On Thu, Feb 15, 2018 at 11:10:16AM -0500, Rob Crittenden via FreeIPA-devel wrote:
Petr Vobornik via FreeIPA-devel wrote:
> On Thu, Feb 15, 2018 at 4:47 PM, Jakub Hrozek via FreeIPA-devel
> <freeipa-devel(a)lists.fedorahosted.org> wrote:
>> On Thu, Feb 15, 2018 at 08:57:55AM -0500, Rob Crittenden via FreeIPA-devel
wrote:
>>> Alexander Koksharov via FreeIPA-devel wrote:
>>>> Hello,
>>>>
>>>> Please take a look on a design page here:
>>>>
https://www.freeipa.org/page/V4/Authselect_migration
>>>> I would like to
>>>>
>>>> hear you critics and suggessions.
>>>
>>>
>>> On a non-technical note there are a number of spelling and grammatical
>>> errors.
>>>
>>> You assert that non-SSSD is deprecated. Is that true? And is that
>>> because authselect is choosing not to support it?
>>
>> Yes.
>>
>>> I'm ok with it and it
>>> simplifies options a lot but I don't recall a conversation about that
>>> before now. This is particularly important for in-place upgrades.
>>
>> What kind of a setup has non-SSSD clients? SSSD has been the default
>> since RHEL-6 and I even thought the IPA installer dropped support for
>> non-SSSD clients, but I haven't really checked.
>
> --no-sssd option in ipa-client-install was marked as deprecated in
>
https://github.com/freeipa/freeipa/pull/848 (summer 2017). As part of
>
https://pagure.io/freeipa/issue/5860 - spin of
>
https://pagure.io/freeipa/issue/5557. Origin was that IPA client
> doesn't bring dependencies for --no-sssd.
>
> I.e. the deprecation is quite new.
>
> Installation without SSSD is AFAIK not tested upstream.
>
Bleh. Documenting ONLY in the command-line? Not even the man page?
The RHEL docs don't mention --no-sssd at all apparently so there's that.
There seems to be no consideration of someone who installed with
--no-sssd in a supported version and has since upgraded.
I'm not advocating for --no-sssd but there was a real use-case when it
was introduced. It is likely not the case now but there may still be
corner cases.
Pavel, can you remind me what the upgrade plan was for authselect? Was
it simply 'don't touch the system' ?
Does IPA call auth{select,config} during upgrades at all?