| Time | S | Nick | Message |
|---|---|---|---|
| 18:10 | | kados | si in case you're around I've got a question |
| 18:10 | | si | I am indeed |
| 18:10 | | si | although it's a holiday here today |
| 18:10 | | si | it's raining |
| 18:10 | | kados | I've managed to get squid and squidguard working as a transparent proxy |
| 18:11 | | si | so it's not looking good for the cricket :-( |
| 18:11 | | kados | :-) |
| 18:11 | | kados | who's playing? |
| 18:11 | | si | excellent work |
| 18:11 | | si | Ahh, well, Sri Lanka were supposed to be here at the moment |
| 18:11 | | kados | so as far as I can tell squid does not support authentication when used in a transparent environment |
| 18:11 | | si | but they abandoned the tour and went home after the tsunami |
| 18:11 | | kados | bummer |
| 18:12 | | si | which left NZ a little starved of match play |
| 18:12 | | si | so they rustled up some charity games between NZ and a World XI |
| 18:12 | | si | the real deal is February, when Australia come touring here |
| 18:12 | | si | but we digress |
| 18:13 | | kados | :-) |
| 18:13 | | si | your auth problems do ring a bell for me |
| 18:13 | | kados | so if I'm right, one way to do authentication might be through iptables |
| 18:13 | | si | I recall there being problems with auth, because the browser didn't know whether it was authing for the cache, or the end site |
| 18:13 | | kados | yea |
| 18:14 | | kados | well caching is disabled in my environment but it still won't work |
| 18:14 | | kados | I'm just doing content mediation |
| 18:14 | | si | yup, but the same problem applies |
| 18:14 | | kados | so I looked at nufw |
| 18:14 | | kados | also at checkpoint |
| 18:14 | | kados | a bit |
| 18:15 | | kados | there must be some way to do what I'd like to do since people are doing it: IPrism for instance |
| 18:15 | | si | rather than trying to do direct http auth |
| 18:15 | | kados | right |
| 18:15 | | si | that's what we do for Cafenet |
| 18:15 | | kados | that is the ideal |
| 18:15 | | kados | so after they login what happens? |
| 18:16 | | si | we run a system where they try and hit a url, and the router in its default rig redirects them off to a web server. |
| 18:16 | | kados | i.e., what handles authentication and how does that change the client's movement in the network? |
| 18:17 | | si | Some stuff happens on the webserver, it tickles some rules on the router, and they can then get to where they want to be. |
| 18:17 | | kados | ahh so I can use iptables to specify rules for a specific ip address? |
| 18:18 | | si | I think there's actually a double redirect in there - the router sends them to a dummy webserver, that then spits out a 302 redirect to the login server |
| 18:18 | | kados | i.e., the log in ... if they authenticate the webserver runs an iptables script which allows them access? |
| 18:18 | | si | pretty much |
| 18:18 | | si | we actually do it with shorewall |
| 18:18 | | si | which has a loose concept of adding and removing users from zones |
| 18:18 | | kados | cool ... does it handle the actual authentication? |
| 18:19 | | si | no, it's just an iptables wrapper |
| 18:20 | | si | we do the auth via standard https authentication, I believe |
| 18:20 | | si | with a mysql backend |
| 18:20 | | kados | I really only need two cases ... a general case (non-authenticated) which already works ... and an adult user case (after authentication) ... probably just a single well-formed iptables sentence would do it for a single client ... and then I could have it timeout after an hour or so and require authentication again |
| 18:21 | | si | the complex problem would be that you'd have to have a bounded set of IP numbers that were proscribed, and forced a redirect |
| 18:21 | | kados | I'm thinking that we could use ldap on our Koha server for authentication |
| 18:21 | | kados | I don't quite understand that |
| 18:22 | | kados | say I have only one branch ... it has a dsl line which gives my gateway server a single ip address ... the gateway does nat and has dhcp on it ... it also handles squid/squidguard/authentication to the ldap, and running the iptables script after a successful authentication ... |
| 18:23 | | kados | that's my basic setup here |
