Dear Sir,

I'm having problems with the implementation of prefetch userdb.

Following the directions on the wiki (http://wiki2.dovecot.org/UserDatabase/Prefetch), I am still unable to avoid the second search against the user backend (LDAP).

Could you give me any advice or tips to achieve my goal?


Thanks a lot,

Hector M. Jacas



My ldap has the following structure:

search base: ou=Domains,dc=test,dc=local

*******************************
domains tree:

    domain2.com: dc=domain2.com,ou=Domains,dc=test,dc=local

    Definition of mailuser1 on domain2.com:

       dn: uid=mailuser1,dc=domain2.com,ou=Domains,dc=test,dc=local
       uid: mailuser1
       cn: User mailuser1
       sn: User 1
       displayName: User mailuser1
       objectClass: inetOrgPerson
       objectClass: organizationalPerson
       objectClass: person
       objectClass: top
       mail: [email protected]

*************************************
    domain1.com: dc=domain1.com,ou=Domains,dc=test,dc=local

    Definition of mailuser1 on domain1.com:

       dn: uid=mailuser1,dc=domain1.com,ou=Domains,dc=test,dc=local
       uid: mailuser1
       cn: User mailuser1
       sn: User 1
       displayName: User mailuser1
       objectClass: inetOrgPerson
       objectClass: organizationalPerson
       objectClass: person
       objectClass: top
       mail: [email protected]

*************************************
/etc/dovecot/dovecot-ldap.conf.ext content:

# Connection settings for the directory behind both passdb and userdb
# (dovecot.conf passes this same file as args to each).
hosts = ldapserver
# Passwords are checked by binding to the directory as the user rather than
# by comparing a hash fetched into Dovecot.
auth_bind = yes
ldap_version = 3
# NOTE(review): tls = no together with a bare host name means the bind, and
# so the user's password, presumably crosses the network in clear text;
# confirm the path to ldapserver is trusted or enable TLS.
tls = no
base = ou=Domains,dc=test,dc=local
scope = subtree

# userdb lookup: match the full address in %u against the mail attribute.
user_filter = (&(objectclass=inetOrgPerson)(mail=%u))
# Every field is a static template (leading "="); nothing is read from the entry.
user_attrs = =home=/var/vmail/mailboxes/%Ld/%Ln/%Ln,=uid=500,=gid=500

# NOTE(review): likely unused while auth_bind = yes, since the directory
# verifies the password; confirm.
default_pass_scheme = CRYPT

pass_filter = (&(objectclass=inetOrgPerson)(mail=%u))
# The userdb_-prefixed fields are the ones the prefetch userdb consumes.
# NOTE(review): uid=user replaces the login name with the bare uid (the auth
# log shows "username changed ... -> mailuser1"), and uid mailuser1 exists in
# both domains; confirm that dropping the domain cannot mix up accounts.
# NOTE(review): the home template here uses %8Ln where user_attrs uses %Ln,
# so the two lookups would not agree on the home directory.
pass_attrs = uid=user,password=userPassword,=userdb_home=/var/vmail/mailboxes/%Ld/%8Ln/%Ln, \
           =userdb_uid=500,=userdb_gid=500

# Used when listing all users (iteration).
iterate_attrs = mail=user
iterate_filter = (objectclass=inetOrgPerson)

************************************
auth test result for [email protected]:

# doveadm [email protected] password auth test
passdb: [email protected] auth succeeded
Extra fields:
  user=mailuser1

And in /var/log/maillog (enabled debug auth options):

