LDAP seems like a suitable choice for the first two; there is someone else who is worrying about provenance and auditing - all I have to do is make sure the hooks are in place.
My struggle with LDAP and Catalyst was metaphorically like the building of the Channel Tunnel: working from two foreign lands and meeting in the middle. The benefit of this process is that I have a much better understanding of LDAP, and ultimately, the system works.
LDAP is powerful and it is not obvious that this is the right tool for this deployment.
- It is mature, stable and well documented.
- It is scalable and can be integrated into existing infrastructure.
- Many tools support it.
- It is complicated to administer.
The mature, stable and widely deployed nature of LDAP means that the administration can be centralised.