All times shown according to UTC.
Time | Nick | Message |
---|---|---|
18:10 | kados | si in case you're around I've got a question |
18:10 | si | I am indeed |
18:10 | | although it's a holiday here today |
18:10 | | it's raining |
18:10 | kados | I've managed to get squid and squidguard working as a transparent proxy |
18:11 | si | so it's not looking good for the cricket :-( |
18:11 | kados | :-) |
18:11 | | who's playing? |
18:11 | si | excellent work |
18:11 | | Ahh, well, Sri Lanka were supposed to be here at the moment |
18:11 | kados | so as far as I can tell squid does not support authentication when used in a transparent environment |
18:11 | si | but they abandoned the tour and went home after the tsunami |
18:11 | kados | bummer |
18:12 | si | which left NZ a little starved of match play |
18:12 | | so they rustled up some charity games between NZ and a World XI |
18:12 | | the real deal is February, when Australia come touring here |
18:12 | | but we digress |
18:13 | kados | :-) |
18:13 | si | your auth problems do ring a bell for me |
18:13 | kados | so if I'm right, one way to do authentication might be through iptables |
18:13 | si | I recall there being problems with auth, because the browser didn't know whether it was authing for the cache, or the end site |
18:13 | kados | yea |
18:14 | | well caching is disabled in my environment but it still won't work |
18:14 | | I'm just doing content mediation |
18:14 | si | yup, but the same problem applies |
18:14 | kados | so I looked at nufw |
18:14 | | also at checkpoint |
18:14 | | a bit |
18:15 | | there must be some way to do what I'd like to do since people are doing it: IPrism for instance |
18:15 | si | rather than trying to do direct http auth |
18:15 | kados | right |
18:15 | si | that's what we do for Cafenet |
18:15 | kados | that is the ideal |
18:15 | | so after they log in what happens? |
18:16 | si | we run a system where they try and hit a url, and the router in its default rig redirects them off to a web server. |
18:16 | kados | i.e., what handles authentication and how does that change the client's movement in the network? |
18:17 | si | Some stuff happens on the webserver, it tickles some rules on the router, and they can then get to where they want to be. |
18:17 | kados | ahh so I can use iptables to specify rules for a specific ip address? |
18:18 | si | I think there's actually a double redirect in there - the router sends them to a dummy webserver, that then spits out a 302 redirect to the login server |
18:18 | kados | i.e., the log in ... if they authenticate the webserver runs an iptables script which allows them access? |
18:18 | si | pretty much |
18:18 | | we actually do it with shorewall |
18:18 | | which has a loose concept of adding and removing users from zones |
18:18 | kados | cool ... does it handle the actual authentication? |
18:19 | si | no, it's just an iptables wrapper |
18:20 | | we do the auth via standard https authentication, I believe |
18:20 | | with a mysql backend |
18:20 | kados | I really only need two cases ... a general case (non-authenticated) which already works ... and an adult user case (after authentication) ... probably just a single well-formed iptables sentence would do it for a single client ... and then I could have it timeout after an hour or so and require authentication again |
18:21 | si | the complex problem would be that you'd have to have a bounded set of IP numbers that were proscribed, and forced a redirect |
18:21 | kados | I'm thinking that we could use ldap on our Koha server for authentication |
18:21 | | I don't quite understand that |
18:22 | | say I have only one branch ... it has a dsl line which gives my gateway server a single ip address ... the gateway does nat and has dhcp on it ... it also handles squid/squidguard/authentication to the ldap, and running the iptables script after a successful authentication ... |
18:23 | | that's my basic setup here |
18:23 | si | how are you going to know when you need to force an auth? |
18:23 | kados | when the redirect happens |
18:23 | si | and what causes the redirect to happen? |
18:23 | kados | squidguard |
18:24 | | this already works |
18:24 | | so if I access a |
18:24 | | bad site |
18:24 | si | it'll do a redirect if you go to a bad site? |
18:24 | | excellent |
18:24 | kados | yep |
18:25 | si | then, after you've authenticated, you'd need to remove the rule that forced folks through squidguard |
18:25 | | the iptables rule, that is |
18:25 | kados | ahh ... that might be a problem |
18:25 | | we'd only want to remove it for that one ip address |
18:26 | si | indeed |
18:26 | | so it would require a little clever iptables witchery |
18:26 | | but nothing too taxing |
18:26 | kados | I don't know iptables enough to know if you can specify how to handle a single ip |
18:26 | si | ohh, you certainly can |
18:27 | kados | then at most we'd be dealing with about 30 rules or so |
18:27 | si | it's a pretty general purpose tool, it supports netmasks |
18:27 | kados | one for each ip (that's worse case) |
18:27 | | best case is that I can figure out how to do it with two rules ;-) |
18:28 | si | speaking from bitter recent experience, you don't want to be going above a specific number of rules |
18:28 | | which is about 3000 on a P4 |
18:28 | kados | :-) |
18:28 | si | and probably about 1500 on a soekris |
18:28 | kados | (strangely the soekris seems to utilize more memory than I expected) |
18:28 | si | you can both append and insert rules into a running system |
18:28 | kados | (more on that some other time) |
18:29 | si | so it oughta be possible to slip some rules specific to an IP in front of the catch all rule that does the redirect |
18:29 | kados | ahh ... can you remove rules on a running system? |
18:29 | si | yes |
