=== Napsterbater_ is now known as Napsterbater
=== paride4 is now known as paride
=== ktosiek6 is now known as ktosiek
[09:36] <JonTheNiceGuy> Hi, if I was hoping to set up a simple centralised AAA system on Ubuntu for 5 Linux servers, am I best off with FreeRadius+PAM_Radius, should I look at some kind of LDAP service, or is there some other option I've missed?
[09:36] <JonTheNiceGuy> Also, rate of change between servers is pretty low and connectivity between servers is very stable.
=== frickler is now known as frickler_pto
=== frickler_pto is now known as frickler
[12:42] <rbasak> JonTheNiceGuy: o/
[12:43] <rbasak> JonTheNiceGuy: openldap + sssd seems to be one commonly done thing if it'll work for you. No need for radius then AFAIK.
[12:55] <JonTheNiceGuy> Hey rbasak
[12:56] <JonTheNiceGuy> I need to have a poke around and find more about setting up OpenLDAP then :)
[12:56] <JonTheNiceGuy> Any whitepapers or Ubuntu Wiki entries I can have a paw through?
[13:03] <rbasak> I'm not familiar with this area, sorry. I'd ask ahasenack but he's not here right now.
[13:03] <rbasak> Looks like he's out until later today
[13:16] <JonTheNiceGuy> No worries :)
=== frickler is now known as frickler_pto
=== JanC_ is now known as JanC
[14:45] <ahasenack> JonTheNiceGuy: hi, just saw your AAA question, it really depends on who are the clients you want to authenticate. You need a common denominator, or else you will be duplicating authentication again
[14:47] <ahasenack> FreeIPA is a common solution to this on the server side, as it also gives you all the management tools you need, but I don't think it's running well on ubuntu yet, it's a fedora thing
[15:14] <icey> jamespage: should I mark that MIR bug in-progress, new, or something else?
[15:53] <jamespage> inprogress and assign it to yourself while you're prepping for the MIR
[15:53] <jamespage> then set back to new and assign to ubuntu-mir when what's in ubuntu is ready for review
=== coconut_ is now known as coconut
[16:30] <JonTheNiceGuy> Thanks "ahasenack" (https://matrix.to/#/@freenode_ahasenack:matrix.org)  that's the worry I have. I've basically got 5 admins and about 25 users. It's the sort of thing I could (Ansible|puppet|chef|bash) but I'd rather do it "better"...
[17:06] <ahasenack> JonTheNiceGuy: well, start with all the things you want to authenticate (user login, ssh, windows login, some webapp you have, etc), and find a common denominator amongst them, and throw in security requirements
[17:06] <RoyK> ldap+kerberos
[17:07] <RoyK> AD should work
[17:07] <RoyK> :)
[18:21] <JonTheNiceGuy> "RoyK" (https://matrix.to/#/@freenode_RoyK:matrix.org) joke.popey.com :)
[18:21] <JonTheNiceGuy> Oh, it doesn't do the sounds any more :(
[18:59] <kevindank> Hello, im having firewall issues i believe.  Ive issued an SSL certificcate for my wordpress install running on ubuntu, but when i try to curl it it shows 443 connection refused
[18:59] <kevindank> I allowed port 443
[19:00] <kevindank> when i do ufw verbose it shows 443 as allow
=== tds2 is now known as tds
[19:04] <sarnold> kevindank: do you need to modify security groups or other cloud-provided firewalling?
[19:17] <kevindank> sarnold: I don't believe so
[19:18] <kevindank> site is ledwell.com
[19:24] <ahasenack> do you have something listening on port 443?
[19:31] <kevindank> Yes, i setup a listener through the openlitespeed control panel to set 443 to any ip address
[19:31] <kevindank> set it to secure
[19:34] <kevindank> i used certbot for the certificate, so i set the paths and then set chained certificate to yes
[19:35] <sarnold> does ss -ntlp show your server listening on the correct port and address?
[19:36] <kevindank> I dont see 443 in that list
[19:36] <sarnold> aha :) figure out which program should be listening to that port and make it see things your way :)
[19:40] <kevindank> i think i may have figured it ut
[19:41] <kevindank> under protocal i needed to check off ssl 3.0  and tls 1.3
[19:41] <kevindank> rebooted after that and it seems to work but i cant get to my wp-admin panel now
[19:41] <kevindank> actually, now its giving me a 404 for the domain also
[19:42] <sarnold> "check off ssl 3.0 and tls 1.3" -- I'm confused and worried what this means
[19:45] <kevindank> theres an area when you setup the ssl certificate paths, that says protocal and inside there you have to enable ssl3 and tls
[19:45] <kevindank> but now that ive done that by site is displaying a 404 and not my wordpress install which i still see on the http only version
[19:55] <kevindank> like its almost like it doesnt recognize that it needs to display the wordpress install
[19:55] <kevindank> but its using the same vhost as the non ssl version
[19:58] <sarnold> unless you've got something crazy going on, you don't want ssl3, tls1, tls1.1
[19:59] <sarnold> a lot of people like mozilla's recommendations for tls configuration https://wiki.mozilla.org/Security/Server_Side_TLS
=== halvors1 is now known as halvors