[Freeipa-devel] Web SSO and securely storing the ccache

Simo Sorce ssorce at redhat.com
Fri Jul 10 13:47:20 UTC 2009


On Fri, 2009-07-10 at 09:09 -0400, Rob Crittenden wrote:
> 
> How do we want to handle an expired TGT?

Uhmm very good point.

> If my ticket expires in 5 minutes I can still log into the UI. I go
> grab a cup of coffee and a danish and come back 10 minutes later and
> start to work again.
> 
> The first LDAP operation will fail because the ticket is expired.
> Should we alert the user and redirect them, redirect to /login and see
> if we can somehow automatically re-try the operation or some other
> option?

Yes I think we should redirect them to the /login page.

This page in turn will do one of the following two:
a) warn the user that his Kerberos ticket is expired. We may go as far
as giving advice on how to renew the ticket, although it would be nice
if this page could be customizable so that admins can point users at
their internal guides/resources/helpdesk/whatever

b) warn the user but also ask username/password (if configured to allow
asking for user/pass, not the default).

> Or should the entry point where we test the existence of the ccache
> look inside somehow to verify that the ticket is still valid within
> some threshold? I'm assuming that python-krbV will let us do that.

I think we can do both if it is not too much trouble, but the former is
certainly more important IMO.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
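The "look inside the ccache" check Rob asks about, as an added example that is not FreeIPA code and does not use python-krbV: it reads the MIT krb5 FILE ccache format (version 4, big-endian) directly, finds the krbtgt credential, and classifies it as missing, expired, expiring (less than a configurable threshold left) or valid, so the entry point can redirect to /login before the first LDAP operation fails instead of after. The build_ccache() fixture, the principal names and the threshold value are constructed for illustration; the key, ticket blob and flags it writes are dummies.

```python
"""Inspect a krb5 FILE ccache (v4) and decide whether its TGT is still usable."""
import struct
import time


def _data(buf, pos):
    """Counted octet string: 32-bit big-endian length, then bytes."""
    (n,) = struct.unpack_from(">I", buf, pos)
    return buf[pos + 4:pos + 4 + n], pos + 4 + n


def _principal(buf, pos):
    """Principal: name_type, component count, realm, then components."""
    _name_type, ncomp = struct.unpack_from(">II", buf, pos)
    pos += 8
    realm, pos = _data(buf, pos)
    comps = []
    for _ in range(ncomp):
        c, pos = _data(buf, pos)
        comps.append(c.decode())
    return "/".join(comps) + "@" + realm.decode(), pos


def parse_ccache(buf):
    """Return (default principal, list of credentials) from a v4 FILE ccache."""
    if buf[:2] != b"\x05\x04":
        raise ValueError("only FILE ccache version 4 is handled here")
    (hlen,) = struct.unpack_from(">H", buf, 2)
    pos = 4 + hlen                          # skip header tags (DeltaTime etc.)
    default, pos = _principal(buf, pos)
    creds = []
    while pos < len(buf):
        client, pos = _principal(buf, pos)
        server, pos = _principal(buf, pos)
        pos += 2                            # keyblock enctype
        _, pos = _data(buf, pos)            # key contents (not needed here)
        _authtime, _starttime, endtime, renew_till = struct.unpack_from(">IIII", buf, pos)
        pos += 16
        pos += 1                            # is_skey
        pos += 4                            # ticket_flags
        (naddr,) = struct.unpack_from(">I", buf, pos)
        pos += 4
        for _ in range(naddr):
            pos += 2                        # addrtype
            _, pos = _data(buf, pos)
        (nauth,) = struct.unpack_from(">I", buf, pos)
        pos += 4
        for _ in range(nauth):
            pos += 2                        # authdata type
            _, pos = _data(buf, pos)
        _, pos = _data(buf, pos)            # ticket
        _, pos = _data(buf, pos)            # second_ticket
        creds.append({"client": client, "server": server,
                      "endtime": endtime, "renew_till": renew_till})
    return default, creds


def tgt_status(buf, now=None, threshold=300):
    """'missing', 'expired', 'expiring' (under threshold seconds left) or 'valid'."""
    now = time.time() if now is None else now
    _, creds = parse_ccache(buf)
    tgts = [c for c in creds if c["server"].startswith("krbtgt/")]
    if not tgts:
        return "missing"
    end = max(c["endtime"] for c in tgts)    # newest TGT wins if several are cached
    if end <= now:
        return "expired"
    if end - now < threshold:
        return "expiring"
    return "valid"


# --- constructed fixture so the parser can be exercised offline -------------
def _enc_data(b):
    return struct.pack(">I", len(b)) + b


def _enc_principal(name):
    comps, realm = name.rsplit("@", 1)
    comps = comps.split("/")
    out = struct.pack(">II", 1, len(comps)) + _enc_data(realm.encode())
    return out + b"".join(_enc_data(c.encode()) for c in comps)


def build_ccache(client, server, endtime, authtime=0):
    """Minimal v4 ccache with one credential; key, ticket and flags are dummies."""
    hdr = struct.pack(">HHII", 1, 8, 0, 0)          # DeltaTime header tag
    buf = b"\x05\x04" + struct.pack(">H", len(hdr)) + hdr + _enc_principal(client)
    cred = _enc_principal(client) + _enc_principal(server)
    cred += struct.pack(">H", 18) + _enc_data(b"\x00" * 32)   # enctype 18, dummy key
    cred += struct.pack(">IIII", authtime, authtime, endtime, endtime)
    cred += b"\x00" + struct.pack(">I", 0x40E00000)           # is_skey, ticket_flags
    cred += struct.pack(">II", 0, 0)                           # no addresses, no authdata
    cred += _enc_data(b"\x61\x00") + _enc_data(b"")           # opaque ticket, no second
    return buf + cred


if __name__ == "__main__":
    cc = build_ccache("alice@EXAMPLE.TEST", "krbtgt/EXAMPLE.TEST@EXAMPLE.TEST",
                      endtime=int(time.time()) + 120)
    print(tgt_status(cc))                            # 120 s left, default threshold 300
```

A real deployment would read the cache named by KRB5CCNAME (or the one the web front end hands over) instead of the fixture, and the threshold should be chosen with KDC clock skew in mind so that a ticket reported as "valid" is not rejected by the KDC a moment later.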