Re: Authentication schemes
On Wed, Apr 25, 2001 at 10:15:29AM -0600,
elyograg <elyograg@wolsi.com> wrote
a message of 57 lines which said:
> Some goals for whatever we implement:
We have almost exactly the same goals. We seem more advanced (we have
an experimental LDAP testbed) but it is not yet in production so take
it with a grain of salt.
We plan (but it is not yet decided) to use a DBMS for all information
management and to export it to an LDAP base. Which means LDAP would be
mostly read-only for the users.
> - Ability for owners of our hosted domains to administer
> their own user databases.
Easy with LDAP, where ACLs are per-branch. But it means you need to
study your scheme: we plan to have a branch per group of customers (we
don't have individual customers).
> - True virtual domain hosting. This means that we won't need to
> create local accounts in our own domain to hold email, run
> user scripts on the web server, etc.
It works fine in our testbed (mostly with PAM and NSS).
> - Make only applicable accounts visible to each server. The web
> server should not know about any of the mail accounts, and the
> shell server should only see accounts that have been granted
> shell access. If the account doesn't apply, it should be as if
> it isn't even in the database.
Easy with the LDAP filters. Both PAM and NSS allow you to specify an
arbitrary LDAP filter (NSS is stricter, the filter is for all
services).
> - Ability for any applicable account to be able to own a file in
> the file system with a globally unique UID/GID. Not every account
> would have this requirement, email-only accounts likely don't need
> to own any files.
It costs nothing to give a UID to everyone (in 'woody', all the
programs use 32-bit UIDs) so we plan to give one to everybody.
> - Maildir support for SMTP, POP3, and IMAP.
It works in our testbed, with Postfix, Courier-POP and Courier-IMAP
(only free software, as you see, I believe Cyrus and Cucipop are not
free).
> for the email side of it? Our webserver is Roxen (from source, not
> packaged), and we are using the IMHO plugin for web-based email.
> Unless we can't get this scheme to work with Roxen, we have no plans
> to change webserver software.
We use Apache and LDAP authentication works fine.
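An added example, not part of this message or the poster's testbed, of how the per-service filtering described above is expressed in the PADL pam_ldap and nss_ldap configuration files of a shell server. The suffix dc=example,dc=com, the host name, the branch names and the objectClass values (shellAccount, mailAccount) are assumptions; the keys themselves (pam_filter, ssl start_tls, nss_base_passwd with a base?scope?filter value) are the standard ones from those packages.

```ini
# /etc/pam_ldap.conf on the shell server
# (added example; suffix, host and objectClass names are assumptions)
host ldap.example.com
base dc=example,dc=com
# Only entries carrying the shell-access class may authenticate here.
# A mail-only account fails PAM exactly as if it were not in the directory.
pam_filter objectClass=shellAccount
# Never let a password cross the wire in clear: require STARTTLS to the server.
ssl start_tls
# The mail server would carry "pam_filter objectClass=mailAccount" instead,
# so each host only ever accepts the accounts that apply to it.

# /etc/libnss-ldap.conf on the same shell server
host ldap.example.com
base dc=example,dc=com
# nss_ldap's filter is global to the host: it narrows passwd/group lookups
# for every service, so it hides non-shell accounts from "ls -l", "id" etc.
# but it is not a per-service access control the way pam_filter is.
nss_base_passwd ou=customers,dc=example,dc=com?sub?(objectClass=shellAccount)
nss_base_group  ou=groups,dc=example,dc=com?sub
```

Two things follow from this layout. The pam_filter is the authorization gate for the service, so it must be checked on every host that offers a login, while the nss_base_passwd filter only decides which entries the host can resolve to names and UIDs; the write ACLs on each customer branch (who may edit which accounts) are a third, separate control set on the directory server itself. Because the NSS filter is host-wide, a host that runs both a mail and a shell service cannot hide mail accounts from one and show them to the other through NSS alone; only the per-service pam_filter gives that separation.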