A good idea is to do a service you can easily test first (say, pop3) and make sure everything's working. You could also temporarily delete your user or a user you care little about from /etc/passwd, /etc/shadow and /etc/group, to ensure that it really is getting things from LDAP. I'm not sure how much of a brilliant idea this is, but if you're careful it should be okay. DON'T REMOVE ROOT FROM /etc/passwd. root isn't in the ldap server. 

  

 So once you can telnet to the pop3 port and log on with pop3 against LDAP, start shifting some other services over, and test them as you go. Note that ssh likes to be restarted after you change it's pam.d file, this caught me out. Be careful shifting things like 'login' over. :) 

  

 __The End__ 

  

 And that's it! After the services you want to use are shifted over, you're now running a system authenticating off LDAP. Delete your local users and leave the LDAP ones there. Don't delete user root, and don't put root on the LDAP server. It's probably not a good idea. Things may be going a little slowly, so you might want to install nscd(8) to speed things up, as it caches all ldap requests. To set up other machines to authenticate off this server, just perform the steps from "Setting up PAM" and onwards on the other machine, but using the IP of your real LDAP server instead of 127.0.0.1 (obviously).