English Portuguese (Brazil)
Authconfig tries its best to keep users's manual changes to the files it generates. It generates not only PAM configuration files and nsswitch.conf (to setup authentication modules and identity sources) but it also generates simple configuration files for several services such as LDAP and Kerberos.
Authselect does no such things. It does not generate any configuration files beside PAM and nsswitch.conf and it strictly prohibits any manual changes to generated configuration. It provides a set of files called profiles. Each profile describes how the resulting configuration should look like and it can be slightly modified by enabling or disabling certain optional features. If a need arises for a different profile than what authselect ships, the administrator has an option to create a whole new profile and use it with authselect. See authselect-profiles(5) to learn more about profiles.
This may seem like a big disadvantage but the truth is the opposite. Authconfig is a very old tool and the applications providing required services have changed rapidly over the years. Typically, there is no longer a need to have multiple authentication modules in PAM and nsswitch.conf, because the vast majority of use-cases is covered by SSSD. Therefore there is no need to add or remove them specifically. There are also better tools to generate configuration for system daemons that can help you automate the process of joining to a remote domain such as `realm`. In addition, the shipped profiles give us comprehensive and deterministic system configuration that can be fully tested and is much less error prone. It is also much easier to distribute such configuration across many systems.
Probably the most controversial change is that authselect only ships profiles for sssd and winbind providers. Those two providers cover all modern use cases from providing local users and legacy LDAP domain to complex configurations with IPA or Active Directory servers. The profiles no longer contain support for nss-pam-ldapd and users are encouraged to switch to sssd.
You can use either `ipa-client-install` or `realm` to join an IPA domain and `realm` to join an Active Directory domain. These tools will make sure that the correct authselect profile is selected and all daemons and services are properly configured.
If you use `ipa-client-install` or `realm` to join a domain, you can just remove any authconfig call in your scripts. If this is not an option, you need to replace each authconfig call with its equivalent authselect call to select a correct profile with desired features. Then you also need to write configuration file for required services.
Relation of authconfig options to authselect profiles
|*Authconfig options* |*Authselect profile*
|--enableldap --enableldapauth |sssd
|--enablesssd --enablesssdauth |sssd
|--enablekrb5 |sssd
|--enablewinbind --enablewinbindauth |winbind
|--enablenis |nis
Relation of authconfig options to authselect profile features
authconfig --enableldap --enableldapauth --enablefaillock --updateall
authselect select sssd with-faillock
authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --updateall
authselect select sssd with-smartcard
authconfig --enableecryptfs --enablepamaccess --updateall
authselect select sssd with-ecryptfs with-pamaccess
authconfig --enablewinbind --enablewinbindauth --winbindjoin=Administrator --updateall
realm join -U Administrator --client-software=winbind WINBINDDOMAIN
Even if LDAP is not directly used through `pam_ldap` and `nss_ldap`, it is still useful to configure ldap.conf to configure openldap-libs and indirectly, e.g. LDAP tools such as `ldapsearch`.
# Set the default base dn
BASE dc=example,dc=com
# Set the default LDAP server
URI ldap://ldap.example.com ldap://ldap-master.example.com:666
If you use Kerberos, the default Kerberos realm should be configured in order for krb5-libs and therefore tools such as `kinit` to work out of the box.