On Tue, 18 Mar 2014, Petr Viktorin wrote:
AFAIK this patch was only posted to Trac, where it was kind of
forgotten. Let's move it to the mailing list.
It looks & works fine, ACK for those aspects. But Dmitri had some
concerns about the validity of the ticket itself:
Unusual but not critical. In future this can be an OTP prompt rather than
password prompt and making sure time is correct on both sides might be
more critical. I do not see a big problem with a slight delay. Banks now
prompt people for user name on one page and then for password on another.
It is a common practice. I would think that decoupling the prompts and
getting people used to it is a benefit rather than a hassle. The trend
of prompting for user and password independently should continue.
We should make it more usable if there are usability concerns but IMO we
should not be trying to push people back to traditional notion of "user
name and password are always together". They are not.
It may be common practice but it doesn't really make sense to
temporally split related actions if there's no need for it. It is
annoying. In the banks' case, the login pages follow one another, they
don't insert some completely unrelated output in the middle of the
login process. If we want to teach new expectations to users,
ipa-client-install is not the place to do it.
The OTP case will work since with the patch, time is synced before
both prompts.
The comment gives a good reason to move the ticket to Backlog, but
since we have a fix I'd like to push it.
I'm ok with moving time sync prior to the user prompt.
With newer Kerberos we also have means to defeat time issues as KDC and
services can get time difference accounted from the TGT.
I don't think there was any specific reason for splitting the sequence
up, just time sync was put immediately before the operation where
correct time mattered. So, there is no need to read in tea leaves too
much. ;)
--
/ Alexander Bokovoy