Everything posted by Kreyszig

  1. At least for the OSes which use pam_ldap you shouldn't need read-access to the userPassword attribute to authenticate, as the authentication is done through the LDAP bind operation, where validating the dn/password combination is done at the LDAP server and not the client. Regardless, I'd suggest talking to the guys that manage the LDAP directory about what you want to do. You're probably also going to want user account information (equivalent of what you'll find in /etc/{passwd,shadow,group}). We've used the posixAccount, posixGroup and shadowAccount object-classes for this (and hopefully this is available, or at least something similar), to which you're going to need read-access in some way (anonymous, or through some administrative/machine account). As for things regarding Linux (and most likely other Unixes) and LDAP to look up on Google and manpages: pam, pam_ldap, nss and nss_ldap.
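
One way the directory side can enforce what the post describes, as an added example that is not part of the original post: slapd.conf-style access rules, assuming the directory is an OpenLDAP server. The base DN `dc=example,dc=org` and the machine account `cn=nss-reader` are constructed placeholders.

```conf
# Added example, assuming OpenLDAP (slapd.conf syntax).
# All DNs below are constructed placeholders, not values from the post.

# Weak: one catch-all rule. Any client, including an anonymous one,
# can read every attribute, userPassword hashes included.
#
#   access to *
#       by * read

# Corrected: rules are evaluated top to bottom and the first matching
# "access to" clause decides.

# 1. userPassword may be used by the server to validate a bind ("auth")
#    and changed by its owner, but nobody can read the stored hash back.
#    This is all pam_ldap needs, since it authenticates by binding as
#    the user rather than comparing hashes on the client.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# 2. Account data (posixAccount, posixGroup, shadowAccount entries) is
#    readable by the machine account that nss_ldap/pam_ldap bind with,
#    and by each user for their own entry. Everyone else only gets the
#    "auth" level on the entry, which a bind requires, and cannot
#    search or read it.
access to dn.subtree="dc=example,dc=org"
    by dn.exact="cn=nss-reader,ou=services,dc=example,dc=org" read
    by self read
    by * auth
```

If the directory allows anonymous lookups instead of a machine account, the last `by * auth` line becomes `by * read` and rule 1 still keeps the password hashes unreadable.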