IRC log for #openam, 2013-10-29

All times shown according to UTC.

Time Nick Message
01:12 leffeg joined #openam
01:13 leffeg left #openam
01:14 leffeg joined #openam
01:15 leffeg left #openam
03:41 tsmalmbe1 joined #openam
06:33 metadaddy___ joined #openam
06:55 hos002 joined #openam
07:57 aldaris joined #openam
08:43 asyd morning
08:48 balo morning
08:53 aldaris joined #openam
08:54 asyd today is a "try to understand openam different cache levels" day
09:07 balo :) if you've succeeded you should write a post about it :) the community would appreciate it
09:14 asyd yeah I thought about that, but the "if you've succeeded" condition is not so easy :)
09:16 SteveF joined #openam
09:20 aldaris joined #openam
09:29 aldaris balo, asyd it's already somewhat documented in the core docs..
09:32 asyd I don't think all cache layers are documented iirc
10:00 aldaris joined #openam
10:03 aldaris1 joined #openam
10:06 aldaris1 not all the caches, but the interesting ones are documented. Which of the caches are you interested in?
10:07 asyd well it's a bit complex, since the customer is still using openam version 9. attributes fetched by REST (identity/attributes) are never updated
10:07 aldaris psearch problem.
10:08 asyd how to disable psearch? I tried to remove configuration in the userdatastore about psearch
10:08 aldaris why do you want to disable it?
10:09 asyd because the directory doesn't support it
10:10 aldaris http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/admin-guide/index.html#caching-properties
10:11 asyd thanks
10:12 aldaris and 18.3.1
10:16 aldaris actually 18.3.1 is right on subject :)
10:16 asyd indeed
10:19 balo hm. yesterday i was wondering about the ldap sfo cache. are the sfo entries cached too if the cfg data caching enabled?
10:20 aldaris no, they are unrelated
10:20 balo or it has a different cache maybe? or no cache at all?
10:21 aldaris the session service has its own caching
10:24 asyd hmm sounds like that change requires a restart
10:29 balo pretty good docs but it's from 2005 :| https://java.net/downloads/opensso/docs/architecture/session_arch.pdf
10:31 aldaris asyd: it does require a restart
10:32 aldaris and do NOT forget to enable SM cache explicitly!
10:32 asyd it works now, thanks. Just wondering about performance issue
10:32 aldaris it will be much worse
10:32 asyd com.sun.identity.sm.cache.enabled ?
10:32 aldaris other solution could be to change the idm.entry.expiry setting or enable the data store level cache
10:32 aldaris yepp that one
10:33 asyd hm I disabled it
10:33 aldaris but then the attributes can be cached until the TTL expires
10:33 asyd ok
10:33 aldaris am.sdk caching should be disabled, sm caching should be enabled
10:34 asyd pff it's a bit complex
10:34 aldaris am sdk caching disables both idm caching and sm caching
11:16 auke- I'm having problems with http headers injected from the session by the Apache agent, it seems like the encoding of the header in Tomcat isn't UTF-8 (é becomes é). I'm confident the source is alright (ldap dn and session variable). Any ideas what could be the problem?
11:28 aldaris so you are mapping things to http headers?
11:28 aldaris does it make any difference if you map the session properties to request attributes?
11:28 aldaris (imho request attributes are the safest way to map attributes with JEE agents)
11:30 MegaMatt joined #openam
11:33 jjpp auke-: é sounds exactly like utf8. how it is encoded, bytewise, in transfer?
11:34 auke- Yes, i'm mapping session attributes to http headers. We are using the Apache agent (Apache 2.2) and Tomcat6 (ProxyPass -> AJP). If i convert the header from latin1 to utf8 i get the right value (new String(header.getBytes("ISO-8859-1"), "UTF-8")).
11:36 jjpp so, your problem is that agent writes utf8 to header but whatever your server is, decodes it as latin1. (which it has to do, by rfc, probably)
11:51 auke- What would be the right way to fix this? Just convert from latin1 to utf8 in the application? I think the agent should url-encode the header to prevent problems like this...
11:54 jjpp there is no rfc-defined way to do that. but yes, as the http headers should be us-ascii (so, 8bit chars are anyway nono), urlencoding should work. that's what https://wiki.apache.org/tomcat/FAQ/CharacterEncoding#Q6 recommends, as well..
12:00 aldaris joined #openam
12:00 aldaris I think there is a magic option for web agents to be more friendly with utf-8 characters
12:02 auke- aldaris: magic... tell me more!
12:02 aldaris com.sun.identity.agents.config.encode.cookie.special.chars.enable = false
12:02 aldaris but this is for cookies
12:03 aldaris not sure if this would change anything for headers, but give it a shot
12:04 MegaMatt what about com.sun.identity.agents.config.convert.mbyte.enable ... or that doesn't apply here, right?
