Hi Simo, Dmitri, Rob and co.

Simo's "log in with a different user" suggestion is pretty much what I was
intending. I want to be able to log out of the web UI, then log back in
with a different user, e.g. to allow a newly added user to change their
password to something secret.

On this particular workstation I have no kerberos ticket (double checking
with klist at the terminal confirms this). I have not saved the password in
Firefox (checking in the settings confirms this).

I often have ssh sessions open via terminal to the FreeIPA server, and even
Apache Directory Studio open to browse the LDAP structure and content. I
don't see how that can play a role, but I mention it for completeness.



From:   Simo Sorce <s...@redhat.com>
To:     d...@redhat.com
Cc:     Rob Crittenden <rcrit...@redhat.com>, Christopher
            Lamb/Switzerland/IBM@IBMCH, freeipa-users@redhat.com
Date:   29.04.2015 03:31
Subject:        Re: [Freeipa-users] FreeIPA WebUI Logout logs back in

On Tue, 2015-04-28 at 17:53 -0400, Dmitri Pal wrote:
> On 04/28/2015 05:39 PM, Rob Crittenden wrote:
> > Dmitri Pal wrote:
> >> On 04/28/2015 05:11 PM, Christopher Lamb wrote:
> >>> Hi All
> >>>
> >>> I have just tested with the FreeIPA Web UI public demo
> >>> https://ipa.demo1.freeipa.org/ipa/ui/
> >>>
> >>> Using the public demo, when I log out, I get returned to the login
> >>> screen,
> >>> as expected. This allows me to log in with a different user.
> >>>
> >>> With our own FreeIPA installation, from exactly the same browser, I
> >>> logged straight back in to the Web UI - which makes logging out
> >>> pointless.
> >>>
> >>> still confused ...
> >> Do you have a kerberos ticket on your local system?
> >> Do klist.
> >> See which tickets you have.
> >> If you have tickets do kdestroy - this will remove the ability to SSO.
> >> If you then try to use your IPA server you will have the same
> >> as with public demo.
> > I think this is a question for Petr. On logout one should be directed to
> > a page that doesn't require auth so it doesn't renegotiate the
> >
> > rob
> Petr can you reproduce this?

I've seen this in the past on my own IPA domain at home.
Perhaps what we should do is to have a logout option that says "log in
with a different user" and redirect to an anon kerberized page that allows
you to do form-based login.

This would address the case where a domain user wants to log in as admin
w/o exiting their user session or destroying their ccache (as that may
imply losing access to email, other company websites, etc...).


Simo Sorce * Red Hat, Inc * New York
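The check Dmitri describes (klist, then kdestroy) and Rob's point about the post-logout page renegotiating can be turned into a small diagnostic. The script below is an added example written for this thread, not FreeIPA project code: it parses klist output for a ticket in the IPA realm (the reason the browser can SSO straight back in) and inspects an HTTP response for the `WWW-Authenticate: Negotiate` challenge that triggers that SSO. The sample klist and HTTP text are constructed for the example, and the `check_live` probe assumes a host name and the `/ipa/session/login_kerberos` path; verify that path against your own installation before relying on it.

```shell
#!/bin/sh
# Added example for the FreeIPA WebUI logout thread (not project code).
# Purpose: tell whether a browser on this workstation could silently
# re-authenticate via Kerberos after logging out of the Web UI.

# Constructed sample of `klist` output (not captured from a real host).
SAMPLE_KLIST='Ticket cache: KEYRING:persistent:1000:1000
Default principal: someuser@EXAMPLE.COM

Valid starting       Expires              Service principal
04/29/2015 09:00:00  04/30/2015 09:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# Constructed sample of the response header block a kerberized page sends
# when it wants the browser to try SPNEGO.
SAMPLE_401='HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate
Content-Type: text/html'

# ticket_for_realm REALM KLIST_OUTPUT
# Returns 0 when the klist text shows a TGT for REALM, i.e. SSO is possible.
ticket_for_realm() {
    realm=$1
    klist_output=$2
    printf '%s\n' "$klist_output" | grep -qF -- "krbtgt/$realm@$realm"
}

# negotiate_challenged RESPONSE_HEADERS
# Returns 0 when the headers carry a Negotiate challenge. A page reached
# right after logout that answers like this is what logs a ticket-holding
# browser straight back in.
negotiate_challenged() {
    printf '%s\n' "$1" | grep -qi '^WWW-Authenticate: *Negotiate'
}

# check_live IPA_HOST
# Runs the real checks on this workstation. Assumes the host name given and
# the /ipa/session/login_kerberos path (assumption; confirm on your server).
check_live() {
    host=$1
    # klist -s exits 0 only when a valid (unexpired) ticket is present.
    if klist -s 2>/dev/null; then
        echo "valid Kerberos ticket present; browser SSO is possible:"
        klist | head -n 2
        echo "run 'kdestroy' before testing the form-based login"
    else
        echo "no valid ticket; the login form should appear after logout"
    fi
    # Headers only; '-u :' lets curl use the ticket cache for SPNEGO.
    headers=$(curl -s -I --negotiate -u : "https://$host/ipa/session/login_kerberos")
    if negotiate_challenged "$headers"; then
        echo "server answers with a Negotiate challenge on that URL"
    else
        echo "no Negotiate challenge seen (or request failed)"
    fi
}

# Offline demonstration on the constructed samples.
if ticket_for_realm EXAMPLE.COM "$SAMPLE_KLIST"; then
    echo "sample klist: TGT for EXAMPLE.COM found"
fi
if negotiate_challenged "$SAMPLE_401"; then
    echo "sample response: Negotiate challenge found"
fi
```

To use it on the workstation from the thread, source the file and run `check_live ipa.example.com` (substituting your server); an empty klist plus a Negotiate challenge on the post-logout page is consistent with Rob's explanation, while a populated klist points at the ccache Dmitri asked about.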

