[13:03:28 CST(-0600)] <apetro__> Greetings Programmers.
[13:04:12 CST(-0600)] <wgthom> checking in
[13:07:02 CST(-0600)] <apetro> likewise checking in
[13:10:09 CST(-0600)] <apetro> I did draw the password policy code into Jasig sandbox source control since last cas-dev IRC chat, so I wish MarvinAddison were here for wooting purposes. https://source.jasig.org/sandbox/cas-password-policy/
[13:10:57 CST(-0600)] <wgthom> I don't give a woot!?!?
[13:13:47 CST(-0600)] <apetro> You do, but you haven't asked about the task as many times as he has.
[13:14:14 CST(-0600)] <wgthom> i'm sure I do...poor attempt at humor
[13:14:28 CST(-0600)] <apetro> Anyway, that progress, and then direct followup with historical participants in that extension has unearthed additional code, so some progress there.
[13:19:07 CST(-0600)] <MarvinAddison> hey
[13:19:11 CST(-0600)] <MarvinAddison> woot
[13:19:17 CST(-0600)] <apetro> (smile)
[13:19:55 CST(-0600)] <MarvinAddison> Which "historical participants"?
[13:20:43 CST(-0600)] <apetro> Andrew Tillinghast from Connecticut College, who replied to my reaching out with updated source code
[13:20:52 CST(-0600)] <apetro> and Eric Pierce from USF, original poster of the extension
[13:21:01 CST(-0600)] <MarvinAddison> Ah, see those messages now.
[13:21:36 CST(-0600)] <apetro> they're the two people who had edited/posted to that wiki page regarding the extension, so I figured they deserved my reaching out directly to let them know of intent and solicit participation
[13:21:53 CST(-0600)] <MarvinAddison> Good thinking.
[13:22:09 CST(-0600)] <MarvinAddison> Does it build cleanly? Deploy?
[13:22:35 CST(-0600)] <apetro> the fixed additional code sent via email? Haven't tried yet.
[13:22:59 CST(-0600)] <apetro> The code that's in SVN so far? No, unless I'm missing something important, but that's after all part of the impetus for the productization project (smile)
[13:24:21 CST(-0600)] <battags> hey!
[13:24:27 CST(-0600)] <battags> glad you all check your IMS :-p
[13:24:43 CST(-0600)] <wgthom> battaglia in the house.
[13:24:44 CST(-0600)] <MarvinAddison> Hey Scott – glad you made it.
[13:24:57 CST(-0600)] <battags> Web Chat and I fought
[13:24:59 CST(-0600)] <battags> I won this time
[13:25:09 CST(-0600)] <MarvinAddison> Yeah, saw your note.
[13:25:44 CST(-0600)] <battags> Andrew saw you sandboxed the code (woot!)
[13:25:50 CST(-0600)] <MarvinAddison> Andrew, I see that trunk of pwexp module is empty. What's the plan?
[13:26:05 CST(-0600)] <battags> do we need to go to Incubation?
[13:26:25 CST(-0600)] <MarvinAddison> I think we're going to work out some stuff in sandbox, then head that route.
[13:26:28 CST(-0600)] <apetro> My next move is to triage among the available code, put some reasonable starting point in /trunk, and iterate on it
[13:26:36 CST(-0600)] <MarvinAddison> Sounds good.
[13:27:32 CST(-0600)] <MarvinAddison> Just realized the title of your email, Andrew: "birthing CAS password policy extension module into Jasig SVN"
[13:27:34 CST(-0600)] <MarvinAddison> Love it.
[13:28:09 CST(-0600)] <apetro> birthing living projects rather than just contributing code snapshots, as it were
[13:28:22 CST(-0600)] <apetro> not that sharing code snapshots isn't a totally welcome starting point
[13:28:51 CST(-0600)] <MarvinAddison> Right on.
[13:29:15 CST(-0600)] <apetro> re Incubation, I guess I am interested in the JIRA issue tracker that Incubation could afford, but otherwise I see no hurry.
[13:29:31 CST(-0600)] <apetro> Immediate term even the issue tracker won't add much value, till a starting point stabilizes in sandbox
[13:29:51 CST(-0600)] <MarvinAddison> No hurry, but it's one specific direction for formalization.
[13:30:07 CST(-0600)] <MarvinAddison> Another possibility is a cas-server integration module.
