Can an externally hosted Sakai instance tie into a campus LDAP system for authentication?
Yes, a Sakai instance hosted off-campus can tie into campus LDAP for authentication.
An externally hosted Sakai instance can use an existing campus LDAP for authentication. Implementing this requires that the hosted Sakai instance have sufficient access to the campus LDAP, which may include creating privileged users for privileged query access and opening firewall policies to allow the access.
As an implementation detail, some Sakai uses of LDAP beyond initial user login may be "chatty" between the Sakai server and the LDAP server (e.g., querying for the user attributes of an entire roster of users). Whether this is a problem depends on the latency and responsiveness between the servers. If latency between Sakai and the campus LDAP server is an issue, solutions may include mirroring the campus LDAP into an ad hoc LDAP instance co-hosted with Sakai, provisioning user attributes into the Sakai database, or other solutions.
In short, the answer is yes: Sakai can tie into LDAP, and externally hosted Sakai instances can tie into on-premises LDAP servers. To the extent that this use of LDAP goes beyond simple user authentication, complexities may or may not arise in ensuring that the remoteness of the LDAP instance from the Sakai instance does not degrade performance, and Unicon is prepared to work with clients in resolving these complexities.
