


July 2005


Who would've thought the best drama on TV would be a remake of a campy, late 70s sci-fi disaster? Hey, I didn't - when I first heard of the BSG miniseries I vowed to never, ever watch it. This is from the channel that brought us such memorable made-for-TV movies as "Mansquito," and managed to completely misuse Bruce Campbell's talents in the depressingly bad "Alien Apocalypse" - an intentionally cheesy flick that somehow failed on every possible level.

But here we are. The new BSG is a re-envisioning of the basic concepts behind the late 70s failure, but it would be a horrible mistake to think of this as a true remake. Some of the names are the same, some of the style can be seen in costume and set design, and the basic premise - that a ragtag fleet of humans is desperately forging on after their entire civilization is destroyed by the Cylons - is intact. At its core, though, this is a very different type of series aimed at a very different type of viewer, and it's probably the most "grown up" sci-fi I've ever seen on TV.

Picture, if you will, a group of characters who have just had everything they know destroyed by an enemy they created (in this BSG, the Cylons were made by man, became self-aware, rebelled, yadda yadda). You have the aging commander, pulled back into the service right as he was about to retire. You have the gritty officer fighting a not-so-well hidden drinking problem and a fear of command. And, of course, you have the Cylon who doesn't know she's a Cylon - for, you see, these Cylons can look, feel, and act just like humans.

There is a rather large cast of major players in BSG, and an even larger cast of side characters who we get to know at least enough to have a feeling of where they're coming from.

The fun thing about BSG for the viewer is that these characters all interact in delightful ways. The new President - an unassuming Secretary of Education thrust into the position as the President and the cabinet died - deals with the stress of her role remarkably well, and begins playing politics with the best of them, only to subsequently receive drug-induced religious visions that twist her actions to defy logic. The by-the-books squad leader suddenly follows his instincts at the most unlikely time. The hotshot pilot breaks under the stress and lets some of her crippling emotional pain show through. The inadvertently traitorous scientist manages to somehow remain sympathetic as he's driven mad by the Cylons - even though we know he caused the downfall of man, on some level we still *want* him to get away with it all and redeem himself.

What you have is a bunch of characters who, while being mostly archetypical, are pushed into such difficult decisions and face such enormous stress that they end up showing some underlying depth beyond what we expect.

BSG is basically a study in how all of these characters deal with sequences of no-win scenarios. Every encounter with the Cylons could result in the end of the human race, and there is never a clearcut decision. Do you destroy that passenger ship that you suspect has been compromised and is carrying a Cylon nuke before it gets to the fleet? Do you abandon a personal friend who is stranded on a hostile planet and suspected dead, or do you wait for her despite knowing it's the wrong military decision and that you could be dooming your entire civilization?

It's this sort of gut-wrenching drama that makes BSG so different from most sci-fi. It's not moralistic and preachy (Star Trek: TNG), it's not silly and lighthearted alien blasting (Stargate SG-1), and it's not an epic struggle of good versus evil (Star Wars). What you have are likely characters in an unlikely situation, and more than any other sci-fi show I've seen this is a show about people. And while the Cylons are surely the bad guys, underneath everything they do is a motivation that we can't quite understand, but we have a sense that *something* is there - that the Cylons aren't just killing us for sport, that there's some grand purpose to everything they do.

The show that seems closest to BSG in my estimation is Babylon 5, but I think BSG works better on a more basic level. Even though B5 involved relatively complex people facing complex decisions, some of them were still wearing foam rubber costumes and globbing on a ton of makeup - stuff that's just really hard for a fan of dramas, but not necessarily of sci-fi, to take seriously. B5 was also more meticulous and lacked the urgency of BSG - in BSG *everything* happens so very quickly, and people are forced to respond with decisions that could doom or save everybody in the blink of an eye.

If you can suspend even a little disbelief and look past the space ships and robots, what you'll see in BSG is an impressive study of character interaction in situations where there can be no *right* action, only *some* action. I feel fairly safe in saying that BSG is the best show on TV right now, and I highly recommend it to anybody.

Our maintenance ran out on the commercial Linux mail/groupware package (SuSE OpenExchange) which had all this stuff bundled, so it's time to restart from scratch. OpenXchange, the open source core of the SuSE offering (which is now owned by Netline) is the product of choice. This time our LDAP database will also serve as the backend for a samba3 domain controller, which will be an LDAP slave, and will authenticate OS X and unix machines. Sound like fun? You betcha. The goal here is really to provide a scalable centralized authentication service and groupware portal that will work for various OSes and clients, effectively an open source (mostly, except for java) alternative to proprietary solutions like MS Server 2003.

Problems going in:

- I'm most familiar with Exim as an MTA. I'm competent with Sendmail. I know very little about Postfix except what I had to pick up to add some functionality to our previous solution
- OpenXchange has shitty documentation
- I'm more familiar with the Courier IMAP daemon, which is significantly simpler than Cyrus
- We need to migrate the mail spools from an existing IMAP server
- LDAP. I've been running LDAP already, but we've got a whole new set of requirements at this point, and I'm going to have to migrate over an existing LDAP database and add in new fields. Will I be able to populate them with what I need via a script? I think this will require something beyond bash, so it may be time to learn perl.

Given that, it's tempting to ask why the hell I've chosen this combo - a good question, but the answer is that a lot of the setup is required by openxchange. For the things I *do* have some say over (MTA and IMAP daemon), I felt it was better to use what SuSE themselves decided were the best options in their commercial product. Plus, at the end of the day, I'll know a lot more stuff.

Step 1: Choose a distribution.

There are a few valid options here:

Debian Stable (Sarge). I love Debian.
CentOS 3.x (RHEL 3 clone). CentOS is solid, and I already run this.
CentOS 4.x (RHEL 4 clone). No experience with 4, but presumably it'll be easy to pick up.
FreeBSD 5.4 RELEASE. I've used it in testing environments, never in production.

I opted for Debian, mainly because it's the easier to configure and maintain. There's a strong case to be made for CentOS 4 (3 I ruled out due to ancient versions of LDAP) since RHEL is pretty ubiquitous these days, but the lack of needed packages in that distribution means it would require more time to maintain. FreeBSD has all the packages, but of all the options I'm the least familiar with it, and the chance of stuff from ports breaking seems much higher than having breakage in Debian Stable or CentOS (since their packages are frozen and are only updated for critical bug fixes or security updates).

Step 1: Install Debian.

Easy. You should have no issues with this. Despite the grief it gets and the lack of any sort of GUI, Debian's installer is fast and effective. I always just do a minimal install and add what I need after the fact.

Step 2: Install Packages

There are quite a few things we'll specifically need here (along with all the dependencies that aptitude automatically manages), so we'll use aptitude to get this stuff. Note that you need to pull from "contrib" for at least some of these packages (and maybe non-free too, I always pull from both so...):

postfix cyrus21-imapd cyrus21-pop3 cyrus21-admin slapd ldap-utils gq libnss-ldap libpam-ldap xfree86-common xutils clamav-daemon amavisd-new sasl-bin xbase-clients

For Open-Xchange (more on this later) we'll need:

apache2-mpm-prefork apache2-prefork-dev libapache2-mod-php4 tomcat4 tomcat4-admin ant java-package

apache2-prefork-dev is needed to compile a mod_jk (needed for java, more on that later).

Debconf is going to ask a bunch of stuff, so answer to the best of your ability with the knowledge that you'll have to reconfigure everything at some point. Most of those packages are self explanatory, but gq you may not know - it's an X11 ldap browser. This is why we've got the X stuff in here as well, if you're curious.

Step 3 - Get stuff

Lots and lots of stuff needed here. You'll want to refer to this howto for the full list. This is a great resource for getting OX itself up and running as well, but we'll need some of this stuff to configure LDAP initially - namely we want to get the schema from the openxchange tarball.

Step 3 - Configure slapd.conf

If you haven't done this before, this is a great chance to learn. I'm migrating from an existing ldap server so I'm able to slapcat on the old one and slapadd on the new one, modifying and adding fields as needed - but starting from scratch is beyond the scope of this entry and is best achieved by using other resources.

However as I mentioned above we'll need to add the schema from the openxchange tarball, which is in /open-xchange-0.8.0-2/system/setup/openxchange.schema. Copy that to your /etc/ldap/schema/ directory and add it (along with other needed schemas, such as samba.schema) in your slapd.conf file.

Step 3 - PAM / NSS

Ah this one's a lot of fun. Once you have a working ldap directory, it's time to get it to work on all this jazz.

Let's hit NSS first. debconf would've helped set up /etc/libnss-ldap.conf, but it's important that it's set up properly. Make sure the entries match your environment:

base dc=yourdomain,dc=tld
ldap_version 3
pam_min_uid 10

If you've got entries with "posixAccount" attributes in different LDAP leaves (I have such a leaf for samba machines, which for some reason are added with this attribute - maybe a bug in the idealx samba scripts, though), you can restrict which leaves are searched with the following entries:

nss_base_passwd ou=Users,
nss_base_shadow ou=Users,
nss_base_group ou=Groups,

Now, edit /etc/nsswitch.conf so it'll check against ldap:

passwd: ldap files
group: ldap files
shadow: ldap files

Ready for PAM? I knew you were. First up is /etc/pam_ldap.conf, which can be set up exactly the same as /etc/libnss-ldap.conf. Confused? You might well be: on most distributions these two things are configured from the same file, usually /etc/ldap.conf, but Debian allows you to configure them independently. You could just symlink one to the other if you felt like it. I'm assuming this is done so you could (for example) have pam actually bind with admin rights (to change passwords and such) and have nss use anonymous lookups.

Once you have a working /etc/pam_ldap.conf, you need to set up pam itself to use ldap. Debian's pam.d contains 4 "common" config files referenced by other pam service entries, so setting those up should get any debian service working properly.

In /etc/pam.d/common-account:

account sufficient pam_ldap.so
account required pam_unix.so

It'll check LDAP first, and account info from that is sufficient. If not, it'll fall back to the local account database.

There's also /etc/pam.d/common-auth:

auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass

Same basic deal, this is for authentication. I have no idea what "nullok_secure" is, but it's always been present in any "auth required pam_unix.so" statement I've seen, so we keep it. Pam tries to auth against ldap first in this setup, and if it fails it'll fall back to local unix accounts. The "use_first_pass" directive tells pam to just use the password that failed against ldap for local accounts, and if you don't have it you'll be prompted twice when trying to log on as a UNIX account (such as, most notably, root). You don't want that to happen.

Now /etc/pam.d/common-password:

password sufficient pam_ldap.so
password required pam_unix.so use_first_pass nullok obscure min=4 max=8 md5

Same basic muckity muck here.

I also edited /etc/pam.d/common-session:

session optional pam_ldap.so
session sufficient pam_unix.so

I've read that you don't need that, but what the hell. Let's go all out.

That should do it for PAM. Make sure you can log in from both local and LDAP accounts, and you can check to make sure stuff works with "getent passwd"
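To see why the "sufficient pam_ldap.so, then required pam_unix.so" ordering behaves as described, here is a simplified model of how PAM walks a stack. It is an added example, not part of the original post; the function names are made up for illustration, only the four classic control flags are modelled, and the results of "optional" modules are ignored.

```python
# Added example: simplified model of PAM stack evaluation (illustrative names).
# [value=action] control syntax and include directives are not handled.

COMMON_AUTH = """\
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
"""  # the common-auth stack shown on this page

def parse_stack(text):
    """Return a list of (type, control, module, options) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        mtype, control, module, *opts = line.split()
        entries.append((mtype, control, module, opts))
    return entries

def evaluate(entries, results):
    """results maps module name -> True (success) or False (failure).
    Returns (granted, modules_consulted)."""
    failed_required = False
    any_success = False
    consulted = []
    for _type, control, module, _opts in entries:
        ok = results[module]
        consulted.append(module)
        if control == "requisite" and not ok:
            return False, consulted          # fail immediately
        if control == "required" and not ok:
            failed_required = True           # keep going, but stack fails
        if control == "sufficient" and ok and not failed_required:
            return True, consulted           # short-circuit on success
        if ok and control != "optional":
            any_success = True
    return (any_success and not failed_required), consulted

def reprompting_modules(entries):
    """Modules after the first that lack use_first_pass/try_first_pass
    and would therefore ask for the password a second time."""
    reuse = {"use_first_pass", "try_first_pass"}
    return [m for _t, _c, m, opts in entries[1:] if not reuse & set(opts)]
```

An LDAP user never reaches pam_unix.so, while a local account such as root fails pam_ldap.so first and is then checked by pam_unix.so with the same password.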


Fun fun... let's get started.

Debian Postfix runs chrooted, which is a blessing and a curse. Aside from standard postfix stuff (debconf gets you started) we need to make it work with LDAP, saslauthd, amavis, clamav, and SpamAssassin, and we want it to provide smtp auth. A lot of stuff going on here.

Let's look at

Recently I saw, again, the final round of a US Open golf tournament at Pinehurst. I'd seen the last one at that venue in 1999 as well, and my first trip to Pinehurst was for a PGA Tour tournament in the early 90s. I've also seen the GGO (now the GGCC) probably half a dozen times at Forest Oaks in Greensboro.

Golf - especially as a spectator sport - is one of those mysterious things that many people (including almost all females) just don't "get." "Isn't it boring to watch a bunch of guys hitting tiny balls with a stick?"

I don't know. Is it?

I like golf a lot. I don't suppose I like it because it's fast paced or action packed, but on a certain level the excitement is still there. I don't normally watch golf on TV (except for the majors, occasionally), but there's something compelling about seeing, in person, a group of people who are undisputedly the absolute best at what they do, even if it is something like hitting a tiny white ball around.

This year's Open was pretty exciting (as far as golf tournaments go) as Campbell, who had posted solid but unimpressive scores for the first 3 rounds, kept rising up the leaderboard by simply sticking near par. When I first saw him under par on the front 9, I had a feeling that he was going to win the whole thing - everybody else had been sliding, and sliding hard. Being the leader going into day 4 of the US Open doesn't necessarily mean anything, as Retief Goosen demonstrated - the leader and odds-on favorite to win as of his tee off on round 4, Goosen sank 11 strokes in the final round to drop off the leaderboard entirely by the end of the day.

Despite not winning, Tiger Woods was the guy who made this tournament interesting. While Campbell won by just playing solid golf all day long, Tiger's ups and downs had the crowd enthralled. Opening with 2 bogeys off the start (I saw both of them), he looked to be backsliding rapidly going in - and he was sitting about 7 strokes off the lead at one point. I was ready to write him off then, but he made several birdies to get back under par for the day and make it a great finish. Campbell walked up to the 18th hole with a 3 stroke lead over Woods, who was sitting in the clubhouse, and ended up bogeying the hole to win by 2 strokes. At that point you have to look back at Tiger's opening two bogeys, or his dreadful 3-putt on 17 from 10 feet, and you start to realize just how close this thing really was.

All in all, it was a great experience, and I don't know that I could've asked for a better way to spend Father's Day with my dad and uncle. My Grandfather unfortunately cancelled on us the previous night, and I can't really tell you how disappointing that was - golf is one of those few hobbies that the men in my family share, and to see my Grandfather ducking out of something like this on Father's Day makes me really worry about his mental health and wellbeing. It really was a disturbing shadow hanging over an otherwise wonderful event, and I just wish there's something I could do to help him.