[13:30:57 CST(-0600)] <MarvinAddison> Actually it might be helpful to discuss whether we envision this remaining a standalone project, or ever becoming part of cas-server proper.
[13:31:06 CST(-0600)] <apetro> Yes.
[13:31:22 CST(-0600)] <apetro> I definitely envision the part of cas-server proper endgame
[13:32:08 CST(-0600)] <MarvinAddison> I think it's perfectly justifiable if we assume or have evidence that it would be widely used/useful.
[13:32:09 CST(-0600)] <apetro> but am open to a couple paths to that, as a well-factored extension ala ClearPass for CAS 3, perhaps, and as more in-built in CAS 4.
[13:33:03 CST(-0600)] <apetro> Yes. Especially if we succeed in making it broader than just LDAP, there are several references of existing CAS adopters who have had this use case bad enough to customize CAS to meet it.
[13:33:57 CST(-0600)] <apetro> at the least, Connecticut and USF on record via that wiki page, the folks who participated in that cas-user thread including SacState
[13:34:26 CST(-0600)] <MarvinAddison> If it starts to creep toward multiple backends, then it certainly would make sense to be more tightly integrated in the server sourcebase since we already have integration modules for various backend auth systems.
[13:34:48 CST(-0600)] <apetro> I think we could convince ourselves that it would be widely used and useful, and that adopters increasingly expect password policy enforcement out of their Web SSO solution.
[13:35:00 CST(-0600)] <MarvinAddison> I think that's reasonable.
[13:35:09 CST(-0600)] <MarvinAddison> Password expiration comes up frequently on cas-user.
[13:35:46 CST(-0600)] <battags> CAS4 supports converting LDAP error codes to exceptions
[13:35:56 CST(-0600)] <battags> right now it only supports Microsoft AD (smile)
[13:36:31 CST(-0600)] <MarvinAddison> We could probably develop something similar for the Jdbc auth handler.
[13:36:35 CST(-0600)] <MarvinAddison> conceptually similar
[13:36:50 CST(-0600)] <apetro> yes
[13:37:02 CST(-0600)] <battags> https://source.jasig.org/cas3/trunk/cas-server-support-ldap/src/main/java/org/jasig/cas/server/authentication/GeneralSecurityExceptionTranslator.java
[13:37:09 CST(-0600)] <MarvinAddison> The handler would be responsible for throwing exceptions on certain cases, then the CAS4 plumbing would handle accordingly.
[13:37:18 CST(-0600)] <battags> https://source.jasig.org/cas3/trunk/cas-server-support-ldap/src/main/java/org/jasig/cas/server/authentication/MicrosoftActiveDirectoryGeneralSecurityExceptionTranslator.java
[13:37:19 CST(-0600)] <apetro> also need to handle case where authentication succeeds but password will expire "soon" and need to advise user of this unhappy fact
[13:37:30 CST(-0600)] <battags> that is available in CAS4 also
[13:37:32 CST(-0600)] <MarvinAddison> Optionally handle, yes.
[13:37:51 CST(-0600)] <apetro> ok
[13:37:59 CST(-0600)] <battags> https://source.jasig.org/cas3/trunk/cas-server-api/src/main/java/org/jasig/cas/server/authentication/MessageResolver.java
[13:38:03 CST(-0600)] <MarvinAddison> I believe warnings are much harder to handle generally.
[13:38:11 CST(-0600)] <MarvinAddison> Not sure if OpenLDAP ppolicy supports that.
[13:38:16 CST(-0600)] <apetro> sounds like a two pronged approach: articulate how this is solved in CAS 4, ideally shipping with viable example configuration and the relevant user experiences/flows
[13:38:27 CST(-0600)] <apetro> and factor extension module to address use case in cas3
[13:38:50 CST(-0600)] <MarvinAddison> For now we should focus on #3 since the API is fixed.
[13:38:59 CST(-0600)] <MarvinAddison> #2==cas3 I mean
[13:39:13 CST(-0600)] <apetro> seems like it's sometimes custom stuff anyway, driving the "your password will expire soon" use case
[13:39:36 CST(-0600)] <MarvinAddison> It certainly is in our case at present – I just finished implementing this stuff for VT.
[13:39:39 CST(-0600)] <apetro> so having flow support for it with a pluggable API for CAS to determine whether a given account is afflicted could scratch the itch
[13:40:24 CST(-0600)] <MarvinAddison> In fairness, it was easy enough to create custom actions and plug them into the vanilla webflow in our case.
