This is still a draft; it might even get discarded when restoring the wiki.
All user accounts are kept in an LDAP directory; this allows them to be shared across all servers. The directory is currently hosted on OpenLDAP and mirrored across three servers using syncrepl; writes to any peer are instantly propagated to all others. Kerberos is used for secure authentication and removes the need to completely trust all servers with your password, as opposed to pure LDAP. (The LDAP directory also stores Kerberos realm data, which makes kprop unnecessary.)
Most information in the LDAP directory is accessible either anonymously or to all logged-in users, so you can browse it using ldapsearch, Apache Directory Studio, and various other tools.
For users, Kerberos (aka SASL GSSAPI or GS2-KRB5) is the preferred authentication method when accessing the directory manually, but TLS certificates (SASL EXTERNAL) or plain-text passwords (SASL PLAIN) are also available. To use EXTERNAL, you'll need to obtain a certificate with subject CN=You,OU=People,O=Cluenet from Cluenet's CA. To use PLAIN, specify your Kerberos principal as the auth ID; e.g. ldapwhoami -U You@CLUENET.ORG.
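As an added example (not part of the original page or Cluenet's own tooling), these shell functions pick a SASL mechanism in the order of preference described above and print the matching ldapwhoami command. The ldap://ldap.cluenet.org URI and the certificate and key paths are assumptions; -ZZ is added for EXTERNAL and PLAIN so that the client certificate and the password are only used over StartTLS.

```shell
#!/bin/sh
# Added example: choose a SASL mechanism for the directory and print the
# ldapwhoami command for it. URI and file paths below are assumptions.
LDAP_URI="${LDAP_URI:-ldap://ldap.cluenet.org}"      # assumed directory URI
CERT="${CERT:-$HOME/.config/cluenet/cert.pem}"       # hypothetical path
KEY="${KEY:-$HOME/.config/cluenet/key.pem}"          # hypothetical path

# Print the mechanism to use:
#   GSSAPI   if klist reports a valid Kerberos ticket,
#   EXTERNAL if a client certificate and key are readable,
#   PLAIN    otherwise (password sent to the server, so TLS is required).
pick_mech() {
    if command -v klist >/dev/null 2>&1 && klist -s 2>/dev/null; then
        echo GSSAPI
    elif [ -r "$CERT" ] && [ -r "$KEY" ]; then
        echo EXTERNAL
    else
        echo PLAIN
    fi
}

# Print the ldapwhoami command line for a mechanism ($1) and principal ($2).
# The principal is only used for PLAIN, where it is the SASL auth ID.
whoami_cmd() {
    mech=$1
    princ=$2
    case $mech in
        GSSAPI)
            # Uses the ticket from the credential cache; no password involved.
            echo "ldapwhoami -H $LDAP_URI -Y GSSAPI" ;;
        EXTERNAL)
            # -ZZ makes StartTLS mandatory; the TLS client certificate is the identity.
            echo "LDAPTLS_CERT=$CERT LDAPTLS_KEY=$KEY ldapwhoami -H $LDAP_URI -ZZ -Y EXTERNAL" ;;
        PLAIN)
            # -ZZ aborts the bind if StartTLS fails, so the password is never sent in clear.
            echo "ldapwhoami -H $LDAP_URI -ZZ -Y PLAIN -U $princ" ;;
        *)
            echo "unknown mechanism: $mech" >&2
            return 1 ;;
    esac
}
```

Calling whoami_cmd "$(pick_mech)" You@CLUENET.ORG prints the command for whichever credential is available; a successful bind makes ldapwhoami report the authorization identity the server mapped you to.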
kerberos.cluenet.org if not possible
ldap.cluenet.org if not possible