Apr 26 14:00:33 nfs-7-00 dovecot: auth: Debug: auth client connected (pid=0)
Apr 26 14:00:33 nfs-7-00 dovecot: auth: Debug: client in: AUTH 1 PLAIN service=doveadm resp=<hidden>
Apr 26 14:00:33 nfs-7-00 dovecot: auth: Debug: ldap([email protected]): bind search: base=ou=Domains,dc=test,dc=local filter=(&(objectclass=inetOrgPerson)([email protected]))
Apr 26 14:00:33 nfs-7-00 dovecot: auth: Debug: ldap([email protected]): result: uid=mailuser1; uid unused
Apr 26 14:00:33 nfs-7-00 dovecot: auth: Debug: auth([email protected]): username changed [email protected] -> mailuser1
Apr 26 14:00:33 nfs-7-00 dovecot: auth: Debug: ldap(mailuser1): result: uid=mailuser1
Apr 26 14:00:33 nfs-7-00 dovecot: auth: Debug: client passdb out: OK 1 user=mailuser1


*****************************
[email protected] doveadm user result:

# doveadm user [email protected]
field value
uid 500
gid 500
home /var/vmail/mailboxes/domain2.com/mailuser1/mailuser1
maildir mail: /var/vmail/mailboxes/domain2.com/mailuser/mailuser1:INDEX=MEMORY

And in /var/log/maillog (enabled debug auth options):

Apr 26 14:01:19 nfs-7-00 dovecot: auth: Debug: master in: USER 1 [email protected] service=doveadm
Apr 26 14:01:19 nfs-7-00 dovecot: auth: Debug: prefetch([email protected]): passdb didn't return userdb entries, trying the next userdb
Apr 26 14:01:19 nfs-7-00 dovecot: auth: Debug: ldap([email protected]): user search: base=ou=Domains,dc=test,dc=local scope=subtree filter=(&(objectclass=inetOrgPerson)([email protected])) fields=
Apr 26 14:01:19 nfs-7-00 dovecot: auth: Debug: ldap([email protected]): result: uid=mailuser1 cn=Usuario mailuser1 sn=Usuario 1 displayName=Usuario mailuser1 objectClass=inetOrgPerson,inetOrgPerson,inetOrgPerson,inetOrgPerson [email protected]; objectClass,cn,uid,mail,displayName,sn unused
Apr 26 14:01:19 nfs-7-00 dovecot: auth: Debug: ldap([email protected]): result: uid=mailuser1 cn=Usuario mailuser1 sn=Usuario 1 displayName=Usuario mailuser1 objectClass=inetOrgPerson,inetOrgPerson,inetOrgPerson,inetOrgPerson [email protected]; objectClass,cn,uid,mail,displayName,sn unused
Apr 26 14:01:19 nfs-7-00 dovecot: auth: Debug: userdb out: USER 1 [email protected] home=/var/vmail/mailboxes/domain2.com/mailuser1/mailuser1 uid=500 gid=500


***************************
My base system is RHEL7 with 24 CPUs and 16GB of RAM; the LDAP backend is 389 DS 1.2.2 on RHEL 6.6.

