[Freeipa-users] FreeIPA WebUI Logout logs back in
Christopher Lamb
christopher.lamb at ch.ibm.com
Wed Apr 29 11:42:07 UTC 2015
HI Petr
thanks.
Can you qualify "has a valid Kerberos Ticket"?
In my case, my user has a valid ticket on the LDAP server, but not on the
OSX workstation from which I am using Firefox / Web UI.
Cheers
Chris
From: Petr Vobornik <pvoborni at redhat.com>
To: dpal at redhat.com, Rob Crittenden <rcritten at redhat.com>,
Christopher Lamb/Switzerland/IBM at IBMCH
Cc: freeipa-users at redhat.com
Date: 29.04.2015 13:27
Subject: Re: [Freeipa-users] FreeIPA WebUI Logout logs back in
On 04/28/2015 11:53 PM, Dmitri Pal wrote:
> On 04/28/2015 05:39 PM, Rob Crittenden wrote:
>> Dmitri Pal wrote:
>>> On 04/28/2015 05:11 PM, Christopher Lamb wrote:
>>>> HI All
>>>>
>>>> I have just tested with the FreeIPA Web UI public demo
>>>> https://ipa.demo1.freeipa.org/ipa/ui/
>>>>
>>>> Using the public demo, when I log out, I get returned to the login
>>>> screen,
>>>> as expected. This allows me to log in with a different user.
>>>>
>>>> With our own installation FreeIPA, from exactly the same browser, I
get
>>>> logged straight back in to the Web UI - which makes logging out
>>>> pointless.
>>>>
>>>> still confused ...
>>> Do you have a kerberos ticket on your local system?
>>> Do klist.
>>> See which tickets you have.
>>> If you have tickets do kdestroy - this will remove the ability to SSO.
>>> If you then try to use your IPA server you will have the same
experience
>>> as with public demo.
>> I think this is a question for Petr. On logout one should be directed to
>> a page that doesn't require auth so it doesn't renegotiate the
>> connection.
>>
>> rob
> Petr can you reproduce this?
>
Yes.
User is automatically logged-in back if he has a valid Kerberos ticket.
The reason is that after showing the login form, the whole UI is
reloaded in order to forget everything in the app memory. It then
behaves as normal access and SSO kicks in.
IPA had a logout page but it was removed. One reason was that PatternFly
says that when a session expires(which, in a way, is a logout), user
should be presented with a login page. As we see, with SSO, the behavior
is a little bit different and unexpected.
I've created a new ticket:
https://fedorahosted.org/freeipa/ticket/5008
--
Petr Vobornik
More information about the Freeipa-users
mailing list