On 02/23/2018 12:57 PM, Martin Kosek wrote:
On 02/21/2018 10:25 AM, Pavel Březina via FreeIPA-devel wrote:

​ ​
couple of scenarious here:
- install server
  install it and configure with authselect. there is no --no-sssd option
for the server installation
- upgrade server
  bakup authselect configuration. apply authselect sssd profile
overwriting what was there before.

Why do you call authselect during server update? Shouldn't the system be
already configured?

In FreeIPA server, we want to make sure that authselect profile is
activated, so that this FreeIPA server's PAM stack receives further
updates in case the authselect profile gets some fixes in. If it still
has the manual PAM configuration via old authconfig, it would not
receive such updates. Is that true?

It is true. But the same applies currently with authconfig. So if authconfig is run again during server update than sure, it should be there.

- upgrade client
  not applicable. only new binaries are copied onto the system

I would think that we want the same as on the FreeIPA server. I.e. if we
detect that FreeIPA client is configured with SSSD, we switch to a
supported authselect PAM stack and thus receive further updates, without
being stuck with manual authconfig PAM stack.


FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

Reply via email to