18:30 | | presumably your other option is that after authentication you mangle the sg config in some fashion such that it stops doing the redirect and allows access |
18:30 | | the issue that I see with the iptables route is that you lose all info about what they might be doing once they've authenticated |
18:30 | kados | no problem |
18:30 | si | that might not be such a bad thing |
18:30 | kados | my policy is |
18:31 | | I don't want to know |
18:31 | | if I know they might ask |
18:31 | ambrose | you can always do transparent squid just to do the logging |
18:31 | kados | I don't really need logging |
18:32 | | we've got a policy like that with koha too |
18:32 | | we delete the history |
18:32 | | (except for the 'last borrower') |
18:32 | | so if the feds come we won't have anything to give them |
18:33 | si | don't the feds have some mad rule where they can come and demand history without telling the borrower? |
18:33 | kados | yep |
18:33 | si | and you may not tell the patron? |
18:33 | kados | patriot's act |
18:33 | si | that's the one |
18:33 | kados | yep ... we're not allowed to tell |
18:33 | | (one library had a sign that read: |
18:33 | | the feds have not come this week |
18:33 | si | clowns |
18:33 | kados | if this sign disappears take note |
18:33 | | ) |
18:33 | | :-) |
18:34 | | or something like that anyway |
18:34 | | yea it's crazy |
18:34 | si | there's also http://nocat.net/moin/NoCatSoftware |
18:35 | ambrose | kados: you are from npl, right? |
18:35 | kados | ambrose: yep |
18:35 | ambrose | do you guys use dewey, or lc? |
18:35 | kados | dewey |
18:36 | ambrose | oh, would you know if we have someone who uses LC? i'd just want to know where they put the call number |
18:36 | kados | ambrose: you should be able to put it in the dewey place in Koha 2.2 |
18:36 | | according to paul it supports any call number system now |
18:36 | ambrose | kados: oh. is that right.... thanks... i need to test that (and change my translations) then |
18:37 | kados | si: nocat looks neat |
18:39 | | si: after I get this working I'll need some advice on how to make the filesystem 'read-only' so I don't burn out this cf card |
18:44 | si | I'm not sure I'd bother with mounting it read only as such |
18:45 | kados | http://lists.personaltelco.net[…]003q4/005811.html |
18:45 | si | I'd set syslog to log remotely |
18:45 | | to a central log server |
18:46 | | if you've stuff writing to /tmp, then I'd consider making that a small tmpfs ramdisk |
18:46 | | but if you haven't, I wouldn't bother |
18:48 | | then I'd look at what daemons are running, and what writes they're likely to do |
18:48 | | and see if you can turn em off |
18:48 | | but I personally wouldn't get too hung up on it |
18:49 | | as long as you get the writes down to a sensible level, you should just back up the flash regularly, and be emotionally prepared to replace it once a year |
18:49 | | it's not as though flash is expensive |
18:58 | | when I started making flash based routers, flash was about 10 times as expensive as RAM per MB |
18:58 | | now it's half the price of RAM/MB |
18:58 | | and falling fast |
19:15 | ambrose | hmm... dewey.biblioitems is still double(8,6) |
19:20 | | biblioitems.dewey rather |
19:30 | kados | ambrose: is 'lccn' what you're looking for? |
19:30 | | ambrose: or maybe 'number'? |
19:31 | | ambrose: you might be able to tell what changed in the biblioitems table by looking in CVS at the diffs for the koha.mysql file (between 2.0 and 2.2) |
19:31 | ambrose | no |
19:31 | | lccn is something else |
19:44 | | hmm. not 'number' either. that's tag 440, 'number of part/section of a work', according to structure_def.sql |
19:49 | | 2.2 has new fields lccn, marc, and url |
19:49 | | I guess I'll try changing dewey to varchar(40) and see what happens |
19:54 | | hmm |
19:59 | | mapping 852k to biblioitems.dewey does not make sense for LC |
20:02 | | but now why is itemtype blank? :-/ |
21:14 | kados | si: I've got the iptables rule working |
21:15 | | here's what it looks like: |
21:15 | | iptables -I PREROUTING -t nat -p tcp -s 192.168.1.3 --dport 80 -j ACCEPT |
21:43 | Genji | any coder here, or database design person? |
02:20 | kados | Genji it's best to ask your question and then we can answer it when we show up ;-) |
02:28 | Genji | okay, to add a barcode to the shelves, I've altered the bookshelf table, adding a barcode field with varchar(20). Want to set up nesting of shelves... so something like main room->General->Buddhism->Tibetan Buddhism can exist. I'm thinking, I add a barcode field to the shelfcontents as well, to hold a shelfbarcode... so if(shelfbarcode ne ''){getinfo on shelf of barcodenumber, display it instead of item details.} |
02:31 | | this okay? also, how do I submit changes into CVS.. i.e. how do I prepare the file for cvsing, add my comments to it at the end, describing briefly the changes, or does cvs automatically ask me for that information? |
07:44 | | Hey there paul, you active? |
09:03 | | weirdness with keyboard.. |
09:03 | | sorry. |
09:20 | | okay, to add a barcode to the shelves, I've altered the bookshelf table, adding a barcode field with varchar(20). Want to set up nesting of shelves... so something like main room->General->Buddhism->Tibetan Buddhism can exist. I'm thinking, I add a barcode field to the shelfcontents as well, to hold a shelfbarcode... so if(shelfbarcode ne ''){getinfo on shelf of barcodenumber, display it instead of item details.} |
09:21 | | this okay? also, how do I submit changes into CVS.. i.e. how do I prepare the file for cvsing, add my comments to it at the end, describing briefly the changes, or does cvs automatically ask me for that information? |
10:06 | slef | about http://ada.dhs.org/koha/2.2/i18n.html - has it been announced to koha-devel? Also, please set text colour when you set background colour. |