On Sun, 2007-03-18 at 22:09 +0100, Andreas Rogge wrote:
> On Monday, 19.03.2007, 05:40 +0900, John Summerfield wrote:
> > You can authenticate against AD.
> >
> > In principle you could use standard LDAP tools to extract the info and
> > insert it into openldap, but I don't know about passwords, and probably
> > you will want to keep AD anyway.
> >
> > AD is more or less LDAP + Kerberos 5
> you can always use nss_winbindd or nss_ldap (which requires MSSFU schema
> extensions in the AD) + pam_krb5 or even a kerberized mailserver to do
> authentication.
> In fact you can even forget the nss-stuff if you use a mailserver that
> doesn't require users to have a system account (e.g. cyrus-imapd)
>
> You *cannot* forbid root to do anything. And if you could you wouldn't
> want to do it.
> The only way I could think of is encrypting the mailstore with the user's
> password, but if a user forgets his password you're lost.

This is what some commercial e-mail systems do ... though the mail server
itself has access to the key and so it's possible for a resourceful
administrator to read the mail anyway.

Even if you could keep root from accessing the files unencrypted, if you are
authenticating against OpenLDAP it would be possible for the administrator to
save off the current password, change it to something they know, read the mail
and then set it back.

I can think of a work-around to root reading the mail unless it arrives at the
server PGP encrypted with a private key and decrypted at the client. So the only
way you could pull it off is to configure clients to only send messages PGP
encrypted internally, a bit of work.

Regards,
Paul Berger
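As an added illustration of the password-encrypted mailstore the thread discusses (example code written for this page, not code from the list or from any mail product), here is a minimal Ruby sketch in which the mailbox key exists only as a function of the user's password: root holding the files, or an administrator who overwrites the password in the directory, derives no key, and a forgotten password means the mail is gone. The names seal_mailbox, open_mailbox and change_password and the sample message are constructed for the example.

```ruby
require 'openssl'

# Constructed, minimal encrypted mail store: the only key that opens it is
# derived from the user's password (PBKDF2-HMAC-SHA256), so anyone holding the
# files, root included, gets nothing without the password, and neither does the
# user once it is forgotten or reset by an administrator.
Mailbox = Struct.new(:salt, :iv, :tag, :ciphertext)

ITERATIONS = 100_000

def mailbox_key(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32, 'sha256')
end

# Encrypt mail under a key derived from the password, with a fresh salt and IV.
def seal_mailbox(password, mail)
  salt = OpenSSL::Random.random_bytes(16)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = mailbox_key(password, salt)
  iv = cipher.random_iv
  ciphertext = cipher.update(mail) + cipher.final
  Mailbox.new(salt, iv, cipher.auth_tag, ciphertext)
end

# Decrypt; a wrong or reset password derives a different key, the GCM tag
# check fails, and nil is returned instead of plaintext.
def open_mailbox(password, box)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = mailbox_key(password, box.salt)
  cipher.iv = box.iv
  cipher.auth_tag = box.tag
  cipher.update(box.ciphertext) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil
end

# A password change must re-encrypt the mail and therefore needs the old
# password: overwriting the stored password hash in the directory does not
# hand out the key, which is exactly the trade-off the thread describes.
def change_password(old_password, new_password, box)
  mail = open_mailbox(old_password, box)
  mail && seal_mailbox(new_password, mail)
end
```

Note that this only protects mail at rest: while the server holds the password-derived key in memory to deliver or serve mail, a root user can still capture it, which is the weakness Paul points out.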