Currently, we have a number of blocking criteria in Fedora Server around domain membership: that the machine must be able to join a domain and that a user must be able to log into the machine using standard login mechanisms (console, GDM, etc.).

What we are lacking is a criterion specifying single-sign-on functionality, which is a key part of the domain experience. I'd like to propose that the following functionality be added as a Beta criterion from here forth:

== Server Product Requirements ==

=== Remote Authentication ===

* A user who signs in locally or via SSH to a Fedora Server joined to a FreeIPA or Active Directory domain using a supported domain-joining mechanism[1] must be capable of connecting via SSH to any other Fedora Server of the same version to which they have appropriate access privileges without being required to re-enter their password.[2] (Note: this assumes an "online" login; if the user logs in while disconnected from the authentication server, they may not be able to use SSO features without manual intervention.)

* Single-sign-on capabilities must be available without any additional configuration by the user except the initial join to the domain.

[1] This means realmd in the current implementation, which is the mechanism used under the hood by Cockpit. I'd recommend leaving out more manual methods like ipa-client-install, adcli and 'net ads'.

[2] Under the hood, this means that the authentication negotiation should happen via GSSAPI.
On Mon, 2015-10-05 at 15:05 -0400, Stephen Gallagher wrote:

> Currently, we have a number of blocking criteria in Fedora Server around domain membership: that the machine must be able to join a domain and that a user must be able to log into the machine using standard login mechanisms (console, GDM, etc.).
>
> What we are lacking is a criterion specifying single-sign-on functionality, which is a key part of the domain experience. I'd like to propose that the following functionality be added as a Beta criterion from here forth:
>
> == Server Product Requirements ==
>
> === Remote Authentication ===
>
> - A user who signs in locally or via SSH to a Fedora Server joined to a FreeIPA or Active Directory domain using a supported domain-joining mechanism[1] must be capable of connecting via SSH to any other Fedora Server of the same version to which they have appropriate access privileges without being required to re-enter their password.[2] (Note: this assumes an "online" login; if the user logs in while disconnected from the authentication server, they may not be able to use SSO features without manual intervention.)
>
> - Single-sign-on capabilities must be available without any additional configuration by the user except the initial join to the domain.
>
> [1] This means realmd in the current implementation, which is the mechanism used under the hood by Cockpit. I'd recommend leaving out more manual methods like ipa-client-install, adcli and 'net ads'.
>
> [2] Under the hood, this means that the authentication negotiation should happen via GSSAPI.
I'm OK with this so long as it comes along with a matching test case.
On 10/06/2015 12:59 PM, Adam Williamson wrote:

> I'm OK with this so long as it comes along with a matching test case.

Yes, assuming this is agreed-upon to be a blocking criterion, I will write up a test case.
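As an added illustration of what such a test case could check (this is not Stephen's test case and not part of the thread), the script below is meant to run on the first server after an online domain login: it confirms a Kerberos TGT is in the credential cache, then confirms SSH to a second server of the same version succeeds with GSSAPI alone, with password and key authentication disabled so any prompt counts as a failure. The hostname server2.example.com is a placeholder, and the klist and ssh output fed to the helpers in the self-test is constructed.

```shell
#!/bin/sh
# Added example, not the page's own test case. Usage on a domain-joined
# Fedora Server after an online login:  ./sso_check.sh server2.example.com
# (placeholder hostname; the target must be in the same domain).

# Does klist output (on stdin) show a default principal and a
# ticket-granting ticket? After an online login via SSSD this holds.
klist_has_tgt() {
    awk '/^Default principal: /{p=1} / krbtgt\//{t=1} END{exit !(p && t)}'
}

# Does 'ssh -v' debug output (on stdin) confirm that GSSAPI, not a
# password or key, was the method that succeeded?
ssh_log_used_gssapi() {
    grep -q 'Authentication succeeded (gssapi-with-mic)'
}

# Full check: TGT present, then SSH to $1 with only GSSAPI permitted.
# BatchMode=yes makes ssh fail instead of prompting, so a missing SSO
# path shows up as a clean failure rather than a hang on a prompt.
sso_check() {
    target=$1
    klist 2>/dev/null | klist_has_tgt || {
        echo "FAIL: no Kerberos TGT in credential cache (offline login?)"
        return 1
    }
    ssh -v -o BatchMode=yes \
        -o GSSAPIAuthentication=yes \
        -o PreferredAuthentications=gssapi-with-mic \
        -o PasswordAuthentication=no \
        -o PubkeyAuthentication=no \
        "$target" true 2>&1 | ssh_log_used_gssapi || {
        echo "FAIL: SSH to $target did not authenticate via GSSAPI"
        return 1
    }
    echo "PASS: SSO to $target via GSSAPI without a password prompt"
}

# Only run the live check when a target host is given on the command line.
if [ $# -gt 0 ]; then
    sso_check "$1"
fi
```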
server@lists.fedoraproject.org