
Re: LDAP/mail interaction



On Thu, Jul 15, 1999 at 08:59:55PM +1000, David J N Begley wrote:
> On Wed, 14 Jul 1999, Jeff Clowser wrote:
> 
> > Second is that the side effect of this would be that users could also
> > log into the machine, ftp to it, etc - they could use whatever other
> > user based services are on that box, which could be bad.
> 
> Argh... hit send too quickly.  You can "play games" to have the users "exist"
> (for services like email - Sendmail, etc.) on the Unix machine (i.e., they
> still must have UIDs and such) without actually letting them login (so
> home directories may not exist, or something).

And you can also do the opposite: have email delivered to users who only
exist in the context of the mail system, i.e. they do not have any
relationship to the Unix passwd/group model. This implies that your MTA can
determine what to do with messages without consulting /etc/passwd (or
equivalent) and your popper can authenticate the user without access to
/etc/passwd. This in turn implies that you have a policy database
accessible to both; access to it can be done with LDAP.

For small-scale installations where shell access is required, PAM or
equivalent may be a suitable solution.

For large sealed server installations the extra levels of indirection you
get with PAM probably introduce unneeded complexity and overhead. Going
directly to the policy database is a good optimization.

-- 
Stuart Lynne <sl@fireplug.net>      604-461-7532      <http://edge.fireplug.net>
PGP Fingerprint: 28  E2  A0  15  99  62  9A  00   88  EC  A3  EE  2D  1C  15  68
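As an added example, not part of the original message or thread: a small Python model of the arrangement Stuart describes, where the MTA and the popper both answer from the LDAP policy database and never touch /etc/passwd. The LDIF fragment is constructed and parsed in memory in place of a real directory; the attribute names (mail, uid, userPassword, mailMessageStore) and the OpenLDAP-style {SSHA} password scheme are assumptions of this example.

```python
import base64
import hashlib
import hmac

def make_ssha(password, salt):
    """OpenLDAP-style {SSHA} hash: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

# Constructed LDIF standing in for the LDAP directory: no uidNumber/loginShell, so no Unix account.
POLICY_LDIF = f"""\
dn: uid=jdoe,ou=mail,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
mail: jdoe@example.com
mail: john.doe@example.com
mailMessageStore: /var/spool/mail/example.com/jdoe
userPassword: {make_ssha('correct horse', b's4lt')}
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}} for minimal, unfolded LDIF."""
    entries, current = {}, None
    for line in text.splitlines():
        attr, sep, value = line.partition(": ")
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif sep and current is not None:
            current.setdefault(attr, []).append(value)
    return entries
DIRECTORY = parse_ldif(POLICY_LDIF)

def route(address):
    """MTA side: resolve a recipient to its message store; None means unknown user."""
    for entry in DIRECTORY.values():
        if address.lower() in (m.lower() for m in entry.get("mail", [])):
            return entry["mailMessageStore"][0]
    return None

def check_ssha(stored, password):
    """Constant-time check of a {SSHA} value; bytes after the 20-byte digest are the salt."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return hmac.compare_digest(hashlib.sha1(password.encode() + raw[20:]).digest(), raw[:20])

def authenticate(uid, password):
    """Popper side: verify against the directory, never against /etc/passwd."""
    for entry in DIRECTORY.values():
        if uid in entry.get("uid", []):
            return any(check_ssha(h, password) for h in entry.get("userPassword", []))
    return False
```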