CVSQ, or CVS Queued, might solve your issues. It doesn't work over email, but it allows you to queue up commits until the CVS server is available again.
Today's solution is to use LDAP.
I have, right now, the following systems integrated using LDAP for authentication:
Linux (anything that uses PAM - ssh, ftp, X)
AIX 5.1
Apache (mod_ldap)
IBM HTTP Server (mod_ibm_ldap)
Several internal apps (PHP, Perl, C/C++)
MS Active Directory & Exchange
Lotus SameTime, and Lotus QuickPlace
Nortel Contivity VPN systems
And probably one or two things I've forgotten. So it's probably simple enough to add in the bits (IRC mainly) for the rest.
I've got 85 Dual 2.4GHz Xeons running for 2 months now with HT enabled (both Linux + Win2k), and I concur. While each box appears to have 4 CPUs if you query the OS, running even make -j5 bzImage thrashes the heck out of the systems, negating any possible performance gain.
Thanks for reminding me of my age... I was one of the 1st to get an account here back when this all began those many years ago...
No... http://open-source.arkoon.net - NAT-T patch for 1.98b. Works on kernel 2.4.*.
FreeS/WAN doesn't talk to anything but itself? Stop spreading bullshit around, unless you're a farmer.
Here is a massive document with 25-30 other products listed, with instructions, sample configs, and links to more information.
Yes, you'll need patches to do all that sort of stuff just like you do now. In fact, now the patch maintainers will, if they are interested, have to port all the patches to this variant of IPSec, so don't expect that to happen soon, since this is still 2.5 work, and 2.6 probably won't be out until June of 2003.
ken@freeswan.ca
No worries - everyone seems too lazy to cut & paste, so my webstats aren't going crazy. Whew :)
Thanks...
ken@freeswan.ca
2.00 + snapshots, and forthcoming 1.99 have vastly improved docs, and a way better inter-op doc.
I run OSPF + BGP over FreeS/WAN using GRE, which seems to be the simplest way to do it - there's been a lot of discussion lately on the lists about doing this.
Sorry to hear about the job loss, but when you get back on your feet and want to continue, just flip me a note and I'll give you a CVS repository if you want to start with.
ken@freeswan.ca
Why no fork yet?
Because it's a large project, it's really complex, and it's a bitch to keep up with things.
I should know - I'm the author of Super FreeS/WAN, a pseudo fork which includes a lot of patches (NAT-T, X.509 Certs, AES/Blowfish/etc... ) @ http://www.freeswan.ca/code/super-freeswan
It takes a few hours a day to stay on top of things. One of the major ones is user support. IPSec is not easy to configure currently, especially once you introduce X.509 certs & MS Windows clients using any number of clients. So there are hundreds of questions about configs, how-tos, etc...
If you want to fork it, please, go ahead. Just remember that a fork isn't just the code - you take users with you.
FreeS/WAN + NAT-Traversal patch manages this fine, by encapsulating the packets in UDP.
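As an added illustration of the UDP encapsulation mentioned in the comment above (this is example code written for this page, not code from FreeS/WAN or the NAT-T patch), here is a small Python classifier for datagrams arriving on UDP port 4500, following the RFC 3948 (UDP-encapsulated ESP) and RFC 3947 (IKE non-ESP marker) layouts, plus a per-SPI check that ESP sequence numbers keep advancing. All sample datagrams are constructed, not captured traffic.

```python
"""Classify the payload of UDP datagrams on port 4500 as produced by IPsec NAT-T
(UDP encapsulation of ESP per RFC 3948, IKE with the non-ESP marker per RFC 3947).
All sample datagrams below are constructed for illustration."""
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"      # prefixed to IKE messages sent on UDP/4500
NAT_KEEPALIVE = b"\xff"                   # one-byte datagram that keeps the NAT mapping alive
ISAKMP_HDR = struct.Struct("!QQBBBBII")   # cookies, next payload, version, exch type, flags, msg id, length

def classify_nat_t_payload(payload: bytes) -> dict:
    """Return what kind of NAT-T datagram this is, plus the header fields a monitor would log."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload[:4] == NON_ESP_MARKER:       # ESP never has SPI 0, so this prefix is unambiguous
        ike = payload[4:]
        if len(ike) < ISAKMP_HDR.size:
            return {"kind": "invalid", "error": "truncated ISAKMP header"}
        ispi, rspi, _np, version, exch, _flags, msg_id, length = ISAKMP_HDR.unpack(ike[:ISAKMP_HDR.size])
        return {"kind": "ike", "initiator_spi": f"{ispi:016x}", "responder_spi": f"{rspi:016x}",
                "major_version": version >> 4, "exchange_type": exch, "message_id": msg_id,
                "length_ok": length == len(ike)}
    if len(payload) < 8:
        return {"kind": "invalid", "error": "too short for an ESP header"}
    spi, seq = struct.unpack("!II", payload[:8])   # ESP: SPI, sequence number, then encrypted data
    return {"kind": "esp", "spi": spi, "seq": seq, "encrypted_len": len(payload) - 8}

def find_replayed_esp(payloads) -> list:
    """Per SPI, report ESP datagrams whose sequence number does not advance (a duplicate or replay)."""
    highest = {}
    suspicious = []
    for i, p in enumerate(payloads):
        info = classify_nat_t_payload(p)
        if info["kind"] != "esp":
            continue
        if info["seq"] <= highest.get(info["spi"], 0):
            suspicious.append((i, info["spi"], info["seq"]))
        highest[info["spi"]] = max(highest.get(info["spi"], 0), info["seq"])
    return suspicious

# Constructed sample datagrams: an IKEv1 Main Mode header, a keepalive, and three ESP packets.
IKE_MAIN_MODE = NON_ESP_MARKER + ISAKMP_HDR.pack(0x0123456789ABCDEF, 0, 1, 0x10, 2, 0, 0, ISAKMP_HDR.size)
ESP_SEQ_1 = struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 24
ESP_SEQ_2 = struct.pack("!II", 0xC0FFEE01, 2) + b"\x00" * 24
SAMPLE_STREAM = [IKE_MAIN_MODE, NAT_KEEPALIVE, ESP_SEQ_1, ESP_SEQ_2, ESP_SEQ_1]

if __name__ == "__main__":
    for p in SAMPLE_STREAM:
        print(classify_nat_t_payload(p))
    print("replayed:", find_replayed_esp(SAMPLE_STREAM))
```

The sequence check only sees the cleartext ESP header; the real anti-replay window lives in the IPsec stack, so this is a monitoring aid, not a substitute for it.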
You bastard... you've /.'d my server! =)
Oh well, so much for hiding in anonymity.
ken@freeswan.ca
From drivers/net/eexpress.c:
printk(KERN_INFO "%s: transmit timed out, %s?\n", dev->name, (SCB_complete(status)?"lost interrupt": "board on fire"));
I've actually seen this happen once before too. I couldn't stop laughing, so I had to dig into the source to see if it was for real...
Works good here. Novell's eDirectory has a pwdsync module available to sync info/passwords with Active Directory too.
Linux, Lotus, MS, Nortel products all happy, as well as internal apps too.
I'll second the vote for this, and add that with a CompactFlash to PCMCIA Adapter (about $10) you can pop it into your laptop and it shows up as an IDE device (mine's hde) which means you don't even need USB support for this.
Export to CSV and then import... I know it's two steps, but it doesn't rely on any ODBC connections, so you avoid all of the crap there.
Disclaimer: I'm an ex-IBMer, who worked in the Linux services area.
I've used the 3[hl] and 4[hl] series of ServeRaids for over a year under Linux (both 2.2.x and 2.4.x kernels) with decent results. I currently have about 15 IBM x340's with ServeRaid 4l's running in production for nearly a year - no problems so far, however I did avoid early 2.4.x kernels (only upgraded after 2.4.7). I've suffered through failed drives and whatnot without data loss.
If you can find the ipsutils.rpm out there you can manage it from the command line, otherwise the Java-based ServeRaid manager will let you do everything the Windows tools do, under Linux.
It's not usually root's fault their marketing department is braindead, so I tend to use info@ or news@, or look at a recent press release and use the contact email address used there :)
I asked both AT&T and Bell about multicast - both indicated that their backbones do not support multicast... and they don't seem to have plans to enable it anytime soon.
Yes, patents are evil. But I'd rather have IBM, who is at least *partially* open source friendly, have this patent, than say, Microsoft, who could license it in such a way that only Frontpage + IIS would be allowed to use templates...
At my previous employer (not a dot-com, an FI) I transferred departments + locations. When I received my 1st paycheque after the change, I noticed it said 'vacation pay'. I knew something was up, but the next day when I received a letter about my termination, I was really confused.
Turns out some stupid new HR person couldn't figure out the difference between transfer and terminate. Took them over 6 weeks to clean up the mess, and in the meantime I was getting benefits cancellation notices + other junk. Complete asspain, but I found it highly amusing how incompetent the HR folks were.
Zebra (still beta, last I looked) is a full implementation of rip/ospf/bgp/etc... and the configuration interface is nearly identical to IOS.
The benefit here is that it's real, so you can set up 2 (or more) boxes and actually *make something work* rather than paste commands blindly into an emulator. And, of course, it's GPL'd. Better than Merit's gated implementation of the above protocols, and easier to configure.
Ask Slashdot seems to be for people who haven't found www.google.com...
I also work for a large blue computer company. When I joined one of the Linux teams, I was told I wasn't allowed to use Slackware on customer machines. This was due to 'no vendor/support strategy'. Same with *BSD. However, I'll continue to use Slackware everywhere else, since I haven't seen a bad Slackware release yet.
For those of you who think I'm bashing Redhat, take a seat. I'm also an RHCE, and I've used RedHat for years as well.
From what I know, it will work similar to this:
ISPs will have control over QoS within their own networks. So when a packet from ISP 1 goes through ISP 2's network, ISP 2's routers strip the QoS tagging done by ISP 1, and put ISP 2's QoS information in the header.
If I remember right, this can be done on both a source & destination basis, so transit ISPs will probably set the priority high on traffic originating / terminating within their networks. At least I know I would.
Now, this doesn't stop ISP 1 from paying ISP 2 extra cash to give them a higher priority - but then again - we need something left open to conspiracy theories...
Cisco makes the ESCON channel adapter cards for the 7000 series routers for exactly this purpose.