IRC log for #openam, 2016-02-29

All times shown according to UTC.

Time Nick Message
02:48 ilbot3 joined #openam
02:48 Topic for #openam is now Chat about the OpenAM project - https://backstage.forgerock.com/#/downloads - OpenAM 13.0.0 is out! OpenAM 12.0.2 is out! Channel logs at: http://irclog.perlgeek.de/openam/today
04:11 ramteid joined #openam
08:40 daveloper joined #openam
08:46 aldaris joined #openam
09:21 jjpp good morning.
09:22 jjpp aldaris: you once mentioned that openam11 has some caching-problem somewhere enar policy-engine, do you remember/can you refer to an issue?
09:22 aldaris Good morning
09:22 jjpp s/enar/near
09:22 aldaris there are lots of different caching problems
09:22 aldaris you need to be more specific
09:25 jjpp we have a webagent (or two) in sso-only mode. still, reading ldap access log i see that most of the requests are something related to entitlements
09:25 jjpp half of the queries are result=0;nentries=0;indexed;scope=wholeSubtree;filter="(&(|(sunxmlKeyValue=hostindex=://o=sunamhiddenrealmdelegationservicepermissions,ou=services,dc=opensso,dc=java,dc=net))(|(sunxmlKeyValue=pathparentindex=/sunEntitlementService/1.0/application/default/application)))";attrs="sunKeyValue,sunxmlKeyValue"
09:26 jjpp (output from ldap-log-summarizer)
09:26 aldaris that looks like a delegation problem
09:26 aldaris that's not necessarily a policy evaluation problem
09:27 jjpp hmhm. i could try to find the exact codepath that causes that request?
09:27 aldaris well that would be somewhere around PrivilegeIndexStore
09:27 aldaris on older versions the method is called dodssearch iirc
09:29 jjpp and most importantly -- is there a way to avoid those requests?
10:10 aldaris not sure if they can be avoided
10:10 aldaris it takes a while for the policy cache to get fully populated
10:10 aldaris and with delegation privileges I actually think that it is probably going to be difficult
10:14 jjpp hm. but.. in my case that specific query is not cached -- there were some 38M requests (like that, with different, longer paths etc) and of those 19M were this specific one?
10:15 aldaris are you using delegated privileges?
10:15 aldaris and do you know what operation results in such queries?
10:15 aldaris and do you know that 11 is slowly going EOSL?
10:16 jjpp no, i do not know of us using delegated privileges (and that is why the requests were a surprise and why i want to get rid of those).
10:17 aldaris note that you can have stale delegated permissions in your system
10:17 jjpp no, i do not know yet what causes them. it seems to be something related to entitlements and webagents. i understood on friday that agent asking for profile fields can cause those?
10:17 asyd    /S 45
10:17 aldaris the console only shows groups, so if a group that previously had delegated privileges associated is removed at a later time, the privileges remain in the system regardless
10:18 jjpp and yes i do know that 11 will go EOSL. i do hope that we can upgrade this year. but obviously it is beyond me to make sure it will happen. :(
10:37 aldaris joined #openam
10:39 aldaris so probably you should figure out first what results in these delegated privilege evaluations
10:39 aldaris there should be a cache for delegation privilege evaluation results theoretically..
10:46 jjpp ok. i'll try to find out the codepath and reach to meaningful questions or enlightenment from there. thanks for pointers. :)
13:47 aldaris any tips for blog posts?
13:47 aldaris cc @asyd :)
13:48 asyd hmmm
17:48 MegaMatt joined #openam
17:48 aldaris joined #openam
18:21 auke- joined #openam
18:26 aldaris joined #openam
18:55 aldaris joined #openam
19:02 daveloper joined #openam
19:14 aldaris1 joined #openam
21:46 MegaMatt joined #openam
22:28 MegaMatt joined #openam
22:29 raspbeguy joined #openam
22:39 raspbeguy joined #openam