[Freeipa-devel] [PATCH] Add DS to IPA migration plugin and password migration page.

Dmitri Pal dpal at redhat.com
Fri Oct 30 19:52:48 UTC 2009


Dmitri Pal wrote:
> Ok I buy this.
> Just have questions below...
>
> Simo Sorce wrote:
>   
>> Ok now on a more serious note ...
>>
>> On Fri, 2009-10-30 at 14:28 -0400, Dmitri Pal wrote:
>>   
>>     
>>> Why can't we call kinit (or equivalent) on their behalf as soon as we
>>> have migrated them, right away ourselves, and then redirect them to the
>>> right place - the self service page?
>>>     
>>>       
>> We could call kinit and store the credentials in the server cache for
>> the time the user is connected like we do with forwarded credentials,
>> but we want to go toward S4U to avoid forwarding TGTs in the first
>> place.
>>   
>>     
> So if we have the user TGT on the server, how can we use it to improve
> the user experience?
>
>
>   
>>   
>>     
>>> Why make them fail?
>>> I assume that things like cfengine or puppet can be used to already
>>> preconfigure browsers to know about IPA.
>>>     
>>>       
>> In general the browser configuration is kept in the user home directory,
>> and is not something puppet or cfengine should touch (they may have no
>> access to the user home directory until the user is logged in anyway).
>>
>>   
>>     
> We already have the RFE to make FF able to configure Kerberos in a more
> friendly way.
> We can add specifics to it and make this configuration be stored outside
> of the user home directory, so that it can be centrally configured.
> https://bugzilla.redhat.com/show_bug.cgi?id=526824
>
> Upstream
> https://bugzilla.mozilla.org/show_bug.cgi?id=520668
>
> May be we should add it to the bug.
>
> But back to the point of the user.
> What is it that the browser carries that allows it to access the pages?
> Is it a cookie of some kind that is created as a result of the
> authentication using the ticket, or what?
> Can we create such a cookie on behalf of the user?
> I understand that it will solve the problem only for this session, and if
> the user closes the browser he will have to do kinit, so maybe it is not
> worth it.
>
> I guess asking the user to log out and log in will only work if the system
> is configured to use the same IPA with Kerberos, via SSSD or directly.
> Is this something that can be checked?
> If the user's machine is not configured for Kerberos with the same
> domain, asking the user to log off and log on will not help.
>
>   
I guess if we put the message into an attribute somewhere in cn=config and
pull it from DS, instead of making it a part of the page itself, we would
give the admin the choice of what to tell the user to do in this case:
"kinit", or "log off/log in", or "check this ... if you are, then ...
otherwise ...". This, together with migration instructions, would help a lot.

-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/