public folder subscriptions sync issue with ldap user/group in dovecot-acl

Mike Fröhner

13 Dec 2016 13 Dec '16

4:47 p.m.

Hello people,

I am having an issue with 'doveadm sync'. I am currently trying to have two dovecots behind an haproxy (works fine). Therefore I configured these two dovecot server (imap-1/imap-2) to sync throught dsync. This works just partly. The sync of the maiboxes is fine, but the sync of the subscriptions file just works partly. It works for private folder subscription, but not completly for public folder subscription. I found two issues, if I am using LDAP (user/groups) in dovecot ACLs.

I would like to subscribe 2 public folder (public/test/test1 and public/test/test2).

My user (ldaptestuser) is an ldap user and this user is member of the ldap group (ldaptestgroup) which does have all dovecot-acl rights on these folders.

imap-1 # cat /opt/mail/_public/publictest/.test*/dovecot-acl group=ldaptestgroup akxeilprwts group=ldaptestgroup akxeilprwts

I am now connecting with my mail client to imap-1 (throught haproxy) and the subscription to this folder works. The file which is written looks like:

imap-1 # cat /opt/mail/ldaptestuser/Mails/subscriptions Sent publictest/test/test1 publictest/test/test2

Now I am awaiting the synch to imap-2, but the file which it written looks like:

imap-2 # cat /opt/mail/ldaptestuser/Mails/subscriptions Sent

If I modify the dovecot-acl for .test1 to

imap-1 # cat /opt/mail/_public/publictest/.test1/dovecot-acl group=ldaptestgroup akxeilprwts user=ldaptestuser akxeilprwts

and execute the subscription again - the synced file looks like:

imap-2 # cat /opt/mail/ldaptestuser/Mails/subscriptions Sent publictest/test/test1

The subscription of public folder test2 will also been synced, if I add my ldaptestuser to the acl file for this folder.

Another issue is to unsubscribe a public folder. If I unsubscribe folder test1, it is written to subscriptions file on the imap where I am connected, but it is NOT synced even if my user and group are configured at the dovecot-acl file. If I then unsubscribe a not public folder (like Sent), the former unsubscribed folder test1 is (faulty) subscribed again. But both imap do have the same subscriptions for my ldaptestuser user.

I do have the behavior with dovecot-2.2.26 and dovecot-2.2.27 on CentOS-7 (selinux disabled).

If you need more information like the dovecot -n or some other stuff give me a short notice.

Mike;

Show replies by date

Mike Fröhner

14 Dec 14 Dec

11:16 a.m.

I made some additional tests and found that also local unix groups are not working in replacement for my ldap groups as discribed below.

Do groups in dovecot-acl intendedly not work?

On 12/13/2016 03:47 PM, Mike Fröhner wrote:

...

Hello people,

I am having an issue with 'doveadm sync'. I am currently trying to have two dovecots behind an haproxy (works fine). Therefore I configured these two dovecot server (imap-1/imap-2) to sync throught dsync. This works just partly. The sync of the maiboxes is fine, but the sync of the subscriptions file just works partly. It works for private folder subscription, but not completly for public folder subscription. I found two issues, if I am using LDAP (user/groups) in dovecot ACLs.

I would like to subscribe 2 public folder (public/test/test1 and public/test/test2).

My user (ldaptestuser) is an ldap user and this user is member of the ldap group (ldaptestgroup) which does have all dovecot-acl rights on these folders.

imap-1 # cat /opt/mail/_public/publictest/.test*/dovecot-acl group=ldaptestgroup akxeilprwts group=ldaptestgroup akxeilprwts

I am now connecting with my mail client to imap-1 (throught haproxy) and the subscription to this folder works. The file which is written looks like:

imap-1 # cat /opt/mail/ldaptestuser/Mails/subscriptions Sent publictest/test/test1 publictest/test/test2

Now I am awaiting the synch to imap-2, but the file which it written looks like:

imap-2 # cat /opt/mail/ldaptestuser/Mails/subscriptions Sent

If I modify the dovecot-acl for .test1 to

imap-1 # cat /opt/mail/_public/publictest/.test1/dovecot-acl group=ldaptestgroup akxeilprwts user=ldaptestuser akxeilprwts

and execute the subscription again - the synced file looks like:

imap-2 # cat /opt/mail/ldaptestuser/Mails/subscriptions Sent publictest/test/test1

The subscription of public folder test2 will also been synced, if I add my ldaptestuser to the acl file for this folder.

