Text in the ticket is IMHO wrong. Patch uses different text.:
""""
If you choose the password and two-factor authentication types at once,
Kerberos still enforces authentication with both password and OTP. LDAP allows authentication with either one of the authentication types in this situation.
"""

One can also use only "Password" with kinit but must provide an armor ccache.

e.g.:
$ kinit admin
$ klist
Ticket cache: KEYRING:persistent:17127:17127
...
$ kinit -T KEYRING:persistent:17127:17127 fbar


https://fedorahosted.org/freeipa/ticket/4935
--
Petr Vobornik
From b38f2b4f6c3b4b60a699efd2d55e847896d9d966 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvobo...@redhat.com>
Date: Mon, 10 Aug 2015 12:58:14 +0200
Subject: [PATCH] webui: add LDAP vs Kerberos behavior description to user auth
 types

https://fedorahosted.org/freeipa/ticket/4935
---
 install/ui/src/freeipa/serverconfig.js | 5 ++++-
 install/ui/src/freeipa/user.js         | 5 ++++-
 install/ui/test/data/ipa_init.json     | 4 ++--
 ipalib/plugins/internal.py             | 4 ++--
 4 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/install/ui/src/freeipa/serverconfig.js b/install/ui/src/freeipa/serverconfig.js
index efe1805698372b45afae38d1f9dd883034ee03c6..70bb9574b8368d6a294dc171fdea2d03dfe56cab 100644
--- a/install/ui/src/freeipa/serverconfig.js
+++ b/install/ui/src/freeipa/serverconfig.js
@@ -83,7 +83,10 @@ return {
                                 { label: '@i18n:authtype.type_radius', value: 'radius' },
                                 { label: '@i18n:authtype.type_otp', value: 'otp' }
                             ],
-                            tooltip: '@i18n:authtype.config_tooltip'
+                            tooltip: {
+                                title: '@i18n:authtype.config_tooltip',
+                                html: true
+                            }
                         },
                         {
                             $type: 'checkbox',
diff --git a/install/ui/src/freeipa/user.js b/install/ui/src/freeipa/user.js
index 0e828c16b999ffd58504bc4e53d2748bcd16b042..a920e088aacd02585cd131dce725272f47e4cf1c 100644
--- a/install/ui/src/freeipa/user.js
+++ b/install/ui/src/freeipa/user.js
@@ -188,7 +188,10 @@ return {
                                 { label: '@i18n:authtype.type_radius', value: 'radius' },
                                 { label: '@i18n:authtype.type_otp', value: 'otp' }
                             ],
-                            tooltip: '@i18n:authtype.user_tooltip'
+                            tooltip: {
+                                title: '@i18n:authtype.user_tooltip',
+                                html: true
+                            }
                         },
                         {
                             $type: 'entity_select',
diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json
index ef172950527512e71c28916274153036f17212fe..b80e44ffe8ead3d0b29196ca3af18e00d72a9f04 100644
--- a/install/ui/test/data/ipa_init.json
+++ b/install/ui/test/data/ipa_init.json
@@ -49,12 +49,12 @@
                         "show_results": "Show Results"
                     },
                     "authtype": {
-                        "config_tooltip": "Implicit method (password) will be used if no method is chosen.",
+                        "config_tooltip": "<p>Implicit method (password) will be used if no method is chosen.</p><p><strong>Password + Two-factor:</strong> LDAP and Kerberos allow authentication with either one of the authentication types but Kerberos uses pre-authentication method which requires to use armor ccache.</p><p><strong>RADIUS with another type:</strong> Kerberos always use RADIUS, but LDAP never does. LDAP only recognize the password and two-factor authentication options.</p>",
                         "type_otp": "Two factor authentication (password + OTP)",
                         "type_password": "Password",
                         "type_radius": "Radius",
                         "type_disabled": "Disable per-user override",
-                        "user_tooltip": "Per-user setting, overwrites the global setting if any option is checked."
+                        "user_tooltip": "<p>Per-user setting, overwrites the global setting if any option is checked.</p><p><strong>Password + Two-factor:</strong> LDAP and Kerberos allow authentication with either one of the authentication types but Kerberos uses pre-authentication method which requires to use armor ccache.</p><p><strong>RADIUS with another type:</strong> Kerberos always use RADIUS, but LDAP never does. LDAP only recognize the password and two-factor authentication options.</p>",
                     },
                     "buttons": {
                         "about": "About",
diff --git a/ipalib/plugins/internal.py b/ipalib/plugins/internal.py
index f97885ceae8f3c0913a16c281c2faa8a918541e7..e1904d2d3d1e1523895554b8d8e58b1dfd070366 100644
--- a/ipalib/plugins/internal.py
+++ b/ipalib/plugins/internal.py
@@ -191,12 +191,12 @@ class i18n_messages(Command):
             "show_results": _("Show Results"),
         },
         "authtype": {
-            "config_tooltip": _("Implicit method (password) will be used if no method is chosen."),
+            "config_tooltip": _("<p>Implicit method (password) will be used if no method is chosen.</p><p><strong>Password + Two-factor:</strong> LDAP and Kerberos allow authentication with either one of the authentication types but Kerberos uses pre-authentication method which requires to use armor ccache.</p><p><strong>RADIUS with another type:</strong> Kerberos always use RADIUS, but LDAP never does. LDAP only recognize the password and two-factor authentication options.</p>"),
             "type_otp": _("Two factor authentication (password + OTP)"),
             "type_password": _("Password"),
             "type_radius": _("Radius"),
             "type_disabled": _("Disable per-user override"),
-            "user_tooltip": _("Per-user setting, overwrites the global setting if any option is checked."),
+            "user_tooltip": _("<p>Per-user setting, overwrites the global setting if any option is checked.</p><p><strong>Password + Two-factor:</strong> LDAP and Kerberos allow authentication with either one of the authentication types but Kerberos uses pre-authentication method which requires to use armor ccache.</p><p><strong>RADIUS with another type:</strong> Kerberos always use RADIUS, but LDAP never does. LDAP only recognize the password and two-factor authentication options.</p>"),
         },
         "buttons": {
             "about": _("About"),
-- 
2.4.3

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to