public folder subscriptions sync issue with ldap user/group in dovecot-acl
Timo Sirainen
tss at iki.fi
Wed Dec 14 17:40:27 UTC 2016
On 14 Dec 2016, at 11.16, Mike Fröhner <mikefroehner at gmx.de> wrote:
>
> I made some additional tests and found that also local unix groups are not working in replacement for my ldap groups as discribed below.
>
> Do groups in dovecot-acl intendedly not work?
http://wiki2.dovecot.org/ACL <http://wiki2.dovecot.org/ACL> -> ACL groups support works by returning a comma-separated acl_groups extra field from userdb, which contains all the groups the user belongs to. User's UNIX groups have no effect on ACLs (you can "enable" them by using a special post-login script).
>
> On 12/13/2016 03:47 PM, Mike Fröhner wrote:
>> Hello people,
>>
>> I am having an issue with 'doveadm sync'. I am currently trying to have
>> two dovecots behind an haproxy (works fine). Therefore I configured
>> these two dovecot server (imap-1/imap-2) to sync throught dsync. This
>> works just partly. The sync of the maiboxes is fine, but the sync of the
>> subscriptions file just works partly. It works for private folder
>> subscription, but not completly for public folder subscription. I found
>> two issues, if I am using LDAP (user/groups) in dovecot ACLs.
>>
>> 1. I would like to subscribe 2 public folder (public/test/test1 and
>> public/test/test2).
>>
>> My user (ldaptestuser) is an ldap user and this user is member of the
>> ldap group (ldaptestgroup) which does have all dovecot-acl rights on
>> these folders.
>>
>> imap-1 # cat /opt/mail/_public/publictest/.test*/dovecot-acl
>> group=ldaptestgroup akxeilprwts
>> group=ldaptestgroup akxeilprwts
>>
>> I am now connecting with my mail client to imap-1 (throught haproxy) and
>> the subscription to this folder works. The file which is written looks
>> like:
>>
>> imap-1 # cat /opt/mail/ldaptestuser/Mails/subscriptions
>> Sent
>> publictest/test/test1
>> publictest/test/test2
>>
>> Now I am awaiting the synch to imap-2, but the file which it written
>> looks like:
>>
>> imap-2 # cat /opt/mail/ldaptestuser/Mails/subscriptions
>> Sent
>>
>> If I modify the dovecot-acl for .test1 to
>>
>> imap-1 # cat /opt/mail/_public/publictest/.test1/dovecot-acl
>> group=ldaptestgroup akxeilprwts
>> user=ldaptestuser akxeilprwts
>>
>> and execute the subscription again - the synced file looks like:
>>
>> imap-2 # cat /opt/mail/ldaptestuser/Mails/subscriptions
>> Sent
>> publictest/test/test1
>>
>> The subscription of public folder test2 will also been synced, if I add
>> my ldaptestuser to the acl file for this folder.
>>
>> 2. Another issue is to unsubscribe a public folder. If I unsubscribe
>> folder test1, it is written to subscriptions file on the imap where I am
>> connected, but it is NOT synced even if my user and group are configured
>> at the dovecot-acl file. If I then unsubscribe a not public folder (like
>> Sent), the former unsubscribed folder test1 is (faulty) subscribed
>> again. But both imap do have the same subscriptions for my ldaptestuser
>> user.
>>
>> I do have the behavior with dovecot-2.2.26 and dovecot-2.2.27 on
>> CentOS-7 (selinux disabled).
>>
>> If you need more information like the dovecot -n or some other stuff
>> give me a short notice.
>>
>> Mike;
>>
More information about the dovecot
mailing list