In the previous versions of FreeIPA, this worked to disable the
browser-side Kerberos login prompt:

# version 27 ipa.conf
# Protect /ipa and everything below it in webspace with Apache Kerberos auth
<Location "/ipa">
  <If "%{HTTP_USER_AGENT} !~ /(Chrome|Mozilla|MSIE)/">
  AuthType GSSAPI
  AuthName "Kerberos Login"
  GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
  GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
  GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
  GssapiDelegCcacheUnique On
  GssapiUseS4U2Proxy on
  GssapiAllowedMech krb5
  Require valid-user
  ErrorDocument 401 /ipa/errors/unauthorized.html
  </If>
  WSGIProcessGroup ipa
  WSGIApplicationGroup ipa
  Header always append X-Frame-Options DENY
  Header always append Content-Security-Policy "frame-ancestors 'none'"
</Location>

I've been asked to disable the password dialog popup because it is
confusing to end users.

Before, in ipa.conf this worked to disable the dialog popup:

# version 22 ipa.conf
# Protect /ipa and everything below it in webspace with Apache Kerberos auth
<Location "/ipa">
  <If "%{HTTP_USER_AGENT} !~ /(Chrome|Mozilla|MSIE)/">
  AuthType GSSAPI
  AuthName "Kerberos Login"
  GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
  GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
  GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
  GssapiDelegCcacheUnique On
  GssapiUseS4U2Proxy on
  GssapiAllowedMech krb5
  Require valid-user
  ErrorDocument 401 /ipa/errors/unauthorized.html
  </If>
  WSGIProcessGroup ipa
  WSGIApplicationGroup ipa
  Header always append X-Frame-Options DENY
  Header always append Content-Security-Policy "frame-ancestors 'none'"
</Location>

But inserting the "If useragent = chrome/ie" now just gives me a
"forbidden" popup.

Does anyone know of a way to disable the browser's Kerberos password popup?

Thanks,

Anthony Clark
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to