Wednesday, 2011-03-30

« Tuesday, 2011-03-29 Index Thursday, 2011-03-31 »
*** nowen (~nowen@adsl-66-184-38.asm.bellsouth.net) has joined #wikid12:12
*** SEJeff (~jeff__@209.160.81.1) has joined #wikid15:35
SEJeffnowen, Hi :)15:35
nowenhi!15:35
SEJeffJust curious about the next release of wikid15:36
SEJeffthat uses derby instead of postgres15:36
SEJeffand does web api sync to support multi master15:36
SEJeffWe've deployed wikid and everyone seems to really like it15:37
nowentesting right now. not quite ready for public release, but getting there15:37
nowenI'm glad to hear it!15:37
SEJeffWe also replaced a couple of cisco vpn 3000 devices with a couple of small servers + the commercial openvpn variant15:37
SEJeffit is probably the best mix of 2fa + ssl vpn with openvpn + wikid together15:37
noweninteresting.  did that save money? I would have thought the ciscos were sunk costs?15:38
SEJeffWell those ciscos are way EOL15:38
nowenahh15:38
SEJeffand management told us to move to ssl vpn15:38
SEJeffSo we were looking at the new cisco stuff which is a mess, and then at juniper ssl vpn, which is crap15:38
SEJeffie: doesn't work on linux and only sort of works on os x15:38
SEJeffopenvpn just worked and the commercial version has a shiney webui to manage it all so our network / security team is happy. We're all really pleased with wikid15:39
nowenawesome15:39
SEJeffBut when we roll out the new version...15:39
SEJeffI would like some help in building a proper setup15:39
nowencertainly15:39
SEJeffWe were going to do Xen vms in a DMZ in 3 locations (2 in the US and one in Europe)15:40
nowenok15:40
SEJeffthen you mentioned a way to proxy requests back to IAS so that the Framed-IP-Address radius attribute works15:40
nowenhmm,  hoping i have the logs on that ...15:40
SEJeffso that the last 4 digits of a vpn users's ip == their voip extension15:40
SEJeffWell I'd like to put wikid in a DMZ15:41
SEJeffand also have it talk to IAS via radius. You mentioned that someone did it with Apache + mod_proxy15:41
nowensomeone didn't want wikid in the dmz so they put apache in the dmz and proxied the otps from there15:42
SEJeffAh, that actually sounds great15:42
nowenas for the Framed-IP-Address, I have to dig into that again15:43
SEJeffnowen, Well wikid can't do per-user arbitrary radius attributes15:54
SEJeffwe tried doing a group for a user, and assigning that attribute to the group15:54
SEJeffbut no matter how much I tried, it wouldn't work. I was even tcpdumping the radius call to try and compare against a working stream15:54
nowencan it be inserted by IAS after WiKID's ok?15:55
SEJeffYup15:55
SEJeffthats why the plan is to proxy through IAS with the upgrade15:55
nowenahh - ok15:55
SEJeffAlso, will there be an upgrade path of any sort, or do we need all new tokens issued?15:56
nowenit's a pretty drastic re-write, so new tokens will be needed15:56
SEJeffWe just finished rolling out wikid to 4 offices15:56
nowenit uses DNS instead of IP15:56
SEJeffin 3 continents15:56
SEJeffWhat do you mean by dns instead of ip15:56
SEJeffThe 0 padded ip address can be a dns entry now? That would be very nice15:57
nowenyes15:57
nowenso, the domain id can be:  anything@wikid.yourdomain.com15:57
SEJeffOh thats great16:00
SEJeffYou said that this version wont have an open source version, right?16:00
SEJeffNot that this matters to us, I'm just curious16:00
nowencorrect.  we will probably have 3 versions:  community, commercial and enterprise.  3x will become Commercial16:01
nowen4.x Enterprise16:01
nowenunless we can think of a better branding than "enterprise"16:02
SEJeffSure16:02
SEJeffcommercial pro ultimate edition16:02
SEJeffMore words must mean better16:02
nowenturbo maz16:02
nowenmax16:02
SEJeffha16:02
nowencloud16:02
SEJeffHonestly, opening a cloud 2fa service might not be a bad small side project16:02
nowenI think we will be partnering with someone on that soon16:03
SEJeffSure, thats a good idea16:03
SEJeffGet Amazon or Rackspace to use it16:03
nowenthough, I think we may also partner with some cloud services to make a cloud network client simple16:03
nowendo you use Qualys, for example?16:03
SEJeffNope16:04
SEJeffour company's vulnerability management is to hire former professional penetration testers as sysadmins16:04
nowenhehe, that's good.16:04
SEJeffYup16:05
SEJeffSo what would be the difference between commercial and enterprise turbo max?16:05
nowenanyway, we could do a qualys network client.  the wikid box is in your DC, you control access16:05
SEJeffYou're missing an upper case X16:05
SEJeffWould it be wikid branded, or Qualys branded?16:06
SEJeffLike how Dell oem's EMC san kit and sells it as their own16:06
nowenwikid, but Qualys currently pays for cloud 2FA from versign and some of their users want it in house16:08
