[BBLISA] best practices for web-driven user account registration process

John Stoffel john at stoffel.org
Fri Oct 28 16:09:22 EDT 2005


>>>>> "Michael" == Michael R Phelan <mphelan at cs.umb.edu> writes:

Michael> One of the problems with this design is that unverified
Michael> Active Directory users get left in the Active Directory
Michael> domain. This is a result of people registering, but never
Michael> verifying, their account. These need to be cleaned out
Michael> periodically. We've discussed keeping the unverified accounts
Michael> in a secondary data storage area, such as a relational
Michael> database. This would allow us to no longer keep unverified
Michael> account information in Active Directory. We're just concerned
Michael> about having a second data storage area for users. We're
Michael> concerned that we would just have to clean up the secondary
Michael> data storage area instead, or in addition to, the Active
Michael> Directory domain.

No matter what you do, you're going to have to expire accounts
which are unverified by end users.  So just set up a nightly cronjob to
go through and find all accounts past the time out limit and expire
them.

As for whether to put the initial data into LDAP or an external DB, it
all depends on how comfortable you are with each tool.  I'd probably
go with an external DB, since I can't imagine it's going to be large,
and if it does get lost, it's not a problem.  But if someone's data
gets into the LDAP, but you don't set the "Unverified" status, then
you've opened up a security hole possibly.

Also, if you lose the unverified users, it's not a big deal, you can
just have them resubmit their information.  Once they're in the LDAP,
you want to be more conservative probably.

In any case, I think you've got the right ideas here and it's just a
matter of implementation.  I personally think you're on the right
path.

John
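As an added illustration of the nightly expiry job and the "external DB for unverified accounts" split John describes (example code, not from the list post or from either poster's site), the script below keeps pending registrations in a holding table, expires the unverified ones past a timeout, and exposes only the verified rows as candidates for creation in the directory. The schema, column names, the 7-day timeout and the sample users are constructed assumptions; an in-memory SQLite database stands in for the external DB.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed holding-table schema (hypothetical column names): registrations
# live here, not in the directory, until the user completes verification.
SCHEMA = """
CREATE TABLE pending_registrations (
    username    TEXT PRIMARY KEY,
    email       TEXT NOT NULL,
    created_at  TEXT NOT NULL,              -- ISO-8601 timestamp (UTC assumed)
    verified    INTEGER NOT NULL DEFAULT 0  -- 0 = unverified, 1 = verified
);
"""

# Assumed policy: unverified registrations older than this are discarded.
UNVERIFIED_TIMEOUT = timedelta(days=7)


def open_db() -> sqlite3.Connection:
    """Create the holding table in an in-memory database (stands in for the external DB)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def register(conn: sqlite3.Connection, username: str, email: str, created_at: datetime) -> None:
    """Web-form handler path: store the request as unverified; nothing touches the directory yet."""
    conn.execute(
        "INSERT INTO pending_registrations (username, email, created_at, verified) "
        "VALUES (?, ?, ?, 0)",
        (username, email, created_at.isoformat()),
    )
    conn.commit()


def mark_verified(conn: sqlite3.Connection, username: str) -> None:
    """Called once the user proves control of the e-mail address."""
    conn.execute("UPDATE pending_registrations SET verified = 1 WHERE username = ?", (username,))
    conn.commit()


def expire_unverified(conn: sqlite3.Connection, now: datetime, max_age: timedelta) -> list:
    """The nightly cronjob: delete unverified rows older than max_age, return the usernames removed.

    ISO-8601 strings of the same format sort lexicographically, so a string
    comparison against the cutoff is sufficient here.
    """
    cutoff = (now - max_age).isoformat()
    expired = [
        row[0]
        for row in conn.execute(
            "SELECT username FROM pending_registrations WHERE verified = 0 AND created_at < ? "
            "ORDER BY username",
            (cutoff,),
        )
    ]
    conn.execute("DELETE FROM pending_registrations WHERE verified = 0 AND created_at < ?", (cutoff,))
    conn.commit()
    return expired


def verified_for_promotion(conn: sqlite3.Connection) -> list:
    """Only verified rows are ever eligible to become directory accounts."""
    return [
        row[0]
        for row in conn.execute(
            "SELECT username FROM pending_registrations WHERE verified = 1 ORDER BY username"
        )
    ]


def run_nightly_demo() -> tuple:
    """Constructed scenario: three registrations, one nightly run.

    Returns (expired usernames, usernames eligible for the directory, rows still pending).
    """
    conn = open_db()
    now = datetime(2005, 10, 28, 16, 9, 22)  # constructed "tonight"
    register(conn, "alice", "alice@example.invalid", now - timedelta(days=10))  # stale, unverified
    register(conn, "bob", "bob@example.invalid", now - timedelta(days=2))       # fresh, unverified
    register(conn, "carol", "carol@example.invalid", now - timedelta(days=10))  # old but verified
    mark_verified(conn, "carol")

    expired = expire_unverified(conn, now, UNVERIFIED_TIMEOUT)
    promotable = verified_for_promotion(conn)
    remaining = conn.execute("SELECT COUNT(*) FROM pending_registrations").fetchone()[0]
    return expired, promotable, remaining


if __name__ == "__main__":
    print(run_nightly_demo())  # → (['alice'], ['carol'], 2)
```

Because the directory is only ever fed from `verified_for_promotion`, losing the holding table costs nothing more than a re-registration, which is the property John is after; the "Unverified" flag that could be forgotten on a directory object simply has no directory-side equivalent to forget.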
