strange behaviour of ptloader unable to canonify identifier

Liutauras Adomaitis adomaitis at kolabsystems.com
Tue Aug 29 10:29:26 CEST 2017


Hi Jan,

On Tuesday, 29 August 2017 at 11:10:42 EEST, Jan Kowalsky wrote:
> Hi Liutauras,
> 
> thanks for answer.
> 
> Am 14.08.2017 um 15:29 schrieb Liutauras Adomaitis:
> > Hi,
> > 
> > On Friday, 11 August 2017 at 17:52:34 EEST, Jan Kowalsky wrote:
> >> Lookup works:
> >> 
> >> [11/Aug/2017:16:08:49 +0200] conn=2131533 op=2 SRCH base="dc=example,dc=org" scope=2 filter="(&(objectClass=inetorgperson)(|(uid=example.user1)(mail=example.user1@fas-dresden.de)(alias=example.user1@fas-dresden.de)))" attrs="displayName mail alias nsRoleDN uid"
> >> 
> >> Lookup doesn't work
> >> 
> >> [11/Aug/2017:16:14:14 +0200] conn=2118186 op=8777 SRCH base="dc=example,dc=org" scope=2 filter="(|(&(|(uid=cyrus-admin)(uid=cyrus-murder))(uid=example.user2))(&(|(uid=example.user2)(mail=example.user2@fas-dresden.de)(mail=example.user2@))(objectClass=kolabinetorgperson)))" attrs="1.1"
> >> 
> >> But other entries with attrs="1.1" don't lead to problems.
> >> 
> >> If I change the LDAP server in the second webmailer to use the other
> >> LDAP server: no problem. But we have some fancy ACIs for separating
> >> domains.
> >> 
> >> So one question: does the LDAP server Cyrus makes its lookups from have
> >> to be the same one the mail client (Roundcube) looks up?
> > 
> > No, but if you use different servers, then you must know what you are
> > doing, as that can lead to all sorts of problems.
> > 
> >> I have no Idea for further debugging. Any hint is welcome.
> > 
> > The LDAP log entry which doesn't work looks like it was generated by the Cyrus PTS module.
> > What I would do is:
> > - take that filter from LDAP log record and use it for manual ldapsearch
> > command line utility to find out why it doesn't find what you expect. Make
> > sure you use same bind dn and password as it is configured in
> > /etc/imapd.conf for pts module. I usually remove parts of the filter
> > until ldapsearch utility finds the LDAP object.
> 
> That's exactly, what I did. And the same filter works on the command
> line. But it comes even more strange:
> 
> Today I tried to create mailboxes which were not created by kolab
> during user creation.

Why is that? Doesn't your kolabd do the work it is supposed to? Did you see any 
errors in the /var/log/kolab/pykolab.log file? Maybe increase the logging level in 
/etc/sysconfig/kolabd (assuming you are running a RedHat-derived distribution).

> From 20 mailboxes, for 9 of them the ACL was not assigned, while the
> mailbox was created. The reason: while mailbox creation is just a task
> for Cyrus, for setting the ACL the ptloader queries LDAP. And exactly
> this failed for the 9 mailboxes:

Do you mean it fails for 9 out of 20 mailboxes?

> Aug 29 09:50:17 mail ptloader[15994]: No entries found
> Aug 29 09:50:17 mail imaps[15883]: ptload(): bad response from ptloader
> server: identifier not found
> Aug 29 09:50:17 mail imaps[15883]: ptload completely failed: unable to
> canonify identifier: example.user@example.org
> 
> looking at the ldap access log there is this corresponding line:
> 
> [29/Aug/2017:09:41:14 +0200] conn=3144893 op=7837 SRCH base="dc=example,dc=org" scope=2 filter="(|(&(|(uid=cyrus-admin)(uid=cyrus-murder))(uid=example.user))(&(|(uid=example.user)(mail=example.user@example.org)(mail=example.user@))(objectClass=kolabinetorgperson)))" attrs="1.1"
> [29/Aug/2017:09:41:14 +0200] conn=3144893 op=7837 RESULT err=0 tag=101 nentries=0 etime=0
> 
> But with the same filter on ldapsearch:
> 
> /usr/lib/mozldap/ldapsearch -x -h ldap -p 389 -D "cn=Directory Manager" -w $(cat /etc/kolab/kolab.conf |grep ^bind_pw | cut -d' ' -f 3) -s sub -b "dc=example,dc=org" '(|(&(|(uid=cyrus-admin)(uid=cyrus-murder))(uid=example.user))(&(|(uid=example.user)(mail=example.user@example.org)(mail=example.user@))(objectClass=kolabinetorgperson)))'
> 
> it returns the object.

How is your ptloader configured in /etc/imapd.conf? Does it use cn=Directory 
Manager to bind to LDAP? You should use the ldap_bind_dn value from your 
/etc/imapd.conf for ldapsearch -D to do a correct test on the command line.

> I tried a couple of times to set mailbox acls by command line:
> 
> kolab sam user/example.user@example.org user/example.user@example.org all

I see an error in your command: you list the mailbox name twice, while you should 
assign the ACL to the user:
kolab sam user/example.user@example.org example.user@example.org all

> but always the same error in mail.log
> 
> After a while: Just doing the same command again with no changes in
> configuration the ptloader query worked and the acls are set.
> 
> Again: this problem only occurs with some of about 40 domains. And I'm
> completely clueless.

So you have a multidomain setup? Is that reflected in the /etc/imapd.conf ptloader 
LDAP configuration? Does every domain have its own suffix in LDAP (like 
dc=example,dc=com and dc=example,dc=org)? Did you take care of the LDAP ACIs to 
allow the necessary access for the kolab-admin bind DN?

> Kind Regards
> Jan


Regards,
Liutauras Adomaitis