Another issue is to unsubscribe a public folder. If I unsubscribe folder test1, it is written to subscriptions file on the imap where I am connected, but it is NOT synced even if my user and group are configured at the dovecot-acl file. If I then unsubscribe a not public folder (like Sent), the former unsubscribed folder test1 is (faulty) subscribed again. But both imap do have the same subscriptions for my ldaptestuser user.

I do have the behavior with dovecot-2.2.26 and dovecot-2.2.27 on CentOS-7 (selinux disabled).

If you need more information like the dovecot -n or some other stuff give me a short notice.

Mike;

Timo Sirainen

7:40 p.m.

On 14 Dec 2016, at 11.16, Mike Fröhner mikefroehner@gmx.de wrote:

...

I made some additional tests and found that also local unix groups are not working in replacement for my ldap groups as discribed below.

Do groups in dovecot-acl intendedly not work?

http://wiki2.dovecot.org/ACL http://wiki2.dovecot.org/ACL -> ACL groups support works by returning a comma-separated acl_groups extra field from userdb, which contains all the groups the user belongs to. User's UNIX groups have no effect on ACLs (you can "enable" them by using a special post-login script).

...

On 12/13/2016 03:47 PM, Mike Fröhner wrote:

...
Hello people,

I am having an issue with 'doveadm sync'. I am currently trying to have two dovecots behind an haproxy (works fine). Therefore I configured these two dovecot server (imap-1/imap-2) to sync throught dsync. This works just partly. The sync of the maiboxes is fine, but the sync of the subscriptions file just works partly. It works for private folder subscription, but not completly for public folder subscription. I found two issues, if I am using LDAP (user/groups) in dovecot ACLs.

I would like to subscribe 2 public folder (public/test/test1 and public/test/test2).

My user (ldaptestuser) is an ldap user and this user is member of the ldap group (ldaptestgroup) which does have all dovecot-acl rights on these folders.

imap-1 # cat /opt/mail/_public/publictest/.test*/dovecot-acl group=ldaptestgroup akxeilprwts group=ldaptestgroup akxeilprwts

I am now connecting with my mail client to imap-1 (throught haproxy) and the subscription to this folder works. The file which is written looks like:

imap-1 # cat /opt/mail/ldaptestuser/Mails/subscriptions Sent publictest/test/test1 publictest/test/test2

Now I am awaiting the synch to imap-2, but the file which it written looks like:

imap-2 # cat /opt/mail/ldaptestuser/Mails/subscriptions Sent

If I modify the dovecot-acl for .test1 to

imap-1 # cat /opt/mail/_public/publictest/.test1/dovecot-acl group=ldaptestgroup akxeilprwts user=ldaptestuser akxeilprwts

and execute the subscription again - the synced file looks like:

imap-2 # cat /opt/mail/ldaptestuser/Mails/subscriptions Sent publictest/test/test1

The subscription of public folder test2 will also been synced, if I add my ldaptestuser to the acl file for this folder.

Another issue is to unsubscribe a public folder. If I unsubscribe folder test1, it is written to subscriptions file on the imap where I am connected, but it is NOT synced even if my user and group are configured at the dovecot-acl file. If I then unsubscribe a not public folder (like Sent), the former unsubscribed folder test1 is (faulty) subscribed again. But both imap do have the same subscriptions for my ldaptestuser user.

I do have the behavior with dovecot-2.2.26 and dovecot-2.2.27 on CentOS-7 (selinux disabled).

If you need more information like the dovecot -n or some other stuff give me a short notice.

Mike;

Mike Fröhner

16 Dec 16 Dec

4:25 p.m.

