> On 31/03/2026 02:25 EEST Johannes Nohl via dovecot <[email protected]> 
> wrote:
> 
>  
> I am using dovecot 2.4.2 (almost) with new config language and I have a 
> working configuration. However, the check for disabled users permanently 
> throws errors in the log file whenever a user is missing the ldap 
> attribute for disabled. This is - in my view - due to a malfunction of the 
> filter "default". 
> 
> passdb ldap {
>   driver = ldap
>   ldap_bind = yes
>   ldap_filter = (&(|(objectClass=posixAccount)(objectClass=mailAccount))(uid=%{user}))
>   fields {
>     user = %{ldap:uid}
>     nologin = %{ldap:shadowInactive | default(null)}
>     reason = The account for this email address is disabled. 
>   }
> }
> 
> 
> This results in the following log line:
> 2026-03-31T00:46:31.102690+02:00 mailserver dovecot: 
> auth(test,ipv4,sasl:plain)<YE81n0VOVuofEeSD>: Error: ldap: auth_passdb_post 
> settings: Failed to parse configuration: Failed to expand 
> passdb_fields/nologin setting variables: ldap: No such attribute 
> 'shadowinactive'
> 
> 
> The right behaviour would be no logging on login success, because the filter 
> "default" is intended to suppress any errors ("When value is missing or 
> empty, you can use the default filter to provide value. Missing variables 
> will cause errors and must be negated with default. This does not apply to 
> all providers, some providers return empty when value is missing."). 
> https://doc.dovecot.org/2.4.2/core/settings/variables.html#variable-expansion-syntax
> 
> As you may have seen, I also had to borrow the null value from the sql db config to 
> make nologin ignore a non-present attribute. This is obviously undocumented. 
> Instead, a non-working tip is provided ("Changed: 2.4.0 Extra 
> fields can now also be set to empty string,  "). However, the following does 
> not work: "nologin = {ldap:shadowinactive | default("")}". 
> https://doc.dovecot.org/2.4.2/core/settings/variables.html
> 
> Also, the documentation is missing/hiding the part which explains that 
> "default()" can be used to avoid error logs. PR regarding the documentation 
> source is sent already. See "Fails if the attribute is not present, unless 
> the ` <missing part>"
> https://doc.dovecot.org/2.4.0/core/config/auth/databases/ldap.html#ldap-specific-variables
> 
> Is there another way to verify if account is disabled?
> --
> Johannes Nohl
> postmaster i-t-cloud
> 
> --
> Johannes Nohl
> [email protected]
> 

Hi!

Try %{ldap:shadowInactive | default}

default(null) refers to variable null, which does not exist.

Aki
