[Freeipa-users] Disable IPA Web UI auto-login

Dmitri Pal dpal at redhat.com
Wed Jul 14 13:56:54 UTC 2010


Shan Kumaraswamy wrote:
> Hi Pal,
> Thank you very much for the clarification. The second question is: I
> want to access the URL from my laptop using Firefox. I also
> configured the browser as per the IPA installation browser
> configuration and it downloaded the IPA certificate. After that, when I try
> the same URL again, it throws a Kerberos auth failure. Please let
> me know what the issue is.
>  

Have you authenticated from your laptop and do you have a ticket?
Is it a Windows client?
If yes, you need to do kinit from the Windows laptop first to obtain a
ticket.
To do this you need a Kerberos client installed and configured.
If the laptop is a part of the IPA domain then this is one scenario; if
not, then a different one.

http://www.freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_(Windows/Linux)_-_Step_by_step
http://freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/chap-Client_Configuration_Guide-Using_MicrosoftWindows_to_Manage_IPA.html#sect-Client_Configuration_Guide-Using_MicrosoftWindows_to_Manage_IPA-Configuring_Windows_XP_Pro_and_Windows_2000_Pro


>
>
>  
> On Wed, Jul 14, 2010 at 4:19 PM, Dmitri Pal <dpal at redhat.com
> <mailto:dpal at redhat.com>> wrote:
>
>     Shan Kumaraswamy wrote:
>     > Dear All,
>     >
>     >
>     >
>     > Can anyone let me know how to disable IPA admin “auto-login” from
>     > FreeIPA server, basically I need to use this URL
>     > https://ipaserver.example.com/ipa/ui  and should ask user name and
>     > password every time while opening the login page,
>     >
>     This is not a bug. It is a feature :-)
>     A bit of explanation about how things work.
>     When the admin authenticates, he gets a Kerberos ticket.
>     This ticket is used to get access to the UI (automatically). It is a
>     feature of Kerberos.
>     You would not be able to log in if you do not have a ticket.
>     If you have a ticket, this means you already proved your identity
>     to the server and there is no need to challenge you again.
>     What you are asking for is form-based authentication. It is not
>     implemented in IPA and not planned to be implemented in v2 because the
>     scheme above has the same security attributes but is much more convenient.
>     So there is no way to disable the auto-login feature.
>
>
>
>     > and also the administrator will login via “Firefox”  any machine in
>     > the intranet (LAN) using the IPA admin login credentials.
>     >
>
>     Can you explain this part please? Log in to any machine? Sure, if you
>     configured SSH to use Kerberos you will be able to SSH into any
>     machine unless you configured some access control rules that would
>     prevent you from doing so.
>
>
>     >
>     > --
>     > Thanks & Regards
>     > Shan Kumaraswamy
>     >
>     >
>
>
>     --
>     Thank you,
>     Dmitri Pal
>
>     Engineering Manager IPA project,
>     Red Hat Inc.
>
>
>
>
>
>
> -- 
> Thanks & Regards
> Shan Kumaraswamy
>


-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

