We've already analized NetIQ Advanced Authentication Framework as initially we thought it was the best option, but we discarded it as it has Active Directory as a requirement.
This customer is a Novell only shop, with no AD in place.
That's refreshing to hear!

In that case you will need to use the NESCM method in the fist link I provided.