IRC log for #openam, 2014-07-09

All times shown according to UTC.

Time Nick Message
00:26 em-dash joined #openam
04:53 aldaris joined #openam
05:43 aldaris1 joined #openam
06:32 rghose1 joined #openam
06:55 pfreixes joined #openam
08:03 rghose1 how can I change the agent password from the OpenSSOAgentBootstrap.properties file?
08:07 rghose1 unlike in the older versions of the conf in opensso, this file contains 2 values, one is a password and the other is a key
09:21 jamiebowen joined #openam
09:29 tsmalmbe joined #openam
09:45 jamiebowen joined #openam
10:17 aldaris joined #openam
10:36 jamiebowen joined #openam
10:46 rghose1 how do I make the amadmin user login to only the admin chain ? Sometimes, I see amadmin is being authenticated by the default chain
10:46 rghose1 as of now, I have to provide this : "?service=adminconsoleservice" in the url
10:46 rghose1 for this to work
10:47 rghose1 won't openam recognize amadmin logins and use appropriate chain ?
10:51 aldaris you should use the admin endpoint then: /openam/console
11:02 MegaMatt joined #openam
11:32 MegaMatt joined #openam
11:43 jamiebowen joined #openam
11:45 jamiebowen joined #openam
11:57 fatbloke joined #openam
11:58 aldaris joined #openam
12:26 mkulke joined #openam
12:44 jamiebowen joined #openam
13:09 em-dash joined #openam
13:30 pfreixes joined #openam
14:12 ilbot3 joined #openam
14:12 Topic for #openam is now Chat about the OpenAM project - https://backstage.forgerock.com/#/downloads - OpenAM 11.0.1 is out!!! - OpenAM 10.0.2 is out!!! Channel logs at: http://irclog.perlgeek.de/openam/today
14:31 jamiebowen joined #openam
14:53 jamiebowen joined #openam
16:03 jamiebowen joined #openam
16:03 aldaris joined #openam
16:39 aldaris joined #openam
16:55 rghose1 joined #openam
17:14 pfreixes joined #openam
17:17 rghose1 joined #openam
18:16 em-dash joined #openam
18:18 em-dash I’m trying to install openam for evaluation. I’m running into an error while running the configurator: “Entry ou=dashboardService,ou=services,dc=openam violates the Directory Server schema configuration because it does not include a structural objectclass.”
18:19 em-dash same error whether I run the configurator from the command line (java -jar /opt/openam/configurator.jar /opt/openam/configuration.properties) or from the web interface.
18:19 aldaris is this with embedded configstore?
18:19 em-dash yes
18:21 em-dash the top-level error appears to be: “Registering service dashboardService.xmlAMSetupServlet.processRequest: errorSMSException Exception Code:3”
18:24 MegaMatt Are you installing OpenAM 11???
18:28 em-dash yes
18:28 em-dash it may be pertinent that I’m trying to run the configurator on a separate host from the openam server. is that possible/supported?
18:29 MegaMatt Well, you said you have a problem from the web browser gui? Are you going to a FQDN name in the browser?
18:30 MegaMatt I would just open a browser and point it to your.openam.example.com:8080/openam/
18:30 MegaMatt And then run through the configurator that way
18:30 MegaMatt Should work fine as long as the container has enough heap in the JVM
18:30 em-dash yeah, I did that (again, from a separate host than the openam server). that ended with the same error in the install.log
18:31 MegaMatt Different host shouldn’t matter via the web gui….
18:32 em-dash as I’m doing an evaluation, I don’t have DNS in place, so I placed the intended FQDN in my /etc/hosts file (of the machine with the web browser, not the openam server)
18:32 MegaMatt Hmmmm.. I can’t recall if you need to do it on both
18:33 MegaMatt I think you do
18:33 MegaMatt try adding it’s FQDN in the /etc/hosts of the openam machine as well
18:34 em-dash in general, how can I configure the openam server to have a separate internal name (for use between openam servers) from its external name (will eventually be a load balancer, in my deployment)?
