On 04/29/2015 01:42 PM, Christopher Lamb wrote:
Can you qualify "has a valid Kerberos Ticket"?
In my case, my user has a valid ticket on the LDAP server, but not on the
OSX workstation from which I am using Firefox / Web UI.
On the OSX workstation, if the user has a non-expired TGT ticket which
could be then used to obtain ticket for principal
HTTP/myipa.my.domain@MY.REALM (IPA server API - backend of webui).
From: Petr Vobornik <pvobo...@redhat.com>
To: d...@redhat.com, Rob Crittenden <rcrit...@redhat.com>,
Date: 29.04.2015 13:27
Subject: Re: [Freeipa-users] FreeIPA WebUI Logout logs back in
On 04/28/2015 11:53 PM, Dmitri Pal wrote:
On 04/28/2015 05:39 PM, Rob Crittenden wrote:
Dmitri Pal wrote:
On 04/28/2015 05:11 PM, Christopher Lamb wrote:
I have just tested with the FreeIPA Web UI public demo
Using the public demo, when I log out, I get returned to the login
as expected. This allows me to log in with a different user.
With our own installation FreeIPA, from exactly the same browser, I
logged straight back in to the Web UI - which makes logging out
still confused ...
Do you have a kerberos ticket on your local system?
See which tickets you have.
If you have tickets do kdestroy - this will remove the ability to SSO.
If you then try to use your IPA server you will have the same
as with public demo.
I think this is a question for Petr. On logout one should be directed to
a page that doesn't require auth so it doesn't renegotiate the
Petr can you reproduce this?
User is automatically logged-in back if he has a valid Kerberos ticket.
The reason is that after showing the login form, the whole UI is
reloaded in order to forget everything in the app memory. It then
behaves as normal access and SSO kicks in.
IPA had a logout page but it was removed. One reason was that PatternFly
says that when a session expires(which, in a way, is a logout), user
should be presented with a login page. As we see, with SSO, the behavior
is a little bit different and unexpected.
I've created a new ticket:
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project