Hi folks! I want to talk about the Active Directory requirements in the
release criteria.
Since Fedora Server was created, we've had this in the criteria:
"It must be possible to join the system to a FreeIPA or Active
Directory domain at install time and post-install, and the system must
respect the identity, authentication and access control configuration
provided by the domain."
...plus various further requirements at Beta and Final.
For FreeIPA we have this testing entirely automated, it's no problem at
all. For Active Directory we...don't. At every release point this does
not get tested until very late. Often Stephen Gallagher has to test it
manually at the very last minute, which is an unfair burden on him.
When we *do* find problems, there is a mad scramble to fix them or at
least find workarounds, because we find them way too late.
We've looked into automating it and still kinda intend to do so, but
it's not really simple. There's a legal side to it - it's not clear
what the licensing requirements involved would be - and a technical
side to it - we'd need a way to reliably and quite quickly deploy an AD
domain controller using openQA automation, which is not a trivial job.
When I estimate the time that's going to take and consider what *else*
I (or anyone else) could do with that time, I'm not certain that
"automating AD testing" is the best use of it. To me it doesn't feel
like a really key feature of Fedora to the point that would justify the
work involved, or justify continuing to throw Stephen and others under
the last-minute-manual-testing bus. But I'm not sure!
What do others think? Do you use the AD client support of Fedora
Server? Do you think it's a key feature that we should keep as a
release-blocking requirement, or no?
Thanks!
--
Adam Williamson (he/him/his)
Fedora QA
Fedora Chat: @adamwill:fedora.im | Mastodon: @adamw(a)fosstodon.org
https://www.happyassassin.net