These LDAP questions have sparked me to ask something I've been
pondering for a while.
Currently we're using NIS. Aside from potential security issues, this
solution is inelegant and has led to problems that wouldn't be
experienced with standard Unix authentication. Our mail server is
running sendmail, so we're doing the normal domain-hosting hack,
requiring that we set up redirection to accounts in our own domain.
The whole mess is ugly and does NOT scale well.
I had decided I was going to write a set of scripts to maintain a
master authentication database that would be able to rebuild password
databases on every server, as well as generate config files for qmail,
vpopmail, and whatever else we set up to deal with virtual domain
hosting. Someone told me I should investigate LDAP.
Some goals for whatever we implement:
- Ability for owners of our hosted domains to administer
their own user databases.
- True virtual domain hosting. This means that we won't need to
create local accounts in our own domain to hold email, run
user scripts on the web server, etc.
- Make only applicable accounts visible to each server. The web
server should not know about any of the mail accounts, and the
shell server should only see accounts that have been granted
shell access. If the account doesn't apply, it should be as if
it isn't even in the database.
- Ability for any applicable account to be able to own a file in
the file system with a globally unique UID/GID. Not every account
would have this requirement, email-only accounts likely don't need
to own any files. It would probably only apply to accounts with
shell and/or web-hosting rights.
- Maildir support for SMTP, POP3, and IMAP.
Can LDAP do this, and what combination of software would be best
for the email side of it? Our web server is Roxen (from source, not
packaged), and we are using the IMHO plugin for web-based email.
Unless we can't get this scheme to work with Roxen, we have no plans
to change web server software.
I had thought to use qmail, vpopmail, courier-imap to handle the email
services. If there are other choices that are either easier to
implement or offer advantages I haven't thought of, please let me
Western Online Services, Inc.
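One way to sketch the directory design this message asks about, as an added example that is not part of the original post or of any of the software it names: attribute and objectClass names follow OpenLDAP's cosine, nis and misc schemas (account, posixAccount, inetLocalMailRecipient, host), the server hostnames and uid numbers are made up, and the entries are trimmed to the attributes the code actually uses.

```python
# Constructed sample directory (not a real dump): one subtree per hosted domain, each account carrying only the objectClasses for the services it has been granted.
LDIF = """\
dn: uid=alice,ou=people,dc=example-hosted,dc=net
objectClass: account
objectClass: posixAccount
objectClass: inetLocalMailRecipient
uid: alice
uidNumber: 20001
host: shell.isp.example
host: www.isp.example
mailLocalAddress: alice@example-hosted.net

dn: uid=bob,ou=people,dc=example-hosted,dc=net
objectClass: account
objectClass: inetLocalMailRecipient
uid: bob
mailLocalAddress: bob@example-hosted.net

dn: uid=carol,ou=people,dc=other-hosted,dc=org
objectClass: account
objectClass: posixAccount
uid: carol
uidNumber: 20001
host: www.isp.example
"""
def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, multi-valued attributes."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, val = line.partition(": ")
            entry.setdefault(key, []).append(val)
        entries.append(entry)
    return entries
# Each server's view, the equivalent of a search filter such as (&(objectClass=posixAccount)(host=shell.isp.example)) on the shell box.
SERVER_FILTERS = {
    "shell": lambda e: "posixAccount" in e["objectClass"] and "shell.isp.example" in e.get("host", []),
    "www": lambda e: "posixAccount" in e["objectClass"] and "www.isp.example" in e.get("host", []),
    "mail": lambda e: "inetLocalMailRecipient" in e["objectClass"],
}
def visible_uids(entries, server):
    # Accounts a server sees; anything not matching is as if absent from the directory.
    return sorted(e["uid"][0] for e in entries if SERVER_FILTERS[server](e))
def duplicate_uid_numbers(entries):
    """uidNumber values shared across domains, which break the global-uniqueness goal."""
    owners = {}
    for e in entries:
        for n in e.get("uidNumber", []):
            owners.setdefault(n, []).append(e["uid"][0])
    return {n: u for n, u in owners.items() if len(u) > 1}
```

The email-only account bob has no posixAccount class, so the shell and web servers never see it, while the duplicate check catches alice and carol sharing uidNumber 20001 across two hosted domains.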