[07:48:12 EDT(-0400)] * athena7 ( has joined ##uportal
[08:38:49 EDT(-0400)] * MarkRogers ( has joined ##uportal
[09:06:51 EDT(-0400)] * michelled (n=team@ has joined ##uportal
[09:28:39 EDT(-0400)] * EricDalquist ( has joined ##uportal
[09:29:03 EDT(-0400)] <EricDalquist> FYI: there is a wisclist outage:;caseID=080515-0091
[09:29:23 EDT(-0400)] <EricDalquist> test ...
[09:29:46 EDT(-0400)] * EricDalquist ( has joined ##uportal
[09:30:02 EDT(-0400)] <athena7> oh sad
[09:30:27 EDT(-0400)] <athena7> no email (sad)
[09:30:59 EDT(-0400)] <EricDalquist> yeah
[09:31:07 EDT(-0400)] <EricDalquist> I was wondering why my inbox was quiet
[09:31:14 EDT(-0400)] <EricDalquist> I think 95% of my email comes via wisclist
[09:31:30 EDT(-0400)] <athena7> yeah things seemed quiet this morning but i figured it was early still
[09:31:31 EDT(-0400)] <EricDalquist> including outage notices ironically
[09:31:36 EDT(-0400)] <athena7> since for me it's just the jasig stuff
[09:31:39 EDT(-0400)] <athena7> oh, lol
[09:32:01 EDT(-0400)] <EricDalquist> the only reason I though to check is I sent an email to uportal-user that hadn't shown up
[09:32:21 EDT(-0400)] <athena7> yeah last time we had a campus network outage we had some complaints from other departments in IT because the portal wasn't showing the ITS status messages about it
[09:32:27 EDT(-0400)] <athena7> i'm like no, it's not that we're not trying
[09:32:39 EDT(-0400)] <EricDalquist> lol
[09:32:41 EDT(-0400)] <athena7> but the portal relies on the network being functional to be able to get those messages . . .
[09:32:57 EDT(-0400)] <EricDalquist> brb
[09:33:08 EDT(-0400)] <athena7> k
[09:57:23 EDT(-0400)] * anastasiac (n=team@ has joined ##uportal
[10:13:49 EDT(-0400)] <EricDalquist> oi ... having the carpets cleaned at home today and I'm having fun moving stuff ...
[10:15:10 EDT(-0400)] <MarkRogers> where is host? UWisc?
[10:15:28 EDT(-0400)] <EricDalquist> princeton hosts all of the stuff
[10:15:31 EDT(-0400)] <MarkRogers> I meant "hosted"
[10:15:40 EDT(-0400)] <MarkRogers> thanks
[10:15:57 EDT(-0400)] <EricDalquist> something wrong with it?
[10:16:23 EDT(-0400)] <MarkRogers> nope
[10:17:06 EDT(-0400)] <MarkRogers> just curious as it was a little slow this morning when doing an ant deploy-ear and I had to look at it on my screen (smile)
[10:17:16 EDT(-0400)] <EricDalquist> ah
[10:22:26 EDT(-0400)] <EricDalquist> I'm going to write a wiki page on how to change host names with cas
[10:22:35 EDT(-0400)] <EricDalquist> detail each spot it needs changing
[10:23:18 EDT(-0400)] <MarkRogers> ldap hosts?
[10:23:25 EDT(-0400)] <EricDalquist> no
[10:23:34 EDT(-0400)] <EricDalquist> what host/port your portal is listening on
[10:23:45 EDT(-0400)] <EricDalquist> the ldap stuff we need to get figured out too
[10:23:46 EDT(-0400)] <EricDalquist> brb
[10:32:13 EDT(-0400)] <athena7> that sounds like a good idea
[10:32:21 EDT(-0400)] <athena7> i think some of that stuff is still pretty undocumented in the manual
[10:32:27 EDT(-0400)] <EricDalquist> Mark emailed me his config files
[10:32:31 EDT(-0400)] <EricDalquist> several problems
[10:32:43 EDT(-0400)] <EricDalquist> I'm checking to see if it is ok to reply to uportal-user with the answers
[10:32:43 EDT(-0400)] <athena7> ldap config files?
