Re: [Dovecot] Syntax for doveadm auth cache
On 3.10.2012, at 9.25, Angel L. Mateo wrote: >>> I think I have found the source of the problem, although I don't know >>> how to fix it. The problem is that I have different results if I ask for >>> user information with just the login or with the whole email: >> >> Flush both the user and user@domain entries? >> > Yes, I could do this, but why there are entries with user and > user@domain?, because I have three user databases: > > * master password: it is not normally used > * pam: I have the cache_key=%n on it > * ldap: I don't know to configure cache_key (I tried args = cache_key=%n > /etc/dovecot/dovecot-ldap.conf.ext but it didn't work) For LDAP the cache_key is figured out automatically based on the used %variables. You can't override the cache key. The only way to make it work would be to change the LDAP query to use only %n and no %u/%d (which I guess would be possible by checking for %n@* ?)
Re: [Dovecot] Syntax for doveadm auth cache
El 02/10/12 22:18, Timo Sirainen escribió: On 2.10.2012, at 11.41, Angel L. Mateo wrote: I've been doing some more tests with this problem I have (I need to solve it because I'm planning to migrate mailboxes from maildir to mdbox and I need to change mail_location for my users without rebooting the server). You could flush the whole cache also. Oh... I was so obfuscated trying to expire just the user that I forgot I could flush the whole cache :-( I think I have found the source of the problem, although I don't know how to fix it. The problem is that I have different results if I ask for user information with just the login or with the whole email: Flush both the user and user@domain entries? Yes, I could do this, but why there are entries with user and user@domain?, because I have three user databases: * master password: it is not normally used * pam: I have the cache_key=%n on it * ldap: I don't know to configure cache_key (I tried args = cache_key=%n /etc/dovecot/dovecot-ldap.conf.ext but it didn't work)
Re: [Dovecot] Syntax for doveadm auth cache
On 2.10.2012, at 11.41, Angel L. Mateo wrote: > I've been doing some more tests with this problem I have (I need to > solve it because I'm planning to migrate mailboxes from maildir to mdbox and > I need to change mail_location for my users without rebooting the server). You could flush the whole cache also. > I think I have found the source of the problem, although I don't know > how to fix it. The problem is that I have different results if I ask for user > information with just the login or with the whole email: Flush both the user and user@domain entries?
Re: [Dovecot] Syntax for doveadm auth cache
Hello, I've been doing some more tests with this problem I have (I need to solve it because I'm planning to migrate mailboxes from maildir to mdbox and I need to change mail_location for my users without rebooting the server). I think I have found the source of the problem, although I don't know how to fix it. The problem is that I have different results if I ask for user information with just the login or with the whole email: root@myotis30:/etc/dovecot/conf.d# doveadm user angel.l...@um.es userdb: angel.l...@um.es mail : mdbox:/home/alumnos/46/113246/mdbox:INDEX=/var/indexes/mdbox/angel.luis home : /home/alumnos/46/113246 uid : 113246 gid : 1001 quota_rule: *:storage=10G root@myotis30:/etc/dovecot/conf.d# doveadm user angel.luis userdb: angel.luis home : /home/alumnos/46/113246 uid : 113246 gid : 1001 quota_rule: *:storage=10G I guess I'm using different keys depending the user database used. I have configured three user databases, one for master-password, one for a ldap server and the other with pam (I need it because my webmail users authenticate in my SSO system through PAM). This is my config: passdb { driver = passwd-file master = yes args = /etc/dovecot/master-users # Unless you're using PAM, you probably still want the destination user to # be looked up from passdb that it really exists. pass=yes does that. pass = yes } passdb { driver = pam # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=] # [cache_key=] [] #args = dovecot args = session=yes cache_key=%n dovecot } passdb { driver = ldap # Path for LDAP configuration file, see example-config/dovecot-ldap.conf.ext args = /etc/dovecot/dovecot-ldap.conf.ext } # "prefetch" user database means that the passdb already provided the # needed information and there's no need to do a separate userdb lookup. # userdb { driver = prefetch } userdb { driver = ldap args = /etc/dovecot/dovecot-ldap.conf.ext # Default fields can be used to specify defaults that LDAP may override #default_fields = home=/home/virtual/%u } In my ldap configuration, I have a filter that looks for the