jasig-cas IRC Logs-2011-03-25
[13:01:19 CDT(-0500)] <wgthom> hola
[13:02:22 CDT(-0500)] <MarvinAddison> Howdy.
[13:02:56 CDT(-0500)] <MarvinAddison> Howdy Andrew.
[13:03:15 CDT(-0500)] <apetro> howdy
[13:03:42 CDT(-0500)] <apetro> uPortal quickstart seems to be a pretty good showcase of the features of CAS
[13:03:53 CDT(-0500)] <apetro> better of course if there were more than one application to single sign-on to
[13:04:11 CDT(-0500)] <MarvinAddison> Is that re my question days ago?
[13:04:16 CDT(-0500)] <apetro> but that proxy ticket support test portlet is a nice little example of the proxy ticket feature
[13:04:18 CDT(-0500)] <apetro> yes
[13:04:20 CDT(-0500)] <apetro> that was days ago?
[13:04:30 CDT(-0500)] <MarvinAddison> y
[13:04:39 CDT(-0500)] <apetro> showed up as the most recent thing in Xchat's reconstitution of the room, sorry, thought was current
[13:04:54 CDT(-0500)] <MarvinAddison> All good. I was hoping for feedback.
[13:05:15 CDT(-0500)] <apetro> re the database dependency, uP-quickstart works fine against hsql
[13:05:25 CDT(-0500)] <apetro> that's a database dependency, but a pretty darn modest one
[13:05:29 CDT(-0500)] <MarvinAddison> I'm looking for something that can be clustered.
[13:05:34 CDT(-0500)] <MarvinAddison> I guess that raises the bar in any case.
[13:05:40 CDT(-0500)] <apetro> well, yes
[13:05:43 CDT(-0500)] <MarvinAddison> I'm leaning toward uP all the same.
[13:06:03 CDT(-0500)] <apetro> being able to test the proxy ticket support is a pretty nice feature
[13:06:03 CDT(-0500)] <MarvinAddison> I have a cluster in a box now.
[13:06:18 CDT(-0500)] <apetro> excellent
[13:06:26 CDT(-0500)] <apetro> you might have to start marketing that as a private cloud
[13:07:02 CDT(-0500)] <MarvinAddison> Put "cloud" in it these days and it sells.
[13:07:26 CDT(-0500)] <MarvinAddison> I want to do a couple things with this:
[13:07:34 CDT(-0500)] <MarvinAddison> Resource for developers to test HA features.
[13:07:44 CDT(-0500)] <MarvinAddison> Resource for deployers to see how the components fit together.
[13:07:47 CDT(-0500)] <MarvinAddison> Anything else is gravy.
[13:07:58 CDT(-0500)] <apetro> nice
[13:08:01 CDT(-0500)] <apetro> test resources are a good thing
[13:09:45 CDT(-0500)] <MarvinAddison> Either of you guys VirtualBox users?
[13:10:02 CDT(-0500)] <wgthom> not extensively...
[13:10:02 CDT(-0500)] <apetro> I am a VirtualBox consumer
[13:10:10 CDT(-0500)] <wgthom> using parallels on my home mac
[13:10:18 CDT(-0500)] <apetro> but I've not done much with producing VirtualBox envs
[13:10:58 CDT(-0500)] <apetro> somewhat turned off by the whole VirtualBox OSE vs VirtualBox Proprietary Oracle Edition fork
[13:11:57 CDT(-0500)] <MarvinAddison> It's not that bad, and it's way better than any of the other desktop solutions in terms of "freeness."
[13:12:07 CDT(-0500)] <apetro> agreed
[13:12:10 CDT(-0500)] <apetro> it's not that bad
[13:12:39 CDT(-0500)] <apetro> a totally different topic: that "Improper Handling of TGT's" thread laid to rest successfully?
[13:13:02 CDT(-0500)] <MarvinAddison> They went away – does that count?
[13:13:41 CDT(-0500)] <apetro> hmm. In general, no, but in the specific, that might mean the issue's resolved.
[13:14:06 CDT(-0500)] <MarvinAddison> In all seriousness...
[13:14:20 CDT(-0500)] <MarvinAddison> Unless we get headers of a client/server conversation, we can't know one way or the other.
[13:14:28 CDT(-0500)] <apetro> true
[13:14:57 CDT(-0500)] <apetro> looks like the thread was dispatched politely and, thanks to your efforts, with technical correctness and rigor, so I guess that's fine
[13:14:58 CDT(-0500)] <MarvinAddison> My proposal for what's happening is perfectly reasonable, and without contradictory evidence it's reasonable to assume no issue.
[13:15:04 CDT(-0500)] <apetro> grist for the manual update mill.
[13:15:19 CDT(-0500)] <MarvinAddison> I dunno about that....
[13:15:48 CDT(-0500)] <MarvinAddison> The matrix of client browser+environment is untenable at best.