18:35 MegaMatt I think you’re asking about realms,…
18:35 MegaMatt http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/admin-guide/index/chap-realms.html
18:35 em-dash MegaMatt: also, my configurator.properties file currently has SERVER_URL=http://10.0.0.1:8080
18:35 MegaMatt Don’t use IPs, use DNS names ...
18:36 em-dash MUST use DNS names, or SHOULD?
18:36 MegaMatt you should always use DNS names if you can, cookies don’t like IP addresses for example
18:37 MegaMatt Really, if you follow the installation guide, word for word - you shouldn’t have any problem installing
18:37 em-dash the docs are extremely unclear to me about which configuration values are used to determine how clients will be informed, and which will be used to determine how openam replicas will address each other
18:38 em-dash MegaMatt: well, I’m trying to install the whole shebang into docker containers, so the guide doesn’t fit my scenario. I have to adapt it
18:39 MegaMatt The docs are pretty clear, … I think you mean when they are talking for session failover?
18:39 MegaMatt Because otherwise, it should be sticky LB'd
18:39 em-dash OK, that makes sense
18:39 MegaMatt Session failover is here: http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/install-guide/index/chap-session-failover.html
18:40 MegaMatt Which has a link to site load balancing
18:40 MegaMatt http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/install-guide/index/chap-install-multiple.html#configure-site-load-balancing
18:41 MegaMatt So I guess really you were talking about sites, not realms.. sorry :)
18:41 em-dash does SERVER_URL need to be a canonical name (e.g., FQDN) that both clients and other openam servers will see consistently, or can I use an internal name there (specifically, EC2 DNS names)?
18:42 MegaMatt SERVER_URL for configurator.jar is your container URL.. you’re going to want a FQDN
18:43 MegaMatt imo, don’t use the configurator.jar first
18:43 em-dash hmm, is it possible to do this without using an FQDN?
18:43 MegaMatt Install with the gui
18:43 MegaMatt and then look at the files
18:43 MegaMatt then understand it, then move to configurator after
18:43 em-dash MegaMatt: as I mentioned, I hit the same error with the GUI (the structural objectclass error I mentioned earlier)
18:43 MegaMatt You’re going to want FQDNs in /etc/hosts at first
18:44 MegaMatt s/at first/ .
18:44 em-dash ok
18:44 MegaMatt it needs a full host/domain name … you’re dealing with sessions and cookies here...
18:46 em-dash hmm, seems like cookies should be covered by COOKIE_DOMAIN. SERVER_URL seems like it should be a completely separate issue
18:48 em-dash I’m not clear how sessions interact with the SERVER_URL, but that also seems like a distinct issue
18:49 MegaMatt Ok, so try this: Edit your /etc/hosts on your OpenAM machine and put in a FQDN like openam.example.com to 127.0.0.1
18:49 MegaMatt connect to http://openam.example.com/openam
18:50 MegaMatt (or whatever you’re deploying it as)
18:50 MegaMatt which means on your browser machine, you need openam.example.com pointing to whatever IP you have for that openAM machine
18:50 MegaMatt Go through the GUI config screens
18:50 MegaMatt see if it installs ;)
18:50 em-dash yeah, ok. I’ll give it a go
18:50 MegaMatt I’ve done this myself using OpenAM 11 - and had no problem :)
18:51 em-dash were you doing this on EC2 by any chance?
18:51 em-dash there’s a whole public/private IP & DNS dance on EC2. that is where I’m struggling
18:53 MegaMatt I have done it on EC2 - but there I just used a local browser to make it easier
18:53 MegaMatt just used an SSH tunnel
18:53 MegaMatt and used firefox on the EC2 machine
18:53 MegaMatt the thing that killed me on EC2 was the freaking selinux being on by default
19:00 em-dash MegaMatt: when configuring the OpenAM deploy on EC2, did you set up replication, or just a single server?
19:01 MegaMatt I believe I set up session failover, but it was on 10.1 iirc .. no CTS
19:02 MegaMatt And I didn’t have a load balancer, it was just a simple session failover where I logged into one server, brought it down and checked that my session continued on the other server
19:02 em-dash is session failover completely separate from configuration data store replication? or does replication need to be working in order to support SFO?
