On 07/22/2013 09:18 AM, Martin Kosek wrote:
> On 07/20/2013 02:51 AM, Stephen Ingram wrote:
>> Is there a way to disable the forms-based login to the WebUI and require a
>> Kerberos ticket?
>
> No, this is currently not possible. Stephen, can you please describe your use
> case why you want it to be off? This would allow us to consider this as an
> enhancement for the future.
>
> Petr, would it be possible to achieve this via the Web UI plugin system introduced
> in FreeIPA 3.2?

The login form can be removed by replacing IPA.unauthorized_dialog with a different implementation. But it only hides the interface; the login feature itself (/ipa/session/login_password) won't be affected. So a user can still send an HTTP POST with his credentials to log in. It's how the separate login page (/ipa/ui/login.html) works.

So the steps to disable forms-based login are:
 1. deny access to /ipa/session/login_password
 2. create a UI plugin to change the Web UI unauthorized_dialog
 3. deny access to /ipa/ui/login.html

#1 is sufficient if one does not care about UX.


Petr Vobornik
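
A check for the steps listed in the message above, as an added example that is not part of the original post or FreeIPA's own code: it POSTs placeholder credentials to /ipa/session/login_password and fetches /ipa/ui/login.html, then reports whether each is refused. The 403/404 convention for a deny rule, the `user`/`password` form field names and all function names are assumptions.

```python
"""Check that the forms-based login endpoints are refused (added example)."""
import urllib.error
import urllib.parse
import urllib.request

# Paths named in the message above.
PASSWORD_LOGIN = "/ipa/session/login_password"
LOGIN_PAGE = "/ipa/ui/login.html"
# Assumption: the web server's deny rule answers 403 (404 if the path is removed).
BLOCKED = {403, 404}


def http_status(url, data=None, context=None):
    """Return the HTTP status for a GET (data=None) or a form POST."""
    req = urllib.request.Request(url, data=data)
    if data is not None:
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=10, context=context) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        # 4xx/5xx arrive as exceptions; the code is what we want.
        return err.code


def check_forms_login(base_url, context=None):
    """Map each path to (status, blocked) for one server."""
    # Constructed placeholder credentials; only the status code matters.
    form = urllib.parse.urlencode({"user": "probe", "password": "probe"}).encode()
    results = {}
    for path, data in ((PASSWORD_LOGIN, form), (LOGIN_PAGE, None)):
        status = http_status(base_url.rstrip("/") + path, data, context)
        # Any other status (200, 400, 401, ...) means the request got past
        # the web server's access rules, so the path is still reachable.
        results[path] = (status, status in BLOCKED)
    return results


if __name__ == "__main__":
    import sys
    report = check_forms_login(sys.argv[1])  # base URL of your own IPA server
    for path, (status, blocked) in report.items():
        print(f"{'blocked' if blocked else 'REACHABLE'}  {status}  {path}")
    # Non-zero exit if either path is still served.
    sys.exit(0 if all(b for _, b in report.values()) else 1)
```

A server with only step 1 applied will show login_password as blocked and login.html as reachable, which matches the "#1 is sufficient if one does not care about UX" case.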

