On Wed, 2015-04-29 at 07:57 +0200, Christopher Lamb wrote: > HI Simo, Dmitiri, Rob and co. > > Simos "log in with a different user" suggestion is pretty much what I was > intending. I want to be able to log out of the web ui, then log back in > with a different user. e.g. to allow a newly added user to change their > password to something secret.
Can you open a RFE ticket about this ? We should track it. Thanks, Simo. > On this particular workstation I have no kerberos ticket (double checking > with klist at the terminal confirms this). I have not saved the password in > Firefox (checking in the settings confirms this). > > I often have ssh sessons open via terminal to the FreeIPA Server, and even > Apache Directory Studio open to browse the LDAP structure and content. I > don't see how that can play a role, but I mention it for completeness. > > thanks > > Chris > > > > From: Simo Sorce <[email protected]> > To: [email protected] > Cc: Rob Crittenden <[email protected]>, Christopher > Lamb/Switzerland/IBM@IBMCH, [email protected] > Date: 29.04.2015 03:31 > Subject: Re: [Freeipa-users] FreeIPA WebUI Logout logs back in > > > > On Tue, 2015-04-28 at 17:53 -0400, Dmitri Pal wrote: > > On 04/28/2015 05:39 PM, Rob Crittenden wrote: > > > Dmitri Pal wrote: > > >> On 04/28/2015 05:11 PM, Christopher Lamb wrote: > > >>> HI All > > >>> > > >>> I have just tested with the FreeIPA Web UI public demo > > >>> https://ipa.demo1.freeipa.org/ipa/ui/ > > >>> > > >>> Using the public demo, when I log out, I get returned to the login > > >>> screen, > > >>> as expected. This allows me to log in with a different user. > > >>> > > >>> With our own installation FreeIPA, from exactly the same browser, I > get > > >>> logged straight back in to the Web UI - which makes logging out > > >>> pointless. > > >>> > > >>> still confused ... > > >> Do you have a kerberos ticket on your local system? > > >> Do klist. > > >> See which tickets you have. > > >> If you have tickets do kdestroy - this will remove the ability to SSO. > > >> If you then try to use your IPA server you will have the same > experience > > >> as with public demo. > > > I think this is a question for Petr. On logout one should be directed > to > > > a page that doesn't require auth so it doesn't renegotiate the > connection. > > > > > > rob > > Petr can you reproduce this? > > I've seen this in the past on my own IPA domain at home. > Perhaps what we should do is to have a logout option that says "log in > with a different user" and redirect to anon kerberized page that allows > you to do form based login. > > This would address the case where a domain user wants to log in as admin > w/o exiting their user session or destroying there ccache (as that may > imply loosing access to email, other company websites, etc...). > > Simo. > > -- > Simo Sorce * Red Hat, Inc * New York > > > > -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
