dovecot - Apr 2015 - Disabling of userdb/passdb modules using config statements

On 2015-04-10 12:16, Gedalya wrote:
> On 04/10/2015 05:59 AM, Jeroen Massar wrote:
>>
>> This can be resolved by commenting out the entries in
>> auth-system.conf.ext but then I'll have to do that again at package
>> upgrade time.
> 
> Comment out the !include auth-system.conf.ext line in 10-auth.conf.
Though indeed simpler than commenting out multiple lines, that file also
gets replaced by a package upgrade.

Hence does not solve the 'can just upgrade silently' issue.
>> Hence, would it be a cool option to be able (in the 99-myconfig.conf)
>> file to put:
> Actually you mean local.conf. See the master dovecont.conf file, it's
> included last.
Only when it exists, one can use both.

from dovecot.conf:
8<-------------
# Most of the actual configuration gets included below. The filenames are
# first sorted by their ASCII value and parsed in that order. The
00-prefixes
# in filenames are intended to make it easier to understand the ordering.
!include conf.d/*.conf

# A config file can also tried to be included without giving an error if
# it's not found:
!include_try local.conf
--------------------------->8

Both conf.d/99-myconfig.conf and local.conf can work for this.

I prefer 99- as that is what other daemons also use.
>>
>> passdb {
>>      driver = pam
>>      enabled = false
>> }
>> userdb {
>>      driver = passwd
>>      enabled = false
>> }
>>
>> And thereby disabling those modules completely? Thus avoiding upgrade
>> conflicts etc.
> That's an interesting idea actually. My first thought is that it could
> be helpful to use *named* passdb / userdb sections to facilitate this.
That would require a default system, which now works out of the box with
pam/etc to be properly named and then renamed...

Greets,
 Jeroen

On Sex, 10 Abr 2015, Jeroen Massar wrote:
> Though indeed simpler than commenting out multiple lines, that file also
> gets replaced by a package upgrade.
>
> Hence does not solve the 'can just upgrade silently' issue.
If the file is unchanged then, yes, it gets replaced on upgrades. If  
it has local changes, however, you'll get a prompt asking what you  
want to do (keep your changes or use the package version). So while it  
fails you "upgrade silently" requirement, you'll not automatically
loose the changes you've made.
-- 
Eduardo M KALINOWSKI
eduardo at kalinowski.com.br

On 2015-04-10 14:23, Eduardo M KALINOWSKI wrote:
> On Sex, 10 Abr 2015, Jeroen Massar wrote:
>> Though indeed simpler than commenting out multiple lines, that file
also
>> gets replaced by a package upgrade.
>>
>> Hence does not solve the 'can just upgrade silently' issue.
> 
> If the file is unchanged then, yes, it gets replaced on upgrades. If it
> has local changes, however, you'll get a prompt asking what you want to
> do (keep your changes or use the package version). So while it fails you
> "upgrade silently" requirement, you'll not automatically
loose the
> changes you've made.
That is correct, though as I don't want to ever be asked about such
things, I am looking for a nicer solution and suggested the 'enabled
false' option for these kind of situations.

One does not want to manually approve such changes on every box one
runs, can be quite a few of them ;)

Greets,
 Jeroen

On 04/10/2015 08:23 AM, Eduardo M KALINOWSKI wrote:
> On Sex, 10 Abr 2015, Jeroen Massar wrote:
>> Though indeed simpler than commenting out multiple lines, that file
also
>> gets replaced by a package upgrade.
>>
>> Hence does not solve the 'can just upgrade silently' issue.
>
> If the file is unchanged then, yes, it gets replaced on upgrades. If 
> it has local changes, however, you'll get a prompt asking what you 
> want to do (keep your changes or use the package version). So while it 
> fails you "upgrade silently" requirement, you'll not
automatically
> loose the changes you've made.
Actually, a config file in Debian is replaced if it has _not_ been 
changed locally, and it _has_ been changed upstream. If it has been 
changed on both sides, you get prompted. If the new package is just a 
security update, which in most cases means changes to the binaries and 
not to the default config, then it will just install without prompts, 
and not touch your config files. If it's an entirely new version, then 
the desire to just upgrade silently is sort of inappropriate anyway - 
you will need some preparation.