
I've now seen every episode to date of Aaron McGruder's animated series "The Boondocks," which airs Sunday nights at 11 p.m. on the Cartoon Network of all places.

I'm not black. I don't really know that many black people. But from my perspective, this show seems to be so brutally honest and introspective into that community that it's a wonder it can get airtime at all.

Why HAVEN'T there been shows like this before? Is it too true? Too hard to swallow?

I don't know if I'm the target audience. I don't know if I have a RIGHT to watch this show, sit there and think - wow, that's how it IS.

To be fair, white people aren't spared by McGruder's wit either. When they do make an appearance, they're spot on as far as I can tell - rich folks blissfully detached from reality thanks to their ability to shape their own worlds with money. Spoiled kids trying their damnedest to be "gangsta" and coming across as the cowardly idiots they are.

But that's clearly not the main point of the show. For the most part the white people seem to exist to make the point that they're not TRYING to keep black people down - they simply don't CARE about them one way or another. To the last, a group so self-absorbed that race is wholly irrelevant.

I love iTunes.

But I hate DRM.

For those who don't know, Apple encrypts all your purchased music using a DRM scheme known as "fairplay." It's totally incompatible with anything other than iTunes and it locks you down with ridiculous restrictions.

Now, I use MythTV, and it plays AAC files. That's good. I also use mt-daapd, so I can connect to my home network and stream to any iTunes client. That, also, is good.

But I can't play fairplay music. That is not good.

So, for the past year or so that I've been using ITMS, I've been using a utility called jhymn to fix my broken purchases as soon as I made them. It let me turn DRM'd files into standard AACs that would work with all my devices. Rock.

Then came iTunes 6, and it stopped working.

So here's something Apple needs to understand - there are exactly two reasons that I used ITMS instead of just downloading whatever the hell I want from a peer to peer network. Reason 1: it's easier to find and download a usable copy of the stuff I want. Reason 2: I, you know, actually WANT to support my favorite artists.

In no way is the convenience of iTunes worth the price you pay. NEVER. It's in my best interest in every way to use a peer to peer network, even when the DRM is breakable - if I didn't have some nagging notion in the back of my skull that I should be paying for the stuff I use, I WOULD NEVER USE ITUNES.

So get this - when I get *defective* files from ITMS that don't even play on most of my devices, what exactly do you think I'm going to do? PAY you guys for an inferior version of something I can get for FREE? Not likely. I use ITMS to donate to Apple/the RIAA/the artists because I'm a fucking nice guy - and you're trying to stick it to me by selling me defective merchandise?

You're fucking yourself over - enjoy. Needless to say, I'm not buying anything from ITMS again until this is fixed.

It's something that most people are probably already aware of - if you're an average Joe, working for an average company, getting by in an average sort of way, you really have no say in how vast chunks of your life will play out.

Democracy ends where the company begins. There's so much chatter about "ownership" in this country, how every individual can have his slice of the ol' pie. But really it's all just that, chatter - ownership doesn't mean you actually own anything. Sure, you may own your car, or some day you may even own your house. But your fate is not your own - at the very least, 40 hours of your week will be spent doing something which you have almost no say or control over.

The notions of "ownership" and "democracy" don't extend to the private sector. You may be able to vote in a Presidential election, but what impact will that have on your daily existence? Very little, I'd wager, unless you work in the politics business. When one considers that so much of one's life is spent in duty not of one's country, but of one's *company*, it's interesting to note that on a personal level your freedom is sharply curtailed, and a large portion of your life is ruled by the "dictator" of your company.

They talk about ownership... stock options, 401Ks, what have you. But what sort of "ownership" is that, really? You're giving them your money to play with - you have no real say in what they do with it. You don't really "own" a part of your company, your company owns a part of you.

In a true capitalistic democracy, a company would not exist only to enhance its profit - a company would exist to serve both the people who work for it and the people who do business with it. I suppose that's the dream of the "big L" Libertarians - but it really is just that, a dream. In this day and age, companies are seldom groups of people working together; they're far more likely to be faceless entities run by a few corrupt individuals who shuffle people around to maximize profit.

As those researchers sent the first data across the wire years ago and breathed life into the ARPAnet, they actually had some idea of what was to come. I've heard interviews, and they were in some respects surprisingly prescient - if a bit overly optimistic - about the evolution of the global Internet and its facility for rapid data exchange between geographically remote locations.

