= Proposed Self Contained Change: Authselect: new tool to replace authconfig =

https://fedoraproject.org/wiki/Changes/Authselect

Change owner(s):
* Pavel Březina <pbrezina@xxxxxxxxxx>

Authselect is a tool to select system authentication and identity sources from a list of supported profiles.

It is designed to be a replacement for authconfig but it takes a different approach to configure the system. Instead of letting the administrator build the pam stack with a tool (which may potentially end up with a broken configuration), it would ship several tested stacks (profiles) that solve a use-case and are well tested and supported. At the same time, some obsolete features of authconfig would not be supported by authselect.

This tool aims to be first shipped along and later deprecate and later replace authconfig in a future Fedora release.

== Detailed Description ==

Authselect will allow the administrator to choose one of the supported profiles. A profile provides description of how the resulting pam and nsswitch configuration looks like. The tool will be packaged with a default profile set that will be fully supported. If an administrator has different needs they can create a custom profile and make it accessible by authselect by dropping it in the tool directory.

The authentication and identity configuration is hardcoded within the profile. However each profile is also allowed to contain some conditional modules that can be either enabled or disabled to allow the administrator to enable some optional behaviour such as password policy or ecryptfs support.

Authselect will not configure daemons that provide the selected identity and authentication services such as SSSD or winbind, it will only configure pam and nsswitch. Daemons must be configured manually or through other system tools like realmd or ipa-client-install.

The default profile set will contain the following profiles:
* Local users + SSSD -- local users and remote users are handled by sssd
* Local users + SSSD + Fingerprint -- same as above but also pam_fprintd is enabled
* Local users + winbind -- local users are handled by files and remote users by winbind
* Local users + winbind + Fingerprint -- same as above but also pam_fprintd is enabled

We do not want to support nss-pam-ldapd and pam_krb5 in default profiles since their use-cases are completely or almost completely covered by SSSD. SSSD can be used as a complete replacement for pam_krb5 and there are only few old and rarely used maps for LDAP that remain unimplemented within SSSD such as hosts and aliases. These maps will be added in a future SSSD version.

== Scope ==

* Proposal owners: implement the change
* Other developers: N/A (not a System Wide Change)
* Release engineering: [1] (a check of an impact with Release Engineering is needed)
* List of deliverables: N/A (not a System Wide Change)
* Policies and guidelines: N/A (not a System Wide Change)
* Trademark approval: N/A (not needed for this Change)

[1] https://pagure.io/releng/issue/6907

Jaroslav