Authentication schemes



Everyone,

These LDAP questions have sparked me to ask something I've been
pondering for a while.

Currently we're using NIS.  Aside from potential security issues, this
solution is inelegant and has led to problems that wouldn't be
experienced with standard unix authentication.  Our mail server is
running sendmail, so we're doing the normal domain-hosting hack,
requiring that we set up redirection to accounts in our own domain.
The whole mess is ugly and does NOT scale well.

I had decided I was going to write a set of scripts to maintain a
master authentication database that would be able to rebuild password
databases on every server, as well as generate config files for qmail,
vpopmail, and whatever else we set up to deal with virtual domain
hosting.  Someone told me I should investigate LDAP.

Some goals for whatever we implement:

- Ability for owners of our hosted domains to administer
  their own user databases.
- True virtual domain hosting.  This means that we won't need to
  create local accounts in our own domain to hold email, run
  user scripts on the web server, etc.
- Make only applicable accounts visible to each server.  The web
  server should not know about any of the mail accounts, and the
  shell server should only see accounts that have been granted
  shell access.  If the account doesn't apply, it should be as if
  it isn't even in the database.
- Ability for any applicable account to be able to own a file in
  the file system with a globally unique UID/GID.  Not every account
  would have this requirement; email-only accounts likely don't need
  to own any files.  It would probably only apply to accounts with
  shell and/or web-hosting rights.
- Maildir support for SMTP, POP3, and IMAP.

Can LDAP do this, and what combination of software would be best
for the email side of it?  Our webserver is Roxen (from source, not
packaged), and we are using the IMHO plugin for web-based email.
Unless we can't get this scheme to work with Roxen, we have no plans
to change webserver software.

I had thought to use qmail, vpopmail, courier-imap to handle the email
services.  If there are other choices that are either easier to
implement or offer advantages I haven't thought of, please let me
know.

Thanks,
Shawn Heisey
Western Online Services, Inc.
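The goals above map fairly directly onto an LDAP directory; as an added illustration (not part of the original post or of any product it names), here is a toy model of that layout over constructed LDIF data. It assumes RFC 2307 attributes and uses the `host` attribute as the mechanism for per-server account visibility, which is an assumption rather than something the post specifies.

```python
# Added example (not from the post): toy model of the directory the goals describe. Constructed data;
# the RFC 2307 'host' attribute as the per-server visibility mechanism is an assumption.
import re
from collections import Counter
LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=net
objectClass: posixAccount
objectClass: account
uid: alice
uidNumber: 10001
host: shell.example.net
host: www.example.net
mail: alice@example.net

dn: uid=bob,ou=people,dc=hosted,dc=org
objectClass: posixAccount
objectClass: account
uid: bob
uidNumber: 10002
host: www.example.net
mail: bob@hosted.org

dn: uid=carol,ou=people,dc=hosted,dc=org
objectClass: inetOrgPerson
uid: carol
mail: carol@hosted.org
"""

def parse_ldif(text):
    """Minimal LDIF parser (no folded lines, no base64): returns a list of {attr: [values]}."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry.setdefault(key, []).append(value)
        entries.append(entry)
    return entries

def visible_on(entries, hostname):
    """Accounts a server may see: posixAccount entries naming it in 'host'; mail-only entries never appear."""
    return sorted(e["uid"][0] for e in entries if "posixAccount" in e.get("objectClass", []) and hostname in e.get("host", []))

def duplicate_uidnumbers(entries):
    """The globally unique UID goal: uidNumbers claimed by more than one entry (should be empty)."""
    counts = Counter(n for e in entries for n in e.get("uidNumber", []))
    return sorted(n for n, c in counts.items() if c > 1)

def mail_accounts(entries, domain):
    """Accounts the mail server delivers for a hosted domain, with or without shell/web rights."""
    return sorted(e["uid"][0] for e in entries if any(m.endswith("@" + domain) for m in e.get("mail", [])))
```

With this data, the shell server sees only alice, the web server sees alice and bob, and the mail server delivers for carol although no server ever sees her as a Unix account.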
