We use LDAP to maintain user accounts and groups. We wrote a whole set of in-house apps to allow us to reset passwords, edit groups, etc. through simple web interfaces.
When I first started setting up LDAP, one of the techknowledgy (hehe) wanna-bes told me to be careful what I did, because if you make some changes in LDAP you can't back them out.
I started using OpenLDAP, and found I could do just about anything with it once I figured out how to build LDIF files (LDIF is LDAP data import files) to feed it. I could make any changes I wanted and remove them at my will. I thought the guy was crazy.
Then my boss told me to try out Netscape iPlanet Directory Server from Sun. THEN I understood what the guy was talking about before. What utter crap. Add an object class to a user account, and you can never remove it. You have to dump the whole thing, hand edit it, and reimport it to make those kinds of changes in most of the LDAP servers out there.
By taking our time and learning OpenLDAP we've been blessed with deep understanding of LDAP, a VERY stable server capable of handling quite a bit of load, and a set of simple editing tools that keep people from getting a case of the stupids.
Take a look at www.openldap.org when you get a chance. It's quite a nice way to handle authentication. You can also put lots more in it than just user accounts: you can run the equivalent of Sun's NIS through it, and other neato things. But ours just keeps a whole lotta servers happy and logging in.