[Freeipa-users] A public interface (aka My account management)

Martin Kosek mkosek at redhat.com
Thu Apr 25 08:30:29 UTC 2013


On 04/24/2013 10:30 PM, Chris Evich wrote:
> On 04/24/2013 08:32 AM, Tomas Babej wrote:
>> On 04/24/2013 01:53 PM, Arturo Borrero wrote:
>>> Hi there.
>>>
>>> I'm wondering if it's possible to get FreeIPA with a 'public user
>>> interface'.
>>> This is: a place where a standard user can update his password and
>>> other personal data. I'm thinking of something similar to
>>> google.com/accounts
>>>
>>> Does this exist? If not, is it possible to develop this addon?
>>>
>>> We are strongly evaluating this functionality in order to actually
>>> implement FreeIPA as our identity management system.
>>>
>>> Best regards
>> Hi,
>>
>> every user can log in to the Web UI using their login and Kerberos
>> password.
>>
>> Having no other rights, there they can only edit their contact
>> information, address information, reset their password, etc.
>>
>> See /ipa/ui/ on your FreeIPA server, that is
>> https://ipa.example.com/ipa/ui/
>> <https://vm-131.idm.lab.bos.redhat.com/ipa/ui/index.html#identity=user&navigation=identity&user-pkey=random&user-facet=details>
> 
> Having played with it off/on a year or so ago, IIRC it's relatively
> easy to get apache + SSL speaking with LDAP + Kerberos. Even ignoring
> the direct python IPA interface.  With some server-side scripting (I did
> it in python) you could emulate most of what's on the google
> accounts-page.
> 
> The hardest part I found was getting my head around the lower-level LDAP
> + Kerberos python interfaces.  However, going from understanding
> common-operations of both technologies from the command-line level to
> working with the APIs isn't a very long road.
> 
> Depending on how "pretty" the web-site needs to be, the "code one
> yourself" approach could be feasible, given educated developer
> resources.  Since it sounds like your requirements are fairly basic,
> this may be an option to consider. (No I'm not volunteering, though it
> sounds fun :)
> 
> Otherwise, I've also used the built-in web interface.  It may be a bit
> cluttered for someone who _just_ needs to change a password or other
> very simplistic task (compared to google accounts-page).  However if
> your users are somewhat technically-minded, they shouldn't have any
> trouble with the built-in self-service UI.  It also offers a HUGE
> benefit to greatly extend self-service to the n-th degree, when its
> multi-level rights-management features are used.
>

Hello Chris,

Thanks for info! Do you have any specific suggestions which would help you make
the user self-service page more acceptable for regular users? Having users
building their own self-service pages instead of using the vanilla self-service
page does not seem like something we would like to have.

We are already considering simplifying the self-service page, so any
suggestions and ideas for improving it are welcome.

Martin



