> >> Why make them fail? > > True, it isn't ideal but all users fail the first time in the browser > as it is. There isn't a stable way to pre-configure the browser > currently. It either involves directly modifying files in the firefox > rpm which will both cause rpm verification issues and be lost when an > upgrade is done. Or we have to run something on the client to fix > their browser profile when we run ipa-client-install and this will > only affect existing profiles (and won't take effect until any running > browser is restarted). > This should be filed as an RFE with FF.
> There is a browser bug filed so one can configure a directory of > additional settings to be read as sort of a global configuration > cache. Once this is available we can write to one spot and > pre-configure kerberos settings. Can you point me to it? > > Similarly once the global NSS database is in place we can put the IPA > CA cert there and be trusted by all browsers on the system. > >> I assume that things like cfengine or puppet can be used to already >> precofigure browsers to know about IPA. > > Probably but again it's a client-side issue and the browser profile > needs to be updated. Definitely a possibility. > >> So failing them and forcing them to use kinit manually sounds like a bad >> user experience approach to me. > > Yup. But this is close to what happens with new users now. They kinit > (or not), try to hit the UI and in FF 3.5 fail with a nasty error > message about untrusted CA's. If they decide to continue they get a > kerberos failed page and can run a little javascript program to > configure the browser. This little program causes a hair-on-fire > warning to pop up. Then they need to restart the browser to work. > They need to accept the cert first time right? Ok I understand why. And where this little javascript program comes from? Do we provide it or it is a part of something standard? Why it causes hair-on-fire? -- Thank you, Dmitri Pal Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ _______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel