Hmm. If you put it *after* the LDAP userdb, it should not have prevented users from logging in.

What happens if you do

userdb {
  driver = passwd-file
  args = ....
  skip = notfound
  result_failure = continue-ok
}

Aki

On 07.08.2018 12:58, Simeon Ott wrote:
Now the attributes are correctly read for the user test@onnet.ch, but other users are not able to authenticate anymore.

root@buserver:/var/spool/postfix/virtual/onnet.ch/test/Maildir/.super# doveadm user test@onnet.ch
field value
uid 5000
gid 5000
home /var/spool/postfix/virtual/onnet.ch/test/
mail maildir:~/Maildir
quota_rule *:bytes=1073741824
acl vfile:/etc/dovecot/dovecot-acl
acl_globals_only yes

root@buserver:/etc/dovecot# doveadm user test2@onnet.ch
field value
userdb lookup: user test2@onnet.ch doesn't exist

I would need to add all users to the passwd file as well to let the other users authenticate. This is not an option for our production server, because the LDAP directory should be the main database for user administration. After adding “test@onnet.ch:::::::” to the passwd file, doveadm user works with test2@onnet.ch:

root@buserver:/var/spool/postfix/virtual/onnet.ch/test/Maildir/.super# doveadm user test2@onnet.ch
field value
uid 5000
gid 5000
home /var/spool/postfix/virtual/onnet.ch/test2/
mail maildir:~/Maildir
quota_rule *:bytes=1073741824

IMPORTANT NOTE: even with these options set (acl and acl_globals_only), the user test@onnet.ch is still able to share its own folders?!


On 7 Aug 2018, at 11:35, Aki Tuomi <aki.tuomi@dovecot.fi> wrote:

Ah. You probably need to change ldap userdb so that you add

userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf
  result_success = continue-ok
}

so that the next one is processed.

You can use 'doveadm user test@onnet.ch' to verify that the attributes are read for this user, and with another username to verify that they are not.

Aki


On 07.08.2018 12:23, Simeon Ott wrote:
Attached: the doveconf -n output, the linked files, and the debug log lines from a standard client login.

root@buserver:/etc/dovecot/conf.d# doveconf -n
# 2.2.13: /etc/dovecot/dovecot.conf
# OS: Linux 3.16.0-6-amd64 x86_64 Debian 8.11 
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
debug_log_path = syslog
disable_plaintext_auth = no
info_log_path = syslog
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
mail_debug = yes
mail_gid = 5000
mail_location = maildir:~/Maildir
mail_plugins = zlib quota acl
mail_uid = 5000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date ihave
namespace {
  hidden = no
  ignore_on_failure = no
  inbox = no
  list = children
  location = maildir:%%h/Maildir:INDEX=%h/shared/%%u:CONTROL=%h/shared/%%u
  prefix = shared/%%u/
  separator = /
  subscriptions = yes
  type = shared
}
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Spam {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix = 
  separator = /
  type = private
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
plugin {
  acl = vfile
  acl_shared_dict = file:/var/spool/postfix/virtual/shared-mailboxes
  quota = maildir:User quota
  quota_exceeded_message = 4.2.2 Mailbox full
  quota_rule = *:storage=1G
  quota_rule2 = INBOX.Trash:storage=+100M
  quota_rule3 = INBOX.Spam:ignore
  quota_warning = storage=95%% quota-warning 95 %u
  sieve = ~/.dovecot.sieve
  sieve_before = /var/lib/dovecot/sieve/default.sieve
  sieve_dir = ~/sieve
  sieve_max_actions = 32
  sieve_max_redirects = 4
  sieve_max_script_size = 1M
  sieve_quota_max_scripts = 0
  sieve_quota_max_storage = 0
}
protocols = " imap lmtp sieve pop3"
service auth {
  group = dovecot
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-master {
    group = vmail
    mode = 0666
    user = vmail
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0666
    user = vmail
  }
  user = dovecot
}
service lmtp {
  unix_listener lmtp {
    mode = 0666
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  inet_listener sieve_deprecated {
    port = 2000
  }
  process_min_avail = 0
  service_count = 1
  vsz_limit = 64 M
}
ssl = no
userdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
userdb {
  args = username_format=%Lu /etc/dovecot/share.passwd
  driver = passwd-file
}
protocol lmtp {
  mail_plugins = zlib quota acl sieve
}
protocol lda {
  auth_socket_path = /var/run/dovecot/auth-master
  deliver_log_format = msgid=%m: %$
  mail_plugins = zlib quota acl sieve
  postmaster_address = postmaster@onnet.ch
}
protocol imap {
  mail_plugins = zlib quota acl imap_quota imap_acl
}
protocol sieve {
  info_log_path = /var/log/sieve.log
  log_path = /var/log/sieve.log
  mail_max_userip_connections = 10
  managesieve_implementation_string = Dovecot Pigeonhole
  managesieve_logout_format = bytes=%i/%o
  managesieve_max_compile_errors = 5
  managesieve_max_line_length = 65536
}

