Well, OpenLDAP + pam_ldap is not single sign-on: if you SSH into host A and, from host A, you SSH again to host B, you will get prompted for a user name and password.

Oh, I see. With Kerberos authenticate once, and all systems recognize you. I interpreted "single sign on" as "single password for all services", using a probably old early-90 IBM definition (we were trying to do that "single password signon" with OS/2 back then :-) Indeed, it's a really nice thing to have.

That would take a lot of time, but I will try to resume it. ... ... administration (well, nearly since passwords must be set using Kerberos, but there are ways to integrate password changes with Kerberos V).

Really interesting and helpful! Many thanks! I'll try if I can get started, and if I'm able to reach the end I'll try to put somewhere a little Howto :-) Ciao, Roberto!