Background: I have a collection of Linux-based servers (let's say a few dozen) that are hosted in different locations. Some servers are lone satellites while others are hosted together in the same data centers. Some are physical hardware servers, and others are virtual private servers. The servers provide services like email, web application hosting, databases, and the server-side parts of some custom applications. The servers themselves already have tools for managing the hardware, and the operating system-level management (administrator accounts, virtual server management, etc.) is also taken care of.

Problem: So far, authentication to different services on the application level has used a number of solutions. Sometimes, this has meant that account passwords have had to be stored in multiple locations. A better solution would be to have a single source authentication system with centralised management that would allow each service to authenticate a user from a single instance of their account, and would allow operating on a single data item instead of figuring out which locations need to be updated when creating, changing, and removing an account. The credential data could be replicated to provide redundancy. (Note that the goal here is different than single sign-on: you have to authenticate separately to each application, but your credentials are stored in a single location. See this question.)

Several previous questions suggest LDAP, and also talk about Kerberos. This question asks about LDAP security and asks for a comparison between LDAP and Kerberos. Kerberos is nice but the single sign-on capability is not needed in this case, so setting up Kerberos may be overkill and cause unneccessary administrative burden. This question extends the scope to include network devices, and the focus is more on the OS level than the application level. In my case, it's just the application level authentication that is needed. This also means there is a larger variety in the kinds of authentication protocols that have to be supported; PAM is not enough. This question asks for alternatives to LDAP, but the answers point to LDAP, anyway, for good reasons. NIS is another proposed solution, but it's really not suitable in this case because it just solves the distribution of password (and other) information, not the storage, management, and authentication methods. Finally, this question seems quite similar, but the focus is really on VPN authentication. (There is also a similar question here, but was not precise enough to fit ServerFault.)

LDAP is one of the authentication sources I currently use. However, not all applications can use LDAP. Some need an HTTP-based interface, while others work best with an SQL interface. For example, there is a need to run an OpenID provider, and some of the custom software I need to run for users can only be configured to authenticate via ODBC.

Another suggestion is FreeIPA http://freeipa.org/, but it also has the extra burden of Kerberos and looks more like a solution for the OS level. It's been in development for some time, but I'm not entirely convinced it's mature enough, and it may also have too much unneceassary features while still not providing the ones I really need.

I would like to separate the storage of authentication data (user names and passwords) from the authentication service. I would use a single, well-defined, and secure location for storing the data, and several authentication services that use the storing location to provide authentication using a variety of protocols/interfaces. At least an LDAP and an SQL interface are needed, and an OpenID provider is also high up on the list. I think LDAP is a good candidate for the storage, but I'm open to other options as well. Preferably, they should be Free/Open Source Software.

Question: What software should I choose for storing authentication credentials, and how do I provide the different interfaces for authenticating against those credentials?

What recommendations do you have?