Time Nick Message
21:34 espen___ thanks for helping out with this; it may seem a bit old-fashioned but actually is quite helpful that you've kept the code like this; as 'private' plug-ins for apache auth are not uncommon if not always obvious to the wider world.
21:30 reiveune bye
21:26 espen___ staff side seems fine; I've not touched anything in that virtual host and staff still have purely local logins for that side (for now)
21:24 rangi but it should work for the opac
21:24 rangi and you will hit authorisation problems on the staff side
21:24 espen___ I'll come back to that if it becomes a problem!
21:23 rangi yeah but you cant run it under plack, so it's going to be slow(ish)
21:22 espen___ and allows me to add ip based access for our terminals
21:22 espen___ much easier than shib!
21:21 espen___ set the apache-based auth up in the virtual config and it 'just works'
21:21 espen___ just to confirm this all works according to plan now
21:11 rangi of course if you are using plack, you're going to have to figure that bit out yourself the env variables wont be passed to plack
21:10 cait aleisha++
21:07 espen___ I have two possible approaches now so thanks for the help
21:05 espen___ fair point
21:04 rangi because that wont get overwritten in upgrades, and would work with multiple instances
21:04 rangi id probably do the access control in the virtualhost config
21:03 espen___ guess that's the default in the ubuntu install
21:03 espen___ "/usr/share/koha/opac/cgi-bin/opac/"
21:01 rangi check your apache config for the virtualhosts, it'll be a scriptalias
21:00 espen___ I don't know if this is an ubuntuism but can I assume /cgi-bin/koha in this case is /koha/opac/cgi-bin/ or am I in the wrong place?
20:58 espen___ ok, that looks reasonable
20:57 rangi just no one uses it much anymore
20:57 rangi if ( !$shib and defined( $ENV{'REMOTE_USER'} ) and $ENV{'REMOTE_USER'} ne '' and $userid = $ENV{'REMOTE_USER'} ) {
20:57 rangi the code is still there
20:56 rangi thats why we don't recommend doing it that way anymore. Thats how it used to work in 2001
20:56 rangi (and it will still get into some potential auth loops when its a user with insufficient privs (probably only on the staff client tbf))
20:55 rangi if you just want certain parts, because you arent using one of the more advanced sso methods, which check with koha, you'd have to do it on a script by script basis
20:55 rangi so if you want the whole opac, thats easy /cgi-bin/koha
20:54 rangi you'd have to do it per file, not per directory, because basic auth doesnt check with koha first if the user should be logged in, all the scripts do that and can be controlled by a system preference etc, they also check what permissions a user has, and if insufficient force them to login with a different user
20:52 espen___ (in the first instance)
20:52 espen___ for OPAC
20:52 rangi all of them
20:52 espen___ if so, what directories do I need to protect with .htaccess?
20:51 rangi yes
20:51 espen___ will koha understand this?
20:51 espen___ that's the kind of thing I'm expecting
20:51 espen___ yup
20:51 wahanui rumour has it REMOTE_USER is a server environment variable.. often set by apache during basic auth
20:51 rangi REMOTE_USER
20:50 rangi thats set in an env variable
20:50 rangi yep
20:50 espen___ let's say, for the sake of argument I said "I want to authenticate users through mod_auth_basic" (not a great idea, but sets the parameters).
20:49 rangi then match that to a user
20:49 rangi you'll have to take that code, make a new if, check for the existence of whatever header or parameter you are going to decide to trust
20:48 espen___ it wouldn't be shib though
20:48 rangi thats why i said, modify it
20:48 espen___ yes; but that assumes shibboleth; I want to do it through 'any arbitrary auth mechanism supported by apache'
20:47 rangi because that is exactly what shibboleth does
20:46 rangi read the shibboleth code, and modify it
20:46 espen___ how do I do that?
20:46 espen___ only to the extent I need to tell koha: "don't worry about the authentication mechanism, just authorise this user based on the provided userid"
20:45 cait brb - doing dishes
20:45 rangi that'll work just fine yeah, thats nothing to do with koha
20:44 espen___ .htaccess controlling an authentication mechanism?
20:44 espen___ I'm pretty sure it is
20:44 cait seems like a not so common scenario
20:44 espen___ basically: apache redirects to 'webauth' over SSL from a .htaccess directive
20:43 espen___ the credentials only get exchanged over SSL (it's via a third-party service)
20:42 rangi that seems irresponsible
20:42 rangi but you want to do it under http? so that if people sniff credentials for one site, they get access to all of them?