Thanks for your reply Timo.

On 12/14/2016 06:40 PM, Timo Sirainen wrote:

...

On 14 Dec 2016, at 11.16, Mike Fröhner mailto:mikefroehner@gmx.de> wrote:

...
I made some additional tests and found that also local unix groups are not working in replacement for my ldap groups as discribed below.

Do groups in dovecot-acl intendedly not work?

http://wiki2.dovecot.org/ACL -> ACL groups support works by returning a comma-separated acl_groups extra field from userdb, which contains all the groups the user belongs to. User's UNIX groups have no effect on ACLs (you can "enable" them by using a special post-login script).

I think I have configured the userdb right, because the debug log tells me this:

imap-1 dovecot: imap(ldaptestuser): Debug: acl: acl username = ldaptestuser imap-1 dovecot: imap(ldaptestuser): Debug: acl: owner = 1 imap-1 dovecot: imap(ldaptestuser): Debug: acl: group added: mailusers imap-1 dovecot: imap(ldaptestuser): Debug: acl: group added: ldaptestgroup

...

...
On 12/13/2016 03:47 PM, Mike Fröhner wrote:

...
Hello people,

I am having an issue with 'doveadm sync'. I am currently trying to have two dovecots behind an haproxy (works fine). Therefore I configured these two dovecot server (imap-1/imap-2) to sync throught dsync. This works just partly. The sync of the maiboxes is fine, but the sync of the subscriptions file just works partly. It works for private folder subscription, but not completly for public folder subscription. I found two issues, if I am using LDAP (user/groups) in dovecot ACLs.

I would like to subscribe 2 public folder (public/test/test1 and public/test/test2).

My user (ldaptestuser) is an ldap user and this user is member of the ldap group (ldaptestgroup) which does have all dovecot-acl rights on these folders.

imap-1 # cat /opt/mail/_public/publictest/.test*/dovecot-acl group=ldaptestgroup akxeilprwts group=ldaptestgroup akxeilprwts

I am now connecting with my mail client to imap-1 (throught haproxy) and the subscription to this folder works. The file which is written looks like:

imap-1 # cat /opt/mail/ldaptestuser/Mails/subscriptions Sent publictest/test/test1 publictest/test/test2

Now I am awaiting the synch to imap-2, but the file which it written looks like:

imap-2 # cat /opt/mail/ldaptestuser/Mails/subscriptions Sent

If I modify the dovecot-acl for .test1 to

imap-1 # cat /opt/mail/_public/publictest/.test1/dovecot-acl group=ldaptestgroup akxeilprwts user=ldaptestuser akxeilprwts

and execute the subscription again - the synced file looks like:

imap-2 # cat /opt/mail/ldaptestuser/Mails/subscriptions Sent publictest/test/test1

The subscription of public folder test2 will also been synced, if I add my ldaptestuser to the acl file for this folder.

Another issue is to unsubscribe a public folder. If I unsubscribe folder test1, it is written to subscriptions file on the imap where I am connected, but it is NOT synced even if my user and group are configured at the dovecot-acl file. If I then unsubscribe a not public folder (like Sent), the former unsubscribed folder test1 is (faulty) subscribed again. But both imap do have the same subscriptions for my ldaptestuser user.

I do have the behavior with dovecot-2.2.26 and dovecot-2.2.27 on CentOS-7 (selinux disabled).

If you need more information like the dovecot -n or some other stuff give me a short notice.

Mike;

Mike Fröhner

5:41 p.m.

Hi again,

here some more debugs:

On 12/16/2016 03:25 PM, Mike Fröhner wrote:

...

Thanks for your reply Timo.

On 12/14/2016 06:40 PM, Timo Sirainen wrote:

...
On 14 Dec 2016, at 11.16, Mike Fröhner mailto:mikefroehner@gmx.de> wrote:

...
I made some additional tests and found that also local unix groups are not working in replacement for my ldap groups as discribed below.