SEJeffAh nice16:09
nowenwikidmaX has global load balancing via web services, a better UI, dns instead of ip, but otherwise, much of the same16:10
nowenradius, googlesso, etc16:10
SEJeffGotcha16:10
SEJeffI take it that would be much more expensive too16:11
SEJeffThe multimaster replication is really the killer feature for us16:11
nowenwe're looking at that right now16:11
SEJeffYou might consider rewriting the webui in python / django :)16:11
SEJeffhave it be a python api client16:11
SEJeffAnd jQuery, make it the pretty with jQuery16:12
nowenmy thinking is that we add a per server charge per year16:12
nowenhehe, it does use the GWT16:12
SEJeffDo you "own" wikid sys?16:12
SEJeffGWT is cheating16:12
nowen50%16:12
SEJeffAh ok16:12
nowenbut GWT does bring some security16:12
SEJeffSo you're a partner16:12
SEJeffis the other guy a developer?16:12
SEJeffguy/gal16:12
nowenyes, Eric and I co-founded16:12
nowenyes, CTO16:13
SEJeffgotcha16:13
SEJeffAnd I take it you're both in CO?16:14
nowenGa16:14
SEJeffNot sure where I got CO from16:14
nowenso, what would you pay for master-master replication? :)16:19
SEJeffI'm the tech monkey, so no clue there16:19
SEJeffHonestly we are the most interested in the ability to login to any specific wikid server16:19
SEJeffbut have the user token info on all of the servers16:19
nowenyes, that's the idea.  whatever server is fastest responds16:20
SEJeffSure16:20
SEJeffBut there is one thing I'd like (not sure if it is possible)16:20
nowenalso, every domain will be on every server - do you see that as an issue?16:20
SEJeffWe have users in LA, NYC, London, and Sydney Austrailia16:20
SEJeffWe have vpn concentrators near every office16:20
SEJeffin "serious business TM" datacenters16:21
SEJeffideally, a user could use their token to get an otp from the local (by region) wikid server16:21
SEJeffbut that the token could also be used to login to other region's wikid servers.16:21
SEJeffmake sense, or would you prefer me to mock up a diagram in inkscape real quick?16:22
nowenok - each user would typically get the OTP from the nearest WiKID server.16:22
SEJeffin a perfect world, yes16:22
nowenbut if that server went down, they would get one from the other16:23
nowens16:23
SEJeffNow if you use dns, we could use geoip based dns responses16:23
nowenIt shouldn't matter, but you guys are the speed freaks :)16:24
SEJeffHa16:24
SEJeffWell wikid is what we deem "enterprise" stuff16:24
SEJeffproduction and enterprise are totally separate16:24
SEJeffenterprise needs to be stable, production needs to be low latency16:24
noweninteresting16:25
SEJefflow latency stuff can be less stable so long as we have the work duplicated on >1 nodes16:27
*** finalbeta (~finalbeta@ip-81-11-184-161.dsl.scarlet.be) has joined #wikid18:47
*** Ken__ (a5bd4f37@gateway/web/freenode/ip.165.189.79.55) has joined #wikid19:30
Ken__Anyone here who would have a minute or two to T-shoot an issue with the ADRegister script?19:31
nowensure19:32
Ken__OK.   This is a new Install we are using as an eval.   I have made changes to the adregister scipt and when I browse to the scrip it prompt for username and password; however when attempting to auth i get an error that Authentication to the directory failed for user@mydomain.com.  I setup a logging filter on my firewall but never see any communicaitons to the LDAP server19:35
nowenhmm19:37
nowenhave you tried just 'user'?19:38
Ken__user@mydomain.com is just a place holder for a real username and domain19:39
nowenright, I'm just wondering if the domain part is needed19:39
Ken__Hmm I would not think so as that is specified in the scripts directoryDomainSuffix19:40
Ken__Nope as the error adds the domin suffix.  The login is user the error is user@mydomain.com19:41
nowenanything on the Event Viewer in AD?19:42
Ken__No.  But that's expected as the LDAP server is on the private network and the WiKID server is in the DMZ and I can monitor all communications between the two and there is 0 communiciton attempts19:45
nowencan you ping the AD server from the WiKID server?19:46
Ken__Yes19:46
nowenhmm19:49
nowenbooting up my AD vmware19:50
Ken__K19:58
nowenwant to install ldapsearch on the server to see if you can connect to your AD via the commandline?20:07
Ken__Going to have to wait.,  I have a meeting until 5.20:07
nowenok20:09
*** nprodromou (~nprodromo@dsl092-049-221.sfo4.dsl.speakeasy.net) has joined #wikid21:07
nprodromounowen:  How goes?21:07
nprodromoubusy?21:07
nowennprodromou: pretty busy.  what's up21:08
nprodromouI can circle back later21:08
nprodromoustill trying to make my wikid install work21:08
nowenrefresh my memory21:08
nprodromouI've got this wikid install21:09
nprodromouthat doesn't work.21:09
