question on auth cache parameters
Hi list,
I have a question on auth caching in 2.2.18.
I am using acl_groups for a master user, appended in a static userdb file
# snip ###############################
master@uma:{SHA}XXXX=::::::userdb_acl_groups=umareadmaster allow_nets=127.0.0.1
# snap ###############################
and use this group in a global ACL file. I discovered this only works on the first, NOT-cached login.
environment in imap-postlogin script on first login:
AUTH_TOKEN=e96b5a32ceb2cafc4460c210ad2e92e3d7ab388c
MASTER_USER=master@uma
SPUSER=private/pdf
LOCAL_IP=127.0.0.1
USER=pdf
AUTH_USER=master@uma
PWD=/var/run/dovecot
USERDB_KEYS=ACL_GROUPS HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER
SHLVL=1
HOME=/var/data/vmail/private/pdf
ACL_GROUPS=umareadmaster
IP=127.0.0.1
_=/usr/bin/env
on the second, cached login it looks like this:
AUTH_TOKEN=12703b11932f233520f6d4b33559c33aeb1cfc7f
MASTER_USER=master@uma
SPUSER=private/pdf
LOCAL_IP=127.0.0.1
USER=pdf
AUTH_USER=master@uma
PWD=/var/run/dovecot
USERDB_KEYS=HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER
SHLVL=1
HOME=/var/data/vmail/private/pdf
IP=127.0.0.1
_=/usr/bin/env
so the ACL_GROUPS is gone.
is this intended to be like that, so groups are not included in the cache and I have to find another approach?
has anybody else encountered similar problems with some auth variables and caching?
Greetz Matze
just tested against dovecot 2.2.15
everything works fine, so it might be a bug introduced between 2.2.16 and 2.2.18.
On 08/05/2015 04:30 PM, matthias lay wrote:
hi timo,
I checked out the commit causing this.
its this one:
http://hg.dovecot.org/dovecot-2.2/diff/5e445c659f89/src/auth/auth-request.c#...
If I move this block back as it was, everything is fine.
diff -r a46620d6e0ff -r 5e445c659f89 src/auth/auth-request.c --- a/src/auth/auth-request.c Tue May 05 13:35:52 2015 +0300 +++ b/src/auth/auth-request.c Tue May 05 14:16:31 2015 +0300 @@ -618,30 +627,28 @@ auth_request_want_skip_passdb(request, next_passdb)) next_passdb = next_passdb->next; + if (*result == PASSDB_RESULT_OK) { + /* this passdb lookup succeeded, preserve its extra fields */ + auth_fields_snapshot(request->extra_fields); + request->snapshot_have_userdb_prefetch_set = + request->userdb_prefetch_set; + if (request->userdb_reply != NULL) + auth_fields_snapshot(request->userdb_reply); + } else { + /* this passdb lookup failed, remove any extra fields it set */ + auth_fields_rollback(request->extra_fields); + if (request->userdb_reply != NULL) { + auth_fields_rollback(request->userdb_reply); + request->userdb_prefetch_set = + request->snapshot_have_userdb_prefetch_set; + } + } + if (passdb_continue && next_passdb != NULL) { /* try next passdb. */ request->passdb = next_passdb; request->passdb_password = NULL; - if (*result == PASSDB_RESULT_OK) { - /* this passdb lookup succeeded, preserve its extra - fields */ - auth_fields_snapshot(request->extra_fields); - request->snapshot_have_userdb_prefetch_set = - request->userdb_prefetch_set; - if (request->userdb_reply != NULL) - auth_fields_snapshot(request->userdb_reply); - } else { - /* this passdb lookup failed, remove any extra fields - it set */ - auth_fields_rollback(request->extra_fields); - if (request->userdb_reply != NULL) { - auth_fields_rollback(request->userdb_reply); - request->userdb_prefetch_set = - request->snapshot_have_userdb_prefetch_set; - } - } - if (*result == PASSDB_RESULT_USER_UNKNOWN) { /* remember that we did at least one successful passdb lookup */
On 08/05/2015 05:33 PM, matthias lay wrote:
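Review bot: moving the snapshot/rollback block above `if (passdb_continue && next_passdb != NULL)` changes what happens after the last passdb in the chain, and the hunk does not say whether that is intended. Before this change `auth_fields_snapshot(request->extra_fields)` and the `userdb_reply` snapshot ran only when another passdb was about to be tried; now they run after every lookup, including the only passdb of a master user, which is exactly the setup in which the reporter sees the `userdb_acl_groups` extra field missing on the cached second login. Either keep the old condition for the final passdb or add a test with auth cache enabled and a single passwd-file master passdb that sets a `userdb_*` field, asserting that the field still reaches the cached login.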
Hello,
Thank you for your report. We really appreciate it, especially when you can pinpoint a commit.
However, I am unable to reproduce this. Could you post your doveconf -n please? I'm especially interested in your passdb and userdb configurations and auth-cache settings.
br, Teemu Huovila
On 08/06/2015 01:07 PM, matthias lay wrote:
hi teemu,
thx for your reply.
the user is a masteruser that has a static passwd file. this is where the ACL_GROUPS is applied
############
cat /etc/dovecot/passwd.masteruser
master@uma:{SHA}ojN+jsbELZbRJeRb0qj9+MMjPUs=::::::userdb_acl_groups=umareadmaster allow_nets=127.0.0.1
##########
* the standard lookup method for users is ldap. only masterusers are in static user/passdbs
* auth cache is enabled
I can't post my whole conf but will paste the parts you requested. if it's not enough for you to reproduce, I will setup a clean instance and reproduce it there.
######################################################################################################################
# 2.2.16: /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.7
# OS: Linux 3.15.10-dist i686
auth_cache_negative_ttl = 30 mins
auth_cache_size = 10 k
auth_master_user_separator = *
#### snip
default namespace: (maildir gets overwritten by ldap lookup on most users)
namespace {
  hidden = no
  inbox = no
  list = children
  location = maildir:/var/data/vmail/public/%%Lu/Maildir:LAYOUT=fs:INBOX=/var/data/vmail/public/%%Lu/Maildir/INBOX
  prefix = public/%%u/
  separator = /
  subscriptions = no
  type = shared
}
userdb {
  args = uid=vmail gid=vmail home=/var/data/vmail/public/%Ln
  driver = static
}
....
protocol imap {
  imap_client_workarounds = tb-extra-mailbox-sep
  mail_plugins = acl notify mailbox_alias imap_acl
  ssl = yes
  ssl_cert = wrote:
hi again,
On Thu, 27 Aug 2015 14:37:59 +0300 Teemu Huovila teemu.huovila@dovecot.fi wrote:
However, I am unable to reproduce this. Could you post your doveconf -n please? Im especially interested in your passdb and userdb configurations and auth-cache settings.
just reproduced the bug with a fresh, clean 2.2.18 install
ldap userdb and 2 masterusers with the ACL_GROUP attribute in the passwd file
env output in imap-postlogin
first login:
AUTH_TOKEN=4adba75022f765fc3215ac5243337fd99adfdbf5
MASTER_USER=master2
SPUSER=private/johnd
LOCAL_IP=127.0.0.1
USER=johnd
AUTH_USER=master2
PWD=/run/dovecot
USERDB_KEYS=ACL_GROUPS HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER
SHLVL=1
HOME=/home/vmail/private/johnd
ACL_GROUPS=umareadmaster
IP=127.0.0.1
_=/usr/bin/env
logout and next login:
AUTH_TOKEN=83d7ede27b4fbc4de2abad58e84e65ac1073e4ec
MASTER_USER=master2
SPUSER=private/johnd
LOCAL_IP=127.0.0.1
USER=johnd
AUTH_USER=master2
PWD=/run/dovecot
USERDB_KEYS=HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER
SHLVL=1
HOME=/home/vmail/private/johnd
IP=127.0.0.1
_=/usr/bin/env
############################## % doveconf -n:
# 2.2.18: /etc/dovecot/dovecot.conf
# OS: Linux 3.12.44-gentoo x86_64 Gentoo Base System release 2.2
auth_cache_negative_ttl = 30 mins
auth_cache_size = 10 k
auth_master_user_separator = *
auth_use_winbind = yes
auth_username_chars =
auth_verbose = yes
log_path = /var/log/dovecot.log
mail_gid = vmail
mail_home = /home/vmail/private/%u
mail_location = maildir:~/Maildir:LAYOUT=fs:INBOX=~/Maildir/INBOX
mail_uid = vmail
namespace {
  inbox = yes
  location =
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  prefix =
  separator = /
  subscriptions = yes
  type = private
}
namespace {
  hidden = no
  inbox = no
  list = children
  location = maildir:/home/vmail/public/%%Lu/Maildir:LAYOUT=fs:INBOX=/home/vmail/public/%%Lu/Maildir/INBOX
  prefix = public/%%u/
  separator = /
  subscriptions = no
  type = shared
}
passdb {
  args = /etc/dovecot/master-users1
  driver = passwd-file
  master = yes
}
passdb {
  args = /etc/dovecot/master-users2
  driver = passwd-file
  master = yes
}
service auth {
  unix_listener auth-client {
    group =
    mode = 0600
    user = $default_internal_user
  }
  unix_listener auth-login {
    group =
    mode = 0600
    user = $default_internal_user
  }
  unix_listener auth-master {
    group =
    mode = 0600
    user = $default_internal_user
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0660
    user = $default_internal_user
  }
  unix_listener login/login {
    group =
    mode = 0666
    user = $default_internal_user
  }
  user = $default_internal_user
}
service imap-login {
  inet_listener imap {
    port = 143
  }
}
service imap-postlogin {
  executable = script-login /usr/libexec/dovecot/imap-postlogin
  user = vmail
}
service imap {
  executable = imap imap-postlogin
}
ssl_cert =
################################### % cat auth-master.conf.ext
# Authentication for master users. Included from 10-auth.conf.
# By adding master=yes setting inside a passdb you make the passdb a list
# of "master users", who can log in as anyone else.
#
auth_master_user_separator = *
# Example master user passdb using passwd-file. You can use any passdb though.
passdb {
  driver = passwd-file
  master = yes
  args = /etc/dovecot/master-users1
  # Unless you're using PAM, you probably still want the destination user to
  # be looked up from passdb that it really exists. pass=yes does that.
  #pass = yes
}
passdb {
  driver = passwd-file
  master = yes
  args = /etc/dovecot/master-users2
  # Unless you're using PAM, you probably still want the destination user to
  # be looked up from passdb that it really exists. pass=yes does that.
  #pass = yes
}
############################################### % cat /etc/dovecot/master-users1
master1:{SHA}xxxxxxx=::::::userdb_acl_groups=umareadmaster allow_nets=127.0.0.1
master2 is the same.
Greetz
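As an added regression check (example code, not from the thread or the Dovecot project): compare the imap-postlogin env capture of a first login with that of a cached login and report which exported userdb fields the auth cache dropped. The two captures are constructed from the values posted in the thread (master2 logging in as johnd); any other login pair in the same env format works the same way.

```python
# Added example: diff a fresh-login `env` capture against a cached-login one
# and report which userdb fields the auth cache dropped. Sample captures are
# constructed from the values posted in the thread, not captured here.

# Keys compared separately (USERDB_KEYS) or expected to differ between logins.
VOLATILE_KEYS = {"AUTH_TOKEN", "SHLVL", "_", "PWD", "USERDB_KEYS"}

FIRST_LOGIN = """\
AUTH_TOKEN=4adba75022f765fc3215ac5243337fd99adfdbf5
MASTER_USER=master2
SPUSER=private/johnd
LOCAL_IP=127.0.0.1
USER=johnd
AUTH_USER=master2
PWD=/run/dovecot
USERDB_KEYS=ACL_GROUPS HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER
SHLVL=1
HOME=/home/vmail/private/johnd
ACL_GROUPS=umareadmaster
IP=127.0.0.1
_=/usr/bin/env
"""

CACHED_LOGIN = """\
AUTH_TOKEN=83d7ede27b4fbc4de2abad58e84e65ac1073e4ec
MASTER_USER=master2
SPUSER=private/johnd
LOCAL_IP=127.0.0.1
USER=johnd
AUTH_USER=master2
PWD=/run/dovecot
USERDB_KEYS=HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER
SHLVL=1
HOME=/home/vmail/private/johnd
IP=127.0.0.1
_=/usr/bin/env
"""

def parse_env(capture):
    """Parse `env` output (one KEY=VALUE per line) into a dict.
    Splits on the first '=' only, so values may themselves contain '='."""
    env = {}
    for line in capture.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            env[key] = value
    return env

def userdb_keys(env):
    """USERDB_KEYS is Dovecot's space separated list of exported userdb fields."""
    return set(env.get("USERDB_KEYS", "").split())

def compare_logins(first, cached):
    """Report what the cached login lost or changed relative to the fresh one."""
    a, b = parse_env(first), parse_env(cached)
    dropped = userdb_keys(a) - userdb_keys(b)
    # Exported userdb fields that vanished from the process environment entirely.
    missing = {k for k in userdb_keys(a) if k in a and k not in b}
    changed = {k for k in a.keys() & b.keys()
               if a[k] != b[k] and k not in VOLATILE_KEYS}
    return {"dropped_userdb_keys": dropped,
            "missing_vars": missing,
            "changed_values": changed}
```

Run it against a capture taken right after a restart of the auth process and one taken within auth_cache_ttl; a non-empty dropped_userdb_keys means cached and fresh logins are being authorized with different attributes.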
Fixed: http://hg.dovecot.org/dovecot-2.2/rev/b7f7ad2bc4d0
On 05 Aug 2015, at 17:30, matthias lay matthias.lay@securepoint.de wrote:
participants (4)
- matthias lay
- Matthias Lay
- Teemu Huovila
- Timo Sirainen