#3821 Broken Firefox configuration files in freeipa-client package
Closed: Fixed None Opened 10 years ago by pvoborni.

freeipa-client contains two files: ipa.js and ipa.cfg which should serve for global Firefox configuration (kerberos settings).


  • 'network.negotiate-auth.trusted-uris' and 'network.negotiate-auth.delegation-uris' are hardcoded to '.freeipa.org'
  • ipa.cfg sets 'autoadmin.global_config_url' which might not be desired

luckily these files are not loaded because they are located in /usr/share/ipa and nothing points to them.

Additionally code in ipaclient contains other methods of Firefox configuration, all of them wrong - they do not meet config recommendations [1].

This feature should be fixed or completely removed.

Possible solutions to fix the feature might be:
a. create user.js in each FF profile

user_pref("network.negotiate-auth.trusted-uris", ".our.domain");

b. create global config file /usr/lib64/firefox/browser/defaults/browser-freeipa.js (can be a symlink to different location)

// First line is ignored
pref("network.negotiate-auth.trusted-uris", ".our.domain");
// other settings...
  • files and links should be created by ipaclient-install - domain needs to be altered
  • should be opt-in. Not every admin wants browsers to be configured.

1. https://developer.mozilla.org/en-US/docs/Mozilla/Preferences/A_brief_guide_to_Mozilla_preferences
2. http://mike.kaply.com/2012/03/15/customizing-firefox-default-preference-files/ and other articles there

Make the configuration instructions correct.

3.4 development was shifted for one month, moving tickets to reflect reality better.


  • e8fc70f Removed old firefox configuration scripts
  • 478dc1e ipa-client-install: Added options to configure firefox

A note what was actually implemented:

There are two parts:

  1. Removed from ipa-client package:


  2. Added ipa-client-install options:
    --configure-firefox, --firefox-dir=DIR

--firefox-dir specifies where is firefox installed, usually it can be omitted. By default it is set to: /usr/lib64/firefox or /usr/lib/firefox

Will create global configuration file which will affect default settings for firefox configuration options as follows:

pref("network.negotiate-auth.trusted-uris", ".$DOMAIN"); <-- IPA domain
pref("network.negotiate-auth.gsslib", "");
pref("network.negotiate-auth.using-native-gsslib", true);
pref("network.negotiate-auth.allow-proxies", true);

The config file should be located at $firefox_dir/browser/defaults/preferences/all-ipa.js

Basically if this is run on a system with Firefox along with https://fedorahosted.org/freeipa/ticket/3504 , user then doesn't have to run browser configuration from Web UI, i.e., this config should have the same effect as the kerberos firefox extension.

Metadata Update from @pvoborni:
- Issue assigned to mbasti
- Issue set to the milestone: FreeIPA 4.0 - 2013/11

7 years ago

Login to comment on this ticket.