Author: Mike Cardwell Date: To: exim-users Subject: Re: [exim] Having a heck of a time with check_local_user
> Quite a long time back I spent a lot of time doing something similar > (local users in an LDAP backend, pam_ldap and nss_ldap to extract their
> information for a web hosting system) and found that:
>
> 1. If you're binding to the directory using LDAP auth (either by using a
> "secret" file or by having the password in /etc/ldap.conf), then that
> password must be readable by all users, or
> 2. If you're using an anonymous bind
>
> then
>
> All your local users with shell/cgi access can pull all information out
> of the directory. That may not apply to Jason (although he did say that
> they're real, local, system users so it just as easily might apply), but
> the net effect is that the Exim user *must* be able to read the secret
> file or the full ldap.conf file; (from memory) that means that simply
> having the Exim user in an appropriate group may not work because Exim
> itself probably won't do a chgrp() call to an arbitrary group before
> trying the lookup. You could have the config file/secret grouped as
> something:exim I guess, which might work, but only if it doesn't break
> anything else.
>
> In the end I think we dropped LDAP lookups and ended up doing something
> else, but I'm no longer in that job so can't look back at it.
I had the same problem until I created a workaround:
Where /etc/exim/getuser.pl is a script that does the ldap lookup, and is
owned by root:exim with 750 perms.
I also wrote a custom identd server that does ldap lookups to figure out
the username in case cgi scripts sent email by connecting to
localhost:25 rather than running the exim binary.
This allows me to leave /etc/ldap.conf owned by root:root with 600
perms.
Performance of calling an external script wasn't an issue as this is a
webserver, not a mail server and it sends very few emails.
