public folder subscriptions sync issue with ldap user/group in dovecot-acl
Hello people,
I am having an issue with 'doveadm sync'. I am currently trying to have two dovecots behind a haproxy (works fine). Therefore I configured these two dovecot servers (imap-1/imap-2) to sync through dsync. This works only partly. The sync of the mailboxes is fine, but the sync of the subscriptions file only works partly. It works for private folder subscriptions, but not completely for public folder subscriptions. I found two issues if I am using LDAP (user/groups) in dovecot ACLs.
- I would like to subscribe to 2 public folders (public/test/test1 and public/test/test2).
My user (ldaptestuser) is an ldap user and this user is member of the ldap group (ldaptestgroup) which does have all dovecot-acl rights on these folders.
imap-1 # cat /opt/mail/_public/publictest/.test*/dovecot-acl
group=ldaptestgroup akxeilprwts
group=ldaptestgroup akxeilprwts
I am now connecting with my mail client to imap-1 (through haproxy) and the subscription to this folder works. The file which is written looks like:
imap-1 # cat /opt/mail/ldaptestuser/Mails/subscriptions
Sent
publictest/test/test1
publictest/test/test2
Now I am awaiting the sync to imap-2, but the file which is written looks like:
imap-2 # cat /opt/mail/ldaptestuser/Mails/subscriptions
Sent
If I modify the dovecot-acl for .test1 to
imap-1 # cat /opt/mail/_public/publictest/.test1/dovecot-acl
group=ldaptestgroup akxeilprwts
user=ldaptestuser akxeilprwts
and execute the subscription again, the synced file looks like:
imap-2 # cat /opt/mail/ldaptestuser/Mails/subscriptions
Sent
publictest/test/test1
The subscription of public folder test2 will also be synced if I add my ldaptestuser to the acl file for this folder.
- Another issue is unsubscribing a public folder. If I unsubscribe folder test1, it is written to the subscriptions file on the imap where I am connected, but it is NOT synced even if my user and group are configured in the dovecot-acl file. If I then unsubscribe a non-public folder (like Sent), the formerly unsubscribed folder test1 is (faultily) subscribed again. But both imaps do have the same subscriptions for my ldaptestuser user.
I have this behavior with dovecot-2.2.26 and dovecot-2.2.27 on CentOS-7 (selinux disabled).
If you need more information like the dovecot -n or some other stuff give me a short notice.
Mike;
I made some additional tests and found that local unix groups also do not work as a replacement for my ldap groups, as described below.
Do groups in dovecot-acl intentionally not work?
On 12/13/2016 03:47 PM, Mike Fröhner wrote:
On 14 Dec 2016, at 11.16, Mike Fröhner <mikefroehner@gmx.de> wrote:
I made some additional tests and found that local unix groups also do not work as a replacement for my ldap groups, as described below.
Do groups in dovecot-acl intentionally not work?
http://wiki2.dovecot.org/ACL -> ACL groups support works by returning a comma-separated acl_groups extra field from userdb, which contains all the groups the user belongs to. User's UNIX groups have no effect on ACLs (you can "enable" them by using a special post-login script).
Thanks for your reply Timo.
On 12/14/2016 06:40 PM, Timo Sirainen wrote:
On 14 Dec 2016, at 11.16, Mike Fröhner <mikefroehner@gmx.de> wrote:
I made some additional tests and found that local unix groups also do not work as a replacement for my ldap groups, as described below.
Do groups in dovecot-acl intentionally not work?
http://wiki2.dovecot.org/ACL -> ACL groups support works by returning a comma-separated acl_groups extra field from userdb, which contains all the groups the user belongs to. User's UNIX groups have no effect on ACLs (you can "enable" them by using a special post-login script).
I think I have configured the userdb right, because the debug log tells me this:
imap-1 dovecot: imap(ldaptestuser): Debug: acl: acl username = ldaptestuser
imap-1 dovecot: imap(ldaptestuser): Debug: acl: owner = 1
imap-1 dovecot: imap(ldaptestuser): Debug: acl: group added: mailusers
imap-1 dovecot: imap(ldaptestuser): Debug: acl: group added: ldaptestgroup
Hi again,
here are some more debugs:
On 12/16/2016 03:25 PM, Mike Fröhner wrote:
I think I have configured the userdb right, because the debug log tells me this:
imap-1 dovecot: imap(ldaptestuser): Debug: acl: acl username = ldaptestuser
imap-1 dovecot: imap(ldaptestuser): Debug: acl: owner = 1
imap-1 dovecot: imap(ldaptestuser): Debug: acl: group added: mailusers
imap-1 dovecot: imap(ldaptestuser): Debug: acl: group added: ldaptestgroup
Well, the IMAP debug lists/adds the groups, but not the doveadm:
Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: auth PASS input: user=ldaptestuser
Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: auth USER input: ldaptestuser home=/opt/mail/ldaptestuser mail=maildir:/opt/mail/ldaptestuser/Mails gid=991 uid=834603987
Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: Added userdb setting: mail=maildir:/opt/mail/ldaptestuser/Mails
Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: Effective uid=834603987, gid=991, home=/opt/mail/ldaptestuser
Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: Namespace public-test: type=public, prefix=public/test/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=no location=maildir:/opt/mail/_public/test
Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: maildir++: root=/opt/mail/_public/test, index=, indexpvt=, control=, inbox=, alt=
Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: acl: initializing backend with data: vfile
Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: acl: acl username = ldaptestuser
Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: acl: owner = 0
Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: acl vfile: Global ACLs disabled
The debug output is the same on servers imap-1 and imap-2.
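An added check, not Dovecot's code and not posted by anyone in this thread: it parses dovecot-acl entries in the form shown above and computes which public folders an identity can look up (the 'l' right) depending on whether its userdb lookup supplied acl_groups. It assumes a simplified version of the vfile backend's evaluation (rights of all matching positive user=/group=/owner/authenticated/anyone entries are unioned; negative rights, group-override and global ACLs are not modelled), and the sample ACL contents are constructed from the two states reported in the thread. The identities it evaluates mirror the two debug logs: the imap process, whose userdb lookup added the groups mailusers and ldaptestgroup, and the doveadm process, whose userdb fields in the log carry no groups at all.

```python
# Added diagnostic, not part of Dovecot or of this thread: evaluate
# dovecot-acl entries for an identity with and without acl_groups.
# Simplification of the vfile backend: rights of every matching positive
# entry are unioned; negative rights, group-override and global ACLs are
# not modelled.

NAMED_RIGHTS = {
    "lookup": "l", "read": "r", "write": "w", "write-seen": "s",
    "write-deleted": "t", "insert": "i", "post": "p", "expunge": "e",
    "create": "k", "delete": "x", "admin": "a",
}

# Constructed sample ACL files: the two states reported in the thread.
ACL_GROUP_ONLY = {
    "publictest/test/test1": "group=ldaptestgroup akxeilprwts\n",
    "publictest/test/test2": "group=ldaptestgroup akxeilprwts\n",
}
ACL_WITH_USER = {
    "publictest/test/test1": ("group=ldaptestgroup akxeilprwts\n"
                              "user=ldaptestuser akxeilprwts\n"),
    "publictest/test/test2": "group=ldaptestgroup akxeilprwts\n",
}


def parse_acl(text):
    """Parse dovecot-acl text into a list of (identifier, set of right letters)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ident, _, rights_str = line.partition(" ")
        rights = set()
        for token in rights_str.split():
            # Rights may be named ("lookup read") or letter strings ("lr").
            rights.update(NAMED_RIGHTS.get(token, token))
        entries.append((ident, rights))
    return entries


def entry_matches(ident, username, groups, is_owner):
    """Does an ACL identifier apply to this identity?"""
    if ident == "anyone":
        return True
    if ident == "authenticated":
        return username is not None
    if ident == "owner":
        return is_owner
    if ident.startswith("user="):
        return ident[len("user="):] == username
    if ident.startswith("group="):
        return ident[len("group="):] in groups
    return False


def effective_rights(acl_text, username, groups, is_owner=False):
    """Union of the rights of every entry that matches the identity."""
    rights = set()
    for ident, entry_rights in parse_acl(acl_text):
        if entry_matches(ident, username, groups, is_owner):
            rights |= entry_rights
    return rights


def visible_folders(acl_files, username, groups):
    """Folders the identity can LOOKUP ('l'). A process that cannot see a
    folder cannot carry its subscription, which is what the thread reports."""
    return sorted(folder for folder, text in acl_files.items()
                  if "l" in effective_rights(text, username, groups))


if __name__ == "__main__":
    imap_groups = {"mailusers", "ldaptestgroup"}   # as in the imap debug log
    doveadm_groups = set()                          # as in the doveadm debug log
    print("imap, group-only ACL:   ", visible_folders(ACL_GROUP_ONLY, "ldaptestuser", imap_groups))
    print("doveadm, group-only ACL:", visible_folders(ACL_GROUP_ONLY, "ldaptestuser", doveadm_groups))
    print("doveadm, user= added:   ", visible_folders(ACL_WITH_USER, "ldaptestuser", doveadm_groups))
```

With the group-only ACL the imap identity sees both folders while the doveadm identity sees none, and adding the user= line makes only test1 visible to doveadm, which is exactly the subscription behaviour reported at the top of the thread. On a real server, `doveadm user ldaptestuser` prints the fields the userdb returns to a doveadm process, so it is the quickest place to check whether acl_groups is among them; in the doveadm debug log above the USER fields are only home, mail, gid and uid.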