WebAuth and LDAP


WebAuth really only requires that you use a Kerberos infrastructure for all of the web servers involved. It doesn't actually require that the user accounts be in Kerberos. That's the default, and the way verification is done by the WebKDC module, but the WebLogin front-end can also choose to do account verification itself and tell the WebKDC to trust it.

There is currently code in there to do this for the REMOTE_USER case but nothing specifically to do an LDAP modification. However, it should be a relatively straightforward modification to login.fcgi, and I'd certainly take a patch that made it a hook.

WebAuth still may not quite be what you want, but I wanted to throw the option out there.

Another thing you could look at is Shibboleth, which does the whole web single sign-on thing without assuming any particular authentication system. (You have to protect a URL on the IdP with the authentication system of your choice.) The SP is packaged for Debian but the IdP isn't, and the configuration syntax and the documentation are fairly horrible, but it works and has a lot of fancy features.

Posted: 2008-07-08 16:13

Last modified and spun 2014-08-09