Bug report: filter `default` in LDAP context does not suppress error logging
Bug report: Expanding variables with filter default in LDAP context does not suppress error logging if LDAP attribute is missing.
Expected behaviour: Missing LDAP attribute does not throw an error. Example: nologin = %{ldap:missingAttribute | default}
Details:
Please note: The missing attribute is called shadowInactive in reality. There might be another issue, the field nologin is boolean and set true if any value is assigned -- while default without parameter returns empty (thus, you cannot use default with nologin without workaround).
The intended behaviour is documented clearly, however due to a bug in rendering you need to look into the doc sources (my PR for that was accepted already: https://doc.dovecot.org/2.4.2/core/config/auth/databases/ldap.html#ldap-spec... https://github.com/dovecot/documentation/pull/1478#pullrequestreview-4034616...
Full context:
passdb ldap {
  driver = ldap
  ldap_filter = (&(objectClass=posixAccount)(mail=%{user}))
  fields {
    user = %{ldap:uid}
    nologin = %{ldap:shadowInactive | default}
    reason = The account for this email address is disabled.
  }
}
The same error was reported already a year ago, although among others, see point 4: https://dovecot.org/mailman3/archives/list/dovecot@dovecot.org/thread/TLJ2OQ...
Please excuse my first attempt of 31-03-2026. It was unreadable. Aki already tried to help but was - I guess - distracted from the main point. I found a workaround for the missing attribute translation to boolean fields (if someone is interested) https://dovecot.org/mailman3/archives/list/dovecot@dovecot.org/thread/67Z4CZ...
I tested with dovecot 2.4.2 and 2.4.3 (openSUSE repos) against local LDAP. The check for disabled users permanently throws errors in the log file whenever the user is missing the ldap attribute for disabled. Thus, for each login of all enabled users (you will probably agree that this is not acceptable). This results in the following log line:
2026-03-31T00:46:31.102690+02:00 mailserver dovecot: auth(test,ipv4,sasl:plain)<YE81n0VOVuofEeSD>: Error: ldap: auth_passdb_post settings: Failed to parse configuration: Failed to expand passdb_fields/nologin setting variables: ldap: No such attribute 'shadowinactive'
Thank you Johannes
-- Johannes Nohl postmaster@i-t-cloud.de
Bug report: Expanding variables with filter `default` in LDAP context does not suppress error logging if LDAP attribute is missing. [...] This results in the following log line:
> 2026-03-31T00:46:31.102690+02:00 mailserver dovecot: auth(test,ipv4,sasl:plain)<YE81n0VOVuofEeSD>: Error: ldap: auth_passdb_post settings: Failed to parse configuration: Failed to expand passdb_fields/nologin setting variables: ldap: No such attribute 'shadowinactive'
In case anybody is hit by the issue and for reference: With Linux you can block the error messages in systemd respectively the logging facility:
- for the systemd unit, add the file /etc/systemd/system/dovecot.service.d/override.conf:

  [Service]
  LogFilterPatterns=~Error: ldap-dn: auth_passdb_post settings: Failed to parse configuration: Failed to expand passdb_fields/nologin setting variables: ldap: No such attribute 'shadowinactive'$

- for rsyslog, add the file /etc/rsyslog.d/dovecot-ldap-errors.frule:

  if ($syslogfacility-text == 'mail') and \
     ($msg endswith 'Error: ldap-dn: auth_passdb_post settings: Failed to parse configuration: Failed to expand passdb_fields/nologin setting variables: ldap: No such attribute \'shadowinactive\'') \
  then { stop }
With openSUSE you need both. Make sure you adapt it to your attribute (and the syslog facility). Finally run systemctl daemon-reload and systemctl restart rsyslog.
Best, Johannes
-- Johannes Nohl postmaster@i-t-cloud.de
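A check worth running before trusting either filter, added here as an example and not part of Johannes's messages or of Dovecot: it applies the posted systemd regex (an extended regular expression, minus the leading "~" deny marker) and the posted rsyslog "endswith" suffix to the log line quoted in the first message, which carries the prefix "ldap:", and to a constructed variant carrying the "ldap-dn:" prefix that the filters expect. The "ldap-dn:" line is an assumption made for illustration only; pattern_for_attribute is a helper added here so the attribute name can be swapped as the thread advises.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that a log-filter pattern matches
# the exact line Dovecot writes before relying on it to silence the error.

# Log line as quoted in the bug report (message prefix is "ldap:").
LOG_REPORTED="2026-03-31T00:46:31.102690+02:00 mailserver dovecot: auth(test,ipv4,sasl:plain)<YE81n0VOVuofEeSD>: Error: ldap: auth_passdb_post settings: Failed to parse configuration: Failed to expand passdb_fields/nologin setting variables: ldap: No such attribute 'shadowinactive'"

# Constructed variant with the "ldap-dn:" prefix that the posted filters expect
# (assumption for illustration: this is not a line from the thread).
LOG_DN="2026-03-31T00:46:31.102690+02:00 mailserver dovecot: auth(test,ipv4,sasl:plain)<YE81n0VOVuofEeSD>: Error: ldap-dn: auth_passdb_post settings: Failed to parse configuration: Failed to expand passdb_fields/nologin setting variables: ldap: No such attribute 'shadowinactive'"

# Regex from the posted LogFilterPatterns= line, without the leading "~".
SYSTEMD_PATTERN="Error: ldap-dn: auth_passdb_post settings: Failed to parse configuration: Failed to expand passdb_fields/nologin setting variables: ldap: No such attribute 'shadowinactive'\$"

# Suffix from the posted rsyslog "endswith" condition.
RSYSLOG_SUFFIX="Error: ldap-dn: auth_passdb_post settings: Failed to parse configuration: Failed to expand passdb_fields/nologin setting variables: ldap: No such attribute 'shadowinactive'"

# Return 0 when the line matches the extended regex, as systemd applies it.
systemd_matches() {
    printf '%s\n' "$1" | grep -qE -- "$2"
}

# Return 0 when the line ends with the suffix, which is what rsyslog's
# "endswith" tests.
rsyslog_matches() {
    case "$1" in
        *"$2") return 0 ;;
    esac
    return 1
}

# Build the systemd regex for a different attribute name (the thread says to
# adapt the pattern to your attribute).
pattern_for_attribute() {
    printf "Error: ldap-dn: auth_passdb_post settings: Failed to parse configuration: Failed to expand passdb_fields/nologin setting variables: ldap: No such attribute '%s'\$" "$1"
}

# Stand-alone run: report which sample line each filter would drop.
for line in "$LOG_REPORTED" "$LOG_DN"; do
    if systemd_matches "$line" "$SYSTEMD_PATTERN"; then
        echo "systemd filter drops: $line"
    else
        echo "systemd filter keeps: $line"
    fi
    if rsyslog_matches "$line" "$RSYSLOG_SUFFIX"; then
        echo "rsyslog filter drops: $line"
    else
        echo "rsyslog filter keeps: $line"
    fi
done
```

Both filters only drop lines whose text matches byte for byte, so the reported line with the "ldap:" prefix passes through untouched while the "ldap-dn:" variant is dropped; paste the line from your own journal or mail log into LOG_REPORTED to see which prefix your build emits before installing the override.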