Bruno Galindro da Costa
2014-Jun-05 18:30 UTC
[Dovecot] doveadm index - Bug or expected behaviour?
My LDAP config uses the variable %d in the search base for domain
replacement when Dovecot searches for users in LDAP. It works fine for
normal Dovecot operation.
But for doveadm index it does not: it ignores that variable and passes a
search base without the domain, so the search does not work.
This is the command:
# doveadm -v index -A INBOX
This is my config:
# cat /etc/dovecot/dovecot-ldap-userdb.conf
hosts = 10.0.0.1
tls = no
auth_bind = no
ldap_version = 3
base = ou=%d,ou=mail,ou=services,dc=domain
scope = subtree
deref = never
user_filter = (& (cn=%n)(objectclass=nisMailAlias)(ContaAtiva=TRUE) )
user_attrs = cn=rfc822mailmember,EmailQuota=quota_rule=*:storage=%$M,EmailQuotaSpecial=quota_rule=*:storage=%$M,eduPersonPrincipalName=eppn
iterate_filter = (&(objectclass=nisMailAlias)(ContaAtiva=TRUE)(!(EmailQuota=0)))
iterate_attrs = rfc822mailmember=user
This is the error reported by doveadm index:
doveadm(root): Error: User listing returned failure
doveadm: Error: Failed to iterate through some users
If you use tcpdump to monitor the search (the LDAP traffic is readable on the
wire here because the config sets `tls = no`), you will see 3 packets. The
first is the LDAP searchRequest message, with this content:
LDAPMessage searchRequest(3) "*ou=,*ou=mail,ou=services,dc=domain"
wholeSubtree
If I change the base parameter of the config file to this, it works perfectly:
base = ou=net.domain,ou=mail,ou=services,dc=domain
tcpdump:
LDAPMessage searchRequest(3)
"*ou=**net.domain**,*ou=mail,ou=services,dc=domain"
wholeSubtree
# dovecot -n
# 2.2.13 (5c877bca95e5): /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-63-virtual x86_64 Ubuntu 12.04.4 LTS zfs
auth_cache_negative_ttl = 1 mins
auth_cache_size = 1 k
auth_cache_ttl = 10 mins
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@~
disable_plaintext_auth = no
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_gid = mail
mail_home = /var/mail/mailboxes/%d/%n/home
mail_location = maildir:/var/mail/mailboxes/%d/%n:INDEX=/var/mail.indexes/%d/%n
mail_privileged_group = mail
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags
copy include variables body enotify environment mailbox date ihave
namespace inbox {
inbox = yes
location =
prefix =
type = private
}
namespace spam {
list = yes
location = maildir:/var/mail.spam/%d/%n
mailbox Filtrados {
auto = subscribe
}
prefix = SPAM.
subscriptions = yes
type = private
}
passdb {
args = /etc/dovecot/passdb.v3.1.sh
driver = checkpassword
}
plugin {
mail_log_events = delete undelete expunge copy mailbox_delete
mailbox_rename flag_change save mailbox_create
mail_log_fields = uid box msgid from subject size vsize
quota = maildir:DefaultQuota
quota_exceeded_message = O destinatario desta mensagem esta com a caixa
postal cheia. A sua mensagem so pode ser entregue se o destinatario apagar
algumas das mensagens.
quota_warning = storage=95%% /usr/local/bin/quota-warning.sh 95 %u
quota_warning2 = storage=90%% /usr/local/bin/quota-warning.sh 90 %u
sieve = /var/mail/sieve_scripts/%d/%n/.dovecot.sieve
sieve_after = /etc/dovecot/sieve/default.sieve
sieve_dir = /var/mail/sieve_scripts/%d/%n/sieve
sieve_global_dir = /etc/dovecot/sieve
sieve_global_path = /etc/dovecot/sieve/default.sieve
trash = /etc/dovecot/dovecot-trash.conf
}
protocols = imap sieve pop3
service anvil {
client_limit = 1603
}
service auth {
client_limit = 1600
unix_listener auth-client {
mode = 0660
}
unix_listener auth-master {
group = mail
mode = 0600
user = vmail
}
user = root
vsz_limit = 256 M
}
service imap-login {
client_limit = 1500
inet_listener imap {
address = *,[::]
port = 143
}
inet_listener imaps {
address = *,[::]
port = 993
}
process_limit = 500
service_count = 0
user = dovecot
vsz_limit = 256 M
}
service imap {
process_limit = 2048
vsz_limit = 450 M
}
service managesieve-login {
client_limit = 1500
executable = /usr/lib/dovecot/managesieve-login
process_limit = 500
service_count = 0
user = dovecot
vsz_limit = 256 M
}
service managesieve {
executable = /usr/lib/dovecot/managesieve
process_limit = 2048
vsz_limit = 450 M
}
service pop3-login {
client_limit = 1500
inet_listener pop3s {
address = *,[::]
port = 2221
}
process_limit = 500
service_count = 0
user = dovecot
vsz_limit = 256 M
}
service pop3 {
process_limit = 2048
vsz_limit = 450 M
}
userdb {
driver = prefetch
}
userdb {
args = /etc/dovecot/dovecot-ldap-userdb.conf
driver = ldap
}
protocol imap {
mail_fsync = never
mail_max_userip_connections = 2048
mail_plugins = quota imap_quota trash zlib mail_log notify
ssl_ca = </etc/dovecot/ca.crt
ssl_cert = </etc/dovecot/domain.crt
ssl_key = </etc/dovecot/domain.key
}
protocol pop3 {
mail_fsync = never
mail_plugins = quota
pop3_uidl_format = %08Xu%08Xv
ssl_ca = </etc/dovecot/ca.crt
ssl_cert = </etc/dovecot/domain.crt
ssl_key = </etc/dovecot/domain.key
}
protocol sieve {
managesieve_implementation_string = Cyrus timsieved v2.2.13
managesieve_logout_format = bytes=%i/%o
ssl_ca = </etc/dovecot/ca.crt
ssl_cert = </etc/dovecot/domain.crt
ssl_key = </etc/dovecot/domain.key
}
protocol lda {
auth_socket_path = /var/run/dovecot/auth-master
mail_fsync = optimized
mail_plugins = quota sieve expire
postmaster_address = admin at domain
}
--
Att.
Bruno Galindro da Costa
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 5 Jun 2014, Bruno Galindro da Costa wrote:

