Now the attributes are correctly read for the user test@onnet.ch, but other users are not able to authenticate anymore.

root@buserver:/var/spool/postfix/virtual/onnet.ch/test/Maildir/.super# doveadm user test@onnet.ch
field             value
uid               5000
gid               5000
home              /var/spool/postfix/virtual/onnet.ch/test/
mail              maildir:~/Maildir
quota_rule        *:bytes=1073741824
acl               vfile:/etc/dovecot/dovecot-acl
acl_globals_only  yes

root@buserver:/etc/dovecot# doveadm user test2@onnet.ch
field             value
userdb lookup: user test2@onnet.ch doesn't exist

I need to add all users to the passwd too to let other users authenticate properly. This is not an option for our productive server, because the LDAP directory should be the main db for user administration. After adding "test@onnet.ch:::::::" to the passwd file, doveadm user works with test2@onnet.ch

root@buserver:/var/spool/postfix/virtual/onnet.ch/test/Maildir/.super# doveadm user test2@onnet.ch
field             value
uid               5000
gid               5000
home              /var/spool/postfix/virtual/onnet.ch/test2/
mail              maildir:~/Maildir
quota_rule        *:bytes=1073741824

IMPORTANT NOTE: anyway.. even with these options set (acl and acl_globals_only) the user test@onnet.ch is still able to share its own folders?!

> On 7 Aug 2018, at 11:35, Aki Tuomi <aki.tuomi@dovecot.fi> wrote:
>
> Ah. You probably need to change ldap userdb so that you add
>
> userdb {
>   driver = ldap
>   args = /etc/dovecot/dovecot-ldap.conf
>   result_success = continue-ok
> }
>
> so that the next one is processed.
>
> you can use 'doveadm user test@onnet.ch' to verify that the attributes are read for this user, and with another username that they are not.
>
> Aki
>
>
> On 07.08.2018 12:23, Simeon Ott wrote:
>> attached the dovecot -n, linked files, debug log lines during a standard client login
>>
>> root@buserver:/etc/dovecot/conf.d# doveconf -n
>> # 2.2.13: /etc/dovecot/dovecot.conf
>> # OS: Linux 3.16.0-6-amd64 x86_64 Debian 8.11
>> auth_debug = yes
>> auth_debug_passwords = yes
>> auth_mechanisms = plain login
>> auth_verbose = yes
>> auth_verbose_passwords = plain
>> debug_log_path = syslog
>> disable_plaintext_auth = no
>> info_log_path = syslog
>> lda_mailbox_autocreate = yes
>> lda_mailbox_autosubscribe = yes
>> login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
>> mail_debug = yes
>> mail_gid = 5000
>> mail_location = maildir:~/Maildir
>> mail_plugins = zlib quota acl
>> mail_uid = 5000
>> managesieve_notify_capability = mailto
>> managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
>> namespace {
>>   hidden = no
>>   ignore_on_failure = no
>>   inbox = no
>>   list = children
>>   location = maildir:%%h/Maildir:INDEX=%h/shared/%%u:CONTROL=%h/shared/%%u
>>   prefix = shared/%%u/
>>   separator = /
>>   subscriptions = yes
>>   type = shared
>> }
>> namespace inbox {
>>   inbox = yes
>>   location =
>>   mailbox Drafts {
>>     auto = subscribe
>>     special_use = \Drafts
>>   }
>>   mailbox Sent {
>>     auto = subscribe
>>     special_use = \Sent
>>   }
>>   mailbox "Sent Messages" {
>>     special_use = \Sent
>>   }
>>   mailbox Spam {
>>     auto = subscribe
>>     special_use = \Junk
>>   }
>>   mailbox Trash {
>>     auto = subscribe
>>     special_use = \Trash
>>   }
>>   prefix =
>>   separator = /
>>   type = private
>> }
>> passdb {
>>   args = /etc/dovecot/dovecot-ldap.conf
>>   driver = ldap
>> }
>> plugin {
>>   acl = vfile
>>   acl_shared_dict = file:/var/spool/postfix/virtual/shared-mailboxes
>>   quota = maildir:User quota
>>   quota_exceeded_message = 4.2.2 Mailbox full
>>   quota_rule = *:storage=1G
>>   quota_rule2 = INBOX.Trash:storage=+100M
>>   quota_rule3 = INBOX.Spam:ignore
>>   quota_warning = storage=95%% quota-warning 95 %u
>>   sieve = ~/.dovecot.sieve
>>   sieve_before = /var/lib/dovecot/sieve/default.sieve
>>   sieve_dir = ~/sieve
>>   sieve_max_actions = 32
>>   sieve_max_redirects = 4
>>   sieve_max_script_size = 1M
>>   sieve_quota_max_scripts = 0
>>   sieve_quota_max_storage = 0
>> }
>> protocols = " imap lmtp sieve pop3"
>> service auth {
>>   group = dovecot
>>   unix_listener /var/spool/postfix/private/auth {
>>     group = postfix
>>     mode = 0666
>>     user = postfix
>>   }
>>   unix_listener auth-master {
>>     group = vmail
>>     mode = 0666
>>     user = vmail
>>   }
>>   unix_listener auth-userdb {
>>     group = vmail
>>     mode = 0666
>>     user = vmail
>>   }
>>   user = dovecot
>> }
>> service lmtp {
>>   unix_listener lmtp {
>>     mode = 0666
>>   }
>> }
>> service managesieve-login {
>>   inet_listener sieve {
>>     port = 4190
>>   }
>>   inet_listener sieve_deprecated {
>>     port = 2000
>>   }
>>   process_min_avail = 0
>>   service_count = 1
>>   vsz_limit = 64 M
>> }
>> ssl = no
>> userdb {
>>   args = /etc/dovecot/dovecot-ldap.conf
>>   driver = ldap
>> }
>> userdb {
>>   args = username_format=%Lu /etc/dovecot/share.passwd
>>   driver = passwd-file
>> }
>> protocol lmtp {
>>   mail_plugins = zlib quota acl sieve
>> }
>> protocol lda {
>>   auth_socket_path = /var/run/dovecot/auth-master
>>   deliver_log_format = msgid=%m: %$
>>   mail_plugins = zlib quota acl sieve
>>   postmaster_address = postmaster@onnet.ch
>> }
>> protocol imap {
>>   mail_plugins = zlib quota acl imap_quota imap_acl
>> }
>> protocol sieve {
>>   info_log_path = /var/log/sieve.log
>>   log_path = /var/log/sieve.log
>>   mail_max_userip_connections = 10
>>   managesieve_implementation_string = Dovecot Pigeonhole
>>   managesieve_logout_format = bytes=%i/%o
>>   managesieve_max_compile_errors = 5
>>   managesieve_max_line_length = 65536
>> }
>>
>> root@buserver:/etc/dovecot# cat dovecot-acl
>> root@buserver:/etc/dovecot#
>>
>> -> means empty file
>>
>> root@buserver:/etc/dovecot# cat share.passwd
>> test@onnet.ch:::::::userdb_acl=vfile:/etc/dovecot/dovecot-acl userdb_acl_globals_only=yes
>>
>> root@buserver:/etc/dovecot# sed -e '/^#/d' dovecot-ldap.conf
>> hosts = localhost
>> uris = ldap://localhost:389/
>> debug_level = 10
>> auth_bind = yes
>> ldap_version = 3
>> base = ou=domains,dc=intra,dc=onnet,dc=ch
>> deref = never
>> scope = subtree
>> user_attrs = homeDirectory=home=/var/spool/postfix/virtual/%$,uidNumber=uid,gidNumber=gid,quota=quota_rule=*:bytes=%$
>> user_filter = (&(objectClass=CourierMailAccount)(mail=%u))
>> pass_attrs = mail=user,userPassword=password
>> pass_filter = (&(objectClass=CourierMailAccount)(mail=%u))
>> iterate_attrs = mail=user
>> iterate_filter = (objectClass=CourierMailAccount)
>> default_pass_scheme = CRYPT
>>
>> root@buserver:/etc/dovecot# cat /var/log/mail.log | grep "Aug  7 11:17:27"
>> Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl vfile: file /var/spool/postfix/virtual/onnet.ch/test//Maildir/.test folder 1.sub folder 1 1/dovecot-acl not found
>> Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl vfile: reading file /var/spool/postfix/virtual/onnet.ch/test//Maildir/.super/dovecot-acl
>> Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl vfile: reading file /var/spool/postfix/virtual/onnet.ch/test//Maildir/.super.hello du/dovecot-acl
>> Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl vfile: file /var/spool/postfix/virtual/onnet.ch/test//Maildir/.test folder 1/dovecot-acl not found
>> Aug  7 11:17:27 buserver dovecot: auth: Debug: auth client connected (pid=3203)
>> Aug  7 11:17:27 buserver dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011session=lkbV3NRyyQDAqDgB#011lip=192.168.56.50#011rip=192.168.56.1#011lport=143#011rport=52169#011resp=dGVzdEBvbm5ldC5jaAB0ZXN0QG9ubmV0LmNoAG5vdmVsbDEyMzQ1Ng= (previous base64 data may contain sensitive data)
>> Aug  7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): bind search: base=ou=domains,dc=intra,dc=onnet,dc=ch filter=(&(objectClass=CourierMailAccount)(mail=test@onnet.ch))
>> Aug  7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result: mail=test@onnet.ch; mail unused
>> Aug  7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result: mail=test@onnet.ch
>> Aug  7 11:17:27 buserver dovecot: auth: Debug: client passdb out: OK#0111#011user=test@onnet.ch
>> Aug  7 11:17:27 buserver dovecot: auth: Debug: master in: REQUEST#0113718250497#0113203#0111#011089fd1d9e1a2c66586786422f24c51cd#011session_pid=3206#011request_auth_token
>> Aug  7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): user search: base=ou=domains,dc=intra,dc=onnet,dc=ch scope=subtree filter=(&(objectClass=CourierMailAccount)(mail=test@onnet.ch)) fields=homeDirectory,uidNumber,gidNumber,quota
>> Aug  7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result: uidNumber=5000 quota=1073741824 gidNumber=5000 homeDirectory=onnet.ch/test/; homeDirectory,uidNumber,quota,gidNumber unused
>> Aug  7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result: uidNumber=5000 quota=1073741824 gidNumber=5000 homeDirectory=onnet.ch/test/
>> Aug  7 11:17:27 buserver dovecot: auth: Debug: master userdb out: USER#0113718250497#011test@onnet.ch#011home=/var/spool/postfix/virtual/onnet.ch/test/#011uid=5000#011gid=5000#011quota_rule=*:bytes=1073741824#011auth_token=913bee7c974e18d4527fc38d90457411e7e61201
>> Aug  7 11:17:27 buserver dovecot: imap-login: Login: user=<test@onnet.ch>, method=PLAIN, rip=192.168.56.1, lip=192.168.56.50, mpid=3206
>> Aug  7 11:17:27 buserver dovecot: imap: Debug: Loading modules from directory: /usr/lib/dovecot/modules
>> Aug  7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib01_acl_plugin.so
>> Aug  7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib02_imap_acl_plugin.so
>> Aug  7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib10_quota_plugin.so
>> Aug  7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib11_imap_quota_plugin.so
>> Aug  7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib20_zlib_plugin.so
>> Aug  7 11:17:27 buserver dovecot: imap: Debug: Added userdb setting: plugin/quota_rule=*:bytes=1073741824
>> Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Effective uid=5000, gid=5000, home=/var/spool/postfix/virtual/onnet.ch/test/
>> Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Quota root: name=User quota backend=maildir args=
>> Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Quota rule: root=User quota mailbox=* bytes=1073741824 messages=0
>> Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Quota rule: root=User quota mailbox=INBOX.Trash bytes=+104857600 messages=0
>> Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Quota rule: root=User quota mailbox=INBOX.Spam ignored
>> Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Quota warning: bytes=1020054732 (95%) messages=0 reverse=no command=quota-warning 95 test@onnet.ch
>> Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Quota grace: root=User quota bytes=107374182 (10%)
>> Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Namespace inbox: type=private, prefix=, sep=/, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:~/Maildir
>> Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: maildir++: root=/var/spool/postfix/virtual/onnet.ch/test//Maildir, index=, indexpvt=, control=, inbox=/var/spool/postfix/virtual/onnet.ch/test//Maildir, alt=
>> Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: initializing backend with data: vfile
>> Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: acl username = test@onnet.ch
>> Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: owner = 1
>> Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl vfile: Global ACLs disabled
>> Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Namespace : type=shared, prefix=shared/%u/, sep=/, inbox=no, hidden=no, list=children, subscriptions=yes location=maildir:%h/Maildir:INDEX=/var/spool/postfix/virtual/onnet.ch/test//shared/%u:CONTROL=/var/spool/postfix/virtual/onnet.ch/test//shared/%u
>> Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: shared: root=/var/run/dovecot, index=, indexpvt=, control=, inbox=, alt=
>> Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: initializing backend with data: vfile
>> Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: acl username = test@onnet.ch
>> Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: owner = 0
>> Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl vfile: Global ACLs disabled
>> Aug  7 11:17:27 buserver dovecot: imap(test@onnet.ch): Disconnected: Logged out in=30 out=457
>>
>> thanks for looking into this
>>
>>> On 7 Aug 2018, at 10:34, Aki Tuomi <aki.tuomi@dovecot.fi> wrote:
>>>
>>> Can you provide your doveconf -n after adding the database *after* LDAP.
>>>
>>> You probably need to add 'noauthenticate' as one parameter after the userdb ones.
>>>
>>> Aki
>>>
>>
>
Hmm. If you put it *after* the ldap userdb, it should not have prevented users from logging in.

What happens if you do

userdb {
  driver = passwd-file
  args = ....
  skip = notfound
  result_failure = continue-ok
}

Aki

On 07.08.2018 12:58, Simeon Ott wrote:
> Now the attributes are correctly read for the user test@onnet.ch, but other users are not able to authenticate anymore.
>
> root@buserver:/var/spool/postfix/virtual/onnet.ch/test/Maildir/.super# doveadm user test@onnet.ch
> field             value
> uid               5000
> gid               5000
> home              /var/spool/postfix/virtual/onnet.ch/test/
> mail              maildir:~/Maildir
> quota_rule        *:bytes=1073741824
> acl               vfile:/etc/dovecot/dovecot-acl
> acl_globals_only  yes
>
> root@buserver:/etc/dovecot# doveadm user test2@onnet.ch
> field             value
> userdb lookup: user test2@onnet.ch doesn't exist
>
> I need to add all users to the passwd too to let other users authenticate properly. This is not an option for our productive server, because the LDAP directory should be the main db for user administration. After adding "test@onnet.ch:::::::" to the passwd file, doveadm user works with test2@onnet.ch
>
> root@buserver:/var/spool/postfix/virtual/onnet.ch/test/Maildir/.super# doveadm user test2@onnet.ch
> field             value
> uid               5000
> gid               5000
> home              /var/spool/postfix/virtual/onnet.ch/test2/
> mail              maildir:~/Maildir
> quota_rule        *:bytes=1073741824
>
> IMPORTANT NOTE: anyway.. even with these options set (acl and acl_globals_only) the user test@onnet.ch is still able to share its own folders?!
still the same?

root@buserver:/etc/dovecot# doveadm user test2@onnet.ch
field             value
userdb lookup: user test2@onnet.ch doesn't exist

relevant config output from doveconf -n

userdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
  result_success = continue-ok
}
userdb {
  args = username_format=%Lu /etc/dovecot/share.passwd
  driver = passwd-file
  result_failure = continue-ok
  skip = notfound
}

but, did you read my last note anyway?

IMPORTANT NOTE: anyway.. even with these options set (acl and acl_globals_only) the user test@onnet.ch is still able to share its own folders?!

root@buserver:/etc/dovecot# doveadm user test@onnet.ch
field             value
uid               5000
gid               5000
home              /var/spool/postfix/virtual/onnet.ch/test/
mail              maildir:~/Maildir
quota_rule        *:bytes=1073741824
acl               vfile:/etc/dovecot/dovecot-acl
acl_globals_only  yes

root@buserver:/etc/dovecot# telnet localhost 143
Trying ::1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
. login test@onnet.ch *********
. OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE QUOTA ACL RIGHTS=texk] Logged in
. SETACL Inbox test2@onnet.ch lrwstipekxa
. OK Setacl complete.
. GETACL Inbox
* ACL Inbox test2@onnet.ch akxeilprwtscd test@onnet.ch lrwstipekxacd
. OK Getacl completed.

Cheers

> On 7 Aug 2018, at 12:05, Aki Tuomi <aki.tuomi@dovecot.fi> wrote:
>
> Hmm. if you put it *after* the ldap userdb, it should not have prevented users from logging in.
>
> What happens if you do
> userdb {
>   driver = passwd-file
>   args = ....
>   skip = notfound
>   result_failure = continue-ok
> }
>
> Aki
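The GETACL reply above is the evidence that a mailbox has been shared: whoever holds the 'a' (administer) right can issue SETACL on it. As an added example (not code from the thread or from Dovecot), this Python audit parses untagged '* ACL' responses from a captured IMAP session and reports who can administer each mailbox and who it has been granted to; the session transcript is constructed and its second mailbox is invented to exercise quoted names and the 'anyone' identifier.

```python
"""Audit IMAP GETACL responses for sharing rights (added example)."""
import shlex
from dataclasses import dataclass, field

# RFC 4314 rights, plus the obsolete RFC 2086 'c' and 'd' that Dovecot still
# reports next to them (both show up in the GETACL reply in the thread).
RIGHT_NAMES = {
    "l": "lookup", "r": "read", "s": "keep-seen", "w": "write-flags",
    "i": "insert", "p": "post", "k": "create-mailbox", "x": "delete-mailbox",
    "t": "delete-messages", "e": "expunge", "a": "administer",
    "c": "create (obsolete)", "d": "delete (obsolete)",
}


@dataclass
class MailboxAcl:
    mailbox: str
    rights: dict = field(default_factory=dict)  # identifier -> set of letters


def parse_acl_response(line):
    """Parse one untagged '* ACL <mailbox> [<identifier> <rights>]...' line.

    shlex handles quoted mailbox names such as "Sent Messages"; a server
    sends an empty rights string as "" and it becomes an empty set.
    """
    tokens = shlex.split(line)
    if len(tokens) < 3 or tokens[0] != "*" or tokens[1].upper() != "ACL":
        raise ValueError("not an untagged ACL response: %r" % line)
    pairs = tokens[3:]
    if len(pairs) % 2:
        raise ValueError("identifier without rights in: %r" % line)
    acl = MailboxAcl(mailbox=tokens[2])
    for ident, rights in zip(pairs[::2], pairs[1::2]):
        unknown = set(rights) - set(RIGHT_NAMES)
        if unknown:
            raise ValueError("unknown rights %s for %s" % (sorted(unknown), ident))
        acl.rights[ident] = set(rights)
    return acl


def parse_session(transcript):
    """Collect every '* ACL' response from a captured IMAP session."""
    return [parse_acl_response(l) for l in transcript.splitlines()
            if l.startswith("* ACL ")]


def audit_sharing(acl, owner):
    """Who can administer (and therefore share) the mailbox, and who has access.

    'a' is the right SETACL requires, so an owner holding it can grant the
    mailbox to others; any identifier other than the owner means it is shared.
    """
    return {
        "mailbox": acl.mailbox,
        "administrators": sorted(i for i, r in acl.rights.items() if "a" in r),
        "owner_can_share": "a" in acl.rights.get(owner, set()),
        "shared_with": sorted(i for i in acl.rights if i != owner),
    }


def audit_session(transcript, owner):
    return [audit_sharing(acl, owner) for acl in parse_session(transcript)]


# Constructed transcript: the GETACL reply from the thread plus an invented
# second mailbox with a quoted name and an 'anyone' grant.
SAMPLE_SESSION = """\
. GETACL Inbox
* ACL Inbox test2@onnet.ch akxeilprwtscd test@onnet.ch lrwstipekxacd
. OK Getacl completed.
. GETACL "Sent Messages"
* ACL "Sent Messages" anyone lr test@onnet.ch lrwstipekxacd
. OK Getacl completed.
"""

if __name__ == "__main__":
    for report in audit_session(SAMPLE_SESSION, owner="test@onnet.ch"):
        print(report)
```

Run it against the output of a scripted GETACL over every mailbox of a user to spot folders the owner has handed out; a mailbox with only the owner in the list is not shared.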