[Kolab-devel] [issue698] Kolab2 LDAP Sync can cause mailbox deletion

Stephan Buys kolab-issues at intevation.de
Tue Mar 22 07:56:08 CET 2005


New submission from Stephan Buys <s.buys at codefusion.co.za>:

We stumbled across this one over the weekend.

The scenario:
When we created perl-kolab/Kolab::LDAP and the Active Directory integration, we
sometimes had the situation that objects were deleted from Active
Directory without us getting delete notifications.
When this occurred (or when there was an LDAP configuration error), certain
objects would just not appear in LDAP anymore.
When this happened we put a mailbox in the "Grave Yard" for the period:
gyard_retention_period in kolab.conf (see output of "kolabconf -d" for the
value). The default period is 7 days.
If after 7 days the LDAP object was not restored, the mailbox was deleted.

Over the weekend we had Kolab2 servers starting to delete mailboxes that were
older than 7 days. The only possible cause for this is the following code in
perl-kolab/Kolab-LDAP/LDAP.pm:
    # Any mailboxes left should be sent to the graveyard; these are mailboxes
    # without a corresponding LDAP object, yet we were never informed of their
    # deletion, i.e. either we missed the deletion notification or there was
    # an error when iterating through the objects (Lost connection, invalid DNs)
    foreach $guid (keys %uid_db) {
        if (exists $objects{$uid_db{$guid}}) {
            $gyard_db{$guid} = $uid_db{$guid};
            $gyard_ts_db{$guid} = time;
        }
    }

    my $now = time;
    my $period = $Kolab::config{'gyard_deletion_period'} * 60;
    Kolab::log('L', 'Gravekeeping (period = ' . $Kolab::config{'gyard_deletion_period'} . ' minutes)');
    foreach $guid (keys %gyard_ts_db) {
        if ($now - $gyard_ts_db{$guid} > $period) {
            Kolab::log('L', "Gravekeeper deleting mailbox `" . $gyard_db{$guid} . "'");
            Kolab::Cyrus::deleteMailbox($cyrus, $gyard_db{$guid}, 0);
            delete $gyard_ts_db{$guid};
            delete $gyard_db{$guid};
        }
    }
   
Now, with Kolab2 I strongly suggest we completely disable this code and do
testing that all still works as expected.

What happened in our case is we created mailboxes using an LDIF import, but
had the "homeServer" attributes wrong. We then deleted the LDAP objects and
recreated them with the correct "homeServer". This caused the LDAP object to appear
removed from LDAP, but triggered the scenario above. The reason it appears
removed is that we cache the "entryUUID" attribute for each LDAP object.

There should be no reason for Kolab2 to delete mailboxes other than having a
"deleteFlag" attribute.

I will comment out the code if there are no objections; please could you let me
know where I can get the new perl-kolab package.

----------
messages: 4180
nosy: bernhard, bh, steffen, stephanb
priority: critical
status: unread
title: Kolab2 LDAP Sync can cause mailbox deletion
________________________________________________
Kolab issue tracker <kolab-issues at intevation.de>
<https://intevation.de/roundup/kolab/issue698>
________________________________________________
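
The failure case reported above (an object deleted and recreated under a new entryUUID) and the rule the report proposes (delete only when a deleteFlag is present), worked through as an added example; this is not perl-kolab code and not part of the original message. %uid_db mirrors the cache in the quoted code; reconcile(), the sample entries, the deleteFlag field layout and the rebind-by-uid step are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added illustration, not perl-kolab code. All names and data are constructed.
use strict;
use warnings;

# Cache from an earlier sync run: entryUUID => mailbox uid.
my %uid_db = (
    'uuid-a1' => 'alice@example.com',
    'uuid-b1' => 'bob@example.com',
    'uuid-c1' => 'carol@example.com',
    'uuid-d1' => 'dave@example.com',
);

# Current LDAP pass: alice was deleted and recreated (new entryUUID, same
# uid), bob is unchanged, carol carries deleteFlag, dave is missing.
my @ldap = (
    { entryUUID => 'uuid-a2', uid => 'alice@example.com' },
    { entryUUID => 'uuid-b1', uid => 'bob@example.com' },
    { entryUUID => 'uuid-c1', uid => 'carol@example.com', deleteFlag => 1 },
);

# Decide per cached mailbox; a missing entryUUID alone never means delete.
sub reconcile {
    my ($cache, $entries) = @_;
    my %by_uuid = map { ($_->{entryUUID}, $_) } @$entries;
    my %by_uid  = map { ($_->{uid},       $_) } @$entries;
    my %plan;
    for my $guid (sort keys %$cache) {
        my $uid   = $cache->{$guid};
        my $entry = $by_uuid{$guid} // $by_uid{$uid};
        if (!$entry) {
            $plan{$uid} = 'orphan: report for review, do not delete';
        } elsif ($entry->{deleteFlag}) {
            $plan{$uid} = 'delete: deleteFlag is set';
        } elsif ($entry->{entryUUID} ne $guid) {
            $plan{$uid} = "keep: recreated, rebind to $entry->{entryUUID}";
        } else {
            $plan{$uid} = 'keep';
        }
    }
    return \%plan;
}

my $plan = reconcile(\%uid_db, \@ldap);
printf "%-18s %s\n", $_, $plan->{$_} for sort keys %$plan;
```

Rebinding by uid assumes a uid is never reused for a different person; where it can be, treat a changed entryUUID as an orphan for review instead.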