root@buserver:/etc/dovecot# cat dovecot-acl
root@buserver:/etc/dovecot#

(no output: the file is empty)

root@buserver:/etc/dovecot# cat share.passwd 
test@onnet.ch:::::::userdb_acl=vfile:/etc/dovecot/dovecot-acl userdb_acl_globals_only=yes

root@buserver:/etc/dovecot# sed -e '/^#/d' dovecot-ldap.conf
hosts = localhost
uris = ldap://localhost:389/
debug_level = 10
auth_bind = yes
ldap_version = 3
base = ou=domains,dc=intra,dc=onnet,dc=ch
deref = never
scope = subtree
user_attrs =
homeDirectory=home=/var/spool/postfix/virtual/%$,uidNumber=uid,gidNumber=gid,quota=quota_rule=*:bytes=%$
user_filter = (&(objectClass=CourierMailAccount)(mail=%u))
pass_attrs = mail=user,userPassword=password
pass_filter = (&(objectClass=CourierMailAccount)(mail=%u))
iterate_attrs = mail=user
iterate_filter = (objectClass=CourierMailAccount)
default_pass_scheme = CRYPT

root@buserver:/etc/dovecot# cat /var/log/mail.log | grep "Aug  7 11:17:27"
Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch
<mailto:test@onnet.ch>): Debug: acl vfile: file
/var/spool/postfix/virtual/onnet.ch/test//Maildir/.test
<http://onnet.ch/test//Maildir/.test> folder 1.sub folder 1
1/dovecot-acl not found
Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl vfile: reading file /var/spool/postfix/virtual/onnet.ch/test//Maildir/.super/dovecot-acl
Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch
<mailto:test@onnet.ch>): Debug: acl vfile: reading file
/var/spool/postfix/virtual/onnet.ch/test//Maildir/.super.hello
<http://onnet.ch/test//Maildir/.super.hello> du/dovecot-acl
Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl vfile: file /var/spool/postfix/virtual/onnet.ch/test//Maildir/.test folder 1/dovecot-acl not found
Aug  7 11:17:27 buserver dovecot: auth: Debug: auth client connected
(pid=3203)
Aug  7 11:17:27 buserver dovecot: auth: Debug: client in:
AUTH#0111#011PLAIN#011service=imap#011session=lkbV3NRyyQDAqDgB#011lip=192.168.56.50#011rip=192.168.56.1#011lport=143#011rport=52169#011resp=dGVzdEBvbm5ldC5jaAB0ZXN0QG9ubmV0LmNoAG5vdmVsbDEyMzQ1Ng==
(previous base64 data may contain sensitive data)
Aug  7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): bind search: base=ou=domains,dc=intra,dc=onnet,dc=ch filter=(&(objectClass=CourierMailAccount)(mail=test@onnet.ch))
Aug  7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result: mail=test@onnet.ch; mail unused
Aug  7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result: mail=test@onnet.ch
Aug  7 11:17:27 buserver dovecot: auth: Debug: client passdb out: OK#0111#011user=test@onnet.ch
Aug  7 11:17:27 buserver dovecot: auth: Debug: master in:
REQUEST#0113718250497#0113203#0111#011089fd1d9e1a2c66586786422f24c51cd#011session_pid=3206#011request_auth_token
Aug  7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): user search: base=ou=domains,dc=intra,dc=onnet,dc=ch scope=subtree filter=(&(objectClass=CourierMailAccount)(mail=test@onnet.ch)) fields=homeDirectory,uidNumber,gidNumber,quota
Aug  7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result: uidNumber=5000 quota=1073741824 gidNumber=5000 homeDirectory=onnet.ch/test/; homeDirectory,uidNumber,quota,gidNumber unused
Aug  7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result: uidNumber=5000 quota=1073741824 gidNumber=5000 homeDirectory=onnet.ch/test/
Aug  7 11:17:27 buserver dovecot: auth: Debug: master userdb out: USER#0113718250497#011test@onnet.ch#011home=/var/spool/postfix/virtual/onnet.ch/test/#011uid=5000#011gid=5000#011quota_rule=*:bytes=1073741824#011auth_token=913bee7c974e18d4527fc38d90457411e7e61201
Aug  7 11:17:27 buserver dovecot: imap-login: Login: user=<test@onnet.ch>, method=PLAIN, rip=192.168.56.1, lip=192.168.56.50, mpid=3206
