LDAP pass_filter seems to be not working
Balázs Zeller
transglob at gmail.com
Tue Mar 10 12:25:20 EET 2020
Hi,
we are using dovecot --version: 2.3.9.3 (9f41b88fa) with LDAP integration
We just discovered that the config, which had been working for a while, is no longer working
(we are constantly upgrading Dovecot).
We have smtp/imap/pop3/sieveEnabled fields in our LDAP directory to control
which user is able to use which services.
The pass_filter has been used to control service usage for years now, with the
%LsEnabled filter (see the config dump below).
We just discovered that this filter is not working anymore! We do not even see
any pass_filter queries in LDAP: we see user_filter queries but no pass_filter queries.
Did we miss something in the changelog?
*LDAP configuration* (this is dovecot-ldap.conf.ext, the file the userdb block in the main config below points to; the passdb block points to /etc/dovecot/dovecot-ldap-userdb.conf.ext):
grep -v '^ *\(#.*\)\?$' dovecot-ldap.conf.ext
uris = ldap://ldap.services/
dn = cn=administrator,dc=top
dnpass = ************
debug_level = 1
auth_bind = yes
auth_bind_userdn = mail=%u,ou=service_mail,dc=top
ldap_version = 3
base = ou=service_mail,dc=top
deref = never
scope = subtree
user_attrs = mailQuota=quota_rule=*:bytes=%$,mailLocation=mail
user_filter = (&(objectClass=customMail)(!(mailEnabled=FALSE))(mail=%u))
pass_attrs = =user=%{ldap:mail}
pass_filter =
(&(objectClass=customMail)(!(mailEnabled=FALSE))(mail=%u)(%LsEnabled=TRUE))
iterate_attrs = mail=user
iterate_filter = (objectClass=demonMail)
default_pass_scheme = SSHA
*Dovecot main config:*
dovecot -n
# 2.3.9.3 (9f41b88fa): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.9 (db4e9a2f)
# OS: Linux 4.19.87-1.ph3-esx x86_64 xfs
# Hostname: 26feef366ef9
auth_cache_negative_ttl = 1 mins
auth_cache_size = 10 M
auth_cache_ttl = 1 mins
auth_debug = yes
auth_master_user_separator = *
auth_mechanisms = login plain
auth_verbose = yes
default_vsz_limit = 512 M
disable_plaintext_auth = no
doveadm_api_key = # hidden, use -P to show it
first_valid_gid = 901
first_valid_uid = 901
hostname = mail.****.**
imap_client_workarounds = tb-extra-mailbox-sep
imapc_features = rfc822.size fetch-headers
imapc_host = x.x.x.x
imapc_master_user = masteruser
imapc_password = # hidden, use -P to show it
imapc_user = %u
last_valid_gid = 901
last_valid_uid = 901
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
mail_gid = 901
mail_home = /vmail/%d/%n/
mail_location = maildir:/vmail/%d/%n/
mail_plugins = " quota zlib trash fts fts_solr"
mail_prefetch_count = 20
mail_privileged_group = mail
mail_uid = 901
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags
copy include variables body enotify environment mailbox date index ihave
duplicate mime foreverypart extracttext
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
auto = subscribe
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
separator = /
type = private
}
passdb {
args = /etc/dovecot/master-users
driver = passwd-file
master = yes
}
passdb {
args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
driver = ldap
}
plugin {
fts = solr
fts_autoindex = yes
fts_solr = url=http://hostname:8983/solr/dovecot/
quota = dict:user::file:/vmail/%d/%n/dovecot.quota
quota_exceeded_message = The quota of the recipient is full, please try
it again later
sieve = /vmail/%d/%n/dovecot.sieve
sieve_dir = /vmail/.sieve/%u
sieve_max_redirects = 20
trash = /etc/dovecot/dovecot-trash.conf.ext
zlib_save = gz
zlib_save_level = 6
}
pop3_client_workarounds = outlook-no-nuls
postmaster_address = postmaster at hostname.com
protocols = imap pop3 lmtp sieve
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
unix_listener auth-userdb {
group = vmail
mode = 0660
user = vmail
}
}
service doveadm {
inet_listener http {
port = 8099
}
}
service imap-login {
inet_listener imap {
port = 143
}
inet_listener imaps {
port = 993
ssl = yes
}
process_min_avail = 4
service_count = 0
vsz_limit = 2 G
}
service pop3-login {
inet_listener pop3 {
port = 110
}
inet_listener pop3s {
port = 995
ssl = yes
}
}
service stats {
unix_listener stats-reader {
group = mail
mode = 0666
user =
}
unix_listener stats-writer {
group = mail
mode = 0666
user =
}
}
ssl_ca = </etc/ssl/certs/ca-certificates.crt
ssl_cert = </ssl/cert.pem
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
args = /etc/dovecot/dovecot-ldap.conf.ext
driver = ldap
}
protocol lda {
mail_plugins = " quota zlib trash fts fts_solr sieve quota zlib"
}
protocol imap {
mail_max_userip_connections = 50
mail_plugins = " quota zlib trash fts fts_solr imap_quota zlib"
}
protocol pop3 {
mail_plugins = " quota zlib trash fts fts_solr quota"
}
Regards Balazs