[13:40:47 CST(-0600)] <apetro> perhaps a default impl that does nothing so the advisory never shows
[13:41:01 CST(-0600)] <apetro> it is. CAS is a beautiful customization and consulting platform.
[13:41:17 CST(-0600)] <apetro> but the most common use cases should probably be merged into the base flow
[13:41:20 CST(-0600)] <MarvinAddison> So building exp into the default flow with a noop handler?
[13:41:23 CST(-0600)] <MarvinAddison> Sounds reasonable.
[13:41:30 CST(-0600)] <apetro> yes
[13:41:40 CST(-0600)] <apetro> makes it feel more like a product
[13:41:57 CST(-0600)] <MarvinAddison> agreed
[13:42:22 CST(-0600)] <apetro> message becomes less "you can customize the login flow to do anything you want" (well, continues to be that, but for this specific use case, it becomes) more "Fulfill this plugin API and CAS will advise your users with stale passwords that their experience is about to get bad"
[13:42:56 CST(-0600)] <battags> if you want something that's going to be pulled into the default flow then it can't be the LDAP Password Expiration module
[13:43:08 CST(-0600)] <battags> it has the to be the Super Generic Supports Different Backends Expiration Module
[13:43:09 CST(-0600)] <battags> (wink)
[13:43:14 CST(-0600)] <MarvinAddison> Correct.
[13:43:17 CST(-0600)] <battags> I'm considering trademarking those names
[13:43:18 CST(-0600)] <battags> ha
[13:43:29 CST(-0600)] <MarvinAddison> I think Andrew got the name right in svn – doesn't claim ldap.
[13:43:41 CST(-0600)] <MarvinAddison> Good point regardless.
[13:44:25 CST(-0600)] <apetro> loosely relatedly, how's the Manual Cleanup / Great Migration of Great Stuff in the Manual that Isn't Really Documenting CAS Itself initiative?
[13:44:39 CST(-0600)] <battags> the tagged ones claim LDAP due I guess to the original module names
[13:44:44 CST(-0600)] <battags> that's what I saw go by in the RSS feed (smile)
[13:44:50 CST(-0600)] <apetro> indeed
[13:45:09 CST(-0600)] <apetro> the tags are intended to be exactly what was in the wiki, and by their names to communicate exactly what they are and where they came from
[13:45:25 CST(-0600)] <MarvinAddison> re documentation, it's slow going.
[13:45:38 CST(-0600)] <MarvinAddison> I'm trying to do the hardest stuff first – writing new content.
[13:46:23 CST(-0600)] <MarvinAddison> I recently started on chapter 3, https://wiki.jasig.org/display/CASUM/3.+Planning+and+Deployment+Considerations.
[13:46:34 CST(-0600)] <MarvinAddison> This is one of the hardest chapters IMO.
[13:47:26 CST(-0600)] <MarvinAddison> Especially 3.4, since it's a very important aspect of CAS adoption/use, yet we have only bits and pieces that address planning and deployment.
[13:47:46 CST(-0600)] <MarvinAddison> If anyone can recommend sources of inspiration, please speak up.
[13:48:18 CST(-0600)] <apetro> Agreed it's hard work. We do some of our best custom consulting around working through this kind of planning. (smile)
[13:48:39 CST(-0600)] <battags> can we get a few deployers we trust to write something up for that section?
[13:48:39 CST(-0600)] <MarvinAddison> Is any of that work sharable?
[13:48:49 CST(-0600)] <battags> i.e. Rutgers, VT, Yale ?
[13:48:51 CST(-0600)] <MarvinAddison> I certainly have something to say.
[13:49:00 CST(-0600)] <battags> I'm sure Howard could write up a good description of Yale's deployment
[13:49:03 CST(-0600)] <MarvinAddison> It would be great if Howard could write something about true clustered setups.
[13:49:07 CST(-0600)] <MarvinAddison> haha
[13:49:08 CST(-0600)] <battags> Dave Steiner could write one for RU
[13:49:09 CST(-0600)] <MarvinAddison> thinking same
[13:49:35 CST(-0600)] <battags> I had dinner with Dave yesterday and he'll be at the meet up
[13:49:51 CST(-0600)] <MarvinAddison> It would be great if you could invite him to contribute.