[10:32:47 EDT(-0400)] <athena7> ahh
[10:32:47 EDT(-0400)] <EricDalquist> yeah
[10:32:59 EDT(-0400)] <EricDalquist> he has local AND local&ldap configs uncommented
[10:33:08 EDT(-0400)] <EricDalquist> and the ldap names don't match what is in ldapcontext
[10:33:12 EDT(-0400)] <athena7> yeah
[10:33:48 EDT(-0400)] <athena7> wait which ldap files were these?
[10:34:05 EDT(-0400)] <MarkRogers> do you mean "Kevin", Eric?
[10:34:54 EDT(-0400)] <EricDalquist> Kevin Thompson, one of the guys on the user list with ldap problems
[10:35:01 EDT(-0400)] <EricDalquist> and ldapContext.xml
[10:35:23 EDT(-0400)] <MarkRogers> ah, yes said Mark (wink)
[10:35:39 EDT(-0400)] <EricDalquist> oops
[10:35:48 EDT(-0400)] <EricDalquist> type one thing think another ... I'm good at that
[10:36:14 EDT(-0400)] <MarkRogers> kinda like typing "yes" when you mean "you" (wink)
[10:38:13 EDT(-0400)] <MarkRogers> yippee
[10:38:33 EDT(-0400)] <MarkRogers> I got my LDAPish stuff to work
[10:38:47 EDT(-0400)] <EricDalquist> cool
[10:39:10 EDT(-0400)] <MarkRogers> my problem must have been related to SSL
[10:39:49 EDT(-0400)] <MarkRogers> i was trying to authenticate against Novell eDirectory which requires an LDAPS connection unless you allow clear text passwords
[10:39:54 EDT(-0400)] <athena7> ah ok
[10:40:04 EDT(-0400)] <athena7> yeah i figured it was a bean config problem if it wasn't even starting up
[10:40:05 EDT(-0400)] <MarkRogers> so I set up an OpenDS server on my Mac, and BAM
[10:40:34 EDT(-0400)] <athena7> ahh
[10:40:35 EDT(-0400)] <EricDalquist> uPortal should be able to do ldapds
[10:40:37 EDT(-0400)] <EricDalquist> ldaps*
[10:40:38 EDT(-0400)] <athena7> yes
[10:40:50 EDT(-0400)] <athena7> i think if you configure it to use ldaps and the correct port it should work
[10:40:56 EDT(-0400)] <athena7> if it doesn't, that's something we should look into
[10:41:10 EDT(-0400)] <MarkRogers> I think it was that problem with the server certificate needing to be recognized by the JVM
[10:41:12 EDT(-0400)] <MarkRogers> just guessing
[10:41:13 EDT(-0400)] <athena7> if the server has a self-signed cert you'll probably need to import that into your jvm too
[10:41:17 EDT(-0400)] <athena7> ah
[10:41:33 EDT(-0400)] <athena7> yeah
[10:41:40 EDT(-0400)] <EricDalquist> ah
[10:41:40 EDT(-0400)] <athena7> if that turns out to be the case you can always use keytool to pull it in
[10:41:41 EDT(-0400)] <EricDalquist> yeah
[10:41:52 EDT(-0400)] <EricDalquist> and the jdk keytool is a pain in the butt
[10:42:24 EDT(-0400)] <athena7> where is the keystore on a mac, anyway?
[10:42:27 EDT(-0400)] <MarkRogers> not even sure that my eDirectory server has a self-signed certificate
[10:42:39 EDT(-0400)] <EricDalquist> no idea
[10:42:51 EDT(-0400)] <athena7> it must have something if it's doing ssl?
[10:45:09 EDT(-0400)] <MarkRogers> I'll ask
[10:47:20 EDT(-0400)] * holdorph ( has joined ##uportal
[10:48:34 EDT(-0400)] <athena7> can you do something like s_client -connect ldapserver:port -showcerts ?
