*** manonst (~manonstre@su-nat.int.smq.datapipe.net) has joined #wikid | 13:22 | |
*** Ownage has quit (Ping timeout: 272 seconds) | 13:39 | |
*** Ownage (~yourmom@static-96-247-50-178.lsanca.fios.verizon.net) has joined #wikid | 13:40 | |
*** billb_ (41a01c42@gateway/web/freenode/ip.65.160.28.66) has joined #wikid | 16:40 | |
billb_ | Are you FIPS 140 compliant - we need this for government contracts | 16:41 |
*** nowen (~nowen@adsl-66-184-38.asm.bellsouth.net) has joined #wikid | 16:58 | |
*** billb_ has quit (Quit: Page closed) | 17:44 | |
*** SEJeff (~jeff__@209.160.81.1) has joined #wikid | 18:38 | |
SEJeff | So any update on the next version of the wikid server? | 18:38 |
SEJeff | The one that will do web sync and allow multimaster? | 18:38 |
nowen | SEJeff: hello | 18:38 |
SEJeff | nowen, Morning :D | 18:38 |
nowen | hehe | 18:39 |
nowen | I am supposed to see a version this week or early next week | 18:39 |
nowen | which could be very close to beta | 18:39 |
SEJeff | Awesome! | 18:39 |
SEJeff | nowen, Is there any chance I could ask your engineers to build in a really nice feature? | 18:39 |
nowen | there certainly is | 18:40 |
SEJeff | The feature that AD does natively by setting the static ip of a user | 18:40 |
SEJeff | and the vpn concentrator hands that ip to the user. We use it to set the last 4 digits of the ip address to the extension of the user's voip phone | 18:40 |
SEJeff | So it is really easy to get ahold of someone if they are doing something stupid over our vpn | 18:40 |
nowen | can AD do that anyway via radius? | 18:41 |
SEJeff | Well you set a field in AD | 18:41 |
SEJeff | and the radius server hands that to the vpn concentrator | 18:41 |
SEJeff | and gives them that ip | 18:41 |
SEJeff | nowen, The radius attribute name is: Framed-IP-Address | 18:42 |
SEJeff | But we're unable to get it to work by manually setting it in wikid | 18:42 |
nowen | hmm | 18:42 |
nowen | are you running the auth through AD via nps or ias? | 18:42 |
SEJeff | With wikid, we aren't | 18:42 |
SEJeff | but we set the attribute on the user | 18:42 |
SEJeff | in wikid | 18:42 |
SEJeff | no love | 18:42 |
nowen | yeah, it seems that the finest tuned we are is group or network client | 18:43 |
SEJeff | Right | 18:43 |
SEJeff | Oh well heh. I tried to hack around it by creating a group for 1 user and assigning that attribute to it | 18:44 |
nowen | but if you ran the auths through AD, I think it could be done that way | 18:44 |
nowen | and that didn't work? | 18:44 |
SEJeff | No we have the wikid server in a DMZ | 18:44 |
SEJeff | Doesn't talk to AD at all | 18:44 |
SEJeff | completely separate | 18:44 |
nowen | fyi, we have a company that has their WiKID server inside and has an apache server in the dmz, forwarding requests to WiKID | 18:45 |
SEJeff | That's not a bad idea | 18:45 |
SEJeff | apache's mod_proxy | 18:45 |
SEJeff | but our management wants wikid in the DMZ | 18:45 |
SEJeff | completely separate | 18:45 |
nowen | doing a per-user radius attribute a la AD makes me a bit uncomfortable | 18:47 |
SEJeff | What exactly do you mean? | 18:47 |
nowen | well, we have per network client and per-group. | 18:47 |
SEJeff | So when we add a user to vpn access group (non-wikid vpn), the desktop support guys right click on a user in AD via the windows stuff | 18:48 |
nowen | doing per user means another interface and more complexity | 18:48 |
SEJeff | check the box for static ip, then type it in | 18:48 |
SEJeff | nowen, That would just be a very nice feature | 18:48 |
nowen | right, but how do we do that in wikid? | 18:48 |
SEJeff | per-user radius attributes | 18:48 |
nowen | yeah. | 18:49 |
SEJeff | and the Framed-IP-Address attribute :) | 18:49 |
SEJeff | With a fancy UI on top of it | 18:49 |
nowen | which means a new UI for users | 18:49 |
nowen | hehe | 18:49 |
nowen | yea | 18:49 |
SEJeff | I do a good bit of django web development for internal tools | 18:49 |
nowen | and more QA etc, etc | 18:49 |
SEJeff | Can't speak for jsp, but for django, this would be sooo easy | 18:49 |
nowen | development is just one part of it... ;) | 18:49 |
SEJeff | indeed | 18:50 |
SEJeff | unit tests | 18:50 |
SEJeff | and ponies | 18:50 |
SEJeff | nowen, But basically, it would be really nice for us to set the static IP for each user | 18:51 |
SEJeff | we can't with wikid now | 18:52 |
nowen | i hear you. | 18:52 |
SEJeff | That is the only regression when moving to wikid | 18:52 |
SEJeff | and our desktop support team is none too pleased with it | 18:52 |
SEJeff | ditto for our neteng team | 18:52 |
nowen | but you could, if you ran the auth through AD ;) | 18:52 |
SEJeff | nowen, Any chance you could put docs on the suggested way to proxy wikid with apache? | 18:53 |
nowen | sure | 18:53 |
SEJeff | I'll show it to management and see what they think | 18:53 |
nowen | ok | 18:54 |
SEJeff | And can you explain that architecture to me? | 18:59 |
SEJeff | How wikid is proxied by apache to AD | 18:59 |
SEJeff | We're trying to minimize our attack vectors as much as possible | 18:59 |
nowen | sure | 19:18 |
nowen | although now I have to think about it | 19:20 |
nowen | on our web server, we also run a WiKID server | 19:20 |
nowen | we put wikid on a different port | 19:20 |
nowen | then we use mod_rewrite: | 19:20 |
nowen | RewriteRule ^/wikid/(.*) http://localhost:8090/wikid/$1 [P] | 19:20 |
nowen | but for a different box, you would want to use proxy | 19:21 |
nowen | I remember now who did it. just emailed them for the details | 19:24 |
nowen | ok - gotta go to microcenter to pick up a bunch of computer parts :-) | 20:12 |
nowen | be back in a bit | 20:12 |
*** nowen has quit (Quit: Leaving.) | 20:12 | |
*** Ownage has quit (Ping timeout: 240 seconds) | 20:25 | |
*** nowen (~nowen@adsl-66-184-38.asm.bellsouth.net) has joined #wikid | 21:25 | |