When setting up OpenLDAP for the first time, what are some things to keep in mind?

A partial list in no particular order:

• Use cn=config (see man slapd-config).
• Set up Master-Master replication at your core.
• Always use some sort of encryption for authentication.
• LDAPS (port 636) is deprecated in favor of STARTTLS for LDAP.
• SASL-GSSAPI and SASL-EXTERNAL are useful if you don't like entering passwords a lot.
• Disable SASL mechanism you don't support.
• Don't use the root DN when you don't have to.
• Pay attention to your ACLs (e.g. users should not have write access to uidNumber and gidNumber).
• ldapseach -x -H $URI is a an anonymous search. (ldapwhoami -x -H $URI).
• Limited local replicas can be much better than nscd (self access via ldapi:///).
• Overlay memberof is very handy for group membership.

Probably important:
Understand the documentation. It's not everything you need, but it sure helps.

SSL Libraries

Debian(and thus Ubuntu) package OpenLDAP compiled against gnuTLS instead of OpenSSL. This is fine for playing around, but gnuTLS has been significantly slower on our network. I always rebuild the Ubuntu package compiled against OpenSSL.

Other distros may do the same or different.

Kerberos

Kerberos doesn't really seem useful in my environment(~200 linux workstations, ~40 macs, nfs servers, imap, smtp, web server). None of our common client applications support kerberos authentication(Firefox, Thunderbird). It would just be used on a host level for NFS and as a PAM module for authentication. I think SSL can do just as good a job at keeping passwords secret.

If you do use kerberos, you should use Heimdal for integration with the OpenLDAP smbk5pwd overlay.

Client Libraries

The default library for nss from PADL is a bit bloated and troublesome. I recommend you try SSS or nss-pam-ldapd. They both work very well in my environment.

SSS does so much more than PADL's libraries. It includes caching, so you don't need nscd.

nss-pam-ldapd is a rewrite of the PADL libraries made to be much more efficient.

Managing your data

I am a big fan of phpLDAPAdmin. It makes it very easy to view your schemas and modify individual entries.

Other LDAP Servers

They may be slower, but they have more advanced features.

You might want to try ApacheDS since it has builtin kerberos.

This question is really too broad to answer, and any answer would be heavily dependent on your environment.

Some things I would consider are:

• Does LDAP make sense as the authentication system?
  • If not, what might be better?
• Does LDAP make sense as the authorization system?
  (authorization would be things like sudoers)
  • If not, what might be better?
• What kind of security makes sense?
  • SSL? (pretty much definitely)
  • Kerberos? (Does everything support it? WILL everything support it in the future?)
  • What about security within LDAP itself (ACLs)
    • Object/Subtree permissions
    • Browsable/Searchable by... (anyone (anonymous), registered users, admins, etc...)
    • How will users change their password?
• How will we get the individual workstations to respect LDAP information?
  • pam_ldap/nss_ldap? (old & busted, but works)
  • pam_ldapd (new hotness: Fewer LDAP connections, other benefits, but some unimplemented features)
• Will we have to interact with Windows - EVER?
  (If you say "yes" here you really need to use AD as the LDAP server)