hi teemu, thx for your reply. the user is a masteruser that hast a static passwd file. this is where the ACL_GROUPS is applied ############ cat /etc/dovecot/passwd.masteruser master@uma:{SHA}ojN+jsbELZbRJeRb0qj9+MMjPUs=::::::userdb_acl_groups=umareadmaster allow_nets=127.0.0.1 ########## * the standard lookup method for users is ldap. only masterusers are in static user/passdbs * auth cache is enabled I cant post my whole conf but will paste the parts you requested. if its not enough for you to reproduce, I will setup a clean instance and reproduce it there. ###################################################################################################################### # 2.2.16: /etc/dovecot/dovecot.conf # Pigeonhole version 0.4.7 # OS: Linux 3.15.10-dist i686 auth_cache_negative_ttl = 30 mins auth_cache_size = 10 k auth_master_user_separator = * #### snip default namespace: (maildir gets overwritten by ldap lookup on most users) namespace { hidden = no inbox = no list = children location = maildir:/var/data/vmail/public/%%Lu/Maildir:LAYOUT=fs:INBOX=/var/data/vmail/public/%%Lu/Maildir/INBOX prefix = public/%%u/ separator = / subscriptions = no type = shared } userdb { args = uid=vmail gid=vmail home=/var/data/vmail/public/%Ln driver = static } .... protocol imap { imap_client_workarounds = tb-extra-mailbox-sep mail_plugins = acl notify mailbox_alias imap_acl ssl = yes ssl_cert = </etc/ssl/certs/imap.cert ssl_key = </etc/ssl/private/imap.key userdb { args = /etc/dovecot/dovecot-imap-ldap.conf.ext driver = ldap name = } } ########################## content of dovecot-imap-ldap.conf.ext: base = "dc=spdev, dc=local" # Filter for user lookups. user_filter = (&(sAMAccountName=%Ln)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(&(sAMAccountType=805306368))) # User attributes are given in LDAP-name=dovecot-internal-name list. user_attrs = name=home=/var/data/vmail/private/%Ln, =spuser=private/%L{ldap:sAMAccountName} #################### several masteruser passdbs passdb { args = /etc/dovecot/passwd.masteruser driver = passwd-file master = yes } passdb { args = /etc/dovecot/passwd.system driver = passwd-file master = yes } passdb { args = /etc/dovecot/passwd.email-shredder driver = passwd-file master = yes } passdb { args = /etc/dovecot/passwd.imap-set-del-flag driver = passwd-file master = yes } passdb { args = /etc/dovecot/dovecot-ldap-passdb.conf.ext driver = ldap } ############# contents of ldap-passdb.conf # LDAP base. base = "dc=spdev, dc=local" # Filter for user lookups. user_filter = (&(sAMAccountName=%Ln)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) ############ protocols = imap service auth { unix_listener auth-client { group = mode = 0600 user = $default_internal_user } unix_listener auth-login { group = mode = 0600 user = $default_internal_user } unix_listener auth-master { group = mode = 0600 user = $default_internal_user } unix_listener auth-userdb { group = vmail mode = 0660 user = $default_internal_user } unix_listener login/login { group = mode = 0666 user = $default_internal_user } user = $default_internal_user } ########################################################################################################## We use a global ACL file. where masterusers have different rights and the one mentioned is the only one that gets a ACL_GROUP in passdb. my guess: it might be related to the "several masteruser passdbs" point. but thats just a guess from the outside ;) hope this helps, if not let me know greetz Matze On Thu, 27 Aug 2015 14:37:59 +0300 Teemu Huovila <teemu.huovila@dovecot.fi> wrote:
Hello
Thank you for your report. We really appreciate it, especially when you can pinpoint a commit.
