IRC log for #koha, 2005-01-25

All times shown according to UTC.

Time S Nick Message
18:10 kados si in case you're around I've got a question
18:10 si I am indeed
18:10 si although it's a holiday here today
18:10 si it's raining
18:10 kados I've managed to get squid and squidguard working as a transparent proxy
18:11 si so it's not looking good for the cricket :-(
18:11 kados :-)
18:11 kados who's playing?
18:11 si excellent work
18:11 si Ahh, well, Sri Lanka were supposed to be here at the moment
18:11 kados so as far as I can tell squid does not support authentication when used in a transparent environment
18:11 si but they abandoned the tour and went home after the tsunami
18:11 kados bummer
18:12 si which left NZ a little starved of match play
18:12 si so they rustled up some charity games between NZ and a World XI
18:12 si the real deal is Februaury, whe Australia come touring here
18:12 si but we digress
18:13 kados :-)
18:13 si your auth problems do ring a bell for me
18:13 kados so if I'm right, one way to do authentication might be through iptables
18:13 si I recall there being problems with auth, because the browser didn't know whether it was authing for the cache, or the end site
18:13 kados yea
18:14 kados well cacheing is disabled in my environment but it still won't work
18:14 kados I'm just doing content mediation
18:14 si yup, but the same problem applies
18:14 kados so I looked at nufw
18:14 kados also at checkpoint
18:14 kados a bit
18:15 kados there must be some way to do what I'd like to do since people are doing it: IPrism for instance
18:15 si rather than trying to do direct http auth
18:15 kados right
18:15 si that's what we do for Cafenet
18:15 kados that is the ideal
18:15 kados so after they login what happens?
18:16 si we run a system where they try and hit a url, and the router in it's default rig redirects them off to a web server.
18:16 kados i.e., what handles authentication and how does that change the clients movement in the network?
18:17 si Some stuff happens on the webserver, it tickles some rules on the router, and they can then get to where they want to be.
18:17 kados ahh so I can use iptables to specify rules for a specific ip address?
18:18 si I think there's actually a double redirect in there - the router sends them to a dummy webserver, that then spits out a 302 redirect to the login server
18:18 kados i.e., the log in ... if they authenticate the webserver runs an iptables script which allows them access?
18:18 si pretty much
18:18 si we actually do it with shorewall
18:18 si which has a loose concept of adding and removing users from zones
18:18 kados cool ... does it handle the actual authentication?
18:19 si no, it's just an iptables wrapper
18:20 si we do the auth via standard https authentication, I believe
18:20 si witha  mysql backend
18:20 kados I really only need two cases ... a general case (non-authenticated) which already works ... and an adult user case (after authentication) ... probably just a single well-formed iptables sentence would do it for a single client ... and then I could have it timeout after an hour or so and require authentication again
18:21 si the complex problem would be that you'd have to have a bounded set of IP numbers that were proscribed, and forced a redirect
18:21 kados I'm thinking that we could use ldap on our Koha server for authentication
18:21 kados I don't quite understand that
18:22 kados say I have only one branch ... it has a dsl line which gives my gateway server a single ip address ... the gateway does nat and has dhcp on it ... it also handles squid/squidguard/authentication to the ldap, and running the iptables script after a successful authentication ...
18:23 kados that's my basic setup here
18:23 si how are you going to know when you need to force an auth?
18:23 kados when the redirect happens
18:23 si and what causes the redirect to happen?
18:23 kados squidguard
18:24 kados this already works
18:24 kados so if I access a
18:24 kados bad site
18:24 si it'll do a redirect if you go to a bad site?
18:24 si excellent
18:24 kados yep
18:25 si then, after you've authenticated, you'd need to remove the rule that forced folks through squidguard
18:25 si the iptables rule, that is
18:25 kados ahh ... that might be a problem
18:25 kados we'd only want to remove it for that one ip address
18:26 si indeed
18:26 si so it would require a little clever iptables witchery
18:26 si but nothing to taxing
18:26 kados I don't know iptables enough to know if you can specify how to handle a single ip
18:26 si ohh, you certainly can
18:27 kados then at most we'd be dealing with about 30 rules or so
18:27 si it's a pretty general purpose tool, it supports netmasks
18:27 kados one for each ip (that's worse case)
18:27 kados best case is that I can figure out how to do it with two rules ;-)
18:28 si speaking from bitter recent experieince, you don't want to be going above a specific number of rules
18:28 si which is about 3000 on a P4
18:28 kados :-)
18:28 si and probably about 1500 on a soekris
18:28 kados (strangely the soekris seems to utilize more memory than I expected)
18:28 si you can both append and insert rules into a running system
18:28 kados (more on that some other time)
18:29 si so it oughta be possible to slip some rules specific to an IP in front of the catch all rule that does the redirect
18:29 kados ahh ... can you remove rules on a running system?
18:29 si yes
18:30 si presumably your other option is that aftre authentication you mangle the sg config in some fashion such that it stops doing the redirect and allows access
