Regarding PAM...
Let's not forget that PAM deals with authentication and *only* authentication. There's no way to find out the user's names, or any information whatsoever about the user via PAM. That's what the name service switch (/etc/nsswitch.conf) is for.
In the OS world, you can configure different sources for authentication (PAM) and account information (NSS). I think we should also separate authentication from information retrieval for account creation. What if I want my users to authenticate using LDAP but want to get their information from another source (like another database)?
Just a thought...
Regards,
-Oscar
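
Added example, not part of the original message: a small Python helper that parses an nsswitch.conf and a PAM service file and reports separately which modules sit on the authentication stack and which sources supply account information. The sample configurations, the `myapp` service name, and the function names are assumptions constructed for illustration.

```python
import re

# Constructed sample configs: LDAP authenticates, while account
# information comes from local files and a separate "db" source.
NSSWITCH = """\
# /etc/nsswitch.conf
passwd:  files db
group:   files db
shadow:  files
hosts:   files dns
"""

PAM_SERVICE = """\
# /etc/pam.d/myapp  (hypothetical service name)
auth     sufficient  pam_ldap.so
auth     required    pam_deny.so
account  required    pam_permit.so
"""

def nss_sources(text, database="passwd"):
    """Ordered NSS sources for one database, ignoring [STATUS=action] items."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, rest = line.split(":", 1)
        if name.strip() == database:
            return re.sub(r"\[[^\]]*\]", " ", rest).split()
    return []

def pam_auth_modules(text):
    """Modules on the 'auth' stack of an /etc/pam.d/ service file."""
    modules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        # Fields: type, control (word or [bracketed list]), module path.
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        # include/substack name another file, not a module, so skip them.
        if m and m.group(1) == "auth" and m.group(2) not in ("include", "substack"):
            modules.append(m.group(3))
    return modules

def split_report(nss_text, pam_text):
    """Show the two concerns side by side; they are configured independently."""
    return {"authentication": pam_auth_modules(pam_text),
            "account_info": nss_sources(nss_text, "passwd")}

if __name__ == "__main__":
    print(split_report(NSSWITCH, PAM_SERVICE))
```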