*** nowen (~nowen@50-194-249-125-static.hfc.comcastbusiness.net) has joined #wikid | 12:14 |
*** bdashrad has quit (Quit: leaving) | 16:55 |
*** bdashrad (~bdashrad@ocean.bdashrad.com) has joined #wikid | 16:56 |
bdashrad | Hi. We currently run wikid for two factor auth, and recently had a problem where we couldn't reach our wikid server. Are there options for high availability? | 18:00 |
nowen | bdashrad: | 18:18 |
nowen | hi | 18:18 |
bdashrad | nevermind, i was able to find this: http://www.wikidsystems.com/support/wikid-support-center/installation-how-tos/how-to-configure-wikid-for-replication | 18:18 |
nowen | what do you mean you can't reach your server? | 18:18 |
bdashrad | which i think will do what we want | 18:18 |
bdashrad | there was an amazon ec2 outage | 18:18 |
nowen | ahh | 18:18 |
bdashrad | so we couldn't generate passcodes | 18:19 |
bdashrad | and we use wikid for ssh authentication to our hosts | 18:19 |
bdashrad | but i think the replication will do what we need. | 18:19 |
bdashrad | do you need to change dns to point to the secondary when you fail over? | 18:20 |
nowen | yes. it is a manual failover. it can be scripted | 18:20 |
nowen | we are working on a version that will have real-time replication | 18:21 |
nowen | you in us-east? | 18:23 |
bdashrad | well | 18:23 |
bdashrad | we have stuff in every region | 18:23 |
bdashrad | but our wikid server is in us-east-1 | 18:23 |
nowen | if you're interested in real-time replication and would be willing to beta test the new server, let me know | 18:26 |
bdashrad | i'll discuss it with my team. | 18:28 |
bdashrad | So manual replication means we have to run the sync every time we add a user? | 18:28 |
nowen | no - it automatically syncs - you have to promote the replicant to master to get it to serve OTPs | 18:28 |
nowen | replication is automatic, failover is not | 18:29 |
bdashrad | ahhh, i got it. | 18:29 |
nowen | so, on ec2, you could just change the virtual IP. | 18:29 |
nowen | can you do that across data centers? | 18:29 |
bdashrad | i don't think you can use the same elastic ip in different regions | 18:30 |
bdashrad | but you can use the elastic load balancer | 18:30 |
bdashrad | could you get me some more information about the real-time replication? | 18:31 |
nowen | working on the docs right now. | 18:32 |
bdashrad | cool. i'll ping you back in here and let you know once i've talked to the rest of the team. | 18:32 |
nowen | the new version is pretty much a re-write. We do real-time replication of everything and use DNS instead of IP addresses | 18:32 |
bdashrad | that would definitely be beneficial. | 18:33 |
nowen | but - downside - new tokens. need to re-register | 18:34 |
bdashrad | ok, good to know. | 18:35 |
nowen | do you have a lot of users? | 18:35 |
bdashrad | do you need to do anything with the clients when you do a failover in the current state? | 18:35 |
nowen | no - they will go to the IP address and if the secondary is promoted, they will get the response | 18:36 |
bdashrad | i think well over 100 | 18:36 |
nowen | mostly PC or smart phone or both? | 18:37 |
bdashrad | i'd say mostly smart phone | 18:37 |
bdashrad | maybe 60/40 | 18:37 |
bdashrad | maybe not, my team is almost all PC, but i know a lot of the other teams use the iphone and android apps | 18:38 |
bdashrad | i'm sure i could find out | 18:38 |
bdashrad | actually. i'd say it's almost all smart phone, since our setup instructions say to use the mobile app ;) | 18:39 |
nowen | just ruminating on what the upgrade path might be | 18:39 |
nowen | you should be able to see on the Users page | 18:39 |
bdashrad | i don't have the login right now, i was just asked to do the research. I'm trying to find out now | 18:40 |
bdashrad | we have between 200-300 users... mostly PC. | 18:41 |
bdashrad | either using the java client or python client | 18:42 |
bdashrad | but we're seeing more and more smartphone lately. | 18:42 |
nowen | the python client? | 18:43 |
bdashrad | unofficial. i'm just parroting back info. | 18:43 |
bdashrad | umm, hang on. | 18:43 |
bdashrad | https://code.google.com/p/pywikid/ | 18:44 |
nowen | there is a python client | 18:44 |
nowen | yeah, that's the one | 18:44 |
nowen | that is interesting! | 18:44 |
bdashrad | we have some very technical users, and some very non-technical users | 18:44 |
bdashrad | deploying new tokens may be a challenge for us | 18:48 |
nowen | yeah | 18:48 |
nowen | we could throw in a license for the old server and you can migrate at your own pace | 18:49 |
bdashrad | that would be super helpful. | 18:49 |
nowen | there would be management costs, but hopefully, they aren't too bad | 18:49 |
bdashrad | yeah, that would probably be the hardest part. lots of ops tickets. | 18:50 |
nowen | we are also thinking about adding an AD/LDAP password reset capability | 18:50 |
bdashrad | we don't currently use wikid with any of our ldap stuff, but it sounds interesting as well | 18:51 |
nowen | just trying to sell more seats by saving companies more money ;-) | 18:52 |
bdashrad | definitely. we could have used that at my last place | 18:53 |
bdashrad | instead they had secureauth for 2FA and manage engine adselfserve plus for password resets | 18:54 |
nowen | I do wonder if a lot of places have something for resets and don't care | 18:55 |
bdashrad | we had it because we had 550 remote users and too many helpdesk tickets | 18:56 |
nowen | ouch | 18:56 |
bdashrad | plus they had to answer security questions which helped us meet pci compliance for verifying identity for password resets | 18:56 |
nowen | god I hate those questions | 18:56 |
bdashrad | yeah. pci is not fun. | 18:58 |
nowen | ok - got to run - daughter's volleyball game | 19:27 |
*** nowen has quit (Quit: Leaving.) | 19:28 |
Generated by irclog2html.py 2.11.0 by Marius Gedminas - find it at mg.pov.lt!