Hi list,
I have a question on auth caching in 2.2.18.
I am using acl_groups for a master user, appended in a static userdb file
# snip ###############################
master at uma:{SHA}XXXX=::::::userdb_acl_groups=umareadmaster
allow_nets=127.0.0.1
# snap ###############################
and use this group in a global ACL file.
I discovered this only works on first NOT-cached login
environment in imap-postlogin script on first login:
AUTH_TOKEN=e96b5a32ceb2cafc4460c210ad2e92e3d7ab388c
MASTER_USER=master at uma
SPUSER=private/pdf
LOCAL_IP=127.0.0.1
USER=pdf
AUTH_USER=master at uma
PWD=/var/run/dovecot
USERDB_KEYS=ACL_GROUPS HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER
SHLVL=1
HOME=/var/data/vmail/private/pdf
ACL_GROUPS=umareadmaster
IP=127.0.0.1
_=/usr/bin/env
on the second cached login it looks like this
AUTH_TOKEN=12703b11932f233520f6d4b33559c33aeb1cfc7f
MASTER_USER=master at uma
SPUSER=private/pdf
LOCAL_IP=127.0.0.1
USER=pdf
AUTH_USER=master at uma
PWD=/var/run/dovecot
USERDB_KEYS=HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER
SHLVL=1
HOME=/var/data/vmail/private/pdf
IP=127.0.0.1
_=/usr/bin/env
so the ACL_GROUPS is gone.
is this intended to be like that.
so groups not included in cache and I have to find another approach?
anybody else encountered similar problems with some auth Variables and
caching?
Greetz Matze
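The comparison described in the message above, written as a check that can be run over two post-login environment dumps. This is an added example, not part of the original post: the function names are hypothetical and the two sample dumps are abbreviated from the ones quoted in the message.

```shell
#!/bin/sh
# Added example: find userdb fields that a first (uncached) login exported
# but a later (cached) login did not. Sample dumps abbreviated from the post.
FIRST_LOGIN='MASTER_USER=master at uma
USER=pdf
USERDB_KEYS=ACL_GROUPS HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER
ACL_GROUPS=umareadmaster'

CACHED_LOGIN='MASTER_USER=master at uma
USER=pdf
USERDB_KEYS=HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER'

# userdb_keys DUMP: names listed in USERDB_KEYS, one per line, sorted.
userdb_keys() {
    printf '%s\n' "$1" | sed -n 's/^USERDB_KEYS=//p' | tr ' ' '\n' \
        | sed '/^$/d' | sort -u
}

# env_value DUMP NAME: value of NAME in the dump, empty if it is not set.
env_value() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# dropped_userdb_keys FIRST LATER: keys announced in FIRST but not in LATER.
dropped_userdb_keys() {
    later=$(userdb_keys "$2")
    for k in $(userdb_keys "$1"); do
        printf '%s\n' "$later" | grep -qxF "$k" || echo "$k"
    done
}

# master_login_has_groups DUMP: fails only for a master-user login whose
# ACL_GROUPS is missing or empty; ordinary logins always pass.
master_login_has_groups() {
    [ -z "$(env_value "$1" MASTER_USER)" ] && return 0
    [ -n "$(env_value "$1" ACL_GROUPS)" ]
}

echo "dropped on cached login: $(dropped_userdb_keys "$FIRST_LOGIN" "$CACHED_LOGIN")"
master_login_has_groups "$CACHED_LOGIN" || echo "master login without ACL_GROUPS"
```

In a real post-login script the dump would come from `env` rather than from a literal string.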
just tested against dovecot 2.2.15

everything works fine. so might be a bug introduced between 2.2.16 and
2.2.18

On 08/05/2015 04:30 PM, matthias lay wrote:
> Hi list,
>
> I have a question on auth caching in 2.2.18.
>
> I am using acl_groups for a master user, appended in a static userdb file
>
> # snip ###############################
> master at uma:{SHA}XXXX=::::::userdb_acl_groups=umareadmaster
> allow_nets=127.0.0.1
> # snap ###############################
>
> and use this group in a global ACL file.
> I discovered this only works on first NOT-cached login
>
> environment in imap-postlogin script on first login:
>
> AUTH_TOKEN=e96b5a32ceb2cafc4460c210ad2e92e3d7ab388c
> MASTER_USER=master at uma
> SPUSER=private/pdf
> LOCAL_IP=127.0.0.1
> USER=pdf
> AUTH_USER=master at uma
> PWD=/var/run/dovecot
> USERDB_KEYS=ACL_GROUPS HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER
> SHLVL=1
> HOME=/var/data/vmail/private/pdf
> ACL_GROUPS=umareadmaster
> IP=127.0.0.1
> _=/usr/bin/env
>
> on the second cached login it looks like this
>
> AUTH_TOKEN=12703b11932f233520f6d4b33559c33aeb1cfc7f
> MASTER_USER=master at uma
> SPUSER=private/pdf
> LOCAL_IP=127.0.0.1
> USER=pdf
> AUTH_USER=master at uma
> PWD=/var/run/dovecot
> USERDB_KEYS=HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER
> SHLVL=1
> HOME=/var/data/vmail/private/pdf
> IP=127.0.0.1
> _=/usr/bin/env
>
> so the ACL_GROUPS is gone.
>
> is this intended to be like that.
> so groups not included in cache and I have to find another approach?
>
> anybody else encountered similar problems with some auth Variables and
> caching?
>
> Greetz Matze
hi timo,
I checked out the commit causing this.
it's this one:
http://hg.dovecot.org/dovecot-2.2/diff/5e445c659f89/src/auth/auth-request.c#l1.32
if I move this block back as it was, everything is fine
diff -r a46620d6e0ff -r 5e445c659f89 src/auth/auth-request.c
--- a/src/auth/auth-request.c Tue May 05 13:35:52 2015 +0300
+++ b/src/auth/auth-request.c Tue May 05 14:16:31 2015 +0300
@@ -618,30 +627,28 @@
auth_request_want_skip_passdb(request, next_passdb))
next_passdb = next_passdb->next;
+ if (*result == PASSDB_RESULT_OK) {
+ /* this passdb lookup succeeded, preserve its extra fields */
+ auth_fields_snapshot(request->extra_fields);
+ request->snapshot_have_userdb_prefetch_set +
request->userdb_prefetch_set;
+ if (request->userdb_reply != NULL)
+ auth_fields_snapshot(request->userdb_reply);
+ } else {
+ /* this passdb lookup failed, remove any extra fields it set */
+ auth_fields_rollback(request->extra_fields);
+ if (request->userdb_reply != NULL) {
+ auth_fields_rollback(request->userdb_reply);
+ request->userdb_prefetch_set +
request->snapshot_have_userdb_prefetch_set;
+ }
+ }
+
if (passdb_continue && next_passdb != NULL) {
/* try next passdb. */
request->passdb = next_passdb;
request->passdb_password = NULL;
- if (*result == PASSDB_RESULT_OK) {
- /* this passdb lookup succeeded, preserve its extra
- fields */
- auth_fields_snapshot(request->extra_fields);
- request->snapshot_have_userdb_prefetch_set -
request->userdb_prefetch_set;
- if (request->userdb_reply != NULL)
- auth_fields_snapshot(request->userdb_reply);
- } else {
- /* this passdb lookup failed, remove any extra fields
- it set */
- auth_fields_rollback(request->extra_fields);
- if (request->userdb_reply != NULL) {
- auth_fields_rollback(request->userdb_reply);
- request->userdb_prefetch_set -
request->snapshot_have_userdb_prefetch_set;
- }
- }
-
if (*result == PASSDB_RESULT_USER_UNKNOWN) {
/* remember that we did at least one successful
passdb lookup */
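Review bot: the snapshot/rollback block now sits above `if (passdb_continue && next_passdb != NULL)`, so `auth_fields_snapshot()` and `auth_fields_rollback()` on `request->extra_fields` and `request->userdb_reply` run after every passdb lookup, including the last one in the chain, where they were previously skipped. The comments in the moved block say what each branch does but not why it must now also happen when no further passdb is tried; add that reason, and check the path where the passdb result is served from the auth cache, since the report in this thread is that a `userdb_` extra field (`userdb_acl_groups`) is present on the first login, missing on the cached one, and back again once the block is moved to its old position. A regression test that logs in twice with auth caching enabled and compares the userdb fields of both logins would cover it.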
On 08/05/2015 05:33 PM, matthias lay wrote:
> just tested against dovecot 2.2.15
>
> everything works fine. so might be a bug introduced between 2.2.16 and
> 2.2.18
>
>
>
>
>
> On 08/05/2015 04:30 PM, matthias lay wrote:
>> Hi list,
>>
>> I have a question on auth caching in 2.2.18.
>>
>> I am using acl_groups for a master user, appended in a static userdb file
>>
>> # snip ###############################
>> master at uma:{SHA}XXXX=::::::userdb_acl_groups=umareadmaster
>> allow_nets=127.0.0.1
>> # snap ###############################
>>
>> and use this group in a global ACL file.
>> I discovered this only works on first NOT-cached login
>>
>>
>>
>> environment in imap-postlogin script on first login:
>>
>>
>> AUTH_TOKEN=e96b5a32ceb2cafc4460c210ad2e92e3d7ab388c
>> MASTER_USER=master at uma
>> SPUSER=private/pdf
>> LOCAL_IP=127.0.0.1
>> USER=pdf
>> AUTH_USER=master at uma
>> PWD=/var/run/dovecot
>> USERDB_KEYS=ACL_GROUPS HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER
>> SHLVL=1
>> HOME=/var/data/vmail/private/pdf
>> ACL_GROUPS=umareadmaster
>> IP=127.0.0.1
>> _=/usr/bin/env
>>
>>
>> on the second cached login it looks like this
>>
>>
>> AUTH_TOKEN=12703b11932f233520f6d4b33559c33aeb1cfc7f
>> MASTER_USER=master at uma
>> SPUSER=private/pdf
>> LOCAL_IP=127.0.0.1
>> USER=pdf
>> AUTH_USER=master at uma
>> PWD=/var/run/dovecot
>> USERDB_KEYS=HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER
>> SHLVL=1
>> HOME=/var/data/vmail/private/pdf
>> IP=127.0.0.1
>> _=/usr/bin/env
>>
>> so the ACL_GROUPS is gone.
>>
>> is this intended to be like that.
>> so groups not included in cache and I have to find another approach?
>>
>> anybody else encountered similar problems with some auth Variables and
>> caching?
>>
>>
>> Greetz Matze
>>
>
Fixed: http://hg.dovecot.org/dovecot-2.2/rev/b7f7ad2bc4d0

> On 05 Aug 2015, at 17:30, matthias lay <matthias.lay at securepoint.de> wrote:
>
> Hi list,
>
> I have a question on auth caching in 2.2.18.
>
> I am using acl_groups for a master user, appended in a static userdb file
>
> # snip ###############################
> master at uma:{SHA}XXXX=::::::userdb_acl_groups=umareadmaster
> allow_nets=127.0.0.1
> # snap ###############################
>
> and use this group in a global ACL file.
> I discovered this only works on first NOT-cached login
>
> environment in imap-postlogin script on first login:
>
> AUTH_TOKEN=e96b5a32ceb2cafc4460c210ad2e92e3d7ab388c
> MASTER_USER=master at uma
> SPUSER=private/pdf
> LOCAL_IP=127.0.0.1
> USER=pdf
> AUTH_USER=master at uma
> PWD=/var/run/dovecot
> USERDB_KEYS=ACL_GROUPS HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER
> SHLVL=1
> HOME=/var/data/vmail/private/pdf
> ACL_GROUPS=umareadmaster
> IP=127.0.0.1
> _=/usr/bin/env
>
> on the second cached login it looks like this
>
> AUTH_TOKEN=12703b11932f233520f6d4b33559c33aeb1cfc7f
> MASTER_USER=master at uma
> SPUSER=private/pdf
> LOCAL_IP=127.0.0.1
> USER=pdf
> AUTH_USER=master at uma
> PWD=/var/run/dovecot
> USERDB_KEYS=HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER
> SHLVL=1
> HOME=/var/data/vmail/private/pdf
> IP=127.0.0.1
> _=/usr/bin/env
>
> so the ACL_GROUPS is gone.
>
> is this intended to be like that.
> so groups not included in cache and I have to find another approach?
>
> anybody else encountered similar problems with some auth Variables and
> caching?
>
> Greetz Matze