question on autch cache parameters

Thu Aug 27 11:37:59 UTC 2015

Hello

Thank you for your report. We really appreciate it, especially when you can pinpoint a commit.

However, I am unable to reproduce this. Could you post your doveconf -n please? Im especially interested in your passdb and
userdb configurations and auth-cache settings.

br,
Teemu Huovila

On 08/06/2015 01:07 PM, matthias lay wrote:
> hi timo,
> 
> I checked out the commit causing this.
> 
> its this one:
> 
> http://hg.dovecot.org/dovecot-2.2/diff/5e445c659f89/src/auth/auth-request.c#l1.32
> 
> 
> if I move this block back as it was. everything is fine
> 
> 
> diff -r a46620d6e0ff -r 5e445c659f89 src/auth/auth-request.c
> --- a/src/auth/auth-request.c	Tue May 05 13:35:52 2015 +0300
> +++ b/src/auth/auth-request.c	Tue May 05 14:16:31 2015 +0300
> @@ -618,30 +627,28 @@
>  	       auth_request_want_skip_passdb(request, next_passdb))
>  		next_passdb = next_passdb->next;
> 
> +	if (*result == PASSDB_RESULT_OK) {
> +		/* this passdb lookup succeeded, preserve its extra fields */
> +		auth_fields_snapshot(request->extra_fields);
> +		request->snapshot_have_userdb_prefetch_set =
> +			request->userdb_prefetch_set;
> +		if (request->userdb_reply != NULL)
> +			auth_fields_snapshot(request->userdb_reply);
> +	} else {
> +		/* this passdb lookup failed, remove any extra fields it set */
> +		auth_fields_rollback(request->extra_fields);
> +		if (request->userdb_reply != NULL) {
> +			auth_fields_rollback(request->userdb_reply);
> +			request->userdb_prefetch_set =
> +				request->snapshot_have_userdb_prefetch_set;
> +		}
> +	}
> +
>  	if (passdb_continue && next_passdb != NULL) {
>  		/* try next passdb. */
>                  request->passdb = next_passdb;
>  		request->passdb_password = NULL;
> 
> -		if (*result == PASSDB_RESULT_OK) {
> -			/* this passdb lookup succeeded, preserve its extra
> -			   fields */
> -			auth_fields_snapshot(request->extra_fields);
> -			request->snapshot_have_userdb_prefetch_set =
> -				request->userdb_prefetch_set;
> -			if (request->userdb_reply != NULL)
> -				auth_fields_snapshot(request->userdb_reply);
> -		} else {
> -			/* this passdb lookup failed, remove any extra fields
> -			   it set */
> -			auth_fields_rollback(request->extra_fields);
> -			if (request->userdb_reply != NULL) {
> -				auth_fields_rollback(request->userdb_reply);
> -				request->userdb_prefetch_set =
> -					request->snapshot_have_userdb_prefetch_set;
> -			}
> -		}
> -
>  		if (*result == PASSDB_RESULT_USER_UNKNOWN) {
>  			/* remember that we did at least one successful
>  			   passdb lookup */
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> On 08/05/2015 05:33 PM, matthias lay wrote:
>> just tested against dovecot 2.2.15
>>
>> everythings works fine. so might be a bug introduced between 2.2.16 and
>> 2.2.18
>>
>>
>>
>>
>>
>> On 08/05/2015 04:30 PM, matthias lay wrote:
>>> Hi list,
>>>
>>> I have a question on auth caching in 2.2.18.
>>>
>>> I am using acl_groups for a master user, appended in a static userdb file
>>>
>>> # snip ###############################
>>> master at uma:{SHA}XXXX=::::::userdb_acl_groups=umareadmaster
>>> allow_nets=127.0.0.1
>>> # snap ###############################
>>>
>>> and use this group in a global ACL file.
>>> I discovered this only works on first NOT-cached login
>>>
>>>
>>>
>>> environment in imap-postlogin script on first login:
>>>
>>>
>>> AUTH_TOKEN=e96b5a32ceb2cafc4460c210ad2e92e3d7ab388c
>>> MASTER_USER=master at uma
>>> SPUSER=private/pdf
>>> LOCAL_IP=127.0.0.1
>>> USER=pdf
>>> AUTH_USER=master at uma
>>> PWD=/var/run/dovecot
>>> USERDB_KEYS=ACL_GROUPS HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER
>>> SHLVL=1
>>> HOME=/var/data/vmail/private/pdf
>>> ACL_GROUPS=umareadmaster
>>> IP=127.0.0.1
>>> _=/usr/bin/env
>>>
>>>
>>> on the second cached login it looks like this
>>>
>>>
>>> AUTH_TOKEN=12703b11932f233520f6d4b33559c33aeb1cfc7f
>>> MASTER_USER=master at uma
>>> SPUSER=private/pdf
>>> LOCAL_IP=127.0.0.1
>>> USER=pdf
>>> AUTH_USER=master at uma
>>> PWD=/var/run/dovecot
>>> USERDB_KEYS=HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER
>>> SHLVL=1
>>> HOME=/var/data/vmail/private/pdf
>>> IP=127.0.0.1
>>> _=/usr/bin/env
>>>
>>> so the ACL_GROUPS is gone.
>>>
>>> is this intended to be like that.
>>> so groups not included in cache and I have to find another approach?
>>>
>>> anybody else encountered similar problems with some auth Variables and
>>> caching?
>>>
>>>
>>> Greetz Matze
>>>
>>