Patrick, LDAP is definitely the way to go. Over the past six to seven years it has transformed from a mere gateway to the industry standard directory service. All big commercial entities are incorporating support for LDAP (Sun, Netscape, Microsoft, Novell, Oracle, etc.) in their products, and there is a large movement in the open source community, as well. It only makes sense to have a standard, here. That being said, all of the Courier products support LDAP as their directory service, and it works quite well this way. There are many commercial and a couple of opensource radius servers that support LDAP. Solaris and Linux support using the NSS and PAM LDAP packages from www.padl.com. These two packages make using LDAP for general authentication in the OS a breeze. There is an option to include support for LDAP authentication in RedHat's GUI installer, which makes it completely painless to setup the padl packages. Padl also has an NIS to LDAP for easy transition. Many people on this list use OpenLDAP without a problem with Courier and many other products. If you are a large ISP with thousands up to millions of users, you might have a problem. I have heard that OpenLDAP does not scale very well. I use Netscape Directory Server 4.x. It is the fastest LDAP server around, crushing MS ADS, Novell eNDS, and Oracle OID (to name a few) in performance tests: http://www.nwfusion.com/reviews/2000/0515rev2.html (I would hope so, considering that Netscape hired the guys that originally decided to transform LDAP from a gateway into a full directory service.) I chose Netscape DS because I wanted to run Corporate Time Calendar Server 5.x which needed LDAPv3 support. OpenLDAP 2.x was not out/stable at the time. I'm very pleased with Netscape DS 4.x, though. (BTW, Netscape DS 5.x will support multi-master replication... it's in beta, now). Pretty much any LDAP server supports replication for load balancing and high availability. Netscape DS also has a utility to sync NT Domain accounts to and from the LDAP tree. I believe that iPlanet Meta Directory will have support for Win2000... There are other cool commercial products that can keep DS info synched across multiple OS's using LDAP as a backend, as well. Check out TotalNET Advanced Server, http://www.syntax.com/totalnet/totalnet60.htm Get ready to shell out some bucks, though. I would have liked to run FreeBSD in my setup. I know that it has many great features and can be very stable; however, many of the applications that I run will not or are not certified to run on FreeBSD (Netscape Directory Server, Corporate Time, PAM/NSS LDAP, etc.). I had the choice of using Linux or going with a commercial UN*X. I chose Linux because I'm very familiar with it, I know how to make it stable, and it was the most cost effective for my setup, by far. I know that Linux is very "messy" compared to FreeBSD, but it's been very stable for me. I just took down our old Redhat 5.2 qmail mail server that was up for 460+ days without a reboot or a problem (I upgraded to a new machine). Many high profile sites use Linux without a problem. In the end, it came down to what applications I needed to run. That made my choice very simple.

Go with the standard, LDAP. Magnitudes more products support authentication with LDAP. You will have far less problems.

Hope my ramblings help ;)

Patrick Price wrote: