Question about cyrus ACL synchronisation - permission denied

Dan White dwhite at olp.net
Wed Nov 25 11:20:52 EST 2009


On 25/11/09 12:43 +0100, Nicolas Chauvet wrote:
>>> acl oneuser: [lrsid]
>>> setting acl INBOX oneuser lrsid
>>> Could not set acl: 12 NO Permission denied
>> 
>> I'm not quite following the --folderrec INBOX.${u} --regextrans2
>> 's/(.*)/INBOX/' parts.
> I'm not sure either, but this is needed to pick the right mailbox on the source server.
>> Which mailbox are you applying the ACLs to? user/abuse?, or 'INBOX'?
> In this case, I try to set ACL on user/abuse.

From what the above error indicates, it appears to be applying ACLs to
'INBOX' rather than user/abuse, which would agree with how I'm interpreting
the 'regextrans2' option in your command. It appears to be replacing all
mailboxes with 'INBOX' on the destination server.

Also, note that if your intent is to connect as an admin user,
'INBOX' has no useful semantics for user mailboxes, on either the origin
server or the destination. INBOX only applies when connecting as a
user, viewing his personal mailboxes.

For more information, see:
http://cyrusimap.web.cmu.edu/imapd/overview.html#mboxname
RFC 2342

>> With the way you have specified your authentication and authorization
>> identities, imapsync will ultimately assume the identity of 'oneuser' on
>> both servers, rather than 'cyrus', which means that you are not going to
>> have admin rights (unless oneuser is an admin).
>What have I done so that imapsync assumes the identity of oneuser instead of cyrus?
>Because actually I cannot necessarily have the password of "oneuser".

Yes. Typically you take this approach when you don't have the user's
password (or care to use it), but you wish to connect as the user, which
makes sense if you're trying to copy over that user's seen state and
subscriptions. But you should not expect to have any admin rights.

See:
man (5) imapd.conf   (option: proxyservers)
RFC 3501 page 28
RFC 2222 page 14

However, it doesn't make a lot of sense to me if you're copying over ACLs.
It would make more sense to do that as an administrative user *once*,
after/before you've run the sync script for all your users.

>How can I only sync ACL without also synchronising mailbox ?

Perhaps with:

--folderrec user
--syncacls
--justfolders
--user1 cyrus
--password1 secret1
--user2 cyrus
--password2 secret2

and since your source server appears to use hierarchy separator '.', and
the new server '/', you may or may not need:

--regextrans2 's/\./\//'

-- 
Dan White
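The two points in the reply above, illustrated with an added example that is not part of the thread and is not code from imapsync or Cyrus. Python is used because the interesting parts are the name rewrite and the SASL exchange, not the tool itself. Part one reproduces what the two --regextrans2 expressions do to Cyrus mailbox names, including the detail that Perl's s/// without the g flag rewrites only the first match, so 's/\./\//' converts only the first '.' of a nested folder. Part two builds the SASL PLAIN message that an "authenticate as cyrus, authorize as oneuser" login sends (RFC 4616 layout) and models why the resulting session has oneuser's rights rather than the admin's. The proxy rule in effective_identity(), the mailbox names and the password are constructed for the example; the rule is a simplification of the behaviour the reply describes, not Cyrus source code.

```python
"""Added example for the imapsync/Cyrus ACL thread: mailbox-name rewriting
with Perl-style s/// expressions, and the SASL PLAIN proxy login that makes
imapsync act as the user rather than the admin.  Not imapsync or Cyrus code;
effective_identity() is a simplified model, not the server's real logic.
"""
import base64
import re


def perl_subst(expr: str, name: str) -> str:
    """Apply a Perl-style s/PATTERN/REPLACEMENT/FLAGS expression to name.

    Only the subset imapsync users normally write is handled: '/' as the
    delimiter, '\\/' for a literal slash, $N back-references and the 'g'
    flag.  Without 'g', Perl (and therefore imapsync) replaces only the
    FIRST match, which is the trap with --regextrans2 's/\\./\\//'.
    """
    m = re.fullmatch(r"s/((?:\\.|[^/])*)/((?:\\.|[^/])*)/([a-z]*)", expr)
    if not m:
        raise ValueError(f"unsupported expression: {expr!r}")
    pattern, repl, flags = m.groups()
    pattern = pattern.replace("\\/", "/")      # '\/' in the pattern is a plain '/'
    repl = repl.replace("\\/", "/")            # same on the replacement side
    repl = re.sub(r"\$(\d+)", r"\\\1", repl)   # Perl $1 -> Python \1
    count = 0 if "g" in flags else 1           # no 'g': first match only
    return re.sub(pattern, repl, name, count=count)


def sasl_plain_initial_response(authzid: str, authcid: str, password: str) -> str:
    """Base64 client message for AUTHENTICATE PLAIN (RFC 4616):
    [authzid] NUL authcid NUL password.

    imapsync --authuser1 cyrus --user1 oneuser --password1 <cyrus password>
    sends authcid='cyrus' with authzid='oneuser': the server checks the cyrus
    password, then makes oneuser the identity the session acts as.
    """
    for field in (authzid, authcid, password):
        if "\0" in field:
            raise ValueError("NUL is not allowed inside a PLAIN field")
    message = "\0".join((authzid, authcid, password)).encode("utf-8")
    return base64.b64encode(message).decode("ascii")


def decode_sasl_plain(response_b64: str) -> tuple[str, str, str]:
    """Server-side view of the message: (authzid, authcid, password)."""
    parts = base64.b64decode(response_b64).decode("utf-8").split("\0")
    if len(parts) != 3:
        raise ValueError("PLAIN message must contain exactly two NULs")
    return parts[0], parts[1], parts[2]


def effective_identity(authzid: str, authcid: str,
                       admins: set[str], proxyservers: set[str]) -> tuple[str, bool]:
    """Simplified model (assumption, not Cyrus code) of who a session acts as.

    Returns (effective user, is_admin).  No authzid: the session is the
    authenticated user.  A different authzid is honoured only for users in
    'admins' or 'proxyservers' (imapd.conf), and the session then carries the
    rights of the *authorized* user, so it is admin only if that user is
    itself listed in 'admins'.  This matches the reply: you end up as
    'oneuser' and have no admin rights unless oneuser is an admin.
    """
    if authzid in ("", authcid):
        return authcid, authcid in admins
    if authcid in admins or authcid in proxyservers:
        return authzid, authzid in admins
    raise PermissionError(f"{authcid} may not act as {authzid}")


if __name__ == "__main__":
    # Constructed mailbox names in the thread's two styles ('.' and '/').
    for expr, name in [("s/(.*)/INBOX/", "user.abuse"),
                       ("s/\\./\\//", "user.abuse.spam"),
                       ("s/\\./\\//g", "user.abuse.spam")]:
        print(f"{expr:<14} {name:<18} -> {perl_subst(expr, name)}")
    # Constructed credentials; 'secret1' stands in for the cyrus password.
    resp = sasl_plain_initial_response("oneuser", "cyrus", "secret1")
    print("AUTHENTICATE PLAIN", resp, "->", decode_sasl_plain(resp))
    print(effective_identity("oneuser", "cyrus", {"cyrus"}, set()))
```

Running it shows 's/(.*)/INBOX/' turning every name into INBOX, 's/\./\//' rewriting only the first separator of user.abuse.spam, and the proxied login resolving to ('oneuser', False): authenticated with the cyrus password, but acting with oneuser's rights.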