On Thu, 15 Feb 2018, Jakub Hrozek via FreeIPA-devel wrote:
On Thu, Feb 15, 2018 at 04:49:23PM +0200, Alexander Bokovoy via FreeIPA-devel wrote:
On Thu, 15 Feb 2018, Alexander Koksharov wrote:
> Hello,
>
> I would like to confirm whether we do want to completely drop --no-sssd
> option.
> "no-sssd" configuration is not supported by authselect - there is no such
> profile available.
> If we drop dependency on authconfig there will be a need to do code cleanup
> and also to rewrite related parts. And if we agreed on rewriting some parts
> there won't be any problems replacing multiple calls to authconfig with a
> single one to authselect.
I think we should make sure authselect does support non-sssd profile.

authselect supports sssd and winbind. nss-pam-ldapd, pam_krb5 etc are
considered legacy and not supported. Nothing prevents you from creating
your own authselect profile for these, though, but authselect upstream
doesn't provide these.

What kind of non-sssd profile? What is the use-case for this?
We are mapping existing authconfig support to newer authselect support.
I think the question is not really what authselect is or isn't but
rather what non-sssd authconfig configuration IPA used and continues to
support. We definitely have to support ipa-client-install --no-sssd
variant because it is valid for any platform (including Fedora) and
removing it would make ipa-client-install non-working on something like
FreeBSD or ArchLinux.

Right now the client installer logic when --no-sssd option is passed is
the following:
 - check whether either nss_ldap or nss-pam-ldapd exist, configure them
 - otherwise fail with a client installer error

Thus, either with authselect we are limiting ourselves to only sssd
configuration or not, we have to keep supporting nss_ldap/nss-pam-ldapd
variants through some other platform options. Perhaps, this means we
would need to make a generic ipaplatform backend that utilizes a recipe
from ipa-advise that gives us nss_ldap/nss-pam-ldapd support? Then we
can fall back to that backend in case authselect is not supporting
non-sssd path.

Otherwise it is not a real replacement for authconfig in Fedora.

Again, what reason is there to use anything else than SSSD or winbind?
See above. It is about compatibility to other platforms and older IPA
behavior.
--
/ Alexander Bokovoy