IRC log for #openam, 2013-11-05

All times shown according to UTC.

Time Nick Message
03:53 jjpp_ joined #openam
04:07 _ilbot joined #openam
04:07 Topic for #openam is now Chat about the OpenAM project - http://openam.forgerock.org - OpenAM 10.1.0-Xpress is out! Channel logs at: http://irclog.perlgeek.de/openam/today
07:31 hos001 joined #openam
07:32 tsmalmbe joined #openam
08:16 ludovicp joined #openam
08:51 aldaris joined #openam
09:10 kim__ is this normal behavior during login? http://pastebin.com/7pNRaybX
09:11 kim__ the user gets redirected, so seems like the authentication is OK
09:15 asyd morning
10:01 balo morning
10:08 balo still LDAP SFO: I'm thinking about the modify conflict in the multimaster case. e.g. if one of the data servers goes down but couldn't replicate the changed session, the clients are redirected to the other data center, they modify the session, then the other datacenter comes back. how will opendj solve the conflict?
10:08 aldaris sounds like a pre-sales question, hehe
11:02 aldaris joined #openam
11:19 kim__ com.iplanet.dpro.session.SessionException: Invalid session ID.AQIC5wM2LY4SfcyiCTKVdf2HJfDahLcppM5MAjcvI68FG9w.*AAJTSQACMDE.*
11:19 kim__ Why is the session invalid?
11:20 aldaris because it is not valid :)
11:20 kim__ what is causing it to not be valid? :)
11:21 aldaris there is no such active session?
11:22 kim__ iPlanetDirectoryPro: AQIC5wM2LY4SfcxuteF9rUGFirbVWrDm0YweGw6xF9nDbQ8.*AAJTSQACMDE.*
11:26 MegaMatt joined #openam
11:55 aldaris balo: you still haven't raised an issue about storeusernamepassword
11:56 balo i know. it's on my todo list. i should review the entire module maybe there are other things in there
11:56 balo just have a lot of work now :(
12:26 pdurbin balo: at least you already migrated from glassfish: http://irclog.greptilian.com/javaee/2013-11-05#i_38515 :)
12:26 MegaMatt Ah, pdurbin - you saw the news that GF is going away?
12:26 pdurbin MegaMatt: yeah, discussing it in ##javaee
12:27 MegaMatt *switches tabs*
12:27 MegaMatt You don't like WLS?
12:29 pdurbin MegaMatt: WLS? Are you talking to me?
12:29 MegaMatt Yeah - Weblogic Server
12:30 MegaMatt It's supposedly the "commercial replacement" for GF
12:30 pdurbin I don't know much about it. I get it confused with websphere
12:30 asyd so gf will die like almost every opensource product bought by oracle?
12:32 balo asyd: it seems to me. it was just the first step
12:33 asyd well oracle have: Weblogic, Oracle Application Server, Glassfish and another one iirc
12:34 MegaMatt I think that's it
12:34 MegaMatt They have always wanted people to use Weblogic Server
12:34 balo Q: does openam update the 'lastaccesstime' attribute on every page reload protected by agents?
12:34 MegaMatt And btw, the frontline support team for WebLogic Server is understaffed and under trained.. and not very good to start with...
14:13 ludovicp joined #openam
15:25 balo I'm just wondering why FR chose LDAP backend for the sessions. Is there any particular reason for this? I know, I read in the release notes ("simplify the deployment") but I don't think the LDAP is a good choice for this task.
15:25 balo did you try it with ehcache or memcached?
15:26 aldaris oh, there is always someone asking this :)
15:27 aldaris I've been pushing ehcache for a while, but in the end I've heard that some parts of the licensing weren't okay for some people
15:28 aldaris and we ended up with LDAP because that we know the most and we can actually support it, rather than relying on some external party
16:16 pdurbin does the SAML support in OpenAM come from OpenSAML?
16:17 aldaris no
16:18 pdurbin ok, thanks
16:25 MegaMatt http://sources.forgerock.org/browse/~br=trunk/openam/trunk/openam/openam-federation/openam-federation-library/src/main/java/com/sun/identity/saml/
16:26 pdurbin MegaMatt: thanks
16:26 pdurbin I'm looking at this old thread I started: [OpenAM] Getting started with Shibboleth/SAML and the OpenAM Federation module - https://lists.forgerock.org/pipermail/openam/2013-September/013795.html
16:27 aldaris hah, Glassfish support :D
16:27 pdurbin heh
16:28 pdurbin I'll try it with tomcat, just like balo
16:28 MegaMatt That thread was what made me join this irc channel ;)
16:28 aldaris yaaay :D
16:28 aldaris almost everyone uses Tomcat here, so I'm pretty sure it works on it just fine :p
16:29 pdurbin the latest version of tomcat?
