On 14 Dec 2016, at 11.16, Mike Fröhner mikefroehner@gmx.de wrote:
I made some additional tests and found that also local unix groups are not working in replacement for my ldap groups as described below.
Do groups in dovecot-acl intendedly not work?
http://wiki2.dovecot.org/ACL -> ACL groups support works by returning a comma-separated acl_groups extra field from userdb, which contains all the groups the user belongs to. User's UNIX groups have no effect on ACLs (you can "enable" them by using a special post-login script).
On 12/13/2016 03:47 PM, Mike Fröhner wrote:
Hello people,
I am having an issue with 'doveadm sync'. I am currently trying to have two dovecots behind an haproxy (works fine). Therefore I configured these two dovecot servers (imap-1/imap-2) to sync through dsync. This works just partly. The sync of the mailboxes is fine, but the sync of the subscriptions file just works partly. It works for private folder subscription, but not completely for public folder subscription. I found two issues, if I am using LDAP (user/groups) in dovecot ACLs.
- I would like to subscribe 2 public folders (public/test/test1 and public/test/test2).
My user (ldaptestuser) is an ldap user and this user is member of the ldap group (ldaptestgroup) which does have all dovecot-acl rights on these folders.
imap-1 # cat /opt/mail/_public/publictest/.test*/dovecot-acl
group=ldaptestgroup akxeilprwts
group=ldaptestgroup akxeilprwts
I am now connecting with my mail client to imap-1 (through haproxy) and the subscription to this folder works. The file which is written looks like:
imap-1 # cat /opt/mail/ldaptestuser/Mails/subscriptions
Sent
publictest/test/test1
publictest/test/test2
Now I am awaiting the sync to imap-2, but the file which is written looks like:
imap-2 # cat /opt/mail/ldaptestuser/Mails/subscriptions
Sent
If I modify the dovecot-acl for .test1 to
imap-1 # cat /opt/mail/_public/publictest/.test1/dovecot-acl
group=ldaptestgroup akxeilprwts
user=ldaptestuser akxeilprwts
and execute the subscription again - the synced file looks like:
imap-2 # cat /opt/mail/ldaptestuser/Mails/subscriptions
Sent
publictest/test/test1
The subscription of public folder test2 will also be synced, if I add my ldaptestuser to the acl file for this folder.
- Another issue is to unsubscribe a public folder. If I unsubscribe folder test1, it is written to the subscriptions file on the imap where I am connected, but it is NOT synced even if my user and group are configured in the dovecot-acl file. If I then unsubscribe a non-public folder (like Sent), the formerly unsubscribed folder test1 is (faulty) subscribed again. But both imap do have the same subscriptions for my ldaptestuser user.
I do have the behavior with dovecot-2.2.26 and dovecot-2.2.27 on CentOS-7 (selinux disabled).
If you need more information like the dovecot -n or some other stuff give me a short notice.
Mike;
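
Added example (not part of the original thread, and not Dovecot code): a simplified Python model of the rule quoted from the wiki in the reply, that a group= line in dovecot-acl only matches groups listed in the acl_groups extra field returned by userdb. The function names are hypothetical, the inputs are constructed from the two dovecot-acl variants shown in the message, and the model assumes identifiers without spaces and ignores negative rights, group-override, owner/authenticated/anyone and precedence.

```python
# Added illustration, not Dovecot source. Simplified model: only positive
# user= and group= entries are evaluated; owner/authenticated/anyone,
# group-override, negative ("-") rights and precedence are not modelled.

def parse_acl(text):
    """Parse dovecot-acl content into (identifier, set_of_right_letters)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ident, _, rest = line.partition(" ")
        letters = rest.split(":", 1)[0].strip()  # ignore named rights after ':'
        entries.append((ident, set(letters)))
    return entries

def effective_rights(acl_text, username, acl_groups=""):
    """Rights granted to username given the userdb acl_groups extra field.

    acl_groups is the comma-separated string returned by userdb. UNIX or
    LDAP membership that never reaches this field is invisible here.
    """
    groups = {g.strip() for g in acl_groups.split(",") if g.strip()}
    granted = set()
    for ident, letters in parse_acl(acl_text):
        if ident == "user=" + username:
            granted |= letters
        elif ident.startswith("group=") and ident[len("group="):] in groups:
            granted |= letters
    return "".join(sorted(granted))

# Constructed inputs mirroring the two dovecot-acl variants in the thread.
GROUP_ONLY = "group=ldaptestgroup akxeilprwts\n"
GROUP_AND_USER = GROUP_ONLY + "user=ldaptestuser akxeilprwts\n"

if __name__ == "__main__":
    cases = [
        ("group-only ACL, acl_groups empty", GROUP_ONLY, ""),
        ("group-only ACL, acl_groups set", GROUP_ONLY, "ldaptestgroup"),
        ("group+user ACL, acl_groups empty", GROUP_AND_USER, ""),
    ]
    for label, acl, field in cases:
        rights = effective_rights(acl, "ldaptestuser", field)
        print(f"{label}: {rights or '(none)'}")
```

In this model the group-only file grants nothing until the group name appears in acl_groups, while the file with an added user= line grants the rights regardless of that field.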