Fed up with manually copying over /etc/passwd etc. again lost hairs with NISPLUS?
I searched for a long time on the net, look at the list below and read at least partly 3 books.
Very time consuming, therefor I'm going to describe an simple setup with a Debian LDAP server (slapd) and some Debian clients. Most stuff will also apply to other distrbutions.
IMPORTANT: If you have questions whatever, contact me: christian@leber.de

General Notes

In this example the following things apply:

Step for Step to a working LDAP setup

First we have to install slapd on the server we are going to use. Even when we don´t want to use automount on the LDAP server, we´ll very likely need the supplied schema to use the LDAP server for automount/autofs entries.
(on woody add: "deb http://www.ecology.uni-kiel.de/mirrors/debian/backports.org/debian/dists/woody/openldap2/ ./" or another mirror from backports.org to your /etc/apt/sources.list
and put this file http://debian.christian-leber.de/ldap/automount.schema in your /etc/ldap/schema directory)
apt-get install slapd autofs-ldap
So debconf will ask us some stuff, probably not everything what's here, don't worry: this will give us a slapd.conf like this one: http://debian.christian-leber.de/ldap/01/slapd.conf
Now we allready have some stuff in the database (debconf), just run slapcat and get about this:
dn: dc=leber
objectClass: top
objectClass: dcObject
objectClass: organization
o: Some organisation
dc: leber
structuralObjectClass: organization
entryUUID: 06d98d7e-f466-1027-990b-83a2de42985c
creatorsName: cn=anonymous
modifiersName: cn=anonymous
createTimestamp: 20040216005140Z
modifyTimestamp: 20040216005140Z
entryCSN: 2004021600:51:40Z#0x0001#0#0000

dn: cn=admin,dc=leber
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e2NyeXB0fVFmWU8vQVJGSllyM0E=
structuralObjectClass: organizationalRole
entryUUID: 06e5b7b6-f466-1027-990c-83a2de42985c
creatorsName: cn=anonymous
modifiersName: cn=anonymous
createTimestamp: 20040216005140Z
modifyTimestamp: 20040216005140Z
entryCSN: 2004021600:51:40Z#0x0002#0#0000
Now you can pipe this to a file, and you have a nice backup: slapcat >backup We have allready installed autofs-ldap, we probably don´t need the automounter on the server, but we need the included schema later for automounting, so add:
include         /etc/ldap/schema/automount.schema
directly after the other include lines. and also this to the global directives:
password-hash {SSHA}
While doing something with slapd we may allready set TLS up.
First we need a private key and a certificate, we just go to our /etc/ldap and do the following.
The Common Name is _VERY_ important it needs to be the full hostname of your ldap server. (get it with hostname IP-ADDRESS)
openssl genrsa -out ldap.key 1024
openssl req -new -key ldap.key -out ldap.csr
Now we are doing our own CA:
openssl genrsa -des3 -out ca.key 2048
openssl req -new -x509 -days 3650 -key ca.key -out ca.cert
And we sign our key for 10 years...
openssl x509 -req -in ldap.csr -out ldap.cert -CA ca.cert -CAkey ca.key -CAcreateserial -days 3650
now just add the following to the slapd.conf within the Global Directives Section:
TLSCertificateFile /etc/ldap/ldap.cert
TLSCertificateKeyFile /etc/ldap/ldap.key
TLSCACertificateFile /etc/ldap/ca.cert
Ok, so now slapd is fine and we need to add some stuff to our LDAP database
I suggest using phpldapadmin, because it's easy to set up and actually works, like probably a lot of other tools.
Installation is really easy, just get it and untar it to /var/www somewhere. (it's here: http://phpldapadmin.sourceforge.net/)
as long as the most recent release is 0.9.3 get this cvs snapshot, you'll need it for the Automount entries: http://debian.christian-leber.de/ldap/phpldapadmin_20040219.tar.bz2
Rename is to a name without version number, change to the dir and copy config.php.example to config.php
You need to adjust some parameters:
$servers[$i]['host'] = 'craptop.home';
$servers[$i]['base'] = 'dc=leber';
$servers[$i]['auth_type'] = 'form';
$servers[$i]['login_dn'] = 'cn=admin,dc=leber';
$servers[$i]['default_hash'] = 'ssha';
(FIXME: TLS etc. mit phpldapadmin)

Under dc=leber we create the Organizational Units "people" and "group".
Now we create at least one "Posix Group" byond group and add at least one user beyond people.

