Hmm. If you put it *after* the ldap userdb, it should not have prevented users from logging in.
What happens if you do
Now the attributes are correctly read for the user test@onnet.ch, but other users are not able to authenticate anymore.
root@buserver:/var/spool/postfix/virtual/onnet.ch/test/Maildir/.super# doveadm user test@onnet.ch
field value
uid 5000
gid 5000
home /var/spool/postfix/virtual/onnet.ch/test/
mail maildir:~/Maildir
quota_rule *:bytes=1073741824
acl vfile:/etc/dovecot/dovecot-acl
acl_globals_only yes
root@buserver:/etc/dovecot# doveadm user test2@onnet.ch
field value
userdb lookup: user test2@onnet.ch doesn't exist
I would need to add all users to the passwd file too for the other users to authenticate properly. This is not an option for our production server, because the LDAP directory should be the main database for user administration. After adding “test@onnet.ch:::::::” to the passwd file, doveadm user works for test2@onnet.ch:
root@buserver:/var/spool/postfix/virtual/onnet.ch/test/Maildir/.super# doveadm user test2@onnet.ch
field value
uid 5000
gid 5000
home /var/spool/postfix/virtual/onnet.ch/test2/
mail maildir:~/Maildir
quota_rule *:bytes=1073741824
IMPORTANT NOTE: anyway, even with these options set (acl and acl_globals_only), the user test@onnet.ch is still able to share its own folders?!
On 7 Aug 2018, at 11:35, Aki Tuomi <aki.tuomi@dovecot.fi> wrote:
Ah. You probably need to change ldap userdb so that you add
userdb {
driver = ldap
args = /etc/dovecot/dovecot-ldap.conf
result_success = continue-ok
}
so that the next one is processed.
you can use 'doveadm user test@onnet.ch' to verify that the attributes are read for this user, and with another username that they are not.
Aki
On 07.08.2018 12:23, Simeon Ott wrote:
… attached: the doveconf -n output, the linked files, and the debug log lines during a
standard client login
root@buserver:/etc/dovecot/conf.d# doveconf -n
# 2.2.13: /etc/dovecot/dovecot.conf
# OS: Linux 3.16.0-6-amd64 x86_64 Debian 8.11
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
debug_log_path = syslog
disable_plaintext_auth = no
info_log_path = syslog
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
mail_debug = yes
mail_gid = 5000
mail_location = maildir:~/Maildir
mail_plugins = zlib quota acl
mail_uid = 5000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date ihave
namespace {
hidden = no
ignore_on_failure = no
inbox = no
list = children
location = maildir:%%h/Maildir:INDEX=%h/shared/%%u:CONTROL=%h/shared/%%u
prefix = shared/%%u/
separator = /
subscriptions = yes
type = shared
}
namespace inbox {
inbox = yes
location =
mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
mailbox Sent {
auto = subscribe
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Spam {
auto = subscribe
special_use = \Junk
}
mailbox Trash {
auto = subscribe
special_use = \Trash
}
prefix =
separator = /
type = private
}
passdb {
args = /etc/dovecot/dovecot-ldap.conf
driver = ldap
}
plugin {
acl = vfile
acl_shared_dict = file:/var/spool/postfix/virtual/shared-mailboxes
quota = maildir:User quota
quota_exceeded_message = 4.2.2 Mailbox full
quota_rule = *:storage=1G
quota_rule2 = INBOX.Trash:storage=+100M
quota_rule3 = INBOX.Spam:ignore
quota_warning = storage=95%% quota-warning 95 %u
sieve = ~/.dovecot.sieve
sieve_before = /var/lib/dovecot/sieve/default.sieve
sieve_dir = ~/sieve
sieve_max_actions = 32
sieve_max_redirects = 4
sieve_max_script_size = 1M
sieve_quota_max_scripts = 0
sieve_quota_max_storage = 0
}
protocols = " imap lmtp sieve pop3"
service auth {
group = dovecot
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0666
user = postfix
}
unix_listener auth-master {
group = vmail
mode = 0666
user = vmail
}
unix_listener auth-userdb {
group = vmail
mode = 0666
user = vmail
}
user = dovecot
}
service lmtp {
unix_listener lmtp {
mode = 0666
}
}
service managesieve-login {
