On 02/16/2018 07:34 PM, Florence Blanc-Renaud via FreeIPA-devel wrote:
On 02/14/2018 09:15 AM, Alexander Koksharov via FreeIPA-devel wrote:
> Please take a look at a design page here:
> I would like to
> hear your criticism and suggestions.
> Thank you
> FreeIPA-devel mailing list -- freeipa-devel(a)lists.fedorahosted.org
> To unsubscribe send an email to
Thank you for the document, it is a good thing to discuss features based
on written material :)
The design only mentions ipa-client-install, but we also rely on
authconfig in various ipa-advise scripts (ipa-advise command creates a
script that can be run by the sysadmin, for instance to configure smart
card authentication with ipa-advise config-client-for-smart-card-auth,
and the script calls authconfig).
freeipa.spec.in defines a dependency on authconfig, will it be turned
into a weak dependency? Will we add a dependency on authselect instead?
Backup and restore refer to the directory /var/lib/authconfig/last/ and
the file /etc/sysconfig/authconfig, does it need to be adapted for
authselect or does the tool use the same dir and files?

Authselect does not perform backup and restore. If the system is configured
with authselect you will always get the exact configuration because it
writes the whole file, it does not insert lines like authconfig. And if
it is not configured with authselect, you have to provide the --force
parameter to the cli tool.

Any potential issues with upgrade? If the client was installed with
authconfig but the sysadmin later installs authselect, would
backup/restore be disturbed? (I really have no idea but your design
should show that you asked yourself the question and evaluated the risks).
I would also suggest adding a pointer to authselect document
as this page explains
the rationale for migrating to authselect and the main differences. When
I read your design I didn't really understand that authselect would
provide only a limited set of profiles, hence ruling out the combination
authselect / --no-sssd. As this can be a hot topic (see the mail
thread...) I believe it's important to express this issue in the design