uid of the user or the hole email: user_filter = (&()(|(uid=%u)(mail=%u))) I need this, because I have users that authenticate with just his/her login, not the complete email address. How can I unify those entries, so they use always just the login as key? El 18/09/12 18:31, Timo Sirainen escribió: On 18.9.2012, at 9.59, Angel L. Mateo wrote: So I'm running this command. Whenever I run it, I get the message that 3 (sometimes, is 4) entries are removed, but user information isn't really reloaded and I doubt it is really removed from cache (I have the user in a passwd-file and information used by imap processes is still the old one, no the new one, changed before the flush) Works in my tests. Is this cache the same than the user information cache? Yes. The parameter of the user I want to change is his quota, so I have modified quota value in my ldap diretory, then I run: doveadm auth cache flush What is your doveconf -n output and the dovecot-ldap.conf contents? Is with or without @domain? Also try this: doveadm auth cache flush foo # make sure it isn't there doveadm user foo doveadm auth cache flush foo Does the second flush return 1 or 0 entries? If 0, then there's a problem. If 1, then it really should have worked. You could try also if disabling userdb prefetch makes any difference. And if you still have multiple userdb try with only one. # 2.1.9: /etc/dovecot/dovecot.conf # OS: Linux 3.4.0-030400-generic x86_64 Ubuntu 12.04.1 LTS auth_cache_size = 20 M auth_cache_ttl = 1 days auth_debug = yes auth_master_user_separator = * auth_verbose = yes default_process_limit = 1000 disable_plaintext_auth = no log_timestamp = %Y-%m-%d %H:%M:%S login_trusted_networks = 155.54.211.176/28 mail_debug = yes mail_location = maildir:~/Maildir:INDEX=/var/indexes/%n mail_plugins = quota mail_privileged_group = mail maildir_very_dirty_syncs = yes managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave imapflags mdbox_rotate_size = 20 M namespace { inbox = yes location = prefix = separator = . } namespace { hidden = yes list = no location = maildir:~/Maildir/expunged prefix = BORRADOS. separator = . } passdb { args = /etc/dovecot/master-users driver = passwd-file master = yes pass = yes } passdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap } passdb { args = session=yes cache_key=%n dovecot driver = pam } plugin { lazy_expunge = BORRADOS. quota = dict:User quota::file:%h/Maildir/dovecot.quota quota_exceeded_message = El mensaje no se
Re: [Dovecot] Syntax for doveadm auth cache
(I forgot the attach) El 19/09/12 11:15, Angel L. Mateo escribió: El 18/09/12 18:31, Timo Sirainen escribió: On 18.9.2012, at 9.59, Angel L. Mateo wrote: So I'm running this command. Whenever I run it, I get the message that 3 (sometimes, is 4) entries are removed, but user information isn't really reloaded and I doubt it is really removed from cache (I have the user in a passwd-file and information used by imap processes is still the old one, no the new one, changed before the flush) Works in my tests. Is this cache the same than the user information cache? Yes. The parameter of the user I want to change is his quota, so I have modified quota value in my ldap diretory, then I run: doveadm auth cache flush What is your doveconf -n output and the dovecot-ldap.conf contents? Is with or without @domain? Also try this: doveadm auth cache flush foo # make sure it isn't there doveadm user foo doveadm auth cache flush foo Does the second flush return 1 or 0 entries? If 0, then there's a problem. If 1, then it really should have worked. You could try also if disabling userdb prefetch makes any difference. And if you still have multiple userdb try with only one. I have made the test in my test server (it has no real activity). In this server, user entry is refreshed correctly. But the same test in my production servers fails. I have checked (in the production one) that the second flush delete entries (in fact, 2, not 1): amateo_adm@myotis31:/etc/dovecot/conf.d$ sudo doveadm auth cache flush angel.luis 2 cache entries flushed amateo_adm@myotis31:/etc/dovecot/conf.d$ sudo doveadm user angel.luis userdb: angel.luis home : /home/alumnos/46/113246 uid : 113246 gid : 1001 quota_rule: *:storage=400M amateo_adm@myotis31:/etc/dovecot/conf.d$ sudo doveadm auth cache flush angel.luis 2 cache entries flushed amateo_adm@myotis31:/etc/dovecot/conf.d$ sudo doveadm user angel.luis userdb: angel.luis home : /home/alumnos/46/113246 uid : 113246 gid : 1001 quota_rule: *:storage=400M but quota information is not reloaded from ldap server. I have also checked my ldap server, and dovecot is not performing any search operation for the user after flushing him from the cache. I have attached my doveconf -n. In my ldap