What is correct way to sync ACLs across two servers?

Example: I want user1 to have access to user2's mailbox. I do this on server1:
doveadm acl set shared/user2 user=user1 admin create delete expunge insert lookup read write write-deleted write-see

Now user1 can see shared/user2 when logged in to server1. (Looks good!) He still 
has no access when logged in to server2. (Seems correct.)
So I do synchronization:
doveadm sync -u user2  remote:server2

...and nothing changes. He still has access only when logged in to server1.
So I force full synchronization:
doveadm sync -f -u user2 remote:server2

...and success! User1 has access to shared/user2 on both servers now.

But now I want to remove access. So I do this on server1:
doveadm acl delete shared/user2 user=user1

Of course the above affects only server1, so user1 still has access when 
logged in to server2.
So now I do synchronization:
doveadm sync -u user2  remote:server2

Nothing happens. :-(
So I try to do a full sync:
doveadm sync -u user2  -f remote:server2

...disaster! The ACL is COPIED BACK from server2 to server1, effectively 
restoring access to shared/user2 on both servers again. (WTH?)

So the big question is: How to do it properly?
It would be enough for me if ACLs were copied only one way (server1->server2), 
but bidirectional replication would of course also be nice. :-)

Configs:
namespace {
  disabled = no
  hidden = no
  ignore_on_failure = no
  inbox = no
  list = children
  location = maildir:%%h/.maildir:LAYOUT=fs:INDEX=~/.shared/%%u
  order = 0
  prefix = shared/%%u/
  separator = /
  subscriptions = no
  type = shared
}
plugin {
  acl = vfile:/etc/dovecot/mailconfig/global-acls
  acl_defaults_from_inbox = yes
  acl_shared_dict = file:/etc/dovecot/mailconfig/shared/shared-mailboxes
}
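An added check, not from the original post and not part of Dovecot's own tooling: a small POSIX shell script that compares the ACL listing of one mailbox as captured on two servers and reports entries that exist on only one side or carry different rights. It assumes each listing is the saved output of `doveadm acl get -u user2 shared/user2` from that server, one "identifier rights" pair per line with an optional header line starting with "ID"; the two sample listings embedded below are constructed to mirror the state described in the post (entry deleted on server1, still present on server2).

```shell
#!/bin/sh
# Added example, not from the original post or from Dovecot itself: detect
# ACL drift for one mailbox by comparing listings captured on two servers.
# Assumption: each listing is the saved output of
#   doveadm acl get -u user2 shared/user2
# run on that server, one "identifier rights" pair per line, possibly with
# a header line starting with "ID". The sample listings below are CONSTRUCTED.

# Normalize a listing: drop the header and blank lines, keep "identifier rights",
# and sort bytewise so that join(1) sees both files in the same order.
acl_normalize() {
    grep -v -e '^ID' -e '^[[:space:]]*$' "$1" \
        | awk '{ printf "%s %s\n", $1, $2 }' \
        | LC_ALL=C sort -k1,1
}

# Report identifiers that are missing on one side or carry different rights.
# Output: "only-on:server1 <id>", "only-on:server2 <id>" or "differs <id>".
acl_diff() {
    a=$(mktemp) || return 1
    b=$(mktemp) || return 1
    acl_normalize "$1" > "$a"
    acl_normalize "$2" > "$b"
    LC_ALL=C join -a1 -a2 -e MISSING -o 0,1.2,2.2 "$a" "$b" | awk '
        $2 == "MISSING" { print "only-on:server2 " $1; next }
        $3 == "MISSING" { print "only-on:server1 " $1; next }
        $2 != $3        { print "differs " $1 }'
    rm -f "$a" "$b"
}

# Write constructed sample listings and print the directory holding them.
# server1 is the state after "doveadm acl delete shared/user2 user=user1";
# server2 still carries the old entry, as in the post.
make_samples() {
    d=$(mktemp -d) || return 1
    printf 'ID          Global Rights\nowner       lrwstipekxa\n' > "$d/server1.acl"
    printf 'ID          Global Rights\nowner       lrwstipekxa\nuser=user1  lrwstipekxa\n' > "$d/server2.acl"
    echo "$d"
}

samples=$(make_samples)
acl_diff "$samples/server1.acl" "$samples/server2.acl"
# prints: only-on:server2 user=user1
```

Run `doveadm acl get` for the mailbox on each server, save both outputs, and compare them before and after a `doveadm sync`; a reverse copy like the one in the post then shows up as an "only-on" or "differs" line instead of being discovered when the user logs in.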
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org