On 04/13/2010 09:39 AM, Curtis Griesel wrote:
> Why not authenticate via LDAP or some other directory server, then let
> the user manage their LDAP account via a web interface?
>
> You can also manage web user accounts with a simple database -- that is
> what most CMS systems do (WordPress, Drupal, etc.).   But LDAP is more
> robust.
>
> Using system accounts to manage web users sounds like making things more
> difficult than they need to be.  If you want to provide a web front-end
> to your server, why not use a web-friendly account management tool like
> LDAP?

  Reading this thread, my mind kept drifting to the same idea.  If you 
only want the users accessing web/FTP services, there's probably a 
better authentication backend to use than the system-wide one.  There 
are plenty of implementations: LDAP (as mentioned), various SQL-backed 
options (pam_mysql/nss_mysql come to mind), RADIUS (seems like overkill, 
but hey), SMB (eww?), Kerberos (overkill?).  Creating system users you 
don't otherwise need seems like the wrong way to go about this, 
particularly if you're concerned about security.
  I myself have a rather advanced authentication framework based on 
MySQL.  Couldn't be happier with it.

      Jima