Bug 53764 - Dovecot is unable to set shared folder ACLs if univentionMailHomeServer is set at Administrator
Status: NEW
Product: UCS
Classification: Unclassified
Component: Mail - Dovecot
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Target Milestone: ---
Assigned To: Mail maintainers
Reported: 2021-09-09 16:56 CEST by Sönke Schwardt-Krummrich
Modified: 2021-09-09 16:56 CEST
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.069
Description: Sönke Schwardt-Krummrich (univentionstaff), 2021-09-09 16:56:29 CEST
Dovecot ACLs are set via the listener module dovecot-shared-folder-ox.py,
which uses the following command:

 doveadm acl set -u Administrator dovecot-test@univention.de/INBOX \
       testuser@univention.de read

But the acl set command failed in our environment (also manually at the CLI):

# doveadm acl set -u Administrator dovecot-test@univention.de/INBOX \
       testuser@univention.de read
doveadm(Administrator): Error: User doesn't exist
#

This shouldn't happen. It looks like the following LDAP filter from
/etc/dovecot/dovecot-ldap.conf.ext is not sufficient in one special case:
if objectClass=univentionMail is set on the Administrator object AND
univentionMailHomeServer does not refer to the local system. In this case univentionMailHomeServer=mail1.knut.univention.de was set.

The filter from /etc/dovecot/dovecot-ldap.conf.ext (in human readable form):
(&
        (|
                (objectClass=univentionMail)
                (objectClass=univentionMailSharedFolder)
                (objectClass=oxSharedFolder)
        )
        (|
                (!(univentionMailHomeServer=*))
                (univentionMailHomeServer=mail2.knut.univention.de)
        )
        (|
                (mailPrimaryAddress=%Lu)
                (&
                        (uid=%u)
                        (|
                                (mailPrimaryAddress=*)
                                (uid=Administrator)
                        )
                )
        )
)

The filter should somehow ignore the univentionMailHomeServer attribute 
if "%u" == "Administrator".
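The following is an added example, not part of the bug report or of the UCS code base. It evaluates the filter quoted above against a few constructed LDAP entries to reproduce the lookup failure (Administrator with univentionMailHomeServer pointing at a different host) and to check one possible rendering of the suggested change. The variant filter (adding a `(uid=Administrator)` term to the home-server clause), the sample entries, and the treatment of `%u`/`%Lu` as the plain and lower-cased username are assumptions made for the example; case-insensitive equality is assumed because the attributes involved use caseIgnore matching rules.

```python
import re

# Filter copied from the bug report (human-readable form of /etc/dovecot/dovecot-ldap.conf.ext).
CURRENT_FILTER = """
(&
    (|(objectClass=univentionMail)(objectClass=univentionMailSharedFolder)(objectClass=oxSharedFolder))
    (|(!(univentionMailHomeServer=*))(univentionMailHomeServer=mail2.knut.univention.de))
    (|(mailPrimaryAddress=%Lu)(&(uid=%u)(|(mailPrimaryAddress=*)(uid=Administrator))))
)
"""

# ASSUMPTION: one way to render "ignore univentionMailHomeServer if %u == Administrator":
# the home-server clause additionally accepts uid=Administrator. Not the project's actual fix.
PROPOSED_FILTER = """
(&
    (|(objectClass=univentionMail)(objectClass=univentionMailSharedFolder)(objectClass=oxSharedFolder))
    (|(!(univentionMailHomeServer=*))(univentionMailHomeServer=mail2.knut.univention.de)(uid=Administrator))
    (|(mailPrimaryAddress=%Lu)(&(uid=%u)(|(mailPrimaryAddress=*)(uid=Administrator))))
)
"""


def expand(template, user):
    """Substitute Dovecot's %u (username) and %Lu (lower-cased username) variables."""
    return template.replace("%Lu", user.lower()).replace("%u", user)


def parse(text):
    """Parse an RFC 4515 search filter (&, |, !, equality and presence only) into a tree."""
    s = re.sub(r"\s+", "", text)  # the pretty-printed form carries insignificant whitespace

    def node(i):
        if s[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        i += 1
        if s[i] in "&|":
            op, kids, i = s[i], [], i + 1
            while s[i] == "(":
                kid, i = node(i)
                kids.append(kid)
            return (op, kids), i + 1  # skip the closing ')'
        if s[i] == "!":
            kid, i = node(i + 1)
            return ("!", [kid]), i + 1
        j = s.index(")", i)
        attr, _, value = s[i:j].partition("=")
        return ("=", attr.lower(), value), j + 1

    tree, end = node(0)
    if end != len(s):
        raise ValueError("trailing data after filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against an entry ({lower-cased attribute: [values]}).
    Equality is case-insensitive (assumed caseIgnore matching); '*' is the presence test."""
    kind = tree[0]
    if kind == "&":
        return all(matches(k, entry) for k in tree[1])
    if kind == "|":
        return any(matches(k, entry) for k in tree[1])
    if kind == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    values = entry.get(attr, [])
    if value == "*":
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def user_found(filter_template, user, entry):
    """True if Dovecot's user lookup for `user` would return `entry` under this filter."""
    return matches(parse(expand(filter_template, user)), entry)


# Constructed sample entries: mail2 is the local host, mail1 a different mail server.
ADMIN_REMOTE_HOME = {
    "objectclass": ["univentionMail", "person"],
    "uid": ["Administrator"],
    "univentionmailhomeserver": ["mail1.knut.univention.de"],
}
ADMIN_NO_HOME = {"objectclass": ["univentionMail", "person"], "uid": ["Administrator"]}
TESTUSER_LOCAL = {
    "objectclass": ["univentionMail", "person"],
    "uid": ["testuser"],
    "mailprimaryaddress": ["testuser@univention.de"],
    "univentionmailhomeserver": ["mail2.knut.univention.de"],
}
TESTUSER_REMOTE = dict(TESTUSER_LOCAL, univentionmailhomeserver=["mail1.knut.univention.de"])

if __name__ == "__main__":
    for name, flt in (("current", CURRENT_FILTER), ("proposed", PROPOSED_FILTER)):
        print(name, "Administrator with home server mail1:",
              user_found(flt, "Administrator", ADMIN_REMOTE_HOME))
```

With the current filter the Administrator entry is rejected by the home-server clause, which is exactly the "User doesn't exist" seen from doveadm; the variant accepts it while still rejecting ordinary users whose home server is a different host, because the third clause only ever matches the Administrator entry when the looked-up user is Administrator.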