On 04/13/2010 09:39 AM, Curtis Griesel wrote: > Why not authenticate via LDAP or some other directory server, then let > the user manage their LDAP account via a web interface? > > You can also manage web user accounts with a simple database -- that is > what most CMS systems do (Wordpress, Drupal, etc.). But LDAP is more > robust. > > Using system accounts to manage web users sounds like making things more > difficult than they need to be. If you want to provide a web front-end > to your server, why not use a web-friendly account management tool like > LDAP? Reading this thread, my mind kept drifting to the same idea. If you only want the users accessing web/FTP services, there's probably a better authentication backend to use than the system-wide one. There are plenty of implementations: LDAP (as mentioned), various SQL-backed options (pam_mysql/nss_mysql come to mind), RADIUS (seems like overkill, but hey), SMB (eww?), Kerberos (overkill?). Creating system users you don't otherwise need seems like the wrong way to go about this, particularly if you're concerned about security. I myself have a rather advanced authentication framework based on MySQL. Couldn't be happier with it. Jima