[10:49:48 EDT(-0400)] <athena7> i think that should work against an ldap server, anyway
[10:50:08 EDT(-0400)] <MarkRogers> what is s_client
[10:50:08 EDT(-0400)] <athena7> if it does, it'll print out the certificate that you would need to import
[10:50:34 EDT(-0400)] <athena7> oops sorry - that'd be "openssl s_client -connect ldapserver:port -showcerts"
[10:51:30 EDT(-0400)] <MarkRogers> well look at that
[10:51:57 EDT(-0400)] <MarkRogers> yes it does
[10:52:04 EDT(-0400)] <MarkRogers> how do I import that?
[10:52:21 EDT(-0400)] <athena7> so if you take the certificate that gets printed out and save it to a file
[10:52:28 EDT(-0400)] <athena7> the part between begin and end certificate
[10:52:38 EDT(-0400)] <athena7> then use the jvm's keytool:
[10:52:44 EDT(-0400)] <MarkRogers> okay, I see that
[10:54:21 EDT(-0400)] <athena7> argh
[10:54:24 EDT(-0400)] <athena7> it ate my command
[10:54:44 EDT(-0400)] <MarkRogers> i can import it with Keychain Access on my Mac
[10:54:53 EDT(-0400)] <MarkRogers> okay done
[10:55:01 EDT(-0400)] <athena7> oh ok, a mac
[10:55:15 EDT(-0400)] <athena7> i was going to print out the command for using the jvm's keytool, but never mind (smile)
[10:56:03 EDT(-0400)] <MarkRogers> it says that it is signed by an unknown authority, but I suppose that just means it wasn't Thawte or Verisign
[10:56:04 EDT(-0400)] <athena7> so if that successfully gets it in your keystore as a trusted certificate, that should be it
[10:56:08 EDT(-0400)] <athena7> yes
[10:56:19 EDT(-0400)] <athena7> i haven't used the mac keychain access tool much
[10:56:30 EDT(-0400)] <athena7> is there a way to tell it that you trust it?
[10:56:42 EDT(-0400)] <MarkRogers> so I can try to change my ldap cas config back and try it
[10:56:50 EDT(-0400)] <athena7> sounds good
[10:57:05 EDT(-0400)] <athena7> did you get an ssl error in the cas log before?
[10:58:11 EDT(-0400)] <MarkRogers> no, nothing
[10:58:21 EDT(-0400)] <MarkRogers> i could only see that it had tried it
[10:58:34 EDT(-0400)] <MarkRogers> and failed
[10:59:00 EDT(-0400)] <athena7> interesting, i'm a little surprised
[10:59:11 EDT(-0400)] <athena7> i wonder if we might want to turn up logging a little in the default configuration
[10:59:22 EDT(-0400)] <athena7> or at least document how to do that
[11:01:43 EDT(-0400)] <MarkRogers> can you do that?
[11:02:23 EDT(-0400)] * holdorph_ ( has joined ##uportal
[11:02:59 EDT(-0400)] <athena7> turn up the logging? yes
[11:04:19 EDT(-0400)] <MarkRogers> being a connoisseur of ldap errors, I would like to try that
[11:04:34 EDT(-0400)] <athena7> you need to add a new to uportal-portlets-overlay/cas/src/main/webapp/WEB-INF/
[11:04:42 EDT(-0400)] <athena7> just looked, and i think that's the right spot
[11:05:03 EDT(-0400)] <athena7> then run ant deploy-ear
[11:06:05 EDT(-0400)] <MarkRogers> okay ... something is kinda slow today, but I'll try that later
[11:06:38 EDT(-0400)] <MarkRogers> here's a dumb question (now that Cris has gone off-line and can't make fun of my Canuckness)
[11:07:08 EDT(-0400)] <MarkRogers> when I do a deploy-ear, maven wants to bring things to my local repository, right?
[11:07:19 EDT(-0400)] <EricDalquist> yes, if they aren't already there
[11:07:28 EDT(-0400)] <MarkRogers> but some things, it seems to always want to download
[11:07:33 EDT(-0400)] <EricDalquist> yeah
[11:07:50 EDT(-0400)] <EricDalquist> too bad Drew Wills isn't in here I could take a jab at him over this (wink)
[11:08:12 EDT(-0400)] <EricDalquist> so Cernunnos depends on some artifacts that only happen to be available in a Maven1 repository
[11:08:25 EDT(-0400)] <EricDalquist> Maven1 repositories do not include the pom.xml files, just the artifacts
[11:08:37 EDT(-0400)] <EricDalquist> so since those pom.xml files are missing from your local repo
[11:08:43 EDT(-0400)] <EricDalquist> maven tries to re-download them every time
[11:08:46 EDT(-0400)] <EricDalquist> annoying
[11:08:56 EDT(-0400)] <MarkRogers> can I manually put them there?
