limit sharing ability to certain users

Aki Tuomi aki.tuomi at dovecot.fi
Tue Aug 7 13:05:05 EEST 2018


Hmm. If you put it *after* the ldap userdb, it should not have prevented
users from logging in.

What happens if you do

userdb {
  driver = passwd-file
  args = ....
  skip = notfound
  result_failure = continue-ok
}

Aki

On 07.08.2018 12:58, Simeon Ott wrote:
> Now the attributes are correctly read for the user test at onnet.ch, but
> other users are not able to authenticate anymore.
>
> root at buserver:/var/spool/postfix/virtual/onnet.ch/test/Maildir/.super# doveadm user test at onnet.ch
> field             value
> uid               5000
> gid               5000
> home              /var/spool/postfix/virtual/onnet.ch/test/
> mail              maildir:~/Maildir
> quota_rule        *:bytes=1073741824
> acl               vfile:/etc/dovecot/dovecot-acl
> acl_globals_only  yes
>
> root at buserver:/etc/dovecot# doveadm user test2 at onnet.ch
> field             value
> userdb lookup: user test2 at onnet.ch doesn't exist
>
> I need to add all users to the passwd too to let other users
> authenticate properly. This is not an option for our productive
> server, because the LDAP directory should be the main db for user
> administration. After adding “test at onnet.ch:::::::” to the passwd
> file, doveadm user works with test2 at onnet.ch
>
> root at buserver:/var/spool/postfix/virtual/onnet.ch/test/Maildir/.super# doveadm user test2 at onnet.ch
> field             value
> uid               5000
> gid               5000
> home              /var/spool/postfix/virtual/onnet.ch/test2/
> mail              maildir:~/Maildir
> quota_rule        *:bytes=1073741824
>
> IMPORTANT NOTE: anyway.. even with these options set (acl and
> acl_globals_only) the user test at onnet.ch is still able to share its
> own folders?!
>
>
>> On 7 Aug 2018, at 11:35, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
>>
>> Ah. You probably need to change ldap userdb so that you add
>>
>> userdb {
>>   driver = ldap
>>   args = /etc/dovecot/dovecot-ldap.conf
>>   result_success = continue-ok
>> }
>>
>> so that the next one is processed.
>>
>> You can use 'doveadm user test at onnet.ch' to verify that the
>> attributes are read for this user, and with another username that
>> they are not.
>>
>> Aki
>>
>>
>> On 07.08.2018 12:23, Simeon Ott wrote:
>>> … attached the dovecot -n, linked files, debug log lines during a
>>> standard client login
>>>
>>> root at buserver:/etc/dovecot/conf.d# doveconf -n
>>> # 2.2.13: /etc/dovecot/dovecot.conf
>>> # OS: Linux 3.16.0-6-amd64 x86_64 Debian 8.11 
>>> auth_debug = yes
>>> auth_debug_passwords = yes
>>> auth_mechanisms = plain login
>>> auth_verbose = yes
>>> auth_verbose_passwords = plain
>>> debug_log_path = syslog
>>> disable_plaintext_auth = no
>>> info_log_path = syslog
>>> lda_mailbox_autocreate = yes
>>> lda_mailbox_autosubscribe = yes
>>> login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
>>> mail_debug = yes
>>> mail_gid = 5000
>>> mail_location = maildir:~/Maildir
>>> mail_plugins = zlib quota acl
>>> mail_uid = 5000
>>> managesieve_notify_capability = mailto
>>> managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
>>> namespace {
>>>   hidden = no
>>>   ignore_on_failure = no
>>>   inbox = no
>>>   list = children
>>>   location = maildir:%%h/Maildir:INDEX=%h/shared/%%u:CONTROL=%h/shared/%%u
>>>   prefix = shared/%%u/
>>>   separator = /
>>>   subscriptions = yes
>>>   type = shared
>>> }
>>> namespace inbox {
>>>   inbox = yes
>>>   location = 
>>>   mailbox Drafts {
>>>     auto = subscribe
>>>     special_use = \Drafts
>>>   }