inet_listener sieve {
port = 4190
}
inet_listener sieve_deprecated {
port = 2000
}
process_min_avail = 0
service_count = 1
vsz_limit = 64 M
}
ssl = no
userdb {
args = /etc/dovecot/dovecot-ldap.conf
driver = ldap
}
userdb {
args = username_format=%Lu /etc/dovecot/share.passwd
driver = passwd-file
}
protocol lmtp {
mail_plugins = zlib quota acl sieve
}
protocol lda {
auth_socket_path = /var/run/dovecot/auth-master
deliver_log_format = msgid=%m: %$
mail_plugins = zlib quota acl sieve
postmaster_address = postmaster@onnet.ch
}
protocol imap {
mail_plugins = zlib quota acl imap_quota imap_acl
}
protocol sieve {
info_log_path = /var/log/sieve.log
log_path = /var/log/sieve.log
mail_max_userip_connections = 10
managesieve_implementation_string = Dovecot Pigeonhole
managesieve_logout_format = bytes=%i/%o
managesieve_max_compile_errors = 5
managesieve_max_line_length = 65536
}
root@buserver:/etc/dovecot# cat dovecot-acl
root@buserver:/etc/dovecot#
-> i.e. the file is empty
root@buserver:/etc/dovecot# cat share.passwd
test@onnet.ch:::::::userdb_acl=vfile:/etc/dovecot/dovecot-acl userdb_acl_globals_only=yes
root@buserver:/etc/dovecot# sed -e '/^#/d' dovecot-ldap.conf
hosts = localhost
uris = ldap://localhost:389/
debug_level = 10
auth_bind = yes
ldap_version = 3
base = ou=domains,dc=intra,dc=onnet,dc=ch
deref = never
scope = subtree
user_attrs = homeDirectory=home=/var/spool/postfix/virtual/%$,uidNumber=uid,gidNumber=gid,quota=quota_rule=*:bytes=%$
user_filter = (&(objectClass=CourierMailAccount)(mail=%u))
pass_attrs = mail=user,userPassword=password
pass_filter = (&(objectClass=CourierMailAccount)(mail=%u))
iterate_attrs = mail=user
iterate_filter = (objectClass=CourierMailAccount)
default_pass_scheme = CRYPT
root@buserver:/etc/dovecot# cat /var/log/mail.log | grep "Aug 7 11:17:27"
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl vfile: file
/var/spool/postfix/virtual/onnet.ch/test//Maildir/.test folder 1.sub folder 1
1/dovecot-acl not found
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl vfile: reading file
/var/spool/postfix/virtual/onnet.ch/test//Maildir/.super/dovecot-acl
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl vfile: reading file
/var/spool/postfix/virtual/onnet.ch/test//Maildir/.super.hello du/dovecot-acl
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl vfile: file
/var/spool/postfix/virtual/onnet.ch/test//Maildir/.test folder 1/dovecot-acl not found
Aug 7 11:17:27 buserver dovecot: auth: Debug: auth client connected
(pid=3203)
Aug 7 11:17:27 buserver dovecot: auth: Debug: client in:
AUTH#0111#011PLAIN#011service=imap#011session=lkbV3NRyyQDAqDgB#011lip=192.168.56.50#011rip=192.168.56.1#011lport=143#011rport=52169#011resp=dGVzdEBvbm5ldC5jaAB0ZXN0QG9ubmV0LmNoAG5vdmVsbDEyMzQ1Ng==
(previous base64 data may contain sensitive data)
Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): bind search:
base=ou=domains,dc=intra,dc=onnet,dc=ch
filter=(&(objectClass=CourierMailAccount)(mail=test@onnet.ch))
Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result:
mail=test@onnet.ch; mail unused
Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result:
mail=test@onnet.ch
Aug 7 11:17:27 buserver dovecot: auth: Debug: client passdb out:
OK#0111#011user=test@onnet.ch
Aug 7 11:17:27 buserver dovecot: auth: Debug: master in:
REQUEST#0113718250497#0113203#0111#011089fd1d9e1a2c66586786422f24c51cd#011session_pid=3206#011request_auth_token
Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): user search:
base=ou=domains,dc=intra,dc=onnet,dc=ch scope=subtree
filter=(&(objectClass=CourierMailAccount)(mail=test@onnet.ch))
fields=homeDirectory,uidNumber,gidNumber,quota
Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result:
uidNumber=5000 quota=1073741824 gidNumber=5000
homeDirectory=onnet.ch/test/;
homeDirectory,uidNumber,quota,gidNumber unused
Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result:
