Software distributed on Windows are either compiled statitically or ship with their own kit of.dll. It's necessary because Windows does not have *any* dependency resolution facility and, up until recently, had no library versionning mechanism either. There are drawback of shipping "ready-to-run" software : waste of disk space (static executable are larger, and duplicate.dll take up room), having library spread all over your disk instead of having them in a central location, potential library overwriting (aka "DLL Hell") and no way to update library centrally (witness the recent security hole with GDI+; you had to run an utility that scan your entire disk in search of vulnerable application). The Windows way *do* work, but it is certainly not the optimal way. People have gotten used to the drawback thus they don't complain.
Just for fun, search for files named "mfc42.dll" on your disk (or any other common Windows dll; I'm not very up-to-date on these). How many are there ? Are all of these up-to-date ? Does any of them have security issues (known buffer overflow, for example) ? How much disk space do they use collectivelly ?
You could distribute application the same way on Linux, but people don't because it would break the architecture of having your libraries centrally stored and managed. The Linux architecture to libraries management is much superior but have the drawback that it require that you use a dependencies-aware package manager correctly. Apparently, you don't.
Oh, man. You hit a button... I F-ING HATE PACKAGE MANAGERS UNDER LINUX. I try and update program X. Oh oh, dependency. Chase that down. That creates two more dependencies. Chase those down. Soon it cascades into a total nightmare. And then, I frankly give up, and just download the source, recompiled it in parallel to the package, and just delete the package.
You don't understand. A package manager is a piece of software that does resolve dependency, download packages (from the Internet or local media) and install them for you. That is why they are called package manager. Using these, you never have to "chase" down package, it's all automated. There are many of them : apt, yum, up2date, urpm, emerge, etc.
Please get current instead of making a fool of yourself on the Web; this problem have been solved a few years ago. Your favorite distro probably use one, and you don't even know. Which one is it, anyway, so I can give you the executive summary on it's usage ?
I don't believe the everything-is-cheaper-in-rural-area hype. I am from a very rual area, and commodities (food, lifestyle items, etc) cost the same indeed. Service (like restaurant) tend to cost a little bit more at equal quality (less competition). Utility cost exactly the same, and you probably spend more on long-distance. And it is impossible to live without at *least* one car per household, and more probably two if both parent work. Plus you put a lot more mileage on your vehicule.
That being said, mortgage is the dealbreaker. I am from the province of Québec, Canada. In the rural area where I come from, you can get a nice house with a *lot* of land for about 45K$ CDN. Same house near a bigger city like Québec City would cost around 120K$ CDN, and around a metropolitan area such as Montreal would cost no less than 180K$ CDN in the suburb.
When you pay three or four time less for your mortgage, you can afford a little dent in your salary and pay a bit more for certain things, and yet come out winner. You do the math.
(And in case you come up with the "mortgage is equity !" line, let me remind you the insane interest you are paying is not)
System Administration is worse than programming. I just cant find anyone with decent "basic" skills, much less someone mid-level.
You are pretty much on topic. With three solid years of linux administration (and a good deal of drive and talent at what I do), I still consider myself only intermediate-level. As I said in another post, Linux is unforgiving: if you don't know your shit, you will get nowhere. Contrast that with Windows, where a monkey could achieve at least *some* level of result by clicking his way out of setup wizard.
On the other hand, remember skills have to be compensated. Maybe you are just not competitive in your compensation ?
Do you have any advice or insight into your situation? For example, are you leveraging years of past experience and/or a large network of contacts?
Yes. I have been working 3 years for a Linux integrator that mostly service the SMB market; I also worked on a few "large" project (mostly, email servers). I would not say I have a large network of contact, but I have a good reputation in my circle. So far, all my lead where from contact made at my LUG, where I often do presentation at the monthly meeting. These presentations help build my credibility, and friends from the LUG contact me with offer when they heard I started freelancing.
I don't know how well this could apply to your situation, though. The LUG idea is a good one assuming that 1. you have one in your area, and 2. at least some professionnal frequent it.
I think the idea is to make yourself visible, and demonstrate technical proficiency. Other avenue might be to participate in local technical mailing list and forum, and offer sound advice. Or frequent your local board of trade to network with local businessman (although you will need to adapt your discourse for these people).
