IRC log for #openam, 2014-12-19

All times shown according to UTC.

Time Nick Message
00:09 aldaris joined #openam
00:11 pcypher_ joined #openam
00:13 jjpp hi.
00:13 jjpp aldaris: no sleep tonight?
00:15 * jjpp thinks . o O ( and of course, i have questions.. :) has ldap auth module or rather the way it handles ldap changed between openam11 and openam12? and does it have timeout for (search) operations in openam11? )
00:23 aldaris hi
00:23 aldaris feel free to check it out :)
00:52 penk joined #openam
01:14 aldaris joined #openam
01:44 aldaris joined #openam
02:12 aldaris joined #openam
07:28 KermitTheFragger joined #openam
09:37 fatbloke joined #openam
09:39 aldaris joined #openam
09:45 fatbloke1 joined #openam
10:54 jjpp hi.
10:56 jjpp aldaris: yeah, I should check it out. but then again, you probably know from the top of your head, is there a limit on operations (I remember seeing some 10sec timeouts in openam logs? this was with sdk 2.6.4 but we are using 2.6.9 now)
10:56 aldaris not sure if you've seen the size of this release
10:56 aldaris I can't keep everything in my head any more :)
10:57 jjpp I haven't. yet.. this little fact.. do the ldap connections have some default timeout or not? :)
10:57 aldaris I know you want to look at the code :)
10:58 jjpp they do have connection timeout. and I should file RFE to somewhere so that they would emit at least a BIIG warning if getting connection from pool takes more time than the connection timeout (eg because all the connections in pool are in use)
10:58 jjpp and possibly fail, if the connection could not be given back during timeout
10:59 jjpp because.. at the moment.. when something blocks all connections in a pool, everything will just silently fail..
10:59 jjpp or.. rather silently hang
10:59 jjpp without no hint on what is happening
11:00 jjpp with no hint, that is
11:00 jjpp :)
11:00 jjpp (and this is probably something to implement on sdk-side, anyway)
11:02 jjpp but there is another thing that should be on openam-side. we had an incident yesterday where an user unknowingly killed our whole infrastructure..
11:02 aldaris nice
11:06 jjpp as far as i understand, what happened, is that he did mis-enter his email address with copyright mark instead of @.
11:06 jjpp and with all caps.
11:06 jjpp into ldap auth module
11:07 jjpp and something caused opendj to decide that the search for user entry (by two fields that might contain email address) would need to be nonindexed search.
11:07 jjpp over 3M records.
11:07 jjpp which took 2700+ seconds (until the nodes were restarted and connections terminated).
11:08 jjpp and there were 5 tries from both of our openam nodes. which is consistent with max 10 connections from ldap auth module (these 10 are divided by 2 for some reason, in openam11)
11:09 jjpp and.. for some reason that also did hang everything else. which could be because we have (soon to be read "had") 10 connections for config store as well and cts on same pool, so just 5 for "regular stuff"
11:10 jjpp then again, ldap module by itself does not use main datastore pool directly, at least not by direct calls, as far as I could see.
11:11 jjpp so.. it appears that there is a lot of room for improvement.
11:12 jjpp 1) by default connectionpools use directory admin user. which is understandable during install. but hard to reason for afterwards. opendj directory manager happens to have no query limitations vs "regular user" who have some 15sec or so defaults.. that was the first line of defence.
11:14 jjpp 2) openam at least used to have operation timeouts on ldap. yet these particular searches weren't aborted, as far as i could see. could be, that ldap auth module does not enforce that kind of timeouts... the second line of protection.
11:15 jjpp 3) i could not see anything about connectionpools being exhausted and/or users waiting too long for connections in logs. could be that I did not look well enough. that should be the third line.
11:16 jjpp (and of course, I should try to understand why the heck did opendj use unindexed search)
11:17 jjpp so.. there's my sad xmas story. i know that now I should go and read some code. and then write some nice rfes.