>>>   mailbox Sent {
>>>     auto = subscribe
>>>     special_use = \Sent
>>>   }
>>>   mailbox "Sent Messages" {
>>>     special_use = \Sent
>>>   }
>>>   mailbox Spam {
>>>     auto = subscribe
>>>     special_use = \Junk
>>>   }
>>>   mailbox Trash {
>>>     auto = subscribe
>>>     special_use = \Trash
>>>   }
>>>   prefix = 
>>>   separator = /
>>>   type = private
>>> }
>>> passdb {
>>>   args = /etc/dovecot/dovecot-ldap.conf
>>>   driver = ldap
>>> }
>>> plugin {
>>>   acl = vfile
>>>   acl_shared_dict = file:/var/spool/postfix/virtual/shared-mailboxes
>>>   quota = maildir:User quota
>>>   quota_exceeded_message = 4.2.2 Mailbox full
>>>   quota_rule = *:storage=1G
>>>   quota_rule2 = INBOX.Trash:storage=+100M
>>>   quota_rule3 = INBOX.Spam:ignore
>>>   quota_warning = storage=95%% quota-warning 95 %u
>>>   sieve = ~/.dovecot.sieve
>>>   sieve_before = /var/lib/dovecot/sieve/default.sieve
>>>   sieve_dir = ~/sieve
>>>   sieve_max_actions = 32
>>>   sieve_max_redirects = 4
>>>   sieve_max_script_size = 1M
>>>   sieve_quota_max_scripts = 0
>>>   sieve_quota_max_storage = 0
>>> }
>>> protocols = " imap lmtp sieve pop3"
>>> service auth {
>>>   group = dovecot
>>>   unix_listener /var/spool/postfix/private/auth {
>>>     group = postfix
>>>     mode = 0666
>>>     user = postfix
>>>   }
>>>   unix_listener auth-master {
>>>     group = vmail
>>>     mode = 0666
>>>     user = vmail
>>>   }
>>>   unix_listener auth-userdb {
>>>     group = vmail
>>>     mode = 0666
>>>     user = vmail
>>>   }
>>>   user = dovecot
>>> }
>>> service lmtp {
>>>   unix_listener lmtp {
>>>     mode = 0666
>>>   }
>>> }
>>> service managesieve-login {
>>>   inet_listener sieve {
>>>     port = 4190
>>>   }
>>>   inet_listener sieve_deprecated {
>>>     port = 2000
>>>   }
>>>   process_min_avail = 0
>>>   service_count = 1
>>>   vsz_limit = 64 M
>>> }
>>> ssl = no
>>> userdb {
>>>   args = /etc/dovecot/dovecot-ldap.conf
>>>   driver = ldap
>>> }
>>> userdb {
>>>   args = username_format=%Lu /etc/dovecot/share.passwd
>>>   driver = passwd-file
>>> }
>>> protocol lmtp {
>>>   mail_plugins = zlib quota acl sieve
>>> }
>>> protocol lda {
>>>   auth_socket_path = /var/run/dovecot/auth-master
>>>   deliver_log_format = msgid=%m: %$
>>>   mail_plugins = zlib quota acl sieve
>>>   postmaster_address = postmaster at onnet.ch
>>> }
>>> protocol imap {
>>>   mail_plugins = zlib quota acl imap_quota imap_acl
>>> }
>>> protocol sieve {
>>>   info_log_path = /var/log/sieve.log
>>>   log_path = /var/log/sieve.log
>>>   mail_max_userip_connections = 10
>>>   managesieve_implementation_string = Dovecot Pigeonhole
>>>   managesieve_logout_format = bytes=%i/%o
>>>   managesieve_max_compile_errors = 5
>>>   managesieve_max_line_length = 65536
>>> }
>>>
>>> root at buserver:/etc/dovecot# cat dovecot-acl
>>> root at buserver:/etc/dovecot#
>>>
>>> —> means empty file
>>>
>>> root at buserver:/etc/dovecot# cat share.passwd 
>>> test at onnet.ch:::::::userdb_acl=vfile:/etc/dovecot/dovecot-acl userdb_acl_globals_only=yes
>>>
>>> root at buserver:/etc/dovecot# sed -e '/^#/d' dovecot-ldap.conf
>>> hosts = localhost
>>> uris = ldap://localhost:389/
>>> debug_level = 10
>>> auth_bind = yes
>>> ldap_version = 3
>>> base = ou=domains,dc=intra,dc=onnet,dc=ch
>>> deref = never
>>> scope = subtree
>>> user_attrs = homeDirectory=home=/var/spool/postfix/virtual/%$,uidNumber=uid,gidNumber=gid,quota=quota_rule=*:bytes=%$
>>> user_filter = (&(objectClass=CourierMailAccount)(mail=%u))
>>> pass_attrs = mail=user,userPassword=password
>>> pass_filter = (&(objectClass=CourierMailAccount)(mail=%u))
>>> iterate_attrs = mail=user
