syncope-dev mailing list archives

From Pierre Smits <pierre.sm...@gmail.com>
Subject Re: [IAM PoC] Starting with implementation
Date Fri, 13 Jan 2017 09:30:41 GMT
Ok. Thanks.

I guess one of the next steps will be to change the password of the admin
userid to make it more secure.

Best regards,



Pierre Smits

ORRTIZ.COM <http://www.orrtiz.com>
OFBiz based solutions & services

OFBiz Extensions Marketplace
http://oem.ofbizci.net/oci-2/

On Fri, Jan 13, 2017 at 9:26 AM, Francesco Chicchiriccò <ilgrosso@apache.org> wrote:

> Hi all,
> I honestly do not see the point of putting any effort (yet) in puppetizing
> the configurations on syncope-vm2.
>
> syncope-vm2 is the VM we are using to implement a PoC, not a production
> environment.
>
> For example, I had to install the OpenLDAP packages to load the ASF
> Directory dump, in order to have a reference external resource for Syncope.
> I would not expect this in a production machine.
>
> The work to be done there is currently about configuring Syncope (mainly
> via Admin UI) and possibly developing some extension classes, to be part of
> the sources hosted at
>
> https://git-wip-us.apache.org/repos/asf/iampoc.git
>
> with purpose of building a replacement for https://id.apache.org
>
> I expect such work not to be completed anytime soon, partly because it is
> inherently complex, partly because it is done in my own spare time.
>
> I agree, indeed, that:
>
> 1. leaving all ports open to the wild is not good (especially because
> there is currently an OpenLDAP instance loaded with the dump from the
> official ASF Directory), so I have configured iptables to refuse
> connections on all ports but SSH (see /root/iptables.sh, currently saved
> via iptables-persistence to survive restarts)
>
> At the moment I can easily work with SSH port forwarding; I expect to
> re-open the ports 80 and 443, to allow connections to
>
> * http://idm-poc.apache.org/syncope, redirecting to
> https://idm-poc.apache.org/syncope
> * http://idm-poc.apache.org/syncope-console, redirecting to
> https://idm-poc.apache.org/syncope-console
> * http://idm-poc.apache.org/syncope-enduser, redirecting to
> https://idm-poc.apache.org/syncope-enduser
>
> as already configured by Pierre.
>
> Note: I don't see any reason to enable the Syncope Swagger extension,
> hence it is perfectly expected that
>
> /syncope/swagger
>
> returns nothing.
>
> 2. since the tomcat8 packages are installed, there is almost no reason (apart
> from the unavailability of Tomcat 8.5 as a deb package, but this is another
> story...) to use the manual Tomcat deployment under /opt; I will remove
> that soon
>
> Regards.
>
> On 12/01/2017 22:58, Pierre Smits wrote:
>
>> Tony,
>>
>> Francesco didn't install the syncope wars in/on the puppet configured
>> Tomcat, but did a new Tomcat installation in /opt.
>>
>> So we need to figure out how to do that correction there, or redeploy
>> syncope in the puppet controlled Tomcat.
>>
>> On Thu, Jan 12, 2017 at 10:48 PM, Tony Stevenson <pctony@apache.org>
>> wrote:
>>
>> On Jan 12, 2017, at 1:22 PM, Pierre Smits <pierre.smits@gmail.com> wrote:
>>>>
>>>> Please do not use the syncope implementation via the unencrypted tomcat
>>>> port 8080.
>>>>
>>> Then configure tomcat to only listen on loopback, or only allow access
>>> from the local interface.  Better yet, change the firewall rules. Or
>>> do both. ;)
>>>
>>> Assuming the VM is in puppet the firewall rules should be a few lines of
>>> config.
>>>
>>
> --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Member at The Apache Software Foundation
> Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
> http://home.apache.org/~ilgrosso/
>
>
>

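The two hardening points discussed in the thread above (Francesco's iptables ruleset that refuses everything but SSH, to be widened to 80 and 443 once the HTTP to HTTPS redirects are back, and Tony's suggestion to make Tomcat listen on loopback only), as an added example that is not the VM's /root/iptables.sh, nor any file from the iampoc repository or from Syncope. It is a POSIX shell script with two functions: one prints an iptables-restore ruleset for an explicit allow-list of TCP ports, the other reads a Tomcat server.xml on stdin and succeeds only if the connector on the given port is bound to 127.0.0.1 or ::1. The function names and the two server.xml fragments are constructed for the example; only the port numbers 22, 80, 443 and 8080 come from the thread.

```shell
#!/bin/sh
# Added example (not the project's /root/iptables.sh): build a firewall
# ruleset that refuses everything except SSH plus an explicit allow-list,
# and verify that Tomcat's plain-HTTP connector only listens on loopback.

rule() { printf '%s\n' "$*"; }

# gen_firewall_rules [TCP_PORT ...]
# Prints an iptables-restore file for the filter table: default DROP on
# INPUT and FORWARD, loopback and established traffic accepted, SSH (22)
# always accepted, the given TCP ports accepted, everything else refused
# with a TCP reset / ICMP port-unreachable, so a scanner sees "closed"
# rather than "filtered".  Load with:  gen_firewall_rules 80 443 | iptables-restore
gen_firewall_rules() {
    rule '*filter'
    rule ':INPUT DROP [0:0]'
    rule ':FORWARD DROP [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'
    rule '-A INPUT -i lo -j ACCEPT'
    rule '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    rule '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    rule '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    # SSH stays reachable so the box remains administrable and usable for
    # port forwarding to the services that are deliberately not exposed.
    rule '-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT'
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) printf 'gen_firewall_rules: bad port %s\n' "$p" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            printf 'gen_firewall_rules: bad port %s\n' "$p" >&2; return 1
        fi
        [ "$p" -eq 22 ] && continue     # already allowed above, avoid a duplicate rule
        rule "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    rule '-A INPUT -p tcp -j REJECT --reject-with tcp-reset'
    rule '-A INPUT -j REJECT --reject-with icmp-port-unreachable'
    rule 'COMMIT'
}

# connector_loopback_only PORT   (reads a Tomcat server.xml on stdin)
# Succeeds (exit 0) only if an uncommented <Connector port="PORT"> element
# carries address="127.0.0.1" or address="::1".  Records are split on ">",
# so a multi-line <Connector ... /> element is examined as one unit, and
# the commented-out connectors shipped in the stock server.xml are skipped.
connector_loopback_only() {
    awk -v port="$1" '
        BEGIN { RS = ">"; found = 0; ok = 0; incomment = 0 }
        incomment { if ($0 ~ /--$/) incomment = 0; next }
        /<!--/    { if ($0 !~ /--$/) incomment = 1; next }
        /<Connector[ \t\r\n]/ && $0 ~ ("[ \t\r\n]port=\"" port "\"") {
            found = 1
            if ($0 ~ /address="(127\.0\.0\.1|::1)"/) ok = 1
        }
        END { exit !(found && ok) }'
}

# --- Constructed sample server.xml fragments (not the VM's real file) ---
# Hardened: both connectors bound to loopback; TLS is left to a front-end
# web server, so the TLS connector stays commented out.
SERVER_XML_LOOPBACK='<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- TLS is terminated by the front-end web server, so no TLS here.
         <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" />
    -->
    <Connector port="8080" protocol="HTTP/1.1"
               address="127.0.0.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" redirectPort="8443" />
  </Service>
</Server>'

# Stock shape: no address attribute, so 8080 binds every interface, which is
# the exposure Pierre objected to.
SERVER_XML_EXPOSED='<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
  </Service>
</Server>'

# Stand-alone demo: print the ruleset for SSH + 80 + 443 and check both samples.
gen_firewall_rules 80 443
if printf '%s\n' "$SERVER_XML_LOOPBACK" | connector_loopback_only 8080; then
    echo 'SERVER_XML_LOOPBACK: connector 8080 is loopback-only'
else
    echo 'SERVER_XML_LOOPBACK: connector 8080 is NOT loopback-only'
fi
if printf '%s\n' "$SERVER_XML_EXPOSED" | connector_loopback_only 8080; then
    echo 'SERVER_XML_EXPOSED: connector 8080 is loopback-only'
else
    echo 'SERVER_XML_EXPOSED: connector 8080 is NOT loopback-only'
fi
```

The ruleset uses REJECT rather than DROP for the final catch-all because "refuse connections" is what the thread asks for, and a reset-refused port also makes accidental exposure obvious to whoever tests it. On Debian-style systems the generated file is what `iptables-persistent` (the package name; `netfilter-persistent` is its service) saves under /etc/iptables/ to survive reboots. Opening 80 and 443 this way assumes, as in the thread, that a front-end web server answers on those ports and redirects to HTTPS while Tomcat itself stays on 127.0.0.1:8080; the AJP connector on 8009 deserves the same `address` restriction, which the sample shows.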