Hmm. if you put it *after* the ldap userdb, it should not have prevented users from logging in.
What happens if you do
userdb { driver = passwd-file args = .... skip = notfound result_failure = continue-ok }
Aki
On 07.08.2018 12:58, Simeon Ott wrote:
Now the attributes are correctly read for the user test@onnet.ch, but other users are not able to authenticate anymore.
root@buserver:/var/spool/postfix/virtual/onnet.ch/test/Maildir/.super# doveadm user test@onnet.ch
field	value
uid	5000
gid	5000
home	/var/spool/postfix/virtual/onnet.ch/test/
mail	maildir:~/Maildir
quota_rule	*:bytes=1073741824
acl	vfile:/etc/dovecot/dovecot-acl
acl_globals_only	yes
root@buserver:/etc/dovecot# doveadm user test2@onnet.ch
field	value
userdb lookup: user test2@onnet.ch doesn't exist
I need to add all users to the passwd too to let other users authenticate properly. This is not an option for our productive server, because the LDAP directory should be the main db for user administration. After adding “test@onnet.ch:::::::” to the passwd file, doveadm user works with test2@onnet.ch
root@buserver:/var/spool/postfix/virtual/onnet.ch/test/Maildir/.super# doveadm user test2@onnet.ch
field	value
uid	5000
gid	5000
home	/var/spool/postfix/virtual/onnet.ch/test2/
mail	maildir:~/Maildir
quota_rule	*:bytes=1073741824
IMPORTANT NOTE: anyway.. even with this options set (acl and acl_globals_only) the user test@onnet.ch is still able to share its own folders?!
On 7 Aug 2018, at 11:35, Aki Tuomi <aki.tuomi@dovecot.fi> wrote:
Ah. You probably need to change ldap userdb so that you add
userdb { driver = ldap args = /etc/dovecot/dovecot-ldap.conf result_success = continue-ok }
so that the next one is processed.
you can use 'doveadm user test@onnet.ch' to verify that the attributes are read for this user, and with another username that they are not.
Aki
On 07.08.2018 12:23, Simeon Ott wrote:
… attached the dovecot -n, linked files, debug log lines during a standard client login
root@buserver:/etc/dovecot/conf.d# doveconf -n
# 2.2.13: /etc/dovecot/dovecot.conf
# OS: Linux 3.16.0-6-amd64 x86_64 Debian 8.11
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
debug_log_path = syslog
disable_plaintext_auth = no
info_log_path = syslog
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
mail_debug = yes
mail_gid = 5000
mail_location = maildir:~/Maildir
mail_plugins = zlib quota acl
mail_uid = 5000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace {
  hidden = no
  ignore_on_failure = no
  inbox = no
  list = children
  location = maildir:%%h/Maildir:INDEX=%h/shared/%%u:CONTROL=%h/shared/%%u
  prefix = shared/%%u/
  separator = /
  subscriptions = yes
  type = shared
}
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Spam {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix =
  separator = /
  type = private
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
plugin {
  acl = vfile
  acl_shared_dict = file:/var/spool/postfix/virtual/shared-mailboxes
  quota = maildir:User quota
  quota_exceeded_message = 4.2.2 Mailbox full
  quota_rule = *:storage=1G
  quota_rule2 = INBOX.Trash:storage=+100M
  quota_rule3 = INBOX.Spam:ignore
  quota_warning = storage=95%% quota-warning 95 %u
  sieve = ~/.dovecot.sieve
  sieve_before = /var/lib/dovecot/sieve/default.sieve
  sieve_dir = ~/sieve
  sieve_max_actions = 32
  sieve_max_redirects = 4
  sieve_max_script_size = 1M
  sieve_quota_max_scripts = 0
  sieve_quota_max_storage = 0
}
protocols = " imap lmtp sieve pop3"
service auth {
  group = dovecot
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-master {
    group = vmail
    mode = 0666
    user = vmail
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0666
    user = vmail
  }
  user = dovecot
}
service lmtp {
  unix_listener lmtp {
    mode = 0666
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  inet_listener sieve_deprecated {
    port = 2000
  }
  process_min_avail = 0
  service_count = 1
  vsz_limit = 64 M
}
ssl = no
userdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
userdb {
  args = username_format=%Lu /etc/dovecot/share.passwd
  driver = passwd-file
}
protocol lmtp {
  mail_plugins = zlib quota acl sieve
}
protocol lda {
  auth_socket_path = /var/run/dovecot/auth-master
  deliver_log_format = msgid=%m: %$
  mail_plugins = zlib quota acl sieve
  postmaster_address = postmaster@onnet.ch
}
protocol imap {
  mail_plugins = zlib quota acl imap_quota imap_acl
}
protocol sieve {
  info_log_path = /var/log/sieve.log
  log_path = /var/log/sieve.log
  mail_max_userip_connections = 10
  managesieve_implementation_string = Dovecot Pigeonhole
  managesieve_logout_format = bytes=%i/%o
  managesieve_max_compile_errors = 5
  managesieve_max_line_length = 65536
}
root@buserver:/etc/dovecot# cat dovecot-acl
root@buserver:/etc/dovecot#
—> means empty file
root@buserver:/etc/dovecot# cat share.passwd
test@onnet.ch:::::::userdb_acl=vfile:/etc/dovecot/dovecot-acl userdb_acl_globals_only=yes
root@buserver:/etc/dovecot# sed -e '/^#/d' dovecot-ldap.conf
hosts = localhost
uris = ldap://localhost:389/
debug_level = 10
auth_bind = yes
ldap_version = 3
base = ou=domains,dc=intra,dc=onnet,dc=ch
deref = never
scope = subtree
user_attrs = homeDirectory=home=/var/spool/postfix/virtual/%$,uidNumber=uid,gidNumber=gid,quota=quota_rule=*:bytes=%$
user_filter = (&(objectClass=CourierMailAccount)(mail=%u))
pass_attrs = mail=user,userPassword=password
pass_filter = (&(objectClass=CourierMailAccount)(mail=%u))
iterate_attrs = mail=user
iterate_filter = (objectClass=CourierMailAccount)
default_pass_scheme = CRYPT
root@buserver:/etc/dovecot# cat /var/log/mail.log | grep "Aug 7 11:17:27"
