A common requirement (I imagine) is to hook Nevow/Guard authentication out to system auth; even more commonly PAM, though maybe not. This is a relatively straightforward recipie that works for me. See: http://deadbeefbabe.org/paste/1939 Basically, a Cred checker for IUsernamePassword is written; it writes the u/p down the unix socket to Cyrus SASLs "saslauthd", and callbacks or errbacks a deferred as appropriate. My RHEL3 box has: /etc/sysconfig/saslauthd:: FLAGS="-c -n 0" MECH="pam" ...and /etc/pam.d/MYSERVICE: #%PAM-1.0 auth required /lib/security/$ISA/pam_krb5.so no_user_check account required /lib/security/$ISA/pam_permit.so password required /lib/security/$ISA/pam_permit.so session required /lib/security/$ISA/pam_permit.so ...Kerberos being used to hand off to AD. There's also some code in there to handle jumping "straight in" to a guarded hiearchy; specifically the locateChild and data_misc / "form(action=T.slot('action'))" idiom. I *think* this is right, but may not be completely general. I'd appreciate comments.