Hi all,
I honestly do not see the point of putting any effort (yet) in
puppetizing the configurations on syncope-vm2.
syncope-vm2 is the VM we are using to implement a PoC, not a production
environment.
For example, I had to install the OpenLDAP packages to load the ASF
Directory dump, in order to have a reference external resource for
Syncope. I would not expect this in a production machine.
The work to be done there is currently about configuring Syncope (mainly
via Admin UI) and possibly developing some extension classes, to be part
of the sources hosted at
https://git-wip-us.apache.org/repos/asf/iampoc.git
with purpose of building a replacement for https://id.apache.org
I expect such work not to be completed anytime son, partly because it is
inherently complex, partly because it is done in my own spare time.
I agree, indeed, that:
1. leaving all ports open to the wild is not good (especially because
there is currently an OpenLDAP instance loaded with the dump from the
official ASF Directory), so I have configured iptables to refuse
connections on all ports but SSH (see /root/iptables.sh, currently saved
via iptables-persistence to survive restarts)
At the moment I can easily work with SSH port forwarding; I expect to
re-open the ports 80 and 443, to allow connections to
* http://idm-poc.apache.org/syncope, redirecting to
https://idm-poc.apache.org/syncope
* http://idm-poc.apache.org/syncope-console, redirecting to
https://idm-poc.apache.org/syncope-console
* http://idm-poc.apache.org/syncope-enduser, redirecting to
https://idm-poc.apache.org/syncope-enduser
as already configured by Pierre.
Note: I don't see any reason to enable the Syncope Swagger extension,
hence it is perfectly expected that
/syncope/swagger
returns nothing.
2. being the tomcat8 packages installed, there is almost no reason (but
the unavailability of Tomcat 8.5 as deb package, but this is another
story...) to use the manual Tomcat deployment under /opt, I will remove
that soon
Regards.
On 12/01/2017 22:58, Pierre Smits wrote:
Tony,
Francesco didn't install the syncope wars in/on the puppet configured
Tomcat, but did a new Tomcat installation in /opt.
So we need to figure out how to do that correction there, or redeploy
syncope in the puppet controlled Tomcat.
On Thu, Jan 12, 2017 at 10:48 PM, Tony Stevenson <pct...@apache.org> wrote:
On Jan 12, 2017, at 1:22 PM, Pierre Smits <pierre.sm...@gmail.com> wrote:
Please do not use the syncope implementation via the unencrypted tomcat port
8080/
Then configure tomcat to only listen on loopback, or only allow access
from the local interface then. Better yet change the firewall rules. Or do
both. ;)
Assuming the VM is in puppet the firewall rules should be a few lines of
config.
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
