I apologize for being so long in responding to this, I had asked the
original question in February and a couple of replies indicated that
they were unsure what I wanted. I believe that the following features
are critical on the client side:
Ability of the user to supply their context. I realize that this goes
beyond pam_ldap. Specifically, it will require that both graphical and
be able to accept a user name and context
pass it on to the 'authenticator' and deal with error conditions
(bad context, etc.)
Both NDS and AD have this ability. The NDS implementation is better
technically but surfaces the problem that users don't understand
context. AD accommodates the legacy NetBIOS domain thinking which is a
mistake in that it perpetuates flat rather than hierarchical thinking.
Their "email address" thinking might be better.
The second enhancement would be to provide a way to have password
encryption without having to go to a full cryptographic implementation.
The overhead is just a little too much.
If this raises more questions than answers I would be glad to correspond
with any one who is interested (and will do so in a little more timely