11:17 jjpp (we have a proverb here that shared trouble is half the trouble (and shared joy is double joy:), so.. I have halved my trouble and can get on to reading code now..:)
11:31 * jjpp thinks . o O ( afk for a while )
12:54 insanidade asyd: hi. just saw you left a message yesterday: "<asyd> insanidade: sounds like you confuse authentication and identity repository"
12:54 aldaris what happened in this room :D
12:54 insanidade I need to retrieve username/password data from a ldap server. wouldn't that ldap server be my identity repo ?
12:55 insanidade aldaris: more requirements from the customer ;_p
12:55 insanidade aldaris: I have openam doing its work smoothly here.
12:56 insanidade but a customer asked us to retrieve data from two different repos: a db and ldap so that data from both would be mixed up and transformed into the user that shall be authorized by the agent.
12:58 aldaris jjpp: the pools are halved in LDAP module, one half performs the administrative LDAP searches, the other pool performs the BINDs
13:00 insanidade asyd: ?
13:00 insanidade left #openam
13:00 insanidade joined #openam
13:01 aldaris jjpp: 1) directory manager also has the privilege for running unindexed searches and I think it has unlimited lookthrough limit
13:01 aldaris jjpp: 2) OPENAM-3353
13:02 aldaris insanidade this always saddens me
13:02 aldaris you could configure more than one data store, but that just has so many issues
13:05 insanidade aldaris: I thought about creating a chain. the first one would validate username/password against ldap and the second node in the chain would check my customized auth model.
13:05 insanidade by "the first one" I mean "the first node in the chain"
13:05 aldaris sounds like you confuse authentication and identity repository
13:05 aldaris that is a very fair and correct comment
13:05 insanidade oO
13:06 aldaris authentication is separate from user lookup
13:06 MegaMatt Doesn’t IDM reconcile datastores?
13:07 insanidade aldaris: ok, that absolutely makes sense, of course. my identity repo would be that ldap and I'd have to access it in order to check for the user/password provided by the user.
13:08 insanidade I have to configure my ldap to act as my identity repo. right ?
13:30 insanidade joined #openam
13:41 insanidade question: if I use a ldap server as my identity repo, is it read-only? Would the creation of a group in openAm also create a group in ldap (identity repo) ?
13:46 * jjpp thinks . o O ( back. )
13:49 jjpp aldaris: openam-3353: nice, one (more) point for 12. :)
13:52 jjpp aldaris: about 1) -- a while ago i tried to look for "securing openam" or "best practices of openam" guides. I found 2 or three (mostly copies of each other) and none of those had anything on ldap user for config store.. perhaps there is a reason to use admin user?
13:55 jjpp also, openam-3353 mentions openam "freezing". if ldap auth is the only thing that you do then even exhausted ldap search pool should not freeze everything else ..
13:55 aldaris there is no reason
13:55 jjpp even isAlive.jsp stopped responding.
13:56 aldaris and we even document the ACIs necessary to use non-admin users
13:56 jjpp hm, okay. then there probably ought to be a more clear reference and recommendation (especially because of this unlimited access part in opendj)
13:57 aldaris Bernhard's rule of thumb is that each component within openam should use a different user
13:57 aldaris so one for authentication, one for data store, one for policy
13:57 jjpp yeah, that sounds sensible. even if not comfortable. :)
13:57 aldaris that helps tracking down buggy components
13:58 jjpp yeah. modifiedBy: cn=Directory Admin is not that helpful >(
13:58 jjpp :)
13:58 aldaris combine that with monitoring cn=monitor on OpenDJ and you should have some pretty simple troubleshooting session
13:58 aldaris it's just a big PITA to set it all up :)
14:00 jjpp yeah.
14:01 aldaris but using non-admin users is always a good way to ensure that indexes are correctly set up
14:01 jjpp now I should somehow debug why the whole openam did freeze. and understand what caused the unindexed search.
14:02 aldaris time to upgrade
14:02 aldaris we already went through quite a few of these debug sessions
14:02 aldaris and openam-3353 was one of those findings
14:02 aldaris plus we upgraded DJ SDK a few times
14:02 aldaris 2.6.9 looks very stable thus far
14:03 aldaris insanidade: you can't add a group to OpenAM only, OpenAM will use the configured data stores to create the identities
14:03 aldaris so it will show up in ALL configured data stores
14:04 MegaMatt what if a configured datastore is read only?
