public folder subscriptions sync issue with ldap user/group in dovecot-acl

Mike Fröhner mikefroehner at gmx.de
Fri Dec 16 14:25:53 UTC 2016


Thanks for your reply Timo.

On 12/14/2016 06:40 PM, Timo Sirainen wrote:
> On 14 Dec 2016, at 11.16, Mike Fröhner <mikefroehner at gmx.de> wrote:
>>
>> I made some additional tests and found that also local unix groups are
>> not working in replacement for my ldap groups as described below.
>>
>> Do groups in dovecot-acl intendedly not work?
>
> http://wiki2.dovecot.org/ACL -> ACL groups support works by returning a
> comma-separated acl_groups extra field from userdb, which contains all
> the groups the user belongs to. User's UNIX groups have no effect on
> ACLs (you can "enable" them by using a special post-login script).

I think I have configured the userdb right, because the debug log tells 
me this:

imap-1 dovecot: imap(ldaptestuser): Debug: acl: acl username = ldaptestuser
imap-1 dovecot: imap(ldaptestuser): Debug: acl: owner = 1
imap-1 dovecot: imap(ldaptestuser): Debug: acl: group added: mailusers
imap-1 dovecot: imap(ldaptestuser): Debug: acl: group added: ldaptestgroup

>
>>
>> On 12/13/2016 03:47 PM, Mike Fröhner wrote:
>>> Hello people,
>>>
>>> I am having an issue with 'doveadm sync'. I am currently trying to have
>>> two dovecots behind an haproxy (works fine). Therefore I configured
>>> these two dovecot servers (imap-1/imap-2) to sync through dsync. This
>>> works just partly. The sync of the mailboxes is fine, but the sync of the
>>> subscriptions file just works partly. It works for private folder
>>> subscription, but not completely for public folder subscription. I found
>>> two issues, if I am using LDAP (user/groups) in dovecot ACLs.
>>>
>>> 1. I would like to subscribe 2 public folders (public/test/test1 and
>>> public/test/test2).
>>>
>>> My user (ldaptestuser) is an ldap user and this user is member of the
>>> ldap group (ldaptestgroup) which does have all dovecot-acl rights on
>>> these folders.
>>>
>>> imap-1 # cat /opt/mail/_public/publictest/.test*/dovecot-acl
>>> group=ldaptestgroup akxeilprwts
>>> group=ldaptestgroup akxeilprwts
>>>
>>> I am now connecting with my mail client to imap-1 (through haproxy) and
>>> the subscription to this folder works. The file which is written looks
>>> like:
>>>
>>> imap-1 # cat /opt/mail/ldaptestuser/Mails/subscriptions
>>> Sent
>>> publictest/test/test1
>>> publictest/test/test2
>>>
>>> Now I am awaiting the synch to imap-2, but the file which is written
>>> looks like:
>>>
>>> imap-2 # cat /opt/mail/ldaptestuser/Mails/subscriptions
>>> Sent
>>>
>>> If I modify the dovecot-acl for .test1 to
>>>
>>> imap-1 # cat /opt/mail/_public/publictest/.test1/dovecot-acl
>>> group=ldaptestgroup akxeilprwts
>>> user=ldaptestuser akxeilprwts
>>>
>>> and execute the subscription again - the synced file looks like:
>>>
>>> imap-2 # cat /opt/mail/ldaptestuser/Mails/subscriptions
>>> Sent
>>> publictest/test/test1
>>>
>>> The subscription of public folder test2 will also be synced, if I add
>>> my ldaptestuser to the acl file for this folder.
>>>
>>> 2. Another issue is to unsubscribe a public folder. If I unsubscribe
>>> folder test1, it is written to subscriptions file on the imap where I am
>>> connected, but it is NOT synced even if my user and group are configured
>>> at the dovecot-acl file. If I then unsubscribe a not public folder (like
>>> Sent), the former unsubscribed folder test1 is (faulty) subscribed
>>> again. But both imap do have the same subscriptions for my ldaptestuser
>>> user.
>>>
>>> I do have the behavior with dovecot-2.2.26 and dovecot-2.2.27 on
>>> CentOS-7 (selinux disabled).
>>>
>>> If you need more information like the dovecot -n or some other stuff
>>> give me a short notice.
>>>
>>> Mike;
>>>
>
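
Added example, not part of the original message and not Dovecot code: a small check that reads the groups from the acl debug log lines and the dovecot-acl contents quoted above, then reports per folder whether the lookup right (l) reaches the user through a user= entry or only through a group= entry, the case the post reports as not syncing. The dict layout and function names are constructed for illustration; entries prefixed with "-" (negative rights) are skipped and no ACL precedence is computed.

```python
import re

# Log lines and ACL contents copied from the post; the dict layout is constructed.
DEBUG_LOG = """\
imap-1 dovecot: imap(ldaptestuser): Debug: acl: acl username = ldaptestuser
imap-1 dovecot: imap(ldaptestuser): Debug: acl: owner = 1
imap-1 dovecot: imap(ldaptestuser): Debug: acl: group added: mailusers
imap-1 dovecot: imap(ldaptestuser): Debug: acl: group added: ldaptestgroup
"""
ACL_FILES = {
    ".test1": "group=ldaptestgroup akxeilprwts\nuser=ldaptestuser akxeilprwts\n",
    ".test2": "group=ldaptestgroup akxeilprwts\n",
}

def groups_from_log(log, user):
    """Collect the groups the acl plugin logged for one user."""
    pat = re.compile(r"\(%s\): Debug: acl: group added: (\S+)" % re.escape(user))
    return set(pat.findall(log))

def parse_acl(text):
    """Yield (kind, name, rights) per dovecot-acl line; negative entries skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("-"):
            continue
        ident, _, rights = line.partition(" ")
        kind, _, name = ident.partition("=")
        # Single-letter rights come first; anything after ':' is named rights.
        yield kind, name, set(rights.split(":")[0].strip())

def access_source(acl_text, user, groups, right="l"):
    """Return 'user', 'group-only' or 'none' for how `right` reaches the user."""
    via_user = via_group = False
    for kind, name, rights in parse_acl(acl_text):
        if right not in rights:
            continue
        if kind == "user" and name == user:
            via_user = True
        elif kind == "group" and name in groups:
            via_group = True
    if via_user:
        return "user"
    return "group-only" if via_group else "none"

def report(user="ldaptestuser"):
    """Map each sample folder to the source of the user's lookup right."""
    groups = groups_from_log(DEBUG_LOG, user)
    return {folder: access_source(acl, user, groups) for folder, acl in ACL_FILES.items()}

if __name__ == "__main__":
    for folder, source in report().items():
        print(folder, source)
```

Folders reported as group-only are the ones to compare between imap-1 and imap-2 after a sync run.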