8.4. Using the IdM Web UI
8.4.1. About the Web UI
Table 8.1. Configuration Areas Per Tab
Main Menu Tab | Configuration Areas
---|---
Identity |
Policy |
IdM Server (access controls within Identity Management) |

Figure 8.1. The Main Menu
8.4.2. Opening the IdM Web UI
- Get a valid Kerberos ticket using kinit, as in Section 8.3, “Logging into IdM”.
- Open the IdM URL. The full URL is https://IPAserver-FQDN/ipa/ui, but this service is also accessed simply by opening https://IPAserver-FQDN. For example:
  https://server.example.com
  https://server.example.com/ipa/ui
8.4.3. Configuring the Browser
8.4.3.1. Configuring Firefox

Figure 8.2. Kerberos Authentication Error
- Click the follow these directions link.
- Click the link to import the CA certificate for the IdM server.
- Set the web site and software developer (first and last) trust bits for the CA certificate.
- Click the Configure Firefox button. This automatically fills out all the negotiate settings in the Firefox configuration to use the IdM domain settings.
When the process is complete, a success box pops up saying that Firefox has been configured for single sign-on. From there, you are redirected to the IdM web UI.
- Start Firefox.
- Type about:config in the address bar.
- In the Search field, type negotiate to filter out the Kerberos-related parameters.
- On Red Hat Enterprise Linux, enter the domain name for the URI parameters, including the preceding period (.), and set the gsslib parameter to true:
  network.negotiate-auth.trusted-uris .example.com
  network.negotiate-auth.using-native-gsslib true
  On Windows, set the trusted URIs and library path, and disable the built-in Microsoft Kerberos for authentication:
  network.negotiate-auth.trusted-uris .example.com
  network.auth.use-sspi false
  network.negotiate-auth.gsslib C:\Program Files\MIT\Kerberos\bin\gssapi32.dll
  On a 64-bit system, the library location is C:\Program Files (x86)\MIT\Kerberos\bin\gssapi32.dll.
  Keep network.negotiate-auth.trusted-uris limited to the IdM domain: Firefox sends the user's Kerberos (Negotiate) credentials to every site that matches the value.
- Open the web UI by going to the fully-qualified domain name of the IdM server, such as https://ipaserver.example.com. Make sure that you can open the web UI and that there are no Kerberos authentication errors.
- Next, download the IdM server's CA certificate from http://ipaserver.example.com/ipa/config/ca.crt. Because this download is over plain HTTP, compare the downloaded file with /etc/ipa/ca.crt on an enrolled IdM client before trusting it.
- In the Downloading Certificate window that appears, select the first (Trust this CA to identify web sites) and third (Trust this CA to identify software developers) check boxes.
8.4.3.2. Configuring Chrome
- Import CA Certificate
  - Download the CA certificate from http://my.ipa.server/ipa/config/ca.crt. Alternatively, if the host is also an IdM client, you can find the certificate in /etc/ipa/ca.crt. Because the download is over plain HTTP, compare the downloaded file with /etc/ipa/ca.crt on an enrolled client before importing it.
  - Click the menu button with the Customize and control Google Chrome tooltip, which is by default in the top right-hand corner of Chrome, and click Settings.
  - Click Show advanced settings to display more options, and then click the Manage certificates button located under the HTTPS/SSL heading.
  - In the Authorities tab, click the Import button at the bottom.
  - Select the CA certificate file that you downloaded in the first step.
- Enable SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) to Use Kerberos Authentication in Chrome
  - Make sure you have the necessary directory created by running
    [root@client]# mkdir -p /etc/opt/chrome/policies/managed/
  - Create a new /etc/opt/chrome/policies/managed/mydomain.json file with write privileges limited to the system administrator or root, and include the following line:
    { "AuthServerWhitelist": "*.example.com" }
    You can do this by running
    [root@client]# echo '{ "AuthServerWhitelist": "*.example.com" }' > /etc/opt/chrome/policies/managed/mydomain.json
    Keep the pattern limited to the IdM domain: Chrome sends the user's Kerberos (Negotiate) credentials to every server that matches it. Chrome 86 and later name this policy AuthServerAllowlist; AuthServerWhitelist is the deprecated spelling.
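The two Chrome steps above (create the managed-policy directory, then a policy file that only root can write) as one script, added here as an example; it is not code from the original page or from IdM. It assumes a file name of idm-spnego.json and the domain example.com, takes the policy directory as an argument so it can be exercised against a scratch directory, and writes the newer AuthServerAllowlist key alongside the page's AuthServerWhitelist. The check function is the part an administrator would run after deployment: a group- or world-writable policy file or directory, a pattern not pinned to the IdM domain, or malformed JSON is rejected.

```shell
#!/bin/sh
# Added example (not code from the original page or from IdM): deploy the Chrome
# managed policy described above with root-only write access, then verify it.
# Assumptions not stated by the page: the policy file is named idm-spnego.json,
# the IdM domain is example.com, and the policy directory and domain are taken
# as arguments so the same functions can be exercised against a scratch directory.

# Exit 0 if group or other has write permission on the given path.
is_group_or_world_writable() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Write the Negotiate allowlist policy and print the path of the file.
# AuthServerAllowlist is the key used by Chrome 86 and later; AuthServerWhitelist
# is the deprecated spelling used on the page and is kept for older browsers.
write_chrome_spnego_policy() {
    policy_dir=$1      # e.g. /etc/opt/chrome/policies/managed
    domain=$2          # e.g. example.com
    policy_file="$policy_dir/idm-spnego.json"

    # Create directory and file under umask 022 in a subshell (the caller's
    # umask is untouched), then pin the modes explicitly: readable by Chrome,
    # writable only by the owner, which must be root on a real system.
    (
        umask 022
        mkdir -p "$policy_dir"
        cat > "$policy_file" <<EOF
{
  "AuthServerAllowlist": "*.$domain",
  "AuthServerWhitelist": "*.$domain"
}
EOF
    ) || return 1
    chmod 0755 "$policy_dir" && chmod 0644 "$policy_file" || return 1
    printf '%s\n' "$policy_file"
}

# Verify a deployed policy: nobody but the owner may write the file or its
# directory (otherwise a local user can choose which hosts receive the user's
# Kerberos tickets), the allowlist must be pinned to the IdM domain, and the
# file must be valid JSON, since a malformed policy file is not applied.
check_chrome_spnego_policy() {
    policy_file=$1
    domain=$2
    policy_dir=$(dirname "$policy_file")

    if is_group_or_world_writable "$policy_dir" || is_group_or_world_writable "$policy_file"; then
        echo "refusing: $policy_file or its directory is group/world writable" >&2
        return 1
    fi
    if ! grep -qF "\"AuthServerAllowlist\": \"*.$domain\"" "$policy_file"; then
        echo "refusing: policy does not pin Negotiate to *.$domain" >&2
        return 1
    fi
    if command -v python3 >/dev/null 2>&1; then
        python3 -c 'import json, sys; json.load(open(sys.argv[1]))' "$policy_file" || return 1
    fi
    return 0
}

# Stand-alone use, as root:  sh chrome-spnego-policy.sh --deploy example.com
if [ "${1-}" = "--deploy" ] && [ -n "${2-}" ]; then
    f=$(write_chrome_spnego_policy /etc/opt/chrome/policies/managed "$2") &&
        check_chrome_spnego_policy "$f" "$2" &&
        echo "Chrome Negotiate policy deployed and verified: $f"
fi
```

Run it as root with `--deploy example.com`, then open chrome://policy in the browser to confirm the policy is listed without an error; the same check function can be run from a configuration audit to catch a policy directory that was later made writable by others.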
8.4.4. Using a Browser on Another System
kinit, and then the user can authenticate against the IdM server domain.
- Copy the /etc/krb5.conf file from the IdM server to a separate file on the external machine:
  # scp /etc/krb5.conf root@externalmachine.example.com:/etc/krb5_ipa.conf
  Warning
  Do not overwrite the existing krb5.conf file.
- On the external machine, set the terminal session to use the copied IdM Kerberos configuration file:
  $ export KRB5_CONFIG=/etc/krb5_ipa.conf
  The variable applies only to processes started from this terminal session. Run kinit and start Firefox from the same session so that both use the IdM configuration; a browser started from the desktop menu does not see it.
- Configure Firefox on the external machine as in Section 8.4.3, “Configuring the Browser”.
8.4.5. Logging in with Simple Username/Password Credentials

Figure 8.3. IdM Form-Based Login Option

Figure 8.4. IdM Password Prompt