On 01/05/2018 03:14 PM, John Florian wrote:
On Fri, 2018-01-05 at 14:50 +0100, Jan Kurik wrote:
The tool is packaged with a default
profile set that is fully supported. If an administrator has
different
needs they can create a custom profile and make it accessible in
authselect by dropping it in the tool specific directory.
How? The authselect(8) man page tells me that `authselect show
profile_id` will print info about the profile, but I see nothing of any
detail. (Perhaps more could be gleaned with `--trace`, but without any
apparent dry-run option I'd want a VM to experiment.)
There is also authselect-profiles(5) that explains how profiles works.
But it is not yet present in current Fedora packages. I will do new
release on Monday.
Looking at the package contents doesn't help much either:
$ rpm -ql authselect
/usr/bin/authselect
/usr/lib/.build-id
/usr/lib/.build-id/b6
/usr/lib/.build-id/b6/6bcffc0719e16ebb39e888f8da173aa2bd464e
/usr/share/man/man8/authselect.8.gz
So the built-in profiles are hard-coded into the binary? I might have
expected a data dir providing these to serve as examples for making new
ones.
Yes, there is a data dir: /usr/share/authselect/
Description of these directories may be seen in the man page, currently
at this upstream link:
https://github.com/pbrezina/authselect/blob/master/src/man/authselect-profiles.5.txt.in.in
I also didn't see (nor did I even try searching for) any mention of the
upstream project.
Otherwise, this is a very nice write up. I'm mostly curious as our
setup uses an openldap directory server for identity and WinAD for
authentication. realmd doesn't seem to cover (from a very cursory
glance) that arrangement. So I have an eye out for how to best
leverage these things, if at all.
We had many discussions on this topic while designing and developing
authselect. The resolution was to include only sssd and winbind profiles
and avoid other use cases and avoid plain ldap and kerberos since they
can be implemented with sssd. So the use case that you have mentioned
above (different id and auth providers) can be achieved.
We do not want to touch configurations with authselect. But to avoid
breaking user scripts, we will configure daemons with the compatibility
tool to mimic authconfig behavior wherever possible.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx