On Monday, 19.03.2007, at 05:40 +0900, John Summerfield wrote:
You can authenticate against AD.
In principle you could use standard LDAP tools to extract the info and insert it into openldap, but I don't know about passwords, and probably you will want to keep AD anyway.
AD is more or less LDAP + Kerberos 5; you can always use nss_winbindd or nss_ldap (which requires MSSFU schema extensions in the AD) + pam_krb5 or even a kerberized mailserver to do authentication. In fact you can even forget the nss-stuff if you use a mailserver that doesn't require users to have a system account (e.g. cyrus-imapd).
You *cannot* forbid root to do anything. And if you could you wouldn't want to do it. The only way I could think of is encrypting the mailstore with the user's password, but if a user forgets his password you're lost.
kind regards, Andreas Rogge