uid conflict option of false for parameter check-uid-conflicts (4295870)

On the nss module I am using the default option of false for parameter check-uid-conflicts. But the user is not able to login the message says:
pam_vas: Authentication <failed> for <Active Directory> user: test reason: <User has a UID conflict>

The user that has the UID conflict is being denied by the PAM module which is the correct behavior. The check-uid-conflicts setting is for applications that bypass the PAM module so that they would be denied by the NSS module.

In this case, you must resolve the UID conflict before the Active Directory user can log in. This is to avoid inadvertent elevation of privileges or cases where users could gain access to files they don't own.

To resolve this issue, please see KB article "User cannot log in, messages states there is a UID conflict" :
https://support.quest.com/SUPPORT/index?page=solution&id=SOL24317&pmv=true&ct=1

Here is from the vas.conf man page:
check-uid-conflicts = <true | false>
Default value: false

To help avoid security problems that result from users sharing UIDs, the pam_vas module will perform a UID conflict check for each VAS user login to ensure that their UID is unique before they are granted access to the system. In the case that a given Unix system has applications that authenticate users but bypass the pam_authenticate() function call, you can set this option to true, which will cause nss_vas to perform a UID conflict check for users during the getpwnam function. If users have a UID conflict, then their login shell will be set to /bin/false or to the value of the access-denied-shell option.

Note that enabling this check does impact the performance of the getpwnam. Only enable this check if necessary and after verifying that the performance impact does not severely impact your environment.

The following example shows how to turn on UID conflict checking during getpwnam() calls for Active Directory Users handled by nss_vas.

[nss_vas]
check-uid-conflicts = true