I have updated the design page https://www.freeipa.org/page/V4/Authselect_migration#Overview

Here is the pull request for that change: https://github.com/freeipa/freeipa/pull/1603
A non-sssd installation will display an error, stating that this option is not supported any longer,
and offer to run ipa-advise.


On Mon, Feb 26, 2018 at 5:08 PM, Martin Kosek <mkosek@redhat.com> wrote:
On 02/26/2018 01:16 PM, Lukas Slebodnik wrote:
> On (23/02/18 13:08), Martin Kosek via FreeIPA-devel wrote:
>> On 02/21/2018 03:39 PM, Rob Crittenden via FreeIPA-devel wrote:
>>>>> - install client
>>>>>   a) if we replace rpm dependency on authconfig with authselect we can
>>>>> go only this way: new installations done with authselect. if --no-sssd
>>>>> option is provided, then fail.
>>>> --no-sssd option is already deprecated and should not be used, you don't
>>>> have to think about that scenario. You can therefore go the a) way and
>>>> remove the option as a whole so that you can be sure it won't fiddle
>>>> with new installations.
>>> I can't seem to find anywhere that this deprecation was announced or
>>> discussed other than the ticket and commit,
>>> dfc271fdf4514481c11c342fabda135feeb44de6.
>>> Did anyone ask users, or anyone, if they use this option?
>>> In any case it isn't even clear that the option *is* deprecated. It just
>>> doesn't show as an option to ipa-client-install (hiding is not
>>> deprecating).
>>> IMHO to properly deprecate something it should yell loudly whenever
>>> invoked with a dire warning that it will disappear in the future.
>> This mostly seems like review feedback that could have come in
>> https://pagure.io/freeipa/issue/5860
>> but did not. But it does not change anything on the fact that the option
>> is deprecated.
>>> There is also no man page mention of deprecation, in fact the option is
>>> still there.
>>> So even if the deprecation is fine and considered, removing the option
>>> completely has had no visible discussion.
>> Let's discuss it then. From Fedora/RHEL point of view, I do not see big
>> value in spending much time in maintaining, supporting or developing
>> non-SSSD scenarios. Fedora itself does not support these scenarios any
>> more, after the authselect Fedora change. These very corner cases are
>> left for manual administrator configuration.
>> The non-SSSD work and code should be left to FreeIPA platform code, for
>> platforms that do not use or want to use SSSD.
> Which platform do you have in mind?

I did not have any specific platform in mind in this case. I am not
aware of a platform that has freeipa-client and does not have SSSD.

> Because I do not know any platform/distribution which has freeipa-client
> and does not have sssd.

I see, thanks for info.

Reading this, I would be quite fine with removing all the --no-sssd
functionality from the client installer and leaving people who want to
configure FreeIPA with nss-pam-ldapd for manual configuration. We have
some ipa-advise plugins for configuring nss-pam-ldapd "authconfig-free"
code already anyway.