[11:09:01 EDT(-0400)] <EricDalquist> they don't exist
[11:09:06 EDT(-0400)] <EricDalquist> you could create stubs
[11:09:18 EDT(-0400)] <EricDalquist> since you can deduce the groupId, artifactId and version
[11:09:24 EDT(-0400)] <EricDalquist> and place those there
[11:10:41 EDT(-0400)] <MarkRogers> okay, I've gotten my eDir to work now too ... thanks to Jennifer
[11:12:19 EDT(-0400)] <MarkRogers> I used the fastldapbind in both cases
[11:15:50 EDT(-0400)] <athena7> oh good
[11:15:54 EDT(-0400)] <athena7> is everything fixed now?
[11:16:04 EDT(-0400)] <MarkRogers> yes, I think so
[11:16:08 EDT(-0400)] <athena7> yea!
[11:16:12 EDT(-0400)] <athena7> i'm glad
[11:16:23 EDT(-0400)] <athena7> and it's good to have someone test all this with ldaps too
[11:17:18 EDT(-0400)] <MarkRogers> i'm going to try to document this very simple case, including some of that keytool stuff
[11:18:05 EDT(-0400)] <athena7> wonderful (smile)
[11:18:28 EDT(-0400)] <athena7> i created initial pages for the person dir stuff and uportal security context stuff
[11:18:38 EDT(-0400)] <athena7> i don't think there's anything on the cas ldap configuration in the manual
[11:18:45 EDT(-0400)] <athena7> and the stuff i wrote could probably use some more work
[11:19:01 EDT(-0400)] <MarkRogers> the UPM30 manual?
[11:19:07 EDT(-0400)] <athena7> yeah
[11:21:12 EDT(-0400)] <athena7> can you set xstream to just ignore any xml elements it doesn't have java mappings for?
[11:21:45 EDT(-0400)] <EricDalquist> oops
[11:21:53 EDT(-0400)] <EricDalquist> just found out why Kevin's portal was failing to start
[11:22:00 EDT(-0400)] <EricDalquist> the example <alias name="studentLdapServer" alias="defaultLdapServer"/> I have in ldapContext.xml
[11:22:03 EDT(-0400)] <EricDalquist> the names are backwards
[11:22:10 EDT(-0400)] <EricDalquist> well
[11:22:12 EDT(-0400)] <EricDalquist> actually
[11:22:13 EDT(-0400)] <EricDalquist> no they aren't
[11:22:18 EDT(-0400)] <EricDalquist> they are just backwards in his version
[11:22:20 EDT(-0400)] <EricDalquist> ok
[11:22:22 EDT(-0400)] <athena7> oh (smile)
[11:22:25 EDT(-0400)] <EricDalquist> going to write an email to the list
[11:22:26 EDT(-0400)] <athena7> that'd do it
[11:22:47 EDT(-0400)] <athena7> if he wants to use the security context, he's going to need to update to the trunk or pull in the patch
[11:22:57 EDT(-0400)] <athena7> i don't think it will work in the GA
[11:22:57 EDT(-0400)] <EricDalquist> yeah
[11:23:14 EDT(-0400)] <EricDalquist> I'm going to need to do 3.0.1 soon ....
[11:23:22 EDT(-0400)] <athena7> yeah
[11:23:29 EDT(-0400)] <athena7> well i think i resolved like 4 tickets this morning
[11:24:35 EDT(-0400)] <EricDalquist> nice
[11:24:43 EDT(-0400)] <athena7> openTickets--;
[11:25:01 EDT(-0400)] <athena7> is everything important that needs to go into 3.0.1 marked with that fix version?
