On Mon, Oct 05, 2015 at 03:05:42PM -0400, Stephen Gallagher wrote:
> Currently, we have a number of blocking criteria in Fedora Server
> around domain membership that the machine must be able to join a
> domain and that a user must be able to log into the machine using
> standard login mechanisms (console, GDM, etc.).
>
> What we are lacking is a criterion specifying single-sign-on
> functionality, which is a key part of the domain experience. I'd like
> to propose that the following functionality be added as a Beta
> criterion from here forth:
>
> == Server Product Requirements ==
>
> === Remote Authentication ===
> * A user who signs in locally or via SSH to a Fedora Server joined to
> a FreeIPA or Active Directory domain using a supported domain-joining
> mechanism[1] must be capable of connecting via SSH to any other Fedora
> Server of the same version to which they have appropriate access
> privileges without being required to re-enter their password.[2]
> (Note: this assumes an "online" login; if the user logs in while
> disconnected from the authentication server, they may not be able to
> use SSO features without manual intervention.)
>
> * Single-sign-on capabilities must be available without any additional
> configuration by the user except the initial join to the domain.
>
>
>
> [1] This means realmd in the current implementation, which is the
> mechanism used under the hood by Cockpit. I'd recommend leaving out
> more manual methods like ipa-client-install, adcli and 'net ads'.
>
> [2] Under the hood, this means that the authentication negotiation
> should happen via GSSAPI.

+1

That seems to be clear and make sense to me.

--
// Mike
--
Fedora QA
freenode: roshi
http://roshi.fedorapeople.org
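
One way a tester could check the proposed criterion from a shell, as an added example that is not part of the thread or of any Fedora test case: it confirms that the SSH login to the second server completed through a GSSAPI method rather than a key or a prompt. The function names, the script name and the sample log are constructed for illustration; it assumes the OpenSSH client and the MIT Kerberos `klist` tool.

```shell
#!/bin/sh
# Added example (not from the thread). Run as the domain user on the first
# Fedora Server after an online login:  sh sso-check.sh <second-server>

# Read `ssh -v` output on stdin; print the auth method of the successful login.
# Matches both formats OpenSSH clients log; prints nothing on failure.
auth_method_from_log() {
    sed -n \
        -e 's/.*Authentication succeeded (\([^)]*\)).*/\1/p' \
        -e 's/.*Authenticated to .* using "\([^"]*\)".*/\1/p' | head -n 1
}

# Only GSSAPI methods count as SSO; a publickey login would hide a failure.
is_sso_method() {
    case $1 in gssapi-*) return 0 ;; *) return 1 ;; esac
}

check_sso() {
    host=$1
    # The ticket must come from the domain login, not from a manual kinit.
    klist -s || { echo "FAIL: no valid Kerberos ticket" >&2; return 2; }
    # BatchMode forbids password prompts. No GSSAPI options are forced, since
    # the criterion requires SSO to work with the default configuration.
    log=$(ssh -v -o BatchMode=yes "$host" true 2>&1)
    method=$(printf '%s\n' "$log" | auth_method_from_log)
    if is_sso_method "$method"; then
        echo "PASS: $host authenticated via $method"
    else
        echo "FAIL: $host method='${method:-none}'" >&2; return 1
    fi
}

# Constructed sample of client debug output (host and address are made up).
SAMPLE_LOG='debug1: Next authentication method: gssapi-with-mic
debug1: Authentication succeeded (gssapi-with-mic).
Authenticated to srv2.example.test ([192.0.2.10]:22).'

if [ "$#" -gt 0 ]; then
    check_sso "$1"
else
    printf '%s\n' "$SAMPLE_LOG" | auth_method_from_log
fi
```

A FAIL with `method='publickey'` means the login worked but did not exercise the GSSAPI path named in footnote [2].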