On 10/05/2012 05:30 PM, Rob Crittenden wrote:
Simo Sorce wrote:
On Fri, 2012-10-05 at 17:33 +0300, Alexander Bokovoy wrote:
On Fri, 05 Oct 2012, Endi Sukma Dewata wrote:
On 10/5/2012 8:56 AM, Alexander Bokovoy wrote:
On Thu, 04 Oct 2012, Petr Vobornik wrote:
On 10/03/2012 04:19 PM, Simo Sorce wrote:
On Wed, 2012-10-03 at 15:50 +0200, Petr Vobornik wrote:
As Alexander proposed in other channel. I will remove the
removal of
configure.jar and offer the old configuration method if user is
using FF
< 4 so we don't have to make the extension compatible with this
ancient
version. It will be done this way:
If FF < 4 is detected:
* in browserconfig.html steps 2 and 3 will be grayed-out and
replaced
with step 2a with a link to ssbrowser.html and a description
explaining
the problem
* ssbrowser.html will be enhanced by steps for autoconfiguration
of FF
< 4.
We can also show the steps in browserconfig, but I want to have it
somehow available even if user is not using FF<4 to keep general
awareness about the problem and also to be usable if version
detection
fails. Other possible problem with steps in browserconfig is
different
styles of buttons (to keep the same styles we would have to include
same
css files and jquery.js to configure.jar, which I don't want to
do).
Excellent plan, we should try to reduce the amount of work, and
letting
old browsers use the old method is perfectly fine.
If FF15 is the only browser that fails with the old method I
would even
go as far as testing exclusively with FF15 and have anything <
FF15 use
the old method.
Simo.
Updated patches attached.
browserconfig.html points to older config method for versions
prior to
15.
The extension is theoretically compatible with FF3.6 and then FF10
and
later. There is a problem for FF4-9 with loading strings from
.properties file. FF3.6 is working because it doesn't use
bootstraping.
I also notice that we have an existing issue when navigating to
config
pages right away before accepting any certificate. Those pages are
using some resorces from /ui/ folder which is redirected to https.
These resources are not loaded because certificate isn't imported. If
user is going straight for Web UI, he won't encounter this issue, but
someone might.
I tested this patchset and apart from the non-obvious extension
description displayed when installing it, which is based on a
certificate,
everything is great.
ACK.
It works for me too. Just some questions:
1. It looks like the Firefox is limited to version 10 to 15 in
install/ffextension/install.rdf. Do we need the upper limit?
<em:minVersion>10.0</em:minVersion>
<em:maxVersion>15.0.*</em:maxVersion>
My understanding is that maxversion represents maximum tested version.
[https://developer.mozilla.org/en-US/docs/Install_Manifests] but the
document doesn't say if the extension stops being installable on newer
versions. I tried maxversion=14.0.* on FF15 and it worked.
2. In install/html/ssbrowser.html the step 5 is optional. Should we
explain what's that for or why we need it? General users could be
confused and stuck if they are given choices that they don't
understand. It's probably better to make it a required step if it
doesn't cause any problem.
<li> 5. Optional: Repeat the above procedure for the
<tt>network.negotiate-auth.delegation-uris</tt> entry, using the same
domain. </li>
delegation-uris setting should be removed. It is not needed since we
started using s4u2proxy mechanism.
Yes and we removed it because it is potentially a dangerous setting.
It should be generally discouraged and enabled only for specific fqdn's
not wildcard ones in future.
Simo.
I've pushed these 4 patches to master and ipa-3-0.
Petr, please submit a patch to remove/clarify references to
delegation-uris setting.
Patch attached.
rob
--
--
Petr Vobornik
>From 89279cf52e12fed1cde7bb5bac248e975ec36e7a Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvobo...@redhat.com>
Date: Fri, 5 Oct 2012 17:39:18 +0200
Subject: [PATCH] Removal of delegation-uris instruction from browser config
Delegation is not needed since support of s4u2proxy mechanism.
https://fedorahosted.org/freeipa/ticket/3094
---
install/html/ssbrowser.html | 1 -
1 file changed, 1 deletion(-)
diff --git a/install/html/ssbrowser.html b/install/html/ssbrowser.html
index 285b1d1239288badca56ab29c4694c6722fdd534..9e17b5fb04951ad8d05077a62ddb809441c58104 100644
--- a/install/html/ssbrowser.html
+++ b/install/html/ssbrowser.html
@@ -63,7 +63,6 @@
<li> 2. In the Filter field, type <tt>negotiate</tt> to restrict the list of options. </li>
<li> 3. Double-click the <tt>network.negotiate-auth.trusted-uris</tt> entry to display the Enter string value dialog box. </li>
<li> 4. Enter the name of the domain against which you want to authenticate, for example, <tt class="example-domain">.example.com.</tt> </li>
- <li> 5. Optional: Repeat the above procedure for the <tt>network.negotiate-auth.delegation-uris</tt> entry, using the same domain. </li>
<br>
<li><strong> You are all set. </strong></li>
</ul>
--
1.7.11.4
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
