syncope-dev mailing list archives

From Francesco Chicchiriccò <ilgro...@apache.org>
Subject Re: [IAM PoC] Starting with implementation
Date Fri, 13 Jan 2017 10:34:57 GMT
On 13/01/2017 10:30, Pierre Smits wrote:
> Ok. Thanks.
>
> I guess one of the next steps will be to change the password of the 
> admin userid to make it more secure.

Definitely.
Not a hard task, though:

https://syncope.apache.org/docs/reference-guide.html#set-admin-credentials

Regards.

> On Fri, Jan 13, 2017 at 9:26 AM, Francesco Chicchiriccò
> <ilgrosso@apache.org> wrote:
>
>     Hi all,
>     I honestly do not see the point of putting any effort (yet) in
>     puppetizing the configurations on syncope-vm2.
>
>     syncope-vm2 is the VM we are using to implement a PoC, not a
>     production environment.
>
>     For example, I had to install the OpenLDAP packages to load the
>     ASF Directory dump, in order to have a reference external resource
>     for Syncope. I would not expect this in a production machine.
>
>     The work to be done there is currently about configuring Syncope
>     (mainly via Admin UI) and possibly developing some extension
>     classes, to be part of the sources hosted at
>
>     https://git-wip-us.apache.org/repos/asf/iampoc.git
>
>     with purpose of building a replacement for https://id.apache.org
>
>     I expect such work not to be completed anytime soon, partly because
>     it is inherently complex, partly because it is done in my own
>     spare time.
>
>     I agree, indeed, that:
>
>     1. leaving all ports open to the wild is not good (especially
>     because there is currently an OpenLDAP instance loaded with the
>     dump from the official ASF Directory), so I have configured
>     iptables to refuse connections on all ports but SSH (see
>     /root/iptables.sh, currently saved via iptables-persistence to
>     survive restarts)
>
>     At the moment I can easily work with SSH port forwarding; I expect
>     to re-open the ports 80 and 443, to allow connections to
>
>     * http://idm-poc.apache.org/syncope, redirecting to
>     https://idm-poc.apache.org/syncope
>     * http://idm-poc.apache.org/syncope-console, redirecting to
>     https://idm-poc.apache.org/syncope-console
>     * http://idm-poc.apache.org/syncope-enduser, redirecting to
>     https://idm-poc.apache.org/syncope-enduser
>
>     as already configured by Pierre.
>
>     Note: I don't see any reason to enable the Syncope Swagger
>     extension, hence it is perfectly expected that
>
>     /syncope/swagger
>
>     returns nothing.
>
>     2. with the tomcat8 packages installed, there is almost no reason
>     (but the unavailability of Tomcat 8.5 as deb package, but this is
>     another story...) to use the manual Tomcat deployment under /opt;
>     I will remove that soon.
>
>     Regards.
>
>     On 12/01/2017 22:58, Pierre Smits wrote:
>
>         Tony,
>
>         Francesco didn't install the syncope wars in/on the puppet
>         configured
>         Tomcat, but did a new Tomcat installation in /opt.
>
>         So we need to figure out how to do that correction there, or
>         redeploy
>         syncope in the puppet controlled Tomcat.
>
>         On Thu, Jan 12, 2017 at 10:48 PM, Tony Stevenson
>         <pctony@apache.org> wrote:
>
>                 On Jan 12, 2017, at 1:22 PM, Pierre Smits
>                 <pierre.smits@gmail.com> wrote:
>
>                 Please do not use the syncope implementation via the
>                 unencrypted tomcat port 8080.
>
>             Then configure tomcat to only listen on loopback, or only
>             allow access
>             from the local interface then.  Better yet change the
>             firewall rules. Or do
>             both. ;)
>
>             Assuming the VM is in puppet the firewall rules should be
>             a few lines of
>             config.
>
-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
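The firewall change discussed in the thread (refuse everything but SSH, then re-open 80 and 443 while Tomcat's 8080 stays off the network), as an added shell example that is not from the thread or from the Syncope project. It assumes iptables with the conntrack match, sshd on port 22, and OpenLDAP on the default 389/636; by default it only prints the rules (DRY_RUN=1), so it can be reviewed before being applied as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example: default-deny IPv4 input rules for a PoC host like syncope-vm2.
# Assumptions: iptables + conntrack available; sshd on 22; LDAP on 389/636.
set -eu

DRY_RUN="${DRY_RUN:-1}"             # 1 = print the commands, 0 = run iptables
SSH_PORT="${SSH_PORT:-22}"          # assumption: sshd on the default port
WEB_PORTS="${WEB_PORTS:-80 443}"    # re-opened for the httpd in front of Tomcat

# ipt: run iptables, or print the exact invocation when DRY_RUN=1.
ipt() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'iptables %s\n' "$*"
  else
    iptables "$@"
  fi
}

# apply_firewall: allow loopback, established replies, SSH and the web ports,
# reject the LDAP and Tomcat ports explicitly, and only then set the DROP
# policy, so the SSH session used to apply the rules is never cut off.
# Tomcat's 8080 stays reachable only via loopback / SSH port forwarding.
apply_firewall() {
  ipt -F INPUT                                   # start from a clean chain
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ipt -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
  for port in $WEB_PORTS; do
    ipt -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
  done
  # Fail fast (TCP reset) for the LDAP dump and Tomcat ports instead of a
  # silent drop; anything else falls through to the DROP policy below.
  for port in 389 636 8080 8009; do
    ipt -A INPUT -p tcp --dport "$port" -j REJECT --reject-with tcp-reset
  done
  ipt -P FORWARD DROP
  ipt -P INPUT DROP                              # policy last, see above
}

# rule_count: number of iptables invocations a dry run emits (sanity check
# before saving the set with iptables-persistent).
rule_count() {
  DRY_RUN=1 apply_firewall | wc -l | tr -d ' '
}

apply_firewall
```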

