Re: [exim] Having a heck of a time with check_local_user

Author: Graeme Fowler
Date:  
To: exim-users
Subject: Re: [exim] Having a heck of a time with check_local_user
On 04/07/2006 09:33, Nigel Wade wrote:
> Can you debug the LDAP communication between the client and the LDAP server? If
> it isn't using ldaps you should be able to capture the packets using something
> like ethereal and see how the client is binding to the server, what request it
> is actually making, and what response the server is returning.
Quite a long time back I spent a lot of time doing something similar
(local users in an LDAP backend, pam_ldap and nss_ldap to extract their
information for a web hosting system) and found that:

1. If you're binding to the directory using LDAP auth (either by using a
"secret" file or by having the password in /etc/ldap.conf), then that
password must be readable by all users, or
2. If you're using an anonymous bind

then

All your local users with shell/cgi access can pull all information out
of the directory. That may not apply to Jason (although he did say that
they're real, local, system users so it just as easily might apply), but
the net effect is that the Exim user *must* be able to read the secret
file or the full ldap.conf file; (from memory) that means that simply
having the Exim user in an appropriate group may not work because Exim
itself probably won't do a chgrp() call to an arbitrary group before
trying the lookup. You could have the config file/secret grouped as
something:exim I guess, which might work, but only if it doesn't break
anything else.

In the end I think we dropped LDAP lookups and ended up doing something
else, but I'm no longer in that job so can't look back at it.

Graeme
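The permission problem Graeme describes (the Exim user must be able to read the LDAP bind secret, but making it readable that way can also expose it to every local shell/cgi user) can be checked mechanically. The following is an added example, not code from the thread or from Exim; the uid/gid numbers and the `/etc/ldap.secret` path are assumed placeholders, and the "exim won't switch groups" assumption is modelled by giving the daemon only its own primary group.

```python
import os
import stat
from typing import Iterable, Tuple


def can_read(mode: int, owner: int, group: int, uid: int, gids: Iterable[int]) -> bool:
    """POSIX read check: which of owner/group/other bits applies to a process
    running as uid with the given group set (root always reads)."""
    if uid == 0:
        return True
    if uid == owner:
        return bool(mode & stat.S_IRUSR)
    if group in set(gids):
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def classify_secret(mode: int, owner: int, group: int,
                    daemon_uid: int, daemon_gids: Iterable[int]) -> Tuple[bool, bool]:
    """Return (daemon_can_read, world_readable) for a credential file.
    The safe state is (True, False): the lookup works and local users cannot
    simply cat the bind password."""
    return can_read(mode, owner, group, daemon_uid, daemon_gids), bool(mode & stat.S_IROTH)


def audit_secret_file(path: str, daemon_uid: int, daemon_gids: Iterable[int]) -> Tuple[bool, bool]:
    """Same classification against a real file on disk (mode, uid, gid from stat)."""
    st = os.stat(path)
    return classify_secret(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, daemon_uid, daemon_gids)


# Constructed scenario: root is uid/gid 0, the exim user is uid 101 with
# primary group "exim" (gid 101) and no supplementary groups (assumption:
# the daemon does not switch to arbitrary groups before the lookup).
EXIM_UID, EXIM_GID, ROOT = 101, 101, 0

if __name__ == "__main__":
    cases = {
        "0644 root:root (password in world-readable ldap.conf)": (0o644, ROOT, ROOT),
        "0600 root:root (exim lookup fails, no exposure)":        (0o600, ROOT, ROOT),
        "0640 root:exim (exim reads, shell users do not)":       (0o640, ROOT, EXIM_GID),
    }
    for label, (mode, owner, group) in cases.items():
        readable, world = classify_secret(mode, owner, group, EXIM_UID, {EXIM_GID})
        print(f"{label}: daemon_can_read={readable} world_readable={world}")
```

Run `audit_secret_file("/etc/ldap.secret", <exim uid>, {<exim gid>})` on a real host to see which of the three states the file is actually in.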