[Freeipa-users] Disable IPA Web UI auto-login
Dmitri Pal
dpal at redhat.com
Wed Jul 14 13:56:54 UTC 2010
Shan Kumaraswamy wrote:
> Hi Pal,
> Thank you very much for the clarificaiton, the secound question is I
> want to access the url from my laptop using firefox, and also I
> configured the browser as per the IPA installation browers
> configuration and its download the ipa certificate, after when I try
> the same url again its througing the kerberos auth failure. Please let
> me know what is the issure.
>
Have you authenticated from your laptop and do you have a ticket?
Is it a Windows client?
If yes you need to do kinit from the Windows laptop first to obtain a
ticket.
To do this you need kerberos client installed and configured.
If the laptop is a part of the IPA domain then this is one scenario if
not then a different.
http://www.freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_(Windows/Linux)_-_Step_by_step
http://freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/chap-Client_Configuration_Guide-Using_MicrosoftWindows_to_Manage_IPA.html#sect-Client_Configuration_Guide-Using_MicrosoftWindows_to_Manage_IPA-Configuring_Windows_XP_Pro_and_Windows_2000_Pro
>
>
>
> On Wed, Jul 14, 2010 at 4:19 PM, Dmitri Pal <dpal at redhat.com
> <mailto:dpal at redhat.com>> wrote:
>
> Shan Kumaraswamy wrote:
> > Dear All,
> >
> >
> >
> > Can anyone let me know how to disable IPA admin “auto-login” from
> > FreeIPA server, basically I need to use this URL
> > https://ipaserver.example.com/ipa/ui and should ask user name and
> > password every time while opening the login page,
> >
> This is not a bug. It is a feature :-)
> A bit of explanation about how things work.
> When admin does authentication he gets a kerberos ticket.
> This ticket is used to get access to the UI (automatically). It is a
> feature of kerberos.
> You would not be able to login if you do not have a ticket.
> If you have a ticket, this means you already proved your identity
> to the
> server and there is no need to challenge you again.
> What you are asking for is a form based authentication. It is not
> implemented in IPA and not planned to be implemented in v2 because the
> scheme above has same security attributes but is much more convenient.
> So there is no way to disable the auto-login feature.
>
>
>
> > and also the administrator will login via “Firefox” any machine in
> > the intranet (LAN) using the IPA admin login credentials.
> >
>
> Can you explain this part please? Login into any machine? Sure if you
> configured SSH to use kerberos you will be able to SSH into any
> machine
> unless you configures some access control rules that would prevent you
> from doing so.
>
>
> >
> > --
> > Thanks & Regards
> > Shan Kumaraswamy
> >
> >
> ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
> > https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> --
> Thank you,
> Dmitri Pal
>
> Engineering Manager IPA project,
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/ <http://www.redhat.com/carveoutcosts/>
>
>
>
>
> --
> Thanks & Regards
> Shan Kumaraswamy
>
--
Thank you,
Dmitri Pal
Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
More information about the Freeipa-users
mailing list