[11:25:21 EDT(-0400)] <athena7> i'd found some stuff in the uncategorized bucket and moved them in, but i'm not sure if i missed anything
[11:27:04 EDT(-0400)] <athena7> i'm not sure what to tell dave about his logging issue
[11:37:08 EDT(-0400)] <EricDalquist> wow I didn't realize just how bad the ldap examples were
[11:37:09 EDT(-0400)] <EricDalquist> (sad)
[11:37:20 EDT(-0400)] <EricDalquist> athena7: yeah I'm not sure I get what he's trying to do
[11:37:21 EDT(-0400)] <athena7> yeah
[11:37:27 EDT(-0400)] <athena7> they're really confusing, huh (smile)
[11:37:38 EDT(-0400)] <EricDalquist> yeah
[11:37:43 EDT(-0400)] <athena7> i made a ticket for changing those - i can pull in some useful examples from the docs
[11:37:49 EDT(-0400)] <EricDalquist> that would be good
[11:37:54 EDT(-0400)] <athena7> yep
[11:38:13 EDT(-0400)] <EricDalquist> if we could get yours or Mark's (or both) as samples in security.properties and ldapContext.xml
[11:39:40 EDT(-0400)] <athena7> yeah i've been thinking too about how to make sure that the examples don't confuse the person dir and security context ldap configurations
[11:39:58 EDT(-0400)] <athena7> is there really any reason to keep the alias in there?
[11:40:04 EDT(-0400)] <athena7> it kind of seems like it just adds confusion
[11:40:19 EDT(-0400)] <EricDalquist> nope
[11:40:44 EDT(-0400)] <EricDalquist> well other than I think if you configure a LDAP server you need one to be named 'defaultLdapServer'
[11:41:05 EDT(-0400)] <EricDalquist> yup
[11:41:58 EDT(-0400)] * holdorph ( has joined ##uportal
[11:42:03 EDT(-0400)] <athena7> right
[11:42:12 EDT(-0400)] <athena7> might just be clearer to name it "defaultLdapServer"
[11:42:40 EDT(-0400)] <EricDalquist> yup
[11:49:55 EDT(-0400)] <athena7> should the default person directory connection configuration be pooled?
[11:50:16 EDT(-0400)] <EricDalquist> pooled ldap or cached persondir?
[11:51:07 EDT(-0400)] <EricDalquist> not sure what pooled persondir is
[11:51:10 EDT(-0400)] <athena7> sorry
[11:51:14 EDT(-0400)] <EricDalquist> (smile)
[11:51:17 EDT(-0400)] <athena7> the ldap connection bean configuration
[11:51:23 EDT(-0400)] <EricDalquist> ah
[11:51:28 EDT(-0400)] <EricDalquist> probably not
[11:51:40 EDT(-0400)] <EricDalquist> definitely not with the JDK pooling
[11:51:48 EDT(-0400)] <EricDalquist> which is what that 'pool' attribute sets
[11:52:06 EDT(-0400)] <EricDalquist> and with the pooling context source (that we wrote at UW) it is actually slower
[11:52:16 EDT(-0400)] <athena7> ok, cool
[11:52:19 EDT(-0400)] <EricDalquist> though it does reduce load on the ldap server
[11:52:43 EDT(-0400)] <EricDalquist> that was one of those things where a manager said 'we must pool ldap to make it faster'
[11:53:05 EDT(-0400)] <EricDalquist> and even after testing and saying 'pooling with validation is slower than no pooling' we did it anyways (tongue)
[11:55:30 EDT(-0400)] <athena7> lol
[11:55:30 EDT(-0400)] <athena7> sad
[11:55:37 EDT(-0400)] <athena7> i mean it's not funny, but
[11:55:47 EDT(-0400)] <EricDalquist> (smile)
[11:55:49 EDT(-0400)] <EricDalquist> I know (smile)
[11:55:57 EDT(-0400)] <EricDalquist> it did make our ldap admins happy though
[11:56:06 EDT(-0400)] <EricDalquist> and it really isn't much slower ... maybe 1%
[11:56:17 EDT(-0400)] <EricDalquist> but it is extra complexity
[11:58:45 EDT(-0400)] <athena7> yeah
[11:58:52 EDT(-0400)] <MarkRogers> sorry, I have been away trying to write something down for Dave ... not sure if it will be of any help
