Forum OpenACS Q&A: Response to optionally using unix passwords for OpenACS auth

Hi all,

I work with Matt and am following up on his original post.

LDAP or not, I think what we're really asking about is a two-tiered authentication hierarchy because of concerns about password and cookie security.

I envision something like this: we have a group called, for instance, "staff". Everyone in staff is forced to log in every time, i.e. they never get a cookie except perhaps a very short-term one so it acts as a timeout. Everyone else (non-employee community members) gets cookies so they rarely have to enter a password.

Has anyone done anything similar, any kind of user or group level security policy? What about granting access based on IP address?

Secondly, what about password security? If you set EncryptPasswordsInDBP, how does security on the database itself compare to security on /etc/shadow, and how does it compare to LDAP? We would like to sync our staff's passwords systemwide, so cracking the DB would be pretty serious.

Thanks
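The two-tiered cookie policy sketched in the post, as an added illustration in Python rather than OpenACS code: members of the "staff" group get a signed session cookie that expires after a short idle window, everyone else gets a long-lived one, and verification rejects tampered or expired cookies. The group name, the lifetimes and the secret are assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import time

# Constructed demo secret; a real server loads this from configuration.
SERVER_SECRET = b"constructed-demo-secret"

# Assumed lifetimes in seconds: staff must re-authenticate after a short
# window, community members keep their cookie for a month.
STAFF_TIMEOUT = 15 * 60
COMMUNITY_LIFETIME = 30 * 24 * 3600


def session_lifetime(groups):
    """Per-group policy: the 'staff' group gets the short timeout."""
    return STAFF_TIMEOUT if "staff" in groups else COMMUNITY_LIFETIME


def issue_cookie(user_id, groups, now=None):
    """Build 'base64(user_id|expires).hmac' with a group-dependent expiry."""
    now = int(time.time()) if now is None else now
    expires = now + session_lifetime(groups)
    payload = f"{user_id}|{expires}".encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def verify_cookie(cookie, now=None):
    """Return the user_id if the cookie is intact and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        b64, sig = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(b64)
    except (ValueError, binascii.Error):
        return None  # malformed cookie
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # signature mismatch: payload was altered
    user_id, expires = payload.decode().rsplit("|", 1)
    if now >= int(expires):
        return None  # staff timeout or community lifetime has elapsed
    return user_id
```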