Question about cyrus ACL synchronisation - permission denied

Nicolas Chauvet nchauvet at linagora.com
Wed Nov 25 06:43:05 EST 2009


On Tuesday 24 November 2009 at 16:49 -0600, Dan White wrote:
> On 24/11/09 20:16 +0100, Nicolas Chauvet wrote:
> >I'm trying to use imapsync between two cyrus-imapd servers.
> >At this time, synchronization of user mailbox went fine, with both
> >content and ACL. (using the cyrus account).
> >
> >But when I'm trying to use imapsync to synchronize ACL for shared
> >mailboxes, I obtain this error:
> >
> >acl oneuser: [lrsid]
> >setting acl INBOX oneuser lrsid
> >Could not set acl: 12 NO Permission denied
> >
> >The cyrus account owns rights on the destination mailbox:
> >MAILHOST> lam user/abuse
> >abuse lrswikxtecd
> >cyrus lrswipkxtecda
> >
> >Rights on the source mailbox are different:
> >> lam user.dsi
> >oneuser lrswipcda
> >twouser lrd
> >thiruser lrswipcda
> >cyrus lrswipcda
> >
> >Why aren't the ACLs synchronized using this imapsync command:
> >imapsync --buffersize 8192000 \
> >  --syncinternaldates --syncacls \
> >  --user1 oneuser \
> >  --subscribed \
> >  --include INBOX --exclude Brouillons --exclude ments --exclude user \
> >  --folderrec INBOX.${u} --regextrans2 's/(.*)/INBOX/' \
> >  --host1 liszt.cacc --authuser1 cyrus --authmech1 PLAIN --ssl1
> >--password1 secret1 \
> >  --host2 localhost --authuser2 cyrus --authmech2 PLAIN --password2
> >secret2 --ssl2 \
> >  --user2 oneuser
> 
> I'm not quite following the --folderrec INBOX.${u} --regextrans2
> 's/(.*)/INBOX/' parts.
I'm not sure either, but this is needed to pick the right mailbox on the source server.
> Which mailbox are you applying the ACLs to? user/abuse?, or 'INBOX'?
In this case, I try to set ACL on user/abuse.

> With the way you have specified your authentication and authorization
> identities, imapsync will ultimately assume the identity of 'oneuser' on
> both servers, rather than 'cyrus', which means that you are not going to
> have admin rights (unless oneuser is an admin).
What have I done so that imapsync assumes the identity of oneuser instead of cyrus?
Because actually I cannot necessarily have the password of "oneuser".

> You might consider running imapsync twice to reduce complexity - once where
> you authz as oneuser, for synchronizing messages and seen state properly,
> and a second time where you authz as the cyrus user for synchronizing acls.
How can I sync only the ACLs without also synchronising the mailbox?

Thanks for your answers

Nicolas Chauvet
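
The authentication/authorization split Dan White describes, shown with SASL PLAIN (RFC 4616) as an added example that is not part of the original thread. The function names are hypothetical, the admin check is a simplified model of the Cyrus `admins` option, and the values `oneuser`, `cyrus`, `secret1` and `secret2` are taken from the command quoted above.

```python
import base64

def plain_initial_response(authzid: str, authcid: str, password: str) -> str:
    """RFC 4616 message: [authzid] NUL authcid NUL passwd, base64 for IMAP AUTHENTICATE."""
    for field in (authzid, authcid, password):
        if "\x00" in field:
            raise ValueError("NUL is not allowed inside a PLAIN field")
    if not authcid or not password:
        raise ValueError("authcid and password are mandatory")
    raw = "\x00".join((authzid, authcid, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def decode_plain(b64: str) -> dict:
    """Server-side view: who proved their password, and whose identity the session takes."""
    parts = base64.b64decode(b64, validate=True).split(b"\x00")
    if len(parts) != 3:
        raise ValueError("PLAIN message must have exactly three fields")
    authzid, authcid, _password = (p.decode("utf-8") for p in parts)
    if not authcid:
        raise ValueError("empty authcid")
    return {
        "authenticated_as": authcid,
        # An empty authzid means "act as the identity that authenticated".
        "acting_as": authzid or authcid,
        "proxied": bool(authzid) and authzid != authcid,
    }

def effective_session(user: str, authuser: str, password: str, admins: set) -> dict:
    """Map imapsync's --user / --authuser pair onto PLAIN and report the resulting rights.

    Assumption (simplified model): the session is admin only if the identity
    it acts as is listed in the server's `admins` option.
    """
    session = decode_plain(plain_initial_response(user, authuser, password))
    session["admin"] = session["acting_as"] in admins
    return session

if __name__ == "__main__":
    admins = {"cyrus"}
    # As in the quoted command: --user1 oneuser --authuser1 cyrus
    print(effective_session("oneuser", "cyrus", "secret1", admins))
    # Second pass suggested in the reply: authorize as cyrus itself
    print(effective_session("", "cyrus", "secret2", admins))
```

The first call reports a session acting as `oneuser` without admin rights even though the `cyrus` password was used, which matches the "Permission denied" on SETACL; only the password of `cyrus` is needed in either case.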


