On 02/14/2018 09:15 AM, Alexander Koksharov via FreeIPA-devel wrote:
Please take a look at a design page here:
I would like to
hear your critiques and suggestions.

Thank you for the document, it is a good thing to discuss features based
on written material :)

The design only mentions ipa-client-install, but we also rely on
authconfig in various ipa-advise scripts (ipa-advise command creates a
script that can be run by the sysadmin, for instance to configure smart
card authentication with ipa-advise config-client-for-smart-card-auth,
and the script calls authconfig).

freeipa.spec.in defines a dependency on authconfig, will it be turned
into a weak dependency? Will we add a dependency on authselect instead?

Backup and restore refer to the directory /var/lib/authconfig/last/ and
the file /etc/sysconfig/authconfig, does it need to be adapted for
authselect or does the tool use the same dir and files?

Any potential issues with upgrade? If the client was installed with
authconfig but the sysadmin later installs authselect, would
backup/restore be disturbed? (I really have no idea but your design
should show that you asked yourself the question and evaluated the risks).

I would also suggest adding a pointer to authselect document
as this page explains
the rationale for migrating to authselect and the main differences. When
I read your design I didn't really understand that authselect would
provide only a limited set of profiles, hence ruling out the combination
authselect / --no-sssd. As this can be a hot topic (see the mail
thread...) I believe it's important to express this issue in the design doc.