20:42 espen___ that was poorly worded
20:42 espen___ not that it really matters to this discussion, the point is: I can do this through apache modules and .htaccess settings, all I need is koha to understand that's what's happening (ie. koha doesn't need to know anything about this at all!)
20:41 rangi i mean you can do that securely, via mod_mellon and SAML, or via CAS, or shibboleth
20:40 rangi how
20:40 espen___ likewise for third etc
20:40 espen___ the second site knows you're already signed in
20:40 espen___ not really
20:40 rangi you'd have to sign on to both sites still
20:39 cait or CAS
20:39 wahanui not even that is cold :)
20:39 rangi still not even that
20:39 rangi L
20:39 rangi :
20:39 rangi if you want actually SSO, you want to use shibboleth, or SAM
20:39 espen___ Single Web Sign On if you like
20:39 cait ?
20:39 cait yeah that's what i meant
20:39 espen___ SWSO?
20:39 rangi you'd still have to login twice
20:39 rangi but not single sign on
20:39 cait only single log in i guess
20:39 rangi single password maybe
20:39 rangi wouldnt be SSO with htaccess
20:38 espen___ this is an SSO scenario
20:38 cait koha saves passwords encrypted and salted
20:38 espen___ the users all have their passwords in an external webauth system
20:38 cait and having them on a file on the server where no one can change their password or use password forget would be better?
20:37 espen___ sure. all the users are 'local' I'm just not interested in storing their passwords
20:37 rangi why the added complication of 2 places to define users
20:37 rangi why not just use local passwords
20:37 rangi if you have local users
20:37 espen___ trust the web server to have authenticated the user, match remote user to koha user?
20:37 cait maybe i got the wrong idea of it, but that sounds quite different
20:36 espen___ should be fundamentally the same as shib I would think?
20:36 espen___ why not?
20:36 cait but not .htaccess
20:36 cait ldap
20:35 cait openid, pki auth
20:35 rangi so its unlikely we will make things less secure :)
20:35 * cait agrees
20:35 rangi for anything
20:35 rangi we shouldnt support non https at all imho
20:35 cait you can use CAS
20:35 espen___ what if I just wanted to use apache .htaccess control?
20:35 cait you can have local passwords
20:35 rangi lol
20:34 espen___ shibboleth may be overkill for this, so if I don't get the rest of it working (nothing to do with koha), what is the support for something more simple?
20:34 espen___ on another note,
20:33 espen___ not that it matters to me in this case, but just so you are aware
20:33 cait i am not an expert
20:33 cait you'd have to argue with someone else about that
20:33 espen___ so it may, but it's a wrong assumption.
20:33 cait shibboleth specifically changes it to https i think, but other spots do not
20:32 cait true, but might not be the case overall
20:32 espen___ in this case it gets ignored for OPACBaseURL anyway!
20:31 cait i noticed recently too
20:31 espen___ yup
20:31 cait i am not sure, i think we added https:// to staff anyway
20:31 cait protocol
20:31 cait yeah
20:31 espen___ I do note an inconsistency between OPACBaseURL and staffClientBaseURL though
20:31 cait atm
20:31 cait but i think it has to be set up with creating the instance
20:30 cait if you use what is in Koha
20:30 cait it might do that somewhat automatically - i haven't taken a closer look
20:30 espen___ I shouldn't complain; we get them for free!
20:30 espen___ which I'll probably do, even if it means YACR (Yet Another Certificate to Renew!)
20:30 cait we support let's encrypt if that is helpful
20:29 cait patron data and all
20:29 cait you should with koha anyway
20:29 espen___ the trend is definitely towards SSL where you can though
20:29 cait too late for the experts to be around
20:29 cait it might be specific to our implementation
20:29 cait i just remember i had to set it up for testing shibboleth when it was first introduced
20:28 cait maybe
20:28 espen___ (been there; done that!)
20:28 espen___ it does its shibboleth'ing over SSL, but can sit in front of a standard HTTP server if you want
20:27 espen___ errr...no
20:27 cait shibboleth only works with https
20:26 espen___ which I can obviously fix by going to https....but....
20:26 espen___ unfortunately it assumes https still despite specifying http in the opacbaseurl
20:25 cait ;)
20:25 espen___ I'm not going to argue, but that was a surprise :-)
20:24 espen___ (ie. shibboleth.sso now becomes Shibboleth.sso)
20:24 espen___ curiously that has fixed both problems in one go!
