[Freeipa-users] A public interface (aka My account management)

Arturo Borrero aborrero at cica.es
Thu Apr 25 08:49:32 UTC 2013


On 25/04/13 10:30, Martin Kosek wrote:
> On 04/24/2013 10:30 PM, Chris Evich wrote:
>> On 04/24/2013 08:32 AM, Tomas Babej wrote:
>>> On 04/24/2013 01:53 PM, Arturo Borrero wrote:
>>>> Hi there.
>>>>
>>>> I'm wondering if it's possible to get FreeIPA with a 'public user
>>>> interface'.
>>>> This is: a place where a standard user can update his password and
>>>> other personal data. I'm thinking of something similar to
>>>> google.com/accounts
>>>>
>>>> Does this exist? If not, is it possible to develop this addon?
>>>>
>>>> We are strongly evaluating this functionality in order to actually
>>>> implement FreeIPA as our identity management system.
>>>>
>>>> Best regards
>>> Hi,
>>>
>>> every user can log in to the Web UI using their login and Kerberos
>>> password.
>>>
>>> Having no other rights, there they can only edit their contact
>>> information, address information, reset their password, etc.
>>>
>>> See /ipa/ui/ on your FreeIPA server, that is
>>> https://ipa.example.com/ipa/ui/
>>> <https://vm-131.idm.lab.bos.redhat.com/ipa/ui/index.html#identity=user&navigation=identity&user-pkey=random&user-facet=details>
>>
>> Having played with it off/on a year or so ago, IIRC it's relatively
>> easy to get apache + SSL speaking with LDAP + Kerberos.   Even ignoring
>> the direct python IPA interface.  With some server-side scripting (I did
>> it in python) you could emulate most of what's on the google
>> accounts-page.
>>
>> The hardest part I found was getting my head around the lower-level LDAP
>> + Kerberos python interfaces.  However, going from understanding
>> common-operations of both technologies from the command-line level to
>> working with the APIs isn't a very long road.
>>
>> Depending on how "pretty" the web-site needs to be, the "code one
>> yourself" approach could be feasible, given educated developer
>> resources.  Since it sounds like your requirements are fairly basic,
>> this may be an option to consider. (No I'm not volunteering, though it
>> sounds fun :)
>>
>> Otherwise, I've also used the built-in web interface.  It may be a bit
>> cluttered for someone who _just_ needs to change a password or other
>> very simplistic task (compared to google accounts-page).  However if
>> your users are somewhat technically-minded, they shouldn't have any
>> trouble with the built-in self-service UI.  It also offers a HUGE
>> benefit to greatly extend self-service to the n-th degree, when it's
>> its multi-level rights-management features are used.
>>
> Hello Chris,
>
> Thanks for info! Do you have any specific suggestions which would help you make
> the user self-service page more acceptable for regular users? Having users
> building their own selfservice pages instead of using the vanilla selfservice
> page does not seem like something we would like to have.
>
> We are already considering simplifying the self-service page, so any
> suggestions and ideas for improving it are welcome.
>
Hi all,

thanks all for your quick and deep response.

FreeIPA is an amazing tool :-)

Best regards.

-- 
Arturo Borrero González
Departamento de Seguridad Informática (nis at cica.es)
Centro Informático Científico de Andalucía (CICA)
Avda. Reina Mercedes s/n - 41012 - Sevilla (Spain)
Tfno.: +34 955 056 600 / FAX: +34 955 056 650
Consejería de Economía, Innovación, Ciencia y Empleo
Junta de Andalucía

