[IAM PoC] Starting with implementation

[IAM PoC] Starting with implementation

ilgrosso
Administrator
Hi all,
we now have our GIT repository at

https://git-wip-us.apache.org/repos/asf/iampoc.git

which is also mirrored, as usual, to GitHub.

As you can see, I have made an initial commit featuring an empty default
Syncope 2.0.0-SNAPSHOT setup.

Now, waiting for the VM to be available (see INFRA-10931), we can start
defining what is actually going to be part of this PoC, and how we are
going to implement the related features.

From the list shown by Tony in [1], I'd start with first item, e.g.
"https://id.apache.org (The end-user part of it)".

Here are some questions:

  1. does the current app exclusively manage data from LDAP?
  2. if so, could you provide some details:
     a. LDAP architecture (replicas, load-balancing, ..)
     b. which LDAP server implementation? OpenLDAP?
     c. which object classes are in use? baseDN(s)?
     d. which processes / tools are reading from LDAP? which are writing?
     e. is there any test LDAP instance available? if not, is it
possible to pre-load some data from the production instances in order to
build a test instance in our development VM?

Please add questions if you see something missing.

Regards.

[1] http://markmail.org/message/utlcjkanilz4qztz

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC, CXF committer
http://home.apache.org/~ilgrosso/


Re: [IAM PoC] Starting with implementation

Francesco Chicchiriccò
Hi all,
I am happy to report that the VM for the PoC was made available
(syncope-vm2.apache.org) - see INFRA-10931.
I have been able to successfully access via SSH (sudo does not seem to
work, but nothing problematic about this ATM).

I know from IRC that Pierre is at work to try to define a first Puppet
setup including JDK 1.8, Maven, Tomcat 8.5 and PostgreSQL.
Besides such components, the setup process will also need to fetch and
build the Maven project from the dedicated GIT repository (see below).

Now in the first place I think we should re-attempt to start discussing the
actual requirements of this PoC, and then the planning.

This means, essentially, to gather some information from the infra team.

I propose again to concentrate, from the list shown by Tony in [1], on
the first item, e.g. "https://id.apache.org (The end-user part of it)",
which triggers these first questions:

  1. does the current app exclusively manage data from LDAP?
  2. if so, could you provide some details:
     a. which LDAP server implementation? OpenLDAP?
     b. which object classes are in use? baseDN(s)?
     c. which processes / tools are reading from LDAP? which are writing?

In INFRA-10931, Greg proposed to provide an LDIF export of the
production LDAP servers so that we can setup a local detached copy which
we could use for tests.

Looking forward to your reply.
Regards.

On 21/12/2015 17:16, Francesco Chicchiriccò wrote:


--
Francesco Chicchiriccò
Tel +393290573276

Amministratore unico @ Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/

"To Iterate is Human, to Recurse, Divine"
(James O. Coplien, Bell Labs)


Re: [IAM PoC] Starting with implementation

Pierre Smits
I have also been able to ssh into the PoC environment.

Based on information provided by INFRA officials I have forked the INFRA
puppet config repo [1], to start building the Syncope-PoC node
configuration. As soon as I have something tangible I will make the file
available for review and when accepted will initiate the pull request.

[1] https://github.com/apache/infrastructure-puppet

Best regards,

Pierre Smits

ORRTIZ.COM <http://www.orrtiz.com>
OFBiz based solutions & services

OFBiz Extensions Marketplace
http://oem.ofbizci.net/oci-2/

On Fri, Dec 16, 2016 at 11:13 AM, Francesco Chicchiriccò <[hidden email]> wrote:


Re: [IAM PoC] Starting with implementation

Pierre Smits
Hi All,

I have made the first pass of the Syncope-PoC node configuration available
at [1]. Please review and post your comments (and other insights) here.
After a few days I will (based on your feedback) create a pull request and
ask INFRA for feedback.

[1]
https://github.com/PierreSmits/infrastructure-puppet/blob/deployment/data/nodes/syncope-vm2.apache.org.yaml

Best regards,

Pierre Smits

ORRTIZ.COM <http://www.orrtiz.com>
OFBiz based solutions & services

OFBiz Extensions Marketplace
http://oem.ofbizci.net/oci-2/

On Fri, Dec 16, 2016 at 11:30 AM, Pierre Smits <[hidden email]> wrote:


Re: [IAM PoC] Starting with implementation

ilgrosso
Administrator
In reply to this post by Francesco Chicchiriccò
Quick update:

1. Pierre has submitted the first PR for puppet at
https://github.com/apache/infrastructure-puppet/pull/156

2. I have just updated the PoC code to Syncope 2.0.1 (that's the second
commit, exactly 1 year after the first one: time flies):
https://github.com/apache/iampoc/commit/a155f59362e6f553356e7e52116834837dbda984

However, without someone from Infra providing info + specifications,
there is not much more we can do.
Infra, please if you're there, knock once.

Regards.

On 16/12/2016 11:13, Francesco Chicchiriccò wrote:


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


Re: [IAM PoC] Starting with implementation

Pierre Smits
I guess we'll see the input from INFRA appear in the comments of the pull
request, or else in e.g. https://issues.apache.org/jira/browse/INFRA-10931
and associated issues.

Best regards,

Pierre Smits

ORRTIZ.COM <http://www.orrtiz.com>
OFBiz based solutions & services

OFBiz Extensions Marketplace
http://oem.ofbizci.net/oci-2/

On Mon, Dec 19, 2016 at 9:09 AM, Francesco Chicchiriccò <[hidden email]> wrote:


Re: [IAM PoC] Starting with implementation

ilgrosso
Administrator
In reply to this post by ilgrosso
Hi all,
semi-formal "ping" for Infra guys: is there anyone available for
supporting this PoC? As said from the beginning, a fundamental
requirement is to have someone playing the customer role, otherwise any
effort is pointless.

Regards.

On 19/12/2016 09:09, Francesco Chicchiriccò wrote:

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


Re: [IAM PoC] Starting with implementation

Chris Lambertus
Yes, I am available. I will provide you an export of our existing LDAP repository and pointers to our schemas. In answer to your questions below regarding id.a.o:

1) Yes, the current id.a.o app exclusively manages data in LDAP as a self-service tool.

2a) OpenLDAP
2b) A variety including some custom schemas which I will make available to you along with the ldif.
2c) There are MANY processes and tools which read and write from LDAP.

The initial scope of the PoC should be to provision Syncope as an admin and end-user UI for maintaining attributes related to LDAP accounts (committers, staff) as a potential replacement for the id.apache.org service. Once we’ve explored the key functionality of a test/demo implementation, we can look at what it would take to replace the service in production, along with integrating other tools related to account creation.

-Chris

On Jan 9, 2017, at 3:59 AM, Francesco Chicchiriccò <[hidden email]> wrote:


Re: [IAM PoC] Starting with implementation

Chris Lambertus

On Jan 10, 2017, at 2:56 PM, Chris Lambertus <[hidden email]> wrote:

> I will provide you an export of our existing LDAP repository and pointers to our schemas.


I’ve placed the ldif dump in /root/asf-20170110.ldif on syncope-vm2.

Our LDAP server configuration is generally defined in the following puppet module:


The custom schemas are in files/. There is a slapd.conf template that describes the ACLs in templates/slapd.conf.erb. Some of the data won’t be available to you because there are passwords for things like replication stored encrypted in other locations.

-Chris
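
One way to answer questions 2b/2c from the ldif dump and to keep production credentials out of the dev VM, as an added example for this thread (not code from the iampoc project or from ASF Infra): it parses an export in the shape slapcat produces, lists the suffixes and objectClass usage, and strips credential-bearing attributes before the data is loaded into the detached test instance. The sample LDIF, its suffix, the uids and the set of attributes treated as sensitive are constructed assumptions, not values from the real export.

```python
"""Inventory a production LDIF export and scrub it before loading it into the
detached test OpenLDAP instance discussed in this thread.

Added example, not code from the iampoc project or the ASF Infra export. The
sample LDIF, its suffix and its uids are constructed; the set of attributes
treated as sensitive is an assumption for this example.
"""
import base64
from collections import Counter

# Credential-bearing attributes that must not travel from production into a
# development VM (assumed list; extend it for the real custom schemas).
SENSITIVE_ATTRS = {"userpassword", "sshpublickey", "olcrootpw"}

# Constructed sample in the shape of a slapcat export: it contains a base64
# value ('::'), a folded line (continuation starts with a space), a comment.
SAMPLE_LDIF = """\
# constructed export for the example
dn: dc=example,dc=org
objectClass: dcObject
objectClass: organization
dc: example

dn: ou=people,dc=example,dc=org
objectClass: organizationalUnit
ou: people

dn: uid=alice,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
uid: alice
cn: Alice
sn: Example
userPassword:: e1NTSEF9ZmFrZWhhc2g=
sshPublicKey: ssh-ed25519 AAAAC3constructed alice@example.org
description: constructed account used only for the
  PoC test instance
"""


def parse_ldif(text):
    """Return a list of (dn, [(attr, value), ...]) records."""
    records, lines = [], []
    for raw in text.splitlines() + [""]:    # trailing "" flushes the last record
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]             # unfold a continuation line
        elif raw == "":
            if lines:
                records.append(_record(lines))
                lines = []
        else:
            lines.append(raw)
    return records


def _record(lines):
    dn, attrs = None, []
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):            # '::' marks a base64 value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.append((name, value))
    if dn is None:
        raise ValueError("LDIF record without a dn")
    return dn, attrs


def object_class_usage(records):
    """Count objectClass values across the export (question 2b above)."""
    usage = Counter()
    for _, attrs in records:
        usage.update(v for n, v in attrs if n.lower() == "objectclass")
    return usage


def base_dns(records):
    """DNs whose parent is absent from the export, i.e. the suffixes."""
    dns = {dn for dn, _ in records}
    # Splitting on ',' suffices for ordinary data; escaped commas need an RDN parser.
    return sorted(dn for dn in dns if dn.partition(",")[2] not in dns)


def scrub(records):
    """Drop sensitive attributes; return (clean records, DNs that had them)."""
    clean, flagged = [], []
    for dn, attrs in records:
        kept = [(n, v) for n, v in attrs if n.lower() not in SENSITIVE_ATTRS]
        if len(kept) != len(attrs):
            flagged.append(dn)
        clean.append((dn, kept))
    return clean, flagged
```

Running `scrub(parse_ldif(open("/root/asf-20170110.ldif").read()))` on the VM would list every DN that still carried a credential attribute, which is the set to review before the data leaves /root.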



Re: [IAM PoC] Starting with implementation

ilgrosso
Administrator
In reply to this post by Chris Lambertus
On 10/01/2017 23:56, Chris Lambertus wrote:
> Yes, I am available. I will provide you an export of our existing LDAP
> repository and pointers to our schemas.

Thanks Chris, looks good!

> In answer to your questions below regarding id.a.o:
>
> 1) Yes, the current id.a.o app exclusively manages data in LDAP as a
> self-service tool.
>
> 2a) OpenLDAP
> 2b) A variety including some custom schemas which I will make
> available to you along with the ldif.
> 2c) There are MANY processes and tools which read and write from LDAP.
>
> The initial scope of the PoC should be to provision Syncope as an
> admin and end-user UI for maintaining attributes related to LDAP
> accounts (committers, staff) as a potential replacement for the
> id.apache.org service. Once we’ve explored the
> key functionality of a test/demo implementation, we can look at what
> it would take to replace the service in production, along with
> integrating other tools related to account creation.

I completely agree.

AFAICT, the identified tasks are:

1. set up an OpenLDAP instance with the content and configuration provided
2. configure the Syncope entities: schemas, realms, resource, tasks, ...
3. configure / customize the Enduser UI

I will start with task (1), manual installation; not sure if it makes
sense to puppet-ize that: if so, Pierre could possibly help.
Any other volunteer?

Regards.


Re: [IAM PoC] Starting with implementation

ilgrosso
Administrator
On 11/01/2017 12:42, Francesco Chicchiriccò wrote:

> On 10/01/2017 23:56, Chris Lambertus wrote:
>> Yes, I am available. I will provide you an export of our existing
>> LDAP repository and pointers to our schemas.
>
> Thanks Chris, looks good!
>
>> In answer to your questions below regarding id.a.o:
>>
>> 1) Yes, the current id.a.o app exclusively manages data in LDAP as a
>> self-service tool.
>>
>> 2a) OpenLDAP
>> 2b) A variety including some custom schemas which I will make
>> available you along with the ldif.
>> 2c) There are MANY processes and tools which read and write from LDAP.
>>
>> The initial scope of the PoC should be to provision Syncope as an
>> admin and end-user UI for maintaining attributes related to LDAP
>> accounts (committers, staff) as a potential replacement for the
>> id.apache.org <http://id.apache.org> service. Once we’ve explored the
>> key functionality of a test/demo implementation, we can look at what
>> it would take to replace the service in production, along with
>> integrating other tools related to account creation.
>
> I completely agree.
>
> AFAICT, the identified tasks are:
>
> 1. set up an OpenLDAP instance with the content and configuration provided
> 2. configure the Syncope entities: schemas, realms, resource, tasks, ...
> 3. configure / customize the Enduser UI
>
> I will start with task (1), manual installation; not sure if it makes
> sense to puppet-ize that: if so, Pierre could possibly help.

Updated: thanks to the LDIF dump saved under

/root/asf-20170110.ldif on syncope-vm2

and the LDAP conf chunks I could derive from

https://github.com/apache/infrastructure-puppet/tree/deployment/modules/ldapserver

I was finally able to successfully import everything; the OpenLDAP
instance is currently up and running, ready to rumble.

FYI I have placed a copy of the resulting slapd.conf under /root on
syncope-vm2

> Any other volunteer?
>
> Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
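The dump Chris placed at /root/asf-20170110.ldif and the import described above are the point where production directory data lands on a shared PoC VM. What follows is an added example, not code from the iampoc repository or from anyone in this thread: a small Python audit that parses the LDIF (RFC 2849 line folding, base64 values, comments), inventories object classes and parent DNs (the "which object classes are in use? baseDN(s)?" questions above), and writes a copy with credential-bearing attributes dropped before the file is handed to slapadd. The SENSITIVE_ATTRS list, the script name and the sample entries are constructed assumptions; the real export's schema is not on this page.

```python
"""Audit an LDIF export before loading it into a test OpenLDAP instance.
Added example for this thread, not code from the iampoc repository.
Assumes RFC 2849 LDIF as written by slapcat; SENSITIVE_ATTRS is a guess."""
import base64
import re
import sys
from collections import Counter

# Attribute types whose values must not be copied onto a shared PoC VM (assumption).
SENSITIVE_ATTRS = {"userpassword", "sambantpassword", "sambalmpassword", "pwdhistory"}
# RFC 2849 SAFE-STRING: printable ASCII, not starting with space, ':' or '<'.
SAFE_RE = re.compile(r"^[\x21-\x39\x3b\x3d-\x7e][\x20-\x7e]*$")

# Constructed sample standing in for /root/asf-20170110.ldif; not real ASF data.
_PW = base64.b64encode(b"{SSHA}not-a-real-hash").decode()
SAMPLE_LDIF = f"""\
# constructed sample export
dn: dc=example,dc=org
objectClass: top
objectClass: dcObject
dc: example

dn: uid=alice,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
userPassword:: {_PW}

dn: cn=committers,ou=groups,dc=example,dc=org
objectClass: groupOfNames
cn: committers
member: uid=alice,ou=people,dc=example,dc=org
description: a long description that is folded across two LDIF
  lines as RFC 2849 allows
"""

def parse_ldif(text):
    """Return [(dn, [(attr, value), ...])]; handles folding, base64 ('::') and comments."""
    unfolded = re.sub(r"\n ", "", text)  # continuation lines start with one space
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, attrs = None, []
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # base64 value; ':<' URL values are kept verbatim
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.append((name, value))
        if dn is not None:
            entries.append((dn, attrs))
    return entries

def inventory(entries):
    """Count object classes and parent DNs: the thread's 'which object classes? baseDN(s)?'."""
    classes, parents = Counter(), Counter()
    for dn, attrs in entries:
        classes.update(v for n, v in attrs if n.lower() == "objectclass")
        # Simplification: split on the first comma; escaped commas in RDNs are not handled.
        parents[dn.partition(",")[2] or "(root)"] += 1
    return classes, parents

def format_value(name, value):
    """One attribute line, base64-encoding what RFC 2849 cannot print as-is."""
    if value and SAFE_RE.match(value):
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode()}"

def scrub(entries):
    """Return (ldif_text, redacted_count) with credential attributes dropped entirely."""
    out, redacted = [], 0
    for dn, attrs in entries:
        out.append(format_value("dn", dn))
        for name, value in attrs:
            if name.partition(";")[0].lower() in SENSITIVE_ATTRS:  # ignore options like ;binary
                redacted += 1  # drop rather than blank: test users get new passwords via Syncope
                continue
            out.append(format_value(name, value))
        out.append("")
    return "\n".join(out), redacted

def audit(text):
    entries = parse_ldif(text)
    classes, parents = inventory(entries)
    scrubbed, redacted = scrub(entries)
    return {"entries": len(entries), "objectClasses": dict(classes),
            "parents": dict(parents), "redacted": redacted, "scrubbed": scrubbed}

if __name__ == "__main__":  # usage: python ldif_audit.py /root/asf-20170110.ldif > scrubbed.ldif
    report = audit(open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LDIF)
    print({k: v for k, v in report.items() if k != "scrubbed"}, file=sys.stderr)
    sys.stdout.write(report["scrubbed"])
```

Run it on the VM against the dump (the ldif_audit.py name is an assumption), feed the scrubbed output to slapadd with the derived slapd.conf, and let test accounts get passwords set through Syncope instead of inheriting production hashes; the inventory printed on stderr is a quick answer to the object class and base DN questions asked earlier in the thread. Values that stop being RFC 2849 safe strings are re-emitted base64-encoded, so the scrubbed file stays loadable.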


Re: [IAM PoC] Starting with implementation

ilgrosso
Administrator
Hi,
quick update: I have defined some schemas and the local LDAP resource
with provision for both users and groups: at the moment browsing the
resource from Syncope Admin UI works fine.

Regards.


Re: [IAM PoC] Starting with implementation

Pierre Smits
I see that the syncope-vm is working. But did we use the preconfigured
installations of Tomcat and PostgreSQL (the client for connection to an ASF
psql setup)?

Best regards,

Pierre Smits

ORRTIZ.COM <http://www.orrtiz.com>
OFBiz based solutions & services

OFBiz Extensions Marketplace
http://oem.ofbizci.net/oci-2/


Re: [IAM PoC] Starting with implementation

ilgrosso
Administrator
On 12 January 2017 at 19:23:37 CET, Pierre Smits <[hidden email]> wrote:
> I see that the syncope-vm is working. But did we use the preconfigured
> installations of Tomcat and PostgreSQL (the client for connection to an ASF
> psql setup)?

syncope-vm.apache.org hosts our public demo, see

http://syncope.apache.org/demo.html

I am working on syncope-vm2 with manual Tomcat deployment (and PostgreSQL) of the artifacts built from the POC GIT repository.

Regards.

>On Thu, Jan 12, 2017 at 5:14 PM, Francesco Chicchiriccò
><[hidden email]
>> wrote:
>
>> Hi,
>> quick update: I have defined some schemas and the local LDAP resource
>with
>> provision for both users and groups: at the moment browsing the
>resource
>> from Syncope Admin UI works fine.
>>
>> Regards.
>>
>> On 11/01/2017 16:12, Francesco Chicchiriccò wrote:
>>
>>> On 11/01/2017 12:42, Francesco Chicchiriccò wrote:
>>>
>>>> On 10/01/2017 23:56, Chris Lambertus wrote:
>>>>
>>>>> Yes, I am available. I will provide you an export of our existing
>LDAP
>>>>> repository and pointers to our schemas.
>>>>>
>>>>
>>>> Thanks Chris, looks good!
>>>>
>>>> In answer to your questions below regarding id.a.o:
>>>>>
>>>>> 1) Yes, the current id.a.o app exclusively manages data in LDAP as
>a
>>>>> self-service tool.
>>>>>
>>>>> 2a) OpenLDAP
>>>>> 2b) A variety including some custom schemas which I will make
>available
>>>>> you along with the ldif.
>>>>> 2c) There are MANY processes and tools which read and write from
>LDAP.
>>>>>
>>>>> The initial scope of the PoC should be to provision Syncope as an
>admin
>>>>> and end-user UI for maintaining attributes related to LDAP
>accounts
>>>>> (committers, staff) as a potential replacement for the
>id.apache.org <
>>>>> http://id.apache.org> service. Once we’ve explored the key
>>>>> functionality of a test/demo implementation, we can look at what
>it would
>>>>> take to replace the service in production, along with integrating
>other
>>>>> tools related to account creation.
>>>>>
>>>>
>>>> I completely agree.
>>>>
>>>> AFAICT, the identified tasks are:
>>>>
>>>> 1. setup an OpenLDAP  instance with the content and configuration
>>>> provided
>>>> 2. configure the Syncope entities: schemas, realms, resource,
>tasks, ...
>>>> 3. configure / customize the Enduser UI
>>>>
>>>> I will start with task (1), manual installation; not sure if it
>makes
>>>> sense to puppet-ize that: if so, Pierre could possibly help.
>>>>
>>>
>>> Updated: thanks to the LDIF dump saved under
>>>
>>> /root/asf-20170110.ldif on syncope-vm2
>>>
>>> and the LDAP conf chunks I could derive from
>>>
>>> https://github.com/apache/infrastructure-puppet/tree/deploym
>>> ent/modules/ldapserver
>>>
>>> I was finally able to successfully import everything; the OpenLDAP
>>> instance is currently up and running, ready to rumble.
>>>
>>> FYI I have placed a copy of the resulting slapd.conf under /root on
>>> syncope-vm2
>>>
>>> Any other volunteer?
>>>>
>>>> Regards.
>>>>
>>>>
>>>> On Jan 9, 2017, at 3:59 AM, Francesco Chicchiriccò
><[hidden email]
>>>>>> <mailto:[hidden email]>> wrote:
>>>>>>
>>>>>> Hi all,
>>>>>> semi-formal "ping" for Infra guys: is there anyone available for
>>>>>> supporting this PoC? As said from the beginning, a fundamental
>requirement
>>>>>> is to have someone playing the customer role, otherwise any
>effort is
>>>>>> pointless.
>>>>>>
>>>>>> Regards.
>>>>>>
>>>>>> On 19/12/2016 09:09, Francesco Chicchiriccò wrote:
>>>>>>
>>>>>>> Quick update:
>>>>>>>
>>>>>>> 1. Pierre has submitted the first PR for puppet at
>>>>>>> https://github.com/apache/infrastructure-puppet/pull/156
>>>>>>>
>>>>>>> 2. I have just updated the PoC code to Syncope 2.0.1 (that's the
>>>>>>> second commit, exactly 1 year after fist one: time flies):
>>>>>>> https://github.com/apache/iampoc/commit/a155f59362e6f553356e
>>>>>>> 7e52116834837dbda984
>>>>>>>
>>>>>>> However, without someone from Infra providing info +
>specifications,
>>>>>>> there is no much more we can do.
>>>>>>> Infra, please if you're there, knock once.
>>>>>>>
>>>>>>> Regards.
>>>>>>>
>>>>>>> On 16/12/2016 11:13, Francesco Chicchiriccò wrote:
>>>>>>>
>>>>>>>> HI all,
>>>>>>>> I am happy to report that the VM for the PoC was made available
>(
>>>>>>>> syncope-vm2.apache.org) - see INFRA-10931.
>>>>>>>> I have been able to successfully access via SSH (sudo does not
>seem
>>>>>>>> to work, but nothing problematic about this ATM).
>>>>>>>>
>>>>>>>> I know from IRC that Pierre is at work to try to define a first
>>>>>>>> Puppet setup including JDK 1.8, Maven, Tomcat 8.5 and
>PostgreSQL.
>>>>>>>> Besides such components, the setup process will also need to
>fetch
>>>>>>>> and build the Maven project from the dedicated GIT repository
>(see below).
>>>>>>>>
>>>>>>>> Now in fist place I think we should re-attempt to start
>discussing
>>>>>>>> the actual requirements of this PoC, and then the planning.
>>>>>>>>
>>>>>>>> This means, essentially, to gather some information from the
>infra
>>>>>>>> team.
>>>>>>>>
>>>>>>>> I propose again to concentrate, from the list shown by Tony in
>[1],
>>>>>>>> on the first item, e.g. "https://id.apache.org (The end-user
>part
>>>>>>>> of it)", which triggers these first questions:
>>>>>>>>
>>>>>>>> 1. does the current app exclusively manage data from LDAP?
>>>>>>>> 2. if so, could you provide some details:
>>>>>>>>    a. which LDAP server implementation? OpenLDAP?
>>>>>>>>    b. which object classes are in use? baseDN(s)?
>>>>>>>>    c. which processes / tools are reading from LDAP? which are
>>>>>>>> writing?
>>>>>>>>
>>>>>>>> In INFRA-10931, Greg proposed to provide an LDIF export of the
>>>>>>>> production LDAP servers so that we can setup a local detached
>copy which we
>>>>>>>> could use for tests.
>>>>>>>>
>>>>>>>> Looking forward to your reply.
>>>>>>>> Regards.
>>>>>>>>
>>>>>>>> On 21/12/2015 17:16, Francesco Chicchiriccò wrote:
>>>>>>>>
>>>>>>>>> Hi all,
>>>>>>>>> we now have our GIT repository at
>>>>>>>>>
>>>>>>>>> https://git-wip-us.apache.org/repos/asf/iampoc.git
>>>>>>>>>
>>>>>>>>> which is also mirrored, as usual, to GitHub.
>>>>>>>>>
>>>>>>>>> As you can see, I have made an initial commit featuring an
>empty
>>>>>>>>> default Syncope 2.0.0-SNAPSHOT setup.
>>>>>>>>>
>>>>>>>>> Now, waiting for the VM to be available (see INFRA-10931), we
>can
>>>>>>>>> start defining what is actually going to be part of this PoC,
>and how we
>>>>>>>>> are going to implement the related features.
>>>>>>>>>
>>>>>>>>> From the list showed by Tony in [1], I'd start with first
>item,
>>>>>>>>> e.g. "https://id.apache.org (The end-user part of it)".
>>>>>>>>>
>>>>>>>>> Here are some questions:
>>>>>>>>>
>>>>>>>>> 1. does the current app exclusively manage data from LDAP?
>>>>>>>>> 2. if so, could you provide some details:
>>>>>>>>>    a. LDAP architecture (replicas, load-balancing, ..)
>>>>>>>>>    b. which LDAP server implementation? OpenLDAP?
>>>>>>>>>    c. which object classes are in use? baseDN(s)?
>>>>>>>>>    d. which processes / tools are reading from LDAP? which are
>>>>>>>>> writing?
>>>>>>>>>    e. is there any test LDAP instance available? if not, is it
>>>>>>>>> possible to pre-load some data from the production instances
>in order to
>>>>>>>>> build a test instance in our development VM?
>>>>>>>>>
>>>>>>>>> Please add questions if you see something missing.
>>>>>>>>>
>>>>>>>>> Regards.
>>>>>>>>>
>>>>>>>>> [1] http://markmail.org/message/utlcjkanilz4qztz
>>>>>>>>>
>>>>>>>>
>> --
>> Francesco Chicchiriccò
>>
>> Tirasa - Open Source Excellence
>> http://www.tirasa.net/
>>
>> Member at The Apache Software Foundation
>> Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
>> http://home.apache.org/~ilgrosso/
>>
>>


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/

Re: [IAM PoC] Starting with implementation

Pierre Smits
I have configured the Apache HTTPD as the proxy server for the Syncope
deployment over SSL.

The following URLs can now be used:

   - http://idm-poc.apache.org/syncope, redirecting to
   https://idm-poc.apache.org/syncope
   - http://idm-poc.apache.org/syncope-console, redirecting to
   https://idm-poc.apache.org/syncope-console
   - http://idm-poc.apache.org/syncope-enduser, redirecting to
   https://idm-poc.apache.org/syncope-enduser

I still have to look at aspects like:

   - https://idm-poc.apache.org/syncope/swagger

as this doesn't work correctly. But then again,
http://idm-poc.apache.org:8080/syncope/swagger doesn't work either.

Please do *not* use the Syncope implementation via the unencrypted Tomcat
port 8080.

Best regards,

Pierre Smits

ORRTIZ.COM <http://www.orrtiz.com>
OFBiz based solutions & services

OFBiz Extensions Marketplace
http://oem.ofbizci.net/oci-2/

On Thu, Jan 12, 2017 at 8:23 PM, Francesco Chicchiriccò <[hidden email]
> wrote:

> Il 12 gennaio 2017 19:23:37 CET, Pierre Smits <[hidden email]> ha
> scritto:
> >I see that the syncope-vm is working. But did we use the preconfigured
> >installations of tomcat and postgresql (the client for connection to a
> >ASF
> >psql setup)?
>
> syncope-vm.apache.org hosts our public demo, see
>
> http://syncope.apache.org/demo.html
>
> I am working on syncope-vm2 with manual Tomcat deployment (and PostgreSQL)
> of the artifacts built from the POC GIT repository.
>
> Regards.
>
> >On Thu, Jan 12, 2017 at 5:14 PM, Francesco Chicchiriccò
> ><[hidden email]
> >> wrote:
> >
> >> Hi,
> >> quick update: I have defined some schemas and the local LDAP resource
> >with
> >> provision for both users and groups: at the moment browsing the
> >resource
> >> from Syncope Admin UI works fine.
> >>
> >> Regards.
> >>
> >> On 11/01/2017 16:12, Francesco Chicchiriccò wrote:
> >>
> >>> On 11/01/2017 12:42, Francesco Chicchiriccò wrote:
> >>>
> >>>> On 10/01/2017 23:56, Chris Lambertus wrote:
> >>>>
> >>>>> Yes, I am available. I will provide you an export of our existing
> >LDAP
> >>>>> repository and pointers to our schemas.
> >>>>>
> >>>>
> >>>> Thanks Chris, looks good!
> >>>>
> >>>> In answer to your questions below regarding id.a.o:
> >>>>>
> >>>>> 1) Yes, the current id.a.o app exclusively manages data in LDAP as
> >a
> >>>>> self-service tool.
> >>>>>
> >>>>> 2a) OpenLDAP
> >>>>> 2b) A variety including some custom schemas which I will make
> >available
> >>>>> you along with the ldif.
> >>>>> 2c) There are MANY processes and tools which read and write from
> >LDAP.
> >>>>>
> >>>>> The initial scope of the PoC should be to provision Syncope as an
> >admin
> >>>>> and end-user UI for maintaining attributes related to LDAP
> >accounts
> >>>>> (committers, staff) as a potential replacement for the
> >id.apache.org <
> >>>>> http://id.apache.org> service. Once we’ve explored the key
> >>>>> functionality of a test/demo implementation, we can look at what
> >it would
> >>>>> take to replace the service in production, along with integrating
> >other
> >>>>> tools related to account creation.
> >>>>>
> >>>>
> >>>> I completely agree.
> >>>>
> >>>> AFAICT, the identified tasks are:
> >>>>
> >>>> 1. set up an OpenLDAP instance with the content and configuration
> >>>> provided
> >>>> 2. configure the Syncope entities: schemas, realms, resource,
> >tasks, ...
> >>>> 3. configure / customize the Enduser UI
> >>>>
> >>>> I will start with task (1), manual installation; not sure if it
> >makes
> >>>> sense to puppet-ize that: if so, Pierre could possibly help.
> >>>>
> >>>
> >>> Updated: thanks to the LDIF dump saved under
> >>>
> >>> /root/asf-20170110.ldif on syncope-vm2
> >>>
> >>> and the LDAP conf chunks I could derive from
> >>>
> >>> https://github.com/apache/infrastructure-puppet/tree/deploym
> >>> ent/modules/ldapserver
> >>>
> >>> I was finally able to successfully import everything; the OpenLDAP
> >>> instance is currently up and running, ready to rumble.
> >>>
> >>> FYI I have placed a copy of the resulting slapd.conf under /root on
> >>> syncope-vm2
> >>>
> >>> Any other volunteer?
> >>>>
> >>>> Regards.
> >>>>
> >>>>
> >>>> On Jan 9, 2017, at 3:59 AM, Francesco Chicchiriccò
> ><[hidden email]
> >>>>>> <mailto:[hidden email]>> wrote:
> >>>>>>
> >>>>>> Hi all,
> >>>>>> semi-formal "ping" for Infra guys: is there anyone available for
> >>>>>> supporting this PoC? As said from the beginning, a fundamental
> >requirement
> >>>>>> is to have someone playing the customer role, otherwise any
> >effort is
> >>>>>> pointless.
> >>>>>>
> >>>>>> Regards.
> >>>>>>
> >>>>>> On 19/12/2016 09:09, Francesco Chicchiriccò wrote:
> >>>>>>
> >>>>>>> Quick update:
> >>>>>>>
> >>>>>>> 1. Pierre has submitted the first PR for puppet at
> >>>>>>> https://github.com/apache/infrastructure-puppet/pull/156
> >>>>>>>
> >>>>>>> 2. I have just updated the PoC code to Syncope 2.0.1 (that's the
> >>>>>>> second commit, exactly 1 year after the first one: time flies):
> >>>>>>> https://github.com/apache/iampoc/commit/a155f59362e6f553356e
> >>>>>>> 7e52116834837dbda984
> >>>>>>>
> >>>>>>> However, without someone from Infra providing info +
> >specifications,
> >>>>>>> there is no much more we can do.
> >>>>>>> Infra, please if you're there, knock once.
> >>>>>>>
> >>>>>>> Regards.
> >>>>>>>
> >>>>>>> On 16/12/2016 11:13, Francesco Chicchiriccò wrote:
> >>>>>>>
> >>>>>>>> Hi all,
> >>>>>>>> I am happy to report that the VM for the PoC was made available
> >(
> >>>>>>>> syncope-vm2.apache.org) - see INFRA-10931.
> >>>>>>>> I have been able to successfully access via SSH (sudo does not
> >seem
> >>>>>>>> to work, but nothing problematic about this ATM).
> >>>>>>>>
> >>>>>>>> I know from IRC that Pierre is at work to try to define a first
> >>>>>>>> Puppet setup including JDK 1.8, Maven, Tomcat 8.5 and
> >PostgreSQL.
> >>>>>>>> Besides such components, the setup process will also need to
> >fetch
> >>>>>>>> and build the Maven project from the dedicated GIT repository
> >(see below).
> >>>>>>>>
> >>>>>>>> Now in first place I think we should re-attempt to start
> >discussing
> >>>>>>>> the actual requirements of this PoC, and then the planning.
> >>>>>>>>
> >>>>>>>> This means, essentially, to gather some information from the
> >infra
> >>>>>>>> team.
> >>>>>>>>
> >>>>>>>> I propose again to concentrate, from the list shown by Tony in
> >[1],
> >>>>>>>> on the first item, e.g. "https://id.apache.org (The end-user
> >part
> >>>>>>>> of it)", which triggers these first questions:
> >>>>>>>>
> >>>>>>>> 1. does the current app exclusively manage data from LDAP?
> >>>>>>>> 2. if so, could you provide some details:
> >>>>>>>>    a. which LDAP server implementation? OpenLDAP?
> >>>>>>>>    b. which object classes are in use? baseDN(s)?
> >>>>>>>>    c. which processes / tools are reading from LDAP? which are
> >>>>>>>> writing?
> >>>>>>>>
> >>>>>>>> In INFRA-10931, Greg proposed to provide an LDIF export of the
> >>>>>>>> production LDAP servers so that we can setup a local detached
> >copy which we
> >>>>>>>> could use for tests.
> >>>>>>>>
> >>>>>>>> Looking forward to your reply.
> >>>>>>>> Regards.
> >>>>>>>>
> >>>>>>>> On 21/12/2015 17:16, Francesco Chicchiriccò wrote:
> >>>>>>>>
> >>>>>>>>> Hi all,
> >>>>>>>>> we now have our GIT repository at
> >>>>>>>>>
> >>>>>>>>> https://git-wip-us.apache.org/repos/asf/iampoc.git
> >>>>>>>>>
> >>>>>>>>> which is also mirrored, as usual, to GitHub.
> >>>>>>>>>
> >>>>>>>>> As you can see, I have made an initial commit featuring an
> >empty
> >>>>>>>>> default Syncope 2.0.0-SNAPSHOT setup.
> >>>>>>>>>
> >>>>>>>>> Now, waiting for the VM to be available (see INFRA-10931), we
> >can
> >>>>>>>>> start defining what is actually going to be part of this PoC,
> >and how we
> >>>>>>>>> are going to implement the related features.
> >>>>>>>>>
> >>>>>>>>> From the list shown by Tony in [1], I'd start with first
> >item,
> >>>>>>>>> e.g. "https://id.apache.org (The end-user part of it)".
> >>>>>>>>>
> >>>>>>>>> Here are some questions:
> >>>>>>>>>
> >>>>>>>>> 1. does the current app exclusively manage data from LDAP?
> >>>>>>>>> 2. if so, could you provide some details:
> >>>>>>>>>    a. LDAP architecture (replicas, load-balancing, ..)
> >>>>>>>>>    b. which LDAP server implementation? OpenLDAP?
> >>>>>>>>>    c. which object classes are in use? baseDN(s)?
> >>>>>>>>>    d. which processes / tools are reading from LDAP? which are
> >>>>>>>>> writing?
> >>>>>>>>>    e. is there any test LDAP instance available? if not, is it
> >>>>>>>>> possible to pre-load some data from the production instances
> >in order to
> >>>>>>>>> build a test instance in our development VM?
> >>>>>>>>>
> >>>>>>>>> Please add questions if you see something missing.
> >>>>>>>>>
> >>>>>>>>> Regards.
> >>>>>>>>>
> >>>>>>>>> [1] http://markmail.org/message/utlcjkanilz4qztz
> >>>>>>>>>
> >>>>>>>>
> >> --
> >> Francesco Chicchiriccò
> >>
> >> Tirasa - Open Source Excellence
> >> http://www.tirasa.net/
> >>
> >> Member at The Apache Software Foundation
> >> Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
> >> http://home.apache.org/~ilgrosso/
> >>
> >>
>
>
> --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Member at The Apache Software Foundation Syncope, Cocoon, Olingo, CXF,
> OpenJPA, PonyMail
> http://home.apache.org/~ilgrosso/
>

Re: [IAM PoC] Starting with implementation

Tony Stevenson


> On Jan 12, 2017, at 1:22 PM, Pierre Smits <[hidden email]> wrote:
>
> Please do not use the syncope implementation via the unencrypted tomcat port 8080/
>

Then configure Tomcat to only listen on loopback, or only allow access from the local interface. Better yet, change the firewall rules. Or do both. ;)

Assuming the VM is in puppet the firewall rules should be a few lines of config.




--
Cheers,
Tony

-----------------------
http://www.pc-tony.com
GPG - 3072D/2543E323
-----------------------



Re: [IAM PoC] Starting with implementation

Pierre Smits
Tony,

Francesco didn't install the syncope wars in/on the puppet configured
Tomcat, but did a new Tomcat installation in /opt.

So we need to figure out how to do that correction there, or redeploy
syncope in the puppet controlled Tomcat.

Best regards,

Pierre Smits

ORRTIZ.COM <http://www.orrtiz.com>
OFBiz based solutions & services

OFBiz Extensions Marketplace
http://oem.ofbizci.net/oci-2/

On Thu, Jan 12, 2017 at 10:48 PM, Tony Stevenson <[hidden email]> wrote:

>
>
> > On Jan 12, 2017, at 1:22 PM, Pierre Smits <[hidden email]>
> wrote:
> >
> > Please do not use the syncope implementation via the unencrypted tomcat
> port 8080/
> >
>
> Then configure tomcat to only listen on loopback, or only allow access
> from the local interface then.  Better yet change the firewall rules. Or do
> both. ;)
>
> Assuming the VM is in puppet the firewall rules should be a few lines of
> config.
>
>
>
>
> --
> Cheers,
> Tony
>
> -----------------------
> http://www.pc-tony.com
> GPG - 3072D/2543E323
> -----------------------
>
>
>

Re: [IAM PoC] Starting with implementation

ilgrosso
Administrator
Hi all,
I honestly do not see the point of putting any effort (yet) in
puppetizing the configurations on syncope-vm2.

syncope-vm2 is the VM we are using to implement a PoC, not a production
environment.

For example, I had to install the OpenLDAP packages to load the ASF
Directory dump, in order to have a reference external resource for
Syncope. I would not expect this in a production machine.

The work to be done there is currently about configuring Syncope (mainly
via Admin UI) and possibly developing some extension classes, to be part
of the sources hosted at

https://git-wip-us.apache.org/repos/asf/iampoc.git

with purpose of building a replacement for https://id.apache.org

I expect such work not to be completed anytime soon, partly because it is
inherently complex, partly because it is done in my own spare time.

I agree, indeed, that:

1. leaving all ports open to the wild is not good (especially because
there is currently an OpenLDAP instance loaded with the dump from the
official ASF Directory), so I have configured iptables to refuse
connections on all ports but SSH (see /root/iptables.sh, currently saved
via iptables-persistence to survive restarts)

At the moment I can easily work with SSH port forwarding; I expect to
re-open the ports 80 and 443, to allow connections to

* http://idm-poc.apache.org/syncope, redirecting to
https://idm-poc.apache.org/syncope
* http://idm-poc.apache.org/syncope-console, redirecting to
https://idm-poc.apache.org/syncope-console
* http://idm-poc.apache.org/syncope-enduser, redirecting to
https://idm-poc.apache.org/syncope-enduser

as already configured by Pierre.

Note: I don't see any reason to enable the Syncope Swagger extension,
hence it is perfectly expected that

/syncope/swagger

returns nothing.

2. since the tomcat8 packages are installed, there is almost no reason (but
the unavailability of Tomcat 8.5 as a deb package, but this is another
story...) to use the manual Tomcat deployment under /opt; I will remove
that soon

Regards.

On 12/01/2017 22:58, Pierre Smits wrote:

> Tony,
>
> Francesco didn't install the syncope wars in/on the puppet configured
> Tomcat, but did a new Tomcat installation in /opt.
>
> So we need to figure out how to do that correction there, or redeploy
> syncope in the puppet controlled Tomcat.
>
> On Thu, Jan 12, 2017 at 10:48 PM, Tony Stevenson <[hidden email]> wrote:
>
>>> On Jan 12, 2017, at 1:22 PM, Pierre Smits <[hidden email]> wrote:
>>>
>>> Please do not use the syncope implementation via the unencrypted tomcat port 8080/
>> Then configure tomcat to only listen on loopback, or only allow access
>> from the local interface then.  Better yet change the firewall rules. Or do
>> both. ;)
>>
>> Assuming the VM is in puppet the firewall rules should be a few lines of
>> config.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


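A small audit, added here as an example and not code from the thread's authors or from the iampoc repository, for the two controls these messages converge on: Tony's point that Tomcat's plain 8080 connector should listen on loopback only, and Francesco's iptables policy that drops everything but SSH and will later re-open 80 and 443 for the HTTPD proxy. It parses a Tomcat server.xml and an `iptables-save` dump; the sample inputs and the `ALLOWED_PORTS` set are assumptions, not the PoC host's real configuration.

```python
# Added example: audit the Tomcat binding and iptables policy discussed above.
# All inputs are constructed samples, not the PoC host's real configuration.
import re
import xml.etree.ElementTree as ET

ALLOWED_PORTS = {22, 80, 443}   # SSH plus the two ports served by the HTTPD proxy
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def exposed_connectors(server_xml):
    """Return [(port, address)] for every Tomcat Connector not bound to loopback."""
    exposed = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # No 'address' attribute: the HTTP connector listens on all interfaces,
        # which is exactly the plain-text 8080 exposure the thread warns about.
        addr = conn.get("address", "0.0.0.0")
        if addr not in LOOPBACK:
            exposed.append((int(conn.get("port", "0")), addr))
    return exposed


def audit_input_chain(iptables_save):
    """Audit the filter INPUT chain of `iptables-save` output.

    Loopback and conntrack RELATED,ESTABLISHED rules are not exposure and are
    skipped; every other ACCEPT is recorded by TCP --dport, or flagged as a
    blanket accept when it has none.
    """
    policy_re = re.compile(r"^:INPUT\s+(\w+)")
    accept_re = re.compile(r"^-A INPUT\b(?P<rest>.*)-j ACCEPT\s*$")
    dport_re = re.compile(r"--dport\s+(\d+)")
    policy, accepted, blanket, in_filter = None, set(), False, False
    for line in iptables_save.splitlines():
        line = line.strip()
        if line.startswith("*"):              # table header such as *filter
            in_filter = line == "*filter"
            continue
        m = policy_re.match(line) if in_filter else None
        if m:
            policy = m.group(1)
            continue
        m = accept_re.match(line) if in_filter else None
        if not m or "-i lo" in m.group("rest") or "--ctstate" in m.group("rest"):
            continue
        p = dport_re.search(m.group("rest"))
        if p:
            accepted.add(int(p.group(1)))
        else:
            blanket = True
    return {
        "default_drop": policy in ("DROP", "REJECT"),
        "unexpected": sorted(accepted - ALLOWED_PORTS),
        "missing": sorted(ALLOWED_PORTS - accepted),
        "blanket_accept": blanket,
    }


def is_hardened(server_xml, iptables_save):
    """True only when no connector is exposed and the firewall matches the target."""
    fw = audit_input_chain(iptables_save)
    return (not exposed_connectors(server_xml) and fw["default_drop"]
            and not fw["unexpected"] and not fw["missing"] and not fw["blanket_accept"])


# Constructed server.xml: the manual /opt Tomcat as shipped, then bound to loopback.
SERVER_XML_EXPOSED = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/></Service></Server>"""
SERVER_XML_LOOPBACK = SERVER_XML_EXPOSED.replace('port="8080"', 'port="8080" address="127.0.0.1"')

# Constructed rulesets: the current "SSH only" state and the intended 22/80/443 state.
IPTABLES_SSH_ONLY = """*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""
IPTABLES_TARGET = IPTABLES_SSH_ONLY.replace(
    "COMMIT", "-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT\n"
              "-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT\nCOMMIT")
```

Run `is_hardened()` against the live `server.xml` and `iptables-save` output before re-opening 80 and 443; it stays False until both the connector binding and the ruleset match.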

Re: [IAM PoC] Starting with implementation

Pierre Smits
Ok. Thanks.

I guess one of the next steps will be to change the password of the admin
userid to make it more secure.

Best regards,



Pierre Smits

ORRTIZ.COM <http://www.orrtiz.com>
OFBiz based solutions & services

OFBiz Extensions Marketplace
http://oem.ofbizci.net/oci-2/

On Fri, Jan 13, 2017 at 9:26 AM, Francesco Chicchiriccò <[hidden email]
> wrote:

> Hi all,
> I honestly do not see the point of putting any effort (yet) in puppetizing
> the configurations on syncope-vm2.
>
> syncope-vm2 is the VM we are using to implement a PoC, not a production
> environment.
>
> For example, I had to install the OpenLDAP packages to load the ASF
> Directory dump, in order to have a reference external resource for Syncope.
> I would not expect this in a production machine.
>
> The work to be done there is currently about configuring Syncope (mainly
> via Admin UI) and possibly developing some extension classes, to be part of
> the sources hosted at
>
> https://git-wip-us.apache.org/repos/asf/iampoc.git
>
> with purpose of building a replacement for https://id.apache.org
>
> I expect such work not to be completed anytime soon, partly because it is
> inherently complex, partly because it is done in my own spare time.
>
> I agree, indeed, that:
>
> 1. leaving all ports open to the wild is not good (especially because
> there is currently an OpenLDAP instance loaded with the dump from the
> official ASF Directory), so I have configured iptables to refuse
> connections on all ports but SSH (see /root/iptables.sh, currently saved
> via iptables-persistence to survive restarts)
>
> At the moment I can easily work with SSH port forwarding; I expect to
> re-open the ports 80 and 443, to allow connections to
>
> * http://idm-poc.apache.org/syncope, redirecting to
> https://idm-poc.apache.org/syncope
> * http://idm-poc.apache.org/syncope-console, redirecting to
> https://idm-poc.apache.org/syncope-console
> * http://idm-poc.apache.org/syncope-enduser, redirecting to
> https://idm-poc.apache.org/syncope-enduser
>
> as already configured by Pierre.
>
> Note: I don't see any reason to enable the Syncope Swagger extension,
> hence it is perfectly expected that
>
> /syncope/swagger
>
> returns nothing.
>
> 2. being the tomcat8 packages installed, there is almost no reason (but
> the unavailability of Tomcat 8.5 as deb package, but this is another
> story...) to use the manual Tomcat deployment under /opt, I will remove
> that soon
>
> Regards.
>
> On 12/01/2017 22:58, Pierre Smits wrote:
>
>> Tony,
>>
>> Francesco didn't install the syncope wars in/on the puppet configured
>> Tomcat, but did a new Tomcat installation in /opt.
>>
>> So we need to figure out how to do that correction there, or redeploy
>> syncope in the puppet controlled Tomcat.
>>
>> On Thu, Jan 12, 2017 at 10:48 PM, Tony Stevenson <[hidden email]>
>> wrote:
>>
>> On Jan 12, 2017, at 1:22 PM, Pierre Smits <[hidden email]> wrote:
>>>>
>>>> Please do not use the syncope implementation via the unencrypted tomcat
>>>> port 8080/
>>>>
>>> Then configure tomcat to only listen on loopback, or only allow access
>>> from the local interface then.  Better yet change the firewall rules. Or
>>> do
>>> both. ;)
>>>
>>> Assuming the VM is in puppet the firewall rules should be a few lines of
>>> config.
>>>
>>
> --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Member at The Apache Software Foundation
> Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
> http://home.apache.org/~ilgrosso/
>
>
>

Re: [IAM PoC] Starting with implementation

ilgrosso
Administrator
On 13/01/2017 10:30, Pierre Smits wrote:
> Ok. Thanks.
>
> I guess one of the next steps will be to change the password of the
> admin userid to make it more secure.

Definitely.
Not a hard task, though:

https://syncope.apache.org/docs/reference-guide.html#set-admin-credentials

Regards.

> On Fri, Jan 13, 2017 at 9:26 AM, Francesco Chicchiriccò
> <[hidden email] <mailto:[hidden email]>> wrote:
>
>     Hi all,
>     I honestly do not see the point of putting any effort (yet) in
>     puppetizing the configurations on syncope-vm2.
>
>     syncope-vm2 is the VM we are using to implement a PoC, not a
>     production environment.
>
>     For example, I had to install the OpenLDAP packages to load the
>     ASF Directory dump, in order to have a reference external resource
>     for Syncope. I would not expect this in a production machine.
>
>     The work to be done there is currently about configuring Syncope
>     (mainly via Admin UI) and possibly developing some extension
>     classes, to be part of the sources hosted at
>
>     https://git-wip-us.apache.org/repos/asf/iampoc.git
>     <https://git-wip-us.apache.org/repos/asf/iampoc.git>
>
>     with purpose of building a replacement for https://id.apache.org
>
>     I expect such work not to be completed anytime soon, partly because
>     it is inherently complex, partly because it is done in my own
>     spare time.
>
>     I agree, indeed, that:
>
>     1. leaving all ports open to the wild is not good (especially
>     because there is currently an OpenLDAP instance loaded with the
>     dump from the official ASF Directory), so I have configured
>     iptables to refuse connections on all ports but SSH (see
>     /root/iptables.sh, currently saved via iptables-persistence to
>     survive restarts)
>
>     At the moment I can easily work with SSH port forwarding; I expect
>     to re-open the ports 80 and 443, to allow connections to
>
>     * http://idm-poc.apache.org/syncope
>     <http://idm-poc.apache.org/syncope>, redirecting to
>     https://idm-poc.apache.org/syncope
>     <https://idm-poc.apache.org/syncope>
>     * http://idm-poc.apache.org/syncope-console
>     <http://idm-poc.apache.org/syncope-console>, redirecting to
>     https://idm-poc.apache.org/syncope-console
>     <https://idm-poc.apache.org/syncope-console>
>     * http://idm-poc.apache.org/syncope-enduser
>     <http://idm-poc.apache.org/syncope-enduser>, redirecting to
>     https://idm-poc.apache.org/syncope-enduser
>     <https://idm-poc.apache.org/syncope-enduser>
>
>     as already configured by Pierre.
>
>     Note: I don't see any reason to enable the Syncope Swagger
>     extension, hence it is perfectly expected that
>
>     /syncope/swagger
>
>     returns nothing.
>
>     2. being the tomcat8 packages installed, there is almost no reason
>     (but the unavailability of Tomcat 8.5 as deb package, but this is
>     another story...) to use the manual Tomcat deployment under /opt,
>     I will remove that soon
>
>     Regards.
>
>     On 12/01/2017 22:58, Pierre Smits wrote:
>
>         Tony,
>
>         Francesco didn't install the syncope wars in/on the puppet
>         configured
>         Tomcat, but did a new Tomcat installation in /opt.
>
>         So we need to figure out how to do that correction there, or
>         redeploy
>         syncope in the puppet controlled Tomcat.
>
>         On Thu, Jan 12, 2017 at 10:48 PM, Tony Stevenson
>         <[hidden email] <mailto:[hidden email]>> wrote:
>
>                 On Jan 12, 2017, at 1:22 PM, Pierre Smits
>                 <[hidden email]
>                 <mailto:[hidden email]>> wrote:
>
>                 Please do not use the syncope implementation via the
>                 unencrypted tomcat port 8080/
>
>             Then configure tomcat to only listen on loopback, or only
>             allow access
>             from the local interface then.  Better yet change the
>             firewall rules. Or do
>             both. ;)
>
>             Assuming the VM is in puppet the firewall rules should be
>             a few lines of
>             config.
>
--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