No development has been quite as interesting to me as the free flow of previously arcane knowledge, and the spread of ideas despite authors' attempts to restrain them.

While the sum of human knowledge may not be instantly available to every man, woman, and child in my lifetime, I have high hopes that this is the ultimate destiny of the internet. Yes, there are technical barriers that must be overcome first, but I have little doubt that these will in time be addressed. More worrying to me are the social and legal problems - from poverty (the most obvious barrier to entry) to misguided notions of "intellectual property" (used to line corporate pockets at the expense of society), there are serious issues that must be addressed before we can realize the full potential of sharing collective knowledge as opposed to owning individual knowledge. Corporate interests (and, logically, their political extensions entrenched in various governments) have obvious, vested interests in maintaining the latter paradigm, but it remains to be seen if even they can leverage all that power and money to triumph over the basic human desire to learn and share. I think it's going to be rough for the oppressors in the long term, but - as they say - things may get worse before they get better.

Anyway, I'm interested in looking at how far we come, not only how far we have left to go.

There was a time, not so terribly long ago, that there were only a few ways for people to acquire knowledge that they were previously lacking. They could have a) asked around, hoping to be instructed by somebody else who already knew the information, b) dug through books or other static physical recordings of information to try to find the answer (which would likely have required a commute to a library), or c) tried to extrapolate the knowledge through observation and experimentation. For these reasons, it was highly important that a person not only devote a good bit of time to the initial acquisition of knowledge (either in a school, where all methods are employed, or in direct vocational training, where only a) and c) are used extensively), but that this person also have a relatively high capacity for retaining that knowledge in memory and producing it on demand.

Thus it is not surprising that our educational system served primarily as a method for providing students with knowledge, essentially cramming their heads full of information, and then trying to ensure that they retained it. Knowledge was (and still is) power - and, as we all know, knowing is half the battle.

As I grew up in the 80s and 90s, it seemed that some educators were embracing the notion that perhaps the devil isn't always in the details - at least when it comes to molding the mind of a well-rounded and productive member of society. Still, I was hardly safe from fact cramming, and several instructors took it upon themselves to try and fill our minds with useless trivia. A prime example of such an utterly worthless activity was when my entire class was forced to memorize the name and location of every county in the state of North Carolina. To this day, the exercise stands in my mind as a singularly pointless waste of time. What benefit would knowing this information conceivably provide? If I need to locate a county in the state, do I not have the ability to find it on a map? When will it ever be so vital that I know the name of an obscure county that I cannot take the time to look it up?

I mention this because, much as I could easily acquire that sort of general geographic information utilizing a readily available state map (you'd be hard pressed to find a gas station without one), I can now even more easily acquire all sorts of information utilizing access to the world wide web.

In short - a whole new class of knowledge has become commoditized.

It really is an exciting thing, when you think about it. People are free to share their knowledge, and others are free to easily find it (thanks to the likes of google). From history to car repair, from art to cooking... we can now instantly learn so many things it's simply staggering. We can know about virtually anything that is unrestricted by legal barriers (such as copyright or patent) within a few minutes.

The power of this should not be underestimated. Even now, as information is so readily available, a lot of emphasis is still placed on just what people already know, instead of on their potential to acquire and adjust to new information. Far more valuable, now and in the future, is a person's ability to think in universal terms and to create new solutions by both leveraging existing knowledge and expanding the communal knowledge base through research and reasoning.

In effect, thinking should carry far more weight than knowing. In a world where anybody can essentially know everything that has already been codified, knowing something becomes fairly meaningless - the real value is the ability to create entirely new knowledge and to apply existing knowledge in new ways.

Old is the new new. I wrote this months ago and forgot to submit it - doh!

I was never much of a music snob growing up. I listened to most of the same crap that everybody else listened to at whatever point in time it was - Dave Matthews, Metallica, R.E.M., U2, Nirvana, and the countless forgettable bands that enjoyed equal popularity but with shorter lifespans. I had my share of 80s music first, but at this point it's mostly a blur - maybe there was some Don Henley or some AC/DC or some Billy Joel or some Dire Straits floating around in there, but even though I *heard* the 80s music at the time I wouldn't say I was very musically *aware* until the early 90s - and even then, not so much.

