Subject: Re: [courier-users] Best unix distributed authentication method?
From: Clint Bullock (cli...@ovpr.uga.edu)
Date: Mar 12, 2001 8:23:10 am
Patrick, LDAP is definitely the way to go. Over the past six to seven years it has transformed from a mere gateway to the industry standard directory service. All big commercial entities are incorporating support for LDAP (Sun, Netscape, Microsoft, Novell, Oracle, etc.) in their products, and there is a large movement in the open source community, as well. It only makes sense to have a standard, here.

That being said, all of the Courier products support LDAP as their directory service, and it works quite well this way. There are many commercial and a couple of open-source radius servers that support LDAP. Solaris and Linux support using the NSS and PAM LDAP packages from www.padl.com. These two packages make using LDAP for general authentication in the OS a breeze. There is an option to include support for LDAP authentication in RedHat's GUI installer, which makes it completely painless to set up the padl packages. Padl also has an NIS to LDAP for easy transition.

Many people on this list use OpenLDAP without a problem with Courier and many other products. If you are a large ISP with thousands up to millions of users, you might have a problem. I have heard that OpenLDAP does not scale very well. I use Netscape Directory Server 4.x. It is the fastest LDAP server around, crushing MS ADS, Novell eNDS, and Oracle OID (to name a few) in performance tests: http://www.nwfusion.com/reviews/2000/0515rev2.html (I would hope so, considering that Netscape hired the guys that originally decided to transform LDAP from a gateway into a full directory service.) I chose Netscape DS because I wanted to run Corporate Time Calendar Server 5.x, which needed LDAPv3 support. OpenLDAP 2.x was not out/stable at the time. I'm very pleased with Netscape DS 4.x, though. (BTW, Netscape DS 5.x will support multi-master replication... it's in beta, now). Pretty much any LDAP server supports replication for load balancing and high availability.

Netscape DS also has a utility to sync NT Domain accounts to and from the LDAP tree. I believe that iPlanet Meta Directory will have support for Win2000... There are other cool commercial products that can keep DS info synched across multiple OSes using LDAP as a backend, as well. Check out TotalNET Advanced Server, http://www.syntax.com/totalnet/totalnet60.htm Get ready to shell out some bucks, though.

I would have liked to run FreeBSD in my setup. I know that it has many great features and can be very stable; however, many of the applications that I run will not or are not certified to run on FreeBSD (Netscape Directory Server, Corporate Time, PAM/NSS LDAP, etc.). I had the choice of using Linux or going with a commercial UN*X. I chose Linux because I'm very familiar with it, I know how to make it stable, and it was the most cost effective for my setup, by far. I know that Linux is very "messy" compared to FreeBSD, but it's been very stable for me. I just took down our old RedHat 5.2 qmail mail server that was up for 460+ days without a reboot or a problem (I upgraded to a new machine). Many high profile sites use Linux without a problem. In the end, it came down to what applications I needed to run. That made my choice very simple.
Go with the standard, LDAP. Magnitudes more products support authentication with LDAP. You will have far fewer problems.
Hope my ramblings help ;)
S. Clint Bullock
Network Administrator
University of Georgia
Office of the Vice President for Research
626 Boyd GSRC
Athens, GA 30602-7411
(706) 542-5936
(706) 542-3837 FAX
Patrick Price wrote:
This is a little off topic of Courier per se ....
If someone can point me in the right direction for FAQ's or HOWTO's ...
Presently I use NIS for unix username/password distribution, Radius using MySQL, and some authuserdb stuff for Courier.
What I need to know is, what good is LDAP? PAM? And which combination of these is best for a fault-tolerant, distributed password system which would support unix logins, ftp, radius, Courier, etc?
Key words being fault tolerant, distributed, and one administrative interface? Am I asking the impossible?
Here's what I have to deal with now:
1: /etc/passwd for unix logins, ftp
2: MySql for radius
3: authuserdb for virtual users for Courier
4: Rely on NIS to share /etc/passwd for multiple unix boxes
The administration of these is driving me crazy, and if NIS goes down I'm screwed.
Thanks for any input!
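Clint's recommendation and Patrick's four-source setup above, as an added example that is neither from the thread nor from the padl packages' own documentation: the three files that move a Linux host's logins onto LDAP with nss_ldap (identity lookups) and pam_ldap (password checks), pointed at two replicas so losing one server does not lock everyone out the way a dead NIS master does. Host names, the base DN and the CA file path are assumptions.

```conf
# /etc/ldap.conf, read by both padl packages (nss_ldap and pam_ldap).
# Host names, base DN and CA file are constructed placeholders.
# Two replicas, tried in order: when ldap1 is down, lookups fall over
# to ldap2 instead of failing the way a single NIS master would.
host ldap1.example.com ldap2.example.com
base dc=example,dc=com
ldap_version 3
scope one
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_group  ou=Group,dc=example,dc=com?one
# Encrypt the session and verify the server certificate, so passwords
# never cross the wire in the clear and a rogue host cannot pose as a
# replica.
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/example-ca.pem
# Fail fast on a dead replica rather than hanging every login.
bind_timelimit 5
timelimit 10
# Password changes use the LDAP password-modify extended operation, so
# the server, not the client, decides how the password is hashed.
pam_password exop

# /etc/nsswitch.conf: NSS answers "which account is uid 1001?".
# "files" first, so root and system accounts still resolve when every
# replica is unreachable.
passwd:   files ldap
shadow:   files ldap
group:    files ldap

# /etc/pam.d/login (Linux-PAM): PAM answers "is this password right?".
# pam_ldap is tried first; a local account falls through to pam_unix,
# which reuses the password already typed instead of prompting again.
auth      sufficient  pam_ldap.so
auth      required    pam_unix.so try_first_pass
account   sufficient  pam_ldap.so
account   required    pam_unix.so
password  sufficient  pam_ldap.so
password  required    pam_unix.so use_authtok
session   required    pam_unix.so
```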