I am currently reviewing the PR for authconfig replacement with authselect (see [1]), but I am not 100% sure of the direction we should aim for (many items were discussed on the mailing list, but it's not clear on which ones an agreement was reached).

1/ Deprecation of --no-sssd option:
- On non-Fedora/non-RHEL platforms, my understanding is that we should keep this option and let the distros implement their specific code in ipaplatform/<distro>/tasks.py.

- What does it mean for the Fedora/RHEL platform? We could add a check in tasks.py called during install_check, refusing this option on Fedora/RHEL (with a clean exit from ipa-client-install) and allowing it on other distributions. Other proposals?

2/ How do we handle backup/restore:
- The server may have been installed with authconfig then upgraded, or directly installed with authselect. If authselect was used, we can leverage 'authselect current' to save the current state. If authconfig was used, we have an issue, as ipa-backup is currently calling authconfig --savebackup but this option (--savebackup) is not supported anymore when authselect is installed. Does it mean that we should migrate the configuration to authselect during ipa-server-upgrade? Is it OK to migrate only servers, or should we also migrate clients?

- ipa-restore can be forced to restore a backup made on a different version. This means we could end up in a situation where the backup was done with authselect, but restored with authconfig. This should not be a problem because backup/restore is done on a server and servers cannot be installed with --no-sssd, but it means that there will be a migration to the authselect sssd profile.

3/ How do we handle uninstall:
- The client may have been installed with authconfig then upgraded. When the pre-install config does not correspond to a supported authselect profile, how should we react (because we won't be able to restore exactly the same conf)? Simply log a warning, or exit on error?

[1] https://github.com/freeipa/freeipa/pull/1603
