[Freeipa-devel] [PATCH] Add DS to IPA migration plugin and password migration page.

Rob Crittenden rcritten at redhat.com
Fri Oct 30 19:57:37 UTC 2009


Dmitri Pal wrote:
>>> Why make them fail? 
>> True, it isn't ideal but all users fail the first time in the browser
>> as it is. There isn't a stable way to pre-configure the browser
>> currently. It either involves directly modifying files in the firefox
>> rpm which will both cause rpm verification issues and be lost when an
>> upgrade is done. Or we have to run something on the client to fix
>> their browser profile when we run ipa-client-install and this will
>> only affect existing profiles (and won't take effect until any running
>> browser is restarted).
>>
> This should be filed as an RFE with FF.

This would be handled by the bug below.

> 
> 
>> There is a browser bug filed so one can configure a directory of
>> additional settings to be read as sort of a global configuration
>> cache. Once this is available we can write to one spot and
>> pre-configure kerberos settings.
> 
> Can you point me to it?

https://bugzilla.redhat.com/show_bug.cgi?id=516200
> 
>> Similarly once the global NSS database is in place we can put the IPA
>> CA cert there and be trusted by all browsers on the system.
>>
>>> I assume that things like cfengine or puppet can be used to already
>>> preconfigure browsers to know about IPA.
>> Probably but again it's a client-side issue and the browser profile
>> needs to be updated. Definitely a possibility.
>>
>>> So failing them and forcing them to use kinit manually sounds like a bad
>>> user experience approach to me.
>> Yup. But this is close to what happens with new users now. They kinit
>> (or not), try to hit the UI and in FF 3.5 fail with a nasty error
>> message about untrusted CAs. If they decide to continue they get a
>> kerberos failed page and can run a little javascript program to
>> configure the browser. This little program causes a hair-on-fire
>> warning to pop up. Then they need to restart the browser to work.
>>
> 
> They need to accept the cert first time right? Ok I understand why.

Yes but beginning with FF 3.5 they have to go through a 2-step process 
where they accept the CA, add an exception etc.

> And where does this little javascript program come from?
> Do we provide it or is it part of something standard?

We provide it on the IPA server. It modifies the user preferences to 
configure kerberos. In order to modify user preferences the javascript 
needs to be signed by a trusted CA (we use the IPA CA) and the user must 
agree to it. The dialog that asks has a several second pause before Ok 
is ungreyed.

> Why does it cause hair-on-fire?

The message is not configurable, it just says that something is trying 
to modify your user preferences.

rob