John, am I correct in understanding that you are proposing to use an authentication plugin system as something like the current Roundup extensions? That is, in the tracker home there will be a certain directory (e.g. 'auth') in which the auth plugins will be located?

In this case, the solution to support LDAP authentication would be to provide out-of-the-box support for only those roles that are provided by default for that schema. And if the tracker needs to be configured to add additional roles, the LDAP plugin should also be customized.

Another idea is that the authenticator could get all the roles and then iterate through them to check the user's membership in each of them. But we need to somehow define their order. We can get it from a mapping file, for example. Alternatively, perhaps the order (and even the mapping of LDAP groups) could be set in the schema.py file and stored in the database.

For now these are the only things that come to mind.