public folder subscriptions sync issue with ldap user/group in dovecot-acl

Mike Fröhner mikefroehner at gmx.de
Fri Dec 16 15:41:40 UTC 2016


Hi again,

here are some more debug logs:

On 12/16/2016 03:25 PM, Mike Fröhner wrote:
> Thanks for your reply Timo.
>
> On 12/14/2016 06:40 PM, Timo Sirainen wrote:
>> On 14 Dec 2016, at 11.16, Mike Fröhner <mikefroehner at gmx.de> wrote:
>>>
>>> I made some additional tests and found that local unix groups also do
>>> not work as a replacement for my ldap groups as described below.
>>>
>>> Do groups in dovecot-acl intentionally not work?
>>
>> http://wiki2.dovecot.org/ACL -> ACL groups support works by returning a
>> comma-separated acl_groups extra field from userdb, which contains all
>> the groups the user belongs to. User's UNIX groups have no effect on
>> ACLs (you can "enable" them by using a special post-login script).
>
> I think I have configured the userdb right, because the debug log tells
> me this:
>
> imap-1 dovecot: imap(ldaptestuser): Debug: acl: acl username = ldaptestuser
> imap-1 dovecot: imap(ldaptestuser): Debug: acl: owner = 1
> imap-1 dovecot: imap(ldaptestuser): Debug: acl: group added: mailusers
> imap-1 dovecot: imap(ldaptestuser): Debug: acl: group added: ldaptestgroup

Well, the IMAP debug output lists/adds the groups, but the doveadm output does not:

Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: auth PASS 
input: user=ldaptestuser
Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: auth USER 
input: ldaptestuser home=/opt/mail/ldaptestuser 
mail=maildir:/opt/mail/ldaptestuser/Mails gid=991 uid=834603987
Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: Added 
userdb setting: mail=maildir:/opt/mail/ldaptestuser/Mails
Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: Effective 
uid=834603987, gid=991, home=/opt/mail/ldaptestuser



Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: Namespace 
public-test: type=public, prefix=public/test/, sep=/, inbox=no, 
hidden=no, list=yes, subscriptions=no 
location=maildir:/opt/mail/_public/test
Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: maildir++: 
root=/opt/mail/_public/test, index=, indexpvt=, control=, inbox=, alt=
Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: acl: 
initializing backend with data: vfile
Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: acl: acl 
username = ldaptestuser
Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: acl: owner = 0
Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: acl vfile: 
Global ACLs disabled

The debug output is the same on servers imap-1 and imap-2.

>
>>
>>>
>>> On 12/13/2016 03:47 PM, Mike Fröhner wrote:
>>>> Hello people,
>>>>
>>>> I am having an issue with 'doveadm sync'. I am currently trying to have
>>>> two dovecots behind an haproxy (works fine). Therefore I configured
>>>> these two dovecot servers (imap-1/imap-2) to sync through dsync. This
>>>> works just partly. The sync of the mailboxes is fine, but the sync of
>>>> the subscriptions file just works partly. It works for private folder
>>>> subscriptions, but not completely for public folder subscriptions. I found
>>>> two issues, if I am using LDAP (user/groups) in dovecot ACLs.
>>>>
>>>> 1. I would like to subscribe to 2 public folders (public/test/test1 and
>>>> public/test/test2).
>>>>
>>>> My user (ldaptestuser) is an ldap user and this user is member of the
>>>> ldap group (ldaptestgroup) which does have all dovecot-acl rights on
>>>> these folders.
>>>>
>>>> imap-1 # cat /opt/mail/_public/publictest/.test*/dovecot-acl
>>>> group=ldaptestgroup akxeilprwts
>>>> group=ldaptestgroup akxeilprwts
>>>>
>>>> I am now connecting with my mail client to imap-1 (through haproxy)
>>>> and the subscription to this folder works. The file which is written
>>>> looks like:
>>>>
>>>> imap-1 # cat /opt/mail/ldaptestuser/Mails/subscriptions
>>>> Sent
>>>> publictest/test/test1
>>>> publictest/test/test2
>>>>
>>>> Now I am awaiting the sync to imap-2, but the file which is written
>>>> looks like:
>>>>
>>>> imap-2 # cat /opt/mail/ldaptestuser/Mails/subscriptions
>>>> Sent
>>>>
>>>> If I modify the dovecot-acl for .test1 to
>>>>
>>>> imap-1 # cat /opt/mail/_public/publictest/.test1/dovecot-acl
>>>> group=ldaptestgroup akxeilprwts
>>>> user=ldaptestuser akxeilprwts
>>>>
>>>> and execute the subscription again - the synced file looks like:
>>>>
>>>> imap-2 # cat /opt/mail/ldaptestuser/Mails/subscriptions
>>>> Sent
>>>> publictest/test/test1
>>>>
>>>> The subscription of public folder test2 will also be synced, if I add
>>>> my ldaptestuser to the acl file for this folder.
>>>>
>>>> 2. Another issue is unsubscribing from a public folder. If I unsubscribe
>>>> folder test1, it is written to the subscriptions file on the imap where
>>>> I am connected, but it is NOT synced even if my user and group are
>>>> configured in the dovecot-acl file. If I then unsubscribe a non-public
>>>> folder (like Sent), the formerly unsubscribed folder test1 is (faultily)
>>>> subscribed again. But both imaps do have the same subscriptions for my
>>>> ldaptestuser user.
>>>>
>>>> I do have the behavior with dovecot-2.2.26 and dovecot-2.2.27 on
>>>> CentOS-7 (selinux disabled).
>>>>
>>>> If you need more information like the dovecot -n or some other stuff
>>>> give me a short notice.
>>>>
>>>> Mike;
>>>>
>>
>
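
Added example (not part of the original post, and not Dovecot code): a small Python check over the debug lines quoted in this thread that reports, per service, whether the ACL plugin attached any groups and whether the userdb reply carried an acl_groups field. It assumes that acl_groups, when the userdb returns it, shows up as a key=value field in the "auth USER input:" debug line; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Debug lines quoted in this thread, with the mail client's line wrapping undone.
SAMPLE_LOG = """\
imap-1 dovecot: imap(ldaptestuser): Debug: acl: acl username = ldaptestuser
imap-1 dovecot: imap(ldaptestuser): Debug: acl: group added: mailusers
imap-1 dovecot: imap(ldaptestuser): Debug: acl: group added: ldaptestgroup
Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: auth USER input: ldaptestuser home=/opt/mail/ldaptestuser mail=maildir:/opt/mail/ldaptestuser/Mails gid=991 uid=834603987
Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: acl: acl username = ldaptestuser
Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: acl: owner = 0
"""

LINE_RE = re.compile(r"dovecot: (?P<service>[\w-]+)\((?P<user>[^)]+)\): Debug: (?P<msg>.*)$")
GROUP_PREFIX = "acl: group added: "
USERDB_PREFIX = "auth USER input: "

def summarize(log_text):
    """Map (service, user) -> what the ACL plugin and userdb lookup logged."""
    sessions = defaultdict(
        lambda: {"acl_init": False, "groups": [], "userdb_acl_groups": None})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s = sessions[(m["service"], m["user"])]
        msg = m["msg"]
        if msg.startswith("acl: acl username ="):
            s["acl_init"] = True
        elif msg.startswith(GROUP_PREFIX):
            s["groups"].append(msg[len(GROUP_PREFIX):].strip())
        elif msg.startswith(USERDB_PREFIX):
            # First token is the username, the rest are key=value userdb fields.
            tokens = msg[len(USERDB_PREFIX):].split()[1:]
            fields = dict(t.split("=", 1) for t in tokens if "=" in t)
            raw = fields.get("acl_groups", "")
            # [] means: lookup seen, but no acl_groups field in the reply.
            s["userdb_acl_groups"] = [g for g in raw.split(",") if g]
    return dict(sessions)

def sessions_without_groups(log_text):
    """Sessions where the ACL plugin started but attached no group at all."""
    return sorted(
        f"{service}({user})"
        for (service, user), s in summarize(log_text).items()
        if s["acl_init"] and not s["groups"])

if __name__ == "__main__":
    for name in sessions_without_groups(SAMPLE_LOG):
        print("no ACL groups attached for", name)
```

Run against the lines above, it flags only the doveadm session: the imap session gets both groups, while the doveadm userdb reply has no acl_groups field and no "group added" line follows.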