Now we should have a working LDAP server with at least one group and one user.
We'll take care for automounting $home of the users later.

Setting up a Debian client box to use LDAP

First we install the Name Service Cache Daemon:
apt-get install nscd
The next thing is the NSS module for LDAP:
apt-get install libnss-ldap
The config file of libnss-ldap ist btw. /etc/libnss-ldap.conf, we'll probably have to change it later.
As of now LDAP is not used, we have to change the /etc/libnss.conf to use it, therefore change the passwd,group and shadow line that it looks like this:
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
Now we can try it:
root@igor3:~# touch /tmp/testfile
root@igor3:~# chown 1097 /tmp/testfile
root@igor3:~# ls -l /tmp/testfile
-rw-r--r--    1 christian root            0 2004-02-28 21:45 /tmp/testfile
Excellenti, it works!
Hopefully not only on my box. :-)

For logging in to a computer PAM will be used the client will send the password to the LDAP server that says if the password is ok or not.
apt-get install libpam-ldap	
Now PAM needs to know about the new authentification Method, on debian sarge or newer it's enough to have the following stuff:
The configuration file of libpam-ldap is btw.: /etc/pam_ldap.conf

Now we have to do some changes to use TLS for authentification. restarting sshd is probably a good idea: /etc/init.d/ssh restart
Now you should be able to login with ssh, you probably also have to restart other services before they work.

Setting up autofs/automount

-add stuff
create custom  with ou=auto.master, choose the ObjectClass automountMap
create beyond auto.master a object with cn=/home where the ObjectClass is automount
automountInformation is: ldap:,ou=Automount,dc=leber rsize=8192,wsize=8192

-edit /etc/defaults/autofs
-add to /etc/nsswitch.conf
automount: ldap

On the client (debian sarge+):
apt-get install ldap-utils
BASE    dc=leber
URI     ldap://


software for LDAP

ldots.org: LDAP Authentication HOWTO
metaconsultancy.com: Using OpenLDAP
metaconsultancy.com: LDAP Authentication for Linux
Pam Module for Solaris
LDAP: Integrating Authentication Across Operating Systems and ...
Secure LDAP for Solaris (via TLS/SSL)
compiling openssl, openldap and the pam module for solaris 8 Naming and Directory Services in the Solaris 9 Operating Environment Data Sheet
Christof Meerwald: Quick-Start Guide to LDAP (Lightweight Directory Access Protocol)
Christof Meerwald: Backports to woody (debian 3.0) (libpam-ldap, directory-administrator)
Automount über LDAP
wiki.debian.net: Configuring LDAP Authentication for Debian

Setting up an replicator server

add to the /etc/slapd.conf global section:
replogfile	/var/lib/ldap/slapd.replog


Now we need a key for our replica server, so we go to /etc/ldap on our master and do:

openssl genrsa -out replica.key 1024
openssl req -new -key replica.key -out replica.csr

Remember, Common Name NEEDS to be the host name of your replica server.

No we sign our key with the CA we have done earlier.

openssl x509 -req -in replica.csr -out replica.cert -CA ca.cert -CAkey ca.key -CAcreateserial -days 365

So now we have to get a replica server, without replica is not very helpfull, you know?

We install it, configuration doesn't matter, better nothing automatic.

apt-get install slapd autofs-ldap

now stop it /etc/init.d/slapd stop
delete the database in /var/lib/ldap, we'll migrate our own stuff from our master server

Now copy over the /etc/ldap/slapd.conf from the master to the replica.

It will stay the same, besides that we remove the replogfile and the replica stuff
and add all in the Database section:
rootdn	"replica,dc=leber"
rootpw	{SSHA}....
  (Use slappasswd to generate the password.)
updatedn        "cn=replica,dc=leber"
updateref	ldap://craptop.home

on the master /etc/init.d/slapd stop
on the replica /etc/init.d/slapd start
on the master /etc/init.d/slapd start

Now we go again to our clients...

damn, doesn't work

How to backup/save/dump the whole LDAP database?
/etc/init.d/slapd stop
slapcat > backup.ldif
/etc/init.d/slapd start