IRC log for #openam, 2014-04-28

All times shown according to UTC.

Time Nick Message
05:58 pfreixes joined #openam
06:36 kala joined #openam
07:06 rghose joined #openam
07:06 rghose why do I get a "No configuration found" message for a realm?
07:13 rghose all the chains seem fine. Chains include the OATH module and Data Store module
07:13 asyd morning
07:13 rghose good morning
07:48 balo morning
07:49 balo will be an announcement today?
08:31 fatbloke joined #openam
09:08 aldaris joined #openam
10:03 aldaris joined #openam
10:09 rghose joined #openam
10:28 pdurbin oh yeah
10:28 aldaris indeed :)
10:33 aldaris the announcement will happen around 8-9 AM PST btw
10:44 balo that's like 6pm in here
10:44 balo oh, i hate time zones
10:44 aldaris join the club
10:45 aldaris in NZ actually that is going to be tomorrow 3-4 AM :)
10:46 balo poor guys
11:12 rghose just wondering, in case of TOTP module with Google Authenticator in OpenAM, time should be synched between the device and servers right?
11:13 aldaris yeah, it doesn't hurt
11:14 rghose @aldaris: could time skew be the reason TOTP would differ ?
11:14 aldaris there is a time window setting for the TOTP module
11:15 rghose TOTP Time Steps ?
11:15 aldaris yeah
11:15 aldaris that should mean that AM will try to calculate other TOTP codes in a given window and if it is within the window it will let you in
11:15 rghose so if I have 30 as Time Step interval and 2 minute skew
11:15 rghose I should make this to 4 maybe
11:16 rghose or 5
11:16 aldaris your choice
11:16 rghose ok
11:16 rghose this timewindows works for the past and future both?
11:17 rghose so for 2 minute skew should it be 4 or 8 ?
11:18 aldaris yepp, seems so
11:18 rghose hm how does the module compute the time?
11:18 rghose does it take the local time ?
11:19 aldaris yeah
11:20 rghose great it works now
11:20 rghose thanks :)
11:21 rghose @aldaris: there should be a setting for this probably
11:21 aldaris for what?
11:21 rghose for the time, say for people who are in different timezones
11:21 aldaris it's currentTimeInMillis
11:22 aldaris so since epoch
11:22 aldaris possibly the standard also says this
11:22 aldaris so don't worry about it
11:22 rghose hm, but that would depend on the TZ
11:22 rghose ok
11:23 aldaris "the difference, measured in milliseconds, between the current time and midnight, January 1, 1970 UTC."
11:24 rghose and current time would depend on the server's TZ configuration
11:24 rghose won't it?
11:25 aldaris http://stackoverflow.com/questions/17271039/does-system-currenttimemillis-return-utc-time
11:27 rghose aah, thanks :)
12:43 asyd joined #openam
12:46 rghose joined #openam
13:13 pfreixes joined #openam
15:04 aldaris and there you go
15:05 Topic for #openam is now Chat about the OpenAM project - https://backstage.forgerock.com/#/downloads - OpenAM 11.0.1 is out!!! - OpenAM 10.0.2 is out!!! Channel logs at: http://irclog.perlgeek.de/openam/today
15:10 MegaMatt joined #openam
15:42 jfroot joined #openam
16:02 fatbloke joined #openam
16:51 balo oh i read it on the mailing list. checking it now
16:51 aldaris security issues EVERYWHERE :)
16:51 aldaris well, not everywhere, but there are a few critical ones that everyone should really deploy
16:55 balo can i filter them somehow?
16:55 aldaris filter?
16:57 MegaMatt The ones listed in the security advisory are the filter you want, I think?
16:58 balo yes but i don't have a subscription and i can't open the advisory
17:01 aldaris well the only thing you can really do is download the patch and deploy it
17:02 MegaMatt Or build from trunk maybe?
17:03 aldaris nah, don't build from trunk
17:03 aldaris download the patch for 10.0.0 and then try to apply it to your code base
17:28 MegaMatt Balo, .. We're still open source, you still have access to the code ...
17:28 MegaMatt There are reasons why things are done the way they currently are… but I don’t think we can share the reasons ...
17:29 MegaMatt But you should be able to get the patches too - and view the source code
17:42 aldaris joined #openam
17:44 balo MegaMatt: i'm not sure i want to know the reasons. still won't justify it. except if you prevent some major catastrophe like an asteroid or global warming
17:45 MegaMatt :D maybe that is it.. but at least we are giving the patches to anyone who asks for them
17:47 pfreixes joined #openam
17:50 balo "who asks for them". i'm not an asshole or something, you "know" me from here. I can help where I can. But I think this is unacceptable and you shouldn't continue this behaviour. I suspect this is not your decision and you couldn't do much about it. You know the reasons, do you feel this right?
17:50 balo please just answer this
17:51 MegaMatt I think we’re trying to go about it in a reasonable manner, personally
17:51 MegaMatt We know that some people will get mad
17:52 balo Mad. Yeah, at least you get that part right.
