Copying over from Facebook

My advice would be to avoid LDAP in your case; slaves not being able to synchronize with a master can be a right pain in the arse. Should DNS break down and your boxes be unable to resolve their 'local' LDAP server, logins are going to be totally stuffed.

(Addition: So yes, machines which don't have 24x7 internet access are probably a bad idea to LDAP!)

There are 5-6 little things which make life hell with LDAP, so unless you've got a *big* infrastructure and want 'Single Sign On' across a whole bunch of stuff (i.e. Apache can use LDAP to authenticate, as can PHP applications), I'd go with #1 :) Save your sanity.

As an aside, if you wish to maintain logins across multiple boxes and be able to 'easily' remove staff, take a peek at either Puppet (recommended) or CFengine (bit of an arse)... Maintain a master list of staff (inc. hashes) on one of your boxes; every $period something like Puppet can check /etc/passwd, /etc/group and /etc/shadow on all your boxes. It can add staff who should be there and remove staff who should no longer have access. :) It just needs to tweak (add/remove/edit) the one line for each user.

Beware: do not just distribute /etc/passwd and /etc/shadow files; different distributions require different users/groups for services with specific UIDs/GIDs, and this sometimes even changes between versions of ;) I found this one out the hard way and it wasn't at all pretty!
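As an added illustration (not part of the commenter's post), here is a Puppet manifest that does what the comment describes: it keeps a master staff list in sync on every node by managing only the named accounts, adding current staff and removing departed ones, and leaves the distribution's own system users untouched. The staff names, UIDs, group and password hashes are constructed placeholders.

```puppet
# Added example, not from the original comment: manage staff accounts
# one resource at a time instead of shipping whole /etc/passwd and
# /etc/shadow files, so distribution-specific service accounts with
# their own UIDs/GIDs are never clobbered.

# Constructed placeholder staff list; hashes would come from your
# master list (crypt(3) format, e.g. $6$ SHA-512 entries).
$staff = {
  'alice' => { 'uid' => 2001, 'hash' => '$6$PLACEHOLDER_SALT$PLACEHOLDER_HASH', 'groups' => ['wheel'] },
  'bob'   => { 'uid' => 2002, 'hash' => '$6$PLACEHOLDER_SALT$PLACEHOLDER_HASH', 'groups' => [] },
}

# Former staff: declared absent so every node removes them on the next run.
$departed = ['carol']

# A dedicated primary group in a range well above system GIDs.
group { 'staff':
  ensure => present,
  gid    => 2000,
}

# Current staff: fixed UIDs keep file ownership consistent across boxes.
$staff.each |String $name, Hash $attrs| {
  user { $name:
    ensure     => present,
    uid        => $attrs['uid'],
    gid        => 'staff',
    groups     => $attrs['groups'],
    password   => $attrs['hash'],
    shell      => '/bin/bash',
    managehome => true,
    require    => Group['staff'],
  }
}

# Departed staff: account removed; managehome also removes the home dir.
$departed.each |String $name| {
  user { $name:
    ensure     => absent,
    managehome => true,
  }
}
```

Anything not listed in either hash is simply not managed, which is what keeps the distribution's service accounts safe.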
