
Recipient Policy broken when using hosted_domain mode
Open, Needs Triage; Public

Description

The initial ldap creation (using kolab-webadmin) seems to be okay:

time: 20191123155643
dn: uid=doe,ou=people,ou=example.org,dc=hosted,dc=dotlan,dc=info
result: 0
changetype: add
alias: j.doe@example.org
alias: john.doe@example.org
givenName: John
mailQuota: 1048576
preferredLanguage: de_DE
sn: Doe
cn: John Doe
displayName: Doe, John
mail: doe@example.org
uid: doe
objectClass: top
objectClass: inetorgperson
objectClass: kolabinetorgperson
objectClass: mailrecipient
objectClass: organizationalperson
objectClass: person
creatorsName: cn=directory manager
modifiersName: cn=directory manager
createTimestamp: 20191123145643Z
modifyTimestamp: 20191123145643Z

After that, kolabd kicks in with the recipient policy plugin and changes mail, alias and mailHost multiple times based on the number of domains found. Instead of limiting it to the domains of the hosted domain, it also takes in the primary_domain attributes (from the mgmt_domain) and hosted_domain.

time: 20191123155643
dn: uid=doe,ou=People,ou=example.org,dc=hosted,dc=dotlan,dc=info
result: 0
changetype: modify
replace: mail
mail: doe@dotlan.info
-
replace: modifiersname
modifiersname: cn=directory manager
-
replace: modifytimestamp
modifytimestamp: 20191123145643Z
-

time: 20191123155643
dn: uid=doe,ou=People,ou=example.org,dc=hosted,dc=dotlan,dc=info
result: 0
changetype: modify
replace: mail
mail: doe@hosted.dotlan.info
-
replace: modifiersname
modifiersname: cn=directory manager
-
replace: modifytimestamp
modifytimestamp: 20191123145643Z
-

time: 20191123155643
dn: uid=doe,ou=People,ou=example.org,dc=hosted,dc=dotlan,dc=info
result: 0
changetype: modify
replace: alias
alias: john.doe@example.org
alias: j.doe@hosted.dotlan.info
alias: john.doe@hosted.dotlan.info
alias: j.doe@example.org
-
replace: modifiersname
modifiersname: cn=directory manager
-
replace: modifytimestamp
modifytimestamp: 20191123145643Z
-

time: 20191123155643
dn: uid=doe,ou=People,ou=example.org,dc=hosted,dc=dotlan,dc=info
result: 0
changetype: modify
replace: alias
alias: john.doe@example.org
alias: j.doe@dotlan.info
alias: john.doe@dotlan.info
alias: j.doe@example.org
-
replace: modifiersname
modifiersname: cn=directory manager
-
replace: modifytimestamp
modifytimestamp: 20191123145643Z
-

time: 20191123155643
dn: uid=doe,ou=People,ou=example.org,dc=hosted,dc=dotlan,dc=info
result: 0
changetype: modify
add: mailHost
mailHost: localhost
-
replace: modifiersname
modifiersname: cn=directory manager
-
replace: modifytimestamp
modifytimestamp: 20191123145643Z
-

time: 20191123155643
dn: uid=doe,ou=People,ou=example.org,dc=hosted,dc=dotlan,dc=info
result: 0
changetype: modify
replace: alias
alias: john.doe@example.org
alias: j.doe@dotlan.info
alias: john.doe@dotlan.info
alias: j.doe@example.org
-
replace: modifiersname
modifiersname: cn=directory manager
-
replace: modifytimestamp
modifytimestamp: 20191123145643Z
-

time: 20191123155643
dn: uid=doe,ou=People,ou=example.org,dc=hosted,dc=dotlan,dc=info
result: 0
changetype: modify
replace: mail
mail: doe@dotlan.info
-
replace: modifiersname
modifiersname: cn=directory manager
-
replace: modifytimestamp
modifytimestamp: 20191123145643Z
-

time: 20191123155643
dn: uid=doe,ou=People,ou=example.org,dc=hosted,dc=dotlan,dc=info
result: 0
changetype: modify
replace: alias
alias: john.doe@example.org
alias: j.doe@dotlan.info
alias: john.doe@dotlan.info
alias: j.doe@example.org
-
replace: modifiersname
modifiersname: cn=directory manager
-
replace: modifytimestamp
modifytimestamp: 20191123145643Z
-

time: 20191123155643
dn: uid=doe,ou=People,ou=example.org,dc=hosted,dc=dotlan,dc=info
result: 0
changetype: modify
replace: mail
mail: doe@dotlan.info
-
replace: modifiersname
modifiersname: cn=directory manager
-
replace: modifytimestamp
modifytimestamp: 20191123145643Z
-

time: 20191123155644
dn: uid=doe,ou=People,ou=example.org,dc=hosted,dc=dotlan,dc=info
result: 0
changetype: modify
replace: alias
alias: j.doe@dotlan.info
alias: john.doe@hosted.dotlan.info
alias: j.doe@example.org
alias: john.doe@dotlan.info
alias: j.doe@hosted.dotlan.info
alias: john.doe@example.org
-
replace: modifiersname
modifiersname: cn=directory manager
-
replace: modifytimestamp
modifytimestamp: 20191123145644Z
-

time: 20191123155644
dn: uid=doe,ou=People,ou=example.org,dc=hosted,dc=dotlan,dc=info
result: 0
changetype: modify
replace: mail
mail: doe@dotlan.info
-
replace: modifiersname
modifiersname: cn=directory manager
-
replace: modifytimestamp
modifytimestamp: 20191123145644Z
-

time: 20191123155644
dn: uid=doe,ou=People,ou=example.org,dc=hosted,dc=dotlan,dc=info
result: 0
changetype: modify
replace: mail
mail: doe@dotlan.info
-
replace: modifiersname
modifiersname: cn=directory manager
-
replace: modifytimestamp
modifytimestamp: 20191123145644Z
-

time: 20191123155644
dn: uid=doe,ou=People,ou=example.org,dc=hosted,dc=dotlan,dc=info
result: 0
changetype: modify
replace: mail
mail: doe@dotlan.info
-
replace: modifiersname
modifiersname: cn=directory manager
-
replace: modifytimestamp
modifytimestamp: 20191123145644Z
-

These changes are taken from the dirsrv/auditlog, which was easier to read than the pykolab log in debug mode 9.

Parts of the kolab.conf

[kolab]
primary_domain = dotlan.info
[...]

[kolab_wap]
mgmt_root_dn = dc=dotlan,dc=info
hosted_root_dn = dc=hosted,dc=dotlan,dc=info
[...]

I guess that the recipient policy completely fails in hosted domain mode. It also results in kolabd running in a 100% CPU usage loop. It seems to be a bug that kolabd looks up the wrong domain in hosted mode (it also doesn't know anything about hosted_domain_rootdn, which resides under kolab_wap).

It is either not supposed to work at all or kolabd has a bug looking up the right domains assigned for this hosted domain.

Details

Ticket Type
Task
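An added example (not part of the original report and not PyKolab code): a check over a dirsrv audit log in the layout shown in the description that lists every mail or alias value written outside the entry's hosted domain, which is how the rewrites to dotlan.info and hosted.dotlan.info show up. It assumes the tenant domain is the ou=<domain> component directly above hosted_root_dn; the names tenant_domain, foreign_addresses and SAMPLE_AUDIT_LOG are hypothetical and the sample log is constructed.

```python
import re

HOSTED_ROOT_DN = "dc=hosted,dc=dotlan,dc=info"  # hosted_root_dn from the kolab.conf above
ADDRESS_ATTRS = {"mail", "alias"}

# Constructed sample in the audit-log layout shown in the description (trimmed).
SAMPLE_AUDIT_LOG = """\
time: 20191123155643
dn: uid=doe,ou=people,ou=example.org,dc=hosted,dc=dotlan,dc=info
changetype: add
alias: j.doe@example.org
mail: doe@example.org

time: 20191123155643
dn: uid=doe,ou=People,ou=example.org,dc=hosted,dc=dotlan,dc=info
changetype: modify
replace: mail
mail: doe@dotlan.info
-

time: 20191123155644
dn: uid=doe,ou=People,ou=example.org,dc=hosted,dc=dotlan,dc=info
changetype: modify
replace: alias
alias: j.doe@hosted.dotlan.info
-
"""

def tenant_domain(dn, root=HOSTED_ROOT_DN):
    """Return <domain> from the ou=<domain> RDN directly above root, else None."""
    dn, root = dn.lower().replace(" ", ""), root.lower()
    if not dn.endswith("," + root):
        return None
    rdn = dn[: -len(root) - 1].split(",")[-1]
    return rdn[3:] if rdn.startswith("ou=") else None

def foreign_addresses(audit_log, root=HOSTED_ROOT_DN):
    """Return (time, attr, value) for addresses outside the entry's tenant domain."""
    findings = []
    # Unfold LDIF continuation lines, then split into blank-line separated records.
    for record in re.split(r"\n\s*\n", re.sub(r"\n ", "", audit_log).strip()):
        pairs = [(k.strip().lower(), v.strip()) for k, _, v in
                 (line.partition(":") for line in record.splitlines())]
        head = dict(p for p in pairs if p[0] in ("time", "dn"))
        domain = tenant_domain(head.get("dn", ""), root)
        findings += [(head.get("time"), k, v) for k, v in pairs
                     if domain and k in ADDRESS_ATTRS
                     and v.rpartition("@")[2].lower() != domain]
    return findings
```

Entries outside hosted_root_dn are skipped rather than flagged, so the management domain's own users do not produce findings.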

Event Timeline

dhoffend created this task. Sat, Nov 23, 4:37 PM
dhoffend added a project: PyKolab.
dhoffend added a subscriber: PyKolab Developers.

Okay ... first issue (in my case) is that mgmt_root_dn is in the same domain name space ... One issue, but that's not the root cause

I found this in my logs:

2019-11-23 16:32:23,684 pykolab.daemon DEBUG [2718] Listing domains...
2019-11-23 16:32:23,747 pykolab.daemon DEBUG [2718] Domain 'example.org' naming context: 'dc=hosted,dc=dotlan,dc=info', root dn: 'ou=example.org,dc=hosted,dc=dotlan,dc=info'
2019-11-23 16:32:23,755 pykolab.daemon DEBUG [2718] Domain 'dotlan.info' naming context: 'dc=dotlan,dc=info', root dn: 'dc=dotlan,dc=info'
2019-11-23 16:32:23,764 pykolab.daemon DEBUG [2718] Domain 'hosted.dotlan.info' naming context: 'dc=hosted,dc=dotlan,dc=info', root dn: 'dc=hosted,dc=dotlan,dc=info'
2019-11-23 16:32:23,764 pykolab.daemon DEBUG [2718] Naming contexts to synchronize: ['dc=hosted,dc=dotlan,dc=info', 'dc=dotlan,dc=info']
2019-11-23 16:32:23,764 pykolab.daemon DEBUG [2718] Result set of domains: ['hosted.dotlan.info', 'dotlan.info']
2019-11-23 16:32:23,764 pykolab.daemon DEBUG [2718] Checking for domain hosted.dotlan.info
2019-11-23 16:32:23,765 pykolab.daemon DEBUG [2718] Domain hosted.dotlan.info does not have a process yet.
2019-11-23 16:32:23,765 pykolab.daemon DEBUG [2718] Checking for domain dotlan.info
2019-11-23 16:32:23,765 pykolab.daemon DEBUG [2718] Domain dotlan.info does not have a process yet.
2019-11-23 16:32:23,765 pykolab.daemon DEBUG [2718] added domains: ['hosted.dotlan.info', 'dotlan.info'], removed domains: []
2019-11-23 16:32:23,765 pykolab.daemon DEBUG [2718] Process created for domain hosted.dotlan.info
2019-11-23 16:32:23,767 pykolab.daemon DEBUG [2718] Process created for domain dotlan.info
2019-11-23 16:32:23,770 pykolab.daemon DEBUG [2743] Synchronizing for domain hosted.dotlan.info
2019-11-23 16:32:23,772 pykolab.daemon DEBUG [2744] Synchronizing for domain dotlan.info

So kolabd is creating 2 kolabd processes to sync mailboxes, etc. One for the mgmt_root_dn and one for the hosted_root_dn.

When creating the LDAP auth object it assigns the domain of the namespace domain, which means that all hooks always get applied the "primary_domain" from the hosted namespace.

Without a detection (if we're in hosted_mode or not) this doesn't work. But in general, since we're not able to switch recipient_policy on/off per hosted domain, it doesn't make sense to use recipient_policy in hosted_mode anyway ...

dhoffend closed this task as Invalid. Tue, Nov 26, 6:05 PM

A workaround could be to move the hosted_root_dn from the [kolab_web] to [kolab] section and make a check for it. If hosted_mode is configured then look for ou=domain,$hosted_root_dn instead of the dc version. Another workaround would be to load all hosted domains into memory to avoid an LDAP query for every sync run. But we then need to trigger kolabd somehow to reload the domain list when domains have been changed or added.

dhoffend reopened this task as Open. Tue, Nov 26, 6:05 PM

ups, reopen