>>> iterate_filter = (objectClass=CourierMailAccount)
>>> default_pass_scheme = CRYPT
>>>
>>> root at buserver:/etc/dovecot# cat /var/log/mail.log | grep "Aug  7 11:17:27"
>>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch): Debug: acl vfile: file
>>> /var/spool/postfix/virtual/onnet.ch/test//Maildir/.test folder 1.sub folder 1
>>> 1/dovecot-acl not found
>>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch): Debug: acl vfile: reading file
>>> /var/spool/postfix/virtual/onnet.ch/test//Maildir/.super/dovecot-acl
>>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch): Debug: acl vfile: reading file
>>> /var/spool/postfix/virtual/onnet.ch/test//Maildir/.super.hello du/dovecot-acl
>>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch): Debug: acl vfile: file
>>> /var/spool/postfix/virtual/onnet.ch/test//Maildir/.test folder 1/dovecot-acl not found
>>> Aug  7 11:17:27 buserver dovecot: auth: Debug: auth client connected
>>> (pid=3203)
>>> Aug  7 11:17:27 buserver dovecot: auth: Debug: client in:
>>> AUTH#0111#011PLAIN#011service=imap#011session=lkbV3NRyyQDAqDgB#011lip=192.168.56.50#011rip=192.168.56.1#011lport=143#011rport=52169#011resp=dGVzdEBvbm5ldC5jaAB0ZXN0QG9ubmV0LmNoAG5vdmVsbDEyMzQ1Ng==
>>> (previous base64 data may contain sensitive data)
>>> Aug  7 11:17:27 buserver dovecot: auth: Debug: ldap(test at onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): bind search:
>>> base=ou=domains,dc=intra,dc=onnet,dc=ch
>>> filter=(&(objectClass=CourierMailAccount)(mail=test at onnet.ch))
>>> Aug  7 11:17:27 buserver dovecot: auth: Debug: ldap(test at onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result:
>>> mail=test at onnet.ch; mail unused
>>> Aug  7 11:17:27 buserver dovecot: auth: Debug: ldap(test at onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result:
>>> mail=test at onnet.ch
>>> Aug  7 11:17:27 buserver dovecot: auth: Debug: client passdb out:
>>> OK#0111#011user=test at onnet.ch
>>> Aug  7 11:17:27 buserver dovecot: auth: Debug: master in:
>>> REQUEST#0113718250497#0113203#0111#011089fd1d9e1a2c66586786422f24c51cd#011session_pid=3206#011request_auth_token
>>> Aug  7 11:17:27 buserver dovecot: auth: Debug: ldap(test at onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): user search:
>>> base=ou=domains,dc=intra,dc=onnet,dc=ch scope=subtree
>>> filter=(&(objectClass=CourierMailAccount)(mail=test at onnet.ch))
>>> fields=homeDirectory,uidNumber,gidNumber,quota
>>> Aug  7 11:17:27 buserver dovecot: auth: Debug: ldap(test at onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result:
>>> uidNumber=5000 quota=1073741824 gidNumber=5000
>>> homeDirectory=onnet.ch/test/;
>>> homeDirectory,uidNumber,quota,gidNumber unused
>>> Aug  7 11:17:27 buserver dovecot: auth: Debug: ldap(test at onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result:
>>> uidNumber=5000 quota=1073741824 gidNumber=5000
>>> homeDirectory=onnet.ch/test/
>>> Aug  7 11:17:27 buserver dovecot: auth: Debug: master userdb out:
>>> USER#0113718250497#011test at onnet.ch#011home=/var/spool/postfix/virtual/onnet.ch/test/#011uid=5000#011gid=5000#011quota_rule=*:bytes=1073741824#011auth_token=913bee7c974e18d4527fc38d90457411e7e61201
>>> Aug  7 11:17:27 buserver dovecot: imap-login: Login:
>>> user=<test at onnet.ch>, method=PLAIN,
>>> rip=192.168.56.1, lip=192.168.56.50, mpid=3206
>>> Aug  7 11:17:27 buserver dovecot: imap: Debug: Loading modules from
>>> directory: /usr/lib/dovecot/modules
>>> Aug  7 11:17:27 buserver dovecot: imap: Debug: Module loaded:
>>> /usr/lib/dovecot/modules/lib01_acl_plugin.so
>>> Aug  7 11:17:27 buserver dovecot: imap: Debug: Module loaded:
