Bug 38472 - Support ACLs for shared IMAP folders with Dovecot
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Mail - Dovecot
UCS 4.0
Other Linux
Importance: P5 normal
Assigned To: Daniel Tröder
Sönke Schwardt-Krummrich
Depends on: 38471
Blocks: 34839
Reported: 2015-05-06 19:19 CEST by Daniel Tröder
Modified: 2015-07-09 18:13 CEST
Description Daniel Tröder univentionstaff 2015-05-06 19:19:54 CEST
Same as with Cyrus.
Comment 1 Daniel Tröder univentionstaff 2015-06-01 17:36:52 CEST
Commit: 60968

A post-login script is used to get the groups a user is in from NSS. The script is short and written in Python. For large installations this may become a problem. Tests should be made with 100s of simultaneous logins to check memory usage and login speed → Bug #38601.

A rewrite in C would be one possible solution. The other - and probably better solution - would be an LDAP overlay that lists the groups as an attribute of a posix user node.
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2015-07-03 15:11:19 CEST
Added test script 44_dovecot_login_performance_test that creates 8000 groups and 100 users assigned to the groups. Next the IMAP login of 50 random users is measured.

IMAP login for 50 random users took 6.027876 seconds ==> 0.120558 per login

I think this is ok for now.

Sidenote: the post-login script does the following:
---[cut]---
import grp
import os

if "SYSTEM_GROUPS_USER" in os.environ:
	user = os.environ["SYSTEM_GROUPS_USER"]
	groups = (g.gr_name for g in grp.getgrall() if user in g.gr_mem)
…
---[cut]---
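The login-cost concern from Comment 1 and the fragment quoted in Comment 2, as an added example that is not part of the bug report or Univention's script: the scan over every group next to a per-user NSS lookup with `os.getgrouplist`, which also returns the primary group that a `gr_mem` match does not see. The sample groups are constructed, and `groups_by_scan`, `groups_by_lookup` and `compare` are hypothetical names.

```python
import collections
import grp
import os
import pwd
import time

# Constructed sample data with the same fields as grp.struct_group.
Group = collections.namedtuple("Group", "gr_name gr_passwd gr_gid gr_mem")
SAMPLE_GROUPS = [
    Group("Domain Users", "x", 5001, []),  # a primary group lists no members
    Group("sales", "x", 5002, ["alice", "bob"]),
    Group("support", "x", 5003, ["bob"]),
]


def groups_by_scan(user, all_groups=None):
    """Approach of the quoted fragment: walk every group, match on gr_mem."""
    if all_groups is None:
        all_groups = grp.getgrall()  # enumerates the whole group database
    return sorted({g.gr_name for g in all_groups if user in g.gr_mem})


def groups_by_lookup(user):
    """Ask NSS for this user's groups only; the primary group is included."""
    primary_gid = pwd.getpwnam(user).pw_gid  # KeyError for unknown users
    names = set()
    for gid in os.getgrouplist(user, primary_gid):
        try:
            names.add(grp.getgrgid(gid).gr_name)
        except KeyError:
            pass  # gid without a group entry: no name to match an ACL on
    return sorted(names)


def compare(user):
    """Return (scan_groups, lookup_groups, scan_seconds, lookup_seconds)."""
    t0 = time.perf_counter()
    scan = groups_by_scan(user)
    t1 = time.perf_counter()
    lookup = groups_by_lookup(user)
    t2 = time.perf_counter()
    return scan, lookup, t1 - t0, t2 - t1


if __name__ == "__main__":
    user = os.environ.get("SYSTEM_GROUPS_USER", "root")
    scan, lookup, t_scan, t_lookup = compare(user)
    print("scan  : %d groups in %.6fs" % (len(scan), t_scan))
    print("lookup: %d groups in %.6fs" % (len(lookup), t_lookup))
    print("only in lookup:", sorted(set(lookup) - set(scan)))
```

Run on a host with many groups, the "only in lookup" line shows which groups an ACL check based on the scan alone would not match for that user.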
Comment 3 Janek Walkenhorst univentionstaff 2015-07-09 18:13:24 CEST
<http://errata.univention.de/ucs/4.0/237.html>