Actually, as far as LDAP, we used a 'pwcheck-ldap' type thing to do
basically this. An example implementation of this is at
http://www.wwa.com/~donley/. We eventually moved to Netscape Messaging
server, which also allows us to use LDAP for authentication and access.
The actual patch that we used is not the one posted, but is somewhat
similar. A better way to implement this functionality would be to have
the pwcheck daemon do the following.
- Check for Null password (NULL passwords succeed as a reference bind)
- Search for DN using UID (filter might include checking for the
current hostname in a 'mailhost' attribute)
- Bind to LDAP server using DN and Password Specified
- On Successful bind, login correct...
Thus, you are actually having the LDAP server validate a person's
password, with the mail server simply verifying that your mail is
actually on the server you connected and that you can correctly bind to
the LDAP server.
This would basically allow all users to be administered in an LDAP
directory. Simply set their password and mailhost information in LDAP.
You would still need to create the mailbox and set permissions, but this
is relatively easy to do with Cyrus using IMAP.
As for security, some servers (Netscape) support SSL and many LDAPv3
servers will eventually start supporting TLS (next version of SSL).
> > Incidentally, if anyone knows of a freely available blackbox account
> > database, I'd like to know about it. Lots of people are unhappy with
> > the /etc/passwd support -- they, quite reasonably, want to put the
> > password database somewhere else -- but this code shouldn't be a part of
> > Cyrus.
> > If anyone is interested in setting up something else, or has done so and
> > is willing to package up and distribute the code (freely), please let me
> > know.
> Couldn't you use the University of Michigan LDAP server (code is available),
> an LDAP SDK (code is available) for talking to the server and use LDAP as
> your user database? Once you've done that, you can then leverage this with
> as many other applications as you wish.
> In essence, this is the way all of Netscape's servers work. It's an
> open-standard, it's scalable, replicatable and straightforward to manage.