WARNING: USE AT YOUR OWN RISK! This software comes with NO WARRANTY. I make no guarantees that this software will work on your system, that it will compile on your system, or that it won't irrecoverably destroy your system. Nothing bad should happen, but as soon as you say that is usually when it does.

Active Directory Qmail programs:

    checkadpassword
    ad_getpw
    create_alias_files

REQUIREMENTS:

The LDAP libraries and header files must be present to compile, as well as most of the standard C header files and libs. You can get LDAP here: http://www.openldap.org

TO INSTALL:

1) Create the control files.

Typically in /var/qmail/control, these files must be created. These are the default names; they can be changed in ad_func.h if you really want to:

    ad_uid          - The user id of the local user that will handle delivering the mail.
                      This user should have rights to all of the mail delivery directories.
    ad_gid          - The group id of the local user that will handle delivering the mail.
                      This group should probably be restrictive so that malicious mail users
                      are limited.
    ad_defaultuserdn - The full distinguished name of the general user that has rights to
                      search the Active Directory.
    ad_defaultpass  - The password of the general user for Active Directory. This file
                      should be chmod 640 and chgrp nofiles.
    ad_servername   - The server name of the Active Directory server. Should be a fully
                      qualified domain name or IP address.
    ad_basedn       - The base DN that the search will start from.
    ad_domain       - The domain in which the email will be found.
    ad_shell        - The default shell of the local user. /bin/false is a good choice.
    ad_mailroot     - The root directory in which the mail user's mail directory can be
                      found. Right now the mail delivery directory must be the same as the
                      email user's login name, e.g. /mailroot/mailuser

Make sure you chmod 640 ad_defaultpass to keep anyone besides root and the nofiles group (needed for qmail-adgetpw to access the Active Directory) from looking in that file for a password. Something like:

    # chmod 640 ad_defaultpass
    # chgrp nofiles ad_defaultpass

The general Active Directory LDAP lookup user doesn't really need many rights, only enough to do general queries and bind to the Active Directory server. Unfortunately, it's rather difficult to restrict rights in AD without completely restricting access to the AD...

2) Update some of the settings in ad_func.h or create_alias_files.h to whatever you want: whether to use SSL or not, the file locations, etc.

3) Compile.

    gcc -Wall -O2 -lldap checkadpassword.c ad_func.c -o checkadpassword
    gcc -Wall -O2 -lldap qmail-adgetpw.c ad_func.c -o qmail-adgetpw
    gcc -Wall -O2 -lldap create_alias_files.c ad_func.c -o create_alias_files

3b) If you feel like removing the debugging symbols, then:

    strip -s ./checkadpassword
    strip -s ./ad_getpw
    strip -s ./create_alias_files

4a) Test.

Make sure that all the files are in the right place and that it actually talks to whatever it's going to talk to.

    qmail-popup blah checkadpassword id

Put in a valid username and password and it should give you the results of id. Do the same with pwd to make sure that the user, group and directory are correct. Do it again with an invalid username and password to verify that it will actually reject failures. Check the auth log to verify that the failure occurred.

4b) Test some more.

Next test ad_getpw:

    ad_getpw user

It should return the user, uid, gid and homedir, separated by the NUL character '\0'.

4c) Just using create_alias_files will let you know if it works... Do ./create_alias_files -h for more info.

5) Copy the compiled programs someplace.

After you're done, make sure that you copy the files somewhere nice:

    checkadpassword - /usr/bin or /usr/local/bin. chmod 700 checkadpassword for security's sake.

    qmail-adgetpw - /var/qmail/bin or wherever your qmail/bin dir is.

        chown root.qmail qmail-adgetpw
        chmod 711 qmail-adgetpw

    Copy the original someplace and rename:

        mv ./qmail-getpw ./qmail-getpw_old; mv ./qmail-adgetpw ./qmail-getpw

    create_alias_files - Since root or someone important will need to use it because of the file rights:

        chown root.root create_alias_files
        chmod 700 create_alias_files

    Move it somewhere like /usr/sbin or wherever you want.

6) Relax with a nice beer and some cheese maybe, then update your qmail pop scripts and restart. Run some trial tests. Have another beer.
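Step 4a drives checkadpassword through qmail-popup, which hands the login to a checkpassword-compatible program on file descriptor 3 as username, password and timestamp, each NUL-terminated, in at most 512 bytes (that is the standard checkpassword interface, which this README does not spell out). The C below is an added example, not code from this package: it shows the length and field checks such a program should make before it ever binds to Active Directory. `struct creds`, `parse_checkpassword` and `read_checkpassword` are names chosen for the example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define CHECKPW_FD  3     /* qmail-popup passes credentials on fd 3 */
#define CHECKPW_MAX 512   /* checkpassword interface: at most 512 bytes */

struct creds { const char *user; const char *pass; const char *stamp; };

/* Split buf (len bytes) into exactly three NUL-terminated fields.
 * Returns 0 on success, -1 if a terminator is missing or the username
 * is empty: malformed input is rejected, never repaired. */
int parse_checkpassword(char *buf, size_t len, struct creds *out)
{
    const char *fields[3]; size_t pos = 0;
    for (int i = 0; i < 3; i++) {
        if (pos >= len) return -1;
        const char *nul = memchr(buf + pos, '\0', len - pos);
        if (nul == NULL) return -1;            /* unterminated field */
        fields[i] = buf + pos;
        pos = (size_t)(nul - buf) + 1;
    }
    if (fields[0][0] == '\0') return -1;       /* empty username */
    out->user = fields[0]; out->pass = fields[1]; out->stamp = fields[2];
    return 0;
}

/* Read until EOF like checkpassword, but refuse more than cap bytes so an
 * oversized client string cannot run past buf. Returns bytes read or -1. */
ssize_t read_checkpassword(int fd, char *buf, size_t cap)
{
    size_t total = 0;
    for (;;) {
        if (total == cap) return -1;
        ssize_t n = read(fd, buf + total, cap - total);
        if (n < 0) return -1;
        if (n == 0) return (ssize_t)total;
        total += (size_t)n;
    }
}

int main(void)
{
    char buf[CHECKPW_MAX + 1];   /* +1 so exactly 512 bytes is still accepted */
    struct creds c;
    ssize_t n = read_checkpassword(CHECKPW_FD, buf, sizeof buf);
    if (n < 0 || parse_checkpassword(buf, (size_t)n, &c) != 0) return 2;
    printf("user=%s stamp=%s\n", c.user, c.stamp);   /* never print the password */
    memset(buf, 0, sizeof buf);  /* scrub; use explicit_bzero where available */
    return 0;
}
```

Run it as `qmail-popup host ./a.out` in place of checkadpassword to see exactly what arrives on fd 3 before wiring in the LDAP bind; exit code 2 marks a malformed login, which the auth log from step 4a should then show as a rejection.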