# 2.2.10: /etc/dovecot/dovecot.conf
# OS: Linux 3.10.0-123.20.1.el7.x86_64 x86_64 Red Hat Enterprise Linux Server release 7.0 (Maipo) nfs4
# Global settings from the configuration dump.
# Auth debug logging is on; the quoted maillog excerpts come from it.
auth_debug = yes
# Only cleartext SASL mechanisms are offered.
auth_mechanisms = plain login
auth_verbose = yes
default_client_limit = 50000
# NOTE(review): permits PLAIN/LOGIN on connections without TLS, so clients can
# send passwords unencrypted; confirm this is limited to a trusted network or
# a test setup.
disable_plaintext_auth = no
listen = *
# fsync, NFS and mmap settings below match the nfs4 storage named in the
# dump header.
mail_fsync = always
mail_gid = 500
# The second path component uses %8n, as pass_attrs' userdb_home does with
# %8Ln; user_attrs' home uses the untruncated %Ln instead.
mail_location = maildir:/var/vmail/mailboxes/%d/%8n/%n:INDEX=MEMORY
mail_nfs_index = yes
mail_nfs_storage = yes
mail_uid = 500
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
mmap_disable = yes
# The single inbox namespace, with an empty prefix and location, declaring
# the special-use mailboxes advertised to clients.
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  # Second mailbox flagged \Sent, alongside "Sent" above.
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
# Password lookups go to LDAP. The pass_attrs line in this file is where the
# userdb_* fields for the prefetch userdb are defined.
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
# Sieve script locations, relative to each user's home directory (~), so they
# follow whichever home value the userdb lookup returned.
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
# The auth-userdb socket is owned by vmail:vmail with mode 0640, so other
# local accounts get no access to it.
service auth {
  unix_listener auth-userdb {
    group = vmail
    mode = 0640
    user = vmail
  }
}
# NOTE(review): doveadm is exposed on a TCP port and no ssl setting is shown
# on the listener, so doveadm traffic, including doveadm_password, is
# presumably unencrypted; confirm port 24245 is reachable only from the
# admin network.
service doveadm {
  inet_listener {
    port = 24245
  }
}
# service_count = 0 lets each login process serve many connections
# (Dovecot's high-performance mode) instead of one process per connection,
# which trades some isolation between pre-auth clients for throughput.
service imap-login {
  process_min_avail = 24
  service_count = 0
}
# NOTE(review): the two imap-urlauth services are dumped in full; presumably
# these are stock values, so confirm nothing was loosened locally.
service imap-urlauth-worker {
  chroot =
  client_limit = 1
  drop_priv_before_exec = no
  executable = imap-urlauth-worker
  extra_groups =
  group =
  idle_kill = 0
  privileged_group =
  process_limit = 8192
  process_min_avail = 0
  protocol = imap
  service_count = 1
  type =
  # Socket usable only by its owner (0600).
  unix_listener imap-urlauth-worker {
    group =
    mode = 0600
    user = $default_internal_user
  }
  user =
  # 2^64-1 bytes: effectively no memory limit for this service.
  vsz_limit = 18446744073709551615 B
}
service imap-urlauth {
  chroot =
  client_limit = 1
  drop_priv_before_exec = no
  executable = imap-urlauth
  extra_groups =
  group =
  idle_kill = 0
  privileged_group =
  process_limit = 8192
  process_min_avail = 0
  protocol = imap
  service_count = 1
  type =
  # NOTE(review): mode 0666 makes this socket accessible to any local
  # account; confirm that is acceptable on this host.
  unix_listener token-login/imap-urlauth {
    group =
    mode = 0666
    user =
  }
  user = $default_internal_user
  # 2^64-1 bytes: effectively no memory limit for this service.
  vsz_limit = 18446744073709551615 B
}
# Cap on post-login imap processes.
service imap {
  process_limit = 8192
}
# Keeps 24 pop3-login processes pre-started; unlike imap-login, no
# service_count override is set here.
service pop3-login {
  process_min_avail = 24
}
# The leading "<" makes Dovecot read the value from the named file.
# NOTE(review): no ssl = setting appears in this dump; confirm whether TLS is
# actually required, given disable_plaintext_auth = no. The private key file
# should be readable by root only.
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
# Tried first: takes the userdb_* fields that a passdb lookup already
# returned. In the quoted "doveadm user" trace the request is a bare USER
# lookup, so prefetch reports no userdb entries from passdb and falls through.
userdb {
  driver = prefetch
}
# Fallback for lookups with no passdb result to reuse; this is the LDAP user
# search seen in that trace.
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
# Allows up to 1000 concurrent IMAP connections per user and IP address.
protocol imap {
  mail_max_userip_connections = 1000
}
# NOTE(review): the network is printed as 172.28.200.0/24/24; the doubled /24
# may be a paste or dump artifact, so confirm the intended mask.
# NOTE(review): doveadm_password is a shared secret stored in this file;
# "secret" is presumably a placeholder. Use a strong value and keep the
# file unreadable to ordinary users.
local 172.28.200.0/24/24 {
  doveadm_password = secret
}



<<attachment: hector_jacas.vcf>>

