ptloader problem finding the domain in "Hosted Kolab Groupware" Multidomain setup (Kolab16 on CentOS 7.3)



  • I installed Kolab16 fresh, as described in https://docs.kolab.org/installation-guide/centos-7.html, which worked absolutely perfectly and without any problems.
    Afterwards the web interface "webmail-admin" was perfect for adding the first user, and on "roundcubemail" the login worked on the first try, with sending and receiving mails, adding files, creating events and tasks. So everything was fine, and so I made some httpd config changes to add Let's Encrypt certs and some virtual domains for admin and webmail; that worked as well, but then the problems started with enabling multidomain.

    I followed those docs
    https://docs.kolab.org/administrator-guide/configuring-the-kolab-server.html#admin-organizations-with-multiple-domain-namespaces
    https://docs.kolab.org/deployment-guide/hosted-kolab-groupware-deployment.html#deployment-hosted-kolab
    https://docs.kolab.org/architecture-and-design/ldap.html#and-ldap-mapping-a-domain-name-space-to-a-dit-root-dn
    https://docs.kolab.org/howtos/multi-domain.html?highlight=root
    but after changing ldap_domain_base_dn: "cn=kolab,cn=config", ptloader was no longer able to canonify the users.
    Is there somebody out there running a "hosted" setup who could probably give me a hint on what I'm doing wrong? I'm so close to being sure that this is not a software problem but a stupid config thing.
    To provide as much info as possible I'll add all info I think would be interesting.

    Oh, I've been struggling for three days now...

    These versions are currently installed

    # yum list installed cyrus-imapd kolab-cli pykolab wallace kolab-server roundcubemail roundcubemail-plugins-kolab
    Geladene Plugins: fastestmirror, priorities
    Loading mirror speeds from cached hostfile
     * base: repo.de.bigstepcloud.com
     * epel: mirror.de.leaseweb.net
     * extras: centos.mirrors.psw.services
     * updates: mirror.de.leaseweb.net
    104 packages excluded due to repository priority protections>
    Installierte Pakete
    cyrus-imapd.x86_64                                    2.5.10-6.1.el7.kolab_16                    @Kolab_16
    kolab-cli.noarch                                      0.8.7-1.1.el7.kolab_16                     @Kolab_16
    kolab-server.noarch                                   0.8.7-1.1.el7.kolab_16                     @Kolab_16
    pykolab.noarch                                        0.8.7-1.1.el7.kolab_16                     @Kolab_16
    roundcubemail.noarch                                  1.2.3-3.1.el7.kolab_16                     @Kolab_16
    roundcubemail-plugins-kolab.noarch                    3.3-6.1.el7.kolab_16                       @Kolab_16
    wallace.noarch                                        0.8.7-1.1.el7.kolab_16                     @Kolab_16
    

    under this environment

    # lsb_release -d
    Description:    CentOS Linux release 7.3.1611 (Core)
    

    LDAP search for the user created under the second domain

    [root@vhost4 ~]# ldapsearch -x -h localhost -p 389 -D 'uid=kolab-service,ou=Special Users,dc=exampledomain,dc=eu' -w "$(grep ^service_bind_pw /etc/kolab/kolab.conf | cut -d ' ' -f3- | head -1)" -b 'dc=exampledomain,dc=de' '(mail=dampf@exampledomain.de)' mail cn
    # extended LDIF
    #
    # LDAPv3
    # base <dc=exampledomain,dc=de> with scope subtree
    # filter: (mail=dampf@exampledomain.de)
    # requesting: mail cn
    #
    
    # dampf, People, exampledomain.de
    dn: uid=dampf,ou=People,dc=exampledomain,dc=de
    mail: dampf@exampledomain.de
    cn: Hans Dampf
    
    # search result
    search: 2
    result: 0 Success
    
    # numResponses: 2
    # numEntries: 1
    

    LDAP search for the user created under the first domain

    [root@vhost4 ~]# ldapsearch -x -h localhost -p 389 -D 'uid=kolab-service,ou=Special Users,dc=exampledomain,dc=eu' -w "$(grep ^service_bind_pw /etc/kolab/kolab.conf | cut -d ' ' -f3- | head -1)" -b 'dc=exampledomain,dc=eu' '(mail=wasser@exampledomain.eu)' mail cn
    # extended LDIF
    #
    # LDAPv3
    # base <dc=exampledomain,dc=eu> with scope subtree
    # filter: (mail=wasser@exampledomain.eu)
    # requesting: mail cn
    #
    
    # wasser, People, exampledomain.eu
    dn: uid=wasser,ou=People,dc=exampledomain,dc=eu
    mail: wasser@exampledomain.eu
    cn: Werner Wasser
    
    # search result
    search: 2
    result: 0 Success
    
    # numResponses: 2
    # numEntries: 1
    

    LDAP search for the first domain domainrelatedobject result attribute

    [root@vhost4 ~]# ldapsearch -x -h ldap.exampledaomin.eu -p 389 -D 'uid=kolab-service,ou=Special Users,dc=exampledomain,dc=eu' -w "$(grep ^service_bind_pw /etc/kolab/kolab.conf | cut -d ' ' -f3- | head -1)" -b 'cn=kolab,cn=config' '(&(objectclass=domainrelatedobject)(associateddomain=exampledomain.eu))'  inetdomainbasedn
    # extended LDIF
    #
    # LDAPv3
    # base <cn=kolab,cn=config> with scope subtree
    # filter: (&(objectclass=domainrelatedobject)(associateddomain=exampledomain.eu))
    # requesting: inetdomainbasedn
    #
    
    # exampledomain.eu, kolab, config
    dn: associateddomain=exampledomain.eu,cn=kolab,cn=config
    inetdomainbasedn: dc=exampledomain,dc=eu
    
    # search result
    search: 2
    result: 0 Success
    
    # numResponses: 2
    # numEntries: 1
    

    LDAP search for the second domain domainrelatedobject result attribute

    [root@vhost4 ~]# ldapsearch -x -h ldap.exampledaomin.eu -p 389 -D 'uid=kolab-service,ou=Special Users,dc=exampledomain,dc=eu' -w "$(grep ^service_bind_pw /etc/kolab/kolab.conf | cut -d ' ' -f3- | head -1)" -b 'cn=kolab,cn=config' '(&(objectclass=domainrelatedobject)(associateddomain=exampledomain.de))'  inetdomainbasedn
    # extended LDIF
    #
    # LDAPv3
    # base <cn=kolab,cn=config> with scope subtree
    # filter: (&(objectclass=domainrelatedobject)(associateddomain=exampledomain.de))
    # requesting: inetdomainbasedn
    #
    
    # exampledomain.de, kolab, config
    dn: associateddomain=exampledomain.de,cn=kolab,cn=config
    inetdomainbasedn: dc=exampledomain,dc=de
    
    # search result
    search: 2
    result: 0 Success
    
    # numResponses: 2
    # numEntries: 1
    

    LDAP search for the first domain domainrelatedobject aci

    [root@vhost4 ~]# ldapsearch -x -h ldap.exampledaomin.eu -p 389 -D 'uid=kolab-service,ou=Special Users,dc=exampledomain,dc=eu' -w "$(grep ^service_bind_pw /etc/kolab/kolab.conf | cut -d ' ' -f3- | head -1)" -b 'cn=kolab,cn=config' '(&(objectclass=domainrelatedobject)(associateddomain=exampledomain.eu))'  aci
    # extended LDIF
    #
    # LDAPv3
    # base <cn=kolab,cn=config> with scope subtree
    # filter: (&(objectclass=domainrelatedobject)(associateddomain=exampledomain.eu))
    # requesting: aci
    #
    
    # exampledomain.eu, kolab, config
    dn: associateddomain=exampledomain.eu,cn=kolab,cn=config
    aci: (targetattr = "*") (version 3.0;acl "Read Access for exampledomain.eu Users";allow
      (read,compare,search)(userdn = "ldap:///dc=exampledomain,dc=eu??sub?(objectclass=*)")
     ;)
    
    # search result
    search: 2
    result: 0 Success
    
    # numResponses: 2
    # numEntries: 1
    

    LDAP search for the second domain domainrelatedobject aci

    [root@vhost4 ~]# ldapsearch -x -h ldap.exampledaomin.eu -p 389 -D 'uid=kolab-service,ou=Special Users,dc=exampledomain,dc=eu' -w "$(grep ^service_bind_pw /etc/kolab/kolab.conf | cut -d ' ' -f3- | head -1)" -b 'cn=kolab,cn=config' '(&(objectclass=domainrelatedobject)(associateddomain=exampledomain.de))'  aci
    # extended LDIF
    #
    # LDAPv3
    # base <cn=kolab,cn=config> with scope subtree
    # filter: (&(objectclass=domainrelatedobject)(associateddomain=exampledomain.de))
    # requesting: aci
    #
    
    # exampledomain.de, kolab, config
    dn: associateddomain=exampledomain.de,cn=kolab,cn=config
    aci: (targetattr = "*") (version 3.0;acl "Read Access for exampledomain.de Users";allow (read,compare,search)(userdn = "ldap:///dc=exampledomain,dc=de??sub?(objectclass=*)");)
    # search result
    search: 2
    result: 0 Success
    
    # numResponses: 2
    # numEntries: 1
    

    How cyrus-imapd is configured with regard to LDAP

    -bash-4.2$ /usr/lib/cyrus-imapd/cyr_info conf-all | grep -e pts -e ldap
    afspts_localrealms:
    afspts_mycell:
    auth_mech: pts
    ldap_authz:
    ldap_base: dc=exampledomain,dc=eu
    ldap_bind_dn: uid=kolab-service,ou=Special Users,dc=exampledomain,dc=eu
    ldap_deref: never
    ldap_domain_base_dn: "cn=kolab,cn=config"
    ldap_domain_filter: (&(objectclass=domainrelatedobject)(associateddomain=%s))
    ldap_domain_name_attribute: associatedDomain
    ldap_domain_scope: sub
    ldap_domain_result_attribute: inetdomainbasedn
    ldap_filter: (|(&(uid=cyrus-admin)(uid=%U))(&(uid=sieve-admin)(uid=%U))(&(objectclass=kolabinetorgperson)(|(uid=%U)(alias=%u)(mail=%U@%d)(mail=%u)(mail=%U@%r))))
    ldap_group_base: dc=exampledomain,dc=eu
    ldap_group_filter: (&(cn=%u)(objectclass=ldapsubentry)(objectclass=nsroledefinition))
    ldap_group_scope: one
    ldap_id:
    ldap_mech:
    ldap_user_attribute: mail
    ldap_member_attribute: nsrole
    ldap_member_base: ou=People,dc=exampledomain,dc=eu
    ldap_member_filter: (member=%D)
    ldap_member_method: attribute
    ldap_member_scope: sub
    ldap_password: LDAPBINDPW_KOLAB
    ldap_realm:
    ldap_referrals: no
    ldap_restart: yes
    ldap_sasl: no
    ldap_sasl_authc:
    ldap_sasl_authz:
    ldap_sasl_mech:
    ldap_sasl_password:
    ldap_sasl_realm:
    ldap_scope: sub
    ldap_servers: ldap://ldap.exampledaomin.eu:389
    ldap_size_limit: 1
    ldap_start_tls: no
    ldap_time_limit: 10
    ldap_timeout: 10
    ldap_ca_dir:
    ldap_ca_file:
    ldap_client_cert:
    ldap_verify_peer: no
    ldap_ciphers:
    ldap_client_key:
    ldap_tls_cacert_dir:
    ldap_tls_cacert_file:
    ldap_tls_cert:
    ldap_tls_key:
    ldap_tls_check_peer:
    ldap_tls_ciphers:
    ldap_uri:
    ldap_version: 3
    pts_module: ldap
    ptloader_sock: /var/lib/imap/ptclient/ptsock
    ptscache_db: twoskip
    ptscache_db_path:
    ptscache_timeout: 10800
    ptskrb5_convert524: yes
    ptskrb5_strip_default_realm: yes
    sieve_maxscriptsize: 32
    sieve_maxscripts: 5
    

    This is what the ptloader cache knows:

    [root@vhost4 ~]# su -s /bin/bash - cyrus
    Letzte Anmeldung: Dienstag, den 07. März 2017, 14:48:32 CET auf pts/0
    -bash-4.2$ /usr/lib/cyrus-imapd/ptdump
    user: wasser@exampledomain.eu -> wasser@exampledomain.eu
        time: 1488890625
        groups: 0
    user: cyrus-admin -> cyrus-admin
        time: 1488894465
        groups: 0
    

    ptloader is not able to canonify the user because of "LDAP search for domain failed: No such object" after enabling the multidomain config in /etc/imapd.conf -> ldap_domain_base_dn:

    Mar  7 17:45:17 vhost4 ptloader[27353]: starting: ptloader.c,v 2.5.10-55-gb6dbffa b6dbffa0 2016-12-13
    Mar  7 17:45:32 vhost4 imap[27364]: accepted connection
    Mar  7 17:45:32 vhost4 master[27370]: about to exec /usr/lib/cyrus-imapd/imapd
    Mar  7 17:45:32 vhost4 imap[27364]: tls_client_ca_dir=(NULL) tls_client_ca_file=(NULL)
    Mar  7 17:45:32 vhost4 imap[27364]: TLS server engine: No client CA data configured.
    Mar  7 17:45:32 vhost4 imap[27364]: tls_server_cert=/etc/pki/cyrus-imapd/cyrus-imapd.pem tls_server_key=/etc/pki/cyrus-imapd/cyrus-imapd.pem
    Mar  7 17:45:32 vhost4 imap[27364]: inittls: Loading hard-coded DH parameters
    Mar  7 17:45:32 vhost4 imap[27370]: executed
    Mar  7 17:45:32 vhost4 imap[27364]: TLS Server Name Indication (SNI) Extension: "localhost"
    Mar  7 17:45:32 vhost4 imap[27364]: SSL_accept() incomplete -> wait
    Mar  7 17:45:32 vhost4 imap[27364]: SSL_accept() succeeded -> done
    Mar  7 17:45:32 vhost4 imap[27364]: starttls: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits new) no authentication
    Mar  7 17:45:32 vhost4 imap[27364]: client id: "name" "Roundcube/Kolab" "version" "1.2.3"
    Mar  7 17:45:32 vhost4 imap[27364]: ptload(): pinging ptloader
    Mar  7 17:45:32 vhost4 imap[27364]: connected with no delay
    Mar  7 17:45:32 vhost4 imap[27364]: ptload(): connected
    Mar  7 17:45:32 vhost4 imap[27364]: timeout_select: sock = 12, rp = 0x0, wp = 0x7fffcbd02b50, sec = 30
    Mar  7 17:45:32 vhost4 imap[27364]: timeout_select exiting. r = 1; errno = 0
    Mar  7 17:45:32 vhost4 imap[27364]: ptload sent data
    Mar  7 17:45:32 vhost4 imap[27364]: timeout_select: sock = 12, rp = 0x7fffcbd02ad0, wp = 0x0, sec = 30
    Mar  7 17:45:32 vhost4 ptloader[27353]: accepted connection
    Mar  7 17:45:32 vhost4 ptloader[27353]: Attempting to get domain for dampf@exampledomain.de from "cn=kolab,cn=config"
    Mar  7 17:45:32 vhost4 ptloader[27353]: Domain filter: (&(objectclass=domainrelatedobject)(associateddomain=exampledomain.de))
    Mar  7 17:45:32 vhost4 ptloader[27353]: LDAP search for domain failed: No such object
    Mar  7 17:45:32 vhost4 imap[27364]: timeout_select exiting. r = 1; errno = 0
    Mar  7 17:45:32 vhost4 imap[27364]: timeout_select: sock = 12, rp = 0x7fffcbd02ad0, wp = 0x0, sec = 30
    Mar  7 17:45:32 vhost4 imap[27364]: timeout_select exiting. r = 1; errno = 0
    Mar  7 17:45:32 vhost4 imap[27364]: ptload read data back
    Mar  7 17:45:32 vhost4 imap[27364]: ptload(): bad response from ptloader server: identifier not found
    Mar  7 17:45:32 vhost4 imap[27364]: No data available at all from ptload()
    Mar  7 17:45:32 vhost4 imap[27364]: ptload completely failed: unable to canonify identifier: dampf@exampledomain.de
    Mar  7 17:45:32 vhost4 imap[27364]: SASL bad userid authenticated
    Mar  7 17:45:32 vhost4 imap[27364]: badlogin: localhost [::1] PLAIN [SASL(-13): authentication failure: bad userid authenticated]
    

    Working because of the ptloader cache from the earlier config without the multidomain config in /etc/imapd.conf -> ldap_domain_base_dn:

    Mar  7 17:46:44 vhost4 imap[27362]: TLS Server Name Indication (SNI) Extension: "localhost"
    Mar  7 17:46:44 vhost4 imap[27362]: SSL_accept() incomplete -> wait
    Mar  7 17:46:44 vhost4 imap[27362]: SSL_accept() succeeded -> done
    Mar  7 17:46:44 vhost4 imap[27362]: starttls: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits new) no authentication
    Mar  7 17:46:44 vhost4 imap[27362]: client id: "name" "Roundcube/Kolab" "version" "1.2.3"
    Mar  7 17:46:44 vhost4 imap[27362]: ptload(): fetched cache record (wasser@exampledomain.eu)(mark 1488890625, current 1488905204, limit 1488894404)
    Mar  7 17:46:44 vhost4 imap[27362]: ptload(): pinging ptloader
    Mar  7 17:46:44 vhost4 imap[27362]: connected with no delay
    Mar  7 17:46:44 vhost4 imap[27362]: ptload(): connected
    Mar  7 17:46:44 vhost4 imap[27362]: timeout_select: sock = 12, rp = 0x0, wp = 0x7fffe6359700, sec = 30
    Mar  7 17:46:44 vhost4 imap[27362]: timeout_select exiting. r = 1; errno = 0
    Mar  7 17:46:44 vhost4 imap[27362]: ptload sent data
    Mar  7 17:46:44 vhost4 imap[27362]: timeout_select: sock = 12, rp = 0x7fffe6359680, wp = 0x0, sec = 30
    Mar  7 17:46:44 vhost4 ptloader[27353]: accepted connection
    Mar  7 17:46:44 vhost4 ptloader[27353]: Attempting to get domain for wasser@exampledomain.eu from "cn=kolab,cn=config"
    Mar  7 17:46:44 vhost4 ptloader[27353]: Domain filter: (&(objectclass=domainrelatedobject)(associateddomain=exampledomain.eu))
    Mar  7 17:46:44 vhost4 ptloader[27353]: LDAP search for domain failed: No such object
    Mar  7 17:46:44 vhost4 imap[27362]: timeout_select exiting. r = 1; errno = 0
    Mar  7 17:46:44 vhost4 imap[27362]: timeout_select: sock = 12, rp = 0x7fffe6359680, wp = 0x0, sec = 30
    Mar  7 17:46:44 vhost4 imap[27362]: timeout_select exiting. r = 1; errno = 0
    Mar  7 17:46:44 vhost4 imap[27362]: ptload read data back
    Mar  7 17:46:44 vhost4 imap[27362]: ptload(): bad response from ptloader server: identifier not found
    Mar  7 17:46:44 vhost4 imap[27362]: ptload returning data
    Mar  7 17:46:44 vhost4 imap[27362]: ptload failed: but canonified wasser@exampledomain.eu -> wasser@exampledomain.eu
    Mar  7 17:46:44 vhost4 imap[27362]: canonified wasser@exampledomain.eu -> wasser@exampledomain.eu
    Mar  7 17:46:44 vhost4 imap[27362]: login: localhost [::1] wasser@exampledomain.eu PLAIN+TLS User logged in SESSIONID=<vhost4.exampledomain.eu-27362-1488905204-1-14662281227974780316>
    Mar  7 17:46:44 vhost4 imap[27362]: USAGE wasser@exampledomain.eu user: 0.012260 sys: 0.004086
    Mar  7 17:46:44 vhost4 imaps[27359]: accepted connection
    

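To replay by hand the lookups ptloader performs for a login, here is an added diagnostic script (not part of the thread, nor Kolab's or cyrus's own code): it takes the imapd.conf values from the cyr_info output above, expands the domain and user filters the way the ptloader log shows (the placeholder rules for %s, %U, %d, %u and %r are assumed from the filters in that config), flags DN values that start with a quote character, and prints equivalent ldapsearch commands for each step using the same bind DN.

```python
import shlex

# Values copied from the cyr_info output in the post, quotes on the domain base DN included.
IMAPD_CONF = {
    "ldap_servers": "ldap://ldap.exampledaomin.eu:389",
    "ldap_bind_dn": "uid=kolab-service,ou=Special Users,dc=exampledomain,dc=eu",
    "ldap_domain_base_dn": '"cn=kolab,cn=config"',
    "ldap_domain_filter": "(&(objectclass=domainrelatedobject)(associateddomain=%s))",
    "ldap_domain_result_attribute": "inetdomainbasedn",
    "ldap_filter": "(|(&(uid=cyrus-admin)(uid=%U))(&(uid=sieve-admin)(uid=%U))(&(objectclass="
                   "kolabinetorgperson)(|(uid=%U)(alias=%u)(mail=%U@%d)(mail=%u)(mail=%U@%r))))",
    "ldap_user_attribute": "mail",
    "ldap_realm": "",
}

def ldap_escape(value):
    """RFC 4515 escaping, so an identifier taken from a login cannot rewrite the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def expand_filter(template, identifier, realm=""):
    """%U = local part, %d = domain part, %u = whole identifier, %r = ldap_realm (assumed rules)."""
    user, _, domain = identifier.partition("@")
    for key, val in (("%U", user), ("%d", domain), ("%u", identifier), ("%r", realm)):
        template = template.replace(key, ldap_escape(val))
    return template

def config_smells(conf):
    """Warn about DN values that ptloader would hand to the server literally."""
    return ["%s starts with a quote character, which a DN does not; check whether the "
            "quotes are literal in imapd.conf" % key
            for key in ("ldap_bind_dn", "ldap_domain_base_dn")
            if conf.get(key, "")[:1] in ('"', "'")]

def resolution_plan(conf, identifier):
    """The two searches ptloader runs, in order, as (base, filter, attribute) triples."""
    domain = identifier.partition("@")[2]
    domain_filter = conf["ldap_domain_filter"].replace("%s", ldap_escape(domain))
    user_filter = expand_filter(conf["ldap_filter"], identifier, conf["ldap_realm"])
    # Step 2 searches under the inetdomainbasedn value that step 1 returned.
    return [(conf["ldap_domain_base_dn"], domain_filter, conf["ldap_domain_result_attribute"]),
            ("<%s from step 1>" % conf["ldap_domain_result_attribute"], user_filter,
             conf["ldap_user_attribute"])]

def ldapsearch_cmd(conf, base, flt, attr):
    """Equivalent ldapsearch invocation; -W prompts for the bind password instead of argv."""
    args = ["ldapsearch", "-x", "-H", conf["ldap_servers"], "-D", conf["ldap_bind_dn"],
            "-W", "-b", base, flt, attr]
    return " ".join(shlex.quote(a) for a in args)
```

Run `resolution_plan(IMAPD_CONF, "dampf@exampledomain.de")` and paste each resulting `ldapsearch_cmd` into a shell; if step 1 already returns "No such object" with the base DN exactly as cyr_info prints it, the problem is in what ptloader sends, not in the directory ACIs.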

  • Hi, I was wondering if you found a solution to your issue, since I'm having the same...

