I would like to know the best practice for patching FreeIPA-Server packages. We generally have daily patching enabled in our servers. Will it be a good idea to do automatic patching of FreeIPA-Server packages?

If we want to restrict the FreeIPA-Server packages from automatomatic upgrade and rather keep it for manual upgrade, what are the packages we should hold back with a version restriction? And how frequently should we do the manual upgrade? If the FreeIPA-client packages are upgraded regularly by daily patching(yum-cron or unattended upgrade) will there be any problem with authentication, if the FreeIPA-Servers  are behind version upgrade?

We have two FreeIPA environments, one with CentOS7 and another with CentOS8. And we have FreeIPA clients mostly with Ubuntu(18 and 20) and CentOS (7 and 8).

Any help and guidance is appreciated.

Thanks

Suchi