Sorry I do not have anything more concrete, I must admit I have been very lucky so far to be in the right place at the right time. Could you expand a little on your professionnal background ?
Since I have gone freelance last month, jobs are being lined back-to-back : integrating OpenLDAP, building a Samba domain controller, tweaking SpamAssassin, auditing security for a web server, etc.
Open-Source now have a lot of momentum, a kind of honey moon of sort if you want. Gone are the day of 1999 where IT director where laughing at the concept. It's now part of the landscape. Lot of people are not using on a large scale right now, but are trying deployement or pilot.
Since most of the IT workforce have been happy to drink the MS Kool-aid exclusively for the past decade, they are basically helpless when it come to deploying and maintaining Linux. Unfortunately for them, they can't click their way to competence, Linux not being as forgiving as the various flavor of Windows in this regard. Actually, it's pretty damn hostile to newbie sysadmin. Thus these people need help with Linux and Open-Source, and their bosses are willing to pay.
At this point in time, a lack of Linux expert in the workforce and the service industry may slow the adoption of Open-Source. If you have been earning a living doing the proprietary stuff in the past years and considering going freelance eventually to offer Linux and Open-Source services, NOW IS THE TIME !
The walk in the desert is coming to an end for us Linux geeks. For most of us, it's been mostly a work of love, faithful that we where doing the right choice when using and advocating Linux. Now, it's payback time.
I am not sure exactly what the guy meant by "single sign-on to Active Directory". People often confuse centralized authentication with single sign-on. Centralized authentication mean the authentication data and process is managed centrally, by a "domain controller", for example. Single sign-on mean you provide your credentials only once (at login time, most likely) and don't need to provide them again to access a set of services (files, email, etc). The principal benefit of the former is to ease management of credentials (ie change your password in a single place) while the benefit of the later is to let you provide your credentials only once per session (instead of once to log on your workstation, once to access your email, another time to access the intranet, etc).
Centralized authentication from Linux to Active Directory is available here and now, and work flawlessly. It's all possible with the magic of nsswitch and PAM. At most, you will need to install MS Service for Unix or AD4Unix on your ADC to extend the AD LDAP schema so it include attribute required for Unix account information (login shell, home directory, etc). It take about 5 minutes to setup on Linux. I do it all the time, it's boilerplate stuff. The password expiration stuff have nothing to do with the client, it's all a function of the server (password expire, authentication fail).
No Linux distribution do single sign-on to Active Directory (Kerberos, actually) out-of-the-box AFAIK. Technically, it is entirely possible though. You would just need to Kerberize all the applications your desktop use and the service you provide. On the desktop applications front, it is not granted that everything support Kerberos application at this point, that would be worth checking. On the service front, I know all the daemons that use the Cyrus SASL library (OpenLDAP, Cyrus imapd, etc) are by definition Kerberized, and so is Samba. The biggy would be to figure out how to Kerberize Web application, although I seem to recall Mozilla have recently gotten some level of Kerberos support.
That being said, it is worth noting that there is no such thing as a single sign-on under Windows even. I guess "AD-aware" network service can authenticate via Kerberos, but if you must provide your password more than once a day, you are not doing single sign-on.
In short : centralized password management against AD is here and fully functionnal now, single sign-on is within the grasp of a determined organisation.
Kerberos is an authentication protocol. Kerberos ticket are not used to encrypt communication, they only convey authentication data. Encryption of the datastream is up to the application. SSL and STARTTLS are two popular way to encrypt various communication protocol. OpenLDAP happen to support both.
I may be a "lunitic", but I know what I'm talking about.
You wish you did. But you are entirely in your right to make a fool yourself publically, if you so wish.
President Bush strongly opposes any treaty or policy that would cause the loss of a single American job, let alone the nearly 5 million jobs Kyoto would have cost,' said James Connaughton
How does Kyoto would make the US lose 5 millions jobs ? I would tend to believe the opposite : increased energy efficiency would make American industries more competitive and help fix the trade deficit.
But who am I to oppose the American people God-given right to burn fossile fuel like there is no tomorrow ?
