Hi,

re-adding the ML to the thread.

On 19/02/2018 10:35, Alexander Koksharov wrote:
@Flo, thank you for the comment. I believe that all these commands use the same code in ipaplatform/redhat/tasks.py. So I have to make the execution of these tasks dependent on the tools available.

In fact, ipa-advise does not call tasks; rather, it writes a bash script with commands like the following (obtained with ipa-advise config-client-for-smart-card-auth):
--------
authconfig --enablesmartcard --smartcardmodule=sssd --updateall
if [ "$?" -ne "0" ]
then
  echo "Failed to configure Smart Card authentication in SSSD" >&2
  exit 1
fi
-------

So you will need to address the ipa-advise command separately. You can see the relevant code here:
https://pagure.io/freeipa/blob/master/f/ipaserver/advise/plugins/smart_card_auth.py#_293

There are also other ipa-advise commands that use authconfig (config-fedora-authconfig, config-redhat-sssd-before-1-9, config-generic-linux-sssd-before-1-9, config-redhat-nss-pam-ldapd, config-generic-linux-nss-pam-ldapd, config-redhat-nss-ldap).

I would like to raise another concern about authselect.
Currently we also use "authconfig --savebackup" and "authconfig --restorebackup", but there are no alternative options provided by authselect. I suspect that backup/restore was not even considered by the authselect developer, as the tool is only activating preconfigured configurations.
Could you please comment on this issue?

You would need to ask Pavel Brezina for confirmation, but in backup/restore we will need to retrieve/re-apply the configured profile (need to check the "authselect current" command).

Flo

Alexander

On Fri, Feb 16, 2018 at 7:34 PM, Florence Blanc-Renaud <f...@redhat.com> wrote:

    On 02/14/2018 09:15 AM, Alexander Koksharov via FreeIPA-devel wrote:

        Hello,

        Please take a look at the design page here:
        https://www.freeipa.org/page/V4/Authselect_migration
        I would like to hear your critiques and suggestions.

        Thank you

        --
        Alexander


        _______________________________________________
        FreeIPA-devel mailing list --
        freeipa-devel@lists.fedorahosted.org
        To unsubscribe send an email to
        freeipa-devel-le...@lists.fedorahosted.org

    Hi Lex,

    Thank you for the document, it is a good thing to discuss features
    based on written material :)

    The design only mentions ipa-client-install, but we also rely on
    authconfig in various ipa-advise scripts (ipa-advise command creates
    a script that can be run by the sysadmin, for instance to configure
    smart card authentication with ipa-advise
    config-client-for-smart-card-auth, and the script calls authconfig).

    freeipa.spec.in defines a dependency on authconfig, will it be
    turned into a weak dependency? Will we add a dependency on
    authselect instead?

    Backup and restore refer to the directory /var/lib/authconfig/last/
    and the file /etc/sysconfig/authconfig, does it need to be adapted
    for authselect or does the tool use the same dir and files?

    Any potential issues with upgrade? If the client was installed with
    authconfig but the sysadmin later installs authselect, would
    backup/restore be disturbed? (I really have no idea but your design
    should show that you asked yourself the question and evaluated the
    risks).

    I would also suggest adding a pointer to authselect document
    https://fedoraproject.org/wiki/Changes/Authselect as this page
    explains the rationale for migrating to authselect and the main
    differences. When I read your design I didn't really understand that
    authselect would provide only a limited set of profiles, hence
    ruling out the combination authselect / --no-sssd. As this can be a
    hot topic (see the mail thread...) I believe it's important to
    express this issue in the design doc.

    Flo


_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
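
The backup/restore idea raised in the thread (record what "authselect current" reports, re-apply it later), sketched as an added example; it is not FreeIPA or authselect project code. The function names and the backup file argument are hypothetical, and it assumes that `authselect current --raw` prints the profile and its features on one line and that `authselect select ... --force` re-applies them.

```shell
#!/bin/sh
# Added sketch, not FreeIPA code; function names are hypothetical.

# Save the active profile and features, e.g. "sssd with-smartcard", to $1.
save_auth_profile() {
    backup_file=$1
    if ! command -v authselect >/dev/null 2>&1; then
        echo "authselect is not installed" >&2
        return 2
    fi
    # Assumption: "authselect current --raw" prints "<profile> [feature ...]"
    # on one line and exits non-zero when no profile is selected.
    if ! current=$(authselect current --raw 2>/dev/null); then
        echo "no authselect-managed configuration to back up" >&2
        return 1
    fi
    # The restore step runs as root on this file, so create it owner-only.
    ( umask 077 && printf '%s\n' "$current" > "$backup_file" )
}

# Re-apply the profile recorded in $1.
restore_auth_profile() {
    backup_file=$1
    if ! IFS= read -r line < "$backup_file"; then
        echo "cannot read $backup_file" >&2
        return 1
    fi
    # Accept only plain tokens that do not start with "-", so a modified
    # backup file cannot smuggle options or glob characters into the call.
    token='[A-Za-z0-9_/][A-Za-z0-9_/-]*'
    if ! printf '%s\n' "$line" | LC_ALL=C grep -Eq "^$token( $token)*\$"; then
        echo "refusing unexpected content in $backup_file" >&2
        return 1
    fi
    # Word splitting is intended: first word is the profile, the rest are
    # features. The check above guarantees there is nothing to glob.
    # shellcheck disable=SC2086
    authselect select $line --force
}
```

This records only the selected profile and features, so it does not by itself cover the files that the thread mentions for authconfig backups (/var/lib/authconfig/last/ and /etc/sysconfig/authconfig).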