16:29 aldaris donno, I'm still running it on GF 3 :p
16:29 aldaris but should work with TC7
16:30 MegaMatt I grabbed TC 6 when I installed 10.0.0 .. but I think TC7 is fine too
16:31 pdurbin ok. 11 is out real soon now?
16:31 MegaMatt Should be in 3 days
16:32 aldaris something is not right with the Maven artifacts, it is missing the -sources -javadoc JARs randomly
16:34 pdurbin huh, the nightly builds at http://forgerock.org/openam.html have 12.0 in the URLs, not 11.0
16:34 aldaris because the release has been branched off
16:35 pdurbin any 11 release candidates? or should I just download 10?
16:36 aldaris it's in the maven repo already, but it's not official yet
16:36 aldaris if we want to fix the sources/javadoc JAR situation then we need to respin the build
16:38 pdurbin so I see: http://maven.forgerock.org/repo/releases/org/forgerock/openam/openam/
16:39 pdurbin does OpenAM 10 work with Java 7? I see "OpenAM Java 7 support" listed for OpenAM 11 at https://wikis.forgerock.org/confluence/display/openam/OpenAM+Roadmap
16:40 aldaris 10 what?
16:44 pdurbin should I run OpenAM 10 on Java 6?
16:44 aldaris 10 what?
16:45 aldaris we have 10.0.0, 10.0.1 and 10.1.0-Xpress you know..
16:45 MegaMatt I think a common issue with java 7 ... and even later java 6 updates is https://bugster.forgerock.org/jira/browse/OPENAM-2644
16:48 aldaris other than that we had a bug in ssoadm I think
16:48 aldaris and those were the only real problems with Java 7
16:48 pdurbin I only see 10.0.0 at http://forgerock.org/openam-archive.html . Not sure where to find 10.0.1 but I'll keep looking. Heading to lunch.
16:49 aldaris download.forgerock.com
16:49 aldaris see "Enterprise builds"
16:49 pdurbin so... not free? you have to pay?
16:50 aldaris well, if you can build with Maven, then it's free
16:50 aldaris otherwise you can only use the enterprise builds for poc and dev and stuff
16:50 MegaMatt 10.1.0 should be up there
16:51 pdurbin hmm. back in a bit. thanks
16:52 MegaMatt Or can build it - as aldaris said
16:59 MegaMatt_ joined #openam
17:59 pdurbin MegaMatt: you said you installed 10.0.0. I guess I'll try that version first
18:00 aldaris 10.0.1 would be more secure
18:01 MegaMatt 10.0.0 was an old download ..
18:01 MegaMatt If I were to grab it again, I'd grab 10.1.0-Express right now
18:01 MegaMatt and then get 11 on Friday :)
18:02 aldaris nah, I wouldn't grab 10.1.0-Xpress :d
18:02 aldaris 10.0.1 if you must, and 11 when possible
18:02 MegaMatt Fair enough
18:03 MegaMatt I'd say wait for 11 ;)
18:03 MegaMatt But play with 10.0.1 until then, if you feel like it .. hehe
18:12 balo aldaris: thanks for the clarifications about ldap sfo
18:37 pdurbin Ok, so I can download the community edition of OpenAM 10.0.0 from http://forgerock.org/openam-archive.html but it has two security advisories ("rated as Critical") listed at http://forgerock.org/security_advisory.html and if I want to use the community version of 10.0.1 to address these security advisories, I must build it myself. Is that correct?
18:38 MegaMatt That does seem to be the current state of things -- I think it's really best to wait for 11 on Friday (knock on wood)
18:39 MegaMatt Or wait
18:39 MegaMatt I think the enterprise page has 10.0.1
18:39 MegaMatt https://download.forgerock.com/#/openam
18:39 MegaMatt That has 10.0.1 if you want to just download it
18:40 aldaris "for development purposes"
18:40 MegaMatt *wink wink* *nod nod*
18:40 aldaris if you are just waiting for 11, then you can wait with the build for 11, and use the enterprise binary for PoC
18:40 pdurbin well, I would want the community version not the enterprise version since I would want to eventually use it in our open source application
18:41 aldaris so you could download the 10.0.1 for evaluation and compile 11 once out
18:41 aldaris that's what I wanted to say previously :D
18:41 MegaMatt Right, eval 10.0.1 binary, build 11 source code when it's released
18:42 pdurbin for some testing I would think 10.0.0 (security flaws and all) would be fine. the community version
19:12 aldaris heh, you would think that
19:12 aldaris only critical vulnerabilities are announced to the community, customers get notifications of non-critical bugs as well
19:12 aldaris so 11 will be the safest bet once out
19:15 pdurbin aldaris: I'll definitely look for it. thanks
19:18 b4ch joined #openam
19:19 b4ch Hi there,
19:19 b4ch got java.lang.NullPointerException on LDAP TCPNIOConnection.. connection to LDAP works fine. Anyone?