uidNumber=5000 quota=1073741824 gidNumber=5000
homeDirectory=onnet.ch/test/
Aug 7 11:17:27 buserver dovecot: auth: Debug: master userdb out:
USER#0113718250497#011test@onnet.ch#011home=/var/spool/postfix/virtual/onnet.ch/test/#011uid=5000#011gid=5000#011quota_rule=*:bytes=1073741824#011auth_token=913bee7c974e18d4527fc38d90457411e7e61201
Aug 7 11:17:27 buserver dovecot: imap-login: Login:
user=<test@onnet.ch>, method=PLAIN,
rip=192.168.56.1, lip=192.168.56.50, mpid=3206
Aug 7 11:17:27 buserver dovecot: imap: Debug: Loading modules from
directory: /usr/lib/dovecot/modules
Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded:
/usr/lib/dovecot/modules/lib01_acl_plugin.so
Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded:
/usr/lib/dovecot/modules/lib02_imap_acl_plugin.so
Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded:
/usr/lib/dovecot/modules/lib10_quota_plugin.so
Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded:
/usr/lib/dovecot/modules/lib11_imap_quota_plugin.so
Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded:
/usr/lib/dovecot/modules/lib20_zlib_plugin.so
Aug 7 11:17:27 buserver dovecot: imap: Debug: Added userdb setting:
plugin/quota_rule=*:bytes=1073741824
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Effective uid=5000, gid=5000,
home=/var/spool/postfix/virtual/onnet.ch/test/
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Quota root: name=User quota
backend=maildir args=
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Quota rule: root=User quota mailbox=*
bytes=1073741824 messages=0
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Quota rule: root=User quota
mailbox=INBOX.Trash bytes=+104857600 messages=0
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Quota rule: root=User quota
mailbox=INBOX.Spam ignored
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Quota warning: bytes=1020054732 (95%)
messages=0 reverse=no command=quota-warning 95 test@onnet.ch
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Quota grace: root=User quota
bytes=107374182 (10%)
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Namespace inbox: type=private,
prefix=, sep=/, inbox=yes, hidden=no, list=yes, subscriptions=yes
location=maildir:~/Maildir
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: maildir++:
root=/var/spool/postfix/virtual/onnet.ch/test//Maildir, index=, indexpvt=, control=,
inbox=/var/spool/postfix/virtual/onnet.ch/test//Maildir, alt=
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: initializing backend with data: vfile
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: acl username = test@onnet.ch
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: owner = 1
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl vfile: Global ACLs disabled
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Namespace : type=shared,
prefix=shared/%u/, sep=/, inbox=no, hidden=no, list=children,
subscriptions=yes
location=maildir:%h/Maildir:INDEX=/var/spool/postfix/virtual/onnet.ch/test//shared/%u:CONTROL=/var/spool/postfix/virtual/onnet.ch/test//shared/%u
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: shared: root=/var/run/dovecot, index=,
indexpvt=, control=, inbox=, alt=
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: initializing backend with data: vfile
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: acl username = test@onnet.ch
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: owner = 0
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl vfile: Global ACLs disabled
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Disconnected: Logged out in=30 out=457
thanks for looking into this
On 7 Aug 2018, at 10:34, Aki Tuomi <aki.tuomi@dovecot.fi> wrote:
Can you provide your doveconf -n after adding the database *after* LDAP?
You probably need to add 'noauthenticate' as one parameter after the
userdb ones.
Aki