' ' '`
 if [ -z "$uris" ]
@@ -184,7 +188,7 @@
 read_config nslcd/ldap-sasl-krb5-ccname krb5_ccname
 # check ssl option
 db_get nslcd/ldap-starttls
- if [ -z "$RET" ]
+ if [ -z "$RET" ] || [ "$force" = "force" ]
 then
 if grep -qi '^ssl[[:space:]]*start_*tls' "$cfgfile"
 then
@@ -196,7 +200,7 @@
 fi
 # check reqcert option
 db_get nslcd/ldap-reqcert
- if [ -z "$RET" ]
+ if [ -z "$RET" ] || [ "$force" = "force" ]
 then
 reqcert=`sed -n 's/^tls_\(reqcert\|checkpeer\)[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\2/ip' "$cfgfile" | tail -n 1`
 # normalise value
@@ -212,7 +216,7 @@
 if [ -f "$CONFFILE" ]
 then
 # parse current configuration
- parsecfg "$CONFFILE"
+ parsecfg force "$CONFFILE"
 # deduce auth-type from configuration file
 if grep -qi '^sasl_mech[[:space:]]' "$CONFFILE"
 then
@@ -225,10 +229,10 @@
 fi
 else
 # first match wins
- parsecfg /etc/libnss-ldap.conf
- parsecfg /etc/pam_ldap.conf
- parsecfg /etc/ldap/ldap.conf
- parsecfg /etc/ldap.conf
+ parsecfg noforce /etc/libnss-ldap.conf
+ parsecfg noforce /etc/pam_ldap.conf
+ parsecfg noforce /etc/ldap/ldap.conf
+ parsecfg noforce /etc/ldap.conf
 parsesys
 # fallback default values
 db_get nslcd/ldap-uris
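Review bot: The new first argument of `parsecfg` is a bare mode string that is only ever compared with `[ "$force" = "force" ]`, so any other value — a typo such as `Force`, or a leftover call in the old single-argument form `parsecfg /etc/ldap.conf` — silently degrades to no-force and, in the single-argument case, makes `cfgfile` empty so the `[ -f "$cfgfile" ] || return 0` guard skips the file without a word. A check right after the two assignments, `case "$force" in force|noforce) ;; *) echo "parsecfg: bad mode '$force'" >&2; return 1;; esac`, would turn that into a visible failure, and the header comment should state the contract, e.g. `# parse a LDAP-like configuration file; $1 is "force" to overwrite existing debconf answers or "noforce" to keep them, $2 is the file to read`. Note that `force` is a plain global that outlives the call and is read by the helper changed in the earlier hunk, which is worth saying in the same comment. The body of `parsecfg` continues past the end of this hunk.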