negative auth cache?
Will Yardley
2014-09-19 00:09:38 UTC
I am using Dovecot 2.2.13, which doesn't yet seem to have the
$auth_cache_negative parameter. Should the negative cache value honor
$auth_cache_ttl then?

I had a problem where some of our ldap systems were reinitialized. Some
users, presumably those who tried to login while their records were
returning a failure, became unable to login after the records were once
again returning normally.

I currently have:
auth_cache_size = 5 M
auth_cache_ttl = 5 mins
# Not yet implemented
#auth_cache_negative = 2 mins

yet the problem seemed to persist for more than an hour.

Also, how can I flush the cache for a non-default instance's cache using
doveadm -- "doveadm auth cache flush" doesn't seem to have an '-a'
option AFAICT.

# doveadm auth
usage: doveadm [-Dv] [-f <formatter>] auth <command> [<args>]
cache flush

w
Reindl Harald
2014-09-19 00:34:34 UTC
Post by Will Yardley
I am using Dovecot 2.2.13, which doesn't yet seem to have the
$auth_cache_negative parameter. Should the negative cache value honor
$auth_cache_ttl then?
I had a problem where some of our ldap systems were reinitialized. Some
users, presumably those who tried to login while their records were
returning a failure, became unable to login after the records were once
again returning normally.
auth_cache_size = 5 M
auth_cache_ttl = 5 mins
# Not yet implemented
#auth_cache_negative = 2 mins
yet the problem seemed to persist for more than an hour.
Also, how can I flush the cache for a non-default instance's cache using
doveadm -- "doveadm auth cache flush" doesn't seem to have an '-a'
option AFAICT.
# doveadm auth
usage: doveadm [-Dv] [-f <formatter>] auth <command> [<args>]
cache flush
just hard restart dovecot

the auth cache is not persistent

Will Yardley
2014-09-19 02:54:57 UTC
Post by Reindl Harald
Post by Will Yardley
Also, how can I flush the cache for a non-default instance's cache using
doveadm -- "doveadm auth cache flush" doesn't seem to have an '-a'
option AFAICT.
# doveadm auth
usage: doveadm [-Dv] [-f <formatter>] auth <command> [<args>]
cache flush
just hard restart dovecot
the auth cache is not persistent
Yes, that's how I've solved the problem so far.


But since the problem doesn't affect all users, I'd obviously prefer not
to do a hard restart of Dovecot just to fix it if there's a command that
will clear the auth cache only.

w
Joseph Tam
2014-09-19 01:20:13 UTC
Post by Will Yardley
yet the problem seemed to persist for more than an hour.
Also, how can I flush the cache for a non-default instance's cache using
doveadm -- "doveadm auth cache flush" doesn't seem to have an '-a'
option AFAICT.
If you only want to dump a few auth cache entries, you can just
authenticate with a bad password. When a different (and possibly correct
password) is supplied, there will be a cache miss and the new credentials
will be cached.

# Sends one IMAP LOGIN with a deliberately wrong password, then LOGOUT.
# printf rather than echo so the CRLF line endings IMAP expects are sent as
# written; --ssl is Ncat's (nmap) flag, and Ncat takes host and port separately.
printf '1 login someuser badpassword\r\n2 logout\r\n' | ncat --ssl your-imap-server 993

Joseph Tam <jtam.home at gmail.com>
Steffen Kaiser
2014-09-19 06:21:51 UTC
Post by Will Yardley
Also, how can I flush the cache for a non-default instance's cache using
doveadm -- "doveadm auth cache flush" doesn't seem to have an '-a'
option AFAICT.
# doveadm auth
usage: doveadm [-Dv] [-f <formatter>] auth <command> [<args>]
cache flush
mhm: -a has no relationship to (Dovecot) "instance".

doveadm auth cache flush

flushes all the auth cache, no selection of an user possible, no need for
-a.

doveadm -i instance_name auth cache flush

should flush all the auth cache of the specified instance. Note the "-i"
precedes the command.

--
Steffen Kaiser
Will Yardley
2014-09-19 06:41:14 UTC
Post by Steffen Kaiser
Post by Will Yardley
Also, how can I flush the cache for a non-default instance's cache using
doveadm -- "doveadm auth cache flush" doesn't seem to have an '-a'
option AFAICT.
mhm: -a has no relationship to (Dovecot) "instance".
doveadm auth cache flush
flushes all the auth cache, no selection of an user possible, no need for
-a.
doveadm -i instance_name auth cache flush
should flush all the auth cache of the specified instance. Note the "-i"
precedes the command.
That doesn't give an error, but strace shows this:

[...]
connect(8, {sa_family=AF_FILE, path="/var/run/dovecot-director/auth-master"}, 110) = 0

(is it connecting to the wrong instance's auth socket? the path to the
'main' instance's auth socket is /var/run/dovecot-main/auth-master)

and then I see
# doveadm -i main auth cache flush
0 cache entries flushed

(strace shows this, which is the same thing I see from the director
instance).
write(1, "0 cache entries flushed\n", 240 cache entries flushed
) = 24

The 'main' instance should definitely have plenty of auth cache entries;
these are fairly busy systems, and the cache TTL is 5 minutes.

Also, while I'd seen the use of the '-i' flag, I didn't realize it was
supported in this version, as '-i' doesn't seem to be listed in
doveadm(1) or in the usage for doveadm.

w
Will Yardley
2014-09-19 06:51:55 UTC
Post by Will Yardley
(is it connecting to the wrong instance's auth socket? the path to the
'main' instance's auth socket is /var/run/dovecot-main/auth-master)
and then I see
# doveadm -i main auth cache flush
0 cache entries flushed
Seems that the problem was that I had a symlink (for convenience) of
/var/run/dovecot to /var/run/dovecot-director (so that I don't have to
specify the instance name for common operations, which mostly involve
the director).

If I remove that symlink, and run the command with '-i main'

# doveadm -i main auth cache flush
904 cache entries flushed


The relevant code is something like:
if (auth_socket_path == NULL) {
        /* socket derived from the selected instance's base_dir */
        auth_socket_path = t_strconcat(doveadm_settings->base_dir,
                                       "/auth-master", NULL);
}

I'm guessing that auth_socket_path isn't null for some reason, and thus
the auth_socket_path isn't constructed correctly in this case, even
though the instance is being specified?

# doveadm instance list
path name last used running
/var/run/dovecot-director director 2014-09-18 20:01:12 yes
/var/run/dovecot-main main 2014-09-18 20:01:12 yes

# doveconf -i main base_dir
base_dir = /var/run/dovecot-main

w
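A small check for the situation described in this thread, added here as an example and not code from the thread or from Dovecot: it parses `doveadm instance list` output (the constructed sample below reproduces the table quoted above), derives each instance's auth-master socket the way the t_strconcat() snippet does, and reports when /var/run/dovecot is a symlink into one instance's base_dir, in which case unqualified doveadm commands silently hit that instance. The symlink target is passed into instance_behind_default_dir() so the logic can be tested without touching the filesystem; the function names are my own.

```python
import os

# Constructed sample input: the "doveadm instance list" output quoted in the
# thread, embedded here so the check runs offline.
SAMPLE_INSTANCE_LIST = """\
path name last used running
/var/run/dovecot-director director 2014-09-18 20:01:12 yes
/var/run/dovecot-main main 2014-09-18 20:01:12 yes
"""

def parse_instance_list(text):
    """Map instance name -> base_dir from `doveadm instance list` output."""
    instances = {}
    for line in text.splitlines()[1:]:          # first row is the header
        parts = line.split()
        if len(parts) >= 2 and parts[0].startswith("/"):
            instances[parts[1]] = parts[0]
    return instances

def auth_master_socket(base_dir):
    """Socket path doveadm builds from base_dir, mirroring the t_strconcat() call."""
    return base_dir.rstrip("/") + "/auth-master"

def instance_behind_default_dir(instances, link_target, default_dir="/var/run/dovecot"):
    """Return the instance whose base_dir default_dir symlinks to, or None when
    default_dir is a real directory (link_target is None).  link_target is the
    raw readlink() value (absolute or relative to default_dir's parent)."""
    if link_target is None:
        return None
    resolved = os.path.normpath(os.path.join(os.path.dirname(default_dir), link_target))
    for name, base in instances.items():
        if os.path.normpath(base) == resolved:
            return name
    return None

def report(instances, default_dir="/var/run/dovecot"):
    """Live check: read the symlink (if any) and say which instance unqualified
    doveadm commands will actually hit, plus each instance's auth-master socket."""
    link = os.readlink(default_dir) if os.path.islink(default_dir) else None
    shadow = instance_behind_default_dir(instances, link, default_dir)
    lines = []
    if shadow:
        lines.append(f"{default_dir} -> {link}: unqualified doveadm targets '{shadow}'")
    for name, base in sorted(instances.items()):
        lines.append(f"{name:10} {auth_master_socket(base)}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(parse_instance_list(SAMPLE_INSTANCE_LIST))))
```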