14:04 aldaris read-only how?
14:05 jjpp well, we have 2.6.9 here at the moment.
14:05 aldaris if the configured admin user does not have write permission to the data, then most likely write operations will fail with IdRepoExceptions
14:05 insanidade aldaris: I understand an added group would be seen by all data stores, but would it be written to the ldap structure ?
14:05 jjpp and openam11 with our own patches.
14:05 aldaris @MegaMatt: on the other hand you can change the supported idtypes and operations on the data store page and remove the write operations
14:05 aldaris in that case AM will not attempt to perform those operations
14:06 jjpp but yes, time to upgrade. we just have to justify it to the client.
14:06 aldaris @insanidade where else would it be?
14:06 aldaris 11.0.2 is also good :)
14:06 jjpp also, it appears that the underlying opendj is EOSLd lately.. so.. time to upgrade there as well.
14:06 MegaMatt When is 12.0.1 coming out? ;) Jk
14:06 aldaris 11.0.3 is something for Q1, got a few issues we need to fix…
14:06 jjpp 11.0.2 has.. this license thing.
14:07 aldaris I'm sure people won't have to wait for 12.0.1 for too long
14:07 jjpp but this is obviously one thing on the table with the client.
14:07 insanidade aldaris: what if I must use a customer's ldap configuration and, for obvious reasons, I can't write to that ldap? All that I need from it is to map its users into openAm.
14:07 MegaMatt I’m pretty sure you can get a low level subscription pretty cheap
14:08 MegaMatt And that way you can ensure Aldaris sticks around ;)
14:08 jjpp MegaMatt: yeah, is there any page with rough estimates on prices_ >(
14:08 jjpp s/_ >(/? :)
14:08 aldaris no
14:08 MegaMatt I don’t think so
14:08 aldaris sales isn't really like that
14:08 MegaMatt Gotta work with a sales rep
14:08 aldaris they tend to look at deployments and requirements and which features are being used and stuff like that
14:09 jjpp hm yeah. probably. I remember it depends on size of userbase etc as well.. _
14:09 jjpp ?
14:09 aldaris don't ask us
14:09 aldaris we are just working on support/sustaining :)
14:09 MegaMatt ^ True story
14:10 jjpp heh :)
14:10 MegaMatt But we’d like to keep working, so yeah buying a subscription is in our best interests :D
14:11 jjpp then.. it is art of sales. could that art be influenced with promises of contribution? :)
14:11 MegaMatt Beats me, maybe?
14:11 aldaris you don't have to convince us
14:12 jjpp okay, it's worth a try then, at least. :)
14:12 aldaris we still have your contributions under review for 2+ years now
14:12 aldaris but happy to hear you still want to contribute
14:13 jjpp most of them have been incorporated (or replaced with some other improvement)
14:13 aldaris it took a while, but 12 has your syslog implementation :)
14:15 jjpp well, subscription would mean more intense involvement, probably. and while we are involved, there will probably be places and ways to contribute..
14:15 aldaris insanidade: then you set it up as a read-only ldap directory, nothing special
14:15 insanidade aldaris: you mean a read-only option in openam's side or ldap's ?
14:16 aldaris either way
14:16 aldaris just discussed that above with MegaMatt^^
14:16 insanidade aldaris: yeah, I got that :_)
14:16 insanidade thanks :_)
14:18 MegaMatt I would suggest not getting IdRepo Exceptions flooding your logs though ;)
14:20 insanidade I'll try with changing the idtypes in the data store page.
14:38 jibaro joined #openam
14:39 jibaro hi! any advice or recommendation to use captcha in openam's jsp login page ?
14:40 MegaMatt Why not make it an authentication module?
14:41 jibaro to work with a captcha system?
14:41 MegaMatt Yeah, like one step in your authentication chain would be the captcha
14:41 MegaMatt Or I guess put it on your jsp page, that works too
14:44 insanidade aldaris: when you meant "changing the idtypes", did you mean the Plug-in Configuration section in Access Control -> Data Stores -> my realm ?