| 18:23 | | si | how are you going to know when you need to force an auth? |
| 18:23 | | kados | when the redirect happens |
| 18:23 | | si | and what causes the redirect to happen? |
| 18:23 | | kados | squidguard |
| 18:24 | | kados | this already works |
| 18:24 | | kados | so if I access a |
| 18:24 | | kados | bad site |
| 18:24 | | si | it'll do a redirect if you go to a bad site? |
| 18:24 | | si | excellent |
| 18:24 | | kados | yep |
| 18:25 | | si | then, after you've authenticated, you'd need to remove the rule that forced folks through squidguard |
| 18:25 | | si | the iptables rule, that is |
| 18:25 | | kados | ahh ... that might be a problem |
| 18:25 | | kados | we'd only want to remove it for that one ip address |
| 18:26 | | si | indeed |
| 18:26 | | si | so it would require a little clever iptables witchery |
| 18:26 | | si | but nothing too taxing |
| 18:26 | | kados | I don't know iptables enough to know if you can specify how to handle a single ip |
| 18:26 | | si | ohh, you certainly can |
| 18:27 | | kados | then at most we'd be dealing with about 30 rules or so |
| 18:27 | | si | it's a pretty general purpose tool, it supports netmasks |
| 18:27 | | kados | one for each ip (that's worst case) |
| 18:27 | | kados | best case is that I can figure out how to do it with two rules ;-) |
| 18:28 | | si | speaking from bitter recent experience, you don't want to be going above a specific number of rules |
| 18:28 | | si | which is about 3000 on a P4 |
| 18:28 | | kados | :-) |
| 18:28 | | si | and probably about 1500 on a soekris |
| 18:28 | | kados | (strangely the soekris seems to utilize more memory than I expected) |
| 18:28 | | si | you can both append and insert rules into a running system |
| 18:28 | | kados | (more on that some other time) |
| 18:29 | | si | so it oughta be possible to slip some rules specific to an IP in front of the catch all rule that does the redirect |
| 18:29 | | kados | ahh ... can you remove rules on a running system? |
| 18:29 | | si | yes |
| 18:30 | | si | presumably your other option is that after authentication you mangle the sg config in some fashion such that it stops doing the redirect and allows access |
| 18:30 | | si | the issue that I see with the iptables route is that you lose all info about what they might be doing once they've authenticated |
| 18:30 | | kados | no problem |
| 18:30 | | si | that might not be such a bad thing |
| 18:30 | | kados | my policy is |
| 18:31 | | kados | I don't want to know |
| 18:31 | | kados | if I know they might ask |
| 18:31 | | ambrose | you can always do transparent squid just to do the logging |
| 18:31 | | kados | I don't really need logging |
| 18:32 | | kados | we've got a policy like that with koha too |
| 18:32 | | kados | we delete the history |
| 18:32 | | kados | (except for the 'last borrower') |
| 18:32 | | kados | so if the feds come we won't have anything to give them |
| 18:33 | | si | don't the feds have some mad rule where they can come and demand history without telling the borrower? |
| 18:33 | | kados | yep |
| 18:33 | | si | and you may not tell the patron? |
| 18:33 | | kados | Patriot Act |
| 18:33 | | si | that's the one |
| 18:33 | | kados | yep ... we're not allowed to tell |
| 18:33 | | kados | (one library had a sign that read: |
| 18:33 | | kados | the feds have not come this week |
| 18:33 | | si | clowns |
| 18:33 | | kados | if this sign disappears take note |
| 18:33 | | kados | ) |
| 18:33 | | kados | :-) |
| 18:34 | | kados | or something like that anyway |
| 18:34 | | kados | yea it's crazy |
| 18:34 | | si | there's also http://nocat.net/moin/NoCatSoftware |
| 18:35 | | ambrose | kados: you are from npl, right? |
| 18:35 | | kados | ambrose: yep |
| 18:35 | | ambrose | do you guys use dewey, or lc? |
| 18:35 | | kados | dewey |
| 18:36 | | ambrose | oh, would you know if we have someone who uses LC? I'd just want to know where they put the call number |
| 18:36 | | kados | ambrose: you should be able to put it in the dewey place in Koha 2.2 |
| 18:36 | | kados | according to paul it supports any call number system now |
| 18:36 | | ambrose | kados: oh. is that right.... thanks... I need to test that (and change my translations) then |
