[Freeipa-devel] auto Firefox configuration status
Rob Crittenden
rcritten at redhat.com
Fri Dec 7 04:09:49 UTC 2007
I've looked into using the javacript function
netscape.security.PrivilegeManager.enablePrivilege() to allow modifying
the browser config.
Here are some notes to take away:
1. The javascript needs to be packaged as a signed jar. We can generate
a signing cert during our SSL setup step.
2. We'll need to create the javascript on the fly so we can customize it
to match the domain we're installing IPA into. The existing template
system should work fine.
3. The browser needs to trust the CA that is presenting the signed jar.
A semi- chicken and egg problem. As long as the user goes to an SSL site
signed by our temporary CA we're fine (our IPA web server, for example).
But if they get their account and hit some other SSO site their browser
will not be setup. We may have to live with this. The code should be
easily transportable though.
Alternatively they can use their own CA to sign our code.
Oh, and you get a huge, ugly, nasty time-delayed warning about having
your preferences written to.
I still have a fair bit of clean up to do before I can start integrating
it into IPA (remembering how I issued the signing cert for one). I
should have something to at least demo in the next day or two.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071206/0efaf14a/attachment.bin>
More information about the Freeipa-devel
mailing list