I struggled, fought, watched slapd spew log information, enabled debugging in libnss-ldap, and then finally discovered why it didn't work for users.
the file /etc/libnss-ldap.conf needs to be world readable for apps being run by the user to figure out what ldap server they should talk to. I felt victorious and then removed my identity from the password file.
Which promptly failed, after putting my IDs back in the password file I worked for another day, finally discovering that when I'd reinstalled libnss-ldap it changed the root bind name so which meant that all of the services running as root couldn't connect to the ldap server. Meaning no logins.
But I resolved both problems--after several days of trying.
At least I learned quite a bit about ldap in the process.
As soon as I figure out how to create certificates I can try SSL enabled ldap which can replace NIS.
Though AFS looks to be an interesting replacement for NFS and would require setting up kerberos as well.