question on auth cache parameters[Bug]

Matthias Lay matthias.lay at securepoint.de
Mon Aug 31 13:02:01 UTC 2015


hi again,

On Thu, 27 Aug 2015 14:37:59 +0300
Teemu Huovila <teemu.huovila at dovecot.fi> wrote:


> 
> However, I am unable to reproduce this. Could you post your doveconf
> -n please? I'm especially interested in your passdb and userdb
> configurations and auth-cache settings.
> 

just reproduced the bug with a fresh clean 2.2.18 install

ldap userdb and 2 master users with the ACL_GROUPS attribute in the passwd file


env output from imap-postlogin:

first login:
AUTH_TOKEN=4adba75022f765fc3215ac5243337fd99adfdbf5
MASTER_USER=master2
SPUSER=private/johnd
LOCAL_IP=127.0.0.1
USER=johnd
AUTH_USER=master2
PWD=/run/dovecot
USERDB_KEYS=ACL_GROUPS HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER 
SHLVL=1
HOME=/home/vmail/private/johnd
ACL_GROUPS=umareadmaster
IP=127.0.0.1
_=/usr/bin/env


logout and next login:

AUTH_TOKEN=83d7ede27b4fbc4de2abad58e84e65ac1073e4ec
MASTER_USER=master2
SPUSER=private/johnd
LOCAL_IP=127.0.0.1
USER=johnd
AUTH_USER=master2
PWD=/run/dovecot
USERDB_KEYS=HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER 
SHLVL=1
HOME=/home/vmail/private/johnd
IP=127.0.0.1
_=/usr/bin/env


##############################
% doveconf -n:


# 2.2.18: /etc/dovecot/dovecot.conf
# OS: Linux 3.12.44-gentoo x86_64 Gentoo Base System release 2.2 
auth_cache_negative_ttl = 30 mins
auth_cache_size = 10 k
auth_master_user_separator = *
auth_use_winbind = yes
auth_username_chars = 
auth_verbose = yes
log_path = /var/log/dovecot.log
mail_gid = vmail
mail_home = /home/vmail/private/%u
mail_location = maildir:~/Maildir:LAYOUT=fs:INBOX=~/Maildir/INBOX
mail_uid = vmail
namespace {
  inbox = yes
  location = 
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  prefix = 
  separator = /
  subscriptions = yes
  type = private
}
namespace {
  hidden = no
  inbox = no
  list = children
  location = maildir:/home/vmail/public/%%Lu/Maildir:LAYOUT=fs:INBOX=/home/vmail/public/%%Lu/Maildir/INBOX
  prefix = public/%%u/
  separator = /
  subscriptions = no
  type = shared
}
passdb {
  args = /etc/dovecot/master-users1
  driver = passwd-file
  master = yes
}
passdb {
  args = /etc/dovecot/master-users2
  driver = passwd-file
  master = yes
}
service auth {
  unix_listener auth-client {
    group = 
    mode = 0600
    user = $default_internal_user
  }
  unix_listener auth-login {
    group = 
    mode = 0600
    user = $default_internal_user
  }
  unix_listener auth-master {
    group = 
    mode = 0600
    user = $default_internal_user
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0660
    user = $default_internal_user
  }
  unix_listener login/login {
    group = 
    mode = 0666
    user = $default_internal_user
  }
  user = $default_internal_user
}
service imap-login {
  inet_listener imap {
    port = 143
  }
}
service imap-postlogin {
  executable = script-login /usr/libexec/dovecot/imap-postlogin
  user = vmail
}
service imap {
  executable = imap imap-postlogin
}
ssl_cert = </etc/ssl/dovecot/server.pem
ssl_key = </etc/ssl/dovecot/server.key
protocol imap {
  userdb {
    args = /etc/dovecot/dovecot-imap-ldap.conf.ext
    driver = ldap
    name = 
  }
  userdb {
    args = /etc/dovecot/dovecot-imap-ldap.conf.ext
    driver = ldap
    name = 
  }
}



###################################
% cat auth-master.conf.ext 


# Authentication for master users. Included from 10-auth.conf.

# By adding master=yes setting inside a passdb you make the passdb a list
# of "master users", who can log in as anyone else.
# <doc/wiki/Authentication.MasterUsers.txt>

auth_master_user_separator = *

# Example master user passdb using passwd-file. You can use any passdb though.
passdb {
  driver = passwd-file
  master = yes
  args = /etc/dovecot/master-users1

  # Unless you're using PAM, you probably still want the destination user to
  # be looked up from passdb that it really exists. pass=yes does that.
  #pass = yes
}
passdb {
  driver = passwd-file
  master = yes
  args = /etc/dovecot/master-users2

  # Unless you're using PAM, you probably still want the destination user to
  # be looked up from passdb that it really exists. pass=yes does that.
  #pass = yes
}


###############################################
% cat /etc/dovecot/master-users1

master1:{SHA}xxxxxxx=::::::userdb_acl_groups=umareadmaster allow_nets=127.0.0.1




master2 is configured the same way.


Greetz