19:03 MegaMatt SFO in 11.0 uses the Core Token Service
19:03 MegaMatt Which is based on site configuration, iirc
19:04 em-dash site configuration == configuration data store replication?
19:05 MegaMatt Again, I’d have to look at the docs, but .. I think CTS does replication .. and it’s not the same as the configuration data store…. which you can also replicate.. but I’m not entirely sure if that’s accurate…
19:06 MegaMatt It doesn’t much matter, when you set up the site, it configures all the goodies for you
19:06 MegaMatt It may replicate everything
19:06 MegaMatt It probably does now that I’m thinking about it
19:07 MegaMatt ah yeah, look at the docs
19:07 MegaMatt there’s a figure in there
19:07 MegaMatt Although I think that figure isn’t the best
19:07 MegaMatt I think recently somebody filed a doc bug on that one
19:07 MegaMatt let me see if I can find that
19:10 aldaris joined #openam
19:12 em-dash MegaMatt: the docs are pretty big… got a URL for this figure?
19:13 MegaMatt http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/install-guide/index/chap-session-failover.html#figure-global-cts
19:14 em-dash hmm, that’s kinda handy
19:14 em-dash definitely looks like it’s all replicated through the directory server, whether embedded or external
19:15 MegaMatt read the site document that’s linked in there too
19:18 em-dash MegaMatt: thanks a lot for your help! I’m going to step away for lunch, but I really appreciate your time
19:18 MegaMatt np, gl
19:18 em-dash I’m going to get this thing licked :D
19:39 aldaris joined #openam
20:06 aldaris joined #openam
20:10 em-dash joined #openam
20:42 em-dash joined #openam
21:01 aldaris joined #openam
21:19 em-dash joined #openam
21:43 aldaris joined #openam
22:03 em-dash joined #openam
22:22 em-dash curses. If I have deployed OpenAM as an exploded WAR file into a Tomcat7 webapps directory, what is an appropriate value for BASE_DIR in the config file?
22:23 aldaris the BASE_DIR shouldn't point to Tomcat's deployment directory (webapps)!
22:23 em-dash should it be the $TOMCAT_HOME/webapps/openam directory?
22:23 em-dash then where?
22:23 aldaris anywhere you fancy having a bunch of files for OpenAM
22:24 em-dash does the configuration file need to know anything about the openam deployed WAR directory?
22:24 aldaris it figures itself out during the installation, don't worry about it
22:25 em-dash I’m stuck on a failure during the configuration phase, and I’m trying to figure out what I’m doing wrong.
22:25 em-dash it occurred to me that the BASE_DIR might need to point to the tomcat deployment directory, but I guess that’s not it
22:26 aldaris that I don't know, and unfortunately it is difficult to get more debug output for the problem
22:36 aldaris joined #openam
22:42 em-dash aldaris: do you have any insight into what is being referred to in the line: “Registering service dashboardService.xml” (ie., what is dashboardService.xml)?
22:45 aldaris it's just a service XML that should be loaded into the configuration store
22:47 em-dash any chance you have any guesses about possible causes that could make loading it fail?
22:49 em-dash the backtrace I’m seeing in `install.log` references an HTTP client connection failure
22:49 em-dash er, that’s a red herring
22:51 em-dash the exception is a com.sun.identity.shared.ldap.LDAPException error: “Entry ou=dashboardService,ou=services,dc=example,dc=com violates the Directory Server schema configuration because it does not include a structural objectclass. All entries must contain a structural objectclass”
22:51 aldaris1 joined #openam
22:54 em-dash the exception I’m seeing is a com.sun.identity.shared.ldap.LDAPException error: “Entry ou=dashboardService,ou=services,dc=example,dc=com violates the Directory Server schema configuration because it does not include a structural objectclass. All entries must contain a structural objectclass”
22:55 em-dash but I’m not able to Google any info about that exception
22:55 em-dash (any useful info)
23:01 aldaris1 well
23:01 aldaris1 the problem is that it is really difficult to determine what goes wrong without attaching a debugger
23:02 aldaris AM connects to the DJ internally, hence you probably cannot even capture the network traffic to see how is the entry actually created
23:05 em-dash joined #openam
23:33 em-dash joined #openam