Having serious doubts about the LDAP direction. Doing some research/play with OpenID, I found this guy who built Drupal module support for it:
http://jirwin.net/openid-5-2.tar.gz - it is not yet ready for Drupal 5.
Duh - I finally found it. It's not listed among the modules for some reason:
http://drupal.org/project/openid
UPDATE system SET status = 0 WHERE name = '[module name]';
.NET
http://cs.nerdbank.net/blogs/jmpinline/archive/2007/01/09/Getting-OpenID-user-profile-information-using-JanRain_2700_s-.NET-assembly.aspx
http://lists.openidenabled.com/mailman/listinfo/dev
What I like about OpenID (if I can actually get it working) is that it separates and solves a single very important problem and answers a primary question - who is this user? Knowing that, and not having to maintain separate user accounts and passwords and password retrievers, resetters, etc. etc., is a big deal. Getting a unique ID from every user is a big deal. It's also a big deal to force someone to go create a secondary OpenID, which they won't likely do, but they would create a second ID on our system.
What OpenID will not do for us is groups. We will need some process/mechanism to tell each Drupal site or .NET service what group someone is in, and therefore what access rights they have.
Also, OpenID seems like a good thing to put in the Exchange contacts web address field - urn:schemas:contacts:businesshomepage - in order to CRU contact information in a self-service manner using WebDAV for Exchange.