[Freeipa-devel] [PATCH] 0003 Added support for authentication with user certificate

Tibor Dudlak tdudlak at redhat.com
Thu Aug 11 07:55:30 UTC 2016


Hi,

I think this patch is finished. If it does not suit you and it will not be
merged, please consider merging PATCH 0001 from
http://www.redhat.com/archives/freeipa-devel/2016-August/msg00009.html at
least.

Thank you

On Wed, Aug 10, 2016 at 10:17 AM, Tibor Dudlak <tdudlak at redhat.com> wrote:

> Hi,
>
> I have improved my previous patch for authentication with user
> certificate/smartcard.
> This patch includes patches and plugin and apache configuration described
> here: http://www.freeipa.org/page/V4/External_Authentication/Setup
> It also contains steps to configure and test this feature. Once this patch
> is merged and released I will simplify this page to not confuse customers.
>
> On Fri, Aug 5, 2016 at 3:58 PM, Petr Vobornik <pvoborni at redhat.com> wrote:
>
>> On 08/05/2016 02:57 PM, Tibor Dudlak wrote:
>> >...
>>
>> Let's assume that we will go with this approach and not separate RPM.
>>
>> 1. ipa.conf version needs to be bumped
>>
>
> We have found another problem with the ipa.conf approach, so I have moved
> the configuration of apache for the plugin from ipa.conf into a completely
> separate file so that it is not configured in FreeIPA by default. As you
> said, it may cause some security issues and it definitely causes errors
> when plugin dependencies are not installed or configured.
>
>> 2. Do not put the web ui plugin in src/freeipa/plugins dir. That is a
>> dir for core UI plugins. This one is sort of hybrid - basically a third
>> party plugin added to core package but enabled as third party because
>> the feature is experimental.
>>
>> Create rather a new dir for that. E.g. plugins.d as Alexander suggested
>> ->  freeipa/install/ui/src/plugins.d/cert_auth/cert_auth.js
>>
>> 3. unrelated and "alternative solution" comments need to be removed
>> from the UI plugin. They were added to the example plugin
>> https://pvoborni.fedorapeople.org/plugins/loginauth/loginauth.js mostly
>> to help you with the development.
>>
>> 4. Add comment to freeipa.spec.in describing what the plugin is and why
>> it is put there this way.
>>
>> 5. The plugin itself deserves better description as well. Right now
>> there is the general description.
>>
>> 6. I have not tried it, but make sure that it passes jslint (`jsl -conf
>> jsl.conf`). Easiest may be to use temp (i.e. do not include it here)
>> jsl.conf e.g.: https://pvoborni.fedorapeople.org/plugins/loginauth/jsl.conf
>>
>> --
>> Petr Vobornik
>>
>
> I hope result of jsl http://pastebin.test.redhat.com/400076 means that
> things passed.
> Thanks Petr for review and I hope this patch will cover all concerns he
> had.
>
> Addressing ticket: https://fedorahosted.org/freeipa/ticket/5764
>
> Thank you.
>
> --
> Tibor Dudlák
> Intern - Identity management Special Projects
> Red Hat
>



-- 
Tibor Dudlák
Intern - Identity management Special Projects
Red Hat