At the moment, I'm pretty peeved at the designs of nss_ldap and pam_ldap,
which both execute in-process. This, even when they might need access to
sensitive credential information to authenticate to a directory server to, you
know, work. And when that's not allowed, you're just screwed.

Aaargh.

It's all but enough to make me dig up splatbind and go to work on
finishing it. Sure, I'd have to add a "password check" query, and it needs an
offline (cold) cache for disconnected operation, and the config file setup
is crap, and the implementation is slightly too complicated to be trivially
maintainable, but [incoherent gnashing of teeth].