Everyone,

These LDAP questions have sparked me to ask something I've been pondering for a while.

Currently we're using NIS. Aside from potential security issues, this solution is inelegant and has led to problems that wouldn't be experienced with standard unix authentication. Our mail server is running sendmail, so we're doing the normal domain-hosting hack, requiring that we set up redirection to accounts in our own domain. The whole mess is ugly and does NOT scale well.

I had decided I was going to write a set of scripts to maintain a master authentication database that would be able to rebuild password databases on every server, as well as generate config files for qmail, vpopmail, and whatever else we set up to deal with virtual domain hosting. Someone told me I should investigate LDAP.

Some goals for whatever we implement:

- Ability for owners of our hosted domains to administer their own user databases.
- True virtual domain hosting. This means that we won't need to create local accounts in our own domain to hold email, run user scripts on the web server, etc.
- Make only applicable accounts visible to each server. The web server should not know about any of the mail accounts, and the shell server should only see accounts that have been granted shell access. If the account doesn't apply, it should be as if it isn't even in the database.
- Ability for any applicable account to be able to own a file in the file system with a globally unique UID/GID. Not every account would have this requirement; email-only accounts likely don't need to own any files. It would probably only apply to accounts with shell and/or web-hosting rights.
- Maildir support for SMTP, POP3, and IMAP.

Can LDAP do this, and what combination of software would be best for the email side of it? Our webserver is Roxen (from source, not packaged), and we are using the IMHO plugin for web-based email. Unless we can't get this scheme to work with Roxen, we have no plans to change webserver software. I had thought to use qmail, vpopmail, courier-imap to handle the email services.

If there are other choices that are either easier to implement or offer advantages I haven't thought of, please let me know.

Thanks,
Shawn Heisey
Western Online Services, Inc.
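An added illustration of the "one master database, per-server views" goal described above (example code, not from the poster or any of the named projects): the LDIF is constructed, and the `hostedService` attribute is an assumed name, not part of any standard schema. Each server filters the master entries to the accounts it is entitled to see, passwd lines are rendered only for accounts that carry a UID, and a uniqueness check catches a UID claimed twice.

```python
# Added example (not from the post): per-server views of one master directory; the LDIF is constructed and `hostedService` is an assumed attribute.
from collections import defaultdict

MASTER_LDIF = """\
dn: uid=alice,ou=people,dc=example-a,dc=test
uid: alice
hostedService: mail
hostedService: shell
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/example-a.test/alice

dn: uid=bob,ou=people,dc=example-b,dc=test
uid: bob
hostedService: mail

dn: uid=carol,ou=people,dc=example-b,dc=test
uid: carol
hostedService: web
uidNumber: 10001
gidNumber: 10002
homeDirectory: /home/example-b.test/carol
"""

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, every attribute kept as a value list."""
    entries, cur = [], defaultdict(list)
    for line in text.splitlines() + [""]:
        if line.strip():
            key, _, value = line.partition(":")
            cur[key].append(value.strip())
        elif cur:
            entries.append(dict(cur))
            cur = defaultdict(list)
    return entries

def view_for(entries, service):
    """Accounts visible to one server: an entry without that service does not exist there."""
    return [e for e in entries if service in e.get("hostedService", [])]

def passwd_lines(entries, shell="/bin/sh"):
    """Render a server's view as passwd(5) lines; only file-owning accounts carry a UID."""
    return ["%s:x:%s:%s::%s:%s" % (e["uid"][0], e["uidNumber"][0], e["gidNumber"][0],
            e["homeDirectory"][0], shell) for e in entries if "uidNumber" in e]

def duplicate_uids(entries):
    """Global-uniqueness check: uidNumbers claimed by more than one account."""
    owners = defaultdict(list)
    for e in entries:
        owners[e.get("uidNumber", [None])[0]].append(e["uid"][0])
    return {n: o for n, o in owners.items() if n and len(o) > 1}
```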

