Disabling of userdb/passdb modules using config statements

Steffen Kaiser skdovecot at smail.inf.fh-brs.de
Mon Apr 13 13:25:32 UTC 2015



On Fri, 10 Apr 2015, Jeroen Massar wrote:

> Debian (and possibly other distros) use the /etc/dovecot/conf.d/* setup
> where default config files are stuffed and then one can just add a
> 99-myconfig.conf et voila, variables are overruled.

> This allows the distro to supply updates to the files at package upgrade
> time without any/much user intervention.
>
> The problem (for me ;) is that the system comes provided with:
>
> auth-system.conf.ext containing:
>
> passdb {
>    driver = pam
> }
> userdb {
>    driver = passwd
> }
>
> Hence pam & /etc/passwd based are always enabled.
> This while I don't have any local users.

Isn't that a packaging problem then? Debian should use DEBCONF to ask you
during installation which db to enable by default. You should file a bug
with Debian to let the admin choose which (if at all) db to enable by
default. There are no config files installed by Dovecot if compiled from
source.

>
> Replication seems to then always pick up the local users, which are
> vmail + nobody (65536).
>
> doveadm user '*' thus reports vmail, nobody + virtual users
>
> Setting:
> first_valid_uid = 5000
> last_valid_uid = 5000
>
> only keeps vmail in there, but apparently some module (guess
> replication) is still able to figure out that 'nobody' exists:
>
> Apr 10 09:48:25 mail dovecot: doveadm(IPADDR,nobody): Error: Mail access
> for users with UID 65534 not permitted (see first_valid_uid in config
> file, uid from userdb lookup).
> Apr 10 09:48:25 mail dovecot: doveadm(IPADDR,nobody): Error:
> dsync-server: User init failed
> Apr 10 09:49:38 mail dovecot: doveadm(nobody): Error: sync: Failed to
> start remote dsync-server command: Remote exit_code=75
>
> and on the other side:
> Apr 10 09:54:38 mail dovecot: doveadm(nobody): Error: sync: Unknown user
> in remote
>
> This can be resolved by commenting out the entries in
> auth-system.conf.ext but then I'll have to do that again at package
> upgrade time.
>
> Hence, would it be a cool option to be able (in the 99-myconfig.conf)
> file to put:
>
> passdb {
>    driver = pam
>    enabled = false
> }
> userdb {
>    driver = passwd
>    enabled = false
> }
>
> And thereby disabling those modules completely? Thus avoiding upgrade
> conflicts etc.
>
> Greets,
> Jeroen
>

-- 
Steffen Kaiser
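
The check below is an added example and is not part of either message in this thread: it reports whether the system-account `passdb`/`userdb` blocks quoted above are active in a piece of Dovecot configuration text, so a package upgrade that restores them is noticed. It assumes the input is plain config text (a conf.d file or `doveconf -n` output); the function names and the `sql` block in the samples are hypothetical.

```python
import re

# Drivers backed by local system accounts (the two blocks quoted from auth-system.conf.ext).
SYSTEM_DRIVERS = {"passdb": {"pam"}, "userdb": {"passwd"}}
BLOCK_OPEN = re.compile(r"^(\w+)(?:\s+[^{]*)?\{$")
DRIVER = re.compile(r"^driver\s*=\s*(\S+)$")

def auth_blocks(config_text):
    """Return [(section, driver)] for each active top-level passdb/userdb block."""
    found, stack, driver = [], [], None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # commented-out lines become empty
        if not line:
            continue
        opened = BLOCK_OPEN.match(line)
        if opened:
            stack.append(opened.group(1))
            driver = None if len(stack) == 1 else driver
        elif line == "}" and stack:
            section = stack.pop()
            if not stack and section in SYSTEM_DRIVERS:
                found.append((section, driver))
        elif len(stack) == 1 and stack[0] in SYSTEM_DRIVERS and DRIVER.match(line):
            driver = DRIVER.match(line).group(1)
    return found

def system_auth_enabled(config_text):
    """Blocks that make local accounts such as 'nobody' visible to Dovecot."""
    return [(s, d) for s, d in auth_blocks(config_text) if d in SYSTEM_DRIVERS[s]]

# Constructed sample: the packaged blocks from the post plus a hypothetical SQL passdb.
PACKAGED = """\
passdb {
  driver = pam
}
userdb {
  driver = passwd
}
passdb {
  driver = sql
}
"""
# Constructed sample: the same text after the manual workaround (entries commented out).
WORKAROUND = "#passdb {\n#  driver = pam\n#}\n#userdb {\n#  driver = passwd\n#}\npassdb {\n  driver = sql\n}\n"

if __name__ == "__main__":
    for name, text in (("packaged", PACKAGED), ("workaround", WORKAROUND)):
        print(name, system_auth_enabled(text))
```
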