| 18:37 | | kados | si: nocat looks neat |
| 18:39 | | kados | si: after I get this working I'll need some advice on how to make the filesystem 'read-only' so I don't burn out this cf card |
| 18:44 | | si | I'm not sure I'd bother with mounting it read only as such |
| 18:45 | | kados | http://lists.personaltelco.net[…]003q4/005811.html |
| 18:45 | | si | I'd set syslog to log remotely |
| 18:45 | | si | to a central log server |
| 18:46 | | si | if you've stuff writing to /tmp, then I'd consider making that a small tmpfs ramdisk |
| 18:46 | | si | but if you haven't, I wouldn't bother |
| 18:48 | | si | then I'd look at what daemons are running, and what writes they're likely to do |
| 18:48 | | si | and see if you can turn em off |
| 18:48 | | si | but I personally wouldn't get too hung up on it |
| 18:49 | | si | as long as you get the writes down to a sensible level, you should just back up the flash regularly, and be emotionally prepared to replace it once a year |
| 18:49 | | si | it's not as though flash is expensive |
| 18:58 | | si | when I started making flash based routers, flash was about 10 times as expensive as RAM per MB |
| 18:58 | | si | now it's half the price of RAM/MB |
| 18:58 | | si | and falling fast |
| 19:15 | | ambrose | hmm... dewey.biblioitems is still double(8,6) |
| 19:20 | | ambrose | biblioitems.dewey rather |
| 19:30 | | kados | ambrose: is 'lccn' what you're looking for? |
| 19:30 | | kados | ambrose: or maybe 'number'? |
| 19:31 | | kados | ambrose: you might be able to tell what changed in the biblioitems table by looking in CVS at the diffs for the koha.mysql file (between 2.0 and 2.2) |
| 19:31 | | ambrose | no |
| 19:31 | | ambrose | lccn is something else |
| 19:44 | | ambrose | hmm. not 'number' either. that's tag 440, 'number of part/section of a work', according to structure_def.sql |
| 19:49 | | ambrose | 2.2 has new fields lccn, marc, and url |
| 19:49 | | ambrose | I guess I'll try changing dewey to varchar(40) and see what happens |
| 19:54 | | ambrose | hmm |
| 19:59 | | ambrose | mapping 852k to biblioitems.dewey does not make sense for LC |
| 20:02 | | ambrose | but now why is itemtype blank? :-/ |
| 21:14 | | kados | si: I've got the iptables rule working |
| 21:15 | | kados | here's what it looks like: |
| 21:15 | | kados | `iptables -I PREROUTING -t nat -p tcp -s 192.168.1.3 --dport 80 -j ACCEPT` |
| 21:43 | | Genji | any coder here, or database design person? |
| 02:20 | | kados | Genji it's best to ask your question and then we can answer it when we show up ;-) |
| 02:28 | | Genji | okay, to add a barcode to the shelves, I've altered the bookshelf table, adding a barcode field with varchar(20). Want to set up nesting of shelves... so something like main room->General->Buddhism->Tibetan Buddhism can exist. I'm thinking, I add a barcode field to the shelfcontents as well, to hold a shelfbarcode... so if(shelfbarcode ne ''){getinfo on shelf of barcodenumber, display it instead of item details.} |
| 02:31 | | Genji | this okay? also, how do I submit changes into CVS.. i.e. how do I prepare the file for cvsing, add my comments to it at the end, describing briefly the changes, or does cvs automatically ask me for that information? |
| 07:44 | | Genji | Hey there paul, you active? |
| 09:03 | | Genji | weirdness with keyboard.. |
| 09:03 | | Genji | sorry. |
| 09:20 | | Genji | okay, to add a barcode to the shelves, I've altered the bookshelf table, adding a barcode field with varchar(20). Want to set up nesting of shelves... so something like main room->General->Buddhism->Tibetan Buddhism can exist. I'm thinking, I add a barcode field to the shelfcontents as well, to hold a shelfbarcode... so if(shelfbarcode ne ''){getinfo on shelf of barcodenumber, display it instead of item details.} |
| 09:21 | | Genji | this okay? also, how do I submit changes into CVS.. i.e. how do I prepare the file for cvsing, add my comments to it at the end, describing briefly the changes, or does cvs automatically ask me for that information? |
| 10:06 | | slef | about http://ada.dhs.org/koha/2.2/i18n.html - has it been announced to koha-devel? Also, please set text colour when you set background colour. |