Do groups in dovecot-acl intendedly not work?

http://wiki2.dovecot.org/ACL -> ACL groups support works by returning a comma-separated acl_groups extra field from userdb, which contains all the groups the user belongs to. User's UNIX groups have no effect on ACLs (you can "enable" them by using a special post-login script).

I think I have configured the userdb right, because the debug log tells me this:

imap-1 dovecot: imap(ldaptestuser): Debug: acl: acl username = ldaptestuser imap-1 dovecot: imap(ldaptestuser): Debug: acl: owner = 1 imap-1 dovecot: imap(ldaptestuser): Debug: acl: group added: mailusers imap-1 dovecot: imap(ldaptestuser): Debug: acl: group added: ldaptestgroup

Well, the IMAP debug lists/adds the groups, but not the doveadm:

Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: auth PASS input: user=ldaptestuser Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: auth USER input: ldaptestuser home=/opt/mail/ldaptestuser mail=maildir:/opt/mail/ldaptestuser/Mails gid=991 uid=834603987 Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: Added userdb setting: mail=maildir:/opt/mail/ldaptestuser/Mails Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: Effective uid=834603987, gid=991, home=/opt/mail/ldaptestuser

Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: Namespace public-test: type=public, prefix=public/test/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=no location=maildir:/opt/mail/_public/test Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: maildir++: root=/opt/mail/_public/test, index=, indexpvt=, control=, inbox=, alt= Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: acl: initializing backend with data: vfile Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: acl: acl username = ldaptestuser Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: acl: owner = 0 Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: acl vfile: Global ACLs disabled

The debug output equals on server imap-1 and imap-2.

...

...
...
On 12/13/2016 03:47 PM, Mike Fröhner wrote:

...
Hello people,

I am having an issue with 'doveadm sync'. I am currently trying to have two dovecots behind an haproxy (works fine). Therefore I configured these two dovecot server (imap-1/imap-2) to sync throught dsync. This works just partly. The sync of the maiboxes is fine, but the sync of the subscriptions file just works partly. It works for private folder subscription, but not completly for public folder subscription. I found two issues, if I am using LDAP (user/groups) in dovecot ACLs.

I would like to subscribe 2 public folder (public/test/test1 and public/test/test2).

My user (ldaptestuser) is an ldap user and this user is member of the ldap group (ldaptestgroup) which does have all dovecot-acl rights on these folders.

imap-1 # cat /opt/mail/_public/publictest/.test*/dovecot-acl group=ldaptestgroup akxeilprwts group=ldaptestgroup akxeilprwts

I am now connecting with my mail client to imap-1 (throught haproxy) and the subscription to this folder works. The file which is written looks like:

imap-1 # cat /opt/mail/ldaptestuser/Mails/subscriptions Sent publictest/test/test1 publictest/test/test2

Now I am awaiting the synch to imap-2, but the file which it written looks like:

imap-2 # cat /opt/mail/ldaptestuser/Mails/subscriptions Sent

If I modify the dovecot-acl for .test1 to

imap-1 # cat /opt/mail/_public/publictest/.test1/dovecot-acl group=ldaptestgroup akxeilprwts user=ldaptestuser akxeilprwts

and execute the subscription again - the synced file looks like:

imap-2 # cat /opt/mail/ldaptestuser/Mails/subscriptions Sent publictest/test/test1

The subscription of public folder test2 will also been synced, if I add my ldaptestuser to the acl file for this folder.

Another issue is to unsubscribe a public folder. If I unsubscribe folder test1, it is written to subscriptions file on the imap where I am connected, but it is NOT synced even if my user and group are configured at the dovecot-acl file. If I then unsubscribe a not public folder (like Sent), the former unsubscribed folder test1 is (faulty) subscribed again. But both imap do have the same subscriptions for my ldaptestuser user.

I do have the behavior with dovecot-2.2.26 and dovecot-2.2.27 on CentOS-7 (selinux disabled).

If you need more information like the dovecot -n or some other stuff give me a short notice.

Mike;

2852

Age (days ago)

2855

Last active (days ago)

List overview

4 comments

2 participants

participants (2)

Mike Fröhner
Timo Sirainen