He pushed a Red Hat-like strategy vs IBM style strategy? "Respected open-source advocate?" Sounds like he was a businessman making business decisions.
And that is bad... how ? RedHat have been making business decision that made them profitable, and all the while they continue to contribute massively to OSS. SuSE, er, Novell have been going in the same direction (continued work on Gnome and Mono, open-sourcing YaST, etc). I'm very much happy with both company's direction.
Exactly. But I could not afford medical care in the US (or India either, for that matter), so the Canadian system's waiting list at least give me the option of actually getting treatment.
Also, keep in mind that the complain about Canadian healthcare system waiting list are often grossly exagerated. I don't know about this guy case in particuliar (new treatment ? elective surgery ?), but the vast majority of people get treated in reasonnable delay. I had two relatives that got bypass last spring, and they both had their surgery within two weeks of being diagnosed. Complaining about healthcare is a national hobby here, not unlike complaining about the weather or the hockey players strike.
The Canadian system could be fixed quite easily. More candidate should be accepted in medical schools for a start, to fix the human ressource problem. For the rest, it's a matter of money.
In the end I will take our current system over any government managed system.
Which is nice if you can afford it. To relate to TFA, some people apparently can't, and see no other viable choice than to take the risk of getting critical surgery in the third-world. I'll stay on my waiting list, thank you.
The whole point of a public healthcare system is not the cost, it is the universality.
Yeah, I can feel your pain. I feel the same way and need a similar tool too. However, you have to keep in mind that LDAP object are by definition extensible, and the schema modifiable. This make writing a general-purpose tool pretty hard.
What I did at work is make some PHP scripts that put up HTML forms that have the above functionality, store the data in a MySQL database, and nightly run a job that reads the database, writes a.ldif file, and loads this into OpenLDAP.
I am not quite sure why you have the MySQL step in the middle. You could edit the directory in-place. I know there are pretty good LDAP module for PHP. Personnally, I use Perl's Net::LDAP with good success.
It work fine. Use the package for your distribution, don't try to compile it yourself if you are unsure about what to do. The man page seem to reflect the current command-line options, I don't see much problem here.
LDAP in general and OpenLDAP in particuliar is a complex subject. The initial learning curve is pretty steep. Good luck with it.
In the past, RedHat have been open-sourcing pretty much every applications they acquired AFAIK (see Sistina GFS, for example). Thus, I am pretty confident we will soon have a second Open-Source LDAP server from this deal. There is no garatee, but I am looking forward to it.
For those who are familiar with Netscape LDAP server, could you teach me a bit about its ACL management capability ? OpenLDAP, in this regard, is pathetic. The ACL have to be written in some kind of filter language *inside* the config file, which need a restart/reload to take effect. It is very error-prone and basically the part of OpenLDAP that give me the most troubles. How is Netscape in this regard ? Can you define by-object ACL ? How are they stored ? How do you manage them ?
I couldn't stand the package management in the past. Is it barable now?
yum (YDL, RedHat), up2date (RedHat), urpm (Mandrake), YaST (SuSE) and Red Carpet (Ximian ?) is what is in common use for package management under RPM-distro today. They all basically cover the ground of apt relatively well. Keep in mind apt have been ported to the RPM package format; actually, this is what I use on my Fedora Core 2 machine. apt is still better on various aspect (mostly, it is faster), so people in the know tend to use it.
Complains about package management and "dependancy hell" in RPM-based distro is a thing of the past. Welcome to 2002.
I'll add to that the RPM package manager, paying Alan Cox to work full-time on kernel developpement (not anymore, but he have been hacking full-time on RedHat payroll for a few years), Cygwin, a lot of Gnome stuff, etc.
It's a trend in every language flame wars involving Perl recently to blame programmers deficiencies (ie unability to write readable code) on Perl's lack of strictly enforced policies. Really, it is sad to see otherwise smart people unable to do their job properly without being strongarmed into doing the right thing.
But, with all of the terrorist threats lately, bringing passport documents into the digital world is sure to increase security.
Thanks for the wishful thinking, but "bringing passport documents into the digital world" (whatever that mean) is not exactly a silver bullet for security.
That this post is being moderated "Insightful" despite the fact that it is just off-hand generalization (and not a very good one at that) is the definitive proof of Slashdot intellectual bankruptcy, if there is need for one.