>>> /usr/lib/dovecot/modules/lib02_imap_acl_plugin.so
>>> Aug  7 11:17:27 buserver dovecot: imap: Debug: Module loaded:
>>> /usr/lib/dovecot/modules/lib10_quota_plugin.so
>>> Aug  7 11:17:27 buserver dovecot: imap: Debug: Module loaded:
>>> /usr/lib/dovecot/modules/lib11_imap_quota_plugin.so
>>> Aug  7 11:17:27 buserver dovecot: imap: Debug: Module loaded:
>>> /usr/lib/dovecot/modules/lib20_zlib_plugin.so
>>> Aug  7 11:17:27 buserver dovecot: imap: Debug: Added userdb setting:
>>> plugin/quota_rule=*:bytes=1073741824
>>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch): Debug: Effective uid=5000, gid=5000,
>>> home=/var/spool/postfix/virtual/onnet.ch/test/
>>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch): Debug: Quota root: name=User quota
>>> backend=maildir args=
>>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch): Debug: Quota rule: root=User quota mailbox=*
>>> bytes=1073741824 messages=0
>>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch): Debug: Quota rule: root=User quota
>>> mailbox=INBOX.Trash bytes=+104857600 messages=0
>>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch): Debug: Quota rule: root=User quota
>>> mailbox=INBOX.Spam ignored
>>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch): Debug: Quota warning: bytes=1020054732 (95%)
>>> messages=0 reverse=no command=quota-warning 95 test at onnet.ch
>>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch): Debug: Quota grace: root=User quota
>>> bytes=107374182 (10%)
>>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch): Debug: Namespace inbox: type=private,
>>> prefix=, sep=/, inbox=yes, hidden=no, list=yes, subscriptions=yes
>>> location=maildir:~/Maildir
>>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch): Debug: maildir++:
>>> root=/var/spool/postfix/virtual/onnet.ch/test//Maildir, index=, indexpvt=, control=,
>>> inbox=/var/spool/postfix/virtual/onnet.ch/test//Maildir, alt=
>>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch): Debug: acl: initializing backend with data:
>>> vfile
>>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch): Debug: acl: acl username = test at onnet.ch
>>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch): Debug: acl: owner = 1
>>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch): Debug: acl vfile: Global ACLs disabled
>>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch): Debug: Namespace : type=shared,
>>> prefix=shared/%u/, sep=/, inbox=no, hidden=no, list=children,
>>> subscriptions=yes
>>> location=maildir:%h/Maildir:INDEX=/var/spool/postfix/virtual/onnet.ch/test//shared/%u:CONTROL=/var/spool/postfix/virtual/onnet.ch/test//shared/%u
>>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch): Debug: shared: root=/var/run/dovecot, index=,
>>> indexpvt=, control=, inbox=, alt=
>>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch): Debug: acl: initializing backend with data:
>>> vfile
>>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch): Debug: acl: acl username = test at onnet.ch
>>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch): Debug: acl: owner = 0
>>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch): Debug: acl vfile: Global ACLs disabled
>>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch): Disconnected: Logged out in=30 out=457
>>>
>>> thanks for looking into this
>>>
>>>> On 7 Aug 2018, at 10:34, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
>>>>
>>>> Can you provide your doveconf -n after adding the database *after*
>>>> LDAP.
>>>>
>>>> You probably need to add 'noauthenticate' as one parameter after the
>>>> userdb ones.
>>>>
>>>> Aki
>>>>
>>>
>>
>
