Mike Fröhner
2016-Dec-13  14:47 UTC
public folder subscriptions sync issue with ldap user/group in dovecot-acl
Hello people,

I am having an issue with 'doveadm sync'. I am currently trying to have two dovecots behind an haproxy (works fine). Therefore I configured these two dovecot servers (imap-1/imap-2) to sync through dsync. This works just partly. The sync of the mailboxes is fine, but the sync of the subscriptions file just works partly. It works for private folder subscription, but not completely for public folder subscription. I found two issues, if I am using LDAP (user/groups) in dovecot ACLs.

1. I would like to subscribe 2 public folders (public/test/test1 and public/test/test2).

My user (ldaptestuser) is an ldap user and this user is a member of the ldap group (ldaptestgroup) which does have all dovecot-acl rights on these folders.

    imap-1 # cat /opt/mail/_public/publictest/.test*/dovecot-acl
    group=ldaptestgroup akxeilprwts
    group=ldaptestgroup akxeilprwts

I am now connecting with my mail client to imap-1 (through haproxy) and the subscription to this folder works. The file which is written looks like:

    imap-1 # cat /opt/mail/ldaptestuser/Mails/subscriptions
    Sent
    publictest/test/test1
    publictest/test/test2

Now I am awaiting the sync to imap-2, but the file which is written looks like:

    imap-2 # cat /opt/mail/ldaptestuser/Mails/subscriptions
    Sent

If I modify the dovecot-acl for .test1 to

    imap-1 # cat /opt/mail/_public/publictest/.test1/dovecot-acl
    group=ldaptestgroup akxeilprwts
    user=ldaptestuser akxeilprwts

and execute the subscription again - the synced file looks like:

    imap-2 # cat /opt/mail/ldaptestuser/Mails/subscriptions
    Sent
    publictest/test/test1

The subscription of public folder test2 will also be synced, if I add my ldaptestuser to the acl file for this folder.

2. Another issue is to unsubscribe a public folder. If I unsubscribe folder test1, it is written to the subscriptions file on the imap where I am connected, but it is NOT synced even if my user and group are configured in the dovecot-acl file. If I then unsubscribe a non-public folder (like Sent), the formerly unsubscribed folder test1 is (faulty) subscribed again. But both imap do have the same subscriptions for my ldaptestuser user.

I do have the behavior with dovecot-2.2.26 and dovecot-2.2.27 on CentOS-7 (selinux disabled).

If you need more information like the dovecot -n or some other stuff give me a short notice.

Mike
Mike Fröhner
2016-Dec-14  09:16 UTC
public folder subscriptions sync issue with ldap user/group in dovecot-acl
I made some additional tests and found that local unix groups are also not working as a replacement for my ldap groups as described below.

Do groups in dovecot-acl intentionally not work?

On 12/13/2016 03:47 PM, Mike Fröhner wrote:
> Hello people,
>
> I am having an issue with 'doveadm sync'. I am currently trying to have
> two dovecots behind an haproxy (works fine). Therefore I configured
> these two dovecot servers (imap-1/imap-2) to sync through dsync. This
> works just partly. The sync of the mailboxes is fine, but the sync of the
> subscriptions file just works partly. It works for private folder
> subscription, but not completely for public folder subscription. I found
> two issues, if I am using LDAP (user/groups) in dovecot ACLs.
>
> 1. I would like to subscribe 2 public folders (public/test/test1 and
> public/test/test2).
>
> My user (ldaptestuser) is an ldap user and this user is a member of the
> ldap group (ldaptestgroup) which does have all dovecot-acl rights on
> these folders.
>
> imap-1 # cat /opt/mail/_public/publictest/.test*/dovecot-acl
> group=ldaptestgroup akxeilprwts
> group=ldaptestgroup akxeilprwts
>
> I am now connecting with my mail client to imap-1 (through haproxy) and
> the subscription to this folder works. The file which is written looks
> like:
>
> imap-1 # cat /opt/mail/ldaptestuser/Mails/subscriptions
> Sent
> publictest/test/test1
> publictest/test/test2
>
> Now I am awaiting the sync to imap-2, but the file which is written
> looks like:
>
> imap-2 # cat /opt/mail/ldaptestuser/Mails/subscriptions
> Sent
>
> If I modify the dovecot-acl for .test1 to
>
> imap-1 # cat /opt/mail/_public/publictest/.test1/dovecot-acl
> group=ldaptestgroup akxeilprwts
> user=ldaptestuser akxeilprwts
>
> and execute the subscription again - the synced file looks like:
>
> imap-2 # cat /opt/mail/ldaptestuser/Mails/subscriptions
> Sent
> publictest/test/test1
>
> The subscription of public folder test2 will also be synced, if I add
> my ldaptestuser to the acl file for this folder.
>
> 2. Another issue is to unsubscribe a public folder. If I unsubscribe
> folder test1, it is written to the subscriptions file on the imap where I am
> connected, but it is NOT synced even if my user and group are configured
> in the dovecot-acl file. If I then unsubscribe a non-public folder (like
> Sent), the formerly unsubscribed folder test1 is (faulty) subscribed
> again. But both imap do have the same subscriptions for my ldaptestuser
> user.
>
> I do have the behavior with dovecot-2.2.26 and dovecot-2.2.27 on
> CentOS-7 (selinux disabled).
>
> If you need more information like the dovecot -n or some other stuff
> give me a short notice.
>
> Mike
Timo Sirainen
2016-Dec-14  17:40 UTC
public folder subscriptions sync issue with ldap user/group in dovecot-acl
On 14 Dec 2016, at 11.16, Mike Fröhner <mikefroehner at gmx.de> wrote:
>
> I made some additional tests and found that local unix groups are also not working as a replacement for my ldap groups as described below.
>
> Do groups in dovecot-acl intentionally not work?

http://wiki2.dovecot.org/ACL -> ACL groups support works by returning a comma-separated acl_groups extra field from userdb, which contains all the groups the user belongs to. User's UNIX groups have no effect on ACLs (you can "enable" them by using a special post-login script).
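The rule quoted in the reply above, as an added example that is not part of the thread: a group= entry in dovecot-acl can only apply when the group name appears in the comma-separated acl_groups value that userdb returns for the user. The helper names are hypothetical, the ACL line is the one shown in the thread, and the matching is simplified to unquoted user=, group= and group-override= identifiers.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not Dovecot tooling.

# Convert a space-separated group list (for instance the output of
# `id -Gn <user>`) into the comma-separated form used for acl_groups.
groups_to_acl_groups() {
    printf '%s' "$1" | tr -s ' ' ','
}

# Print the dovecot-acl lines that apply to a user.
# usage: acl_entries_for USER ACL_GROUPS_CSV ACL_FILE
# A group entry matches only if its name is listed in ACL_GROUPS_CSV,
# so an empty acl_groups value makes every group= line ineffective.
acl_entries_for() {
    awk -v user="$1" -v groups="$2" '
        BEGIN {
            n = split(groups, g, ",")
            for (i = 1; i <= n; i++) member[g[i]] = 1
        }
        {
            id = $1
            if (id == "user=" user) { print; next }
            if (id ~ /^group(-override)?=/) {
                name = id
                sub(/^[^=]*=/, "", name)
                if (name in member) print
            }
        }' "$3"
}

# Constructed sample mirroring the ACL file shown in the thread.
acl=$(mktemp)
printf 'group=ldaptestgroup akxeilprwts\n' > "$acl"

# userdb returns no acl_groups: the group entry does not apply.
echo "acl_groups empty: [$(acl_entries_for ldaptestuser '' "$acl")]"

# userdb returns the user's groups: the group entry applies.
csv=$(groups_to_acl_groups 'users ldaptestgroup')
echo "acl_groups=$csv: [$(acl_entries_for ldaptestuser "$csv" "$acl")]"

rm -f "$acl"
```

Running the matcher with the acl_groups value that each server's userdb actually returns for the account shows whether a group-only ACL file can take effect on that server.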