Timo Sirainen
2016-Dec-14 17:40 UTC
public folder subscriptions sync issue with ldap user/group in dovecot-acl
On 14 Dec 2016, at 11.16, Mike Fröhner <mikefroehner at gmx.de> wrote:

> I made some additional tests and found that local unix groups also do not work as a replacement for my ldap groups, as described below.
>
> Is it intended that groups in dovecot-acl do not work?

http://wiki2.dovecot.org/ACL -> ACL groups support works by returning a comma-separated acl_groups extra field from userdb, which contains all the groups the user belongs to. User's UNIX groups have no effect on ACLs (you can "enable" them by using a special post-login script).

> On 12/13/2016 03:47 PM, Mike Fröhner wrote:
>> Hello people,
>>
>> I am having an issue with 'doveadm sync'. I am currently trying to have two dovecots behind an haproxy (works fine). Therefore I configured these two dovecot servers (imap-1/imap-2) to sync through dsync. This works only partly. The sync of the mailboxes is fine, but the sync of the subscriptions file works only partly. It works for private folder subscriptions, but not completely for public folder subscriptions. I found two issues if I am using LDAP (user/groups) in dovecot ACLs.
>>
>> 1. I would like to subscribe to two public folders (public/test/test1 and public/test/test2).
>>
>> My user (ldaptestuser) is an ldap user and this user is a member of the ldap group (ldaptestgroup) which has all dovecot-acl rights on these folders.
>>
>> imap-1 # cat /opt/mail/_public/publictest/.test*/dovecot-acl
>> group=ldaptestgroup akxeilprwts
>> group=ldaptestgroup akxeilprwts
>>
>> I am now connecting with my mail client to imap-1 (through haproxy) and the subscription to this folder works. The file which is written looks like:
>>
>> imap-1 # cat /opt/mail/ldaptestuser/Mails/subscriptions
>> Sent
>> publictest/test/test1
>> publictest/test/test2
>>
>> Now I am awaiting the sync to imap-2, but the file which is written looks like:
>>
>> imap-2 # cat /opt/mail/ldaptestuser/Mails/subscriptions
>> Sent
>>
>> If I modify the dovecot-acl for .test1 to
>>
>> imap-1 # cat /opt/mail/_public/publictest/.test1/dovecot-acl
>> group=ldaptestgroup akxeilprwts
>> user=ldaptestuser akxeilprwts
>>
>> and execute the subscription again, the synced file looks like:
>>
>> imap-2 # cat /opt/mail/ldaptestuser/Mails/subscriptions
>> Sent
>> publictest/test/test1
>>
>> The subscription of public folder test2 will also be synced if I add my ldaptestuser to the acl file for this folder.
>>
>> 2. Another issue is unsubscribing a public folder. If I unsubscribe folder test1, it is written to the subscriptions file on the imap where I am connected, but it is NOT synced even if my user and group are configured in the dovecot-acl file. If I then unsubscribe a non-public folder (like Sent), the formerly unsubscribed folder test1 is (wrongly) subscribed again. But both imaps do have the same subscriptions for my ldaptestuser user.
>>
>> I have this behavior with dovecot-2.2.26 and dovecot-2.2.27 on CentOS-7 (selinux disabled).
>>
>> If you need more information like the dovecot -n or some other stuff, give me a short notice.
>>
>> Mike;
Mike Fröhner
2016-Dec-16 14:25 UTC
public folder subscriptions sync issue with ldap user/group in dovecot-acl
Thanks for your reply Timo.

On 12/14/2016 06:40 PM, Timo Sirainen wrote:
> On 14 Dec 2016, at 11.16, Mike Fröhner <mikefroehner at gmx.de <mailto:mikefroehner at gmx.de>> wrote:
>>
>> I made some additional tests and found that local unix groups also do not work as a replacement for my ldap groups, as described below.
>>
>> Is it intended that groups in dovecot-acl do not work?
>
> http://wiki2.dovecot.org/ACL -> ACL groups support works by returning a comma-separated acl_groups extra field from userdb, which contains all the groups the user belongs to. User's UNIX groups have no effect on ACLs (you can "enable" them by using a special post-login script).

I think I have configured the userdb right, because the debug log tells me this:

imap-1 dovecot: imap(ldaptestuser): Debug: acl: acl username = ldaptestuser
imap-1 dovecot: imap(ldaptestuser): Debug: acl: owner = 1
imap-1 dovecot: imap(ldaptestuser): Debug: acl: group added: mailusers
imap-1 dovecot: imap(ldaptestuser): Debug: acl: group added: ldaptestgroup

>
>>
>> On 12/13/2016 03:47 PM, Mike Fröhner wrote:
>>> Hello people,
>>>
>>> I am having an issue with 'doveadm sync'. I am currently trying to have two dovecots behind an haproxy (works fine). Therefore I configured these two dovecot servers (imap-1/imap-2) to sync through dsync. This works only partly. The sync of the mailboxes is fine, but the sync of the subscriptions file works only partly. It works for private folder subscriptions, but not completely for public folder subscriptions. I found two issues if I am using LDAP (user/groups) in dovecot ACLs.
>>>
>>> 1. I would like to subscribe to two public folders (public/test/test1 and public/test/test2).
>>>
>>> My user (ldaptestuser) is an ldap user and this user is a member of the ldap group (ldaptestgroup) which has all dovecot-acl rights on these folders.
>>>
>>> imap-1 # cat /opt/mail/_public/publictest/.test*/dovecot-acl
>>> group=ldaptestgroup akxeilprwts
>>> group=ldaptestgroup akxeilprwts
>>>
>>> I am now connecting with my mail client to imap-1 (through haproxy) and the subscription to this folder works. The file which is written looks like:
>>>
>>> imap-1 # cat /opt/mail/ldaptestuser/Mails/subscriptions
>>> Sent
>>> publictest/test/test1
>>> publictest/test/test2
>>>
>>> Now I am awaiting the sync to imap-2, but the file which is written looks like:
>>>
>>> imap-2 # cat /opt/mail/ldaptestuser/Mails/subscriptions
>>> Sent
>>>
>>> If I modify the dovecot-acl for .test1 to
>>>
>>> imap-1 # cat /opt/mail/_public/publictest/.test1/dovecot-acl
>>> group=ldaptestgroup akxeilprwts
>>> user=ldaptestuser akxeilprwts
>>>
>>> and execute the subscription again, the synced file looks like:
>>>
>>> imap-2 # cat /opt/mail/ldaptestuser/Mails/subscriptions
>>> Sent
>>> publictest/test/test1
>>>
>>> The subscription of public folder test2 will also be synced if I add my ldaptestuser to the acl file for this folder.
>>>
>>> 2. Another issue is unsubscribing a public folder. If I unsubscribe folder test1, it is written to the subscriptions file on the imap where I am connected, but it is NOT synced even if my user and group are configured in the dovecot-acl file. If I then unsubscribe a non-public folder (like Sent), the formerly unsubscribed folder test1 is (wrongly) subscribed again. But both imaps do have the same subscriptions for my ldaptestuser user.
>>>
>>> I have this behavior with dovecot-2.2.26 and dovecot-2.2.27 on CentOS-7 (selinux disabled).
>>>
>>> If you need more information like the dovecot -n or some other stuff, give me a short notice.
>>>
>>> Mike;
>>>
>
Mike Fröhner
2016-Dec-16 15:41 UTC
public folder subscriptions sync issue with ldap user/group in dovecot-acl
Hi again, here are some more debug outputs:

On 12/16/2016 03:25 PM, Mike Fröhner wrote:
> Thanks for your reply Timo.
>
> On 12/14/2016 06:40 PM, Timo Sirainen wrote:
>> On 14 Dec 2016, at 11.16, Mike Fröhner <mikefroehner at gmx.de <mailto:mikefroehner at gmx.de>> wrote:
>>>
>>> I made some additional tests and found that local unix groups also do not work as a replacement for my ldap groups, as described below.
>>>
>>> Is it intended that groups in dovecot-acl do not work?
>>
>> http://wiki2.dovecot.org/ACL -> ACL groups support works by returning a comma-separated acl_groups extra field from userdb, which contains all the groups the user belongs to. User's UNIX groups have no effect on ACLs (you can "enable" them by using a special post-login script).
>
> I think I have configured the userdb right, because the debug log tells me this:
>
> imap-1 dovecot: imap(ldaptestuser): Debug: acl: acl username = ldaptestuser
> imap-1 dovecot: imap(ldaptestuser): Debug: acl: owner = 1
> imap-1 dovecot: imap(ldaptestuser): Debug: acl: group added: mailusers
> imap-1 dovecot: imap(ldaptestuser): Debug: acl: group added: ldaptestgroup

Well, the IMAP debug lists/adds the groups, but the doveadm one does not:

Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: auth PASS input: user=ldaptestuser
Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: auth USER input: ldaptestuser home=/opt/mail/ldaptestuser mail=maildir:/opt/mail/ldaptestuser/Mails gid=991 uid=834603987
Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: Added userdb setting: mail=maildir:/opt/mail/ldaptestuser/Mails
Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: Effective uid=834603987, gid=991, home=/opt/mail/ldaptestuser
Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: Namespace public-test: type=public, prefix=public/test/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=no location=maildir:/opt/mail/_public/test
Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: maildir++: root=/opt/mail/_public/test, index=, indexpvt=, control=, inbox=, alt
Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: acl: initializing backend with data: vfile
Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: acl: acl username = ldaptestuser
Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: acl: owner = 0
Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: acl vfile: Global ACLs disabled

The debug output is identical on imap-1 and imap-2.

>
>>
>>>
>>> On 12/13/2016 03:47 PM, Mike Fröhner wrote:
>>>> Hello people,
>>>>
>>>> I am having an issue with 'doveadm sync'. I am currently trying to have two dovecots behind an haproxy (works fine). Therefore I configured these two dovecot servers (imap-1/imap-2) to sync through dsync. This works only partly. The sync of the mailboxes is fine, but the sync of the subscriptions file works only partly. It works for private folder subscriptions, but not completely for public folder subscriptions. I found two issues if I am using LDAP (user/groups) in dovecot ACLs.
>>>>
>>>> 1. I would like to subscribe to two public folders (public/test/test1 and public/test/test2).
>>>>
>>>> My user (ldaptestuser) is an ldap user and this user is a member of the ldap group (ldaptestgroup) which has all dovecot-acl rights on these folders.
>>>>
>>>> imap-1 # cat /opt/mail/_public/publictest/.test*/dovecot-acl
>>>> group=ldaptestgroup akxeilprwts
>>>> group=ldaptestgroup akxeilprwts
>>>>
>>>> I am now connecting with my mail client to imap-1 (through haproxy) and the subscription to this folder works. The file which is written looks like:
>>>>
>>>> imap-1 # cat /opt/mail/ldaptestuser/Mails/subscriptions
>>>> Sent
>>>> publictest/test/test1
>>>> publictest/test/test2
>>>>
>>>> Now I am awaiting the sync to imap-2, but the file which is written looks like:
>>>>
>>>> imap-2 # cat /opt/mail/ldaptestuser/Mails/subscriptions
>>>> Sent
>>>>
>>>> If I modify the dovecot-acl for .test1 to
>>>>
>>>> imap-1 # cat /opt/mail/_public/publictest/.test1/dovecot-acl
>>>> group=ldaptestgroup akxeilprwts
>>>> user=ldaptestuser akxeilprwts
>>>>
>>>> and execute the subscription again, the synced file looks like:
>>>>
>>>> imap-2 # cat /opt/mail/ldaptestuser/Mails/subscriptions
>>>> Sent
>>>> publictest/test/test1
>>>>
>>>> The subscription of public folder test2 will also be synced if I add my ldaptestuser to the acl file for this folder.
>>>>
>>>> 2. Another issue is unsubscribing a public folder. If I unsubscribe folder test1, it is written to the subscriptions file on the imap where I am connected, but it is NOT synced even if my user and group are configured in the dovecot-acl file. If I then unsubscribe a non-public folder (like Sent), the formerly unsubscribed folder test1 is (wrongly) subscribed again. But both imaps do have the same subscriptions for my ldaptestuser user.
>>>>
>>>> I have this behavior with dovecot-2.2.26 and dovecot-2.2.27 on CentOS-7 (selinux disabled).
>>>>
>>>> If you need more information like the dovecot -n or some other stuff, give me a short notice.
>>>>
>>>> Mike;
>>>>
>>
>
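The two technical points in this thread, Timo's note that ACL group membership comes only from the userdb acl_groups field, and Mike's observation that the doveadm debug output has no "acl: group added:" lines while the imap session's output does, can be checked mechanically. The following Python script is an added example, not code from the thread and not Dovecot's own code. It parses the posted debug lines to recover the ACL identity each process ended up with (username, owner flag, acl groups), then evaluates the posted dovecot-acl files against that identity. The ACL evaluation is a deliberately simplified model and an assumption: rights of every matching entry are OR'ed, entries whose rights start with "-" are subtracted afterwards, and group-override is treated like group; the "l" (lookup) right is taken as the one that makes a mailbox listable and subscribable. The sample log lines and ACL files are constructed from what is quoted above.

```python
"""Added example (not from the thread, not Dovecot code): recover the ACL
identity from Dovecot 'acl:' debug lines and evaluate dovecot-acl files
against it with a simplified rights model (assumption, see docstrings)."""
import re

# Constructed from the imap-session debug output quoted in the thread.
IMAP_DEBUG = """\
imap-1 dovecot: imap(ldaptestuser): Debug: acl: acl username = ldaptestuser
imap-1 dovecot: imap(ldaptestuser): Debug: acl: owner = 1
imap-1 dovecot: imap(ldaptestuser): Debug: acl: group added: mailusers
imap-1 dovecot: imap(ldaptestuser): Debug: acl: group added: ldaptestgroup
"""

# Constructed from the doveadm debug output quoted in the thread.
DOVEADM_DEBUG = """\
Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: acl: initializing backend with data: vfile
Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: acl: acl username = ldaptestuser
Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: acl: owner = 0
Dec 16 16:36:12 imap-1 dovecot: doveadm(ldaptestuser): Debug: acl vfile: Global ACLs disabled
"""

# The two dovecot-acl variants from the thread: test2 (group entry only)
# and test1 after the user= entry was added.
ACL_GROUP_ONLY = "group=ldaptestgroup akxeilprwts\n"
ACL_GROUP_AND_USER = "group=ldaptestgroup akxeilprwts\nuser=ldaptestuser akxeilprwts\n"


def parse_acl_identity(log):
    """Recover (user, owner flag, acl groups) from Dovecot 'acl:' debug lines."""
    ident = {"user": None, "owner": False, "groups": []}
    for line in log.splitlines():
        m = re.search(r"acl: acl username = (\S+)", line)
        if m:
            ident["user"] = m.group(1)
            continue
        m = re.search(r"acl: owner = ([01])", line)
        if m:
            ident["owner"] = m.group(1) == "1"
            continue
        m = re.search(r"acl: group added: (\S+)", line)
        if m:
            ident["groups"].append(m.group(1))
    return ident


def parse_acl_file(text):
    """dovecot-acl vfile lines: '<identifier> <rights> [<rights> ...]'."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        entries.append((parts[0], parts[1:]))
    return entries


def entry_matches(identifier, identity):
    """Does an ACL identifier apply to the identity a process resolved?"""
    if identifier in ("anyone", "anonymous"):
        return True
    if identifier == "authenticated":
        return identity["user"] is not None
    if identifier == "owner":
        return identity["owner"]
    kind, _, name = identifier.partition("=")
    if kind == "user":
        return name == identity["user"]
    if kind in ("group", "group-override"):
        # Only groups that reached the process via the userdb acl_groups
        # field are in the identity; UNIX groups never appear here.
        return name in identity["groups"]
    return False


def effective_rights(acl_text, identity):
    """Simplified model (assumption): union of matching positive rights,
    minus any matching negative ('-') rights. Returns sorted right letters."""
    allowed, denied = set(), set()
    for identifier, tokens in parse_acl_file(acl_text):
        if not entry_matches(identifier, identity):
            continue
        for tok in tokens:
            (denied if tok.startswith("-") else allowed).update(tok.lstrip("-"))
    return "".join(sorted(allowed - denied))


def subscribable(acl_text, identity):
    """'l' (lookup) is the right that lets a mailbox be listed and subscribed."""
    return "l" in effective_rights(acl_text, identity)


def run():
    """Evaluate the thread's ACL files under the imap and doveadm identities."""
    imap = parse_acl_identity(IMAP_DEBUG)
    doveadm = parse_acl_identity(DOVEADM_DEBUG)
    return {
        "imap/test2": subscribable(ACL_GROUP_ONLY, imap),
        "doveadm/test2": subscribable(ACL_GROUP_ONLY, doveadm),
        "doveadm/test1": subscribable(ACL_GROUP_AND_USER, doveadm),
    }


if __name__ == "__main__":
    for case, ok in run().items():
        print(f"{case}: {'visible' if ok else 'NOT visible'}")
```

Under this model the doveadm identity (no acl groups) sees nothing in a folder whose ACL has only a group= line, but does see the folder once a user= line is present, which is the same pattern as the subscription sync results reported above. The practical check this suggests is to compare the groups a `doveadm` process is handed by the userdb lookup with those an imap login gets, since only the former identity is used by dsync.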