20:23 espen___ didn't touch that since OPAC was otherwise working :-)
20:23 cait it's used for a few things
20:23 cait it will also give you links to the opac from detail pages in staff :)
20:22 cait yep, def set that
20:22 espen___ ok...that's not set.
20:22 cait there is a page with some instructions on the wiki
20:22 cait and you will have to set up more things from command line i think
20:22 cait or more search for *baseurl - there is one for staff too
20:22 wahanui hmmm... system preference is not the way to do it.
20:22 cait system preference
20:21 cait check opacbaseurl
20:21 espen___ (until I've got SSL sorted out)
20:21 espen___ ie. I'm expecting: http://koha.dar.cam.ac.uk/Shibboleth.sso/Login?target=https:///cgi-bin/koha/opac-main.pl
20:20 espen___ and it should be Shibboleth.sso (case sensitive)
20:20 espen___ so, two problems: hostname is AWOL
20:19 espen___ Unfortunately the actual URL of the 'click here to login' link is: https://shibboleth.sso/Login?target=https:///cgi-bin/koha/opac-main.pl
20:18 espen___ If you have a Shibboleth account, please click here to login.
20:18 espen___ I've enabled shibboleth, which has activated the section in Shibboleth Login section of "Login to your account", with the following text:
20:17 espen___ I might look at that in more detail, but at the moment my issue is rather more basic:
20:16 espen___ thanks
20:16 huginn` Bug http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17776 normal, P5 - low, ---, gmcharlt, Needs Signoff , Shibboleth Authentication is broken in plack
20:16 Joubu espen___: there is a known issue under plack, see bug 17776
20:14 espen___ I can tap into shibboleth infrastructure but have hit something which I don't think is specifically a shibboleth issue and looking for suggestions
20:13 espen___ of the troubleshooting kind
20:12 espen___ I'm now moving on to OPAC authentication and need some more help
20:11 espen___ thanks for all your help a couple of weeks back
20:11 espen___ hello there
17:31 Joubu Hola!
16:38 huginn` mveron: Error: No such location could be found.
16:38 mveron @wunder Basel
16:37 mveron OK, they will try later...
16:34 mveron Can anyone give me a pointer on where to start?
16:34 mveron I help a small library to troubleshoot a Zebra problem. Zebra stops every two or three days.
16:33 * mveron should put his glasses...
16:33 mveron again :-)
16:33 mveron Hi agein #koha
16:08 cait Joubu++ great email
14:48 * mveron will be back later
14:45 barton Joubu++
14:42 * mveron should put his glasses...
14:42 mveron sign-off :-)
14:42 mveron A dign-off a day keeps Koha on it's way
14:40 mveron Joubu++
14:40 mveron Great mail about helping Koha, Joubu!
14:35 cait Joubu++
14:34 wahanui hi olé onard
14:34 barton hi oleonard!
14:33 * oleonard waves to tcohen and barton while contributing nothing to the conversation
14:33 barton I wonder if there's a way to recursively 'unbless' the object when you're dumping it.
14:32 barton ... there's the full locale in there, including tz.
14:30 barton tcohen: yeah.
14:30 tcohen barton: it looks like that's tz info, right?
14:28 barton tcohen: a single log entry contains hundreds of lines that look like this: bless( {'spans' => [['-inf','59418043200','-inf','59418014822',-28378,0,'LMT'],['59418043200','60502413600','59418014400','60502384800',-28800,0,'PST'],['60502413600','60520554000','60502388400','60520528800',-25200,1,'PDT'],['60520554000','60533863200','60520525200','60533834400',-28800,0,'PST'],
14:27 barton oh, I assumed that (y) was for yes...
14:27 tcohen too many logs? he
14:27 tcohen ?
14:26 barton tcohen: (noooooooooooooooooooooooooo!) ;-)
14:26 tcohen barton: (y)
14:23 huginn` Bug http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18382 enhancement, P5 - low, ---, koha-bugs, NEW , action_logs entry for module HOLDS, action SUSPEND is spammy
14:23 barton tcohen, I found an issue with HoldsLog: bug 18382 -- the log for the action 'suspend' is dumping an entire DateTime object into ActionLogs.
12:40 oleonard Yeah I wish. Donald Duck as Secretary of Defense would be an improvement.
12:40 marcelr thought he was :)
12:40 oleonard But it's like U.S. copyright, they keep raising it so that Mickey Mouse can be president.
