Dmitri Pal wrote:
Why make them fail?
True, it isn't ideal but all users fail the first time in the browser
as it is. There isn't a stable way to pre-configure the browser
currently. It either involves directly modifying files in the firefox
rpm which will both cause rpm verification issues and be lost when an
upgrade is done. Or we have to run something on the client to fix
their browser profile when we run ipa-client-install and this will
only affect existing profiles (and won't take effect until any running
browser is restarted).

This should be filed as an RFE with FF.

This would be handled by the bug below.
There is a browser bug filed so one can configure a directory of
additional settings to be read as sort of a global configuration
cache. Once this is available we can write to one spot and
pre-configure kerberos settings.

Can you point me to it?

https://bugzilla.redhat.com/show_bug.cgi?id=516200

Similarly once the global NSS database is in place we can put the IPA
CA cert there and be trusted by all browsers on the system.

I assume that things like cfengine or puppet can already be used to
preconfigure browsers to know about IPA.
Probably but again it's a client-side issue and the browser profile
needs to be updated. Definitely a possibility.

So failing them and forcing them to use kinit manually sounds like a bad
user experience approach to me.
Yup. But this is close to what happens with new users now. They kinit
(or not), try to hit the UI and in FF 3.5 fail with a nasty error
message about untrusted CAs. If they decide to continue they get a
kerberos failed page and can run a little javascript program to
configure the browser. This little program causes a hair-on-fire
warning to pop up. Then they need to restart the browser to work.
They need to accept the cert first time right? Ok I understand why.

Yes but beginning with FF 3.5 they have to go through a 2-step process where they accept the CA, add an exception etc.

And where does this little javascript program come from?
Do we provide it or is it part of something standard?

We provide it on the IPA server. It modifies the user preferences to configure kerberos. In order to modify user preferences the javascript needs to be signed by a trusted CA (we use the IPA CA) and the user must agree to it. The dialog that asks has a several-second pause before OK is ungreyed.

Why does it cause hair-on-fire?

The message is not configurable, it just says that something is trying to modify your user preferences.

rob
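The client-side alternative Rob mentions above (fixing existing Firefox profiles from ipa-client-install, with the caveat that a running browser only picks the change up after a restart) can be sketched as a small shell function. This is an added example, not FreeIPA's own code or the signed javascript it ships. It assumes the standard profile layout under ~/.mozilla/firefox/<profile>/ and writes the two real Firefox prefs for SPNEGO (network.negotiate-auth.trusted-uris and network.negotiate-auth.delegation-uris) into a user.js, which Firefox re-applies over prefs.js at every start, so a firefox package upgrade does not undo it. The domain suffix and the HOMEDIR argument are the caller's; the .parentlock check for an open profile is the author's heuristic, not something the thread describes.

```sh
#!/bin/sh
# Example helper (not FreeIPA code): write Kerberos/SPNEGO prefs into every
# existing Firefox profile under HOMEDIR via user.js.
#
# Usage: ipa_firefox_prefs HOMEDIR DOMAIN
#   Prints each profile directory it updated; exit status 1 if none found.
# Assumptions: profiles live in HOMEDIR/.mozilla/firefox/*/ and contain a
# prefs.js; DOMAIN is the IPA domain (e.g. example.com), trusted as ".DOMAIN".
ipa_firefox_prefs() {
    home="$1"
    domain="$2"
    found=0
    for profile in "$home"/.mozilla/firefox/*/; do
        # An unmatched glob stays literal, so require a real prefs.js.
        [ -f "$profile/prefs.js" ] || continue
        found=1
        # Firefox holds .parentlock while the profile is open; the prefs we
        # write are only read at the next start, so warn rather than fail.
        if [ -e "$profile/.parentlock" ]; then
            echo "warning: $profile appears to be in use; prefs apply after restart" >&2
        fi
        userjs="$profile/user.js"
        tmp="$userjs.tmp"
        # Keep any unrelated user.js lines, but drop our own earlier entries
        # so the function is idempotent when re-run (e.g. on every install).
        if [ -f "$userjs" ]; then
            grep -v -e 'network.negotiate-auth.trusted-uris' \
                    -e 'network.negotiate-auth.delegation-uris' \
                    "$userjs" > "$tmp" || true
        else
            : > "$tmp"
        fi
        # Leading dot trusts the whole domain for SPNEGO negotiation and for
        # credential delegation (needed for the IPA web UI behind the server).
        printf 'user_pref("network.negotiate-auth.trusted-uris", ".%s");\n' \
            "$domain" >> "$tmp"
        printf 'user_pref("network.negotiate-auth.delegation-uris", ".%s");\n' \
            "$domain" >> "$tmp"
        mv "$tmp" "$userjs"
        echo "$profile"
    done
    [ "$found" -eq 1 ]
}
```

Because user.js lives in the user's profile rather than inside the firefox rpm, rpm -V stays clean and the setting survives package upgrades; the remaining gap the thread points out (no effect on profiles created later) is exactly what the global settings directory would close.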


_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
