On Fri, Feb 16, 2018 at 12:27 PM, Alexander Bokovoy <aboko...@redhat.com> wrote: > On pe, 16 helmi 2018, Petr Vobornik wrote: >> >> On Fri, Feb 16, 2018 at 11:25 AM, Alexander Bokovoy via FreeIPA-devel >> <freeipa-devel@lists.fedorahosted.org> wrote: >>> >>> On pe, 16 helmi 2018, Alexander Koksharov via FreeIPA-devel wrote: >>>> >>>> >>>> Would it be good to implement the change like this: >>>> >>>> if authconfig is available then >>>> use current flow >>>> else >>>> if authselect is available and not no-sssd then >>>> use authselect to activate sssd profile >>>> else >>>> raise Error >>>> done >>>> done >>> >>> >>> Sounds good to me. >>> >>> Petr, Jakub? >> >> >> For default use case (with sssd), when both authselect and authconfig >> are available it will use authconfing. Do we want that? Isn't the >> purpose of authselect to provide better tested config. >> >> If I understood ab yesterday correctly it was more about changing >> current algorithm not changing the algorithm to not disturb the flow. >> >> Current algo is: >> >> authconfig --nisdomain=<domain> >> if (sssd) then >> authconfig --enablesssd >> authconfig --enablesssdauth >> else >> authconfig --enableldap >> authconfig --enableforcelegacy >> authconfig --enablekrb5 >> authconfig --nostart >> done >> if (mkhomedir) then >> authconfing --mkhomedir >> done >> >> so the change is more like: >> >> set nisdomain in platform default way (directly or using authconfig) >> if (sssd) then >> do platform default (authselect or authconfig) >> else: >> raise if not authconfig >> authconfig --enableldap >> authconfig --enableforcelegacy >> authconfig --enablekrb5 >> authconfig --nostart. >> done >> if (mkhomedir) then >> platform default (authconfing | authselect) >> done >> >> I.e. prefer authselect in individual steps, then try authconfig. > > Right, it is anyway a task for the platform implementation what to > prefer. > > I want to note, though, we do not run these "separate" authconfig calls. > Instead, we gather them into a single call. So the logic flow above is > not reflecting the actual call flow. >
Right. -- Petr Vobornik _______________________________________________ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org