[KLUG Members] debug ldap failure

Adam Williams members@kalamazoolinux.org
Mon, 15 Dec 2003 20:45:27 -0500


> > > :slapd -d4
> > > connection_get(12)
> > > ==> bdb_bind: dn: cn=admin,dc=home,dc=ricksweb,dc=info
> > > send_ldap_result: err=0 matched="" text=""
> > > connection_get(12)
> > > deferring operation
> > > SRCH "dc=home,dc=ricksweb,dc=info" 2 0    0 0 0
> > >      filter: (mail=rharding)
> > >      attrs: homeDirectory Maildir cn userPassword uidNumber mail
> > Other than I'm deeply concerned that it is reading userPassword, this
> > looks normal (except I also wonder why an MTA needs uidNumber or home
> > directory). The security of this authentication module has got to be a
> > complete farce; clearly written by someone who has no clue what they're
> > doing. I'd recommend just scrapping this and finding some other software
> > package that exhibits even moderate competence of design.
> Exim, for example, runs as user mail|exim when bound to port 25. It
> reexecutes itself as the local user when delivering locally. It also
> searches for ~/.procmailrc ; if it finds it, it hands the mail to
> procmail.

That it has assumed the context of the local user is exactly the reason
it has no need for the uidNumber, homeDirectory, etc... It acquires
these values via NSS when it makes the system call to change user id.
There really isn't any harm in asking for these, it is just
superfluous; adding in the fact that it also requests the userPassword
makes this baby look like the ideal candidate to trojan a system - and it
is processing mail messages - Yikes!
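As an added illustration of the directory-side mitigation (this is not from the thread and is not the module's or OpenLDAP's shipped configuration; it assumes a slapd.conf-style setup for the dc=home,dc=ricksweb,dc=info suffix seen in the debug output), the following access controls let slapd use userPassword to authenticate a simple bind but never return it in any search result, so a module that lists userPassword among its requested attrs simply gets nothing back:

```conf
# Added example, not from the thread: slapd.conf ACLs for the suffix in the
# debug output. Order matters; the first "access to" clause that matches the
# requested attribute decides, so the userPassword rule must come first.

# userPassword may be used for simple bind (anonymous auth) and changed by the
# entry's own DN, but no search, whatever it asks for, ever reads it.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Everything else (mail, uidNumber, homeDirectory, ...) stays readable by
# authenticated clients, which is all a lookup on (mail=...) needs.
access to *
        by self write
        by users read
        by * none
```

Two caveats: if cn=admin,dc=home,dc=ricksweb,dc=info is the configured rootdn, ACLs do not apply to it at all and the module will still receive the hashes, so the MTA should bind as a dedicated, non-rootdn DN; and a search that requests userPassword under these rules succeeds with the attribute silently omitted, so confirm the effect with an ldapsearch as the MTA's bind DN rather than by looking for an error.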