12:39 marcelr at least
12:39 oleonard Yeah everyone knows the legal age for being president is 70.
12:39 marcelr np
12:38 jcamins marcelr: yep.
12:33 marcelr still too young?
12:33 oleonard I don't know jcamins I was just doing what the cool kids were doing.
12:33 marcelr :)
12:32 wahanui jcamins is too young to be the President of the United States. Which is a pity, because he had the votes at the 3.12 election.
12:32 marcelr and jcamins
12:32 marcelr hi kidclamp
12:32 jcamins oleonard: is that your Dúnedain name?
12:32 * kidclamp waves
12:26 marcelr yeah see it now
12:25 marcelr i will try another browser
12:25 marcelr funny
12:25 eythian works for me when I click on the link
12:24 wahanui i think 404 is not found
12:24 marcelr 404 ?
12:23 eythian https://www.citylab.com/design/2017/04/amsterdam-digital-archive-maps-photos/521508/ <-- marcelr, this is particularly interesting, especially the videos
12:23 marcelr goedemiddag
12:23 eythian hi marcelr
12:20 marcelr hi #koha
12:10 francharb Good morning #koha
11:52 eythian hi oleopard
11:52 oleonard Hi all
11:24 mtj agreed
11:24 mtj yyy: you could describe your problem in more detail at -> http://bugs.koha-community.org
11:24 yyy acquisitions and serial control need to be improved. i was struggling to add ejournal in serials and acquisitions
11:22 mtj hmm, could be a bug?
11:19 yyy and it was not there in acquisitions
11:19 yyy so it picked up in serials that vendor
11:19 yyy though i deleted from acquisitions still same vendor is there in serials
11:18 yyy i had one vendor added with s and one not added with s and it was wrongly selected
11:18 yyy how to correct all wrongly entered vendors
11:18 yyy i found the mistake
11:18 yyy yes
11:17 mtj yyy: are you running a recent version of Koha?
10:46 yyy ISSN Title Notes Vendor Library Call number Expiration date 0366-7022 Chemistry Letters Allied Publishers Subscription Agency 31/12/2017 Cannot be ordered
10:46 yyy where is this to sort out
10:46 yyy i am trying to add one journal in serials and acquisitions but when i try to add it in acquisitions it says "cannot be ordered" what could be the problem
09:49 cait lol
09:48 * magnuse hopes the eels are smoked
09:43 * LibraryClaire leaves
09:43 * cait sends in the kraken
09:42 cait mean
09:42 * LibraryClaire sends in eels
09:42 * cait shakes her head
09:40 * mveron swims
09:38 * magnuse plays in the waves
09:37 * eythian makes waves
09:35 * LibraryClaire waves
09:29 * mveron waves
09:28 wahanui hola, eythian
09:28 eythian hi
09:28 huginn` mveron: Error: No such location could be found.
09:28 mveron @wunder Allschwil
09:27 huginn` mveron: Error: No such location could be found.
09:27 mveron @wunder Basel
09:27 mveron Hi #koha
08:14 sameee :'(
08:14 sameee rip wunder
08:03 * magnuse waves
07:57 cait it appears to be broken atm
07:57 huginn` cait: Error: No such location could be found.
07:57 cait @wunder Konstanz
07:57 cait morning #koha
07:51 sameee wunder wellington
07:45 * sameee waves
07:44 sameee hi sophie_m
07:39 sophie_m hello #koha
06:43 reiveune hello
06:34 drojf just black goodness
06:34 drojf no sugar please
06:33 alex_a bonjour
06:33 wahanui it has been said that sugar is yummy :)
06:33 fridolin sugar ?
06:33 drojf coffee for me too please!
06:33 fridolin never strong enough
06:33 drojf fridolin: fine, and you?
06:33 * fridolin morning coffee
06:33 fridolin drojf: hello, how are u ?
06:30 drojf hi fridolin
06:30 fridolin hie there
06:29 drojf :(
06:29 huginn` drojf: Error: No such location could be found.
06:29 drojf @wunder berlin, germany
06:29 huginn` drojf: Error: No such location could be found.
06:29 drojf @wunder txl
06:24 huginn` Bug http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=8010 major, P1 - high, ---, baptiste.wojtkowski, Pushed to Master , Search history can be added to the wrong patron
06:24 cait LibraryClaire: could you take a look at the pref description and pref name on bug 8010? native speaker required :)
06:24 drojf hi cait
06:24 cait morning drojf
06:15 drojf morning #koha