LDAP and user duplicated with replication
Hi,
I have two IMAP/LMTP Dovecot servers in replication (version 2.3.4.1); I use LDAP/AD for userdb, and replication is working.
When I do a search like:
doveadm replicator status '*'
I get duplicated users, with and without the domain part, for example:
test
test@domain.com
but they are the same user; this leads the replicator to do twice the work of replication.
I think this is related to /etc/dovecot/dovecot-ldap.conf, which is configured in this way:
hosts = xxx
base = dc=xxx,dc=xxx
ldap_version = 3
auth_bind = yes
dn = cn=xxx,cn=Users,dc=xxx,dc=xxx
dnpass = xxx
scope = subtree
user_attrs = sAMAccountName=home=/mnt/mail-storage-lv0007/%$,=uid=501,=gid=501
pass_attrs = sAMAccountName=user
user_filter = (&(objectclass=person)(samaccountname=%n))
pass_filter = (&(objectclass=person)(samaccountname=%n))
iterate_attrs = sAMAccountName=user
# With the following filter we exclude all objects without an email address, all computers and all inactive accounts
iterate_filter = (&(objectCategory=person)(mail=*)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
I think that iterate_attrs and iterate_filter should be fixed, but I don't know how.
Please could someone give me any hints?
Thanks
Regards
Anybody can help here?
Thanks
On 02/12/21 17:54, Claudio Corvino wrote:
Hi,
I have two IMAP/LMTP Dovecot servers in replication (version 2.3.4.1); I use LDAP/AD for userdb, and replication is working.
When I do a search like:
doveadm replicator status '*'
I get duplicated users, with and without the domain part, for example:
test
test@domain.com
but they are the same user; this leads the replicator to do twice the work of replication.
I think this is related to /etc/dovecot/dovecot-ldap.conf, which is configured in this way:
hosts = xxx
base = dc=xxx,dc=xxx
ldap_version = 3
auth_bind = yes
dn = cn=xxx,cn=Users,dc=xxx,dc=xxx
dnpass = xxx
scope = subtree
user_attrs = sAMAccountName=home=/mnt/mail-storage-lv0007/%$,=uid=501,=gid=501
pass_attrs = sAMAccountName=user
user_filter = (&(objectclass=person)(samaccountname=%n))
pass_filter = (&(objectclass=person)(samaccountname=%n))
iterate_attrs = sAMAccountName=user
# With the following filter we exclude all objects without an email address, all computers and all inactive accounts
iterate_filter = (&(objectCategory=person)(mail=*)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
I think that iterate_attrs and iterate_filter should be fixed, but I don't know how.
Please could someone give me any hints?
Thanks
Regards
Hello
On 02.12.21 at 17:54, Claudio Corvino wrote:
Hi,
I have two IMAP/LMTP Dovecot servers in replication (version 2.3.4.1); I use LDAP/AD for userdb, and replication is working.
When I do a search like:
doveadm replicator status '*'
I get duplicated users, with and without the domain part, for example:
test
test@domain.com
but they are the same user; this leads the replicator to do twice the work of replication.
I think this is related to /etc/dovecot/dovecot-ldap.conf, which is configured in this way:
hosts = xxx
base = dc=xxx,dc=xxx
ldap_version = 3
auth_bind = yes
dn = cn=xxx,cn=Users,dc=xxx,dc=xxx
dnpass = xxx
scope = subtree
user_attrs = sAMAccountName=home=/mnt/mail-storage-lv0007/%$,=uid=501,=gid=501
[...]
This is for sure wrong.
Try: user_attrs = sAMAccountName=user,=home=/mnt/mail-storage-lv0007/%$,=uid=501,=gid=501
Kind regards,
Christian Mack
--
Christian Mack
Universität Konstanz
Kommunikations-, Informations-, Medienzentrum (KIM)
Abteilung IT-Dienste Forschung und Lehre
78457 Konstanz
+49 7531 88-4416
Hi Christian,
if I try:
user_attrs = sAMAccountName=user,=home=/mnt/mail-storage-lv0007/%$,=uid=501,=gid=501
then the result on node A is:
# doveadm user its-test
field  value
uid    501
gid    501
home   /mnt/mail-storage-lv0007/
mail   maildir:~/Maildir:INDEX=/var/indexes/its-test
On node B, where I didn't change anything, the result is:
# doveadm user its-test
field  value
uid    501
gid    501
home   /mnt/mail-storage-lv0007/its-test
mail   maildir:~/Maildir:INDEX=/var/indexes/its-test
I think that the home is correct on node B, don't you?
Then when I do a search like this:
doveadm replicator status '*'
I have the same result on both nodes:
# doveadm replicator status '*'
username   priority  fast sync  full sync  success sync  failed
its-test   low       00:04:05   19:57:52   19:58:47      -
its-test2  none      19:59:43   19:59:43   44:01:24      -
I have to specify that in these days I did some tests and removed all the users with the domain part in the name with the following commands:
doveadm replicator remove its-test2@domain.com
doveadm replicator remove its-test@domain.com
But I don't know if this is useful; I executed the same command on the production servers and all the users with the domain part in the name reappeared after a few minutes. In the test environment, anyway, after the doveadm replicator remove command these users are not reappearing ... I don't know why.
Thanks for your help!
Kind Regards
On 06/12/21 14:43, Christian Mack wrote:
Hello
On 02.12.21 at 17:54, Claudio Corvino wrote:
Hi,
I have two IMAP/LMTP Dovecot servers in replication (version 2.3.4.1); I use LDAP/AD for userdb, and replication is working.
When I do a search like:
doveadm replicator status '*'
I get duplicated users, with and without the domain part, for example:
test
test@domain.com
but they are the same user; this leads the replicator to do twice the work of replication.
I think this is related to /etc/dovecot/dovecot-ldap.conf, which is configured in this way:
hosts = xxx
base = dc=xxx,dc=xxx
ldap_version = 3
auth_bind = yes
dn = cn=xxx,cn=Users,dc=xxx,dc=xxx
dnpass = xxx
scope = subtree
user_attrs = sAMAccountName=home=/mnt/mail-storage-lv0007/%$,=uid=501,=gid=501
[...]
This is for sure wrong.
Try: user_attrs = sAMAccountName=user,=home=/mnt/mail-storage-lv0007/%$,=uid=501,=gid=501
Kind regards,
Christian Mack
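The thread's diagnosis rests on reading the `doveadm replicator status '*'` table by hand and spotting users that appear once with and once without the domain part. As an added example, not code from the thread or from the Dovecot project, here is a small checker that parses that table and reports every local part that is registered under more than one spelling, so the duplicate-work problem the thread describes can be confirmed on a node (or verified fixed after a config change) without eyeballing the list. The sample table below is constructed to mirror the layout shown in the thread; the usernames and times in it are invented.

```python
from collections import defaultdict

# Constructed sample in the layout of `doveadm replicator status '*'`:
# columns are username, priority, fast sync, full sync, success sync, failed.
SAMPLE_STATUS = """\
username             priority  fast sync  full sync  success sync  failed
its-test             low       00:04:05   19:57:52   19:58:47      -
its-test@domain.com  none      19:59:43   19:59:43   44:01:24      -
its-test2            none      19:59:43   19:59:43   44:01:24      -
"""

COLUMNS = ("username", "priority", "fast_sync", "full_sync", "success_sync", "failed")


def parse_replicator_status(text):
    """Turn the replicator status table into a list of row dicts.

    Each data row has exactly six whitespace-separated fields; the header
    line ("username priority fast sync ...") has more because of the spaces
    in its column titles, so it is skipped along with blank lines.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(COLUMNS) or parts[0] == "username":
            continue
        rows.append(dict(zip(COLUMNS, parts)))
    return rows


def find_domain_duplicates(rows):
    """Group usernames by local part (the text before any '@').

    Returns {local_part: [spellings...]} for every local part that is
    registered more than once, e.g. both "test" and "test@domain.com".
    Those are the entries the replicator will sync twice.
    """
    by_local = defaultdict(list)
    for row in rows:
        local = row["username"].split("@", 1)[0]
        by_local[local].append(row["username"])
    return {local: sorted(names) for local, names in by_local.items() if len(names) > 1}


def report(text):
    """Human-readable summary for running against captured doveadm output."""
    rows = parse_replicator_status(text)
    dups = find_domain_duplicates(rows)
    lines = [f"{len(rows)} replicator entries, {len(dups)} duplicated local part(s)"]
    for local, names in sorted(dups.items()):
        lines.append(f"  {local}: {', '.join(names)}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pipe real output in with: doveadm replicator status '*' | python3 check.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS
    print(report(data))
```

Run it on a node before and after adjusting `user_attrs`/`iterate_attrs`: the duplicated local parts should disappear once userdb lookups and iteration return the username in one consistent form.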