[Freeipa-devel] [PATCH] Add DS to IPA migration plugin and password migration page.

Fri Oct 30 20:10:46 UTC 2009

Rob Crittenden wrote:
> Dmitri Pal wrote:
>>>> Why make them fail? 
>>> True, it isn't ideal but all users fail the first time in the browser
>>> as it is. There isn't a stable way to pre-configure the browser
>>> currently. It either involves directly modifying files in the firefox
>>> rpm which will both cause rpm verification issues and be lost when an
>>> upgrade is done. Or we have to run something on the client to fix
>>> their browser profile when we run ipa-client-install and this will
>>> only affect existing profiles (and won't take effect until any running
>>> browser is restarted).
>>>
>> This should be filed as an RFE with FF.
>
> This would be handled by the bug below.
>
>>
>>
>>> There is a browser bug filed so one can configure a directory of
>>> additional settings to be read as sort of a global configuration
>>> cache. Once this is available we can write to one spot and
>>> pre-configure kerberos settings.
>>
>> Can you point me to it?
>
> https://bugzilla.redhat.com/show_bug.cgi?id=516200
>>
>>> Similarly once the global NSS database is in place we can put the IPA
>>> CA cert there and be trusted by all browsers on the system.
>>>
>>>> I assume that things like cfengine or puppet can be used to already
>>>> precofigure browsers to know about IPA.
>>> Probably but again it's a client-side issue and the browser profile
>>> needs to be updated. Definitely a possibility.
>>>
>>>> So failing them and forcing them to use kinit manually sounds like
>>>> a bad
>>>> user experience approach to me.
>>> Yup. But this is close to what happens with new users now. They kinit
>>> (or not), try to hit the UI and in FF 3.5 fail with a nasty error
>>> message about untrusted CA's. If they decide to continue they get a
>>> kerberos failed page and can run a little javascript program to
>>> configure the browser. This little program causes a hair-on-fire
>>> warning to pop up. Then they need to restart the browser to work.
>>>
>>
>> They need to accept the cert first time right? Ok I understand why.
>
> Yes but beginning with FF 3.5 they have to go through a 2-step process
> where they accept the CA, add an exception etc.
>
>> And where this little javascript program comes from?
>> Do we provide it or it is a part of something standard?
>
> We provide it on the IPA server. It modified the user preferences to
> configure kerberos. In order to modify user preferences the javascript
> needs to be signed by a trusted CA (we use the IPA CA) and the user
> must agree to it. The dialog that asks has a several second pause
> before Ok is ungreyed.
>
>> Why it causes hair-on-fire?
>
> The message is not configurable, it just says that something is trying
> to modify your user preferences.
>
> rob
Anything we think might improve user experience let us log a bug for it.

-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/