[13:16:06 CDT(-0500)] <MarvinAddison> Modern browsers are getting to be complex beasts. That much we can document.
[13:16:24 CDT(-0500)] <apetro> true
[13:16:56 CDT(-0500)] <apetro> I've got the same action items I had re documenting and raising code from NYC meetup, password policy efforts
[13:17:08 CDT(-0500)] <apetro> though getting to the end of other stuff in the way, so very hopeful of more progress on that
[13:17:24 CDT(-0500)] <MarvinAddison> Sounds good.
[13:17:38 CDT(-0500)] <MarvinAddison> I'm still working on the clustered single sign-out issue.
[13:17:47 CDT(-0500)] <apetro> Scott's still in Seattle, I believe, but when he returns to the comfort of his private keys, will be cutting a patch release of cas-server
[13:18:15 CDT(-0500)] <MarvinAddison> That'll include the LT issue?
[13:18:19 CDT(-0500)] <MarvinAddison> fix, that is
[13:18:26 CDT(-0500)] <apetro> I understand he was able to meet with jbourey while he was out there and a productive and satisfying uPortal-CAS liaising conversation was had
[13:18:38 CDT(-0500)] <apetro> yes, primary purpose of that release is to fix the LT issue
[13:18:48 CDT(-0500)] <apetro> I think other minor stuff mopped up in there too?
[13:18:50 CDT(-0500)] <apetro> haven't looked.
[13:18:57 CDT(-0500)] <MarvinAddison> Me either.
[13:20:35 CDT(-0500)] <apetro> Is CAS email list traffic getting heavier?
[13:20:44 CDT(-0500)] <MarvinAddison> Seems pretty heavy this week.
[13:20:51 CDT(-0500)] <MarvinAddison> But not enough data to indicate a trend.
[13:21:03 CDT(-0500)] <MarvinAddison> On the topic of trends,
[13:21:30 CDT(-0500)] <MarvinAddison> We're getting a lot of "interesting" client deployment/customization questions of late.
[13:21:47 CDT(-0500)] <MarvinAddison> Second to that I'd say is HA questions/problems.
[13:21:57 CDT(-0500)] <MarvinAddison> We're never going to be able to reduce #1.
[13:22:02 CDT(-0500)] <MarvinAddison> #2 we can do better on.
[13:22:26 CDT(-0500)] <apetro> yes
[13:22:38 CDT(-0500)] <apetro> your efforts seem to be sensibly focused on addressing #2
[13:22:53 CDT(-0500)] <MarvinAddison> I'd say JpaTicketRegistry is the most discussed component of the HA questions.
[13:23:03 CDT(-0500)] <MarvinAddison> We have got to get that component right for CAS4.
[13:23:24 CDT(-0500)] <MarvinAddison> Some problems:
[13:23:27 CDT(-0500)] <MarvinAddison> - deadlocks
[13:23:36 CDT(-0500)] <MarvinAddison> - ticket cleanup
[13:23:40 CDT(-0500)] <MarvinAddison> - deployment complexity
[13:24:05 CDT(-0500)] <MarvinAddison> Based on what I've seen for CAS4, looks like we're going to do better on ticket cleanup and related configuration.
[13:24:46 CDT(-0500)] <MarvinAddison> I really want to get CAS4 deployed locally w/JPA hooked up to our PostgreSQL infrastructure so I can test for the deadlock issue.
[13:24:52 CDT(-0500)] <MarvinAddison> PG is the worst case afaict.
[13:25:20 CDT(-0500)] <apetro> sounds plausible
[13:25:28 CDT(-0500)] <apetro> something about rigor around implementing transactions
[13:25:58 CDT(-0500)] <MarvinAddison> PG could do better, sure.
[13:26:11 CDT(-0500)] <MarvinAddison> But I've seen this on 3 major platforms to one degree or another.
[13:26:25 CDT(-0500)] <apetro> oh indeed, I don't mean to blame PG
[13:26:27 CDT(-0500)] <MarvinAddison> That points to a design issue. I think I know how to fix it.
[13:26:40 CDT(-0500)] <MarvinAddison> But I've got to test/code/test to do so.
[13:26:51 CDT(-0500)] <MarvinAddison> I just wanted to say that out loud so it's on everyone's radar.
[13:26:55 CDT(-0500)] <apetro> yes
[13:26:58 CDT(-0500)] <MarvinAddison> It's been on my mind a while, but not sure I've said it.
[13:27:08 CDT(-0500)] <apetro> you know, a cluster-in-a-box for testing that would be handy...
[13:27:14 CDT(-0500)] <apetro> don't think you've said it, no
[13:27:23 CDT(-0500)] <apetro> good to get it acknowledged out loud
[13:27:49 CDT(-0500)] <MarvinAddison> Indeed.
[13:29:45 CDT(-0500)] <apetro> I believe there's some new documentation on CASifying some applications being added to the wiki
[13:30:28 CDT(-0500)] <MarvinAddison> Got links?
