Re: [Freeipa-devel] [PATCH 0039] Enable FAST support in SSSD by default
On Tue, 2014-02-11 at 14:27 +0100, Jakub Hrozek wrote: > On Tue, Feb 11, 2014 at 02:57:40PM +0200, Alexander Bokovoy wrote: > > On Mon, 10 Feb 2014, Jakub Hrozek wrote: > > >On Mon, Feb 10, 2014 at 04:06:37PM -0500, Nathaniel McCallum wrote: > > >>https://fedorahosted.org/freeipa/ticket/4173 > > >> > > >>I do have one question. Do we ever try to "upgrade" the SSSD config? If > > >>so, should we try to "upgrade" the SSSD config to enable FAST by > > >>default? > > >> > > >>Nathaniel > > > > > >What if we changed the SSSD defaults instead? Would enabling FAST by > > >default break backwards compatibility in any way if we set it to "try" ? > > 'try' shouldn't break anything now that I fixed SSSD side to properly > > process OTP token responses. > > > > >I would prefer to keep the config as clean as possible and only rely on > > >sane defaults. > > I agree but this means we would depend on specific SSSD version to > > provide full OTP experience. It may be good to be clear with that in > > documentation instead of explicitly setting the option, though. > > Wouldn't you prefer to Require a specific version anyway to make sure > the OTP fix is in? Agreed. In a private conversation, Jakub is going to work up a patch. Nathaniel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0039] Enable FAST support in SSSD by default
On Tue, Feb 11, 2014 at 02:57:40PM +0200, Alexander Bokovoy wrote: > On Mon, 10 Feb 2014, Jakub Hrozek wrote: > >On Mon, Feb 10, 2014 at 04:06:37PM -0500, Nathaniel McCallum wrote: > >>https://fedorahosted.org/freeipa/ticket/4173 > >> > >>I do have one question. Do we ever try to "upgrade" the SSSD config? If > >>so, should we try to "upgrade" the SSSD config to enable FAST by > >>default? > >> > >>Nathaniel > > > >What if we changed the SSSD defaults instead? Would enabling FAST by > >default break backwards compatibility in any way if we set it to "try" ? > 'try' shouldn't break anything now that I fixed SSSD side to properly > process OTP token responses. > > >I would prefer to keep the config as clean as possible and only rely on > >sane defaults. > I agree but this means we would depend on specific SSSD version to > provide full OTP experience. It may be good to be clear with that in > documentation instead of explicitly setting the option, though. Wouldn't you prefer to Require a specific version anyway to make sure the OTP fix is in? ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0039] Enable FAST support in SSSD by default
On Mon, 10 Feb 2014, Jakub Hrozek wrote: On Mon, Feb 10, 2014 at 04:06:37PM -0500, Nathaniel McCallum wrote: https://fedorahosted.org/freeipa/ticket/4173 I do have one question. Do we ever try to "upgrade" the SSSD config? If so, should we try to "upgrade" the SSSD config to enable FAST by default? Nathaniel What if we changed the SSSD defaults instead? Would enabling FAST by default break backwards compatibility in any way if we set it to "try" ? 'try' shouldn't break anything now that I fixed SSSD side to properly process OTP token responses. I would prefer to keep the config as clean as possible and only rely on sane defaults. I agree but this means we would depend on specific SSSD version to provide full OTP experience. It may be good to be clear with that in documentation instead of explicitly setting the option, though. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0039] Enable FAST support in SSSD by default
On Mon, Feb 10, 2014 at 04:06:37PM -0500, Nathaniel McCallum wrote: > https://fedorahosted.org/freeipa/ticket/4173 > > I do have one question. Do we ever try to "upgrade" the SSSD config? If > so, should we try to "upgrade" the SSSD config to enable FAST by > default? > > Nathaniel What if we changed the SSSD defaults instead? Would enabling FAST by default break backwards compatibility in any way if we set it to "try" ? I would prefer to keep the config as clean as possible and only rely on sane defaults. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel