Quite some time ago I've started migrating my mail server and XMPP server set-up towards a new VPS where LDAP was to be the focal point. The idea was to have Postfix, Dovecot, ejabberd, and Roundcube utilise the same LDAP DIT for authentication and authorization purposes.
In addition to that I was planning on reinstalling my former web server VPS so I could have a fresh Debian Squeeze installation.
The first thing I had to lay-out was the LDAP tree structure. I've settled for a relatively simple layout, having a separate tree for the people and services. Each service gets its own subtree so that it can store all of its related data there (if possible). The people tree provides part of data to services (like valid mails, or jabber addresses), and allows users to have their own address book. The people tree also provides unified login credentials.
For the mail part I've deployed Postfix + Dovecot, and a simple ClamAV milter replacing the amavisd-new (just didn't feel like setting it up). Postfix uses its own services sub-tree for storing information about domains it serves, as well as aliases. The people tree is used for figuring out valid mail accounts which should be accepted (provided that the domain is also in the list of supported ones). The authentication is taken care of using the Dovecot IMAP server. Dovect on the other hand authenticates the users through the LDAP, using a simple static user database (since Postfix carries out the verification of incoming mails anyway).
The same machine also sports a webmail client - Roundcube. Roundcube is set-up to provide address books stored in the LDAP tree (each person gets their own private address book). The first version of client I attempted using had a small problem where it couldn't figure out the particular user without using anonymous bind (which was really not so nice security-wise). I'm not much of a PHP programmer, but first I tried fixing this issue myself, and actually had a working patch at some point. But, as it turns out, by the time I got back to setting-up the server, new version of Roundcube was out, and someone beat me to it (which is good, I guess, better for someone experienced to do it). With this out of the way, it was relatively easy to have Roundcube use LDAP instead of database for storing contact information. There are still some quirks, though. For one thing, the vCard import function doesn't seem to get along with the LDAP-backed address book. I can export, but not import (or at least not the most important information - mail). The second problem is that it seems to be a bit touchy on what it can store in the LDAP database, so sometimes adding contact will fail if you provide extra data (I think I'll probably solve this by removing some field from the configuration, but I need to check upon this). The problem I had was some kind of "district" field. As for the rest of it, it works ok, although the auto-complete e-mail address feature when composing a mail feels a bit slow (but I don't think that the SQL address book was much faster, to be honest).
For the XMPP I've decided to stick to the Erlang-based ejabberd. This piece of software proved to work quite decently with very small memory footprint. Erlang, for the good or bad, doesn't store most of its data in the LDAP tree, though. I've let it use its own Mnesia database. The LDAP integration went well, except that I wasn't able to use STARTTLS for the LDAP, and had to settle for the plain LDAPS instead. A small problem I had was when I was dumping and restoring the ejabberd database, but a few quick searches on Google (sic) have found the answer to that one. To cut the story short - something changed in the ejabberd database layout, so new server wouldn't import one of the extra tables.
Oh, and as a final comment - I decided to the OpenLDAP's slapd LDAP server. I've set it up on several occasions already, and got myself rather familiarised with it. I've went for as strict control as possible with it as well.
The one thing I haven't actually played yet much with is syncing contacts on the various mail apps I use through the LDAP server. I've managed to get Claws Mail connected to the LDAP server, and I can add accounts and all, but I'm not satisfied with the layout the Claws Mail is using when creating DN's (it insists on having it like email=blah,blah,blah, while I want to use cn=Name Lastname,blah,blah). It might be time to look at the Claws Mail code and see how hard it'd be to make a change and submit a patch upstream, but we'll see about that (got a huge backlog already).
All in all, I'm very satisfied with what I've done so far with the LDAP. I've also just finished the migration/redeployment of my web server, but I'll cover that at some later point (since I've went with somewhat unusual set-up there, and it might be interesting to others as well).
Copyright (C) 2012 Branko Majic. Verbatim copying and distribution of this entire article are permitted worldwide, without royalty, in any medium, provided this notice is preserved. Code snippets found throughout the articles are licensed under GPLv3 or later.