
sync-mailhost-attrs behaves strange
Closed, Resolved. Public.

Description

pykolab.noarch 0.7.27-3.1.el6.kolab_14

"kolab sync-mailhost-attrs -d 9" updates one of our LDAP entries twice, once/first with the correct mailbox mailhost and once/second with an alias mailbox mailhost. We know that the alias mailbox should not even exist in cyrus but it does.
In our case we think the problem would not show up if "sync-mailhost-attrs" wouldn't use "alias" in LDAP-Filter. And by the way we are asking if it makes sense to use "alias" attribute in LDAP filter for "sync-mailhost-attrs".

Is it somehow possible to avoid this by configuration?

The filter we see with "-d 9"

(&(&(objectclass=kolabinetorgperson)(objectclass=mailrecipient)(mail=*))(|(mail=pitb.mse@domain.de)(alias=pitb.mse@domain.de)))

The LDAP object

dn:: ------------------------------------------------------------------------------------------------------------------------------==
objectClass: gosaAccount
objectClass: gotoEnvironment
objectClass: inetOrgPerson
objectClass: kolabInetOrgPerson
objectClass: lhmNoPersonEntry
objectClass: lhmObject
objectClass: lhmTempKolab
objectClass: mailRecipient
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: top
cn: mailbox-ftd.pdika.mse
gidNumber: 504
homeDirectory: /home/ftd.pdika.mse
sn: mailbox-ftd.pdika.mse
uid: ftd.pdika.mse
uidNumber: 121101051
alias: pitb.mse@domain.de
displayName: MSE-PDIKA-FTD
givenName: mailbox
l:: TcO8bmNoZW4=
lhmCalUser: Nein
lhmDisplayPrintTel: FALSE
lhmDisplayPrintTelIndex: FALSE
lhmFaxUser: Nein
lhmListMemberAuto: FALSE
lhmMailboxServer: head
lhmObjectID: 8111155151
lhmOfficeLocalityName:: TcO8bmNoZW4=
lhmOfficePostalCode: 82222
lhmOfficeStreetAddress: Friedenstr. 40
lhmPopImap: IMAP
lhmTempKolabEnabled: TRUE
mail: ftd.pdika.mse@domain.de
mailQuota: 1048576
ou: MSE-PDIKA-FTD
postalCode: 81671
street: Friedenstr. 40

Cyrus/Kolab knows about the alias mailbox

root@kolabmupdatep001a [0] ~ # kolab lm user/pitb.mse@domain.de
user/pitb.mse@domain.de

root@kolabmupdatep001a [0] ~ # kolab list-mailbox-metadata  user/pitb.mse@domain.de
Folder user/pitb.mse@domain.de
  /shared/vendor/cmu/cyrus-imapd/partition          fast
  /shared/vendor/cmu/cyrus-imapd/lastupdate          2-Aug-2016 07:37:16 +0200
  /shared/vendor/cmu/cyrus-imapd/duplicatedeliver   false
  /shared/vendor/cmu/cyrus-imapd/pop3newuidl        true
  /shared/vendor/cmu/cyrus-imapd/size               3813044
  /shared/vendor/cmu/cyrus-imapd/sharedseen         false
  /shared/vendor/cmu/cyrus-imapd/server             kolabbep004.srv.ha3.dir.domain.de
  /shared/vendor/cmu/cyrus-imapd/uniqueid           8c61c735-6190-4f2f-a3cf-4aa81231c356

Cyrus/Kolab knows about the mail mailbox

root@kolabmupdatep001a [0] ~ # kolab list-mailbox-metadata  user/ftd.pdika.mse@domain.de
Folder user/ftd.pdika.mse@domain.de
  /shared/vendor/cmu/cyrus-imapd/partition          fast
  /shared/vendor/cmu/cyrus-imapd/lastupdate         12-Aug-2016 09:25:12 +0200
  /shared/vendor/cmu/cyrus-imapd/duplicatedeliver   false
  /shared/vendor/cmu/cyrus-imapd/pop3newuidl        true
  /shared/vendor/cmu/cyrus-imapd/server             kolabbep002.srv.ha3.dir.domain.de
  /shared/vendor/cmu/cyrus-imapd/size               7289824
  /shared/vendor/cmu/cyrus-imapd/sharedseen         false
  /shared/vendor/kolab/folder-type                  mail
  /shared/vendor/cmu/cyrus-imapd/uniqueid           07b5aa5e-9216-4382-856d-618c43546b5f
root@kolabmupdatep001a [0] ~ # kolab lm  user/ftd.pdika.mse@domain.de
user/ftd.pdika.mse@domain.de

our config

root@kolabmupdatep001a [0] ~ # cat /etc/kolab/kolab.conf

# Managed by Puppet, from modules/kolab/templates/kolab/kolab.conf.erb

## !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
## due to a software problem kolab is not able to use "autocreate_folders" under
## [kolab] section. It's only possible to use it in a domain specific section
##
## !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

[kolab]
imap_backend = cyrus-imap
domain_sync_interval = 600
sync_interval = 300
default_locale = de_DE
auth_mechanism = ldap
primary_domain = domain.de
policy_uid = (givenname)s.%(surname)s.lower()
daemon_rcpt_policy = False

[domain.de]
primary_mail = %(uid)s@%(domain)s
default_quota = 1048576
autocreate_folders = {
        'Kalender': {
                'annotations': {
                        '/private/vendor/kolab/folder-type': "event.default",
                        '/shared/vendor/kolab/folder-type': "event",
                    },
            },
        'Kalender/Privat': {
                'annotations': {
                        '/private/vendor/kolab/folder-type': "event.private",
                        '/shared/vendor/kolab/folder-type': "event",
                    },
            },
        'Kalender/Vertraulich': {
                'annotations': {
                        '/private/vendor/kolab/folder-type': "event.confidential",
                        '/shared/vendor/kolab/folder-type': "event",
                    },
            },
        'Configuration': {
                'annotations': {
                        '/private/vendor/kolab/folder-type': "configuration.default",
                        '/shared/vendor/kolab/folder-type': "configuration",
                    },
            },
        'Adressbuch': {
                'annotations': {
                        '/private/vendor/kolab/folder-type': "contact.default",
                        '/shared/vendor/kolab/folder-type': "contact",
                    },
            },
        'Drafts': {
                'annotations': {
                        '/private/vendor/kolab/folder-type': "mail.drafts",
                    },
            },
        'Sent': {
                'annotations': {
                        '/private/vendor/kolab/folder-type': "mail.sentitems",
                    },
            },
        'Junk': {
                'annotations': {
                        '/private/vendor/kolab/folder-type': "mail.junkemail",
                    },
            },
        'Aufgaben': {
                'annotations': {
                        '/private/vendor/kolab/folder-type': "task.default",
                        '/shared/vendor/kolab/folder-type': "task",
                    },
            },
        'Archives': {
                'quota': 0,
                'partition': 'archive'
            },
        'Trash': {
                'annotations': {
                        '/private/vendor/kolab/folder-type': "mail.wastebasket",
                    },
            },
        }

[imap]
virtual_domains = userid

[ldap]
ldap_uri = ldap://ldap.domain.de:389
supported_controls = 0,2,3
base_dn = c=de
bind_dn = cn=svc pykolab,ou=kolab,o=Application,c=de
bind_pw = o-------------------*******i
service_bind_dn = cn=svc pykolab,ou=kolab,o=Application,c=de
service_bind_pw = o----------------------------*****************i

user_base_dn = c=de
user_filter = (|(uid=cyrus-admin)(uid=sieve-admin)(&(objectclass=inetorgperson)(objectclass=mailrecipient)))
user_scope = sub

kolab_user_base_dn = c=de
kolab_user_filter = (&(objectclass=kolabinetorgperson)(objectclass=mailrecipient)(mail=*))

group_base_dn = c=de
group_filter = (&(objectclass=lhmDistributionList)(|(objectclass=groupofuniquenames)(objectclass=groupofurls))(!(objectclass=nstombstone)))
group_scope = sub

resource_base_dn = c=de
resource_filter = (&(objectclass=kolabresource)(|(&(objectclass=kolabsharedfolder)(kolabfoldertype=event)(mail=NOCHNICHTAKTIV))(objectclass=groupofuniquenames)(objectclass=groupofurls))(!(objectclass=nstombstone)))

sharedfolder_base_dn = c=de
sharedfolder_filter = (&(objectclass=kolabsharedfolder)(!%(group_filter)s)(!(objectclass=nstombstone)))
sharedfolder_acl_entry_attribute = acl

domain_base_dn = ou=kolab,o=Application,c=de
domain_filter = (&(objectclass=domainrelatedobject)(associatedDomain=*))
domain_name_attribute = associateddomain
domain_rootdn_attribute = inetdomainbasedn

auth_attributes = mail, uid
mail_attributes = mail, alias
mailserver_attribute = mailhost
quota_attribute = mailquota
unique_attribute = nsuniqueid

[wallace]
footer_html = /etc/kolab/footer.html
footer_text = /etc/kolab/footer.text
modules = invitationpolicy, resources
kolab_invitation_policy = EVENT_SAVE_AND_FORWARD:domain.de, EVENT_CANCEL_DELETE_AND_NOTIFY, ACT_UPDATE_AND_NOTIFY, ACT_MANUAL
resource_calendar_expire_days = 100
invitationpolicy_autoupdate_other_attendees_on_reply = True

[kolab_smtp_access_policy]
cache_retention = 86400
address_search_attrs = mail, alias
sender_header = True
xsender_header = False
alias_sender_header = False
delegate_sender_header = True
sender_header_enc_key = 'simple'

[cyrus-sasl]
result_attribute = mail

[cyrus-imap]
uri = imaps://imap.domain.de:993
admin_login = cyrus-admin
admin_password = o++++++++++++++************+sh

[kolab_wap]
api_url = https://kolabwebadminp001.srv.ha3.dir.domain.de/api
skin = default
sql_uri = mysql://kolab:-------@bmN@kolabdywp001.srv.ha3.dir.domain.de/kolab
ssl_verify_host =
ssl_verify_peer =
login_filter = (&(|(mail=%s)(mail=%U@%d))(objectclass=inetorgperson))
session_timeout = 1440
memcache_pconnect = true

Event Timeline

machniak added a subscriber: machniak.

sync-mailhost-attr uses auth.find_folder_resource() and auth.find_recipient() methods which indeed use attributes defined in mail_attributes. Sync command uses hardcoded 'mail' attribute, so I suppose we should use 'mail' only here too.

I think we could extend these two methods with an additional (optional) argument which would be a list of search attributes. If that is confirmed by our architect I can create a Differential.

sync-mailhost-attr should use the (one) result attribute (cyrus-sasl, result attribute), not the mail attributes.

Returning to the original question. No, it is not possible to prevent this with configuration. So, you have to investigate why a mailbox exists for alias attribute in the first place.
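
The lookup discussed in the comments above, as an added example that is not part of the thread and not pykolab code: a constructed in-memory model showing why searching on both `mail_attributes` resolves both Cyrus mailboxes to the same LDAP entry, while searching on the single result attribute does not. The names `escape`, `build_filter`, `search` and `sync_mailhost` are hypothetical, and matching is simplified to exact string comparison.

```python
# Added illustration: a constructed model of the lookup, not pykolab code.
KOLAB_USER_FILTER = ("(&(objectclass=kolabinetorgperson)"
                     "(objectclass=mailrecipient)(mail=*))")

# Constructed directory: the reported entry, reduced to the relevant attributes.
DIRECTORY = [{
    "uid": "ftd.pdika.mse",
    "objectclass": {"kolabinetorgperson", "mailrecipient"},
    "mail": ["ftd.pdika.mse@domain.de"],
    "alias": ["pitb.mse@domain.de"],
}]

# The two Cyrus mailboxes and their servers, as listed in the report.
MAILBOXES = {
    "user/ftd.pdika.mse@domain.de": "kolabbep002.srv.ha3.dir.domain.de",
    "user/pitb.mse@domain.de": "kolabbep004.srv.ha3.dir.domain.de",
}

def escape(value):
    """Escape RFC 4515 special characters before placing a value in a filter."""
    for ch in "\\*()\x00":  # backslash first, so added escapes are not re-escaped
        value = value.replace(ch, "\\%02x" % ord(ch))
    return value

def build_filter(address, search_attrs):
    """Compose the filter in the shape shown by the -d 9 output."""
    terms = "".join("(%s=%s)" % (a, escape(address)) for a in search_attrs)
    if len(search_attrs) > 1:
        terms = "(|%s)" % terms
    return "(&%s%s)" % (KOLAB_USER_FILTER, terms)

def search(address, search_attrs):
    """Apply the same condition to the in-memory entries (exact match only)."""
    required = {"kolabinetorgperson", "mailrecipient"}
    return [e for e in DIRECTORY
            if required <= e["objectclass"] and e.get("mail")
            and any(address in e.get(a, []) for a in search_attrs)]

def sync_mailhost(search_attrs):
    """Return, per uid, the ordered mailhost values a sync run would write."""
    writes = {}
    for folder, server in MAILBOXES.items():
        address = folder.split("/", 1)[1]
        for entry in search(address, search_attrs):
            writes.setdefault(entry["uid"], []).append(server)
    return writes

if __name__ == "__main__":
    print(build_filter("pitb.mse@domain.de", ["mail", "alias"]))
    print(sync_mailhost(["mail", "alias"]))  # both mailboxes hit the same entry
    print(sync_mailhost(["mail"]))           # only the mail mailbox matches
```
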

As Jeroen already wrote, I think that is absolutely correct, it "should use" this

[cyrus-sasl]
result_attribute = mail

but the filter "-d 9" uses is

(&(&(objectclass=kolabinetorgperson)(objectclass=mailrecipient)(mail=*))(|(mail=pitb.mse@domain.de)(alias=pitb.mse@domain.de)))

so it includes "alias" into the search and I don't know why.

We found the reason for a mailbox existing in cyrus that is an "alias" and not "mail" in LDAP. It's related to T1395.
The LDAP object was initially created with mail to "pitb.mse@domain.de", was renamed after a few weeks and changed to "ftd.pdika.mse@domain.de" and due to an issue T1395, which is still under investigation, the mailbox was not renamed but a new one was created. So now we have a mailbox for current "mail" attribute value and one for former "mail" now "alias" attribute value. But that's another issue.

Created a patch. This is untested and it's not my decision if it is a proper approach.

For normal mailboxes and users I'd be happy with the implementation as I read it.

But for shared folders there's a different behavior. They don't have a mail attribute required and rely on "kolabTargetFolder" to identify the unique mailbox.

I think this could lead into problems at line 194 of "pykolab/cli/cmd_sync_mailhost_attrs.py" (D209).

By the way, "kolabTargetFolder" is not mentioned in /etc/kolab/kolab.conf anywhere.

dn:: .................
objectClass: kolabSharedFolder
objectClass: lhmKolabSharedFolder
objectClass: lhmObject
objectClass: lhmTempKolab
objectClass: mailRecipient
objectClass: top
cn: blubb
kolabFolderType: mail
kolabTargetFolder: shared/asdf@domain.de
lhmObjectID: 911188155
lhmTempKolabEnabled: TRUE

Shared folders are handled differently. We've been there. See find_folder_resource() in line 192.

ok, thanks, I've missed that

machniak moved this task from Backlog to Review on the PyKolab board. Aug 25 2016, 12:19 PM