Move from LDAP auth to Kerberos
Then we can do proper shit like NFSv4 user privs and stuff.
There is a redhat way of using SSSD to convert people userPassword entries to kerberos passwords, it sits on clients (silver, desktops etc...), tries kerberos, if there isn't a kerberos password, it'll auth against LDAP, then use that password to generate kerberos passwords and update LDAP to point to kerberos.