Aug  7 11:17:27 buserver dovecot: imap: Debug: Loading modules from
directory: /usr/lib/dovecot/modules
Aug  7 11:17:27 buserver dovecot: imap: Debug: Module loaded:
/usr/lib/dovecot/modules/lib01_acl_plugin.so
Aug  7 11:17:27 buserver dovecot: imap: Debug: Module loaded:
/usr/lib/dovecot/modules/lib02_imap_acl_plugin.so
Aug  7 11:17:27 buserver dovecot: imap: Debug: Module loaded:
/usr/lib/dovecot/modules/lib10_quota_plugin.so
Aug  7 11:17:27 buserver dovecot: imap: Debug: Module loaded:
/usr/lib/dovecot/modules/lib11_imap_quota_plugin.so
Aug  7 11:17:27 buserver dovecot: imap: Debug: Module loaded:
/usr/lib/dovecot/modules/lib20_zlib_plugin.so
Aug  7 11:17:27 buserver dovecot: imap: Debug: Added userdb setting:
plugin/quota_rule=*:bytes=1073741824
Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Effective uid=5000, gid=5000, home=/var/spool/postfix/virtual/onnet.ch/test/
Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch
<mailto:test@onnet.ch>): Debug: Quota root: name=User quota
backend=maildir args=
Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch
<mailto:test@onnet.ch>): Debug: Quota rule: root=User quota mailbox=*
bytes=1073741824 messages=0
Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch
<mailto:test@onnet.ch>): Debug: Quota rule: root=User quota
mailbox=INBOX.Trash bytes=+104857600 messages=0
Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch
<mailto:test@onnet.ch>): Debug: Quota rule: root=User quota
mailbox=INBOX.Spam ignored
Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Quota warning: bytes=1020054732 (95%) messages=0 reverse=no command=quota-warning 95 test@onnet.ch
Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch
<mailto:test@onnet.ch>): Debug: Quota grace: root=User quota
bytes=107374182 (10%)
Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch
<mailto:test@onnet.ch>): Debug: Namespace inbox: type=private,
prefix=, sep=/, inbox=yes, hidden=no, list=yes, subscriptions=yes
location=maildir:~/Maildir
Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: maildir++: root=/var/spool/postfix/virtual/onnet.ch/test//Maildir, index=, indexpvt=, control=, inbox=/var/spool/postfix/virtual/onnet.ch/test//Maildir, alt=
Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: initializing backend with data: vfile
Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: acl username = test@onnet.ch
Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: owner = 1
Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl vfile: Global ACLs disabled
Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Namespace : type=shared, prefix=shared/%u/, sep=/, inbox=no, hidden=no, list=children, subscriptions=yes location=maildir:%h/Maildir:INDEX=/var/spool/postfix/virtual/onnet.ch/test//shared/%u:CONTROL=/var/spool/postfix/virtual/onnet.ch/test//shared/%u
Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: shared: root=/var/run/dovecot, index=, indexpvt=, control=, inbox=, alt=
Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: initializing backend with data: vfile
Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: acl username = test@onnet.ch
Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: owner = 0
Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl vfile: Global ACLs disabled
Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch): Disconnected: Logged out in=30 out=457

thanks for looking into this

On 7 Aug 2018, at 10:34, Aki Tuomi <aki.tuomi@dovecot.fi> wrote:

Can you provide your doveconf -n after adding the database *after* LDAP?

You probably need to add 'noauthenticate' as one parameter after the
userdb ones.

Aki