[NTLUG:Discuss] Enterprise PC Authentication
Kelledin
kelledin+NTLUG at skarpsey.dyndns.org
Mon Aug 26 12:08:45 CDT 2002
On Monday 26 August 2002 11:29 am, chris.gamble at CPBINC.com wrote:
> I am looking for a way to authenticate a corporation of PCs
> using either pam_ldap or pam_pgsql with the appropriate NSS
> libraries. The services offered will be sendmail and some
> pop/imap server, and standard pc logins for linux and windows
> (using samba for windows).
In most setups, Sendmail doesn't care much about authentication;
that's usually not an SMTP server's job.

(By the way, you might want to consider an alternative to
Sendmail, like postfix or qmail. Sendmail is very mature and
very respectable, but just about all the other major MTAs are
rather faster.)

For POP/IMAP, I prefer using Cyrus-IMAP. It authenticates using
Cyrus-SASL, which in turn can authenticate through PAM or
several other methods.
> I have been looking at ldap because I know that has been done
> at least a few times before, but I almost prefer to try to
> stick to the postgres database system since I know rdbms very
> well, whereas I do not know ldap at all.
>
> Anyone have any thoughts or suggestions they would like to
> share? Is pam_pgsql a good option, etc?
As far as maintaining a password database, either would do the
job just fine. LDAP holds a minor advantage in that you can
compile many apps (including Cyrus-SASL) to authenticate through
LDAP directly--but you still might not want to do that, as PAM
is much more modular.

If you're running an NT domain, you might also consider using
pam_smbpass to authenticate everything against your domain's
password server. The main selling point of this is that it makes
it easier to keep passwords synced between Windows accounts and
*NIX accounts; samba has certain limitations using PAM with NT
password encryption handshakes.
--
Kelledin
"If a server crashes in a server farm and no one pings it, does
it still cost four figures to fix?"