Follow-up on the chat, this was a complex issue …
- We identified that the issues lied in
slapdand the fact that a backport version of it was installed. You can identify this running ‘dpkg --list | grep slapd’ which showed a version with “deb10~bpo9” (instead of deb9) - This in turns trigger this issue about member overlay being broken with the new slapd version (or maybe that’s just yunohost doing something bad, we don’t know yet)
- Can be confirmed by running
'grep -nr "MemberOfMemberAD:" /etc/ldap'(which should return three lines about inheritPermission, groupPermission and member, but doesn’t when the bug happens). Hence the group permission system is broken - not just “doveadm” - Tried to identify where the initial backport issue was coming from by running
'for FILE in $(ls /var/log/apt/history*); do zgrep -C3 "deb10\|~bpo9" $FILE; done', and looking for lines related to ldap/slapd. Unfortunatenly the logs were not going far enough in the past (the system deletes logs older than 1 year apparently?) to identify the moment these backports were installed… - Anyway, we finally downgraded the slapd packages to the non-backport version with:
# This version numbers comes from `apt policy slapd`. Might be different on another system / arch
VERSION=2.4.44+dfsg-5+deb9u3
apt install slapd=$VERSION libldap-2.4-2=$VERSION ldap-utils=$VERSION libldap2-dev=$VERSION
# apt will display a warning ... gotta check that nothing fucky is going to be done...
- Had to extra-force the regen-conf of slapd
echo " " >> /etc/slapd/slapd.conf
yunohost tools regen-conf slapd --force
- Then force-refresh the group permissions which can be achieved like this:
yunohost user permission update mail.main --remove all_users
yunohost user permission update mail.main --add all_users
