I'd say base it on OpenLDAP. As far as the password change option, one simple but effective system is the passwd.cgi script from cgipaf: <http://freshmeat.net/projects/cgipaf/> Although you already have to provide your old password to do an update, putting it behind http-basic authentication will allow you to use things like fail2ban to protect against brute forcing. Devin