I recently had to setup a couple of OpenLDAP servers in mirror replication mode, to authenticate users accessing Unix hosts, ranging from Fedora 11 to 14, and CentOS 6. I had already setup that kind of solution a few years ago, and I have to say it’s a lot more mature and stable now. I mean both the client and server side have been improved, especially with OpenLDAP 2.4.31 which prooves to be the first 2.4.x « production » version.
Also, most of the LDAP clients configuration keeps consistent now, while it used to be very heterogeneous in the past. Yet, some progress still needs to be done, in the encryption area, for example, where libraries are not always fully compatible from one client application to another, even on the same system.
Also, a newcomer (in comparison with PAM or NSS) in the authentication area now spreads to the different Linux flavours: SSSD. SSSD stands for System Security Services Daemon. It can be seen as a « nscd partner », but since it’s more recent, it also enhances the authentication process, especially when using a network authentication server like LDAP.
Indeed, sssd has the ability to work offline, (as far as users have already authenticated online once), which can be convenient on a laptop. Also, sssd runs over NSS and PAM, so it probably won’t break your existing authentication process, and actually improves it. There’re many options to configure it, especially to adjust its cache behaviour, so it can really make sense in some environments at least. Also, sssd efficiently deals with the boot process, especially when your LDAP server is down, and can also be used on the LDAP server itself, while configuring the LDAP server as its own client used to bring problems in the past. So, enjoy it !