14:44 jibaro would it be easier on openam 11 or 12? I mean authentication module solution
14:45 aldaris insanidade I think so, yes (haven't seen that screen for a while)
14:45 MegaMatt It would be the same
14:45 aldaris mostly :)
14:46 insanidade aldaris: ok. it might be there. that's the closest I could find to setting what a user could do against a given data store.
14:47 insanidade I'll have my development ldap instance configured as my identity repo and give it a try.
14:47 jibaro ok MegaMatt thanks!!
14:50 MegaMatt insanidade: I see the LDAPv3 Plug-in Supported Types and Operations when I create a new generic LDAP v3 datastore, so it’s probably inside the config too once created, yes
14:51 MegaMatt (And it is)
15:09 penk joined #openam
16:43 insanidade MegaMatt: sorry for the delay (lunch time here). thanks for the advice :_)
16:43 MegaMatt Where are you located?
16:44 insanidade MegaMatt: Brazil
16:44 MegaMatt I had a feeling, I think Brazil is one of the few places only an hour ahead of where I am...
16:44 insanidade it's 2:43 pm here. just returned from lunch.
16:44 MegaMatt Ah you’re more than an hour ahead then
16:46 insanidade we have daylight savings time. it should be 1:43 pm :_)
17:05 GLHMarmot joined #openam
17:25 pcypher joined #openam
18:28 aldaris joined #openam
19:04 penk_ joined #openam
19:06 GLHMarmo1 joined #openam
20:24 aldaris joined #openam
21:03 insanidade left #openam
21:03 insanidade joined #openam
21:05 insanidade hi all. I just developed a small prototype of a customized module authentication... it is correctly registered and I can choose it in openam's console. Despite username/password, I return ISAuthConstants.LOGIN_SUCCEED but auth always fail.
21:05 insanidade would anyone give me hints on what I might have to check either in portal or my code ?
21:05 insanidade portal = console
21:06 insanidade my code is correctly invoked. I can even debug it in eclipse.
21:06 aldaris what do you return in getprincipal?
21:09 insanidade aldaris: I return an instance of my principal implementation
21:10 insanidade aldaris: http://pastebin.com/4KUbapJg
21:13 aldaris your module probably throws an NPE
21:13 aldaris callbacks may be null
21:13 aldaris you should really look at the debug logs
21:14 insanidade any hints on how to make callbacks 'not null' ?
21:16 insanidade I could not find where/what I should edit in console (if necessary)
21:27 aldaris it will be null in certain cases, no matter what you do
21:29 insanidade uow
21:30 jjpp also, is the subject always there?
21:31 insanidade jjpp: I noticed that subject is never null - it is passed to my init method.
21:34 jjpp one can pass a null there as well, but probably you are right.
21:35 aldaris callbacks is null when AM tries the credentials from sharedstate btw
21:35 insanidade I compared my code to the example provided by openam's documentation.
21:35 insanidade isn't there anything I have to configure in the console?
21:40 jjpp well. before configuring anything you should try to understand why it fails.
21:41 jjpp debuglog (eg what happens after the last thing your module logs and before or at the point where failure is logged) might be a good start
21:42 jjpp and after figuring out the cause.. it usually is almost magically clear what you have to adjust. :)
21:43 insanidade jjpp: you mean regular log files ?
21:43 penk joined #openam
21:43 jjpp depends on what you call regular.
21:45 jjpp openam has two log mechanisms, iirc. debuglog (the one where your module logs) and auditlog (where most important events like lifecycle events of sessions and authentication etc go in specific format)
21:45 insanidade jjpp: so those are not regular logs I was talking about :_)
21:46 insanidade where do I find those logs you mentioned, jjpp ?
21:46 jjpp default place for debuglogs was under openam-base/openam/debug, iirc?
21:47 insanidade jjpp: I have that folder and a file inside but it doesn't seem to be updated when I try to log in or log out.
21:47 jjpp https://wikis.forgerock.org/confluence/display/openam/Collect+debug+log+files+from+OpenAM
21:48 jjpp perhaps you have to increase debug level then.
21:49 jjpp message is quite noisy but anything less is not enough most of the time.
21:52 insanidade jjpp: thanks. I'll check that.
21:52 jjpp np