[Freeipa-devel] [PATCH] Add DS to IPA migration plugin and password migration page.
Dmitri Pal
dpal at redhat.com
Fri Oct 30 20:36:03 UTC 2009
Simo Sorce wrote:
> On Fri, 2009-10-30 at 16:25 -0400, Dmitri Pal wrote:
>
>> Simo Sorce wrote:
>>
>>> On Fri, 2009-10-30 at 15:57 -0400, Rob Crittenden wrote:
>>>
>>>
>>>> The message is not configurable, it just says that something is
>>>> trying
>>>> to modify your user preferences.
>>>>
>>>>
>>> And rightly so, this is a security warning. If it were modifiable a
>>> rogue server could change the message to ask: "do you like bacon ?"
>>> To which *everyone* would have to answer Yes :-)
>>>
>>> Simo.
>>>
>>>
>>>
>> Modifiable by the program no, I agree. But configurable centrally on per
>> server basis why not?
>>
>
> Dmitri, this is a message the *client* shows the user, and the job of
> the client is to prevent servers to play with it ...
>
>
>> I would say that it would be nice to be able to configure FF centrally to:
>>
>> * Automatically accept cert from IPA.
>> * Have a right configuration in the preferences for kerberos
>>
>
> Certainly, but out of band, you can't do this from a Web Server you are
> connecting to. This is a job for puppet/cfengine/etc...
>
>
>> I think it all boils down to enhancements to FF.
>> Let me see what I can do about it.
>>
>
> Nothing, you'd be asking to break a security feature of the browser ...
>
>
No. No. No.
You got me totally wrong.
Of cause out of band by puppet/cfengine/etc...
It is just FF needs to store these properties somewhere these engines
actually can reach.
An d this is what we need to make sure that FF guys address.
> Simo.
>
>
--
Thank you,
Dmitri Pal
Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
More information about the Freeipa-devel
mailing list