diff --git a/install/html/ssbrowser.html b/install/html/ssbrowser.html
index bf64eda85..9e3886193 100644
--- a/install/html/ssbrowser.html
+++ b/install/html/ssbrowser.html
@@ -5,15 +5,53 @@ IPA: Identity Policy Audit
@@ -31,7 +69,8 @@
-
+
+
+
diff --git a/ipaserver/plugins/internal.py b/ipaserver/plugins/internal.py
index d3574b5ee..9465287bc 100644
--- a/ipaserver/plugins/internal.py
+++ b/ipaserver/plugins/internal.py
@@ -972,6 +972,188 @@ class i18n_messages(Command):
 "truncated": _("Query returned more results than the configured size limit. Displaying the first ${counter} results."),
 "unselect_all": _("Unselect All"),
 },
+ "ssbrowser-page": {
+ "header": _(
+ "

Browser Kerberos Setup

\n" + "\n" + ), + "firefox-header": _( + "

Firefox

\n" + "\n" + "

\n" + " You can configure Firefox to use Kerberos for " + "Single Sign-on. The following instructions will guide you in " + "configuring your web browser to send your Kerberos " + "credentials to the appropriate Key Distribution Center which " + "enables Single Sign-on.\n" + "

\n" + "\n" + ), + "firefox-actions": _( + "
    \n" + "
  1. \n" + "

    \n" + "" + "Import Certificate Authority certificate\n" + "

    \n" + "

    \n" + " Make sure you select all three " + "checkboxes.\n" + "

    \n" + "
  2. \n" + "
  3. \n" + " In the address bar of Firefox, type " + "about:config to display the list of current " + "configuration options.\n" + "
  4. \n" + "
  5. \n" + " In the Filter field, type negotiate" + " to restrict the list of options.\n" + "
  6. \n" + "
  7. \n" + " Double-click the network.negotiate-auth" + ".trusted-uris entry to display the Enter string value " + "dialog box.\n" + "
  8. \n" + "
  9. \n" + " Enter the name of the domain against which " + "you want to authenticate, for example, .example.com.\n" + "
  10. \n" + "
  11. Return to Web UI
  12. \n" + "
\n" + "\n" + ), + "chrome-header": _( + "

Chrome

\n" + "\n" + "

\n" + " You can configure Chrome to use Kerberos for " + "Single Sign-on. The following instructions will guide you in " + "configuring your web browser to send your Kerberos " + "credentials to the appropriate Key Distribution Center which " + "enables Single Sign-on.\n" + "

\n" + "\n" + ), + "chrome-certificate": _( + "

Import CA Certificate

\n" + "
    \n" + "
  1. \n" + " Download the CA " + "certificate. Alternatively, if the host is also an IdM " + "client, you can find the certificate in /etc/ipa/ca.crt.\n" + "
  2. \n" + "
  3. \n" + " Click the menu button with the Customize " + "and control Google Chrome tooltip, which is by default " + "in the top right-hand corner of Chrome, and click " + "Settings.\n" + "
  4. \n" + "
  5. \n" + " Click Show advanced settings to " + "display more options, and then click the Manage " + "certificates button located under the HTTPS/SSL heading." + "\n" + "
  6. \n" + "
  7. \n" + " In the Authorities tab, click the " + "Import button at the bottom.\n" + "
  8. \n" + "
  9. Select the CA certificate file that you downloaded in the" + " first step.
  10. \n" + "
\n" + "\n" + ), + "chrome-spnego": _( + "

\n" + " Enable SPNEGO (Simple and Protected GSSAPI " + "Negotiation Mechanism) to Use Kerberos Authentication\n" + " in Chrome\n" + "

\n" + "
    \n" + "
  1. \n" + " Make sure you have the necessary directory " + "created by running:\n" + "
    \n" + " [root@client]# mkdir -p /etc/opt/chrome/" + "policies/managed/\n" + "
    \n" + "
  2. \n" + "
  3. \n" + " Create a new /etc/opt/chrome/policies/" + "managed/mydomain.json file with write privileges " + "limited to the system administrator or root, and include the " + "following line:\n" + "
    \n" + " { \"AuthServerWhitelist\": \"*.example.com.\" }\n" + "
    \n" + "
    \n" + " You can do this by running:\n" + "
    \n" + "
    \n" + " [root@server]# echo \'{ \"" + "AuthServerWhitelist\": \"*" + ".example.com.\" }' > /etc/opt/chrome/policies/managed/" + "mydomain.json\n" + "
    \n" + "
  4. \n" + "
\n" + "
    \n" + "

    \n" + "Note: If using Chromium, use /etc/" + "chromium/policies/managed/ instead of /etc/opt/" + "chrome/policies/managed/ for the two SPNEGO Chrome " + "configuration steps above.\n" + "

    \n" + "
\n" + "\n" + ), + "ie-header": _( + "

Internet Explorer

\n" + "

WARNING: Internet Explorer is no longer a" + " supported browser.

\n" + "

\n" + " Once you are able to log into the workstation " + "with your kerberos key you are now able to use that ticket in" + " Internet Explorer.\n" + "

\n" + "

\n" + ), + "ie-actions": _( + "Log into the Windows machine using an account of your" + " Kerberos realm (administrative domain)\n" + "

\n" + "

\n" + "In Internet Explorer, click Tools, and then click " + "Internet Options.\n" + "

\n" + "
\n" + "
    \n" + "
  1. Click the Security tab
  2. \n" + "
  3. Click Local intranet
  4. \n" + "
  5. Click Sites
  6. \n" + "
  7. Click Advanced
  8. \n" + "
  9. Add your domain to the list
  10. \n" + "
\n" + "
    \n" + "
  1. Click the Security tab
  2. \n" + "
  3. Click Local intranet
  4. \n" + "
  5. Click Custom Level
  6. \n" + "
  7. Select Automatic logon only in Intranet zone
  8. \n" + "
\n" + "\n" + "
    \n" + "
  1. Visit a kerberized web site using IE (You must use the " + "fully-qualified Domain Name in the URL)
  2. \n" + "
  3. You are all set.
  4. \n" + "
\n" + "
\n" + "\n" + ), + }, "status": { "disable": _("Disable"), "disabled": _("Disabled"),
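Review bot: The new `"ssbrowser-page"` values appear to carry whole HTML fragments inside `_()` (headings, lists, links and `\n` layout; the tags themselves are not visible in this rendering), so whatever a translation catalog returns for these msgids would reach the browser as markup on the Kerberos setup page. If the client inserts them as HTML, as the accompanying `ssbrowser.html` change suggests, a malformed or tampered translation could break or alter security instructions such as the CA import and `AuthServerWhitelist` steps. Consider keeping the structure in the template and passing only plain text through `_()`, or at least add a comment above the entry such as `# Values are HTML fragments inserted into ssbrowser.html; translated text is trusted as markup`. Separately, "Make sure you select all three checkboxes" in `firefox-actions` presumably refers to the trust-purpose boxes in Firefox's CA import dialog and asks users to trust the CA for more than website identification, which is worth narrowing while this text is being touched.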