17:52 MegaMatt .. Yeah.. But I still think we are trying to do the right things - for everyone
17:53 MegaMatt And, I’ll say this — everyone at FR is way more concerned about our customers than Oracle ever was, and we really do try to put them first - and not the $
17:53 MegaMatt And that’s a HUGE difference from working at Oracle
17:54 MegaMatt And “our customers” includes the community
17:54 balo It doesn't really *look* this way from my perspective.
17:56 MegaMatt I’m sure it doesn’t … But the feel inside the company is still that way.. (For now anyhow). I’m lowest man on the totem pole, so I’m probably last to find out if it changes,.. but everyone I know so far in the company is still very far from the Oracle way of business….
17:57 balo I believe you feel that in your workplace. I'm really glad that you're happy there. But that doesn't really do anything about this situation.
17:57 MegaMatt And there are reasonable justifications for the way we’re doing things..
17:59 MegaMatt Who knows if I’ve said more than I’m supposed to already - I’m not a PR guy or anything… But really, if you think about it.. we have to keep everyone’s interests in mind.. community, paid subscriptions, etc
18:02 balo Still looks sad. I mean you hurt yourself really. I will find an other solution to my problem. But you should disclose your reasons or change your ways. Because it looks very wrong. And it won't help you gain more clients.
18:02 balo Except ofc if you convince the managers with PR BS like... again, Oracle does
18:03 balo I understand. But you have to understand us, too.
18:03 MegaMatt I think that’s why we are trying to have a way for you to get the security updates.. rather than say “hey, pay for it” .. type of thing that oracle would probably do
18:09 aldaris joined #openam
18:10 balo btw I can't download the patch w/o sub
18:10 aldaris how come?
18:10 balo https://backstage.forgerock.com/#/downloads/patch/OpenAM
18:10 aldaris that's for customers only
18:11 aldaris if you are a community member, then you need to go to http://forgerock.org/security_advisory.html -> http://go.forgerock.com/2014OpenAM1101SecurityAlert.html
18:12 balo yeah i was at the sec. advisory page
18:13 balo but don't you think it's ridiculous to give my phone number, work email and phone number for the security patches? :D
18:14 balo if I am a possible attacker I could give a fake information
18:14 balo then I publish it. or just use that information.
18:14 balo same as public
18:15 balo it's just annoying as hell.
18:19 aldaris btw which version are you using nowadays?
18:21 balo I'm using 11.0.0
18:24 balo I was happy with it. Just configured the OAuth2 module. Works nice
18:27 aldaris to clarify: after filling out the form you'll only get the patches for the critical issues only (for 9.5.5 and 10.0.0), you still won't have access to the advisory
18:27 balo *sigh*
18:28 balo i shouldn't have waited for this announcement :D
18:28 balo i don't know if I should laugh or cry
18:44 balo i got another one: you sell the secrets instead of the knowledge. I think this should be the new slogan for FR :D
19:04 pfreixes upsss, I missed something important ?
19:07 aldaris pfreixes we were talking about https://lists.forgerock.org/pipermail/openam/2014-April/016930.html
19:07 balo pfreixes: nothing important, only security updates
19:10 pfreixes thks !
19:29 failshell joined #openam
19:32 failshell hey guys. im trying to configure 11.0.1. im on step 4, it's asking me for the Directory Name, and whatever i try to input there is refused. i tried my domain name (which is my base DN), tried my hostname, localhost, 127.0.0.1. what am i supposed to put there?
19:32 failshell with opendj as backend
19:32 aldaris step 4 is user store, right?
19:32 failshell yes
19:33 aldaris then where do you store your users?
19:33 failshell opendj
19:33 aldaris where does that listen?
19:33 failshell the first screen of step 4, i entered all my opendj info, and that was fine. then i went to the second step 4 screen, and it's asking me for the same information, but it won't work
19:33 failshell tcp/636
19:34 failshell 0.0.0.0
19:35 failshell most of the information was autocompleted by openam
19:35 failshell i only had to enter the password
19:35 balo can you bind your with user to <1024 port?
19:35 balo oh, again
19:36 balo *with your user
19:37 failshell opendj works
19:37 failshell it's openam that can't talk to it
19:37 aldaris and you ticked the SSL box
19:38 failshell when i run /opt/opendj/bin/status, it connects and fetches the information correctly
19:38 failshell yes
19:38 aldaris then it's a trust issue
19:38 failshell the first step 4 screen is fine, the second one not
19:38 aldaris you are using a selfsigned cert aren't you
19:38 failshell whatever is the default
19:38 aldaris so yes
19:39 failshell why does it work on the first step 4 screen and not the second step 4 screen if it's a trust issue?
19:39 failshell hmm why does it work on step 3 and not 4?
19:39 failshell it's the same server and credentials
19:39 aldaris did you configure the same server on step3?
