On 03/18/2014 03:50 PM, Rob Crittenden wrote:
Petr Viktorin wrote:
AFAIK this patch was only posted to Trac, where it was kind of
forgotten. Let's move it to the mailing list.

It looks & works fine, ACK for those aspects. But Dmitri had some
concerns about the validity of the ticket itself:

Unusual but not critical. In future this can be an OTP prompt rather
password prompt and making sure time is correct on both sides might be
more critical. I do not see a big problem with a slight delay. Banks now
prompt people for user name on one page and then for password on
It is a common practice. I would think that decoupling the prompts and
getting people used to it is a benefit rather than a hassle. The trend
of prompting for user and password independently should continue.
We should make it more usable if there are usability concerns but IMO we
should not be trying to push people back to traditional notion of "user
name and password are always together". They are not.

It may be common practice but it doesn't really make sense to temporally
split related actions if there's no need for it. It is annoying. In the
banks case, the login pages follow one another, they don't insert some
completely unrelated output in the middle of the login process.
If we want to teach new expectations to users, ipa-client-install is not
the place to do it.
The OTP case will work since with the patch, time is synced before both

The comment gives a good reason to move the ticket to Backlog, but since
we have a fix I'd like to push it.

IIRC Alexander purposely put the time sync in here to ensure that at the
time we actually obtain the password time is in sync. I can't say I
always agreed with that, but it does make a certain amount of sense.

Was that really a conscious decision?
The only thing between the old and new calls of the sync is the actual password entry. I don't think we should worry about clocks de-syncing while the admin enters a password.


Freeipa-devel mailing list

Reply via email to