
Re: Authentication schemes



On Wed, Apr 25, 2001 at 10:15:29AM -0600,
 elyograg <elyograg@wolsi.com> wrote 
 a message of 57 lines which said:

> Some goals for whatever we implement:

We have almost exactly the same goals. We seem more advanced (we have
an experimental LDAP testbed) but it is not yet in production so take
it with a grain of salt.

We plan (but it is not yet decided) to use a DBMS for all information
management and to export it to an LDAP base. Which means LDAP would be
mostly read-only for the users.

> - Ability for owners of our hosted domains to administer
>   their own user databases.

Easy with LDAP, where ACLs are per-branch. But it means you need to
study your scheme: we plan to have a branch per group of customers (we
don't have individual customers).

> - True virtual domain hosting.  This means that we won't need to
>   create local accounts in our own domain to hold email, run
>   user scripts on the web server, etc.

It works fine in our testbed (mostly with PAM and NSS).

> - Make only applicable accounts visible to each server.  The web
>   server should not know about any of the mail accounts, and the
>   shell server should only see accounts that have been granted
>   shell access.  If the account doesn't apply, it should be as if
>   it isn't even in the database.

Easy with the LDAP filters. Both PAM and NSS allow you to specify an
arbitrary LDAP filter (NSS is stricter, the filter is for all
services).

> - Ability for any applicable account to be able to own a file in
>   the file system with a globally unique UID/GID.  Not every account
>   would have this requirement, email-only accounts likely don't need
>   to own any files. 

It costs nothing to give a UID to everyone (in 'woody', all the
programs use 32-bit UIDs) so we plan to give it to everybody.

> - Maildir support for SMTP, POP3, and IMAP.

It works in our testbed, with Postfix, Courier-POP and Courier-IMAP
(only free software, as you see, I believe Cyrus and Cucipop are not
free).

> for the email side of it?  Our webserver is Roxen (from source, not
> packaged), and we are using the IMHO plugin for web-based email.
> Unless we can't get this scheme to work with Roxen, we have no plans
> to change webserver software.

We use Apache and LDAP authentication works fine.

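For readers who want to see what "per-branch ACLs" and "an arbitrary LDAP filter per service" look like in practice, here is an added configuration example. It is not the poster's testbed configuration; the directory names (dc=example,dc=net, the ou=Customers layout, the host attribute values) and the file paths are assumptions, and the OpenLDAP ACL syntax is the dn.subtree form of 2.1 and later rather than the regex form of the 2.0 release that shipped around the time of this thread.

```conf
###########################################################################
# 1. Directory server: /etc/ldap/slapd.conf (OpenLDAP). One subtree per
#    customer group, writable only by that group's own admin entry.
#    slapd uses the FIRST matching "access to" clause, so the password
#    rule for the branch must come before the general branch rule, or
#    "by users read" would expose userPassword to every bound user.
###########################################################################
access to dn.subtree="ou=acme,ou=Customers,dc=example,dc=net" attrs=userPassword
        by dn="cn=admin,ou=acme,ou=Customers,dc=example,dc=net" write
        by self write
        by anonymous auth
        by * none
access to dn.subtree="ou=acme,ou=Customers,dc=example,dc=net"
        by dn="cn=admin,ou=acme,ou=Customers,dc=example,dc=net" write
        by users read
# Fallback for everything outside a customer branch: directory is
# read-only for users, as the message above describes.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by users read

###########################################################################
# 2. Shell server: /etc/libnss-ldap.conf (nss_ldap). The map syntax is
#    base?scope?filter, and the filter applies to every NSS consumer on
#    the host (getent, ls -l, cron, ...), which is the "NSS is stricter"
#    point: an account that does not match simply does not exist here.
#    "host" is the cosine/nis schema attribute; host=* means "any host".
###########################################################################
host    ldap.example.net
base    dc=example,dc=net
nss_base_passwd ou=Customers,dc=example,dc=net?sub?(&(objectClass=posixAccount)(|(host=shell1.example.net)(host=*)))
nss_base_shadow ou=Customers,dc=example,dc=net?sub?(&(objectClass=shadowAccount)(|(host=shell1.example.net)(host=*)))
nss_base_group  ou=Groups,dc=example,dc=net?sub?(objectClass=posixGroup)

###########################################################################
# 3. Same shell server: /etc/pam_ldap.conf (pam_ldap). pam_filter narrows
#    who may authenticate at all; pam_check_host_attr additionally
#    requires host=<this host> or host=* on the entry. A different
#    service (e.g. POP3) can point pam_ldap at its own file with
#    "pam_ldap.so config=/etc/pam_ldap_pop.conf" in /etc/pam.d/<service>
#    (assumed usage of pam_ldap's config= option).
###########################################################################
host    ldap.example.net
base    dc=example,dc=net
pam_login_attribute uid
pam_filter          objectClass=posixAccount
pam_check_host_attr yes

###########################################################################
# 4. Web server (Apache with an LDAP auth module): the filter lives in the
#    AuthLDAPURL, so the web tier never even asks the directory about
#    mail-only or shell-only accounts. Attribute name webAccess is assumed.
###########################################################################
<Location /private>
    AuthType    Basic
    AuthName    "Hosted site"
    AuthLDAPURL ldap://ldap.example.net/ou=Customers,dc=example,dc=net?uid?sub?(&(objectClass=posixAccount)(webAccess=TRUE))
    require valid-user
</Location>
```

The check a practitioner should run after deploying sections 2 and 3 is `getent passwd` on each server: a mail-only account that still appears on the shell server means the NSS filter, not just the PAM filter, is wrong, and PAM alone will not hide the account from file ownership or cron.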