Re: PTS & LDAP Take 3

2004-01-18 Thread Tim Pushor
Igor Brezac wrote:

> You could use ldap_whoami() instead of the first query.

Where does that come from?

>>> You do not need to do anything with this.  The identifier is passed to pts
>>> for canonicalization, the group is not validated.

>> I don't see this in ldap.c. The identifier group:xxx gets passed into
>> pts as the identifier and rejected by the canonicalizer because of the
>> colon. So the canonicalized identifier is null throughout the rest of the
>> code. I don't see a test for group: anywhere (or in afskrb.c either).
>> So assuming that we just want to make sure that the group name is valid,
>> and that the canonicalizer should be fixed to recognize group:xxx
>> syntax, what then am I supposed to do with it? Returning NULL seems to Do
>> Bad Things, and I don't see an entry for canonicalized group in the
>> auth_state struct..

> Have you tried to step through the program with gdb or other debugger?

No, ldap.c doesn't work for me at all. If there are no memberOf
attributes, it dies and user authentication fails (!). I guess I could
set up a test user and step through it, but I did see what was happening
at least in my adaptation of ldap.c. Canonicalization (of a group) was
returning null because of the colon. So what use is it? There are enough
unknowns that I would like to get cleared up if at all possible. I was
hoping someone from CMU would be able to help advise.

Thanks,
Tim
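The failure described in the message above, next to a prefix-aware variant of the kind it asks about, as an added example that is not Cyrus code and was not posted in this thread. The character policy, the lower-casing and the names `canon_name`, `canon_naive`, `canon_prefix_aware` and `set_acl_identifier` are assumptions made for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define GROUP_PREFIX "group:"

/* Assumed policy for a bare name: letters, digits, '.', '-' and '_'.
 * ':' is deliberately absent, so "group:xxx" fails if checked as a whole. */
static int name_char_ok(unsigned char c) {
    return isalnum(c) || c == '.' || c == '-' || c == '_';
}

/* Validate and lower-case a bare name into out. Returns 0, or -1 if invalid. */
static int canon_name(const char *in, char *out, size_t outsz) {
    size_t n = strlen(in);
    if (n == 0 || n >= outsz) return -1;
    for (size_t i = 0; i < n; i++) {
        if (!name_char_ok((unsigned char)in[i])) return -1;
        out[i] = (char)tolower((unsigned char)in[i]);
    }
    out[n] = '\0';
    return 0;
}

/* The behaviour described in the message: the whole identifier goes through
 * the name rules, so every group:xxx identifier comes back as NULL. */
const char *canon_naive(const char *id, char *out, size_t outsz) {
    return canon_name(id, out, outsz) == 0 ? out : NULL;
}

/* Prefix-aware variant: keep "group:" and canonicalize only the name part.
 * The group is checked for syntax only, not looked up in the directory. */
const char *canon_prefix_aware(const char *id, char *out, size_t outsz) {
    size_t plen = strlen(GROUP_PREFIX);
    if (strncmp(id, GROUP_PREFIX, plen) != 0)
        return canon_naive(id, out, outsz);
    if (outsz <= plen) return NULL;
    memcpy(out, GROUP_PREFIX, plen);
    return canon_name(id + plen, out + plen, outsz - plen) == 0 ? out : NULL;
}

/* Caller side: a NULL result is turned into an explicit refusal here, so no
 * later code stores or compares a null identifier. Returns 0 or -1. */
int set_acl_identifier(const char *id, char *stored, size_t sz) {
    if (canon_prefix_aware(id, stored, sz) == NULL) {
        if (sz > 0) stored[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void) {
    /* Constructed sample identifiers. */
    const char *ids[] = { "tim", "group:Staff", "group:", "group:a:b" };
    char buf[64];
    for (size_t i = 0; i < sizeof ids / sizeof ids[0]; i++) {
        const char *n = canon_naive(ids[i], buf, sizeof buf);
        printf("%-12s naive=%-6s ", ids[i], n ? n : "NULL");
        const char *p = canon_prefix_aware(ids[i], buf, sizeof buf);
        printf("prefix-aware=%s\n", p ? p : "NULL");
    }
    return 0;
}
```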




Re: Messed up my database libraries, help!

2004-01-18 Thread Mark London
At 6:43 PM -0600 1/18/04, Jim Levie wrote:
> On Sun, 2004-01-18 at 16:56, Mark London wrote:
>> Hi - On redhat 9, I accidentally deleted a bunch of files in /lib.  I
>> installed the rpms I downloaded from redhat, including db4.  However,
>> I'm getting the following errors, even though I recompiled cyrus.
>> Any suggestions?  I must have messed up the db libraries, but I can't
>> figure out how.  Thanks. -  Mark
>
> I'd suggest doing an 'rpm --verify -a' and see what lib related things
> it complains about. You may not have gotten everything re-installed that
> got deleted.

Good suggestion, but it didn't help.  However, I did a google search,
and found that there is a problem with the latest redhat build of
db4!  db4-utils-4.0.14-20 will not work, and will produce the errors
I reported.  While the suggested fix is to patch and build it from
the sources, I simply reverted back to the earlier
db4-utils-4.0.14-14 version, and the errors went away.  One problem
always leads to another, sigh.  Thanks.

Mark


Re: PTS & LDAP Take 3

2004-01-18 Thread Igor Brezac

On Sun, 18 Jan 2004, Tim Pushor wrote:

>
>
> Igor Brezac wrote:
>
> >I see.  I did not realize you were going to retrieve groups with another
> >search filter.  This should work.
> >
> >
> >
> Yeah, I'm sure it will. I wish I could do it in one query though.. How

You could use ldap_whoami() instead of the first query.

> often does the ptloader get called on? Will the pts cache here help at
> all? What exactly does the pts cache do? (I realize that it probably
> caches authorization info, but is it always consulted first, before
> asking the ptloader to look up the information again?)
>
> >>That's what I thought as well. I have already written the code that does
> >>the user group membership check in ldap.c, but when I went to test it
> >>via cyradm - I created a folder, and tried to set a group:xxx ACL and at
> >>that exact point the identifier group:xxx was passed into the pts and I
> >>don't know what to do with it (do we check to see if it's a valid group??
> >>I didn't see what to do in the original ldap.c code, afskrb.c, or any
> >>other file. Perhaps I'm thick, but I just wanted to make sure there
> >>wasn't anything else I was missing before going on).
> >>
> >>
> >
> >You do not need to do anything with this.  The identifier is passed to pts
> >for canonicalization, the group is not validated.
> >
> >
> >
> I don't see this in ldap.c. The identifier group:xxx gets passed into
> pts as the identifier and rejected by the canonicalizer because of the
> colon. So the canonicalized identifier is null throughout the rest of the
> code. I don't see a test for group: anywhere (or in afskrb.c either).
> So assuming that we just want to make sure that the group name is valid,
> and that the canonicalizer should be fixed to recognize group:xxx
> syntax, what then am I supposed to do with it? Returning NULL seems to Do
> Bad Things, and I don't see an entry for canonicalized group in the
> auth_state struct..
>

Have you tried to step through the program with gdb or other debugger?

-- 
Igor


Re: Messed up my database libraries, help!

2004-01-18 Thread Jim Levie
On Sun, 2004-01-18 at 16:56, Mark London wrote:
> Hi - On redhat 9, I accidentally deleted a bunch of files in /lib.  I
> installed the rpms I downloaded from redhat, including db4.  However,
> I'm getting the following errors, even though I recompiled cyrus.
> Any suggestions?  I must have messed up the db libraries, but I can't
> figure out how.  Thanks. -  Mark
>
I'd suggest doing an 'rpm --verify -a' and see what lib related things
it complains about. You may not have gotten everything re-installed that
got deleted.

Also, if you had to re-install glibc it is important that you used the
correct CPU specific rpms. On a Pentium (where 'uname -m' returns i686)
you must use the i686 rpm of glibc-2.3.2-27.9.7
-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
The instructions said to use Windows 98 or better, so I installed RedHat
   Jim Levie email:[EMAIL PROTECTED]





Re: Skiplist causing DB problems?

2004-01-18 Thread [EMAIL PROTECTED]
Hello and thanks for your help...

> Jan 16 16:46:01 obsidian master[167]: process started
> Jan 16 16:46:01 obsidian ctl_cyrusdb[168]: recovering cyrus databases
> Jan 16 16:46:01 obsidian ctl_cyrusdb[168]: skiplist: recovered 
> /var/imap/mailboxes.db (1 record, 320 bytes) in 0 seconds
> Jan 16 16:46:01 obsidian ctl_cyrusdb[168]: done recovering cyrus databases
> Jan 16 16:46:02 obsidian master[167]: ready for work
> Jan 16 16:46:02 obsidian ctl_cyrusdb[169]: checkpointing cyrus databases
> Jan 16 16:46:02 obsidian ctl_cyrusdb[169]: DBERROR: error listing log 
> files: DB_NOTFOUND: No matching key/data pair found
> Jan 16 16:46:02 obsidian ctl_cyrusdb[169]: DBERROR: archive 
> /var/imap/db: cyrusdb error

>These are db3 errors, not skiplist errors.  If this is a new server, try 
>deleting deliver.db, tls_sessions.db and the contents of /var/imap/db

I went ahead and did as you suggested: I deleted deliver.db,
tls_sessions.db and the contents in /var/imap/db...

Still getting the same results:

Jan 18 22:54:15 centralcore master[462]: process started
Jan 18 22:54:15 centralcore ctl_cyrusdb[463]: recovering cyrus databases
Jan 18 22:54:15 centralcore ctl_cyrusdb[463]: skiplist: recovered
/var/imap/mailboxes.db (1 record, 296 bytes) in 0 seconds
Jan 18 22:54:15 centralcore ctl_cyrusdb[463]: done recovering cyrus
databases
Jan 18 22:54:15 centralcore master[462]: ready for work
Jan 18 22:54:15 centralcore ctl_cyrusdb[464]: checkpointing cyrus databases
Jan 18 22:54:15 centralcore ctl_cyrusdb[464]: DBERROR: error listing log
files: DB_NOTFOUND: No matching key/data pair found
Jan 18 22:54:15 centralcore ctl_cyrusdb[464]: DBERROR: archive
/var/imap/db: cyrusdb error
Jan 18 22:54:15 centralcore ctl_cyrusdb[464]: done checkpointing cyrus
databases

I'm at a loss as to what the problem is. Right now, I'm trying to narrow it
down as much as I can. I have a few other tests I'm going to be performing
today and tomorrow in hopes of finding more information.
Just weird that if I compile it with 'skiplist', that is where the problems
begin. If I don't, everything works out fine.

If anyone has any suggestions or recommendations, I do appreciate it.


Jason









Messed up my database libraries, help!

2004-01-18 Thread Mark London
Hi - On redhat 9, I accidentally deleted a bunch of files in /lib.  I
installed the rpms I downloaded from redhat, including db4.  However,
I'm getting the following errors, even though I recompiled cyrus.
Any suggestions?  I must have messed up the db libraries, but I can't
figure out how.  Thanks. -  Mark

Jan 18 17:43:26 mail ctl_cyrusdb[4863]: DBERROR db4: unable to join 
the environ\
ment
Jan 18 17:43:26 mail ctl_cyrusdb[4863]: DBERROR db4: 
/var/imap/db/__db.001: una\
ble to initialize environment lock: Function not implemented
Jan 18 17:43:26 mail ctl_cyrusdb[4863]: DBERROR: dbenv->open 
'/var/imap/db' fai\
led: Function not implemented


Re: Sent and Outgoing Folder issues

2004-01-18 Thread Mike O'Rourke
>>> "Troy McKinnon" <[EMAIL PROTECTED]> 01/17/04 03:34AM >>>


In squirrelmail I get the following error on the Left Hand Navigation
frame.

ERROR : Could not complete request. CREATE "INBOX.Sent" Reason Given:
Permission denied

Also when I set up an imap account I have to remove the 'special
folders'
Sent/Outgoing/deleted because I get a similar permission denied error.

I am using the allowunixsep = yes .. not sure if this is related tho?



I did some googling and found some solutions for squirrelmail.

i.e. conf.pl --> SMTP --> cyrus

 etc but it isn't a squirrelmail specific error since it is the same
for
imap.

Any ideas?

Thanks

>>
Hi Troy,

I believe that this is really a SquirrelMail issue.

IIRC, when I changed my Cyrus installation to use the unixhierarchysep,
I needed to change the SM config under Command 3 (Folder Defaults),
items 3, 4 and 5 to INBOX/Trash, INBOX/Sent and INBOX/Drafts,
respectively (note the "/" rather than the "." separator). Someone on
the SM list would probably know more about that, though.

Mike.


Re: Skiplist causing DB problems?

2004-01-18 Thread Ken Murchison


[EMAIL PROTECTED] wrote:

> Hello and thanks for your reply...
>
>> check the permissions for /var/imap/db. I had a problem with that once.
>> What's in /var/imap/db?
>
> centralcore# ls -la /var/imap/
> total 20
> drwxr-xr-x  10 cyrus  cyrus  512 Jan 17 22:23 .
> drwxr-xr-x  21 root   wheel  512 Jan 17 22:23 ..
> drwxr-xr-x   2 cyrus  cyrus  512 Jan 17 22:23 db
> drwxr-xr-x   2 cyrus  cyrus  512 Jan 17 22:23 log
> drwxr-xr-x   2 cyrus  cyrus  512 Jan 17 22:23 msg
> drwxr-xr-x   2 cyrus  cyrus  512 Jan 17 22:23 proc
> drwxr-xr-x  28 cyrus  cyrus  512 Jan 17 22:23 quota
> drwxr-xr-x  28 cyrus  cyrus  512 Jan 17 22:23 sieve
> drwxr-xr-x   2 cyrus  cyrus  512 Jan 17 22:23 socket
> drwxr-xr-x  28 cyrus  cyrus  512 Jan 17 22:23 user
>
> Also, I just tried again, using skiplist. I am getting errors now when I
> try and add a user to the sasldb backend:
> centralcore# /usr/local/sbin/saslpasswd2 -c imapadmin
>
> Jan 17 22:27:34 centralcore saslpasswd2: setpass succeeded for imapadmin
> Jan 17 22:27:34 centralcore saslpasswd2: error deleting entry from sasldb:
> DB_NOTFOUND: No matching key/data pair found
> Jan 17 22:27:34 centralcore last message repeated 2 times

This has nothing to do with skiplist, SASL and the Cyrus databases are
two entirely separate things.

The errors you see are normal.  saslpasswd2 is trying to delete some
legacy secrets, which won't exist on a new system.  The fact that
setpass succeeds is all you need to see.

--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26  Orchard Park, NY 14127
--PGP Public Key--http://www.oceana.com/~ken/ksm.pgp


Re: nntp fiddling

2004-01-18 Thread Ken Murchison


Nils Vogels wrote:
> Kevin P. Fleming wrote:
>
>> Ken Murchison wrote:
>>
>>>> There is no overlap between the groups from the different servers,
>>>> and grouping them is easy with wildcard matching:
>>>>
>>>> cups.*
>>>> microsoft.*
>>>> infragistics.*
>>>> everything else
>>>
>>> OK, so you need the newspeer option to be a *list* of peers?  But you
>>> *don't* need fetchnews to track the newsgroups by host?
>>
>> Forgive my inability to answer that at this point, I haven't studied
>> the Cyrus NNTP support documentation yet. Here is what I like to do:
>>
>> (A) mirror about a dozen newsgroups from news.west.cox.net (my ISP,
>> Usenet groups)
>> (B) mirror about a dozen newsgroups from news.microsoft.com (public
>> NNTP server)
>> (C) mirror six newsgroups from news.easysw.com (public NNTP server)
>> (D) mirror about ten newsgroups from news.infragistics.com (public
>> NNTP server)
>>
>> I read _and_ post to most of these groups. No single group comes from
>> more than one place, though, each group has only a single server that
>> I will use to get and post messages for that group.
>
> Kevin, may I ask how you managed to get multiple groups using one
> fetchnews command ?
>
> I've been trying comma delimited group names (fetchnews -n -w
> "nl.test,nl.someother" news.myisp.nl) but for some reason no articles
> are fetched then. If I use space delimitations, only the first group works.
>
> fetchnews(8) isn't too clear about this, I'm afraid and when I look at
> example wildmats in imapd.conf(5) I see comma separated grouplists
> ("peer.example.com:*,!control.*,@local.*")

Your reading of fetchnews(8) is correct, but apparently this syntax is
new to the NNTP update draft.  Both LIST ACTIVE and the wildmat format
have not been formalized up until now.  I tried this against INN 2.3.4
and it doesn't support comma-separated (or space separated) wildmat
patterns (which really sucks).  For the time being, you'll have to use
separate fetchnews commands rather than specifying multiple wildmats in
one command.  For example, instead of:

fetchnews -n -w "nl.test,nl.someother" news.myisp.nl

do:

fetchnews -n -w "nl.test" news.myisp.nl
fetchnews -n -w "nl.someother" news.myisp.nl
--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26  Orchard Park, NY 14127
--PGP Public Key--http://www.oceana.com/~ken/ksm.pgp


Re: Skiplist causing DB problems?

2004-01-18 Thread Ken Murchison


Jason Williams wrote:

> Important info:
> FreeBSD 4.9
> Cyrus-Imapd-2.1.16
> Cyrus-SASL-2.1.17
> I've setup two identical servers.
> They are both compiled with BerkeleyDB 4.1.25:
> I installed cyrus through the ports tree, but set different options upon
> compile time.
>
> (Configure options)
>
> make WITH_BDB_VER=41 WITH_SKIPLIST=YES install clean
>
> Here is the first server: (Server 1)
>
> name   : Cyrus IMAPD
> version: v2.1.16 2003/11/19 16:45:28
> vendor : Project Cyrus
> support-url: http://asg.web.cmu.edu/cyrus
> os : FreeBSD
> os-version : 4.9-RELEASE
> environment: Cyrus SASL 2.1.17
>  Sleepycat Software: Berkeley DB 4.1.25: (December 19, 2002)
>  Built w/OpenSSL 0.9.7c 30 Sep 2003
>  Running w/OpenSSL 0.9.7c 30 Sep 2003
>  CMU Sieve 2.2
>  TCP Wrappers
>  mmap = shared
>  lock = fcntl
>  nonblock = fcntl
>  auth = unix
>  idle = poll
>  mailboxes.db = skiplist
>  seen.db = skiplist
>  subs.db = flat
>  deliver.db = db3-nosync
>  tls_sessions.db = db3-nosync
> mailboxes and seen, both set with skiplist, as suggested from twiki
>
> Here is the problem, shown in my logfiles:
>
> Jan 16 16:46:01 obsidian master[167]: process started
> Jan 16 16:46:01 obsidian ctl_cyrusdb[168]: recovering cyrus databases
> Jan 16 16:46:01 obsidian ctl_cyrusdb[168]: skiplist: recovered
> /var/imap/mailboxes.db (1 record, 320 bytes) in 0 seconds
> Jan 16 16:46:01 obsidian ctl_cyrusdb[168]: done recovering cyrus databases
> Jan 16 16:46:02 obsidian master[167]: ready for work
> Jan 16 16:46:02 obsidian ctl_cyrusdb[169]: checkpointing cyrus databases
> Jan 16 16:46:02 obsidian ctl_cyrusdb[169]: DBERROR: error listing log
> files: DB_NOTFOUND: No matching key/data pair found
> Jan 16 16:46:02 obsidian ctl_cyrusdb[169]: DBERROR: archive
> /var/imap/db: cyrusdb error

These are db3 errors, not skiplist errors.  If this is a new server, try
deleting deliver.db, tls_sessions.db and the contents of /var/imap/db

--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26  Orchard Park, NY 14127
--PGP Public Key--http://www.oceana.com/~ken/ksm.pgp


Re: PTS & LDAP Take 3

2004-01-18 Thread Tim Pushor


Igor Brezac wrote:

> I see.  I did not realize you were going to retrieve groups with another
> search filter.  This should work.

Yeah, I'm sure it will. I wish I could do it in one query though.. How
often does the ptloader get called on? Will the pts cache here help at
all? What exactly does the pts cache do? (I realize that it probably
caches authorization info, but is it always consulted first, before
asking the ptloader to look up the information again?)

>> That's what I thought as well. I have already written the code that does
>> the user group membership check in ldap.c, but when I went to test it
>> via cyradm - I created a folder, and tried to set a group:xxx ACL and at
>> that exact point the identifier group:xxx was passed into the pts and I
>> don't know what to do with it (do we check to see if it's a valid group??
>> I didn't see what to do in the original ldap.c code, afskrb.c, or any
>> other file. Perhaps I'm thick, but I just wanted to make sure there
>> wasn't anything else I was missing before going on).

> You do not need to do anything with this.  The identifier is passed to pts
> for canonicalization, the group is not validated.

I don't see this in ldap.c. The identifier group:xxx gets passed into
pts as the identifier and rejected by the canonicalizer because of the
colon. So the canonicalized identifier is null throughout the rest of the
code. I don't see a test for group: anywhere (or in afskrb.c either).
So assuming that we just want to make sure that the group name is valid,
and that the canonicalizer should be fixed to recognize group:xxx
syntax, what then am I supposed to do with it? Returning NULL seems to Do
Bad Things, and I don't see an entry for canonicalized group in the
auth_state struct..

Thanks,
Tim


Re: SQUAT indexes?

2004-01-18 Thread +archive . info-cyrus
On Fri, 16 Jan 2004 [EMAIL PROTECTED] wrote:

> On Sat, 17 Jan 2004, Craig Ringer wrote:
>
> > Nils Vogels wrote:
> > > Why not just run squatter from master ?
> > >
> > > This works deliciously over here:
> > >
> > > EVENTS {
> > >...
> > >  # Let's squat em
> > >  squat_usercmd="squatter -r -s user" period=1440
> > >...
> > > }
> >
> > That indexes all user mailboxes, including the trash etc. I only want to
> > automatically index INBOXES, plus any other mailboxes the user requests.
>
> Could always use the new squat annotation.  That's also... tasty?
>
> localhost> mboxconfig user.amos squat true
>
> Yum, yum.

Actually, I forgot that the squat annotation is inherited:

 -a   Only create indexes for mailboxes which have the shared
  /vendor/cmu/cyrus-imapd/squat annotation set to "true".

  The value of the /vendor/cmu/cyrus-imapd/squat  annota-
  tion is inherited by all children of the given mailbox,
  so an entire  mailbox  tree  can  be  indexed  (or  not
  indexed)  by setting a single annotation on the root of
  that tree with a value of "true" (or  "false").   If  a
  mailbox  does  not have a /vendor/cmu/cyrus-imapd/squat
  annotation set on it (or does not  inherit  one),  then
  the mailbox is not indexed.  In other words, the impli-
  cit value of /vendor/cmu/cyrus-imapd/squat is "false".


Shame because I thought this might be handy to just squat the
inboxes.  So, this loops right back into the discussion of
"squatter -s user.%"  ;-)

I wonder if maybe there could/should be additional annotations,
one for recursive, one for not.  So maybe, to be backwards
compatible, "/squat" would be recursive, but "/squatthis" would
not?

More tasty?

-- 
Amos
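The inheritance rule quoted from the squatter man page, and the non-recursive annotation suggested at the end of the message above, worked through as an added example (not Cyrus code and not posted in this thread). It assumes "." as the hierarchy separator, that the nearest annotated ancestor wins, and one possible reading of the proposed "/squatthis"; all type and function names are made up for the illustration.

```c
#include <stdio.h>
#include <string.h>

enum tri { UNSET = -1, NO = 0, YES = 1 };

/* One row per mailbox that carries an annotation. */
struct annot {
    const char *mailbox;
    enum tri squat;      /* /vendor/cmu/cyrus-imapd/squat, inherited by children */
    enum tri squatthis;  /* hypothetical non-recursive variant from the message */
};

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed sample annotation sets. */
static const struct annot recursive[]  = { { "user.amos", YES, UNSET } };
static const struct annot inbox_only[] = { { "user.amos", UNSET, YES } };
static const struct annot mixed[]      = { { "user.amos", YES, UNSET },
                                           { "user.amos.Trash", NO, UNSET } };

/* Find the row for the first len bytes of mbox, or NULL if not annotated. */
static const struct annot *find(const struct annot *a, size_t n,
                                const char *mbox, size_t len) {
    for (size_t i = 0; i < n; i++)
        if (strlen(a[i].mailbox) == len && memcmp(a[i].mailbox, mbox, len) == 0)
            return &a[i];
    return NULL;
}

/* Walk from the mailbox up through its parents; the first explicit squat
 * value found decides. Nothing found anywhere means the implicit "false". */
int squat_inherited(const struct annot *a, size_t n, const char *mbox) {
    size_t len = strlen(mbox);
    while (len > 0) {
        const struct annot *e = find(a, n, mbox, len);
        if (e && e->squat != UNSET) return e->squat == YES;
        while (len > 0 && mbox[len - 1] != '.') len--;  /* back to the last '.' */
        if (len > 0) len--;                             /* drop the '.' itself */
    }
    return 0;
}

/* With the proposed annotation: a value set on the mailbox itself applies to
 * that mailbox only; otherwise fall back to the inherited squat value. */
int should_index(const struct annot *a, size_t n, const char *mbox) {
    const struct annot *e = find(a, n, mbox, strlen(mbox));
    if (e && e->squatthis != UNSET) return e->squatthis == YES;
    return squat_inherited(a, n, mbox);
}

int main(void) {
    const char *boxes[] = { "user.amos", "user.amos.Trash", "user.craig" };
    for (size_t i = 0; i < COUNT(boxes); i++)
        printf("%-16s recursive=%d inbox_only=%d mixed=%d\n", boxes[i],
               should_index(recursive, COUNT(recursive), boxes[i]),
               should_index(inbox_only, COUNT(inbox_only), boxes[i]),
               should_index(mixed, COUNT(mixed), boxes[i]));
    return 0;
}
```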


Re: nntp fiddling

2004-01-18 Thread Kevin P. Fleming
Nils Vogels wrote:

> Kevin, may I ask how you managed to get multiple groups using one
> fetchnews command ?
>
> I've been trying comma delimited group names (fetchnews -n -w
> "nl.test,nl.someother" news.myisp.nl) but for some reason no articles
> are fetched then. If I use space delimitations, only the first group works.
>
> fetchnews(8) isn't too clear about this, I'm afraid and when I look at
> example wildmats in imapd.conf(5) I see comma separated grouplists
> ("peer.example.com:*,!control.*,@local.*")
>
> Else I will be fetchnews-ing a complete feed (including binaries) while
> I really only need a few groups, right ?

I haven't actually had a chance to set it up yet, it's on my list for
this coming week.



Re: PTS & LDAP Take 3

2004-01-18 Thread Igor Brezac

On Sat, 17 Jan 2004, Tim Pushor wrote:

> Igor Brezac wrote:
>
> >I do not see how this is going to work within cyrus context.  You will
> >need to change a lot more than just ptloader/ldap code for this to work.
> >
> >
> >
> Perhaps I don't understand everything involved, but ptloader now just
> finds the user record via user definable filter, and only cares about
> the memberOf attributes, which it cycles through to find the user's group
> membership. What I am doing now is to find the user dn via definable
> filter, then search for that dn in a groups container, and cycle through
> all returned entries, picking the cn of each as the group name. Two ldap
> queries unfortunately, but at least both are equality searches..

I see.  I did not realize you were going to retrieve groups with another
search filter.  This should work.

>
> >I do not think such docs exist (except for the code itself).  Basically,
> >whenever a user logs in, cyrus fetches all groups the user is member of
> >(ptloader/ldap does this in your case).  This group list is later used for
> >mailbox access (check lib/auth_pts.c).
> >
> >
> >
> That's what I thought as well. I have already written the code that does
> the user group membership check in ldap.c, but when I went to test it
> via cyradm - I created a folder, and tried to set a group:xxx ACL and at
> that exact point the identifier group:xxx was passed into the pts and I
> don't know what to do with it (do we check to see if it's a valid group??
> I didn't see what to do in the original ldap.c code, afskrb.c, or any
> other file. Perhaps I'm thick, but I just wanted to make sure there
> wasn't anything else I was missing before going on).

You do not need to do anything with this.  The identifier is passed to pts
for canonicalization, the group is not validated.

-- 
Igor


Re: PTS & LDAP Take 3

2004-01-18 Thread Tim Pushor
Igor Brezac wrote:

> I do not see how this is going to work within cyrus context.  You will
> need to change a lot more than just ptloader/ldap code for this to work.

Perhaps I don't understand everything involved, but ptloader now just
finds the user record via user definable filter, and only cares about
the memberOf attributes, which it cycles through to find the user's group
membership. What I am doing now is to find the user dn via definable
filter, then search for that dn in a groups container, and cycle through
all returned entries, picking the cn of each as the group name. Two ldap
queries unfortunately, but at least both are equality searches..

> I do not think such docs exist (except for the code itself).  Basically,
> whenever a user logs in, cyrus fetches all groups the user is member of
> (ptloader/ldap does this in your case).  This group list is later used for
> mailbox access (check lib/auth_pts.c).

That's what I thought as well. I have already written the code that does
the user group membership check in ldap.c, but when I went to test it
via cyradm - I created a folder, and tried to set a group:xxx ACL and at
that exact point the identifier group:xxx was passed into the pts and I
don't know what to do with it (do we check to see if it's a valid group??
I didn't see what to do in the original ldap.c code, afskrb.c, or any
other file. Perhaps I'm thick, but I just wanted to make sure there
wasn't anything else I was missing before going on).

> You'd be better off writing an ldap authorization module.  Check
> lib/auth_unix.c for an example.

Like I said, I don't think there's any problem with my approach (other
than it being two ldap queries) but I'd sure like to know a little more
about this ptloader subsystem - like what to do with group:xxx entries,
and anything else other than just raw user/group lookups, and what the
pts cache actually does.

Also, another interesting thing - it seems that the original ldap.c code
would return null if it didn't find any memberOf attributes in the user
record and Authentication would fail!

Thanks,
Tim