[OpenAFS] LDAP-AFS interaction (best practice?)

Stephen Joyce stephen@physics.unc.edu
Sun, 19 Apr 2009 22:34:52 -0400 (EDT)


My department is rather small (under 500 users), and until now we've gotten 
by without a real directory service. We currently use cfengine and custom 
scripts to manage /etc/passwd by sourcing a central file and checking AFS 
PTS group memberships to build the local file hourly.

For a number of reasons (among them better/easier MacOS and mobile Linux 
client support), I've been planning an LDAP (openldap) directory service.

I've been reading _LDAP System Administration_ (O'Reilly) and _Distributed 
Services with OpenAFS_ (Springer), which I won't review here. :-) If there 
are other recommended "must reads", please let me know.

I've noticed that the OpenAFS roadmap, 
<http://www.openafs.org/roadmap.html> has a section of LDAP integration, 
and it mentions a couple of past projects, but has no definite advice.

What's the current best practice for using LDAP in an OpenAFS environment? 
I primarily want to leverage LDAP for directory info for managed 
workstations, for our web directory, and either continue using AFS PTS 
groups (or LDAP groups) for workstation authorization for restricted-access 
workstations.

Does anyone have advice for things to look out for as I proceed? I want to 
avoid shooting myself in the foot, if possible--especially respecting any 
LDAP/PTS interaction in future versions of OpenAFS.

Cheers, Stephen
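As an added illustration of the scheme the post describes (a local passwd file generated from a central account file, filtered by AFS PTS group membership), here is a small script that is not the author's cfengine setup or any OpenAFS tool. It assumes the central file uses the seven passwd fields, and it parses the text that `pts membership <group>` prints; both inputs are constructed inline so it runs offline, and the group name, accounts and paths are hypothetical.

```python
"""Generate passwd entries for a restricted-access workstation: keep only the
accounts from a central file that are members of an authorizing PTS group.

Added example, not the poster's scripts. Inputs are constructed stand-ins.
"""

# Constructed stand-in for the department's central account file.
CENTRAL_PASSWD = """\
alice:x:1001:1001:Alice Example:/afs/example.edu/home/alice:/bin/bash
bob:x:1002:1002:Bob Example:/afs/example.edu/home/bob:/bin/bash
carol:x:1003:1003:Carol Example:/afs/example.edu/home/carol:/bin/bash
# comment lines and malformed lines must not reach the generated file
broken-line-without-fields
"""

# Constructed stand-in for the output of `pts membership lab-workstations`
# (hypothetical group name and PTS id).
PTS_MEMBERSHIP_OUTPUT = """\
Members of lab-workstations (id: -204) are:
  alice
  carol
"""


def parse_pts_membership(output):
    """Return the set of user names listed by `pts membership`.

    The first line is a header ("Members of ... are:"); every following
    non-empty line is one member name, indented by two spaces.
    """
    members = set()
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("Members of"):
            continue
        members.add(line)
    return members


def parse_passwd(text):
    """Parse passwd-format text into lists of seven fields.

    Comment lines and lines without exactly seven colon-separated fields are
    dropped so they can never produce a half-formed local account.
    """
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        entries.append(fields)
    return entries


def build_local_passwd(central_text, pts_output):
    """Return the passwd text for accounts authorized by the PTS group.

    Refuses to proceed when the membership list is empty: on a workstation
    that rebuilds hourly, an empty list usually means the pts query failed,
    and silently emitting no accounts would lock everyone out until the
    next run.
    """
    members = parse_pts_membership(pts_output)
    if not members:
        raise ValueError("PTS membership list is empty; keeping previous passwd")
    kept = [fields for fields in parse_passwd(central_text) if fields[0] in members]
    return "".join(":".join(fields) + "\n" for fields in kept)


if __name__ == "__main__":
    print(build_local_passwd(CENTRAL_PASSWD, PTS_MEMBERSHIP_OUTPUT), end="")
```

In a real hourly job the PTS text would come from running `pts membership` on the group and the result would be written to a temporary file and renamed over the target only after the empty-membership check passes; the authorization decision itself is exactly the set intersection shown.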