[13:50:01 CST(-0600)] <battags> Andrew, can you work your Yale magic to tell the Yale people to sign up for the meet up?
[13:50:18 CST(-0600)] <battags> I'll check with Dave and Omer
[13:50:36 CST(-0600)] <apetro> battags, I'll reach out and ask Yale folks to attend.
[13:51:41 CST(-0600)] <battags> thanks. I need to sync up with them in person. Did too many phone calls with them (smile)
[13:52:28 CST(-0600)] <apetro> I also blogged the meetup. That should draw the crowds. http://www.unicon.net/blog/apetro/cas-meetup-nyc-march-2011
[13:52:36 CST(-0600)] <MarvinAddison> haha
[13:53:07 CST(-0600)] <wgthom> how about reaching out to the java sigs in nyc?
[13:53:31 CST(-0600)] <wgthom> http://www.nycjava.net/JSPWiki/
[13:55:27 CST(-0600)] <battags> I thought about it. Still trying to get as many active cas-user or dev people as possible to come
[13:55:33 CST(-0600)] <battags> and then convert them into conference attendees (wink)
[14:04:05 CST(-0600)] <apetro> update: rumor is Howard Gilbert of Yale will be at the meetup
[14:04:48 CST(-0600)] <battags> good to hear
[14:04:52 CST(-0600)] <battags> hoping Susan can make it too
[14:05:09 CST(-0600)] <battags> we'd have a CAS Steering Committee quorum then
[14:05:26 CST(-0600)] <battags> we should extend the invite to Patty Gertz also
[14:06:04 CST(-0600)] <battags> did we put an invite on the calendar for the rescheduled steering meeting?
[14:06:16 CST(-0600)] <apetro> cas steering committee meeting Tuesday - MarvinAddison, you still own the task of updating that Calliflower event?
[14:06:31 CST(-0600)] <MarvinAddison> Yes, thanks for reminding me.
[14:06:42 CST(-0600)] <MarvinAddison> Will do that now or I'll forget...
[14:07:27 CST(-0600)] <MarvinAddison> Found https://wiki.jasig.org/display/CASST/CAS-Related+Accounts, but no calliflower.
[14:07:29 CST(-0600)] <MarvinAddison> Is there another page?
[14:07:40 CST(-0600)] <apetro> it's a Jasig-scoped account rather than CAS-scoped
[14:08:28 CST(-0600)] <battags> if I don't block off the time then there's a greater than 90% chance that I'll have a meeting scheduled
[14:08:45 CST(-0600)] <apetro> I manually locally blocked, and I'm still double-booked
[14:08:48 CST(-0600)] <MarvinAddison> I totally slacked on this one.
[14:08:57 CST(-0600)] <apetro> but I'll always be double-booked, so let's run with this timeslot anyway
[14:09:05 CST(-0600)] <MarvinAddison> I can't find the page Andrew. Conf search isn't any help.
[14:09:26 CST(-0600)] <apetro> ok. I don't know that it's there to be found.
[14:09:35 CST(-0600)] <apetro> Who set it up? Susan? JJM?
[14:09:41 CST(-0600)] <MarvinAddison> Dunno.
[14:09:58 CST(-0600)] <apetro> Patty Gertz might have inherited the credentials, as silly as it feels to escalate this to the ExecDir, I suggest that as the next move
[14:10:11 CST(-0600)] <apetro> those credentials need to be avail to all the Jasig committee chairs at the least
[14:10:32 CST(-0600)] <MarvinAddison> Use ed@jasig.org? That's a good point, and worthy use of her time to make it so.
[14:12:56 CST(-0600)] <apetro> apparently yes, ed@jasig.org http://www.jasig.org/patty-gertz-appointed-jasig-interim-exec
[14:13:11 CST(-0600)] <MarvinAddison> ack
[14:13:33 CST(-0600)] <battags> the instructions appear to be under the Jasig Board space
[14:13:43 CST(-0600)] <battags> I can get to them
[14:13:46 CST(-0600)] <battags> since I'm an admin (smile)
[14:14:01 CST(-0600)] <MarvinAddison> Whew, good deal.
[14:14:17 CST(-0600)] <battags> I guess that means I'll need to schedule it
[14:14:45 CST(-0600)] <MarvinAddison> Or you can put the credentials on that cas page and I'll do it.