I guess I should take lessons of tolerance and open-mindness from the right. Not doing so, after all, would be so.... unpatriotic !
1. I still don't know how much a 32 CPU Unisys box is worth.
2. I still don't know what kind of workload could justify such a box.
So basically, you are perpuating the kind of anecdotes you seem so irritated about. Unless you are under an NDA, why don't you just tell us how much you paid and what kind of work you need done so we can make our own mind about the value of these proprietary box ?
Slashdot Mirror
Software distributed on Windows are either compiled statitically or ship with their own kit of .dll. It's necessary because Windows does not have *any* dependency resolution facility and, up until recently, had no library versionning mechanism either. There are drawback of shipping "ready-to-run" software : waste of disk space (static executable are larger, and duplicate .dll take up room), having library spread all over your disk instead of having them in a central location, potential library overwriting (aka "DLL Hell") and no way to update library centrally (witness the recent security hole with GDI+; you had to run an utility that scan your entire disk in search of vulnerable application). The Windows way *do* work, but it is certainly not the optimal way. People have gotten used to the drawback thus they don't complain.
Just for fun, search for files named "mfc42.dll" on your disk (or any other common Windows dll; I'm not very up-to-date on these). How many are there ? Are all of these up-to-date ? Does any of them have security issues (known buffer overflow, for example) ? How much disk space do they use collectivelly ?
You could distribute application the same way on Linux, but people don't because it would break the architecture of having your libraries centrally stored and managed. The Linux architecture to libraries management is much superior but have the drawback that it require that you use a dependencies-aware package manager correctly. Apparently, you don't.
You don't understand. A package manager is a piece of software that does resolve dependency, download packages (from the Internet or local media) and install them for you. That is why they are called package manager. Using these, you never have to "chase" down package, it's all automated. There are many of them : apt, yum, up2date, urpm, emerge, etc.
Please get current instead of making a fool of yourself on the Web; this problem have been solved a few years ago. Your favorite distro probably use one, and you don't even know. Which one is it, anyway, so I can give you the executive summary on it's usage ?
I don't believe the everything-is-cheaper-in-rural-area hype. I am from a very rual area, and commodities (food, lifestyle items, etc) cost the same indeed. Service (like restaurant) tend to cost a little bit more at equal quality (less competition). Utility cost exactly the same, and you probably spend more on long-distance. And it is impossible to live without at *least* one car per household, and more probably two if both parent work. Plus you put a lot more mileage on your vehicule.
That being said, mortgage is the dealbreaker. I am from the province of Québec, Canada. In the rural area where I come from, you can get a nice house with a *lot* of land for about 45K$ CDN. Same house near a bigger city like Québec City would cost around 120K$ CDN, and around a metropolitan area such as Montreal would cost no less than 180K$ CDN in the suburb.
When you pay three or four time less for your mortgage, you can afford a little dent in your salary and pay a bit more for certain things, and yet come out winner. You do the math.
(And in case you come up with the "mortgage is equity !" line, let me remind you the insane interest you are paying is not)
You are pretty much on topic. With three solid years of linux administration (and a good deal of drive and talent at what I do), I still consider myself only intermediate-level. As I said in another post, Linux is unforgiving: if you don't know your shit, you will get nowhere. Contrast that with Windows, where a monkey could achieve at least *some* level of result by clicking his way out of setup wizard.
On the other hand, remember skills have to be compensated. Maybe you are just not competitive in your compensation ?
Yes. I have been working 3 years for a Linux integrator that mostly service the SMB market; I also worked on a few "large" project (mostly, email servers). I would not say I have a large network of contact, but I have a good reputation in my circle. So far, all my lead where from contact made at my LUG, where I often do presentation at the monthly meeting. These presentations help build my credibility, and friends from the LUG contact me with offer when they heard I started freelancing.
I don't know how well this could apply to your situation, though. The LUG idea is a good one assuming that 1. you have one in your area, and 2. at least some professionnal frequent it.
I think the idea is to make yourself visible, and demonstrate technical proficiency. Other avenue might be to participate in local technical mailing list and forum, and offer sound advice. Or frequent your local board of trade to network with local businessman (although you will need to adapt your discourse for these people).
