question on auth cache parameters

matthias lay matthias.lay at securepoint.de
Thu Aug 27 12:30:11 UTC 2015


hi teemu,

thx for your reply.

the user is a master user that has a static passwd file. this is where
the ACL_GROUPS is applied

############
cat /etc/dovecot/passwd.masteruser 
master@uma:{SHA}ojN+jsbELZbRJeRb0qj9+MMjPUs=::::::userdb_acl_groups=umareadmaster allow_nets=127.0.0.1
##########

* the standard lookup method for users is ldap. only masterusers are in
static user/passdbs
* auth cache is enabled

I can't post my whole conf but will paste the parts you requested.

if it's not enough for you to reproduce, I will set up a clean instance
and reproduce it there.


######################################################################################################################
# 2.2.16: /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.7
# OS: Linux 3.15.10-dist i686  
auth_cache_negative_ttl = 30 mins
auth_cache_size = 10 k
auth_master_user_separator = *
#### snip

default namespace: (maildir gets overwritten by ldap lookup on most
users)

namespace {
  hidden = no
  inbox = no
  list = children
  location = maildir:/var/data/vmail/public/%%Lu/Maildir:LAYOUT=fs:INBOX=/var/data/vmail/public/%%Lu/Maildir/INBOX
  prefix = public/%%u/
  separator = /
  subscriptions = no
  type = shared
}

userdb {
  args = uid=vmail gid=vmail home=/var/data/vmail/public/%Ln
  driver = static
}

....

protocol imap {
  imap_client_workarounds = tb-extra-mailbox-sep
  mail_plugins = acl notify mailbox_alias imap_acl 
  ssl = yes 
  ssl_cert = </etc/ssl/certs/imap.cert
  ssl_key = </etc/ssl/private/imap.key
  userdb {
    args = /etc/dovecot/dovecot-imap-ldap.conf.ext
    driver = ldap
    name = 
  }
}

##########################
content of dovecot-imap-ldap.conf.ext:
base = "dc=spdev, dc=local"

# Filter for user lookups.
user_filter = (&(sAMAccountName=%Ln)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(&(sAMAccountType=805306368)))

# User attributes are given in LDAP-name=dovecot-internal-name list.
user_attrs = name=home=/var/data/vmail/private/%Ln,=spuser=private/%L{ldap:sAMAccountName}

####################
several masteruser passdbs

passdb {
  args = /etc/dovecot/passwd.masteruser
  driver = passwd-file
  master = yes
}
passdb {
  args = /etc/dovecot/passwd.system
  driver = passwd-file
  master = yes
}
passdb {
  args = /etc/dovecot/passwd.email-shredder
  driver = passwd-file
  master = yes
}
passdb {
  args = /etc/dovecot/passwd.imap-set-del-flag
  driver = passwd-file
  master = yes
}

passdb {
  args = /etc/dovecot/dovecot-ldap-passdb.conf.ext
  driver = ldap
}
############# contents of ldap-passdb.conf
# LDAP base.
base = "dc=spdev, dc=local"

# Filter for user lookups.
user_filter = (&(sAMAccountName=%Ln)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))



############
protocols = imap
service auth {
  unix_listener auth-client {
    group = 
    mode = 0600
    user = $default_internal_user
  }
  unix_listener auth-login {
    group = 
    mode = 0600
    user = $default_internal_user
  }
  unix_listener auth-master {
    group = 
    mode = 0600
    user = $default_internal_user
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0660
    user = $default_internal_user
  }
  unix_listener login/login {
    group = 
    mode = 0666
    user = $default_internal_user
  }
  user = $default_internal_user
}

##########################################################################################################


We use a global ACL file, where master users have different rights, and
the one mentioned is the only one that gets an ACL_GROUP in passdb.


my guess: it might be related to the "several masteruser passdbs" point,
but that's just a guess from the outside ;)



hope this helps; if not, let me know



greetz Matze


On Thu, 27 Aug 2015 14:37:59 +0300
Teemu Huovila <teemu.huovila at dovecot.fi> wrote:

> Hello
> 
> Thank you for your report. We really appreciate it, especially when
> you can pinpoint a commit.
> 
> However, I am unable to reproduce this. Could you post your doveconf
> -n please? I'm especially interested in your passdb and userdb
> configurations and auth-cache settings.
> 
> br,
> Teemu Huovila
> 
> 
> On 08/06/2015 01:07 PM, matthias lay wrote:
> > hi timo,
> > 
> > I checked out the commit causing this.
> > 
> > it's this one:
> > 
> > http://hg.dovecot.org/dovecot-2.2/diff/5e445c659f89/src/auth/auth-request.c#l1.32
> > 
> > 
> > if I move this block back as it was, everything is fine
> > 
> > 
> > diff -r a46620d6e0ff -r 5e445c659f89 src/auth/auth-request.c
> > --- a/src/auth/auth-request.c	Tue May 05 13:35:52 2015 +0300
> > +++ b/src/auth/auth-request.c	Tue May 05 14:16:31 2015 +0300
> > @@ -618,30 +627,28 @@
> >  	       auth_request_want_skip_passdb(request, next_passdb))
> >  		next_passdb = next_passdb->next;
> > 
> > +	if (*result == PASSDB_RESULT_OK) {
> > +		/* this passdb lookup succeeded, preserve its
> > extra fields */
> > +		auth_fields_snapshot(request->extra_fields);
> > +		request->snapshot_have_userdb_prefetch_set =
> > +			request->userdb_prefetch_set;
> > +		if (request->userdb_reply != NULL)
> > +
> > auth_fields_snapshot(request->userdb_reply);
> > +	} else {
> > +		/* this passdb lookup failed, remove any extra
> > fields it set */
> > +		auth_fields_rollback(request->extra_fields);
> > +		if (request->userdb_reply != NULL) {
> > +
> > auth_fields_rollback(request->userdb_reply);
> > +			request->userdb_prefetch_set =
> > +
> > request->snapshot_have_userdb_prefetch_set;
> > +		}
> > +	}
> > +
> >  	if (passdb_continue && next_passdb != NULL) {
> >  		/* try next passdb. */
> >                  request->passdb = next_passdb;
> >  		request->passdb_password = NULL;
> > 
> > -		if (*result == PASSDB_RESULT_OK) {
> > -			/* this passdb lookup succeeded, preserve
> > its extra
> > -			   fields */
> > -
> > auth_fields_snapshot(request->extra_fields);
> > -			request->snapshot_have_userdb_prefetch_set
> > =
> > -				request->userdb_prefetch_set;
> > -			if (request->userdb_reply != NULL)
> > -
> > auth_fields_snapshot(request->userdb_reply);
> > -		} else {
> > -			/* this passdb lookup failed, remove any
> > extra fields
> > -			   it set */
> > -
> > auth_fields_rollback(request->extra_fields);
> > -			if (request->userdb_reply != NULL) {
> > -
> > auth_fields_rollback(request->userdb_reply);
> > -				request->userdb_prefetch_set =
> > -
> > request->snapshot_have_userdb_prefetch_set;
> > -			}
> > -		}
> > -
> >  		if (*result == PASSDB_RESULT_USER_UNKNOWN) {
> >  			/* remember that we did at least one
> > successful passdb lookup */
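Review bot: hoisting the snapshot/rollback block out of `if (passdb_continue && next_passdb != NULL)` changes when it runs, not just where it sits: it now executes after every passdb lookup, including the final passdb in the chain and the case where `passdb_continue` is false, whereas before it ran only when another passdb was about to be tried. Concretely, a failed lookup in the last passdb now calls `auth_fields_rollback(request->extra_fields)` where the old code left those fields untouched, and a successful final lookup now takes an `auth_fields_snapshot()` it previously skipped. Since the reporter's symptom is `userdb_acl_groups` (set as an extra field by a master passdb) surviving the first login but disappearing on the cached second login with several `master = yes` passdbs configured, the review question is whether whatever consumes the extra fields after this point, including the auth cache, expects the old or the new ordering. A comment stating the intended semantics and a test exercising a multi-passdb master-user chain with and without the cache would make that intent explicit. Unrelated to the move but visible in the hunk: `request->userdb_prefetch_set` is only restored inside the `if (request->userdb_reply != NULL)` branch of the rollback path, so the prefetch flag keeps its failed-lookup value when there is no userdb_reply yet; worth a second look.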
> > 
> > 
> > On 08/05/2015 05:33 PM, matthias lay wrote:
> >> just tested against dovecot 2.2.15
> >>
> >> everything works fine. so it might be a bug introduced between
> >> 2.2.16 and 2.2.18
> >>
> >>
> >>
> >>
> >>
> >> On 08/05/2015 04:30 PM, matthias lay wrote:
> >>> Hi list,
> >>>
> >>> I have a question on auth caching in 2.2.18.
> >>>
> >>> I am using acl_groups for a master user, appended in a static
> >>> userdb file
> >>>
> >>> # snip ###############################
> >>> master@uma:{SHA}XXXX=::::::userdb_acl_groups=umareadmaster allow_nets=127.0.0.1
> >>> # snap ###############################
> >>>
> >>> and use this group in a global ACL file.
> >>> I discovered this only works on first NOT-cached login
> >>>
> >>>
> >>>
> >>> environment in imap-postlogin script on first login:
> >>>
> >>>
> >>> AUTH_TOKEN=e96b5a32ceb2cafc4460c210ad2e92e3d7ab388c
> >>> MASTER_USER=master@uma
> >>> SPUSER=private/pdf
> >>> LOCAL_IP=127.0.0.1
> >>> USER=pdf
> >>> AUTH_USER=master@uma
> >>> PWD=/var/run/dovecot
> >>> USERDB_KEYS=ACL_GROUPS HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER
> >>> SHLVL=1
> >>> HOME=/var/data/vmail/private/pdf
> >>> ACL_GROUPS=umareadmaster
> >>> IP=127.0.0.1
> >>> _=/usr/bin/env
> >>>
> >>>
> >>> on the second cached login it looks like this
> >>>
> >>>
> >>> AUTH_TOKEN=12703b11932f233520f6d4b33559c33aeb1cfc7f
> >>> MASTER_USER=master@uma
> >>> SPUSER=private/pdf
> >>> LOCAL_IP=127.0.0.1
> >>> USER=pdf
> >>> AUTH_USER=master@uma
> >>> PWD=/var/run/dovecot
> >>> USERDB_KEYS=HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER
> >>> SHLVL=1
> >>> HOME=/var/data/vmail/private/pdf
> >>> IP=127.0.0.1
> >>> _=/usr/bin/env
> >>>
> >>> so the ACL_GROUPS is gone.
> >>>
> >>> is this intended to be like that, so groups are not included in
> >>> the cache and I have to find another approach?
> >>>
> >>> anybody else encountered similar problems with some auth
> >>> variables and caching?
> >>>
> >>>
> >>> Greetz Matze
> >>>
> >>