Incidentally, some time ago I mentioned several options for single sign-on. These are also projects that support generic authentication layers on top of any application; one of the goals at Imaginary Landscape is to consolidate logins for all kinds of content -- Zope, Webware, PHP, Perl, and static content. And to do it with reasonable usability, which most Apache authentication does not provide.

In the end I dropped Pubcookie as too complex, and we're using mod_auth_tkt. This has a documented authentication ticket format that anyone can generate (based on a shared secret), and just enough features to support things like groups, without any extra features that you'll have to work around.

There's still a lot of infrastructure to build up around it to support a "full" user system, but I feel confident at least that it is a good foundation.