[Freeipa-devel] [PATCH] Add DS to IPA migration plugin and password migration page.
Dmitri Pal
dpal at redhat.com
Fri Oct 30 19:49:30 UTC 2009
>
>> Why make them fail?
>
> True, it isn't ideal but all users fail the first time in the browser
> as it is. There isn't a stable way to pre-configure the browser
> currently. It either involves directly modifying files in the firefox
> rpm which will both cause rpm verification issues and be lost when an
> upgrade is done. Or we have to run something on the client to fix
> their browser profile when we run ipa-client-install and this will
> only affect existing profiles (and won't take effect until any running
> browser is restarted).
>
This should be filed as an RFE with FF.
> There is a browser bug filed so one can configure a directory of
> additional settings to be read as sort of a global configuration
> cache. Once this is available we can write to one spot and
> pre-configure kerberos settings.
Can you point me to it?
>
> Similarly once the global NSS database is in place we can put the IPA
> CA cert there and be trusted by all browsers on the system.
>
>> I assume that things like cfengine or puppet can be used to already
>> precofigure browsers to know about IPA.
>
> Probably but again it's a client-side issue and the browser profile
> needs to be updated. Definitely a possibility.
>
>> So failing them and forcing them to use kinit manually sounds like a bad
>> user experience approach to me.
>
> Yup. But this is close to what happens with new users now. They kinit
> (or not), try to hit the UI and in FF 3.5 fail with a nasty error
> message about untrusted CA's. If they decide to continue they get a
> kerberos failed page and can run a little javascript program to
> configure the browser. This little program causes a hair-on-fire
> warning to pop up. Then they need to restart the browser to work.
>
They need to accept the cert first time right? Ok I understand why.
And where this little javascript program comes from?
Do we provide it or it is a part of something standard?
Why it causes hair-on-fire?
--
Thank you,
Dmitri Pal
Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
More information about the Freeipa-devel
mailing list