The server decides what access a client should have based on the username and password provided.  For access to be granted, these credentials must be validated against one of the authentication mechanisms described below.

If servedat is run as an unprivileged user with no authentication options specified, it defaults to allowing anonymous users restricted to the current folder.  No username or password is required or permitted in this mode and absolute pathnames are blocked.

See the Adding Users section for step-by-step instructions on setting up users for common authentication types.

System Users

When servedat is run with sufficient privileges, it can access the host operating system's authentication databases.  This may include PAM, Active Directory, passwd, LDAP, NIS, or any other sources tied to operating system logon mechanisms.  If the server host is a network authentication client, servedat will inherit access to the remote authentication databases as well.  Operations performed using system logons will inherit whatever privileges and limitations are assigned by the operating system.

The preferred method to enable SysAuth is to set "SysAuth 1" in a configuration file, or specify "-S" on the command line.

SysAuth will be turned on by default if servedat is run as root or as a Windows service, and no AuthFile is specified.

See the SysAuth section for more details about System Authentication.

AuthFile Users

You can create private, ExpeDat / SyncDat only, user accounts independent of the operating system's logon databases by installing an AuthFile.

An AuthFile, is a flat text file with one line per username that lets you set the password, home directory, and access restrictions for that user.  On unix systems you can set user and group ids to govern each user's access.

AuthFile usernames take priority over SysAuth usernames.  So if a username exists in both databases, the AuthFile record will control access.

See the AuthFile section for more details about the Authentication File.

Shadow Users

AuthFile records can be used to shadow existing SysAuth records by specifying a single astrisk * in the password field.  The system logon databases will be used to authenticate the password and retrieve defaults for other fields.

Shadow Authentication can be used to limit the access rights of system users on an individual basis, and to restrict access to only approved system users.  See the Shadow Authentication section for details.

Authentication Handler

You may implement customized authentication by specifying an executable to receive authentication requests.  The AuthHandler will be run when a username is not found in an AuthFile and may choose to pass requests to SysAuth.

Anonymous Users

If no username is supplied by the client, the transaction is considered "anonymous".  When servedat is run as an unprivileged user with no authentication enabled, only anonymous users will be accepted and they will be given restricted access to the Default Home.  If SysAuth, AuthFile, or AuthHandler is enabled (either explicitly or by default), then anonymous users will be allowed only if the username "ANONYMOUS" is approved by one of those mechanisms.