So alterna-rock probably left the biggest impression on me, given that I was at that point old enough to have some notion of what I liked and didn't like. But really, I didn't ever get into the indie music scene - it was all stuff that I'd heard on the radio, or rarely something a friend picked up from somewhere.

So a decade or so later I see this movie called Fight Club, and at the end of this movie is this incredible guitar riff as the financial district crashes down around us. The song continued on into the credits and it was somehow perfect for the movie - I liked it, but had no idea who did it or what it was called.

Later I found out who it was - the Pixies - and finally broke down and bought one of their albums ("Surfer Rosa") when I heard a David Bowie cover of "Cactus." If Bowie thinks they're worth covering, then they must be for real...

So fast forward to now - I finally get the chance to see the Pixies in concert, after solo careers and a long separation, they're back in the game.

The Pixies rock. They rock in a way that all the wanna-be alterna-grungers clearly wish they could emulate. You can hear Nirvana and Soundgarden and all the other Seattle bands give it their all, but the Pixies came first and they did it better. And man, they still have it - other than an early misstep on "Bone Machine" they were nearly flawless. Too bad the house audio equipment was so lousy and the amps were jacked up way too high, but it was a killer concert nonetheless.

This hypothetical scenario was presented in an issue of National Geographic about a year ago. Remember that, according to our beloved politicians, what happened in New Orleans could not have been anticipated...

It was a broiling August afternoon in New Orleans, Louisiana, the Big Easy, the City That Care Forgot. Those who ventured outside moved as if they were swimming in tupelo honey. Those inside paid silent homage to the man who invented air-conditioning as they watched TV "storm teams" warn of a hurricane in the Gulf of Mexico. Nothing surprising there: Hurricanes in August are as much a part of life in this town as hangovers on Ash Wednesday.

But the next day the storm gathered steam and drew a bead on the city. As the whirling maelstrom approached the coast, more than a million people evacuated to higher ground. Some 200,000 remained, however—the car-less, the homeless, the aged and infirm, and those die-hard New Orleanians who look for any excuse to throw a party.

The storm hit Breton Sound with the fury of a nuclear warhead, pushing a deadly storm surge into Lake Pontchartrain. The water crept to the top of the massive berm that holds back the lake and then spilled over. Nearly 80 percent of New Orleans lies below sea level—more than eight feet below in places—so the water poured in. A liquid brown wall washed over the brick ranch homes of Gentilly, over the clapboard houses of the Ninth Ward, over the white-columned porches of the Garden District, until it raced through the bars and strip joints on Bourbon Street like the pale rider of the Apocalypse. As it reached 25 feet (eight meters) over parts of the city, people climbed onto roofs to escape it.

Thousands drowned in the murky brew that was soon contaminated by sewage and industrial waste. Thousands more who survived the flood later perished from dehydration and disease as they waited to be rescued. It took two months to pump the city dry, and by then the Big Easy was buried under a blanket of putrid sediment, a million people were homeless, and 50,000 were dead. It was the worst natural disaster in the history of the United States.

When did this calamity happen? It hasn't—yet. But the doomsday scenario is not far-fetched. The Federal Emergency Management Agency lists a hurricane strike on New Orleans as one of the most dire threats to the nation, up there with a large earthquake in California or a terrorist attack on New York City. Even the Red Cross no longer opens hurricane shelters in the city, claiming the risk to its workers is too great.

"The killer for Louisiana is a Category Three storm at 72 hours before landfall that becomes a Category Four at 48 hours and a Category Five at 24 hours—coming from the worst direction," says Joe Suhayda, a retired coastal engineer at Louisiana State University who has spent 30 years studying the coast. Suhayda is sitting in a lakefront restaurant on an actual August afternoon sipping lemonade and talking about the chinks in the city's hurricane armor. "I don't think people realize how precarious we are," Suhayda says, watching sailboats glide by. "Our technology is great when it works. But when it fails, it's going to make things much worse."

I've gone and done it now, I've quit my job. I did this with another job already lined up and with an offer letter in hand, but it doesn't really change the fact that I'm in for a major transition.

Mobile content is their game. Whatever that means. I'm sure it's something super-cool, and it's buzzword worthy if nothing else.

The company has one of those happening late-90s-style dot-com offices, with coders plopped down in front of their pretty LCD monitors, caffeinated beverages at hand, and nerf guns at the ready. Nice open spaces, chill lighting, a foosball table in the breakroom, blinking lights coming from the hardware residing behind glass doors (that are glass, presumably, to show off the blinking lights).

