Hi folks! I want to talk about the Active Directory requirements in the release criteria. [cross-posted from the server mailing list].
Since Fedora Server was created, we’ve had this in the criteria:
“It must be possible to join the system to a FreeIPA or Active Directory domain at install time and post-install, and the system must respect the identity, authentication and access control configuration provided by the domain.”
…plus various further requirements at Beta and Final.
For FreeIPA we have this testing entirely automated, it’s no problem at all. For Active Directory we…don’t. At every release point this does not get tested until very late. Often Stephen Gallagher has to test it manually at the very last minute, which is an unfair burden on him.
When we do find problems, there is a mad scramble to fix them or at least find workarounds, because we find them way too late.
We’ve looked into automating it and still kinda intend to do so, but it’s not really simple. There’s a legal side to it - it’s not clear what the licensing requirements involved would be - and a technical
side to it - we’d need a way to reliably and quite quickly deploy an AD domain controller using openQA automation, which is not a trivial job.
When I estimate the time that’s going to take and consider what else I (or anyone else) could do with that time, I’m not certain that “automating AD testing” is the best use of it. To me it doesn’t feel
like a really key feature of Fedora to the point that would justify the work involved, or justify continuing to throw Stephen and others under the last-minute-manual-testing bus. But I’m not sure!
What do others think? Do you use the AD client support of Fedora Server? Do you think it’s a key feature that we should keep as a release-blocking requirement, or no?