LDAP
LDAP is used as the backing tree for authentication for everything except servers directly (where Unix accounts are managed by Puppet). Keycloak is used as a web-based SSO and and user management portal.
The current implementation is a single server running OpenLDAP/slapd.