Re: question on autch cache parameters

27 Aug 2015

hi teemu,

thx for your reply.

the user is a masteruser that hast a static passwd file. this is where
the ACL_GROUPS is applied

############
cat /etc/dovecot/passwd.masteruser 
master@uma:{SHA}ojN+jsbELZbRJeRb0qj9+MMjPUs=::::::userdb_acl_groups=umareadmaster
allow_nets=127.0.0.1
##########

* the standard lookup method for users is ldap. only masterusers are in
static user/passdbs
* auth cache is enabled

I cant post my whole conf but will paste the parts you requested.

if its not enough for you to reproduce, I will setup a clean instance
and reproduce it there.


######################################################################################################################
# 2.2.16: /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.7
# OS: Linux 3.15.10-dist i686  
auth_cache_negative_ttl = 30 mins
auth_cache_size = 10 k
auth_master_user_separator = *
#### snip

default namespace: (maildir gets overwritten by ldap lookup on most
users)

namespace {
  hidden = no
  inbox = no
  list = children
  location =
maildir:/var/data/vmail/public/%%Lu/Maildir:LAYOUT=fs:INBOX=/var/data/vmail/public/%%Lu/Maildir/INBOX
prefix = public/%%u/ separator = /
  subscriptions = no
  type = shared
}

userdb {
  args = uid=vmail gid=vmail home=/var/data/vmail/public/%Ln
  driver = static
}

....

protocol imap {
  imap_client_workarounds = tb-extra-mailbox-sep
  mail_plugins = acl notify mailbox_alias imap_acl 
  ssl = yes 
  ssl_cert =  wrote:
...
Hello
Thank you for your report. We really appreciate it, especially when
you can pinpoint a commit.
However, I am unable to reproduce this. Could you post your doveconf
-n please? Im especially interested in your passdb and userdb
configurations and auth-cache settings.
br,
Teemu Huovila
On 08/06/2015 01:07 PM, matthias lay wrote:
...
hi timo,
I checked out the commit causing this.
its this one:
http://hg.dovecot.org/dovecot-2.2/diff/5e445c659f89/src/auth/auth-request.c#...
if I move this block back as it was. everything is fine
diff -r a46620d6e0ff -r 5e445c659f89 src/auth/auth-request.c

--- a/src/auth/auth-request.c	Tue May 05 13:35:52 2015 +0300
+++ b/src/auth/auth-request.c	Tue May 05 14:16:31 2015 +0300
@@ -618,30 +627,28 @@
         auth_request_want_skip_passdb(request, next_passdb))
      next_passdb = next_passdb->next;
+	if (*result == PASSDB_RESULT_OK) {
+		/* this passdb lookup succeeded, preserve its
extra fields */
+		auth_fields_snapshot(request->extra_fields);
+		request->snapshot_have_userdb_prefetch_set =
+			request->userdb_prefetch_set;
+		if (request->userdb_reply != NULL)
+
auth_fields_snapshot(request->userdb_reply);
+	} else {
+		/* this passdb lookup failed, remove any extra
fields it set */
+		auth_fields_rollback(request->extra_fields);
+		if (request->userdb_reply != NULL) {
+
auth_fields_rollback(request->userdb_reply);
+			request->userdb_prefetch_set =
+
request->snapshot_have_userdb_prefetch_set;
+		}
+	}
+
  if (passdb_continue && next_passdb != NULL) {
      /* try next passdb. */
                 request->passdb = next_passdb;
      request->passdb_password = NULL;
-		if (*result == PASSDB_RESULT_OK) {
-			/* this passdb lookup succeeded, preserve
its extra
-			   fields */
-
auth_fields_snapshot(request->extra_fields);
-			request->snapshot_have_userdb_prefetch_set
=
-				request->userdb_prefetch_set;
-			if (request->userdb_reply != NULL)
-
auth_fields_snapshot(request->userdb_reply);
-		} else {
-			/* this passdb lookup failed, remove any
extra fields
-			   it set */
-
auth_fields_rollback(request->extra_fields);
-			if (request->userdb_reply != NULL) {
-
auth_fields_rollback(request->userdb_reply);
-				request->userdb_prefetch_set =
-
request->snapshot_have_userdb_prefetch_set;
-			}
-		}
-
      if (*result == PASSDB_RESULT_USER_UNKNOWN) {
      	/* remember that we did at least one
successful passdb lookup */
On 08/05/2015 05:33 PM, matthias lay wrote:
...
just tested against dovecot 2.2.15
everythings works fine. so might be a bug introduced between
2.2.16 and 2.2.18
On 08/05/2015 04:30 PM, matthias lay wrote:
...
Hi list,
I have a question on auth caching in 2.2.18.
I am using acl_groups for a master user, appended in a static
userdb file
# snip ###############################
master@uma:{SHA}XXXX=::::::userdb_acl_groups=umareadmaster
allow_nets=127.0.0.1
# snap ###############################
and use this group in a global ACL file.
I discovered this only works on first NOT-cached login
environment in imap-postlogin script on first login:
AUTH_TOKEN=e96b5a32ceb2cafc4460c210ad2e92e3d7ab388c
MASTER_USER=master@uma
SPUSER=private/pdf
LOCAL_IP=127.0.0.1
USER=pdf
AUTH_USER=master@uma
PWD=/var/run/dovecot
USERDB_KEYS=ACL_GROUPS HOME SPUSER MASTER_USER AUTH_TOKEN
AUTH_USER SHLVL=1
HOME=/var/data/vmail/private/pdf
ACL_GROUPS=umareadmaster
IP=127.0.0.1
_=/usr/bin/env
on the second cached login it looks like this
AUTH_TOKEN=12703b11932f233520f6d4b33559c33aeb1cfc7f
MASTER_USER=master@uma
SPUSER=private/pdf
LOCAL_IP=127.0.0.1
USER=pdf
AUTH_USER=master@uma
PWD=/var/run/dovecot
USERDB_KEYS=HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER
SHLVL=1
HOME=/var/data/vmail/private/pdf
IP=127.0.0.1
_=/usr/bin/env
so the ACL_GROUPS is gone.
is this intended to be like that.
so groups not included in cache and I have to find another
approach?
anybody else encountered similar problems with some auth
Variables and caching?
Greetz Matze

    