This package consists of three programs:

    checkadpassword
    qmail-adgetpw
    create_alias_files

Before using, READ INSTALL!

Checkadpassword is a program based on the mighty D. J. Bernstein's checkpassword program. Qmail-adgetpw is also based on Bernstein's software, this time qmail-getpw. Create_alias_files is based on nothing, but will create alias files (.qmail- style) from the Active Directory's groups.

WHAT THEY DO

Instead of checking the unix password file for verification and delivery directories, checkadpassword checks an Active Directory server. Active Directory is used in Microsoft server environments where the PDC is a Win2k or 2003 server. (I haven't actually tested this thing with Win 2003 server, so if anyone has and it works, please let me know!) These programs default to using the global catalog, so numerous subdomains can be included without having to query them all individually.

NOTE: Using the network password for email authentication realistically isn't a very good idea, because it requires all of the mail users to have the same passwords as their system passwords. It also requires them to have a system account. What this boils down to is badness when the passwords may be getting sent in clear text to the POP server in the first place. Granted, the email name may not be the same as the Windows username, but chances are they're pretty close. I highly suggest this be used only in an enclosed environment behind a good firewall, or that SSL be employed on the POP3 side, or both.

ANOTHER NOTE: I made these programs for the purpose of using an Active Directory server with zero changes to the AD schema. This means there is no adding to the schema, and the programs need to function within the confines of a possibly changing AD schema, so they need to remain very basic. This is why the only attributes accessed are sAMAccountName, mail and, for groups, member.
This does, however, destroy some of the nice flexibility which was inherent in qmail, but in a single AD, single domain environment, the flexibility wouldn't really be all that necessary anyway.

HOW checkadpassword DOES IT

1) It reads the username and password from its input file descriptor, which tell it what to retrieve.
2) It uses a general user to bind to the AD server, then requests the full distinguished name of the person attempting to authenticate.
3) It disconnects and tries to reconnect and bind with the DN it retrieved in step 2 and the password from step 1.
4) Upon success it sets the uid and gid from values retrieved from control files, sets environment variables, changes the current directory and executes the program that follows on its command line.

AND HOW ABOUT qmail-adgetpw

qmail-adgetpw works much the same way, but it performs only the first bind to the AD server, just to verify that the username exists. It then returns the home directory formed from the value found in the directory base file concatenated with the username. If it cannot find the requested user, it gives out the format to check the aliases for a match, just like qmail-getpw.

AND create_alias_files

All the connection stuff is the same; it seeks out groups in the AD that have an email address (mail in AD). When it finds one, it gets the member list and each member's email address to put in the alias file. The alias file is named to match the group's email address.

One thing to note: if you use the Global Catalog to span several sites, the GC doesn't keep group members unless it's a Universal group. This makes it hard to get group lists. I added an option to request the info from the separate sites' ADs, but over plain LDAP, without SSL. This was because the LDAP connection request name (site.domain) wouldn't match the answering server's name, so the SSL connection would fail. Overriding the SSL option was a quick and dirty solution that will probably change sometime, just not now...
For any information specific to these programs:
    http://www.fo2k.com/qmail-activedir/

For any general information on checkadpassword or its use, you can also look to the original checkpassword's site:
    http://cr.yp.to/checkpwd.html

For any general information on qmail-adgetpw or what it's supposed to do, you can also look to the qmail site:
    http://www.qmail.org

Or a good reference for qmail-getpw and all the qmail programs:
    http://www.qmail.org/man/index.html
specifically:
    http://www.qmail.org/man/man8/qmail-getpw.html

Questions or comments should be directed to: prok@fo2k.com