Re: PTS & LDAP Take 3
Igor Brezac wrote:

> You could use ldap_whoami() instead of the first query.

Where does that come from?

>>> You do not need to do anything with this. The identifier is passed to pts for canonicalization, the group is not validated.
>>
>> I don't see this in ldap.c. The identifier group:xxx gets passed into pts as the identifier and rejected by the canonicalizer because of the colon. So the canonicalized identifier is null throughout the rest of the code. I don't see a test for group: anywhere ( or in afskrb.c either ). So assuming that we just want to make sure that the group name is valid, and that the canonicalizer should be fixed to recognize group:xxx syntax, what then am I supposed to do with it? Returning NULL seems to Do Bad Things, and I don't see an entry for canonicalized group in the auth_state struct..
>
> Have you tried to step through the program with gdb or other debugger?

No, ldap.c doesn't work for me at all. If there are no memberOf attributes, it dies and user authentication fails (!). I guess I could setup a test user and step through it, but I did see what was happening at least in my adaptation of ldap.c. Canonicalization (of a group) was returning null because of the colon. So what use is it?

There are enough unknowns that I would like to get cleared up if at all possible. I was hoping someone from CMU would be able to help advise.

Thanks,
Tim

Re: Messed up my database libraries, help!
At 6:43 PM -0600 1/18/04, Jim Levie wrote:

> On Sun, 2004-01-18 at 16:56, Mark London wrote:
>> Hi - On redhat 9, I accidentally deleted a bunch of files in /lib. I installed the rpms I downloaded from redhat, including db4. However, I'm getting the following errors, even though I recompiled cyrus. Any suggestions? I must have messed up the db libraries, but I can't figure out how. Thanks. - Mark
>
> I'd suggest doing an 'rpm --verify -a' and see what lib related things it complains about. You may not have gotten everything re-installed that got deleted.

Good suggestion, but it didn't help. However, I did a google search, and found that there is a problem with the latest redhat build of db4! db4-utils-4.0.14-20 will not work, and will produce the errors I reported. While the suggested fix is to patch and build it from the sources, I simply reverted back to the earlier db4-utils-4.0.14-14 version, and the errors went away. One problem always leads to another, sigh. Thanks.

Mark

Re: PTS & LDAP Take 3
On Sun, 18 Jan 2004, Tim Pushor wrote:

> Igor Brezac wrote:
>
> >I see. I did not realize you were going to retrieve groups with another
> >search filter. This should work.
>
> Yeah, I'm sure it will. I wish I could do it in one query though.. How

You could use ldap_whoami() instead of the first query.

> often does the ptloader get called on? Will the pts cache here help at
> all? What exactly does the pts cache do? ( I realize that it probably
> caches authorization info, but is it always consulted first, before
> asking the ptloader to look up the information again?)
>
> >>That's what I thought as well. I have already written the code that does
> >>the user group membership check in ldap.c, but when I went to test it
> >>via cyradm - I created a folder, and tried to set a group:xxx ACL and at
> >>that exact point the identifier group:xxx was passed into the pts and I
> >>don't know what to do with it (do we check to see if it's a valid group??
> >>I didn't see what to do in the original ldap.c code, afskrb.c, or any
> >>other file. Perhaps I'm thick, but I just wanted to make sure there
> >>wasn't anything else I was missing before going on).
> >
> >You do not need to do anything with this. The identifier is passed to pts
> >for canonicalization, the group is not validated.
>
> I don't see this in ldap.c. The identifier group:xxx gets passed into
> pts as the identifier and rejected by the canonicalizer because of the
> colon. So the canonicalized identifier is null throughout the rest of the
> code. I don't see a test for group: anywhere ( or in afskrb.c either ).
> So assuming that we just want to make sure that the group name is valid,
> and that the canonicalizer should be fixed to recognize group:xxx
> syntax, what then am I supposed to do with it? Returning NULL seems to Do
> Bad Things, and I don't see an entry for canonicalized group in the
> auth_state struct..

Have you tried to step through the program with gdb or other debugger?

--
Igor

Re: Messed up my database libraries, help!
On Sun, 2004-01-18 at 16:56, Mark London wrote:

> Hi - On redhat 9, I accidentally deleted a bunch of files in /lib. I
> installed the rpms I downloaded from redhat, including db4. However,
> I'm getting the following errors, even though I recompiled cyrus.
> Any suggestions? I must have messed up the db libraries, but I can't
> figure out how. Thanks. - Mark

I'd suggest doing an 'rpm --verify -a' and see what lib related things it complains about. You may not have gotten everything re-installed that got deleted.

Also, if you had to re-install glibc it is important that you used the correct CPU specific rpms. On a Pentium (where 'uname -m' returns i686) you must use the i686 rpm of glibc-2.3.2-27.9.7

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
The instructions said to use Windows 98 or better, so I installed RedHat
Jim Levie email:[EMAIL PROTECTED]

Re: Skiplist causing DB problems?
Hello and thanks for your help...

> Jan 16 16:46:01 obsidian master[167]: process started
> Jan 16 16:46:01 obsidian ctl_cyrusdb[168]: recovering cyrus databases
> Jan 16 16:46:01 obsidian ctl_cyrusdb[168]: skiplist: recovered /var/imap/mailboxes.db (1 record, 320 bytes) in 0 seconds
> Jan 16 16:46:01 obsidian ctl_cyrusdb[168]: done recovering cyrus databases
> Jan 16 16:46:02 obsidian master[167]: ready for work
> Jan 16 16:46:02 obsidian ctl_cyrusdb[169]: checkpointing cyrus databases
> Jan 16 16:46:02 obsidian ctl_cyrusdb[169]: DBERROR: error listing log files: DB_NOTFOUND: No matching key/data pair found
> Jan 16 16:46:02 obsidian ctl_cyrusdb[169]: DBERROR: archive /var/imap/db: cyrusdb error

>These are db3 errors, not skiplist errors. If this is a new server, try
>deleting deliver.db, tls_sessions.db and the contents of /var/imap/db

I went ahead and did as you suggested: I deleted deliver.db, tls_sessions.db and the contents in /var/imap/db... Still getting the same results:

Jan 18 22:54:15 centralcore master[462]: process started
Jan 18 22:54:15 centralcore ctl_cyrusdb[463]: recovering cyrus databases
Jan 18 22:54:15 centralcore ctl_cyrusdb[463]: skiplist: recovered /var/imap/mailboxes.db (1 record, 296 bytes) in 0 seconds
Jan 18 22:54:15 centralcore ctl_cyrusdb[463]: done recovering cyrus databases
Jan 18 22:54:15 centralcore master[462]: ready for work
Jan 18 22:54:15 centralcore ctl_cyrusdb[464]: checkpointing cyrus databases
Jan 18 22:54:15 centralcore ctl_cyrusdb[464]: DBERROR: error listing log files: DB_NOTFOUND: No matching key/data pair found
Jan 18 22:54:15 centralcore ctl_cyrusdb[464]: DBERROR: archive /var/imap/db: cyrusdb error
Jan 18 22:54:15 centralcore ctl_cyrusdb[464]: done checkpointing cyrus databases

I'm at a loss as to what the problem is. Right now, I'm trying to narrow it down as much as I can. I have a few other tests I'm going to be performing today and tomorrow in hopes of finding more information.

Just weird that if I compile it with 'skiplist' that is where the problems begin. If I don't, everything works out fine. If anyone has any suggestions or recommendations, I do appreciate it.

Jason

Messed up my database libraries, help!
Hi - On redhat 9, I accidentally deleted a bunch of files in /lib. I installed the rpms I downloaded from redhat, including db4. However, I'm getting the following errors, even though I recompiled cyrus. Any suggestions? I must have messed up the db libraries, but I can't figure out how. Thanks. - Mark

Jan 18 17:43:26 mail ctl_cyrusdb[4863]: DBERROR db4: unable to join the environment
Jan 18 17:43:26 mail ctl_cyrusdb[4863]: DBERROR db4: /var/imap/db/__db.001: unable to initialize environment lock: Function not implemented
Jan 18 17:43:26 mail ctl_cyrusdb[4863]: DBERROR: dbenv->open '/var/imap/db' failed: Function not implemented

Re: Sent and Outgoing Folder issues
>>> "Troy McKinnon" <[EMAIL PROTECTED]> 01/17/04 03:34AM >>>
In squirrelmail I get the following error on the Left Hand Navigation frame.

ERROR : Could not complete request.
CREATE "INBOX.Sent"
Reason Given: Permission denied

Also when I set up an imap account I have to remove the 'special folders' Sent/Outgoing/deleted because I get a similar permission denied error.

I am using the allowunixsep = yes .. not sure if this is related tho?

I did some googling and found some solutions for squirrelmail. i.e. conf.pl --> SMTP --> cyrus etc but it isn't a squirrelmail specific error since it is the same for imap.

Any ideas? Thanks
>>

Hi Troy,

I believe that this is really a SquirrelMail issue. IIRC, when I changed my Cyrus installation to use the unixhierarchysep, I needed to change the SM config under Command 3 (Folder Defaults), items 3, 4 and 5 to INBOX/Trash, INBOX/Sent and INBOX/Drafts, respectively (note the "/" rather than the "." separator). Someone on the SM list would probably know more about that, though.

Mike.

Re: Skiplist causing DB problems?
[EMAIL PROTECTED] wrote:

> Hello and thanks for your reply...
>
> check the permissions for /var/imap/db. I had a problem with that once. What's in /var/imap/db?
>
> centralcore# ls -la /var/imap/
> total 20
> drwxr-xr-x 10 cyrus cyrus 512 Jan 17 22:23 .
> drwxr-xr-x 21 root wheel 512 Jan 17 22:23 ..
> drwxr-xr-x 2 cyrus cyrus 512 Jan 17 22:23 db
> drwxr-xr-x 2 cyrus cyrus 512 Jan 17 22:23 log
> drwxr-xr-x 2 cyrus cyrus 512 Jan 17 22:23 msg
> drwxr-xr-x 2 cyrus cyrus 512 Jan 17 22:23 proc
> drwxr-xr-x 28 cyrus cyrus 512 Jan 17 22:23 quota
> drwxr-xr-x 28 cyrus cyrus 512 Jan 17 22:23 sieve
> drwxr-xr-x 2 cyrus cyrus 512 Jan 17 22:23 socket
> drwxr-xr-x 28 cyrus cyrus 512 Jan 17 22:23 user
>
> Also, I just tried again, using skiplist. I am getting errors now when I try and add a user to the sasldb backend:
>
> centralcore# /usr/local/sbin/saslpasswd2 -c imapadmin
> Jan 17 22:27:34 centralcore saslpasswd2: setpass succeeded for imapadmin
> Jan 17 22:27:34 centralcore saslpasswd2: error deleting entry from sasldb: DB_NOTFOUND: No matching key/data pair found
> Jan 17 22:27:34 centralcore last message repeated 2 times

This has nothing to do with skiplist, SASL and the Cyrus databases are two entirely separate things. The errors you see are normal. saslpasswd2 is trying to delete some legacy secrets, which won't exist on a new system. The fact that setpass succeeds is all you need to see.

--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26 Orchard Park, NY 14127
--PGP Public Key--http://www.oceana.com/~ken/ksm.pgp

Re: nntp fiddling
Nils Vogels wrote:

> Kevin P. Fleming wrote:
>
>> Ken Murchison wrote:
>>
>>>> There is no overlap between the groups from the different servers, and grouping them is easy with wildcard matching:
>>>>
>>>> cups.*
>>>> microsoft.*
>>>> infragistics.*
>>>> everything else
>>>
>>> OK, so you need the newspeer option to be a *list* of peers? But you *don't* need fetchnews to track the newsgroups by host?
>>
>> Forgive my inability to answer that at this point, I haven't studied the Cyrus NNTP support documentation yet. Here is what I like to do:
>>
>> (A) mirror about a dozen newsgroups from news.west.cox.net (my ISP, Usenet groups)
>> (B) mirror about a dozen newsgroups from news.microsoft.com (public NNTP server)
>> (C) mirror six newsgroups from news.easysw.com (public NNTP server)
>> (D) mirror about ten newsgroups from news.infragistics.com (public NNTP server)
>>
>> I read _and_ post to most of these groups. No single group comes from more than one place, though, each group has only a single server that I will use to get and post messages for that group.
>
> Kevin, may I ask how you managed to get multiple groups using one fetchnews command ? I've been trying comma delimited group names (fetchnews -n -w "nl.test,nl.someother" news.myisp.nl) but for some reason no articles are fetched then. If I use space delimitations, only the first group works. fetchnews(8) isn't too clear about this, I'm afraid and when I look at example wildmats in imapd.conf(5) I see comma separated grouplists ("peer.example.com:*,!control.*,@local.*")

Your reading of fetchnews(8) is correct, but apparently this syntax is new to the NNTP update draft. Both LIST ACTIVE and the wildmat format have not been formalized up until now. I tried this against INN 2.3.4 and it doesn't support comma-separated (or space separated) wildmat patterns (which really sucks).

For the time being, you'll have to use separate fetchnews commands rather than specifying multiple wildmats in one command.

For example, instead of:

fetchnews -n -w "nl.test,nl.someother" news.myisp.nl

do:

fetchnews -n -w "nl.test" news.myisp.nl
fetchnews -n -w "nl.someother" news.myisp.nl

--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26 Orchard Park, NY 14127
--PGP Public Key--http://www.oceana.com/~ken/ksm.pgp

Re: Skiplist causing DB problems?
Jason Williams wrote:

> Important info:
> FreeBSD 4.9
> Cyrus-Imapd-2.1.16
> Cyrus-SASL-2.1.17
>
> I've setup two identical servers. They are both compiled with BerkeleyDB 4.1.25: I installed cyrus through the ports tree, but set different options upon compile time.
>
> (Configure options)
> make WITH_BDB_VER=41 WITH_SKIPLIST=YES install clean
>
> Here is the first server: (Server 1)
>
> name : Cyrus IMAPD
> version: v2.1.16 2003/11/19 16:45:28
> vendor : Project Cyrus
> support-url: http://asg.web.cmu.edu/cyrus
> os : FreeBSD
> os-version : 4.9-RELEASE
> environment: Cyrus SASL 2.1.17
> Sleepycat Software: Berkeley DB 4.1.25: (December 19, 2002)
> Built w/OpenSSL 0.9.7c 30 Sep 2003
> Running w/OpenSSL 0.9.7c 30 Sep 2003
> CMU Sieve 2.2
> TCP Wrappers
> mmap = shared
> lock = fcntl
> nonblock = fcntl
> auth = unix
> idle = poll
> mailboxes.db = skiplist
> seen.db = skiplist
> subs.db = flat
> deliver.db = db3-nosync
> tls_sessions.db = db3-nosync
>
> mailboxes and seen, both set with skiplist, as suggested from twiki
>
> Here is the problem, shown in my logfiles:
>
> Jan 16 16:46:01 obsidian master[167]: process started
> Jan 16 16:46:01 obsidian ctl_cyrusdb[168]: recovering cyrus databases
> Jan 16 16:46:01 obsidian ctl_cyrusdb[168]: skiplist: recovered /var/imap/mailboxes.db (1 record, 320 bytes) in 0 seconds
> Jan 16 16:46:01 obsidian ctl_cyrusdb[168]: done recovering cyrus databases
> Jan 16 16:46:02 obsidian master[167]: ready for work
> Jan 16 16:46:02 obsidian ctl_cyrusdb[169]: checkpointing cyrus databases
> Jan 16 16:46:02 obsidian ctl_cyrusdb[169]: DBERROR: error listing log files: DB_NOTFOUND: No matching key/data pair found
> Jan 16 16:46:02 obsidian ctl_cyrusdb[169]: DBERROR: archive /var/imap/db: cyrusdb error

These are db3 errors, not skiplist errors. If this is a new server, try deleting deliver.db, tls_sessions.db and the contents of /var/imap/db

--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26 Orchard Park, NY 14127
--PGP Public Key--http://www.oceana.com/~ken/ksm.pgp

Re: PTS & LDAP Take 3
Igor Brezac wrote:

> I see. I did not realize you were going to retrieve groups with another search filter. This should work.

Yeah, I'm sure it will. I wish I could do it in one query though.. How often does the ptloader get called on? Will the pts cache here help at all? What exactly does the pts cache do? ( I realize that it probably caches authorization info, but is it always consulted first, before asking the ptloader to look up the information again?)

>> That's what I thought as well. I have already written the code that does the user group membership check in ldap.c, but when I went to test it via cyradm - I created a folder, and tried to set a group:xxx ACL and at that exact point the identifier group:xxx was passed into the pts and I don't know what to do with it (do we check to see if it's a valid group?? I didn't see what to do in the original ldap.c code, afskrb.c, or any other file. Perhaps I'm thick, but I just wanted to make sure there wasn't anything else I was missing before going on).
>
> You do not need to do anything with this. The identifier is passed to pts for canonicalization, the group is not validated.

I don't see this in ldap.c. The identifier group:xxx gets passed into pts as the identifier and rejected by the canonicalizer because of the colon. So the canonicalized identifier is null throughout the rest of the code. I don't see a test for group: anywhere ( or in afskrb.c either ). So assuming that we just want to make sure that the group name is valid, and that the canonicalizer should be fixed to recognize group:xxx syntax, what then am I supposed to do with it? Returning NULL seems to Do Bad Things, and I don't see an entry for canonicalized group in the auth_state struct..

Thanks,
Tim

Re: SQUAT indexes?
On Fri, 16 Jan 2004 [EMAIL PROTECTED] wrote:

> On Sat, 17 Jan 2004, Craig Ringer wrote:
>
> > Nils Vogels wrote:
> > > Why not just run squatter from master ?
> > >
> > > This works deliciously over here:
> > >
> > > EVENTS {
> > >...
> > > # Let's squat em
> > > squat_usercmd="squatter -r -s user" period=1440
> > >...
> > > }
> >
> > That indexes all user mailboxes, including the trash etc. I only want to
> > automatically index INBOXES, plus any other mailboxes the user requests.
>
> Could always use the new squat annotation. That's also... tasty?
>
> localhost> mboxconfig user.amos squat true
>
> Yum, yum.

Actually, I forgot that the squat annotation is inherited:

-a Only create indexes for mailboxes which have the shared /vendor/cmu/cyrus-imapd/squat annotation set to "true".

The value of the /vendor/cmu/cyrus-imapd/squat annotation is inherited by all children of the given mailbox, so an entire mailbox tree can be indexed (or not indexed) by setting a single annotation on the root of that tree with a value of "true" (or "false"). If a mailbox does not have a /vendor/cmu/cyrus-imapd/squat annotation set on it (or does not inherit one), then the mailbox is not indexed. In other words, the implicit value of /vendor/cmu/cyrus-imapd/squat is "false".

Shame because I thought this might be handy to just squat the inboxes. So, this loops right back into the discussion of "squatter -s user.%" ;-)

I wonder if maybe there could/should be additional annotations, one for recursive, one for not. So maybe, to be backwards compatible, "/squat" would be recursive, but "/squatthis" would not? More tasty?

--
Amos

Re: nntp fiddling
Nils Vogels wrote:

> Kevin, may I ask how you managed to get multiple groups using one fetchnews command ? I've been trying comma delimited group names (fetchnews -n -w "nl.test,nl.someother" news.myisp.nl) but for some reason no articles are fetched then. If I use space delimitations, only the first group works. fetchnews(8) isn't too clear about this, I'm afraid and when I look at example wildmats in imapd.conf(5) I see comma separated grouplists ("peer.example.com:*,!control.*,@local.*")
>
> Else I will be fetchnews-ing a complete feed (including binaries) while I really only need a few groups, right ?

I haven't actually had a chance to set it up yet, it's on my list for this coming week.

Re: PTS & LDAP Take 3
On Sat, 17 Jan 2004, Tim Pushor wrote:

> Igor Brezac wrote:
>
> >I do not see how this is going to work within cyrus context. You will
> >need to change a lot more than just ptloader/ldap code for this to work.
>
> Perhaps I don't understand everything involved, but ptloader now just
> finds the user record via user definable filter, and only cares about
> the memberOf attributes, which it cycles through to find the user's group
> membership. What I am doing now is to find the user dn via definable
> filter, then search for that dn in a groups container, and cycle through
> all returned entries, picking the cn of each as the group name. Two ldap
> queries unfortunately, but at least both are equality searches..

I see. I did not realize you were going to retrieve groups with another search filter. This should work.

> >I do not think such docs exist (except for the code itself). Basically,
> >whenever a user logs in, cyrus fetches all groups the user is member of
> >(ptloader/ldap does this in your case). This group list is later used for
> >mailbox access (check lib/auth_pts.c).
>
> That's what I thought as well. I have already written the code that does
> the user group membership check in ldap.c, but when I went to test it
> via cyradm - I created a folder, and tried to set a group:xxx ACL and at
> that exact point the identifier group:xxx was passed into the pts and I
> don't know what to do with it (do we check to see if it's a valid group??
> I didn't see what to do in the original ldap.c code, afskrb.c, or any
> other file. Perhaps I'm thick, but I just wanted to make sure there
> wasn't anything else I was missing before going on).

You do not need to do anything with this. The identifier is passed to pts for canonicalization, the group is not validated.

--
Igor

Re: PTS & LDAP Take 3
Igor Brezac wrote:

> I do not see how this is going to work within cyrus context. You will need to change a lot more than just ptloader/ldap code for this to work.

Perhaps I don't understand everything involved, but ptloader now just finds the user record via user definable filter, and only cares about the memberOf attributes, which it cycles through to find the user's group membership. What I am doing now is to find the user dn via definable filter, then search for that dn in a groups container, and cycle through all returned entries, picking the cn of each as the group name. Two ldap queries unfortunately, but at least both are equality searches..

> I do not think such docs exist (except for the code itself). Basically, whenever a user logs in, cyrus fetches all groups the user is member of (ptloader/ldap does this in your case). This group list is later used for mailbox access (check lib/auth_pts.c).

That's what I thought as well. I have already written the code that does the user group membership check in ldap.c, but when I went to test it via cyradm - I created a folder, and tried to set a group:xxx ACL and at that exact point the identifier group:xxx was passed into the pts and I don't know what to do with it (do we check to see if it's a valid group?? I didn't see what to do in the original ldap.c code, afskrb.c, or any other file. Perhaps I'm thick, but I just wanted to make sure there wasn't anything else I was missing before going on).

> You'd be better off writing an ldap authorization module. Check lib/auth_unix.c for an example.

Like I said, I don't think there's any problem with my approach (other than it being two ldap queries) but I'd sure like to know a little more about this ptloader subsystem - like what to do with group:xxx entries, and anything else other than just raw user/group lookups, and what the pts cache actually does.

Also, another interesting thing - it seems that the original ldap.c code would return null if it didn't find any memberOf attributes in the user record and Authentication would fail!

Thanks,
Tim
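
Added example (not Cyrus code and not written by anyone in this thread): one way a canonicalizer could accept the group:xxx identifier form discussed above instead of returning NULL on the colon, and treat a user with no group memberships as a valid result rather than a failed lookup. The struct, function names, size limits and allowed-character policy are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define GROUP_PREFIX "group:"
#define ID_MAX 64
#define MAX_GROUPS 8

struct id_state {                      /* hypothetical stand-in for per-user auth state */
    char userid[ID_MAX];
    char groups[MAX_GROUPS][ID_MAX];   /* canonical "group:<name>" entries */
    int ngroups;
};

/* Assumed character policy for user and group names. */
static int name_char_ok(unsigned char c)
{
    return isalnum(c) || c == '.' || c == '-' || c == '_';
}

/* Canonicalize id into out (lowercased). A leading "group:" is kept and only
 * the name after it is checked, so the prefix colon is not an illegal byte.
 * Returns 0 or -1; out is always a valid (possibly empty) string, never NULL. */
int canon_identifier(const char *id, char *out, size_t outlen)
{
    size_t plen = strlen(GROUP_PREFIX), o = 0;

    if (!out || outlen == 0) return -1;
    out[0] = '\0';
    if (!id) return -1;
    if (strncmp(id, GROUP_PREFIX, plen) == 0) {
        if (plen >= outlen) return -1;
        memcpy(out, GROUP_PREFIX, plen);
        o = plen;
        id += plen;
    }
    if (*id == '\0') { out[0] = '\0'; return -1; }       /* empty name */
    for (; *id; id++) {
        unsigned char c = (unsigned char)*id;
        if (!name_char_ok(c) || o + 1 >= outlen) { out[0] = '\0'; return -1; }
        out[o++] = (char)tolower(c);
    }
    out[o] = '\0';
    return 0;
}

/* Build state from a directory result: cns[] are group cn values. Zero groups
 * is a valid result; only an unusable login name is a failure. */
int build_state(struct id_state *st, const char *user, const char *const *cns, int ncn)
{
    char tmp[ID_MAX];

    memset(st, 0, sizeof *st);
    if (canon_identifier(user, st->userid, ID_MAX) != 0) return -1;
    if (strncmp(st->userid, GROUP_PREFIX, strlen(GROUP_PREFIX)) == 0) return -1;
    for (int i = 0; i < ncn && st->ngroups < MAX_GROUPS; i++) {
        int n = cns[i] ? snprintf(tmp, sizeof tmp, GROUP_PREFIX "%s", cns[i]) : -1;
        if (n < 0 || (size_t)n >= sizeof tmp) continue;  /* never match on a truncated name */
        if (canon_identifier(tmp, st->groups[st->ngroups], ID_MAX) == 0) st->ngroups++;
    }
    return 0;
}

/* Does an ACL identifier apply to this user? Unparseable identifiers match nobody. */
int acl_id_matches(const struct id_state *st, const char *acl_id)
{
    char canon[ID_MAX];

    if (canon_identifier(acl_id, canon, sizeof canon) != 0) return 0;
    if (strcmp(canon, st->userid) == 0) return 1;
    for (int i = 0; i < st->ngroups; i++)
        if (strcmp(canon, st->groups[i]) == 0) return 1;
    return 0;
}
```

A group cn that itself contains a colon is dropped rather than stored, and a login name that canonicalizes to a group: identifier is refused, so a directory entry cannot be used to impersonate a group ACL entry.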