[Freeipa-devel] [PATCH] Review: rga-0005 Fix order of synchronizing time when running ipa-client-install

Petr Viktorin pviktori at redhat.com
Tue Mar 18 15:04:46 UTC 2014


On 03/18/2014 03:50 PM, Rob Crittenden wrote:
> Petr Viktorin wrote:
>> AFAIK this patch was only posted to Trac, where it was kind of
>> forgotten. Let's move it to the mailing list.
>>
>> It looks & works fine, ACK for those aspects. But Dmitri had some
>> concerns about the validity of the ticket itself:
>>
>>> Unusual but not critical. In future this can be an OTP prompt rather than
>>> password prompt and making sure time is correct on both sides might be
>>> more critical. I do not see a big problem with a slight delay. Banks now
>>> prompt people for user name on one page and then for password on another.
>>> It is a common practice. I would think that decoupling the prompts and
>>> getting people used to it is a benefit rather than a hassle. The trend
>>> of prompting for user and password independently should continue.
>>> We should make it more usable if there are usability concerns but IMO we
>>> should not be trying to push people back to traditional notion of "user
>>> name and password are always together". They are not.
>>
>> It may be common practice but it doesn't really make sense to temporally
>> split related actions if there's no need for it. It is annoying. In the
>> banks' case, the login pages follow one another, they don't insert some
>> completely unrelated output in the middle of the login process.
>> If we want to teach new expectations to users, ipa-client-install is not
>> the place to do it.
>> The OTP case will work since with the patch, time is synced before both
>> prompts.
>>
>> The comment gives a good reason to move the ticket to Backlog, but since
>> we have a fix I'd like to push it.
>
> IIRC Alexander purposely put the time sync in here to ensure that at the
> time we actually obtain the password, time is in sync. I can't say I
> always agreed with that, but it does make a certain amount of sense.

Was that really a conscious decision?
The only thing between the old and new calls of the sync is the actual 
password entry. I don't think we should worry about clocks de-syncing 
while the admin enters a password.


-- 
Petr³



