Two-legged means that Candlepin/Pulp don't authenticate a user, but rather authenticate Katello using a shared secret. Katello passes Candlepin/Pulp the username via an HTTP header.
IMHO, the comparable case for us is Conductor authenticating against IWHD and Image Factory.
As well as Katello -> Conductor and Conductor -> Katello.
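As an added illustration of the two-legged pattern described above (example code, not Katello's, Candlepin's or Pulp's own implementation): the calling service binds the asserted username to the shared secret with an HMAC over the request, and the receiving service refuses to honour the username header unless that signature checks out and the timestamp is fresh. Without that binding, anyone who can reach the API could set the header and impersonate any user. The header names, the signing format and the replay window are assumptions made for this example.

```python
import hashlib
import hmac
import time

# Header names are assumptions for this example, not the ones Katello,
# Candlepin or Pulp actually use.
USER_HEADER = "X-Service-User"
TS_HEADER = "X-Service-Timestamp"
SIG_HEADER = "X-Service-Signature"
MAX_SKEW = 300  # seconds a signed request stays valid (assumed replay window)


class AuthError(Exception):
    """Raised when the calling service cannot be authenticated."""


def _string_to_sign(method, path, username, timestamp):
    # Bind method, path, asserted user and timestamp into one signed blob
    # so none of them can be swapped without invalidating the MAC.
    return "\n".join([method.upper(), path, username, str(timestamp)]).encode()


def sign_request(method, path, username, shared_secret, now=None):
    """Caller side (the Katello role): build the headers that assert
    `username` and prove possession of the shared secret."""
    ts = int(now if now is not None else time.time())
    mac = hmac.new(
        shared_secret.encode(),
        _string_to_sign(method, path, username, ts),
        hashlib.sha256,
    ).hexdigest()
    return {USER_HEADER: username, TS_HEADER: str(ts), SIG_HEADER: mac}


def verify_request(method, path, headers, shared_secret, now=None):
    """Callee side (the Candlepin/Pulp role): return the asserted username
    only if the signature validates and the request is not stale."""
    try:
        username = headers[USER_HEADER]
        ts = int(headers[TS_HEADER])
        sig = headers[SIG_HEADER]
    except (KeyError, ValueError):
        raise AuthError("missing or malformed service auth headers")
    current = int(now if now is not None else time.time())
    if abs(current - ts) > MAX_SKEW:
        raise AuthError("stale request")
    expected = hmac.new(
        shared_secret.encode(),
        _string_to_sign(method, path, username, ts),
        hashlib.sha256,
    ).hexdigest()
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(sig, expected):
        raise AuthError("bad signature: username header cannot be trusted")
    return username


def is_trusted(method, path, headers, shared_secret, now=None):
    """Boolean convenience wrapper around verify_request."""
    try:
        verify_request(method, path, headers, shared_secret, now)
        return True
    except AuthError:
        return False


if __name__ == "__main__":
    secret = "example-shared-secret"  # constructed value for the demo
    path = "/repositories/"
    good = sign_request("GET", path, "alice", secret)
    print("genuine request ->", verify_request("GET", path, good, secret))

    # Tampering with the username header alone invalidates the signature.
    forged = dict(good)
    forged[USER_HEADER] = "admin"
    print("forged username trusted? ->", is_trusted("GET", path, forged, secret))
```

The shared secret never crosses the wire; only the MAC does, so a passive observer cannot reuse it, and the timestamp check bounds how long a captured request could be replayed.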
Sorry if I'm jumping into the discussion a little late, but why are all these services authenticating against each other?
For that matter why do we store any authentication details in the db?
Why not set up a single central LDAP server and have everything authenticate against that, e.g. conductor, katello, candlepin, pulp, etc.?
This may just be my opinion, but I feel we replicate way too much data with aeolus; LDAP is meant for high-performance authentication, and is simple to set up and use.
-Mo