18:30 si the issue that I see with the iptables route is that you lose all info about what they might be doing once they've authenticated
18:30 kados no problem
18:30 si that might not be such a bad thing
18:30 kados my policy is
18:31 kados I don't want to know
18:31 kados if I know they might ask
18:31 ambrose you can always do transparent squid just to do the logging
18:31 kados I don't really need logging
18:32 kados we've got a policy like that with koha too
18:32 kados we delete the history
18:32 kados (except for the 'last borrower')
18:32 kados so if the feds come we won't have anything to give them
18:33 si don't the feds have some mad rule where they can come and demand history without telling the borrower?
18:33 kados yep
18:33 si and you may not tell the patron?
18:33 kados patriot's act
18:33 si that's the one
18:33 kados yep ... we're not allowed to tell
18:33 kados (one library had a sign that read:
18:33 kados the feds have not come this week
18:33 si clowns
18:33 kados if this sign disappears take note
18:33 kados )
18:33 kados :-)
18:34 kados or something like that anyway
18:34 kados yea it's craxy
18:34 si there's also http://nocat.net/moin/NoCatSoftware
18:35 ambrose kados: you are from npl, right?
18:35 kados ambrose: yep
18:35 ambrose do you guys use dewey, or lc?
18:35 kados dewey
18:36 ambrose oh, would you know if we have someone who uses LC? i'd just want to know where they put the call number
18:36 kados ambrose: you should be able to put it in the dewey place in Koha 2.2
18:36 kados according to paul it supports any call number system now
18:36 ambrose kados: oh. is that right.... thanks... i need to test that (and change my translations) then
18:37 kados si: nocat looks neat
18:39 kados si: after I get this working I'll need some advice on how to make the filesystem 'read-only' so I don't burn out this cf card
18:44 si I'm not sure I'd bother with mounting it read only as such
18:45 kados http://lists.personaltelco.net[…]003q4/005811.html
18:45 si I'd set syslog to log remotely
18:45 si to a central log server
18:46 si if you've stuff writing to /tmp, then I'd consider making that a small tmpfs ramdisk
18:46 si but if you haven't, I wouldn't bother
18:48 si then I'd look at what daemons are running, and what writes they're likely to do
18:48 si and see if you can turn em off
18:48 si but I personally wouldn't get to hung up on it
18:49 si as long as you get the writes down to a sensible level, you should just back up the flash regularly, and be emotinoally prepared to replace it once a year
18:49 si it's not as though flash is expensive
18:58 si when I Started making flash based routers, flash was about 10 times as expensive as RAM per MB
18:58 si now it's half the price of RAM/MB
18:58 si and falling fast
19:15 ambrose hmm... dewey.biblioitems is still double(8,6)
19:20 ambrose biblioitems.dewey rather
19:30 kados ambrose: is 'lccn' what you're looking for?
19:30 kados ambrose: or maybe 'number'?
19:31 kados ambrose: you might be able to tell what changed in the biblioitems table by looking in CVS at the difs for the koha.mysql file (between 2.0 and 2.2)
19:31 ambrose no
19:31 ambrose lccn is something else
19:44 ambrose hmm. not 'number' either. that's tag 440, 'number of part/section of a work', according to structure_def.sql
19:49 ambrose 2.2 has new fields lccn, marc, and url
19:49 ambrose i guess i'll try changing dewey to varchar(40) and see what happens
19:54 ambrose hmm
19:59 ambrose mapping 852k to biblioitems.dewey does not make sense for LC
20:02 ambrose but now why is itemtype blank? :-/
21:14 kados si: I've got the iptables rule working
21:15 kados here's what it looks like:
21:15 kados iptables -I PREROUTING -t nat -p tcp -s 192.168.1.3 --dport 80 -j ACCEPT
21:43 Genji any coder here, or database design person?
02:20 kados Genji it's best to ask your question and then we can answer it when we show up ;-)
02:28 Genji okay, to add a barcode to the shelves, ive altered the bookshelf table, adding a barcode field with varchar(20). Want to set up nesting of shelves... so something like main room->General->Buddhism->Tibetian Buddhism can exist. Im thinking, i add a barcode field to the shelfcontents as well, to hold a shelfbarcode... so if(shelfbarcode ne ''){getinfo on shelf of barcodenumber, display it instead of item details.}
02:31 Genji this okay? also, how do i submit changes into CVS.. i.e how do i prepare the file for cvsing, add my comments to it at the end, describing briefly the changes, or does cvs automatically ask me for that information?
07:44 Genji Hey there paul, you active?
09:03 Genji weirdness with keyboard..
09:03 Genji sorry.
09:20 Genji okay, to add a barcode to the shelves, ive altered the bookshelf table, adding a barcode field with varchar(20). Want to set up nesting of shelves... so something like main room->General->Buddhism->Tibetian Buddhism can exist. Im thinking, i add a barcode field to the shelfcontents as well, to hold a shelfbarcode... so if(shelfbarcode ne ''){getinfo on shelf of barcodenumber, display it instead of item details.}
09:21 Genji this okay? also, how do i submit changes into CVS.. i.e how do i prepare the file for cvsing, add my comments to it at the end, describing briefly the changes, or does cvs automatically ask me for that information?
10:06 slef about http://ada.dhs.org/koha/2.2/i18n.html - has it been announced to koha-devel? Also, please set text colour when you set background colour.

| Channels | #koha index | Today | | Search | Google Search | Plain-Text | plain, newest first | summary