> My ldap config is using the variable %d in base search for domain
> replacement when dovecot will search for users in LDAP. Its works fine for
> dovecot operation.

When a user logs into Dovecot, the login process can extract the domain part from the login username.

> But, for doveadm index, not. It ignores that variable and tries to pass a
> base search without domain. So, the search will not working.
>
> This is the command:
> # doveadm -v index -A INBOX

If you iterate all users (-A), doveadm would need to guess all domains and iterate through them. So, in your case you cannot use -A. However, -u should work. That is, you call the command for each single user that you've iterated from LDAP via script.

> base = ou=%d,ou=mail,ou=services,dc=domain
[...]
> iterate_filter
> (&(objectclass=nisMailAlias)(ContaAtiva=TRUE)(!(EmailQuota=0)))
> iterate_attrs = rfc822mailmember=user

- -- 
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEVAwUBU5Fcynz1H7kL/d9rAQI7IggAitRJlAU4olmkTzUqXxrxxPAtF0FMcm0c
PqWdByrNM0aLr1WTIShN7y83OnTwFhznuuTg6oVO6s72KZ6Izo9COOK70kLvoGzZ
G4TyNu9S671hDVWsasuI+FvChGZURM+6E4G+ctsqTSjY8N8MV6hEdwrNhxBWbbfE
nQ0BEMDDaM0Qeycyiy59nhlOkLiSkv40P2NnOekkSvogxb3rpxt9FQ6vIrBkCxJd
K1xlwAWzg7Hr4LIUw3PJm0YjT7T4H+1AmiIm7iaAnT8My/9SSB9WCtmFQpzFNWOD
tpKc3RcQJykJMpC4oKjgTi0Vh6PTl6g3xMdA9yJ2jmgpLVqpU2fNKw==
=l3yY
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 5 Jun 2014, Bruno Galindro da Costa wrote:

> My ldap config is using the variable %d in base search for domain
> replacement when dovecot will search for users in LDAP. Its works fine for
> dovecot operation.
>
> But, for doveadm index, not. It ignores that variable and tries to pass a
> base search without domain. So, the search will not working.
>
> This is the command:
> # doveadm -v index -A INBOX
>
>
> This is my config:
> # cat /etc/dovecot/dovecot-ldap-userdb.conf
> hosts = 10.0.0.1
> tls = no
> auth_bind = no
> ldap_version = 3
> base = ou=%d,ou=mail,ou=services,dc=domain
> scope = subtree
> deref = never
> user_filter = (& (cn=%n)(objectclass=nisMailAlias)(ContaAtiva=TRUE) )
> user_attrs
> cn=rfc822mailmember,EmailQuota=quota_rule=*:storage=%$M,EmailQuotaSpecial=quota_rule=*:storage=%$M,eduPersonPrincipalName=eppn

Do you use rfc822mailmember and eppn somewhere? They are not Dovecot field names, IMHO. The same question applies to EmailQuota and EmailQuotaSpecial, as they both expand to quota_rule.

> iterate_filter
> (&(objectclass=nisMailAlias)(ContaAtiva=TRUE)(!(EmailQuota=0)))
> iterate_attrs = rfc822mailmember=user

Does rfc822mailmember contain the domain?

- -- 
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEVAwUBU5r7KHz1H7kL/d9rAQJtdwf/Z9dG1F16zPtRLyKnBWZM/G2hnrwhP43+
bWoVzcsRxSaP1U/Wku+mOsgJT+4tH/KjOgZHxgKn+/O91zlRWwQJwOGn+t3Qq+lH
L3uiW0iZ93rvEbfTXYyxiSutJNCRMjVv9CU6ZfuR7wo0mqUhu6PNE4mJYplQ65ym
1nS1w2HTkCf+BixDJg1ZZ5vsW44T+da18dSu3bqzdWOEGybuJDknNk6W2hLjElQk
oyxi5KISWzIimB7UJom1577I3Xzt7II6wOf/Wq9Rqg4jNn6Fwmy4lFuDcSScv9H+
GGC3TvtqmVLbOgEYkRSKgnx2MBpoXln1IhRTmpH6dPO97E3WCq9YGQ==
=q2h+
-----END PGP SIGNATURE-----