
It's 2010 now. Flying cars, etc. I want central authentication across a small network of Ubuntu machines - no Windows machines are expected. Ultimately I'd like multi-master (I believe 389, formerly Fedora DS/Netscape Directory Server does this; and OpenLDAP does not?) so I don't have to think too much about failover/redundancy. Please, someone, tell me there is a better solution? Is there a turn-key method for this?
I haven't used it myself, but I think you may be looking for FreeIPA. "FreeIPA is an integrated security information management solution combining Linux (Fedora), Fedora Directory Server, MIT Kerberos, NTP, DNS, Dogtag (Certificate System). It consists of a web interface and command-line administration tools."

Does scripted installs for both server and client, and expects to have full rein over the server install. Also looks like it prefers Fedora or RHEL for both client and server, but there is some noise about packaging for Ubuntu, and I suspect rejigging the client setup script to work with Ubuntu won't be too much of a problem.

If you can deal with the server side of stuff, then Ubuntu has an "ldap-auth-client" and "ldap-auth-config" set of metapackages that install and configure everything needed for LDAP auth. This includes a pam-auth snippet, which, if you haven't come across it before, is like debconf for PAM configurations. Kind of. These don't do Kerberos AFAIK, so they may not work so well against a FreeIPA server, but they also may work just fine.

Finally, a lot of the pain we had in the past regarding LDAP setup was around custom schema and getting Samba integrated with it. If you're not doing Windows desktop clients, then straight LDAP as a backend becomes a lot cleaner, and you could easily just use something like phpldapadmin or ldap-account-manager pointing at a fairly default OpenLDAP server. No need for messing around with Samba stuff, which was where most of the suffering originated from. No need to mess with LDIFs either.
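An added example, not part of the answer above or of the ldap-auth-config package: a small POSIX shell check of the kind worth running on each Ubuntu client after the metapackages have written their files, confirming that nsswitch.conf actually routes passwd/group/shadow through LDAP and that the libnss-ldap/libpam-ldap ldap.conf does not send bind credentials in the clear. The file contents and hostnames are constructed samples; the keys inspected (uri, ssl, tls_checkpeer) are the ones those libraries read from ldap.conf.

```shell
#!/bin/sh
# Post-install checks for an Ubuntu LDAP-auth client set up by the
# ldap-auth-client / ldap-auth-config metapackages. Constructed samples below
# stand in for the real /etc/nsswitch.conf and /etc/ldap.conf.

# nsswitch_has_ldap FILE: 0 if passwd, group and shadow all list the ldap source.
nsswitch_has_ldap() {
    for db in passwd group shadow; do
        grep -Eq "^[[:space:]]*${db}:.*[[:space:]]ldap([[:space:]]|$)" "$1" || return 1
    done
    return 0
}

# ldap_conf_uses_tls FILE: 0 only if the connection is protected (ldaps:// URI
# or "ssl start_tls"/"ssl on") AND the server certificate is verified
# (tls_checkpeer yes); anything else lets bind passwords cross the wire in clear.
ldap_conf_uses_tls() {
    grep -Eq '^[[:space:]]*(uri[[:space:]]+ldaps://|ssl[[:space:]]+(start_tls|on))' "$1" \
        && grep -Eq '^[[:space:]]*tls_checkpeer[[:space:]]+yes' "$1"
}

# --- constructed sample files (hypothetical host/base names) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/nsswitch.conf" <<'EOF'
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
hosts:          files dns
EOF
cat > "$SAMPLE_DIR/ldap-clear.conf" <<'EOF'
base dc=example,dc=com
uri ldap://ldap.example.com/
ldap_version 3
EOF
cat > "$SAMPLE_DIR/ldap-tls.conf" <<'EOF'
base dc=example,dc=com
uri ldap://ldap.example.com/
ldap_version 3
ssl start_tls
tls_checkpeer yes
EOF

# report FILE: one-line verdict for an ldap.conf
report() {
    if ldap_conf_uses_tls "$1"; then echo "$1: OK (TLS with peer verification)"
    else echo "$1: WEAK (cleartext bind or unverified server)"; fi
}

if nsswitch_has_ldap "$SAMPLE_DIR/nsswitch.conf"; then echo "nsswitch: ldap enabled for passwd/group/shadow"; fi
report "$SAMPLE_DIR/ldap-clear.conf"
report "$SAMPLE_DIR/ldap-tls.conf"
```

Point the two functions at the real /etc/nsswitch.conf and /etc/ldap.conf to check a live client.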