Sorry I do not have anything more concrete, I must admit I have been very lucky so far to be in the right place at the right time. Could you expand a little on your professionnal background ?
Since I have gone freelance last month, jobs are being lined back-to-back : integrating OpenLDAP, building a Samba domain controller, tweaking SpamAssassin, auditing security for a web server, etc.
Open-Source now have a lot of momentum, a kind of honey moon of sort if you want. Gone are the day of 1999 where IT director where laughing at the concept. It's now part of the landscape. Lot of people are not using on a large scale right now, but are trying deployement or pilot.
Since most of the IT workforce have been happy to drink the MS Kool-aid exclusively for the past decade, they are basically helpless when it come to deploying and maintaining Linux. Unfortunately for them, they can't click their way to competence, Linux not being as forgiving as the various flavor of Windows in this regard. Actually, it's pretty damn hostile to newbie sysadmin. Thus these people need help with Linux and Open-Source, and their bosses are willing to pay.
At this point in time, a lack of Linux expert in the workforce and the service industry may slow the adoption of Open-Source. If you have been earning a living doing the proprietary stuff in the past years and considering going freelance eventually to offer Linux and Open-Source services, NOW IS THE TIME !
The walk in the desert is coming to an end for us Linux geeks. For most of us, it's been mostly a work of love, faithful that we where doing the right choice when using and advocating Linux. Now, it's payback time.
I am not sure exactly what the guy meant by "single sign-on to Active Directory". People often confuse centralized authentication with single sign-on. Centralized authentication mean the authentication data and process is managed centrally, by a "domain controller", for example. Single sign-on mean you provide your credentials only once (at login time, most likely) and don't need to provide them again to access a set of services (files, email, etc). The principal benefit of the former is to ease management of credentials (ie change your password in a single place) while the benefit of the later is to let you provide your credentials only once per session (instead of once to log on your workstation, once to access your email, another time to access the intranet, etc).
Centralized authentication from Linux to Active Directory is available here and now, and work flawlessly. It's all possible with the magic of nsswitch and PAM. At most, you will need to install MS Service for Unix or AD4Unix on your ADC to extend the AD LDAP schema so it include attribute required for Unix account information (login shell, home directory, etc). It take about 5 minutes to setup on Linux. I do it all the time, it's boilerplate stuff. The password expiration stuff have nothing to do with the client, it's all a function of the server (password expire, authentication fail).
No Linux distribution do single sign-on to Active Directory (Kerberos, actually) out-of-the-box AFAIK. Technically, it is entirely possible though. You would just need to Kerberize all the applications your desktop use and the service you provide. On the desktop applications front, it is not granted that everything support Kerberos application at this point, that would be worth checking. On the service front, I know all the daemons that use the Cyrus SASL library (OpenLDAP, Cyrus imapd, etc) are by definition Kerberized, and so is Samba. The biggy would be to figure out how to Kerberize Web application, although I seem to recall Mozilla have recently gotten some level of Kerberos support.
That being said, it is worth noting that there is no such thing as a single sign-on under Windows even. I guess "AD-aware" network service can authenticate via Kerberos, but if you must provide your password more than once a day, you are not doing single sign-on.
In short : centralized password management against AD is here and fully functionnal now, single sign-on is within the grasp of a determined organisation.
You, sir, are a total ignorant.
Kerberos is an authentication protocol. Kerberos ticket are not used to encrypt communication, they only convey authentication data. Encryption of the datastream is up to the application. SSL and STARTTLS are two popular way to encrypt various communication protocol. OpenLDAP happen to support both.
You wish you did. But you are entirely in your right to make a fool yourself publically, if you so wish.
Have you been given reason they would not ?
How does Kyoto would make the US lose 5 millions jobs ? I would tend to believe the opposite : increased energy efficiency would make American industries more competitive and help fix the trade deficit.
But who am I to oppose the American people God-given right to burn fossile fuel like there is no tomorrow ?
And that is bad ... how ? RedHat have been making business decision that made them profitable, and all the while they continue to contribute massively to OSS. SuSE, er, Novell have been going in the same direction (continued work on Gnome and Mono, open-sourcing YaST, etc). I'm very much happy with both company's direction.