19:41 aldaris joined #openam
21:13 pdurbin hmm, I figured I'd try fedlet.war (the demo app). https://svn.forgerock.org/openam/tags/10.0.0-docs/products/federation/library/fedlet/README says "If this is the first time the page is accessed, it will show that the Fedlet home directory is not configured yet, and a link will be provided for you to create the configuration automatically."
21:14 pdurbin but instead at the "Validate Fedlet Setup" page I see "Fedlet configuration home directory does not exist. Please follow the README bundled inside your Fedlet-unconfigured.zip file to setup Fedlet configuration, then restart your web container."
21:14 pdurbin that is to say... a link does not seem to be provided to create the configuration
21:16 aldaris because it is an unconfigured fedlet
21:16 aldaris you can generate a configured fedlet on the AM console main screen
21:17 pdurbin but will the configured fedlet somehow depend on the AM instance I used to create it?
21:17 aldaris yeah, it will be bound to the OpenAM Hosted IdP
21:17 pdurbin hmm. ok. so maybe fedlets aren't for me. I'm not interested in running an IdP. Just an SP
21:18 aldaris seriously man
21:18 aldaris how long would it take to switch out the AM's IdP metadata to your external IdP?
21:18 pdurbin oh, I can do that? :)
21:18 aldaris (facepalm)
21:19 pdurbin :)
21:19 aldaris you could do that already with the unconfigured fedlet...
21:19 aldaris you just have to come up with the metadata and other config files
21:19 pdurbin ok. I'm not familiar with the config files but I believe you :)
21:21 pdurbin the fedlet readme leads me to think fedlets might be enough for my needs. it seems multiple IdPs are supported.
21:21 aldaris not too sure about that
21:21 aldaris I guess maybe that's possible, but not well tested
21:22 pdurbin hmm. well the readme says "5. How to enable Fedlet to support multiple Identity Providers"
21:22 aldaris roysjosh are you taking notes for Susan? :)
21:22 pdurbin roysjosh: hi!
21:23 aldaris pdurbin, yeah that's news for me then :)
21:23 pdurbin aldaris: are you advising me to not use fedlet? You were the one who mentioned fedlet a couple months back :)
21:23 aldaris but still, not the most tested feature if it works
21:23 aldaris well fedlet is a lightweight SP implementation and it looks like that's what you need
21:23 aldaris we have .net fedlet too :p
21:24 pdurbin yeah, I saw :)
21:24 aldaris and I have a github project which I don't progress at all and should be a SAML implementation when I actually get the time to do something about it :D
21:25 pdurbin aldaris: heh. this one? nice name: https://github.com/aldaris/shamble
21:25 aldaris busted :)
21:26 aldaris I'm still trying to get JAXB working and do XML validation as I would want it
21:26 aldaris so nowhere close to SAML spec :p
21:26 pdurbin the SAML spec has a roadmap just for reading the docs
21:27 aldaris but nowadays I'm looking into a much neater subject around cryptography for OpenAM
21:27 pdurbin http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.html#2.2.Documentation%20Roadmap%20|outline
21:27 aldaris that will be a nice blog post one time..
21:27 pdurbin cool. I like blog posts
21:27 aldaris pdurbin: have you thought about using apache in front of your Java EE apps and use Shibboleth SP?
21:28 pdurbin aldaris: a bit. why?
21:28 aldaris well that's also an option :p
21:28 pdurbin yeah, I have it listed as an option: https://docs.google.com/document/d/1y2axfd_ScmXVICFlV8AuPDdp5xHwTag54pUpVefzs5g/edit?usp=sharing
21:29 pdurbin hmm. I need to update that thing. I've actually made some more progress with OIOSAML
21:33 pdurbin well, I probably won't end up with fedlet as a solution anyway since I'm interested in oauth support from openam. so I'm sure I'll need to run more of openam than just fedlet for that
21:39 pdurbin aldaris: thanks for your help. I really appreciate it!
21:45 hos001 left #openam
22:22 SteveFerris joined #openam
22:23 SteveFerris i love torrent
22:23 SteveFerris download efficiency; we should push out open am on a magnet link
22:24 aldaris sounds good, though there are some networks filtering for p2p traffic
22:29 MegaMatt Bye Bye net neutrality.
