On 14 Dec 2016, at 11.16, Mike Fröhner <mikefroeh...@gmx.de> wrote:
>
> I made some additional tests and found that also local unix groups are not
> working in replacement for my ldap groups as described below.
>
> Do groups in dovecot-acl intendedly not work?

http://wiki2.dovecot.org/ACL -> ACL groups support works by returning a comma-separated acl_groups extra field from userdb, which contains all the groups the user belongs to. User's UNIX groups have no effect on ACLs (you can "enable" them by using a special post-login script).

>
> On 12/13/2016 03:47 PM, Mike Fröhner wrote:
>> Hello people,
>>
>> I am having an issue with 'doveadm sync'. I am currently trying to have
>> two dovecots behind an haproxy (works fine). Therefore I configured
>> these two dovecot servers (imap-1/imap-2) to sync through dsync. This
>> works just partly. The sync of the mailboxes is fine, but the sync of the
>> subscriptions file just works partly. It works for private folder
>> subscription, but not completely for public folder subscription. I found
>> two issues, if I am using LDAP (user/groups) in dovecot ACLs.
>>
>> 1. I would like to subscribe 2 public folders (public/test/test1 and
>> public/test/test2).
>>
>> My user (ldaptestuser) is an ldap user and this user is member of the
>> ldap group (ldaptestgroup) which does have all dovecot-acl rights on
>> these folders.
>>
>> imap-1 # cat /opt/mail/_public/publictest/.test*/dovecot-acl
>> group=ldaptestgroup akxeilprwts
>> group=ldaptestgroup akxeilprwts
>>
>> I am now connecting with my mail client to imap-1 (through haproxy) and
>> the subscription to this folder works. The file which is written looks
>> like:
>>
>> imap-1 # cat /opt/mail/ldaptestuser/Mails/subscriptions
>> Sent
>> publictest/test/test1
>> publictest/test/test2
>>
>> Now I am awaiting the synch to imap-2, but the file which is written
>> looks like:
>>
>> imap-2 # cat /opt/mail/ldaptestuser/Mails/subscriptions
>> Sent
>>
>> If I modify the dovecot-acl for .test1 to
>>
>> imap-1 # cat /opt/mail/_public/publictest/.test1/dovecot-acl
>> group=ldaptestgroup akxeilprwts
>> user=ldaptestuser akxeilprwts
>>
>> and execute the subscription again - the synced file looks like:
>>
>> imap-2 # cat /opt/mail/ldaptestuser/Mails/subscriptions
>> Sent
>> publictest/test/test1
>>
>> The subscription of public folder test2 will also be synced, if I add
>> my ldaptestuser to the acl file for this folder.
>>
>> 2. Another issue is to unsubscribe a public folder. If I unsubscribe
>> folder test1, it is written to subscriptions file on the imap where I am
>> connected, but it is NOT synced even if my user and group are configured
>> at the dovecot-acl file. If I then unsubscribe a not public folder (like
>> Sent), the former unsubscribed folder test1 is (faulty) subscribed
>> again. But both imap do have the same subscriptions for my ldaptestuser
>> user.
>>
>> I do have the behavior with dovecot-2.2.26 and dovecot-2.2.27 on
>> CentOS-7 (selinux disabled).
>>
>> If you need more information like the dovecot -n or some other stuff
>> give me a short notice.
>>
>> Mike;
>>
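
The rule stated in the reply above, as an added example that is not part of the original thread and not Dovecot's own code: a simplified Python model in which `group=` entries in a dovecot-acl file match only the names carried in the `acl_groups` userdb field. The function names are hypothetical and the two ACL files are the ones quoted in the thread; negative entries, `owner` and precedence between identifiers are not modelled.

```python
# Added illustration: a simplified model, not Dovecot's implementation.
# Only positive entries are handled; "-" (negative) entries, the "owner"
# identifier and precedence between identifiers are left out.

# The two ACL files as quoted in the thread (.test1 after the change).
TEST1_ACL = "group=ldaptestgroup akxeilprwts\nuser=ldaptestuser akxeilprwts\n"
TEST2_ACL = "group=ldaptestgroup akxeilprwts\n"


def parse_acl(text):
    """Parse dovecot-acl lines into (kind, name, rights) tuples."""
    entries = []
    for line in text.splitlines():
        ident, _, rights = line.strip().partition(" ")
        if not ident:
            continue
        kind, _, name = ident.partition("=")
        letters = rights.split(":")[0].strip()  # drop ":named rights"
        entries.append((kind, name, set(letters)))
    return entries


def effective_rights(acl_text, user, acl_groups=""):
    """Union of rights from the entries that match the user.

    acl_groups is the comma-separated userdb extra field. Nothing else
    (for example the user's UNIX groups) is consulted for group= entries.
    """
    groups = {g.strip() for g in acl_groups.split(",") if g.strip()}
    rights = set()
    for kind, name, letters in parse_acl(acl_text):
        if ((kind == "user" and name == user)
                or (kind in ("group", "group-override") and name in groups)
                or kind in ("anyone", "authenticated")):
            rights |= letters
    return rights


def can_lookup(acl_text, user, acl_groups=""):
    """'l' (lookup) makes a mailbox visible and subscribable."""
    return "l" in effective_rights(acl_text, user, acl_groups)


if __name__ == "__main__":
    for label, acl in (("test1", TEST1_ACL), ("test2", TEST2_ACL)):
        print(label, "no acl_groups:", can_lookup(acl, "ldaptestuser"),
              "| acl_groups=ldaptestgroup:",
              can_lookup(acl, "ldaptestuser", "ldaptestgroup"))
```
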