[11:59:00 EDT(-0400)] <EricDalquist> plus people have to know that they can't use the same ldap connection for authn
[11:59:13 EDT(-0400)] <athena7> ok, i just committed some config file updates, if anyone wants to look them over and see if they make sense
[11:59:21 EDT(-0400)] <EricDalquist> thanks
[11:59:25 EDT(-0400)] <EricDalquist> I'll take a peek
[11:59:27 EDT(-0400)] <athena7> i've looked at all this stuff for so long i'm not sure i can converse sensibly about it anymore (smile)
[11:59:27 EDT(-0400)] <MarkRogers> I didn't touch or ldapContext.xml, Eric
[11:59:42 EDT(-0400)] <EricDalquist> oh yeah you're doing LDAP via CAS
[11:59:52 EDT(-0400)] <EricDalquist> this of course is the trick
[12:00:02 EDT(-0400)] <EricDalquist> you can do LDAP directly
[12:00:03 EDT(-0400)] <EricDalquist> or LDAP via CAS
[12:01:32 EDT(-0400)] <MarkRogers> yes, two separate cases I guess
[12:02:04 EDT(-0400)] <EricDalquist> this was a semi-expected consequence of bundling CAS though ... oh well
[12:02:21 EDT(-0400)] <MarkRogers> well, nice job though
[12:02:28 EDT(-0400)] <MarkRogers> it really does work
[12:03:16 EDT(-0400)] <EricDalquist> (smile)
[12:04:19 EDT(-0400)] <MarkRogers> I think the temptation is probably to try to do too much at one time (when you are just evaluating)
[12:05:04 EDT(-0400)] <EricDalquist> yup
[12:05:22 EDT(-0400)] <EricDalquist> and well much of the authn config is not well documented
[12:06:19 EDT(-0400)] <MarkRogers> there are a lot of different scenarios for that
[12:06:43 EDT(-0400)] <EricDalquist> yup
[12:06:49 EDT(-0400)] <athena7> yeah
[12:07:00 EDT(-0400)] <EricDalquist> and since I know in the back of my head that we're going to be switching to spring-security
[12:07:07 EDT(-0400)] <athena7> yeah
[12:07:10 EDT(-0400)] <EricDalquist> it makes me less motivated to document what we have now
[12:07:25 EDT(-0400)] <athena7> well, for the cas auth stuff, i guess we could provide some basic documentation, then refer to the CAS manual for more
[12:07:34 EDT(-0400)] <EricDalquist> yup
[12:07:41 EDT(-0400)] <EricDalquist> thats what it does right now
[12:08:10 EDT(-0400)] <athena7> i'm hoping what i added here will be close enough for now for the local ldap auth stuff:
[12:08:38 EDT(-0400)] <athena7> there's interesting random issues too
[12:09:03 EDT(-0400)] <athena7> like you potentially need to import the certificate for the server itself if you're using uportal and cas over ssl
[12:09:17 EDT(-0400)] <MarkRogers> speaking for the unknowing ... it would be nice to have the simplest cases documented so that evaluators can get up and running as quickly as possible
[12:09:23 EDT(-0400)] <athena7> since even though they might be on the same server, that doesn't really matter if the cert is not trusted by the jvm
[12:09:29 EDT(-0400)] <athena7> i agree mark
[12:09:36 EDT(-0400)] <EricDalquist> yes
[12:09:54 EDT(-0400)] <EricDalquist> and having those as the included example as well
[12:10:02 EDT(-0400)] <EricDalquist> athena7: yeah the SSL issues are a whole other can of worms
[12:10:04 EDT(-0400)] <athena7> the CAS stuff in the uportal manual needs an update
[12:10:23 EDT(-0400)] <EricDalquist> luckily they are also pretty consistent across any Java + SSL situation
[12:10:48 EDT(-0400)] <athena7> yeah
[12:12:55 EDT(-0400)] <MarkRogers> XML can be/seem a bit verbose and difficult to read
[12:13:18 EDT(-0400)] <EricDalquist>
[12:13:26 EDT(-0400)] <athena7> just saw that (smile)
[12:13:30 EDT(-0400)] <EricDalquist> does that seem right?
[12:13:34 EDT(-0400)] <EricDalquist> I'm going to test it right now