This package consists of three programs:
checkadpassword
qmail-adgetpw
create_alias_files

Before using, READ INSTALL!

Checkadpassword is a program based on the mighty 
D. J. Bernstein's checkpassword program.

Qmail-adgetpw is also based on Bernstein's software, this time qmail-getpw.

Create_alias_files is based on nothing, but will create
alias files (.qmail- style) from the Active Directory's
groups.

WHAT THEY DO

Instead of consulting the Unix password file for password
verification and delivery directories, checkadpassword queries
an Active Directory server.

Active Directory is the directory service in Microsoft server environments
where the domain controllers run Windows 2000/2003/2008/2008 R2.

These programs default to using the global catalog (port 3268, or 3269
over SSL), so users in every domain of the forest can be found without
having to query each domain's controllers individually.

NOTE:
Using the network password for email authentication
realistically isn't a very good idea, because it requires every
mail user to have a system (domain) account and forces the mail
password to be the same as the Windows password.  That is bad when
the password may be sent in clear text to the POP3 server in the first
place: a sniffed POP3 login is then a valid domain login.  Granted, the
email name may not be the same as the Windows username, but chances are
they're pretty close.

I highly suggest this be used only in an enclosed environment behind a
good firewall, or that SSL/TLS be employed on the POP3 side (POP3 over
SSL, or STLS), or both.


ANOTHER NOTE:
I made these programs for the purpose of using an Active Directory server
with zero changes to the AD schema.  This means nothing is added to the
schema, and the programs need to function within the confines of a
possibly changing AD schema, so they have to remain very basic.  That is
why the only attributes accessed are sAMAccountName, mail and, for
groups, member.  This does destroy some of the flexibility inherent in
qmail, but in a single-AD, single-domain environment that flexibility
wouldn't really be all that necessary anyway.


HOW checkadpassword DOES IT:
1)	It reads the username and password from file descriptor 3, in the
	checkpassword interface format (username, password and timestamp,
	each followed by a NUL byte, at most 512 bytes in total).

2)	Binds to the AD server as a general-purpose (service) account, then
	searches by sAMAccountName for the person attempting to authenticate
	and retrieves their full distinguished name.

3)	Disconnects, reconnects and binds again with the DN retrieved in
	step 2 and the password from step 1.  A successful bind means the
	password is correct.

4)	On success it sets the uid and gid to the values read from its
	control files, sets the environment variables, changes into the
	user's directory and executes the program that followed on the
	command line.


AND HOW ABOUT qmail-adgetpw
qmail-adgetpw works much the same way, but it binds to the AD server only
once, as the general-purpose account, to verify that the username exists.
It then returns the home directory formed from the value in the
directory-base control file concatenated with the username.  If it cannot
find the requested user, it falls back to the alias user with the whole
local part as the extension, so that the alias files are checked for a
match.  Just like qmail-getpw.
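The lookup just described, as an added example that is not qmail-activedir's code: it mirrors qmail-getpw's prefix search (whole local part first, then ever shorter prefixes cut at a dash) and emits the record qmail-getpw prints, which is user, uid, gid, homedir, dash and ext, each followed by a NUL byte. The set of known accounts is constructed sample data standing in for the AD query; the directory base, uid, gid and the alias user's home are assumed control-file values, and the name_is_safe check is an added precaution because the user part is concatenated into a path.

```python
"""Added example, not qmail-activedir's code: the qmail-adgetpw lookup as
described above, emitting the record qmail-getpw prints (user, uid, gid,
homedir, dash, ext, each followed by a NUL byte).  The set of known accounts
is constructed sample data standing in for the AD query; the control-file
values (directory base, uid, gid) and the alias user's home are assumptions."""

DIRBASE = "/var/qmail/users"   # assumed contents of the directory-base control file
MAIL_UID, MAIL_GID = 1000, 1000  # assumed contents of the uid/gid control files
ALIAS_USER, ALIAS_HOME = "alias", "/var/qmail/alias"  # qmail's alias user (home assumed)


def name_is_safe(name):
    """The home directory is DIRBASE + '/' + user, so the user part must not be
    able to escape it even if the directory answered 'found'."""
    return name != "" and "/" not in name and name not in (".", "..")


def lookup(local, known_accounts):
    """Mirror qmail-getpw: try the whole local part, then progressively shorter
    prefixes cut at a dash, longest first.  Returns (user, homedir, dash, ext),
    falling back to the alias user with the whole local part as ext."""
    local = local.lower()  # qmail-getpw folds the local part to lowercase
    candidate = local
    while candidate:
        if name_is_safe(candidate) and candidate in known_accounts:
            ext = local[len(candidate):]
            if ext == "":
                return (candidate, DIRBASE + "/" + candidate, "", "")
            return (candidate, DIRBASE + "/" + candidate, "-", ext[1:])
        cut = candidate.rfind("-")
        if cut <= 0:
            break
        candidate = candidate[:cut]
    return (ALIAS_USER, ALIAS_HOME, "-", local)


def getpw_record(local, known_accounts):
    """Serialize the answer exactly as qmail-getpw writes it to stdout."""
    user, home, dash, ext = lookup(local, known_accounts)
    fields = [user, str(MAIL_UID), str(MAIL_GID), home, dash, ext]
    return ("\0".join(fields) + "\0").encode()


if __name__ == "__main__":
    import sys
    # usage: python3 adgetpw_example.py host local   (host is ignored: the AD query is faked)
    sample_accounts = {"jdoe", "sales"}  # constructed: sAMAccountNames AD would return
    local = sys.argv[2] if len(sys.argv) > 2 else "jdoe-bounces"
    sys.stdout.buffer.write(getpw_record(local, sample_accounts))
```

With the sample accounts, `jdoe-bounces-2024` resolves to user `jdoe`, dash `-` and ext `bounces-2024`, so qmail-local will look for `.qmail-bounces-2024` in `/var/qmail/users/jdoe`; a local part that matches nothing goes to the alias user with the whole local part as the extension, exactly the fallback the README describes.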

AND create_alias_files
All the connection handling is the same.  It seeks out groups in the
AD that have an email address (the mail attribute).  When it finds one, it
fetches the group's member list and each member's email address and writes
them into an alias file named after the group's email address.
One thing to note if you use the Global Catalog to span several sites: the
GC doesn't carry group membership unless the group is a Universal group,
which makes it hard to get member lists.  I added an option to request the
information from each site's own AD servers, but over plain LDAP, without
SSL.  This was because the name used in the LDAP connection request
(site.domain) wouldn't match the answering server's certificate name, so the
SSL connection would fail.  Overriding the SSL option was a quick and dirty
solution that will probably change sometime, just not now...  Be aware that
a simple bind over plain LDAP sends the bind account's password across the
network in clear text.
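Building the alias file for one group, as an added example that is not create_alias_files itself: the group's mail attribute gives the file name and each member's mail attribute gives a forward line. The group and member records are constructed sample data shaped like the three attributes the README names; the alias directory and the 0644 mode are assumptions. Two details a practitioner would want: the file name comes from directory data, so the local part is restricted to a safe character set before it touches the filesystem, and a group whose members yield no addresses (which is what a non-Universal group looks like when read from the Global Catalog) produces no file rather than an empty one.

```python
"""Added example, not create_alias_files itself: turning one AD group (its
mail attribute plus its members' mail attributes) into the .qmail-style alias
file described above.  Group and member records are constructed sample data
shaped like the attributes the README names; the alias directory is an
assumption."""
import os
import re

ALIAS_DIR = "/var/qmail/alias"  # assumed: where the alias user's .qmail-* files live
# The local part becomes part of a file name, so restrict it to a safe charset.
SAFE_LOCAL = re.compile(r"^[A-Za-z0-9._-]+$")


def alias_filename(group_mail):
    """'.qmail-' + local part, lower-cased with dots turned into colons, which is
    how qmail-local maps an address extension to a .qmail file name.  Returns
    None for addresses that are malformed or unsafe as file names."""
    local, sep, _domain = group_mail.partition("@")
    if not sep or not SAFE_LOCAL.match(local):
        return None
    return ".qmail-" + local.lower().replace(".", ":")


def render_alias(members):
    """One '&address' forward line per member with a usable mail attribute.
    Members without one (or with a multi-line value) are skipped.  Returns None
    when nothing is left, so an empty member list, e.g. a non-Universal group
    read from the Global Catalog, never produces an empty alias file."""
    lines = []
    for entry in members:
        addr = entry.get("mail", "")
        if addr and "@" in addr and "\n" not in addr and "\r" not in addr:
            lines.append("&" + addr)
    return "\n".join(lines) + "\n" if lines else None


def build_alias_files(groups):
    """Map alias file name -> file body for every group that yields both."""
    out = {}
    for group in groups:
        name = alias_filename(group.get("mail", ""))
        body = render_alias(group.get("members", []))
        if name is not None and body is not None:
            out[name] = body
    return out


def write_alias_files(groups, alias_dir=ALIAS_DIR):
    """Write the files; 0644 is enough, qmail-local only needs to read them."""
    for name, body in build_alias_files(groups).items():
        path = os.path.join(alias_dir, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, 0o644)


SAMPLE_GROUPS = [  # constructed sample data
    {"mail": "Sales.Team@example.com",
     "members": [{"mail": "jdoe@example.com"}, {"mail": "rroe@example.com"}, {}]},
    {"mail": "Global-Group@example.com", "members": []},  # as the GC shows a non-Universal group
    {"mail": "../../etc/evil@example.com", "members": [{"mail": "x@example.com"}]},
]

if __name__ == "__main__":
    for name, body in build_alias_files(SAMPLE_GROUPS).items():
        print(name)
        print(body, end="")
```

Of the three sample groups only the first yields a file, `.qmail-sales:team` with two `&` forward lines; the second is skipped because it has no usable members and the third because its local part would escape the alias directory.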

For any information specific to these programs:
http://www.fo2k.com/qmail-activedir/

For any general information on checkadpassword or its use, 
you can also look to the original checkpassword's site:
http://cr.yp.to/checkpwd.html

For any general information on qmail-adgetpw or what it's supposed to do,
you can also look to the qmail site:
http://www.qmail.org
Or a good reference for qmail-getpw and all the qmail programs:
http://www.qmail.org/man/index.html
specifically:
http://www.qmail.org/man/man8/qmail-getpw.html


Questions or comments should be directed to:
prok@fo2k.com

