Tuesday, August 22, 2017

Fixing the annoying popup in FreeIPA

I love FreeIPA except for one thing: That annoying popup when using Chrome:

This popup confuses the hell out of my users when they can't log in. So what is it? One nice feature of FreeIPA is it's ability to do Single Sign on via Kerberos. The problem is that not all browsers support this and the configuration of this feature for users has a high bar of entry - I'm not even sure you can get it working in Chrome. So when a user goes to the FreeIPA page which supports Kerberos logins and sees this popup they (understandably) think they need to log in. Since the browser is not configured for Kerberos, this inevitably fails. But what is worse, is that unauthenticated users are prompted to log in twice. So pretty quickly this can turn into a service call or ticket when a user "can't login." The workaround is to click cancel twice to be taken to the forms based login. But instead, why don't we just suppress this popup?

Since the FreeIPA documentation is notoriously abysmal, I'll provide my solution to the problem here. Simply do the following:

Log in to your host
edit /etc/httpd/conf.d/ipa-rewrite.conf
Add to the end of this file:

#The following disables the annoying kerberos popup for Chrome
RewriteCond %{HTTP_COOKIE} !ipa_session
RewriteCond %{HTTP_REFERER} ^(.+)/ipa/ui/$
RewriteRule ^/ipa/session/json$ - [R=401,L]
RedirectMatch 401 ^/ipa/session/login_kerberos

And that's it! Restart your web server and this popup should go away! So what does it do?

The first three lines set very specific conditions for triggering a 401 response for the page /ipa/session/json. The web client uses JSON to communicate with the IPA server, so we only want to send the 401 response if there is no ipa_session cookie (set on login) and the user is coming from the ui page and not, say, making their own JSON call from the command line. Otherwise we risk inadvertently breaking something.

It is worth noting that in older versions of FreeIPA, this path was /ipa/session/xml, but it was renamed. If you are on an old version of IPA either upgrade or adjust your configuration appropriately.

The second thing this does is returns a 401 when someone tries to access the kerberos login page. It is these two pages that generate the http basic authentication login and by immediately returning a 401 instead of allowing these pages to try to authenticate with kerberos, we are ultimately able to resolve this issue.

No comments:

Post a Comment