nprodromou:)21:09
nprodromouLet me pull it up21:09
nowenhehe21:09
nprodromouI think that when we were looking at it last, the problem appeared to be java based perhaps?21:09
nprodromouessentially wikid controls would say that it was starting, but nothing happened21:10
nprodromouwell21:10
nprodromoustuff happened21:10
nprodromoubut the web interface never came up21:10
nprodromouIs now actually a good time to check it out with you?21:11
nprodromouthat's why I asked the busy question first21:12
nowenis this an rpm install?21:12
nprodromouyes21:12
nprodromouit's hosted on a slice21:12
nprodromouso ISO install won't work21:13
nowenwhat does 'java -version' say?21:13
nprodromouthough it seems like you heavily favor the iso install, huh?21:13
nowenthe iso just avoids a lot of this because it has all the sw needed21:13
nprodromouhttp://privatepaste.com/820707de4721:13
nowenany error in /opt/WiKID/tomcat/logs/catalina.out?21:15
nprodromouhttp://privatepaste.com/419791593c21:18
nprodromouIs the answer here that I should host this myself and make my life easier?21:18
nowenis SELINUX disabled?21:18
nprodromouuh... dunno21:19
nowenrun getenforce21:20
nprodromouDisabled now21:20
nprodromouer21:20
nprodromouthat returned "Disabled"21:20
nowenOK21:20
nprodromougetenforce jsut tells me the status, huh?21:21
nowenis the database running?21:21
nowenyes21:21
nprodromoudunno21:21
nowentry running 'service postgresql status'21:21
nprodromoupostmaster (pid 16604 16600 16419 16418 16417 16415 16413 434) is running...21:22
nowenwhat does /usr/sbin/alternatives --config java show?21:26
nprodromouhttp://privatepaste.com/06302078cf21:27
nowencan you run:  keytool -list -v -keystore /opt/WiKID/private/intCAKeys.p12 -storetype pkcs12 -storepass yourpassphrase21:28
nprodromouuh21:29
nprodromoulike, I'm creating a key?21:29
nowenhave you created the wikid certs yet?21:29
nprodromoudon't they get manually created?21:29
nowenvia the web interface21:29
nowenhmm21:30
nprodromoucan't get to teh web interface yet21:30
nowenwhen you ran wikidctl setup did you get prompted to create an ssl cert?21:30
nprodromouyes21:30
nowendo you see the file /opt/WiKID/conf/tomcatKeystore ?21:32
nprodromou[root@wikid ~]# locate tomcatKeystore21:33
nprodromou/opt/WiKID/conf/tomcatKeystore21:33
nprodromouWe're talking about this at the office here21:34
nprodromouI can allocate hardware on site to make this work if I'd be better off installing from ISO21:34
nowenit's totally doable via rpm21:34
nowenthis is centos, right?21:34
nowencan you delete /opt/WiKID/conf/tomcatKeystore and then re-run setup?21:35
nprodromousure21:35
nprodromounope21:40
nprodromouwell, I mean, it's run21:40
nprodromoubut same thing21:40
nprodromouyou want to see catalina.out again?21:40
nowennot if it is the same21:41
nowenok21:42
nowenhost about posting your history?21:42
nprodromouhttp://privatepaste.com/d01ac149c321:42
nowendid you install the pre-regs?21:45
nowenyum install postgresql postgresql-libs postgresql-jdbc postgresql-server postgresql-pl compat-libstdc++-296 ntp system-config-date perl-libwww-perl21:45
nprodromouyep21:45
nowenI'm wondering about postgresql-jdbc21:45
nowenhmm21:45
nprodromouI think I sudoed it21:45
nprodromouOK21:46
nprodromouI'm loading from iso21:46
nowenok21:46
nprodromoutoo much screwing with this.21:46
nprodromou:)21:46
nprodromouand, from a security standpoint, I should probably host internally anyway21:47
nprodromouspecs...21:47
nowen1 gig of ram21:47
nprodromou4G of RAM is plenty for 25 users, right?21:47
nprodromougreat21:47
nowenoh yes21:47
nprodromouwell, I'll probably run clipperz or something on the same box21:47
nprodromouI need to use wikid to authenticate to a client password database...21:48
nprodromouso having a couple of GB extra there seems right to me.21:48
nprodromouokay, and the idea is that I'm goign to install from scratch using your iso, right?21:49
nowenyes,  when you get to the install prompts, type 'install' and it will install the wikid appliance21:50
nprodromoucool21:50
*** SEJeff has quit (Read error: Connection reset by peer)21:53
*** SEJeff (~jeff__@209.160.81.1) has joined #wikid21:53
nprodromouoh... one question about that21:53
nprodromouwhat's the unerlying OS on the appliance?21:53
nowencentos21:56
*** nprodromou has quit (Ping timeout: 240 seconds)21:58
nowenKen__: are you still here>22:25
nowen?22:25
nowenKen:  I have to go, but I have tested this on win2008 and it is working form me22:28
nowenI did use an IP address instead of a FQDN22:28
nowennot sure if it matters, just didn't have that server in dns22:29
*** nowen has parted #wikid (None)22:37
« Tuesday, 2011-03-29 Index Thursday, 2011-03-31 »

Generated by irclog2html.py 2.11.0 by Marius Gedminas - find it at mg.pov.lt!