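# ===== rhel5 ldap authentication/authorization client, nscd =====
#
# Configures a RHEL5 host as an LDAP client (NSS + PAM) that talks to the
# directory over StartTLS, and enables nscd for caching lookups.
# Run as root.

# Copy the CA certificate from the directory server. This file becomes the
# trust anchor for every later TLS connection to the directory, so its
# integrity rests on the SSH host key check done by scp. Comparing the
# fingerprint with a value obtained out of band is a cheap extra check:
#   openssl x509 -noout -fingerprint -in /etc/openldap/cacerts/cacert.pem
scp 192.168.4.12:/etc/openldap/cacerts/cacert.pem /etc/openldap/cacerts

# NOTE(review): this hosts entry names rhel6b.site, while --ldapserver and
# the uri below use rhel5u6b.site. With start_tls the name the client
# connects to has to match the server certificate; confirm which name is
# intended.
# Append only when the exact line is missing, so a re-run adds no duplicates.
hosts_line='192.168.4.12 rhel6b.site rhel6b'
grep -qxF -- "$hosts_line" /etc/hosts || echo "$hosts_line" >>/etc/hosts

cacert_line='TLS_CACERT /etc/openldap/cacerts/cacert.pem'
grep -qxF -- "$cacert_line" /etc/openldap/ldap.conf ||
  echo "$cacert_line" >>/etc/openldap/ldap.conf

yum install nscd openldap-clients

# Create the hash links that OpenSSL uses to find a CA in tls_cacertdir.
# The lookup name is <subject-hash>.0; a link without the numeric suffix is
# never consulted. Existing links and non-certificate files are skipped so
# the loop can be run again safely.
cd /etc/openldap/cacerts &&
  for cert in *; do
    if [ ! -f "$cert" ] || [ -L "$cert" ]; then
      continue
    fi
    cert_hash=$(openssl x509 -noout -hash -in "$cert") || continue
    if [ ! -e "${cert_hash}.0" ] && [ ! -L "${cert_hash}.0" ]; then
      ln -s -- "$cert" "${cert_hash}.0"
    fi
  done

authconfig --enableldap --enableldapauth --ldapserver=rhel5u6b.site \
  --ldapbasedn="dc=fluxcoil,dc=net" \
  --enableldaptls --enablelocauthorize --enablemkhomedir --updateall

getent passwd # shows ldap users

service nscd restart
chkconfig nscd on

# example /etc/ldap.conf:
#
#   base dc=fluxcoil,dc=net
#   timelimit 120
#   bind_timelimit 120
#   idle_timelimit 3600
#   nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
#   uri ldap://rhel5u6b.site/
#   ssl start_tls
#   tls_cacertdir /etc/openldap/cacerts
#   pam_password md5
#
# NOTE(review): start_tls only protects the bind if the server certificate
# is actually verified. Check that verification is enforced on this client
# (tls_checkpeer yes here, or TLS_REQCERT demand in /etc/openldap/ldap.conf);
# the default depends on the installed library versions.
# NOTE(review): "pam_password md5" makes pam_ldap hash a changed password
# locally as MD5 crypt. "pam_password exop" hands the change to the server's
# password-modify operation instead, so the server's hashing policy applies;
# confirm the server supports it before switching.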