Rob Crittenden wrote:
> Dmitri Pal wrote:
>>>> Why make them fail?
>>> True, it isn't ideal but all users fail the first time in the browser
>>> as it is. There isn't a stable way to pre-configure the browser
>>> currently. It either involves directly modifying files in the firefox
>>> rpm which will both cause rpm verification issues and be lost when an
>>> upgrade is done. Or we have to run something on the client to fix
>>> their browser profile when we run ipa-client-install and this will
>>> only affect existing profiles (and won't take effect until any running
>>> browser is restarted).
>>>
>> This should be filed as an RFE with FF.
>
> This would be handled by the bug below.
>
>>
>>> There is a browser bug filed so one can configure a directory of
>>> additional settings to be read as sort of a global configuration
>>> cache. Once this is available we can write to one spot and
>>> pre-configure kerberos settings.
>>
>> Can you point me to it?
>
> https://bugzilla.redhat.com/show_bug.cgi?id=516200
>>
>>> Similarly once the global NSS database is in place we can put the IPA
>>> CA cert there and be trusted by all browsers on the system.
>>>
>>>> I assume that things like cfengine or puppet can be used to already
>>>> preconfigure browsers to know about IPA.
>>> Probably but again it's a client-side issue and the browser profile
>>> needs to be updated. Definitely a possibility.
>>>
>>>> So failing them and forcing them to use kinit manually sounds like a bad
>>>> user experience approach to me.
>>> Yup. But this is close to what happens with new users now. They kinit
>>> (or not), try to hit the UI and in FF 3.5 fail with a nasty error
>>> message about untrusted CAs. If they decide to continue they get a
>>> kerberos failed page and can run a little javascript program to
>>> configure the browser. This little program causes a hair-on-fire
>>> warning to pop up. Then they need to restart the browser to work.
>>>
>>
>> They need to accept the cert first time right? Ok I understand why.
>
> Yes but beginning with FF 3.5 they have to go through a 2-step process
> where they accept the CA, add an exception etc.
>
>> And where does this little javascript program come from?
>> Do we provide it or is it a part of something standard?
>
> We provide it on the IPA server. It modified the user preferences to
> configure kerberos. In order to modify user preferences the javascript
> needs to be signed by a trusted CA (we use the IPA CA) and the user
> must agree to it. The dialog that asks has a several-second pause
> before Ok is ungreyed.
>
>> Why does it cause hair-on-fire?
>
> The message is not configurable, it just says that something is trying
> to modify your user preferences.
>
> rob

Anything we think might improve user experience let us log a bug for it.

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.
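
The client-side option discussed in the thread above (updating existing Firefox profiles when ipa-client-install runs), shown as an added example that is not part of the original messages and not FreeIPA's own code. It assumes the standard `profiles.ini` and `user.js` profile files and the Firefox preference `network.negotiate-auth.trusted-uris`; the function names and the domain passed in are hypothetical.

```python
import configparser
import json
import re
from pathlib import Path

PREF = "network.negotiate-auth.trusted-uris"  # Firefox preference for Negotiate auth


def profile_dirs(firefox_dir):
    """Yield the existing profile directories listed in <firefox_dir>/profiles.ini."""
    ini = configparser.ConfigParser(interpolation=None)
    ini.optionxform = str  # keep the Path / IsRelative key names as written
    ini.read(Path(firefox_dir) / "profiles.ini")
    for section in ini.sections():
        if not section.startswith("Profile") or "Path" not in ini[section]:
            continue  # skip [General] and other non-profile sections
        path = Path(ini[section]["Path"])
        if ini[section].get("IsRelative", "1") == "1":
            path = Path(firefox_dir) / path
        if path.is_dir():  # a listed profile may no longer exist on disk
            yield path


def set_user_pref(profile, name, value):
    """Set one pref in <profile>/user.js; return True if the file changed."""
    user_js = Path(profile) / "user.js"
    wanted = "user_pref(%s, %s);" % (json.dumps(name), json.dumps(value))
    old = user_js.read_text().splitlines() if user_js.exists() else []
    # Drop any earlier setting of the same pref, keep every other line.
    pattern = re.compile(r'^\s*user_pref\(\s*"%s"\s*,' % re.escape(name))
    new = [line for line in old if not pattern.match(line)] + [wanted]
    if new == old:
        return False  # already configured, leave the file untouched
    user_js.write_text("\n".join(new) + "\n")
    return True


def configure_profiles(firefox_dir, domain):
    """Scope Negotiate auth to one domain in every existing profile."""
    # Only the given domain is listed, so Kerberos tickets are not
    # offered to any other site the user visits.
    return [str(p) for p in profile_dirs(firefox_dir)
            if set_user_pref(p, PREF, "." + domain)]
```

As the thread notes, this reaches only profiles that already exist, and a running browser picks the value up after a restart.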