2020-02-03 14:47:28 GMT <alfresco-discord> <bhagyas> @Douglas Paes (douglascrp) any chance we might get to see you in person in London this year?

2020-02-03 14:50:29 GMT <AFaust> Last I heard, the chance is as non-existent as the last time(s)...

2020-02-03 14:57:35 GMT <alfresco-discord> <bhagyas> hmpf :/

2020-02-03 14:58:29 GMT <alfresco-discord> <bhagyas> has anyone used HashiCorp Vault?

2020-02-03 14:59:02 GMT <alfresco-discord> <bhagyas> trying to figure out how to store private keys for Alfresco users in HashiCorp Vault

2020-02-03 15:00:15 GMT <alfresco-discord> <yreg> @Wim Fabri did long time ago, but not sure he is still involved in that ...

2020-02-03 15:01:40 GMT <alfresco-discord> <bhagyas> Trying to create a signing solution to work with Alfresco PDF Toolkit

2020-02-03 15:02:16 GMT <alfresco-discord> <bhagyas> Right now, the PDF Toolkit requires end users to upload private keys/passwords and keystore passwords to sign a document

2020-02-03 15:02:45 GMT <alfresco-discord> <bhagyas> Thought it would be nice to use Vault to issue signing certificates instead

2020-02-03 15:06:53 GMT <alfresco-discord> <lars> We only generate certificates with Vault for VPN access at the moment. Though it might be interesting for you to look at the tool we use for doing that, to see how it talks to vault: https://github.com/Luzifer/vault-openvpn

2020-02-03 15:06:54 GMT <alfbot> Title: GitHub - Luzifer/vault-openvpn: Small wrapper utility to manage OpenVPN configuration combined with a Vault PKI (at github.com)

2020-02-03 15:08:49 GMT <alfresco-discord> <bhagyas> @lars thanks! I'm new to working with Vault, but it looks promising

2020-02-03 15:09:02 GMT <alfresco-discord> <bhagyas> how was your experience with OpenVPN cert-gen with Vault?

2020-02-03 15:13:54 GMT <alfresco-discord> <lars> Well, we didn't write that tool, but it works nicely. Since the certificates are signed by an internal root CA, no setup besides the root CA is required on the server side.

2020-02-03 15:14:22 GMT <alfresco-discord> <bhagyas> I see

2020-02-03 15:15:10 GMT <alfresco-discord> <bhagyas> Also thinking about whether it's possible to re-authenticate an Alfresco LDAP-authenticated user with Vault to store the private keys

2020-02-03 15:16:39 GMT <alfresco-discord> <lars> Well, Vault needs an authenticated user to be able to issue certificates. And if you want strong per-user traceability for operations, you can't really use a machine account for Alfresco

2020-02-03 15:17:20 GMT <alfresco-discord> <bhagyas> yeah, I was earlier thinking of using a system account - but given the LDAP/AD nature of the authenticating user it seems complicated

2020-02-03 15:17:54 GMT <alfresco-discord> <bhagyas> Vault does seem to support LDAP/AD as authentication methods

2020-02-03 15:18:23 GMT <alfresco-discord> <bhagyas> but my understanding is that it might require prompting/re-authentication by the user

2020-02-03 15:20:34 GMT <alfresco-discord> <yreg> unless you hook in during the authentication in Alfresco, acquire a valid Vault token and give it a (very) long lifetime

2020-02-03 15:22:03 GMT <alfresco-discord> <yreg> for storing that token you can of course use the session context, or a fully clustered cache in case you want to support a multi-node setup

2020-02-03 15:23:43 GMT <alfresco-discord> <bhagyas> @yreg hadn't thought that this was possible

2020-02-03 15:25:05 GMT <alfresco-discord> <bhagyas> so I would need to catch the password on the LDAP Authenticator and send it to Vault then

2020-02-03 15:35:18 GMT <alfresco-discord> <Douglas Paes (douglascrp)> @bhagyas no, impossible

2020-02-03 22:16:34 GMT <alfresco-discord> <yreg> you can catch it independently from the authenticator 😉

End of Daily Log