Re: [exim] Having a heck of a time with check_local_user

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Mike Cardwell
Ημερομηνία:  
Προς: exim-users
Αντικείμενο: Re: [exim] Having a heck of a time with check_local_user
> Quite a long time back I spent a lot of time doing something similar
> (local users in an LDAP backend, pam_ldap and nss_ldap to extract their
> information for a web hosting system) and found that:
>
> 1. If you're binding to the directory using LDAP auth (either by using a
> "secret" file or by having the password in /etc/ldap.conf), then that
> password must be readable by all users, or
> 2. If you're using an anonymous bind
>
> then
>
> All your local users with shell/cgi access can pull all information out
> of the directory. That may not apply to Jason (although he did say that
> they're real, local, system users so it just as easily might apply), but
> the net effect is that the Exim user *must* be able to read the secret
> file or the full ldap.conf file; (from memory) that means that simply
> having the Exim user in an appropriate group may not work because Exim
> itself probably won't do a chgrp() call to an arbitrary group before
> trying the lookup. You could have the config file/secret grouped as
> something:exim I guess, which might work, but only if it doesn't break
> anything else.
>
> In the end I think we dropped LDAP lookups and ended up doing something
> else, but I'm no longer in that job so can't look back at it.


I had the same problem until I created a workaround:

unknown_login = ${run{/etc/exim/getuser.pl "$caller_uid"}}

Where /etc/exim/getuser.pl is a script that does the ldap lookup, and is
owned by root:exim with 750 perms.

I also wrote a custom identd server that does ldap lookups to figure out
the username in case cgi scripts sent email by connecting to
localhost:25 rather than running the exim binary.

This allows me to leave /etc/ldap.conf owned by root:root with 600
perms.

Performance of calling an external script wasn't an issue as this is a
webserver, not a mail server and it sends very few emails.

Mike