Nick | Message | Time |
---|---|---|
=== Napsterbater_ is now known as Napsterbater | ||
=== paride4 is now known as paride | ||
=== ktosiek6 is now known as ktosiek | ||
JonTheNiceGuy | Hi, if I was hoping to set up a simple centralised AAA system on Ubuntu for 5 Linux servers, am I best off with FreeRadius+PAM_Radius, should I look at some kind of LDAP service, or is there some other option I've missed? | 09:36 |
JonTheNiceGuy | Also, rate of change between servers is pretty low and connectivity between servers is very stable. | 09:36 |
=== frickler is now known as frickler_pto | ||
=== frickler_pto is now known as frickler | ||
rbasak | JonTheNiceGuy: o/ | 12:42 |
rbasak | JonTheNiceGuy: openldap + sssd seems to be one commonly done thing if it'll work for you. No need for radius then AFAIK. | 12:43 |
JonTheNiceGuy | Hey rbasak | 12:55 |
JonTheNiceGuy | I need to have a poke around and find more about setting up OpenLDAP then :) | 12:56 |
JonTheNiceGuy | Any whitepapers or Ubuntu Wiki entries I can have a paw through? | 12:56 |
rbasak | I'm not familiar with this area, sorry. I'd ask ahasenack but he's not here right now. | 13:03 |
rbasak | Looks like he's out until later today | 13:03 |
JonTheNiceGuy | No worries :) | 13:16 |
=== frickler is now known as frickler_pto | ||
=== JanC_ is now known as JanC | ||
ahasenack | JonTheNiceGuy: hi, just saw your AAA question, it really depends on who are the clients you want to authenticate. You need a common denominator, or else you will be duplicating authentication again | 14:45 |
ahasenack | FreeIPA is a common solution to this on the server side, as it also gives you all the management tools you need, but I don't think it's running well on ubuntu yet, it's a fedora thing | 14:47 |
icey | jamespage: should I mark that MIR bug in-progress, new, or something else? | 15:14 |
jamespage | inprogress and assign it to yourself while you're prepping for the MIR | 15:53 |
jamespage | then set back to new and assign to ubuntu-mir when what's in ubuntu is ready for review | 15:53 |
=== coconut_ is now known as coconut | ||
JonTheNiceGuy | Thanks "ahasenack" (https://matrix.to/#/@freenode_ahasenack:matrix.org) that's the worry I have. I've basically got 5 admins and about 25 users. It's the sort of thing I could (Ansible|puppet|chef|bash) but I'd rather do it "better"... | 16:30 |
ahasenack | JonTheNiceGuy: well, start with all the things you want to authenticate (user login, ssh, windows login, some webapp you have, etc), and find a common denominator amongst them, and throw in security requirements | 17:06 |
RoyK | ldap+kerberos | 17:06 |
RoyK | AD should work | 17:07 |
RoyK | :) | 17:07 |
JonTheNiceGuy | "RoyK" (https://matrix.to/#/@freenode_RoyK:matrix.org) joke.popey.com :) | 18:21 |
JonTheNiceGuy | Oh, it doesn't do the sounds any more :( | 18:21 |
kevindank | Hello, im having firewall issues i believe. Ive issued an SSL certificate for my wordpress install running on ubuntu, but when i try to curl it it shows 443 connection refused | 18:59 |
kevindank | I allowed port 443 | 18:59 |
kevindank | when i do ufw verbose it shows 443 as allow | 19:00 |
=== tds2 is now known as tds | ||
sarnold | kevindank: do you need to modify security groups or other cloud-provided firewalling? | 19:04 |
kevindank | sarnold: I don't believe so | 19:17 |
kevindank | site is ledwell.com | 19:18 |
ahasenack | do you have something listening on port 443? | 19:24 |
kevindank | Yes, i setup a listener through the openlitespeed control panel to set 443 to any ip address | 19:31 |
kevindank | set it to secure | 19:31 |
kevindank | i used certbot for the certificate, so i set the paths and then set chained certificate to yes | 19:34 |
sarnold | does ss -ntlp show your server listening on the correct port and address? | 19:35 |
kevindank | I dont see 443 in that list | 19:36 |
sarnold | aha :) figure out which program should be listening to that port and make it see things your way :) | 19:36 |
kevindank | i think i may have figured it out | 19:40 |
kevindank | under protocol i needed to check off ssl 3.0 and tls 1.3 | 19:41 |
kevindank | rebooted after that and it seems to work but i cant get to my wp-admin panel now | 19:41 |
kevindank | actually, now its giving me a 404 for the domain also | 19:41 |
sarnold | "check off ssl 3.0 and tls 1.3" -- I'm confused and worried what this means | 19:42 |
kevindank | there's an area when you setup the ssl certificate paths, that says protocol and inside there you have to enable ssl3 and tls | 19:45 |
kevindank | but now that ive done that my site is displaying a 404 and not my wordpress install which i still see on the http only version | 19:45 |
kevindank | like its almost like it doesnt recognize that it needs to display the wordpress install | 19:55 |
kevindank | but its using the same vhost as the non ssl version | 19:55 |
sarnold | unless you've got something crazy going on, you don't want ssl3, tls1, tls1.1 | 19:58 |
sarnold | a lot of people like mozilla's recommendations for tls configuration https://wiki.mozilla.org/Security/Server_Side_TLS | 19:59 |
=== halvors1 is now known as halvors | ||
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!