configuration I have: user_attrs = irisMailbox=mail,homeDirectory=home,uidNumber=uid,gidNumber=gid,quota=quota_rule pass_attrs = irisMailbox=userdb_mail,userPassword=password,homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid,quota=userdb_quota_rule and I have check that my test and production server has the same configuration (but client_limit and number of processes). Any idea? # 2.1.9: /etc/dovecot/dovecot.conf # OS: Linux 3.2.19um1 x86_64 Ubuntu 12.04.1 LTS auth_cache_size = 20 M auth_cache_ttl = 1 days auth_debug = yes auth_master_user_separator = * auth_verbose = yes default_process_limit = 1024 disable_plaintext_auth = no log_timestamp = %Y-%m-%d %H:%M:%S login_trusted_networks = 155.54.211.176/28 mail_debug = yes mail_location = maildir:~/Maildir:INDEX=/var/indexes/%n mail_plugins = quota mail_privileged_group = mail maildir_very_dirty_syncs = yes managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave imapflags mdbox_rotate_size = 20 M namespace { inbox = yes location = prefix = separator = . } namespace { hidden = yes list = no location = maildir:~/Maildir/expunged prefix = BORRADOS. separator = . } passdb { args = /etc/dovecot/master-users driver = passwd-file master = yes pass = yes } passdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap } passdb { args = session=yes dovecot driver = pam } plugin { lazy_expunge = BORRADOS. quota = dict:User quota::file:%h/Maildir/dovecot.quota quota_rule = *:storage=10G quota_rule2 = Trash:storage=+1G sieve = ~/.dovecot.sieve sieve_dir = ~/sieve sieve_extensions = +imapflags sieve_max_redirects = 15 zlib_save = gz zlib_save_level = 6 } postmaster_address = postmas...@um.es protocols = imap pop3 lmtp sieve service anvil { client_limit = 3075 } service auth { client_limit = 4096 unix_listener auth-userdb { mode = 0666 } } service doveadm { inet_listener { port = 24245 } } service imap { process_limit = 5120 process_min_avail = 6 vsz_limit = 512 M } service ipc { unix_listener ipc { user = dovecot } } service lmtp { inet_listener lmtp { port = 24 } process_min_avail = 10 vsz_limit = 512 M } service pop3 { process_min_avail = 6 } ssl = no ssl_cert = }
Re: [Dovecot] Syntax for doveadm auth cache
El 18/09/12 18:31, Timo Sirainen escribió: On 18.9.2012, at 9.59, Angel L. Mateo wrote: So I'm running this command. Whenever I run it, I get the message that 3 (sometimes, is 4) entries are removed, but user information isn't really reloaded and I doubt it is really removed from cache (I have the user in a passwd-file and information used by imap processes is still the old one, no the new one, changed before the flush) Works in my tests. Is this cache the same than the user information cache? Yes. The parameter of the user I want to change is his quota, so I have modified quota value in my ldap diretory, then I run: doveadm auth cache flush What is your doveconf -n output and the dovecot-ldap.conf contents? Is with or without @domain? Also try this: doveadm auth cache flush foo # make sure it isn't there doveadm user foo doveadm auth cache flush foo Does the second flush return 1 or 0 entries? If 0, then there's a problem. If 1, then it really should have worked. You could try also if disabling userdb prefetch makes any difference. And if you still have multiple userdb try with only one. I have made the test in my test server (it has no real activity). In this server, user entry is refreshed correctly. But the same test in my production servers fails. I have checked (in the production one) that the second flush delete entries (in fact, 2, not 1): amateo_adm@myotis31:/etc/dovecot/conf.d$ sudo doveadm auth cache flush angel.luis 2 cache entries flushed amateo_adm@myotis31:/etc/dovecot/conf.d$ sudo doveadm user angel.luis userdb: angel.luis home : /home/alumnos/46/113246 uid : 113246 gid : 1001 quota_rule: *:storage=400M amateo_adm@myotis31:/etc/dovecot/conf.d$ sudo doveadm auth cache flush angel.luis 2 cache entries flushed amateo_adm@myotis31:/etc/dovecot/conf.d$ sudo doveadm user angel.luis userdb: angel.luis home : /home/alumnos/46/113246 uid : 113246 gid : 1001 quota_rule: *:storage=400M but quota information is not reloaded from ldap server. I have also checked my ldap server, and dovecot is not performing any search operation for the user after flushing him from the cache. I have attached my doveconf -n. In my ldap configuration I have: user_attrs = irisMailbox=mail,homeDirectory=home,uidNumber=uid,gidNumber=gid,quota=quota_rule pass_attrs = irisMailbox=userdb_mail,userPassword=password,homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid,quota=userdb_quota_rule and I have check that my test and production server has the same configuration (but client_limit and number of processes). Any idea?