19:40 failshell yes
19:40 failshell and it allowed me to move to step 4
19:40 aldaris and you explicitly selected external on step3?
19:40 failshell yes
19:41 failshell OpenDJ or Oracle Directory Server Enterprise Edition
19:41 aldaris then I don't know ;)
19:42 aldaris IMHO step3 should have equally failed for you
19:42 failshell when i try to do a default install, it fails because it tries to configure the port as -1
19:42 aldaris oh
19:42 aldaris let me guess
19:42 aldaris EC2
19:43 failshell im going to contact forgerock as we pay for support
19:43 failshell no
19:43 MegaMatt Turn off selinux
19:43 failshell no selinux
19:43 aldaris then incorrectly configured hosts file/DNS issue
19:43 failshell on a vm running RHEL
19:43 MegaMatt IPV6?
19:44 failshell no
19:44 aldaris well, feel free to open a support case, I'm sure MegaMatt will take good care of you :)
19:44 MegaMatt Are you directly connected to the openam machine via your browser? or is there some LB/Proxy in the way?
19:44 failshell directly connected
19:45 MegaMatt Then I’d guess maybe host file/dns like Peter said
19:46 aldaris I would guess you get port -1 as OpenAM tries to bind a socket on localhost but it fails to do so
19:47 aldaris make sure that your FQDN is in your hosts file and your hostname is defined in /etc/hosts
19:47 pfreixes joined #openam
19:48 MegaMatt I had one situation where somebody couldn’t get the gui to work, got the -1 ports.. but it was because they were connecting through a redirect… but they were able to get it working using ssoconfigurator on the machine...
19:48 MegaMatt And they weren’t using FQDNs at first, using FQDNs everywhere (even when using ssoconfigurator) worked out much better...
19:49 MegaMatt They also had some weird IPv6 stuff enabled which may or may not have gotten in the way, because of the way DNS was set up - from what I recall
19:50 MegaMatt But ultimately, it came down to making sure FQDN resolved correctly everywhere (/etc/hosts was updated and correct ips, no typos) … and then using ssoconfigurator because they weren’t accessing OpenAM directly
19:55 failshell i got the default config to install
19:55 failshell but with a custom config, im still stuck on step 4
19:56 MegaMatt What did you change to make the default install work?
19:56 failshell had to hardcode my url in /etc/hosts
19:57 MegaMatt Ok, yep.. So you’re now using fqdn?
19:58 failshell well the url is different than the machine name
19:58 failshell in any case, i have both in /etc/hosts
19:58 failshell pointing to 127.0.1.1
19:58 failshell but i dont want the default config, i want the external opendj :)
19:58 MegaMatt I've got 127.0.0.1 mac.example.com
19:59 MegaMatt Then I go to http://mac.example.com/openam
19:59 MegaMatt and can upgrade ok
19:59 MegaMatt But mine isn’t very custom.. just a basic install of 11
20:00 MegaMatt OpenDJ is on another machine?
20:00 failshell same machine
20:00 MegaMatt Ok
20:00 failshell Directory name is configured to localhost
20:01 failshell like on step 3
20:01 MegaMatt Try the fqdn
20:01 MegaMatt since that should now resolve
20:02 failshell nope
20:02 failshell could not connect to the server
20:02 failshell why 2 configuration screens for the same info by the way?
20:03 aldaris it doesn't have to be the same
20:03 aldaris the configuration can be stored separately from user data
20:06 failshell well i just dont get why with the FQDN it works on step 3 and not 4
20:06 failshell from the doc: When using this option you also need to make sure the trust store used by the JVM running OpenAM has the necessary certificates installed.
20:06 failshell how do i do that?
20:06 failshell for tomcat
20:07 aldaris you install the OpenDJ LDAPS connector's cert into the JVM's truststore
20:12 MegaMatt (I would have thought they were already installed in the JVM’s trust store if you’re doing an upgrade — but I haven’t tried that myself yet)
20:13 failshell fresh install
20:13 MegaMatt ohhh
20:14 MegaMatt I thought this was an upgrade.. ok, well .. yes,.. that would help then.
20:15 MegaMatt http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/admin-guide/index.html#openam-with-https-on-tomcat  … I think that's the bookmark I have
20:15 failshell tomcat's fine
20:15 failshell it's connecting to opendj that's not
20:15 failshell on step 4
20:17 MegaMatt When you use a self-signed certificate for your container, clients connecting must be able to trust the container certificate. Your browser makes this an easy, but manual process. For other client applications, you must import the certificate into the trust store used by the client. By default, Java applications can use the $JAVA_HOME/jre/lib/security/cacerts store. The default password is changeit.[10] The steps that follow demonstrate h
20:17 MegaMatt import a self-signed certificate into the Java cacerts store.
20:53 aldaris1 joined #openam
22:26 GLHMarmot joined #openam
22:32 aldaris joined #openam
23:28 aldaris joined #openam