However, I am unable to reproduce this. Could you post your doveconf -n please? Im especially interested in your passdb and userdb configurations and auth-cache settings.
br, Teemu Huovila
On 08/06/2015 01:07 PM, matthias lay wrote:
hi timo,
I checked out the commit causing this.
its this one:
http://hg.dovecot.org/dovecot-2.2/diff/5e445c659f89/src/auth/auth-request.c#...
if I move this block back as it was. everything is fine
diff -r a46620d6e0ff -r 5e445c659f89 src/auth/auth-request.c --- a/src/auth/auth-request.c Tue May 05 13:35:52 2015 +0300 +++ b/src/auth/auth-request.c Tue May 05 14:16:31 2015 +0300 @@ -618,30 +627,28 @@ auth_request_want_skip_passdb(request, next_passdb)) next_passdb = next_passdb->next;
+ if (*result == PASSDB_RESULT_OK) { + /* this passdb lookup succeeded, preserve its extra fields */ + auth_fields_snapshot(request->extra_fields); + request->snapshot_have_userdb_prefetch_set = + request->userdb_prefetch_set; + if (request->userdb_reply != NULL) + auth_fields_snapshot(request->userdb_reply); + } else { + /* this passdb lookup failed, remove any extra fields it set */ + auth_fields_rollback(request->extra_fields); + if (request->userdb_reply != NULL) { + auth_fields_rollback(request->userdb_reply); + request->userdb_prefetch_set = + request->snapshot_have_userdb_prefetch_set; + } + } + if (passdb_continue && next_passdb != NULL) { /* try next passdb. */ request->passdb = next_passdb; request->passdb_password = NULL;
- if (*result == PASSDB_RESULT_OK) { - /* this passdb lookup succeeded, preserve its extra - fields */ - auth_fields_snapshot(request->extra_fields); - request->snapshot_have_userdb_prefetch_set = - request->userdb_prefetch_set; - if (request->userdb_reply != NULL) - auth_fields_snapshot(request->userdb_reply); - } else { - /* this passdb lookup failed, remove any extra fields - it set */ - auth_fields_rollback(request->extra_fields); - if (request->userdb_reply != NULL) { - auth_fields_rollback(request->userdb_reply); - request->userdb_prefetch_set = - request->snapshot_have_userdb_prefetch_set; - } - } - if (*result == PASSDB_RESULT_USER_UNKNOWN) { /* remember that we did at least one successful passdb lookup */
On 08/05/2015 05:33 PM, matthias lay wrote:
just tested against dovecot 2.2.15
everythings works fine. so might be a bug introduced between 2.2.16 and 2.2.18
On 08/05/2015 04:30 PM, matthias lay wrote:
Hi list,
I have a question on auth caching in 2.2.18.
I am using acl_groups for a master user, appended in a static userdb file
# snip ############################### master@uma:{SHA}XXXX=::::::userdb_acl_groups=umareadmaster allow_nets=127.0.0.1 # snap ###############################
and use this group in a global ACL file. I discovered this only works on first NOT-cached login
environment in imap-postlogin script on first login:
AUTH_TOKEN=e96b5a32ceb2cafc4460c210ad2e92e3d7ab388c MASTER_USER=master@uma SPUSER=private/pdf LOCAL_IP=127.0.0.1 USER=pdf AUTH_USER=master@uma PWD=/var/run/dovecot USERDB_KEYS=ACL_GROUPS HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER SHLVL=1 HOME=/var/data/vmail/private/pdf ACL_GROUPS=umareadmaster IP=127.0.0.1 _=/usr/bin/env
on the second cached login it looks like this
AUTH_TOKEN=12703b11932f233520f6d4b33559c33aeb1cfc7f MASTER_USER=master@uma SPUSER=private/pdf LOCAL_IP=127.0.0.1 USER=pdf AUTH_USER=master@uma PWD=/var/run/dovecot USERDB_KEYS=HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER SHLVL=1 HOME=/var/data/vmail/private/pdf IP=127.0.0.1 _=/usr/bin/env
so the ACL_GROUPS is gone.
is this intended to be like that. so groups not included in cache and I have to find another approach?
anybody else encountered similar problems with some auth Variables and caching?
Greetz Matze