I can think of two basic approaches:

1) Individually make each app refer to LDAP for authentication. For instance, it's pretty trivial to make Postfix/Dovecot do this (or hashes, or SQL, or anything really). Hooking up Apache and Ejabberd is pretty straightforward as well. Whether this works for you will depend on what you're running, obviously.

2) Make each app refer to PAM for authentication, and tie PAM into LDAP. If going this route you'd need to exclude SSH somehow. It might be easiest to go ahead and let SSH consult the LDAP tree, but then restrict SSH logins to a group, and only put your local users in that group. Making PAM refer to LDAP is well documented, but making your apps all talk to PAM will again vary by application.

Other than that rather generic answer, specifics would depend on your use case's definition of "everything" (i.e. what software you're running).
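For the second approach, the SSH restriction only holds while the allowed group really contains nothing but local accounts. The following audit is an added example, not part of the original answer: it reads the `AllowGroups` directive from an sshd_config and reports group members that have no entry in the local passwd file. The group name `sshlocal`, the users and all file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer). All sample data is constructed.

# Print the groups named by AllowGroups in the global part of an sshd_config
# (stops at the first Match block; assumes the whitespace-separated form).
allowed_groups() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Print members of GROUP (from a "getent group"-style dump) that have no entry
# in the local passwd file, i.e. accounts that can only come from LDAP.
# Limitation: users who hold GROUP only as their primary GID are not listed.
nonlocal_members() {  # usage: nonlocal_members GROUP GROUP_DUMP LOCAL_PASSWD
    awk -F: -v g="$1" '$1 == g { n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$2" |
    while IFS= read -r user; do
        awk -F: -v u="$user" '$1 == u { f = 1 } END { exit !f }' "$3" ||
            printf '%s\n' "$user"
    done
}

# Constructed sample: alice and bob are local, carol exists only in LDAP.
make_sample() {  # usage: make_sample DIR
    printf '%s\n' '# constructed sshd_config' 'UsePAM yes' \
        'AllowGroups sshlocal' > "$1/sshd_config"
    printf '%s\n' 'root:x:0:0::/root:/bin/sh' \
        'alice:x:1000:1000::/home/alice:/bin/sh' \
        'bob:x:1001:1001::/home/bob:/bin/sh' > "$1/passwd"
    printf '%s\n' 'mail:x:8:carol' 'sshlocal:x:2000:alice,carol,bob' > "$1/group"
}

# Print "group:user" for every non-local member of every allowed group.
audit() {  # usage: audit DIR
    allowed_groups "$1/sshd_config" | while IFS= read -r grp; do
        nonlocal_members "$grp" "$1/group" "$1/passwd" |
            awk -v p="$grp" '{ print p ":" $0 }'
    done
}

tmp=$(mktemp -d) && make_sample "$tmp" && audit "$tmp"
rm -rf "$tmp"
```

On a live host, feed it `getent group` output for the group dump and `/etc/passwd` for the local file; an empty result means every listed member is a local account.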