[Freeipa-devel] [PATCH] Review: rga-0005 Fix order of synchronizing time when running ipa-client-install
Alexander Bokovoy
abokovoy at redhat.com
Tue Mar 18 15:09:02 UTC 2014
On Tue, 18 Mar 2014, Petr Viktorin wrote:
>On 03/18/2014 03:50 PM, Rob Crittenden wrote:
>>Petr Viktorin wrote:
>>>AFAIK this patch was only posted to Trac, where it was kind of
>>>forgotten. Let's move it to the mailing list.
>>>
>>>It looks & works fine, ACK for those aspects. But Dmitri had some
>>>concerns about the validity of the ticket itself:
>>>
>>>>Unusual but not critical. In future this can be an OTP prompt rather
>>>>than
>>>>password prompt and making sure time is correct on both sides might be
>>>>more critical. I do not see a big problem with a slight delay. Banks now
>>>>prompt people for user name on one page and then for password on
>>>>another.
>>>>It is a common practice. I would think that decoupling the prompts and
>>>>getting people used to it is a benefit rather than a hassle. The trend
>>>>of prompting for user and password independently should continue.
>>>>We should make it more usable if there are usability concerns but IMO we
>>>>should not be trying to push people back to traditional notion of "user
>>>>name and password are always together". They are not.
>>>
>>>It may be common practice but it doesn't really make sense to temporally
>>>split related actions if there's no need for it. It is annoying. In the
>>>banks case, the login pages follow one another, they don't insert some
>>>completely unrelated output in the middle of the login process.
>>>If we want to teach new expectations to users, ipa-client-install is not
>>>the place to do it.
>>>The OTP case will work since with the patch, time is synced before both
>>>prompts.
>>>
>>>The comment gives a good reason to move the ticket to Backlog, but since
>>>we have a fix I'd like to push it.
>>
>>IIRC Alexander purposely put the time sync in here to ensure that at the
>>time we actually obtain the password time is in sync. I can't say I
>>always agreed with that, but it does make a certain amount of sense.
>
>Was that really a conscious decision?
>The only thing between the old and new calls of the sync is the
>actual password entry. I don't think we should worry about clocks
>de-syncing while the admin enters a password.
See my other answer. :)
--
/ Alexander Bokovoy
More information about the Freeipa-devel
mailing list