Hello Oliver;
> I may be wrong, but I think that LDAP alone will just work as a storage backend for the users and their passwords, but it won't provide single-sign-on. As a result, one would still have to login to every haiku site.
You are quite right; LDAP alone won't provide single-sign-on. The suggestion now is to break this into two chunks of work. First, deploy HDS writing to and authenticating against LDAP directly, without OpenID. The second phase would then involve introducing OpenID (e.g. Richard's suggestion of Crowd, or another server) backed by the same LDAP server and authenticating for HDS.
> And of course openLDAP doesn't have a decent interface, so the administrative management of the users would require another tool. If someone can recommend a decent LDAP frontend, please share ...
I downloaded this [1] and it has an SWT administration console called "Apache Directory Studio", but I haven't actually had the time to try it out just yet.
> P.S.: I believe migrating authentication data to LDAP should be quite simple (using a Perl or Python script), provided that the password storage format is compatible. Andrew: which format is used for storing the passwords in the haikudepotserver DB?
Yes, I can imagine that we could make an LDIF of the current data, but since there are few people involved (~20), they could be asked to change their password and allow that to trickle through to the LDAP server.
The passwords are stored in the HDS database as SHA1 hashes of a stored salt + password.
[1] http://directory.apache.org/

cheers.

-- 
Andrew Lindesay
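The migration Oliver asks about hinges on the phrase "provided that the password storage format is compatible", and with the format Andrew describes it is not: OpenLDAP's {SSHA} scheme stores base64(SHA1(password || salt) || salt), whereas HDS stores SHA1(salt || password). The operand order differs, so an existing HDS digest cannot be relabelled as an {SSHA} value; each user has to present the password once, which is what Andrew's "ask them to change their password" plan amounts to. The following Python is an added example for this thread, not code from HaikuDepotServer or from either correspondent. The HDS row layout (a separate salt column, hex-encoded digest), the sample user, the base DN `dc=example,dc=org` and the use of `inetOrgPerson` are assumptions made for the illustration; the only fact taken from the thread is "SHA1 of a stored salt + password".

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional


def hds_hash(salt: bytes, password: str) -> str:
    """HDS-style digest as described in the thread: SHA1(salt || password).
    Hex encoding of the digest is an assumption for this example."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def hds_verify(user: dict, password: str) -> bool:
    """Constant-time comparison against the stored HDS digest."""
    return hmac.compare_digest(hds_hash(user["salt"], password), user["sha1_hex"])


def ssha_encode(password: str, salt: Optional[bytes] = None) -> str:
    """OpenLDAP {SSHA}: base64(SHA1(password || salt) || salt). Note the order."""
    if salt is None:
        salt = secrets.token_bytes(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """What slapd does on bind: split the blob into 20-byte digest + salt, recompute."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def relabel_hds_as_ssha(user: dict) -> str:
    """The tempting shortcut for a migration script: wrap the existing HDS
    digest and salt in an {SSHA} blob without ever seeing the password.
    It produces a syntactically valid value that no bind will ever match."""
    digest = bytes.fromhex(user["sha1_hex"])
    return "{SSHA}" + base64.b64encode(digest + user["salt"]).decode("ascii")


def ldif_entry(user: dict, base_dn: str, userpassword: str) -> str:
    """One inetOrgPerson entry. Values here are plain ASCII; LDIF requires
    base64 ('attr:: ...') for values with leading spaces or non-ASCII bytes."""
    uid = user["nickname"]
    lines = [
        f"dn: uid={uid},ou=people,{base_dn}",
        "objectClass: inetOrgPerson",
        f"uid: {uid}",
        f"cn: {uid}",
        f"sn: {uid}",
        f"mail: {user['email']}",
        f"userPassword: {userpassword}",
    ]
    return "\n".join(lines) + "\n"


def migrate_user(user: dict, password: str, base_dn: str,
                 salt: Optional[bytes] = None) -> Optional[str]:
    """Emit an LDIF entry only once the user has supplied a password that
    verifies against the HDS record; refuse (None) otherwise."""
    if not hds_verify(user, password):
        return None
    return ldif_entry(user, base_dn, ssha_encode(password, salt))


# Constructed sample user (not real HDS data); password is "correct horse".
SAMPLE_SALT = b"9f3c1a7e"
SAMPLE_HDS_USERS = [
    {
        "nickname": "oliver",
        "email": "oliver@example.org",
        "salt": SAMPLE_SALT,
        "sha1_hex": hds_hash(SAMPLE_SALT, "correct horse"),
    },
]


if __name__ == "__main__":
    user = SAMPLE_HDS_USERS[0]
    print("relabelled digest verifies?",
          ssha_verify(relabel_hds_as_ssha(user), "correct horse"))
    print(migrate_user(user, "correct horse", "dc=example,dc=org"))
```

Running the script shows the relabelled value failing to verify while `migrate_user` produces a usable entry for `ldapadd`. {SSHA} is used here only because it is the SHA1-based scheme that matches what HDS stores; a fast unsalted-or-salted SHA1 gives little protection against offline guessing, so where the LDAP server supports a slower scheme that should be preferred when passwords are re-set anyway.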