[Freeipa-users] FreeIPA WebUI Logout logs back in

Simo Sorce simo at redhat.com
Wed Apr 29 13:58:56 UTC 2015 

On Wed, 2015-04-29 at 07:57 +0200, Christopher Lamb wrote:
> HI Simo, Dmitiri, Rob and co.
> 
> Simos "log in with a different user" suggestion is pretty much what I was
> intending. I want to be able to log out of the web ui, then log back in
> with a different user. e.g. to allow a newly added user to change their
> password to something secret.

Can you open a RFE ticket about this ?
We should track it.

Thanks,
Simo.

> On this particular workstation I have no kerberos ticket (double checking
> with klist at the terminal confirms this). I have not saved the password in
> Firefox (checking in the settings confirms this).
> 
> I often have ssh sessons open via terminal to the FreeIPA Server, and even
> Apache Directory Studio open to browse the LDAP structure and content. I
> don't see how that can play a role, but I mention it for completeness.
> 
> thanks
> 
> Chris
> 
> 
> 
> From:	Simo Sorce <simo at redhat.com>
> To:	dpal at redhat.com
> Cc:	Rob Crittenden <rcritten at redhat.com>, Christopher
>             Lamb/Switzerland/IBM at IBMCH, freeipa-users at redhat.com
> Date:	29.04.2015 03:31
> Subject:	Re: [Freeipa-users] FreeIPA WebUI Logout logs back in
> 
> 
> 
> On Tue, 2015-04-28 at 17:53 -0400, Dmitri Pal wrote:
> > On 04/28/2015 05:39 PM, Rob Crittenden wrote:
> > > Dmitri Pal wrote:
> > >> On 04/28/2015 05:11 PM, Christopher Lamb wrote:
> > >>> HI All
> > >>>
> > >>> I have just tested with the FreeIPA Web UI public demo
> > >>> https://ipa.demo1.freeipa.org/ipa/ui/
> > >>>
> > >>> Using the public demo, when I log out, I get returned to the login
> > >>> screen,
> > >>> as expected. This allows me to log in with a different user.
> > >>>
> > >>> With our own installation FreeIPA, from exactly the same browser, I
> get
> > >>> logged straight back in to the Web UI - which makes logging out
> > >>> pointless.
> > >>>
> > >>> still confused ...
> > >> Do you have a kerberos ticket on your local system?
> > >> Do klist.
> > >> See which tickets you have.
> > >> If you have tickets do kdestroy - this will remove the ability to SSO.
> > >> If you then try to use your IPA server you will have the same
> experience
> > >> as with public demo.
> > > I think this is a question for Petr. On logout one should be directed
> to
> > > a page that doesn't require auth so it doesn't renegotiate the
> connection.
> > >
> > > rob
> > Petr can you reproduce this?
> 
> I've seen this in the past on my own IPA domain at home.
> Perhaps what we should do is to have a logout option that says "log in
> with a different user" and redirect to anon kerberized page that allows
> you to do form based login.
> 
> This would address the case where a domain user wants to log in as admin
> w/o exiting their user session or destroying there ccache (as that may
> imply loosing access to email, other company websites, etc...).
> 
> Simo.
> 
> --
> Simo Sorce * Red Hat, Inc * New York
> 
> 
> 
> 


-- 
Simo Sorce * Red Hat, Inc * New York

More information about the Freeipa-users mailing list