You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@syncope.apache.org by Francesco Chicchiriccò <il...@apache.org> on 2017/06/07 08:30:37 UTC

Re: [IAM PoC] Starting with implementation

Hi all,
FYI this experiment was officially considered closed - see 
https://issues.apache.org/jira/browse/INFRA-10930

Regards.

On 13/01/2017 11:34, Francesco Chicchiriccò wrote:
> On 13/01/2017 10:30, Pierre Smits wrote:
>> Ok. Thanks.
>>
>> I guess one of the next steps will be to change the password of the 
>> admin userid to make it more secure.
>
> Definitely.
> Not an hard task, though:
>
> https://syncope.apache.org/docs/reference-guide.html#set-admin-credentials 
>
>
> Regards.
>
>> On Fri, Jan 13, 2017 at 9:26 AM, Francesco Chicchiriccò 
>> <ilgrosso@apache.org <ma...@apache.org>> wrote:
>>
>>     Hi all,
>>     I honestly do not see the point of putting any effort (yet) in
>>     puppetizing the configurations on syncope-vm2.
>>
>>     syncope-vm2 is the VM we are using to implement a PoC, not a
>>     production environment.
>>
>>     For example, I had to install the OpenLDAP packages to load the
>>     ASF Directory dump, in order to have a reference external resource
>>     for Syncope. I would not expect this in a production machine.
>>
>>     The work to be done there is currently about configuring Syncope
>>     (mainly via Admin UI) and possibly developing some extension
>>     classes, to be part of the sources hosted at
>>
>>     https://git-wip-us.apache.org/repos/asf/iampoc.git
>>     <https://git-wip-us.apache.org/repos/asf/iampoc.git>
>>
>>     with purpose of building a replacement for https://id.apache.org
>>
>>     I expect such work not to be completed anytime son, partly because
>>     it is inherently complex, partly because it is done in my own
>>     spare time.
>>
>>     I agree, indeed, that:
>>
>>     1. leaving all ports open to the wild is not good (especially
>>     because there is currently an OpenLDAP instance loaded with the
>>     dump from the official ASF Directory), so I have configured
>>     iptables to refuse connections on all ports but SSH (see
>>     /root/iptables.sh, currently saved via iptables-persistence to
>>     survive restarts)
>>
>>     At the moment I can easily work with SSH port forwarding; I expect
>>     to re-open the ports 80 and 443, to allow connections to
>>
>>     * http://idm-poc.apache.org/syncope
>>     <http://idm-poc.apache.org/syncope>, redirecting to
>>     https://idm-poc.apache.org/syncope
>>     <https://idm-poc.apache.org/syncope>
>>     * http://idm-poc.apache.org/syncope-console
>>     <http://idm-poc.apache.org/syncope-console>, redirecting to
>>     https://idm-poc.apache.org/syncope-console
>>     <https://idm-poc.apache.org/syncope-console>
>>     * http://idm-poc.apache.org/syncope-enduser
>>     <http://idm-poc.apache.org/syncope-enduser>, redirecting to
>>     https://idm-poc.apache.org/syncope-enduser
>>     <https://idm-poc.apache.org/syncope-enduser>
>>
>>     as already configured by Pierre.
>>
>>     Note: I don't see any reason to enable the Syncope Swagger
>>     extension, hence it is perfectly expected that
>>
>>     /syncope/swagger
>>
>>     returns nothing.
>>
>>     2. being the tomcat8 packages installed, there is almost no reason
>>     (but the unavailability of Tomcat 8.5 as deb package, but this is
>>     another story...) to use the manual Tomcat deployment under /opt,
>>     I will remove that soon
>>
>>     Regards.
>>
>>     On 12/01/2017 22:58, Pierre Smits wrote:
>>
>>         Tony,
>>
>>         Francesco didn't install the syncope wars in/on the puppet
>>         configured
>>         Tomcat, but did a new Tomcat installation in /opt.
>>
>>         So we need to figure out how to do that correction there, or
>>         redeploy
>>         syncope in the puppet controlled Tomcat.
>>
>>         On Thu, Jan 12, 2017 at 10:48 PM, Tony Stevenson
>>         <pctony@apache.org <ma...@apache.org>> wrote:
>>
>>                 On Jan 12, 2017, at 1:22 PM, Pierre Smits
>>                 <pierre.smits@gmail.com
>>                 <ma...@gmail.com>> wrote:
>>
>>                 Please do not use the syncope implementation via the
>>                 unencrypted tomcat port 8080/
>>
>>             Then configure tomcat to only listen on loopback, or only
>>             allow access
>>             from the local interface then.  Better yet change the
>>             firewall rules. Or do
>>             both. ;)
>>
>>             Assuming the VM is in puppet the firewall rules should be
>>             a few lines of
>>             config.
>>

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/