[Dovecot] you got chocolate in my peanut butter?!

[Rich West]

If all of your users reside in LDAP, it would be safest to bypass 
nss_ldap and pam_ldap all together and have dovecot talk directly to the 
LDAP database.

We've had nothing but success since we made the change on our end.  Not 
only did it eliminate the problems that we were seeing, it also makes 
the authentication path a bit more efficient (why have a 'monkey in the 
middle' when you can talk right to LDAP?).

IMHO, I've always seen pam_ldap/nss_ldap as a band-aid type of hack.. :)

-Rich