Exactly. But I could not afford medical care in the US (or India either, for that matter), so the Canadian system's waiting list at least give me the option of actually getting treatment.
Also, keep in mind that the complain about Canadian healthcare system waiting list are often grossly exagerated. I don't know about this guy case in particuliar (new treatment ? elective surgery ?), but the vast majority of people get treated in reasonnable delay. I had two relatives that got bypass last spring, and they both had their surgery within two weeks of being diagnosed. Complaining about healthcare is a national hobby here, not unlike complaining about the weather or the hockey players strike.
The Canadian system could be fixed quite easily. More candidate should be accepted in medical schools for a start, to fix the human ressource problem. For the rest, it's a matter of money.
Which is nice if you can afford it. To relate to TFA, some people apparently can't, and see no other viable choice than to take the risk of getting critical surgery in the third-world. I'll stay on my waiting list, thank you.
The whole point of a public healthcare system is not the cost, it is the universality.
Yeah, I can feel your pain. I feel the same way and need a similar tool too. However, you have to keep in mind that LDAP object are by definition extensible, and the schema modifiable. This make writing a general-purpose tool pretty hard.
I am not quite sure why you have the MySQL step in the middle. You could edit the directory in-place. I know there are pretty good LDAP module for PHP. Personnally, I use Perl's Net::LDAP with good success.
What does GPO have to do with LDAP, except being both part of AD ?
It work fine. Use the package for your distribution, don't try to compile it yourself if you are unsure about what to do. The man page seem to reflect the current command-line options, I don't see much problem here.
LDAP in general and OpenLDAP in particuliar is a complex subject. The initial learning curve is pretty steep. Good luck with it.
In the past, RedHat have been open-sourcing pretty much every applications they acquired AFAIK (see Sistina GFS, for example). Thus, I am pretty confident we will soon have a second Open-Source LDAP server from this deal. There is no garatee, but I am looking forward to it.
For those who are familiar with Netscape LDAP server, could you teach me a bit about its ACL management capability ? OpenLDAP, in this regard, is pathetic. The ACL have to be written in some kind of filter language *inside* the config file, which need a restart/reload to take effect. It is very error-prone and basically the part of OpenLDAP that give me the most troubles. How is Netscape in this regard ? Can you define by-object ACL ? How are they stored ? How do you manage them ?
Thanks for you insights !
Sure it does. It's just that the alternative work better (and safer).
Because NOT eveything should be an object ?
yum (YDL, RedHat), up2date (RedHat), urpm (Mandrake), YaST (SuSE) and Red Carpet (Ximian ?) is what is in common use for package management under RPM-distro today. They all basically cover the ground of apt relatively well. Keep in mind apt have been ported to the RPM package format; actually, this is what I use on my Fedora Core 2 machine. apt is still better on various aspect (mostly, it is faster), so people in the know tend to use it.
Complains about package management and "dependancy hell" in RPM-based distro is a thing of the past. Welcome to 2002.
I'll add to that the RPM package manager, paying Alan Cox to work full-time on kernel developpement (not anymore, but he have been hacking full-time on RedHat payroll for a few years), Cygwin, a lot of Gnome stuff, etc.
It's a trend in every language flame wars involving Perl recently to blame programmers deficiencies (ie unability to write readable code) on Perl's lack of strictly enforced policies. Really, it is sad to see otherwise smart people unable to do their job properly without being strongarmed into doing the right thing.
Thanks for the wishful thinking, but "bringing passport documents into the digital world" (whatever that mean) is not exactly a silver bullet for security.
That this post is being moderated "Insightful" despite the fact that it is just off-hand generalization (and not a very good one at that) is the definitive proof of Slashdot intellectual bankruptcy, if there is need for one.
I guess I should take lessons of tolerance and open-mindness from the right. Not doing so, after all, would be so .... unpatriotic !
1. I still don't know how much a 32 CPU Unisys box is worth.
2. I still don't know what kind of workload could justify such a box.
So basically, you are perpuating the kind of anecdotes you seem so irritated about. Unless you are under an NDA, why don't you just tell us how much you paid and what kind of work you need done so we can make our own mind about the value of these proprietary box ?