HOWTO use Lotus Domino as an LDAP Authentication server for POSIX systems.
Introduction
Lotus Domino, often seen just as an enterprise-class email and calendar application, actually provides more services and supports more open standards than many people realise. This HOWTO addresses the Domino LDAP server and describes how to set up a Linux system to use the Domino directory as an authentication server. At the end of the process you will be able to log in to your Linux box using your Domino short name (usually first initial + surname) and your Domino internet password. Applications that use PAM (Pluggable Authentication Modules) will all use the Domino directory for their authentication data.

Setting up in Domino
On the server console type "Load LDAP". This will either start the LDAP service or tell you that it was already started.
You might want to full-text index your Domino directory; it makes lookups a lot faster.

Installing nss_ldap and pam_ldap
Obtain nss_ldap and pam_ldap from http://www.padl.com
su to root or log in as root.
Tip: open a couple of sessions as root and leave them open; you could lock yourself out of the system later on. (If you do, then see the section entitled "Woops I locked myself out".)

gunzip nss_ldap-VERSION.tar.gz      (VERSION is a placeholder for the release you downloaded; unpack pam_ldap the same way)
tar -xvf nss_ldap-VERSION.tar
cd nss_ldap-VERSION
./configure
make
make install
cd ..
cd pam_ldap-VERSION
./configure
make
make install

Now let's do a quick test:
ldapsearch -h 'waterfall.dominux.co.uk' -x -D'cn=Alan Bell,o=Dominux' -LLL -W 'uid=abell'
It should ask you for a password and then display your details.

Now we need to tell the system where our LDAP server is. Edit /etc/ldap.conf in your favourite editor. If you don't have a favourite, use pico: it is very easy and basic with no bells and whistles; all you need to know is that ctrl+x exits, and you will be prompted to save any changes.

pico /etc/ldap.conf (you are still root, aren't you?)

Leave the host line commented out and use a URL line instead (there is no particularly compelling reason to do this, but it seems to be the favoured new syntax):
URL ldap://www.intec.co.uk

binddn - this is the distinguished name (fully canonicalised name in Domino speak) of a user of the directory that can read the directory. I set up a user in Domino for this purpose.
bindpw - the internet password of the user you just entered. This is plaintext, so anyone who can read /etc/ldap.conf can log in to Domino with a browser as the LDAP user if they want. Think about this for a while, then continue . . .

rootbinddn - the name of a user to use when root on the Linux box does an LDAP query; login runs as root.
There is no password line to go with this: the password for root is held in a separate file, /etc/ldap.secret, which we will create when done editing ldap.conf.

Creating ldap.secret
echo password >/etc/ldap.secret        (password is the rootbinddn user's internet password)
chmod 600 /etc/ldap.secret             (only root may read or write it)

Extending the Domino directory to add the posixAccount objectclass
Out of the box Domino does not have all the fields on the Person document that are needed to support the posixAccount schema. You can probably do something with schema mapping, but I prefer to extend the Domino directory.
Open the Domino directory with Domino Designer and add a new subform; call it "LDAP posixAccount Schema" (this name isn't critical, just a suggestion). On the subform add the following fields:

Note: all are text. Do not for a moment consider making UIDNumber and GIDNumber numeric; if you do, then you are stuffed, as the UNK table gets the wrong datatype.

UIDNumber - text!!!! Editable, default value something to create a unique number. I used "@Text(@Integer(1000+(@Random*1000)))"

GIDNumber - text!!!! Computed, formula is "UIDNumber"

home directory - editable, default value "/home/" + @LowerCase(shortname)

login shell - editable, default value "/bin/bash"

$objectclass - computed, allow multiple values, "posixAccount":"posixGroup"

Add your subform to the existing subform $PersonExtensibleSchema.

Refresh a few person documents.

Go to your server console and type: tell ldap reload schema

You now have a nicely configured LDAP server.
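As an added example (not part of the original HOWTO) of what to check before pointing nss_ldap at the extended directory: the script below parses a constructed LDIF dump of the kind ldapsearch returns, verifies each person carries posixAccount with its required attributes, and flags the two ways the field defaults above can bite: a uidNumber in the system range, and two people who drew the same number from @Random, which would make them indistinguishable to the filesystem. The sample entries, names and numbers are constructed.

```python
"""Sanity-check posixAccount entries exported from a Domino directory.

Added example, not part of the HOWTO. The LDIF below is constructed to
mimic what Domino returns once the person form carries the posixAccount
subform; the people in it are invented.
"""
import re

# Attributes the posixAccount objectclass requires (RFC 2307).
REQUIRED_ATTRS = ("uid", "cn", "uidNumber", "gidNumber", "homeDirectory")

# Constructed sample export. The default formula
# @Text(@Integer(1000+(@Random*1000))) can hand two people the same number,
# which is what the second entry illustrates; the third has an id of 0.
SAMPLE_LDIF = """\
dn: cn=Alan Bell,o=Dominux
objectClass: inetOrgPerson
objectClass: posixAccount
uid: abell
cn: Alan Bell
uidNumber: 1042
gidNumber: 1042
homeDirectory: /home/abell
loginShell: /bin/bash

dn: cn=Bob Smith,o=Dominux
objectClass: inetOrgPerson
objectClass: posixAccount
uid: bsmith
cn: Bob Smith
uidNumber: 1042
gidNumber: 1042
homeDirectory: /home/bsmith
loginShell: /bin/bash

dn: cn=Carol Jones,o=Dominux
objectClass: inetOrgPerson
objectClass: posixAccount
uid: cjones
cn: Carol Jones
uidNumber: 0
gidNumber: 0
homeDirectory: /home/cjones
loginShell: /bin/bash

dn: cn=Dave Lee,o=Dominux
objectClass: inetOrgPerson
uid: dlee
cn: Dave Lee
"""


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of {attr: [values]} dicts.

    Handles only what the sample uses: 'attr: value' lines, blank lines
    between entries, no line folding and no base64 values.
    """
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def check_posix_accounts(entries, min_uid=1000):
    """Return (dn, problem) tuples for entries nss_ldap should not be given:
    missing objectclass or attributes, non-numeric ids, ids below min_uid
    (system accounts), or a uidNumber already taken by another person."""
    problems, seen_uid = [], {}
    for e in entries:
        dn = e.get("dn", ["?"])[0]
        if "posixAccount" not in e.get("objectClass", []):
            problems.append((dn, "not a posixAccount (schema not applied or document not refreshed)"))
            continue
        missing = [a for a in REQUIRED_ATTRS if a not in e]
        if missing:
            problems.append((dn, "missing required attributes: " + ", ".join(missing)))
            continue
        for attr in ("uidNumber", "gidNumber"):
            val = e[attr][0]
            if not re.fullmatch(r"\d+", val):
                problems.append((dn, f"{attr} is not an integer: {val!r}"))
            elif int(val) < min_uid:
                problems.append((dn, f"{attr} {val} is in the system account range (< {min_uid})"))
        uidn = e["uidNumber"][0]
        if uidn in seen_uid:
            problems.append((dn, f"uidNumber {uidn} already used by {seen_uid[uidn]}"))
        else:
            seen_uid[uidn] = dn
    return problems


if __name__ == "__main__":
    for dn, why in check_posix_accounts(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}: {why}")
```

Run it against a real export with ldapsearch -LLL piped to a file; a duplicate uidNumber is worth fixing in the person document before the user ever logs in, because two accounts sharing a uid own each other's files.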

On the client side (that is, your Linux machine)

Open a couple of root shells and leave them open; you could lock yourself out in this process.

Edit /etc/ldap.conf; only the following lines should be uncommented:

host www.yourserver.com
binddn cn=Jean-Luc Picard,o=Enterprise
bindpw makeitso
rootbinddn cn=Jean-Luc Picard,o=Enterprise
pam_password clear
ssl no

Replace the example server, user and password (www.yourserver.com, Jean-Luc Picard and makeitso) with a user and password that can read your NAB but not much else. Note that ldap.conf lines are "key value" separated by whitespace, not "key=value".

echo makeitso >/etc/ldap.secret        (then lock the file down as described under "Creating ldap.secret")
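The two ldap.conf passages (the binddn/bindpw/rootbinddn explanation earlier and the client-side file just shown) share the same pitfalls: the bind password sits in plaintext, the file must use "key value" rather than "key=value", and ldap.secret must not be readable by anyone but root. The script below is an added example, not part of the HOWTO; it audits a copy of the config for those points, using constructed temporary files that carry the HOWTO's example values, and reports what it finds before and after the fix.

```python
"""Audit an nss_ldap/pam_ldap style ldap.conf and its companion ldap.secret.

Added example, not part of the HOWTO. It checks for the problems the text
warns about: a bindpw stored in plaintext in a file other users can read,
a 'key=value' line that the 'key value' parser will not recognise, a
rootbinddn with no ldap.secret, and an ldap.secret that is not mode 0600.
File paths are parameters so the demo can run on temporary copies.
"""
import os
import re
import stat
import tempfile

SERVER_KEYS = ("host", "uri", "url")   # the HOWTO spells the uri line "URL"
REQUIRED_KEYS = ("binddn", "rootbinddn", "pam_password")


def parse_ldap_conf(text):
    """Return (settings, bad_lines). ldap.conf is one 'key value' per line
    with '#' comments; 'bindpw=secret' has no separator and is reported."""
    settings, bad = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+)\s+(.+)$", line)
        if not m:
            bad.append((lineno, line))
            continue
        settings[m.group(1).lower()] = m.group(2).strip()
    return settings, bad


def audit(conf_path, secret_path):
    """Return a list of findings; an empty list means nothing obvious is wrong."""
    findings = []
    with open(conf_path) as f:
        settings, bad = parse_ldap_conf(f.read())
    for lineno, line in bad:
        findings.append(f"line {lineno}: {line!r} is not 'key value' syntax")
    if not any(k in settings for k in SERVER_KEYS):
        findings.append("no host/uri line: nss_ldap has no server to talk to")
    for k in REQUIRED_KEYS:
        if k not in settings:
            findings.append(f"missing '{k}' line")
    conf_mode = stat.S_IMODE(os.stat(conf_path).st_mode)
    if "bindpw" in settings and conf_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("bindpw is plaintext and the file is readable by other users; "
                        "the bind account must be able to read the directory and nothing more")
    if "rootbinddn" in settings:
        if not os.path.exists(secret_path):
            findings.append(f"rootbinddn set but {secret_path} does not exist")
        elif stat.S_IMODE(os.stat(secret_path).st_mode) & 0o077:
            findings.append(f"{secret_path} is readable by non-root users; expected mode 0600")
    if settings.get("ssl", "no").lower() == "no" and settings.get("pam_password") == "clear":
        findings.append("ssl no + pam_password clear: passwords cross the network unencrypted")
    return findings


def demo():
    """Audit a constructed copy of the HOWTO's client config containing the
    'bindpw=makeitso' typo and a world-readable ldap.secret, then the fixed one."""
    base = ("host www.yourserver.com\n"
            "binddn cn=Jean-Luc Picard,o=Enterprise\n"
            "{bindpw}\n"
            "rootbinddn cn=Jean-Luc Picard,o=Enterprise\n"
            "pam_password clear\n"
            "ssl no\n")
    with tempfile.TemporaryDirectory() as d:
        conf, secret = os.path.join(d, "ldap.conf"), os.path.join(d, "ldap.secret")
        with open(secret, "w") as f:
            f.write("makeitso\n")          # constructed; the HOWTO's own example value
        with open(conf, "w") as f:
            f.write(base.format(bindpw="bindpw=makeitso"))
        os.chmod(conf, 0o644)
        os.chmod(secret, 0o644)
        before = audit(conf, secret)
        with open(conf, "w") as f:
            f.write(base.format(bindpw="bindpw makeitso"))
        os.chmod(conf, 0o600)
        os.chmod(secret, 0o600)
        after = audit(conf, secret)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", *before, sep="\n  ")
    print("after:", *after, sep="\n  ")
```

The one finding that survives the fix is the cleartext password on the wire, which is what "ssl no" plus "pam_password clear" amounts to; the HOWTO's setup accepts that, so the audit only reports it.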

Run authconfig, or edit /etc/pam.d/system-auth; mine looks like this:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so

account required /lib/security/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
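The stanza above works because of how Linux-PAM walks the stack, and the order matters: pam_env always succeeds, so without the final pam_deny line a user that neither pam_unix nor pam_ldap recognises would still pass the auth stack. The following Python, added here and not part of the HOWTO, models the dispatcher's control flags (required, sufficient, and the bracketed form used on the account line) and runs a few constructed login scenarios through the page's two stacks. The return-code names are simplified versions of the PAM_* constants.

```python
"""Walk a PAM stack the way Linux-PAM's dispatcher does.

Added example, not from the HOWTO. Module results are simplified names
('success', 'auth_err', 'user_unknown', ...) and the scenarios are
constructed; the two stacks are the ones in the HOWTO's system-auth.
"""

# The simple control keywords as the bracketed action tables Linux-PAM
# maps them to.
SIMPLE_CONTROLS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}


def parse_control(token):
    """'required' -> action table; '[default=bad success=ok ...]' -> same shape."""
    if token.startswith("["):
        return dict(kv.split("=", 1) for kv in token.strip("[]").split())
    return SIMPLE_CONTROLS[token]


def run_stack(stack, module_results):
    """stack: (control, module) pairs in file order.
    module_results: what each module returns for this attempt; a module
    missing from the dict is treated as returning 'user_unknown'.
    Returns 'success' or the failure code the application would see."""
    impression = None      # None = nothing counted yet, True = positive, False = negative
    status = None
    for control, module in stack:
        actions = parse_control(control)
        retval = module_results.get(module, "user_unknown")
        action = actions.get(retval, actions.get("default", "bad"))
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            if impression is None or (impression is True and status == "success"):
                impression, status = True, retval
            if impression is True and action == "done":
                return status          # sufficient: stop with success now
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, retval   # first failure wins
            if action == "die":
                return status
        elif action == "reset":
            impression, status = None, None
    # Every module ignored: Linux-PAM refuses rather than guessing.
    return status if impression is not None else "perm_denied"


AUTH_STACK = [
    ("required",   "pam_env.so"),
    ("sufficient", "pam_unix.so"),
    ("sufficient", "pam_ldap.so"),
    ("required",   "pam_deny.so"),
]
ACCOUNT_STACK = [
    ("required", "pam_unix.so"),
    ("[default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore]",
     "pam_ldap.so"),
]


def auth_outcome(unix, ldap):
    """unix / ldap: what pam_unix and pam_ldap return for this password."""
    return run_stack(AUTH_STACK, {"pam_env.so": "success", "pam_unix.so": unix,
                                  "pam_ldap.so": ldap, "pam_deny.so": "auth_err"})


def account_outcome(unix, ldap):
    return run_stack(ACCOUNT_STACK, {"pam_unix.so": unix, "pam_ldap.so": ldap})


if __name__ == "__main__":
    print("local user, good password:  ", auth_outcome("success", "user_unknown"))
    print("Domino user, good password: ", auth_outcome("auth_err", "success"))
    print("unknown user:               ", auth_outcome("user_unknown", "user_unknown"))
    print("same, pam_deny line removed:", run_stack(AUTH_STACK[:-1], {"pam_env.so": "success"}))
    print("account, Domino server down:", account_outcome("success", "service_err"))
```

The account stack's user_unknown=ignore and service_err=ignore mean a local-only user, or a Domino server that is unreachable, does not block logins at the account stage; authentication itself still needs a password that pam_unix or pam_ldap accepts.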

Woops I locked myself out
Oh dear.
You seem to be in a certain amount of bother: you can't log in as yourself, you can't log in as root, and you don't have any root sessions open. A quite unfortunate state of affairs, but don't worry, there is a way out (although your uptime will suffer!). Kick off any users on the system (but there won't be any, because you aren't doing this on a production machine, are you??), then shut it down with ctrl+alt+del or from the X login screen. Now bring up the system in single user mode: from LILO type Linux 1, from Grub ...
Hopefully you are now at a # prompt, so you are root. Edit /etc/nsswitch.conf and remove ldap from pretty much every line it appears on. Restart your system again and you should be able to log in. Now open several root sessions, leave them open this time, and resume the process.