[13:30:33 CDT(-0500)] <apetro> In particular, this is recently added: https://wiki.jasig.org/display/CASC/Single+Sign+On+to+WebAdvisor+Using+CAS%2C+ClearPass%2C+and+a+Custom+Java+Filter
[13:30:41 CDT(-0500)] <apetro> that might be the only one, should be more on the way
[13:31:07 CDT(-0500)] <MarvinAddison> Can't have too many of those.
[13:31:14 CDT(-0500)] <MarvinAddison> Matt –
[13:31:23 CDT(-0500)] <MarvinAddison> I'm supposed to bug you on behalf of Dave Hawes.
[13:31:33 CDT(-0500)] <matt_uconn> Howdy all, sorry I'm late to the game
[13:31:37 CDT(-0500)] <matt_uconn> What's Dave need?
[13:32:33 CDT(-0500)] <matt_uconn> (I'm hoping I didn't forget about an email thread)
[13:33:17 CDT(-0500)] <MarvinAddison> https://issues.jasig.org/browse/MAS-37
[13:33:26 CDT(-0500)] <MarvinAddison> That's a good feature, and one we need here.
[13:33:42 CDT(-0500)] <MarvinAddison> If there are any concerns about it in any way, Dave is very responsive.
[13:34:31 CDT(-0500)] <MarvinAddison> We're currently applying the patch to 1.0.9.1 and beating the crap out of it and works as expected.
[13:35:20 CDT(-0500)] <matt_uconn> Ah yes, got it. We've spent most of our time lately with libcurl and some unit testing (libcheck), before these things get too far away from us. We should be able to wrap back around to new functionality soon.
[13:35:52 CDT(-0500)] <MarvinAddison> Sounds good. I'll keep checking in.
[13:36:23 CDT(-0500)] <matt_uconn> cool - tnx!
[13:37:16 CDT(-0500)] <matt_uconn> Marvin, I'm curious – VT does Shib too, right? Why use m-a-c for SAML?
[13:37:32 CDT(-0500)] <MarvinAddison> Authorization use cases exclusively.
[13:37:42 CDT(-0500)] <MarvinAddison> Which explains our excitement over that patch.
[13:38:04 CDT(-0500)] <MarvinAddison> We deliver LDAP group membership in the SAML payload and use it for authz.
[13:38:29 CDT(-0500)] <matt_uconn> Couldn't you do this with mod_shib (although, I do understand m-a-c is simpler)
[13:39:12 CDT(-0500)] <MarvinAddison> We use Shib almost exclusively for integration with services outside the University. Nobody wants to stand up a Shib SP for SSO here.
[13:39:17 CDT(-0500)] <MarvinAddison> (And I don't blame them.)
[13:39:27 CDT(-0500)] <apetro> Lazy bums.
[13:40:01 CDT(-0500)] <apetro> Do we know that mod_shib successfully integrates with SAML as vended by cas-server?
[13:40:02 CDT(-0500)] <MarvinAddison> I guess I'm just a wimp. But the SP is a complex beast on a very narrow platform.
[13:40:32 CDT(-0500)] <MarvinAddison> We've gotten same question in more general form several times.
[13:40:44 CDT(-0500)] <MarvinAddison> Answer is "maybe, but don't count on it."
[13:40:52 CDT(-0500)] <apetro> hmm
[13:41:00 CDT(-0500)] <apetro> not terribly marketable, that answer
[13:41:20 CDT(-0500)] <MarvinAddison> I'd feel much more confident if we used OpenSAML to generate responses, but we don't.
[13:41:28 CDT(-0500)] <apetro> agreed
[13:41:29 CDT(-0500)] <MarvinAddison> AFAIK, we're correcting that in CAS4.
[13:57:12 CDT(-0500)] <apetro> yeah progress and rigor
[13:57:16 CDT(-0500)] <apetro> anything else need touched on?
[13:58:19 CDT(-0500)] <apetro> yay, progress, even.
[13:58:57 CDT(-0500)] <MarvinAddison> I got nothing.
[13:59:16 CDT(-0500)] <matt_uconn> Maybe next week I'll get here on time ... but don't hold yer breath
[13:59:26 CDT(-0500)] <MarvinAddison> All good. Showing up at all counts.
[14:00:32 CDT(-0500)] <apetro> matt_uconn, that CAS sustainability reporting upward you're doing yield anything re-usable and valuable for Jasig CAS project generally?
[14:02:21 CDT(-0500)] <matt_uconn> No, verbal discussions only at this point. I wouldn't exactly call it a "report", more like a "justification". However, my involvement at the state level (due to horrific deficit conditions) seems to be turning more towards a general "Open Source Advocacy", and may turn into something tangible.
[14:02:43 CDT(-0500)] <apetro> k
[14:03:00 CDT(-0500)] <matt_uconn> If anything does manifest, I will make sure it is shareable and reusable.
[14:07:28 CDT(-0500)] <matt_uconn> All right, see y'all next week.