Is the LDAP stuff in SA usable for global tests, or is it per-user only, or is there less of a difference than I am imagining here?
The LDAP stuff is to replace user_prefs, not the global test list.
Since you need to get as far as parsing the site config before you can even get the LDAP DSN to look in, all of /usr/share/spamassassin/*.cf and /etc/mail/spamassassin/*.cf will be parsed before LDAP or SQL are even looked at.
Also, unless you've got "allow_user_rules" set to 1 in your local.cf, no body, rawbody, header, uri, or meta statements will be honored.
Some privileged settings will not be honored at this level even if allow_user_rules is set. Take a look at man Mail::SpamAssassin::Conf and keep in mind that this is a form of user_prefs.
