On 31/03/2026 02:25 EEST Johannes Nohl via dovecot <dovecot@dovecot.org> wrote:
I am using dovecot 2.4.2 (almost) with the new config language and I have a working configuration. However, the check for disabled users permanently throws errors in the log file whenever a user is missing the ldap attribute for disabled. This is - in my view - due to a malfunction of the filter "default".
passdb ldap {
  driver = ldap
  ldap_bind = yes
  ldap_filter = (&(|(objectClass=posixAccount)(objectClass=mailAccount))(uid=%{user}))
  fields {
    user = %{ldap:uid}
    nologin = %{ldap:shadowInactive | default(null)}
    reason = The account for this email address is disabled.
  }
}

This results in the following log line:

2026-03-31T00:46:31.102690+02:00 mailserver dovecot: auth(test,ipv4,sasl:plain)<YE81n0VOVuofEeSD>: Error: ldap: auth_passdb_post settings: Failed to parse configuration: Failed to expand passdb_fields/nologin setting variables: ldap: No such attribute 'shadowinactive'
The right behaviour would be no logging on login success, because the filter "default" is intended to suppress any errors ("When value is missing or empty, you can use the default filter to provide value. Missing variables will cause errors and must be negated with default. This does not apply to all providers, some providers return empty when value is missing."). https://doc.dovecot.org/2.4.2/core/settings/variables.html#variable-expansio...
As you may have seen, I also had to borrow the null value from the sql db config to make nologin ignore a non-present attribute. This is obviously undocumented. Instead, a non-working tip is provided ("Changed: 2.4.0 Extra fields can now also be set to empty string, "). However, the following does not work: "nologin = {ldap:shadowinactive | default("")}". https://doc.dovecot.org/2.4.2/core/settings/variables.html
Also, the documentation is missing/hiding the part which explains that "default()" can be used to avoid error logs. A PR regarding the documentation source has already been sent. See "Fails if the attribute is not present, unless the ` <missing part>" https://doc.dovecot.org/2.4.0/core/config/auth/databases/ldap.html#ldap-spec...
Is there another way to verify whether an account is disabled?
Johannes Nohl postmaster i-t-cloud
Hi!
Try %{ldap:shadowInactive | default}
default(null) refers to variable null, which does not exist.
Aki