Submitted by Anonymous (not registered) on Fri, 2010-07-09 18:37.

Given that the PADL migration scripts don't specify a minimum UID or GID for migration, and that one may wish to use an LDAP store across multiple distros where UIDs and GIDs may not always be the same at install, and where new accounts may be created during the installation of software, how much of that data should we really have in our LDAP servers?

The Gentoo LDAP document even goes so far as to test the function of nss-ldap after migration by using getent to test for multiple root accounts.

As far as I can imagine, the only groups and users we should have in LDAP are those which are associated with human and automated logins which we wish to administrate from a central location and wish to make available across systems and/or applications.

However, where an account needs to be a part of a group created by the system, this brings up the obvious question. Either location in which we decide to keep this information creates a potential for inconsistency. The lesser of two evils appears to be to add LDAP users to file-based groups on a system-by-system basis, which then creates another type of management overhead.

If we are to keep all the migrated information in LDAP, then do we leave all or some of the duplicated entries in the system? Do we leave system-sensitive accounts such as root in LDAP?

It isn't a good idea to remove the root account (among others) from the system files, as tempting a thought as it is to have a centrally managed root password (there are better ways to deal with root access anyway). And how do we then manage the concept of multiple distributions with differing uid/gid setups? Much of the latter has been mitigated by a fairly standard stock set of uid/gid mappings, and through the creation of many accounts on an install basis. I am not sure at all that any given package will check first to see that an account/group has been previously created via some reliable method (getent) before performing a creation, which could create another overhead in administration.

What are your experiences with, and solutions to, managing authentication data across a collection of systems using LDAP?