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl vfile: file /var/spool/postfix/virtual/onnet.ch/test//Maildir/.test folder 1.sub folder 1 1/dovecot-acl not found
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl vfile: reading file /var/spool/postfix/virtual/onnet.ch/test//Maildir/.super/dovecot-acl
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl vfile: reading file /var/spool/postfix/virtual/onnet.ch/test//Maildir/.super.hello du/dovecot-acl
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl vfile: file /var/spool/postfix/virtual/onnet.ch/test//Maildir/.test folder 1/dovecot-acl not found
Aug 7 11:17:27 buserver dovecot: auth: Debug: auth client connected (pid=3203)
Aug 7 11:17:27 buserver dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011session=lkbV3NRyyQDAqDgB#011lip=192.168.56.50#011rip=192.168.56.1#011lport=143#011rport=52169#011resp=dGVzdEBvbm5ldC5jaAB0ZXN0QG9ubmV0LmNoAG5vdmVsbDEyMzQ1Ng== (previous base64 data may contain sensitive data)
Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): bind search: base=ou=domains,dc=intra,dc=onnet,dc=ch filter=(&(objectClass=CourierMailAccount)(mail=test@onnet.ch))
Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result: mail=test@onnet.ch; mail unused
Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result: mail=test@onnet.ch
Aug 7 11:17:27 buserver dovecot: auth: Debug: client passdb out: OK#0111#011user=test@onnet.ch
Aug 7 11:17:27 buserver dovecot: auth: Debug: master in: REQUEST#0113718250497#0113203#0111#011089fd1d9e1a2c66586786422f24c51cd#011session_pid=3206#011request_auth_token
Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): user search: base=ou=domains,dc=intra,dc=onnet,dc=ch scope=subtree filter=(&(objectClass=CourierMailAccount)(mail=test@onnet.ch)) fields=homeDirectory,uidNumber,gidNumber,quota
Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result: uidNumber=5000 quota=1073741824 gidNumber=5000 homeDirectory=onnet.ch/test/; homeDirectory,uidNumber,quota,gidNumber unused
Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result: uidNumber=5000 quota=1073741824 gidNumber=5000 homeDirectory=onnet.ch/test/
Aug 7 11:17:27 buserver dovecot: auth: Debug: master userdb out: USER#0113718250497#011test@onnet.ch#011home=/var/spool/postfix/virtual/onnet.ch/test/#011uid=5000#011gid=5000#011quota_rule=*:bytes=1073741824#011auth_token=913bee7c974e18d4527fc38d90457411e7e61201
Aug 7 11:17:27 buserver dovecot: imap-login: Login: user=<test@onnet.ch>, method=PLAIN, rip=192.168.56.1, lip=192.168.56.50, mpid=3206
Aug 7 11:17:27 buserver dovecot: imap: Debug: Loading modules from directory: /usr/lib/dovecot/modules
Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib01_acl_plugin.so
Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib02_imap_acl_plugin.so
Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib10_quota_plugin.so
Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib11_imap_quota_plugin.so
Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib20_zlib_plugin.so
Aug 7 11:17:27 buserver dovecot: imap: Debug: Added userdb setting: plugin/quota_rule=*:bytes=1073741824
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Effective uid=5000, gid=5000, home=/var/spool/postfix/virtual/onnet.ch/test/
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Quota root: name=User quota backend=maildir args=
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Quota rule: root=User quota mailbox=* bytes=1073741824 messages=0
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Quota rule: root=User quota mailbox=INBOX.Trash bytes=+104857600 messages=0
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Quota rule: root=User quota mailbox=INBOX.Spam ignored
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Quota warning: bytes=1020054732 (95%) messages=0 reverse=no command=quota-warning 95 test@onnet.ch
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Quota grace: root=User quota bytes=107374182 (10%)
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Namespace inbox: type=private, prefix=, sep=/, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:~/Maildir
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: maildir++: root=/var/spool/postfix/virtual/onnet.ch/test//Maildir, index=, indexpvt=, control=, inbox=/var/spool/postfix/virtual/onnet.ch/test//Maildir, alt=
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: initializing backend with data: vfile
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: acl username = test@onnet.ch
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: owner = 1
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl vfile: Global ACLs disabled
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Namespace : type=shared, prefix=shared/%u/, sep=/, inbox=no, hidden=no, list=children, subscriptions=yes location=maildir:%h/Maildir:INDEX=/var/spool/postfix/virtual/onnet.ch/test//shared/%u:CONTROL=/var/spool/postfix/virtual/onnet.ch/test//shared/%u
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: shared: root=/var/run/dovecot, index=, indexpvt=, control=, inbox=, alt=
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: initializing backend with data: vfile
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: acl username = test@onnet.ch
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: owner = 0
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl vfile: Global ACLs disabled
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Disconnected: Logged out in=30 out=457
thanks for looking into this
On 7 Aug 2018, at 10:34, Aki Tuomi <aki.tuomi@dovecot.fi> wrote:
Can you provide your doveconf -n after adding the database *after* LDAP.
You probably need to add 'noauthenticate' as one parameter after the userdb ones.
Aki