12:05 MegaMatt Encode URL's Special Characters
12:05 MegaMatt When enabled, encodes the URL which has special characters before doing policy evaluation.
12:05 MegaMatt Property: com.sun.identity.agents.config.encode.url.special.chars.enable
12:06 MegaMatt hmm no, I joined late, but it looks like you are in http headers not policy eval
12:06 aldaris nice MegaMatt :)
12:06 aldaris that's much more useful probably
12:07 aldaris The following property is to enable native encoding of
12:07 aldaris #   ldap header attributes forwarded by agents. If set to true
12:07 aldaris #   agent will encode the ldap header value in the default
12:07 aldaris #   encoding of OS locale. If set to false ldap header values
12:07 aldaris #   will be encoded in UTF-8
12:07 aldaris the default value is false
12:07 aldaris but maybe true actually helps here
12:07 aldaris auke- good luck, you've got your options :p
12:08 auke- Thank you, i will try the various options!
12:35 asyd SDK is supposed to be only configuration data, right? so nothing linked to IdRepo's contents?
12:36 asyd so why I can read:
12:36 asyd com.iplanet.am.sdk.cache.maxSize : Maximum number of user entries cached
12:39 aldaris https://bugster.forgerock.org/jira/browse/OPENAM-2291
12:40 aldaris I don't remember too much really, but sdk cache maxSize may control the IDM cache's max size :D
12:41 asyd ok so it's really not easy to understand, it's not just me
12:41 aldaris it's been a while since I wrote this up, probably should have been clearer :(
12:43 asyd #2291 reading is very interesting
12:46 asyd just another remark, in the documentation there are a lot of "define this <property> to <value>" but I never know where to define it. Sometimes in the agent properties, the userdatastore, sometimes in advanced properties of a site, etc. Could be interesting to mention where
12:47 aldaris right :)
12:47 aldaris those are good questions :p
12:48 aldaris for the server - advanced server properties
12:48 aldaris for SDK - AMConfig.properties
12:48 aldaris for JEE agents, either OpenSSOAgentBootstrap.properties or in the agent profile as a custom advanced property
12:48 asyd oh well, it was a general remark, to try to improve the documentation :)
12:49 aldaris I've let doc "team" know
12:49 asyd thanks
12:59 balo i have an interesting question. if i'm using policies, all of my configured agents got all the policies or are there some kind of filters (ex. for domain)? If all of the policies sent to all of the agents... Isn't that a big overhead? Or every agent gets it but they run just their "own" filters?
12:59 aldaris not that interesting actually :)
12:59 aldaris which policy mode are you using? self or subtree?
13:00 aldaris in general the PAs only receive policies in subtree mode, otherwise (in self mode) the policy evaluation is done by AM and PA only gets the policy decision
13:01 asyd another question about cache and psearch. the default of com.sun.am.event.connection.disable.list is to disable all psearch, right?
13:01 aldaris with web agents the feature is called fetch from root resource, which basically means it grabs the FQDN and queries for policies with rules matching the FQDN of the request
13:02 aldaris asyd: that depends on whether you use embedded or external configstore IIRC
13:02 balo aldaris: thanks. i think i understand it now
13:04 aldaris balo: what you should remember: self is better and scales better with large number of policies, use self when possible (it is more accurate as well)
13:04 aldaris FYI subtree is the default in versions prior to 11.0.0 :)
13:05 balo yeah, i read about that change :)
13:05 balo it's a shame but i didn't know exactly what that means
13:05 aldaris we've made some changes to improve performance for entitlements in 11, but that was mostly tested with self
13:06 aldaris subtree is also tested and slowly we have bugs coming out of that as well, and in general subtree should work just as fine, but self is definitely the more reliable in terms of correct decisions
13:07 balo thanks for the tips!
14:50 asyd in unique openam instance mode, it is the normal behavior that j2ee must be restarted when openam is restarted (while it works fine for web agents)
14:52 aldaris probably you have some really old jee agent
14:52 asyd 3.0.4 not *so* old :)
14:53 asyd but a bit old ok
15:26 asyd pff I really don't understand what is exactly ECP (in saml)
15:28 aldaris joined #openam
17:01 aldaris1 joined #openam
17:09 aldaris joined #openam
18:01 aldaris1 joined #openam
18:25 aldaris joined #openam
18:32 SteveF joined #openam
19:08 aldaris joined #openam
19:46 SteveF joined #openam
19:47 tsmalmbe joined #openam
19:54 hos002 left #openam
20:02 aldaris joined #openam
20:15 SteveF_ joined #openam
20:27 SteveF joined #openam
20:34 SteveF_ joined #openam
21:09 kala joined #openam
21:14 kohvihoor joined #openam
23:20 MegaMatt joined #openam
23:20 aldaris joined #openam
23:53 auke-_ joined #openam