Re: [Dovecot] Syntax for doveadm auth cache
On 18.9.2012, at 9.59, Angel L. Mateo wrote: >>> So I'm running this command. Whenever I run it, I get the message that >>> 3 (sometimes, is 4) entries are removed, but user information isn't really >>> reloaded and I doubt it is really removed from cache (I have the user in a >>> passwd-file and information used by imap processes is still the old one, no >>> the new one, changed before the flush) >> >> Works in my tests. >> > Is this cache the same than the user information cache? Yes. > The parameter of the user I want to change is his quota, so I have > modified quota value in my ldap diretory, then I run: > > doveadm auth cache flush What is your doveconf -n output and the dovecot-ldap.conf contents? Is with or without @domain? Also try this: doveadm auth cache flush foo # make sure it isn't there doveadm user foo doveadm auth cache flush foo Does the second flush return 1 or 0 entries? If 0, then there's a problem. If 1, then it really should have worked. You could try also if disabling userdb prefetch makes any difference. And if you still have multiple userdb try with only one.
Re: [Dovecot] Syntax for doveadm auth cache
El 11/09/12 16:24, Timo Sirainen escribió: On 3.9.2012, at 14.16, Angel L. Mateo wrote: Moreover... according to previous mails (thread http://www.dovecot.org/list/dovecot/2012-June/066691.html) there is a patch to remove a specific user entry from cache. This patch I think is included in dovecot 2.1.9 (which I'm running) and the syntax is (I think): doveadm auth cache flush 4 cache entries flushed Yep. So I'm running this command. Whenever I run it, I get the message that 3 (sometimes, is 4) entries are removed, but user information isn't really reloaded and I doubt it is really removed from cache (I have the user in a passwd-file and information used by imap processes is still the old one, no the new one, changed before the flush) Works in my tests. Is this cache the same than the user information cache? The parameter of the user I want to change is his quota, so I have modified quota value in my ldap diretory, then I run: doveadm auth cache flush in the logs I get: Sep 18 08:47:13 myotis34 dovecot: auth: Debug: master in: CACHE-FLUSH#0111#011 now I ask for user information with: doveadm user and this is what I get from logs: Sep 18 08:47:19 myotis34 dovecot: auth: Debug: master in: USER#0111#011#011service=doveadm Sep 18 08:47:19 myotis34 dovecot: auth: Debug: prefetch(): passdb didn't return userdb entries, trying the next userdb Sep 18 08:47:19 myotis34 dovecot: auth: Debug: userdb-cache(): hit: #011home=/home/otros/99/151299#011uid=151299#011gid=405 Sep 18 08:47:19 myotis34 dovecot: auth: Debug: master out: USER#0111#011#011home=/home/otros/99/151299#011uid=151299#011gid=405 Sep 18 08:47:41 myotis34 dovecot: auth: Debug: master in: USER#0111#011#011service=doveadm Sep 18 08:47:41 myotis34 dovecot: auth: Debug: prefetch(): passdb didn't return userdb entries, trying the next userdb Sep 18 08:47:41 myotis34 dovecot: auth: Debug: userdb-cache(): hit: #011home=/home/otros/99/151299#011uid=151299#011gid=405 Sep 18 08:47:41 myotis34 dovecot: auth: Debug: master out: USER#0111#011#011home=/home/otros/99/151299#011uid=151299#011gid=405 As you can see in the third message, it is still using information from userdb cache
Re: [Dovecot] Syntax for doveadm auth cache
On 3.9.2012, at 14.16, Angel L. Mateo wrote: > Moreover... according to previous mails (thread > http://www.dovecot.org/list/dovecot/2012-June/066691.html) there is a patch > to remove a specific user entry from cache. This patch I think is included in > dovecot 2.1.9 (which I'm running) and the syntax is (I think): > > doveadm auth cache flush > 4 cache entries flushed Yep. > So I'm running this command. Whenever I run it, I get the message that > 3 (sometimes, is 4) entries are removed, but user information isn't really > reloaded and I doubt it is really removed from cache (I have the user in a > passwd-file and information used by imap processes is still the old one, no > the new one, changed before the flush) Works in my tests.