In both cases we have to edit three files.

The first is the client configuration read by nss_ldap and pam_ldap:

    BASE dc=domain, dc=com
    scope sub
    suffix "dc=domain,dc=com"
    ## needed when root should be able to change a user's password; the password
    ## for this DN is read from the root-only secret file (/etc/ldap.secret, mode 0600)
    rootbinddn cn=Manager,dc=domain,dc=com
    ## these keep logins from hanging when your LDAP server dies
    timelimit 5
    bind_timelimit 5
    ## plain ldap:// sends binds and (with pam_password exop) new passwords in the clear;
    ## use ldaps:// or add "ssl start_tls" wherever client and server are not the same host
    uri ldap://ldap.domain.com/
    pam_password exop
    ldap_version 3
    pam_filter objectclass=posixAccount
    pam_login_attribute uid
    pam_member_attribute memberuid
    ## the nss_base_* entries must sit under the same suffix as BASE; the lines below
    ## still carry a different suffix (dc=cognifide,dc=pl) and have to be changed to yours
    nss_base_passwd ou=Computers,dc=cognifide,dc=pl
    nss_base_passwd ou=People,dc=cognifide,dc=pl
    nss_base_shadow ou=People,dc=cognifide,dc=pl
    nss_base_group ou=Group,dc=cognifide,dc=pl
    nss_base_hosts ou=Hosts,dc=cognifide,dc=pl

The second is the PAM stack for system logins. The module file names after pam_ did not survive in this copy; each line keeps the control flag and the options it carried:

    auth     required   pam_
    auth     sufficient pam_ likeauth nullok
    auth     sufficient pam_ use_first_pass
    auth     required   pam_
    account  sufficient pam_
    account  sufficient pam_
    account  required   pam_
    password required   pam_ difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
    password sufficient pam_ nullok md5 shadow use_authtok
    password sufficient pam_ use_first_pass
    password required   pam_
    session  required   pam_
    session  required   pam_
    session  optional   pam_

Time to test it. Pick a user from your system and issue:

    getent passwd | grep foouser

You should get the user twice: once from /etc/passwd and once from LDAP, because the migrated account still exists in both sources. If so, nss_ldap works fine.
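The PAM stack above lost the module file name on every line, so here is the complete stack as I would write it for nss_ldap/pam_ldap. This is an added reconstruction, not the page's own text: the module on each line follows from the options it carries (likeauth, nullok, md5, shadow and use_authtok are pam_unix options; difok, minlen, dcredit, ocredit and retry are pam_cracklib options; the use_first_pass lines that follow a unix line are pam_ldap), while pam_env, pam_deny and pam_limits on the option-less lines are my assumption, matching the usual nss_ldap system-auth layout.

```text
# auth: local password first, then LDAP with the same password, then deny
auth     required   pam_env.so
auth     sufficient pam_unix.so likeauth nullok
auth     sufficient pam_ldap.so use_first_pass
auth     required   pam_deny.so

# account: either source may vouch for the account, otherwise deny
account  sufficient pam_unix.so
account  sufficient pam_ldap.so
account  required   pam_deny.so

# password: quality check, then store locally or in LDAP, otherwise deny
password required   pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so nullok md5 shadow use_authtok
password sufficient pam_ldap.so use_first_pass
password required   pam_deny.so

# session: limits and local bookkeeping are mandatory, the LDAP session hook is not
session  required   pam_limits.so
session  required   pam_unix.so
session  optional   pam_ldap.so
```

The three `required pam_deny.so` lines are what keep each stack closed when both pam_unix and pam_ldap fail, so keep them even if you trim the rest. `nullok` on the auth and password lines accepts empty passwords; drop it on any host that is reachable from untrusted networks.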

Now that we have a proper config for slapd, we can start the daemon:

    /etc/init.d/slapd start

Remember that the file holding the arguments passed to slapd must also make it listen on its local socket (the path there should point to slapd.sock). Now we can test whether OpenLDAP is running and working properly.

We do not have any data in the directory yet, but we can already try to bind as cn=Manager,dc=domain,dc=com. A successful bind as the manager proves two things at once: slapd is reachable on the URI we use, and the manager password configured for slapd matches the one we supply.
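The bind test described above, as an added example that is not part of the original page: it tries the manager bind first over the local ldapi:// socket and then over TCP, and translates the client's exit status into a verdict. It assumes the OpenLDAP client tools are installed; the socket path, the manager DN and the password file are placeholders to adjust to your setup. The password is read with `-y` from a root-only file so that it never appears in `ps` output.

```sh
#!/bin/sh
# Added example, not from the original page: check that slapd is up and that the
# manager DN can bind, first over the local ldapi:// socket and then over TCP.
# Assumptions: the OpenLDAP client tools are installed, the socket path below
# matches the listener slapd was started with, and the manager password is kept
# in a root-only file (passed with -y so it never shows up in `ps`).

# Build an ldapi:// URI from a socket path. Every "/" in the path has to be
# percent-encoded; otherwise the client takes the path for a host name.
ldapi_uri() {
    printf 'ldapi://%s\n' "$(printf '%s' "$1" | sed 's,/,%2F,g')"
}

# Simple bind as $2 against $1 with the password read from file $3, then map
# the exit status (ldapwhoami exits with the LDAP result code) to a verdict.
# Prints the verdict and returns the status.
bind_check() {
    uri=$1; binddn=$2; pwfile=$3
    if ! command -v ldapwhoami >/dev/null 2>&1; then
        echo "skip: ldapwhoami not installed"
        return 0
    fi
    ldapwhoami -x -H "$uri" -D "$binddn" -y "$pwfile" >/dev/null 2>&1
    rc=$?
    case $rc in
        0)   echo "ok: bound as $binddn via $uri" ;;
        49)  echo "fail: invalid credentials for $binddn (manager password does not match)" ;;
        255) echo "fail: cannot contact $uri (slapd not listening there?)" ;;
        *)   echo "fail: ldapwhoami exit status $rc for $uri" ;;
    esac
    return $rc
}

# Placeholders (assumptions, adjust to your setup).
MANAGER_DN="cn=Manager,dc=domain,dc=com"
SOCKET_PATH=/var/run/openldap/slapd.sock
PW_FILE=/etc/openldap/manager.secret   # mode 0600, root only

bind_check "$(ldapi_uri "$SOCKET_PATH")" "$MANAGER_DN" "$PW_FILE"
bind_check ldap://ldap.domain.com/ "$MANAGER_DN" "$PW_FILE"
```

Once the bind works, the same options on `ldapsearch -x -H <uri> -D <manager dn> -y <file> -b dc=domain,dc=com` show you the (still empty) tree, and an anonymous `ldapsearch -x -H <uri> -b dc=domain,dc=com` tells you what an unauthenticated client is allowed to read.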



The lesser of two evils appears to be adding LDAP users to file-based groups on a system-by-system basis, which then creates another type of management overhead.

If we are to keep all the migrated information in LDAP, then do we leave all or some of the duplicated entries in the system?

The Gentoo LDAP document even goes so far as to test the function of nss-ldap after migration by using getent to test for multiple root accounts.

As far as I can imagine, the only groups and users we should have in LDAP are those which are associated with human and automated logins which we wish to administrate from a central location and wish to make available across systems and/or applications.

However, where an account needs to be a part of a group created by the system, this brings up the obvious question.
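The getent test earlier on this page and the multiple-root concern in the post above come down to the same two questions: which accounts now resolve from both NSS sources, and which entries in either source carry UID 0. The script below answers them from passwd-format input; it is an added example, not part of the original page or of the post. On a live host glibc's getent dumps each source separately (`getent -s files passwd`, `getent -s ldap passwd`); the sample data embedded here is constructed and deliberately contains a second root on the LDAP side.

```sh
#!/bin/sh
# Added example, not from the original page: find accounts that resolve from
# BOTH the files and ldap NSS sources after a migration, and every account in
# either source that carries UID 0. Input is passwd(5) text
# (name:x:uid:gid:gecos:home:shell), one file per source, which is what
# `getent -s files passwd` and `getent -s ldap passwd` print on a live host.

# Names present in both passwd-format files $1 and $2, one per line, sorted.
dup_accounts() {
    awk -F: 'NR == FNR { seen[$1] = 1; next } ($1 in seen) { print $1 }' "$1" "$2" | sort -u
}

# "source:name" for every entry in the given files whose numeric UID is 0.
uid0_accounts() {
    awk -F: '$3 == 0 { n = split(FILENAME, p, "/"); print p[n] ":" $1 }' "$@"
}

# Constructed sample data standing in for the two getent dumps (not captured
# from a real system). The LDAP side carries a second root, the case to catch.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
FILES_SAMPLE="$SAMPLE_DIR/files"
LDAP_SAMPLE="$SAMPLE_DIR/ldap"
cat > "$FILES_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
foouser:x:1000:1000:Foo User:/home/foouser:/bin/bash
EOF
cat > "$LDAP_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
foouser:x:1000:1000:Foo User:/home/foouser:/bin/bash
baruser:x:1001:1001:Bar User:/home/baruser:/bin/bash
EOF

# On a real host replace the samples with the live sources:
#   getent -s files passwd > "$FILES_SAMPLE"; getent -s ldap passwd > "$LDAP_SAMPLE"
echo "accounts served by both files and ldap (these show up twice in 'getent passwd'):"
dup_accounts "$FILES_SAMPLE" "$LDAP_SAMPLE" | sed 's/^/  /'
echo "uid 0 accounts per source:"
uid0_accounts "$FILES_SAMPLE" "$LDAP_SAMPLE" | sed 's/^/  /'
```

A name that shows up in the first list is the "result twice" the tutorial uses as its success check, and it is also exactly the duplication the post worries about; run the second list before anything else, since a root entry served from LDAP means the directory's ACLs and the manager password now gate root on every client host.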