Just to let everyone know:
[11:32] ping. Could you please submit latest authselect to F27 as well?
[11:32] yes, I plan to do it today
[11:33] ok. thank you

Alexander

On Mon, Mar 5, 2018 at 9:57 AM, Florence Blanc-Renaud <f...@redhat.com>
wrote:

> Hi,
>
> re-adding the ML to the thread.
>
> On 19/02/2018 10:35, Alexander Koksharov wrote:
>
>> @Flo, thank you for the comment. I believe that all these commands use the
>> same code in ipaplatform/redhat/tasks.py. So, I have to make the execution
>> of these tasks dependent on the tools available.
>>
> In fact the ipa-advise does not call tasks, it rather writes a bash
> script with commands like the following (obtained with ipa-advise
> config-client-for-smart-card-auth):
> --------
> authconfig --enablesmartcard --smartcardmodule=sssd --updateall
> if [ "$?" -ne "0" ]
> then
>   echo "Failed to configure Smart Card authentication in SSSD" >&2
>   exit 1
> fi
> -------
>
> So you will need to address the ipa-advise command separately. You can see
> the relevant code here:
> https://pagure.io/freeipa/blob/master/f/ipaserver/advise/plugins/smart_card_auth.py#_293
>
> There are also other ipa-advise commands that use authconfig
> (config-fedora-authconfig, config-redhat-sssd-before-1-9,
> config-generic-linux-sssd-before-1-9, config-redhat-nss-pam-ldapd,
> config-generic-linux-nss-pam-ldapd, config-redhat-nss-ldap).
>
>> I would like to raise another concern about authselect.
>> Currently we also use "authconfig --savebackup" and "authconfig
>> --restorebackup" but there are no alternative options provided by authselect.
>> I suspect that backup/restore was not even considered by the authselect
>> developer as the tool is only activating preconfigured configurations.
>> Could you please comment on this issue?
>>
> You would need to ask Pavel Brezina for confirmation, but in
> backup/restore we will need to retrieve/re-apply the configured profile
> (need to check the "authselect current" command).
>
> Flo
>
>>
>> Alexander
>>
>> On Fri, Feb 16, 2018 at 7:34 PM, Florence Blanc-Renaud <f...@redhat.com> wrote:
>>
>>     On 02/14/2018 09:15 AM, Alexander Koksharov via FreeIPA-devel wrote:
>>
>>         Hello,
>>
>>         Please take a look at the design page here:
>>         https://www.freeipa.org/page/V4/Authselect_migration
>>         I would like to hear your criticism and suggestions.
>>
>>         Thank you
>>
>>         --
>>         Alexander
>>
>>
>>         _______________________________________________
>>         FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
>>         To unsubscribe send an email to
>>         freeipa-devel-le...@lists.fedorahosted.org
>>
>>     Hi Lex,
>>
>>     Thank you for the document, it is a good thing to discuss features
>>     based on written material :)
>>
>>     The design only mentions ipa-client-install, but we also rely on
>>     authconfig in various ipa-advise scripts (ipa-advise command creates
>>     a script that can be run by the sysadmin, for instance to configure
>>     smart card authentication with ipa-advise
>>     config-client-for-smart-card-auth, and the script calls authconfig).
>>
>>     freeipa.spec.in defines a dependency on
>>     authconfig, will it be turned into a weak dependency? Will we add a
>>     dependency on authselect instead?
>>
>>     Backup and restore refer to the directory /var/lib/authconfig/last/
>>     and the file /etc/sysconfig/authconfig, does it need to be adapted
>>     for authselect or does the tool use the same dir and files?
>>
>>     Any potential issues with upgrade? If the client was installed with
>>     authconfig but the sysadmin later installs authselect, would
>>     backup/restore be disturbed? (I really have no idea but your design
>>     should show that you asked yourself the question and evaluated the
>>     risks).
>>
>>     I would also suggest adding a pointer to authselect document
>>     https://fedoraproject.org/wiki/Changes/Authselect
>>     as this page
>>     explains the rationale for migrating to authselect and the main
>>     differences. When I read your design I didn't really understand that
>>     authselect would provide only a limited set of profiles, hence
>>     ruling out the combination authselect / --no-sssd. As this can be a
>>     hot topic (see the mail thread...) I believe it's important to
>>     express this issue in the design doc.
>>
>>     Flo
>>
>>
>>
>