strange behaviour of ptloader unable to canonify identifier

Jan Kowalsky jankow at datenkollektiv.net
Tue Aug 29 10:10:42 CEST 2017


Hi Liutauras,

thanks for answer.

Am 14.08.2017 um 15:29 schrieb Liutauras Adomaitis:
> Hi,
> 
> On 2017 m. rugpjūčio 11 d., penktadienis 17:52:34 EEST Jan Kowalsky wrote:
>> Lookup works:
>>
>> [11/Aug/2017:16:08:49 +0200] conn=2131533 op=2 SRCH
>> base="dc=example,dc=org" scope=2
>> filter="(&(objectClass=inetorgperson)(|(uid=example.user1)(mail=example.user
>> 1 at fas-dresden.de)(alias=example.user1 at fas-dresden.de)))" attrs="displayName
>> mail alias nsRoleDN uid"
>>
>> Lookup doesn't work
>>
>> [11/Aug/2017:16:14:14 +0200] conn=2118186 op=8777 SRCH
>> base="dc=example,dc=org" scope=2
>> filter="(|(&(|(uid=cyrus-admin)(uid=cyrus-murder))(uid=example.user2))(&(|(u
>> id=example.user2)(mail=example.user2 at fas-dresden.de)(mail=example.user2@))(o
>> bjectClass=kolabinetorgperson)))" attrs="1.1"
>>
>> But other entries with attrs="1.1" don't lead to problems.
>>
>> If I change the LDAP server in the second webmailer to use the other
>> LDAP server: no problem. But we have some fancy ACIs for separating domains.
>>
>> So one question: does the LDAP server Cyrus makes its lookups from have
>> to be the same one the mail client (Roundcube) looks up?
> 
> No, but if you use different servers, then you must know what you are doing, 
> as that can lead to all sorts of problems.
> 
>> I have no Idea for further debugging. Any hint is welcome.
> 
> The LDAP log which doesn't work looks like it was generated by the Cyrus PTS
> module. What I would do is:
> - take that filter from the LDAP log record and use it for a manual ldapsearch 
> command line invocation to find out why it doesn't find what you expect. Make 
> sure you use the same bind DN and password as configured in /etc/imapd.conf 
> for the pts module. I usually remove parts of the filter until the ldapsearch
> utility finds the LDAP object.

That's exactly what I did, and the same filter works on the command
line. But it gets even stranger:

Today I tried to create mailboxes which were not created by Kolab
during user creation.

For 9 of the 20 mailboxes the ACL was not assigned, although the
mailbox was created. The reason: while mailbox creation is just a task
for Cyrus, for setting the ACL the ptloader queries LDAP. And exactly
this failed for the 9 mailboxes:

Aug 29 09:50:17 mail ptloader[15994]: No entries found
Aug 29 09:50:17 mail imaps[15883]: ptload(): bad response from ptloader
server: identifier not found
Aug 29 09:50:17 mail imaps[15883]: ptload completely failed: unable to
canonify identifier: example.user at example.org

Looking at the LDAP access log, there is this corresponding line:

[29/Aug/2017:09:41:14 +0200] conn=3144893 op=7837 SRCH
base="dc=example,dc=org" scope=2
filter="(|(&(|(uid=cyrus-admin)(uid=cyrus-murder))(uid=example.user))(&(|(uid=example.user)(mail=example.user at example.org)(mail=example.user@))(objectClass=kolabinetorgperson)))"
attrs="1.1"
[29/Aug/2017:09:41:14 +0200] conn=3144893 op=7837 RESULT err=0 tag=101
nentries=0 etime=0

But with the same filter on ldapsearch:

/usr/lib/mozldap/ldapsearch -x -h ldap -p 389 -D "cn=Directory Manager" \
  -w $(cat /etc/kolab/kolab.conf | grep ^bind_pw | cut -d' ' -f 3) -s sub \
  -b "dc=example,dc=org" \
  '(|(&(|(uid=cyrus-admin)(uid=cyrus-murder))(uid=example.user))(&(|(uid=example.user)(mail=example.user at example.org)(mail=example.user@))(objectClass=kolabinetorgperson)))'

it returns the object.

I tried a couple of times to set the mailbox ACLs from the command line:

kolab sam user/example.user at example.org user/example.user at example.org all

but always got the same error in mail.log.

After a while, just running the same command again with no changes in
configuration, the ptloader query worked and the ACLs were set.

Again: this problem only occurs with some of the roughly 40 domains. And I'm
completely clueless.

Kind Regards
Jan
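As an added example (not from this message, nor code from Kolab or Cyrus), the script below does mechanically what the thread describes doing by hand: it pairs each SRCH line in the LDAP access log with its RESULT line by (conn, op), picks out the ptloader-shaped lookups (attrs="1.1", the two admin uids and objectClass=kolabinetorgperson in the filter), flags those that came back with err=0 but nentries=0, extracts the identifier from the mail= clause, and builds an ldapsearch line that replays the same filter with an explicit bind DN. The sample log lines are constructed after the ones quoted above (the list archive rewrote "@" as " at "; real logs carry the "@"), and the bind DN and password handed to ldapsearch_command are placeholders. The flag set mirrors the command in the message; the one deliberate difference is that the bind DN is a parameter, because the manual test above binds as cn=Directory Manager while the ptloader binds with the credentials from imapd.conf, and with per-domain ACIs those two can legitimately see different results for the same filter.

```python
"""Correlate SRCH/RESULT pairs in a 389-DS style LDAP access log and flag
ptloader-shaped lookups that came back empty (nentries=0)."""
import re
import shlex

# Constructed sample log, modelled on the lines quoted in the message above.
# Not real log data: one empty PTS lookup, one successful PTS lookup, and one
# unrelated Roundcube-style search with a real attribute list.
SAMPLE_LOG = """\
[29/Aug/2017:09:41:14 +0200] conn=3144893 op=7837 SRCH base="dc=example,dc=org" scope=2 filter="(|(&(|(uid=cyrus-admin)(uid=cyrus-murder))(uid=example.user))(&(|(uid=example.user)(mail=example.user@example.org)(mail=example.user@))(objectClass=kolabinetorgperson)))" attrs="1.1"
[29/Aug/2017:09:41:14 +0200] conn=3144893 op=7837 RESULT err=0 tag=101 nentries=0 etime=0
[29/Aug/2017:09:41:20 +0200] conn=3144893 op=7838 SRCH base="dc=example,dc=org" scope=2 filter="(|(&(|(uid=cyrus-admin)(uid=cyrus-murder))(uid=example.user2))(&(|(uid=example.user2)(mail=example.user2@example.org)(mail=example.user2@))(objectClass=kolabinetorgperson)))" attrs="1.1"
[29/Aug/2017:09:41:20 +0200] conn=3144893 op=7838 RESULT err=0 tag=101 nentries=1 etime=0
[29/Aug/2017:09:41:21 +0200] conn=2131533 op=2 SRCH base="dc=example,dc=org" scope=2 filter="(&(objectClass=inetorgperson)(uid=example.user1))" attrs="displayName mail alias nsRoleDN uid"
[29/Aug/2017:09:41:21 +0200] conn=2131533 op=2 RESULT err=0 tag=101 nentries=1 etime=0
"""

SRCH_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH '
    r'base="(?P<base>[^"]*)" scope=(?P<scope>\d) '
    r'filter="(?P<filter>.*)" attrs="(?P<attrs>[^"]*)"$'
)
RESULT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT '
    r'err=(?P<err>\d+) tag=\d+ nentries=(?P<nentries>\d+)'
)
# The ptloader filter seen in this thread always names the cyrus admin uid and
# the kolabinetorgperson class, and requests no attributes (attrs="1.1").
PTS_MARKERS = ("(uid=cyrus-admin)", "(objectClass=kolabinetorgperson)")
# First mail= clause that carries a domain, e.g. (mail=user@example.org).
MAIL_RE = re.compile(r"\(mail=([^()@]+@[^()]+)\)")


def parse_access_log(text):
    """Return one record per completed search, joining SRCH and RESULT
    lines on (conn, op). RESULT lines for non-search ops are ignored."""
    pending = {}
    records = []
    for line in text.splitlines():
        m = SRCH_RE.match(line)
        if m:
            pending[(m["conn"], m["op"])] = m.groupdict()
            continue
        m = RESULT_RE.match(line)
        if m:
            srch = pending.pop((m["conn"], m["op"]), None)
            if srch is None:
                continue  # RESULT of a bind/modify, or SRCH outside the window
            srch["err"] = int(m["err"])
            srch["nentries"] = int(m["nentries"])
            records.append(srch)
    return records


def is_pts_lookup(rec):
    """True for a search shaped like the ptloader's canonification query."""
    return rec["attrs"] == "1.1" and all(k in rec["filter"] for k in PTS_MARKERS)


def find_failed_pts_lookups(text):
    """PTS-shaped searches that succeeded at the protocol level (err=0) but
    matched no entry, i.e. the ones behind 'unable to canonify identifier'."""
    out = []
    for rec in parse_access_log(text):
        if not is_pts_lookup(rec) or rec["err"] != 0 or rec["nentries"] != 0:
            continue
        m = MAIL_RE.search(rec["filter"])
        rec["identifier"] = m.group(1) if m else None
        out.append(rec)
    return out


def ldapsearch_command(rec, bind_dn, bind_pw, host="ldap", port=389):
    """Shell line that replays the logged search. Same flags as the manual
    test in the message, but the bind DN/password are parameters so the query
    can be run as the ptloader's own identity from imapd.conf (placeholders
    here). '1.1' as the attribute list mirrors attrs="1.1" in the log."""
    return " ".join([
        "ldapsearch", "-x", "-h", shlex.quote(host), "-p", str(port),
        "-D", shlex.quote(bind_dn), "-w", shlex.quote(bind_pw),
        "-s", "sub", "-b", shlex.quote(rec["base"]),
        shlex.quote(rec["filter"]), "1.1",
    ])


if __name__ == "__main__":
    for rec in find_failed_pts_lookups(SAMPLE_LOG):
        print(f"conn={rec['conn']} op={rec['op']} identifier={rec['identifier']}")
        print("  replay:", ldapsearch_command(
            rec, "uid=cyrus-admin,ou=Special Users,dc=example,dc=org", "PLACEHOLDER"))
```

Run it against the real access log (`python3 script.py < access` after swapping SAMPLE_LOG for sys.stdin.read()) during one of the failing windows; if the replayed command, bound as the PTS identity rather than Directory Manager, also returns nothing while the same filter succeeds as Directory Manager, the per-domain ACIs are the first thing to inspect. If it succeeds under both, the intermittent nentries=0 in the log is worth correlating with replication or connection reuse on conn=... instead.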


More information about the users mailing list