On the one hand, I'm thinking "cool!" but on the other I recognize all the signs of a situation that's simply not sustainable. Indeed, my very job will be something that seems like it could float away on a whim - I'm the Linux Guy, but my main role initially will be to help migrate some systems to an Active Directory environment. Yeah, lots of job security there.

I took the job knowing it'd be... well that it'd be an experience, and god knows I need an experience of some sort. I'm in a pretty substantial rut at this point, personally and professionally - I migrated all the systems here over to Debian (which went very well) recently, but I'm afraid that I'm running out of things to do in my current position. And personally, well... does World of Warcraft count as a social life? No? Didn't think so.

Do I think this company will be around in 5 years? I don't know, maybe. Do I think I'll be working for the same company even if they *are* around in 5 years? I doubt that. But the worst thing I could possibly do at this point in my life would be to become complacent and lethargic, coasting along at my current position... and god knows I've fucked things up by coasting in the past. I need to be challenged or I'll let my mind drift and waste away, which isn't doing me any damn good.

Underlying everything though is a deep founded concern that I'm sliding into a doomed career, and that I should really be trying to bail myself out before I get in too deep. Will I manage to hang in there to become one of those wisened sysadmins, knowing every system inside and out, who have become so invaluable due to their wide range of expertise? Or will I, like so many others, fall by the wayside as ever improving automation whittles away at the job market?

It's a little unnerving to think that as technology advances I'm in a field that will require fewer and fewer people - though, I suppose, the same could be said for most fields; the sysadmin is just likely to be the first to feel the pain.

A part of me thinks I should go to a community college and really learn how to be a technical writer. As long as there are products, there will be documentation - and there is no artificial intelligence or program that can possibly change that fact. It's a field with longevity, one that will survive, and as I understand it writing skills are becoming less and less common in the workforce. I don't claim to be a brilliant writer, but I'm certainly competent enough to hold a job of some sort where my primary duty is to put words together.

Am I getting in too deep? Am I burying myself under a load of experience that's going to preclude such a career jump in the future? I think that's a valid concern, and it's something that continues to bother me. For the short term this is undoubtedly the most lucrative path for me to follow, but what about in 5 years? 10?

I suppose only time will tell.

This has gotta go down as one of the crappiest weekends in recent memory.

Crappy aspect numero uno - full work day and then some Saturday.

The migration to new servers finally hit the fan, and I wasn't nearly as well prepared as I should've been. My time estimates were drastically off and I had tons of problems I'd failed to consider.

Right now things seem to be mostly kosher. This is the most challenging project I've ever headed up in my professional career, and I'm working without a safety net every step of the way. I haven't *done* this before. I feel like something of a fraud, leading boldly forward but just praying I don't fuck things up horribly.

Crappy aspect part b - I don't understand women at all.

I could expand upon that generality, but I imagine it stands well enough on its own.

Who would've thought the best drama on TV would be a remake of a campy, late 70s sci-fi disaster? Hey, I didn't - when I first heard of the BSG miniseries I vowed to never, ever watch it. This is from the channel that brought us such memorable made-for-TV movies as "Mansquito," and managed to completely misuse Bruce Campbell's talents in the depressingly bad "Alien Apocalypse" - an intentionally cheesy flick that somehow failed on every possible level.

But here we are. The new BSG is a re-envisioning of the basic concepts behind the late 70s failure, but it would be a horrible mistake to think of this as a true remake. Some of the names are the same, some of the style can be seen in costume and set design, and the basic premise - that a ragtag fleet of humans is desperately forging on after their entire civilization is destroyed by the Cylons - is intact. At its core, though, this is a very different type of series aimed for a very different type of viewer, and it's probably the most "grown up" sci-fi I've ever seen on TV.

Picture, if you will, a group of characters who have just had everything they know destroyed by an enemy they created (in this BSG, the Cylons were made by man, became self-aware, rebelled, yadda yadda). You have the aging commander, pulled back into the service right as he was about to retire. You have the gritty officer fighting a not-so-well hidden drinking problem and a fear of command. And, of course, you have the Cylon who doesn't know she's a Cylon - for, you see, these Cylons can look, feel, and act just like humans.

There is a rather large cast of major players in BSG, and an even larger cast of side characters who we get to know at least enough to have a feeling of where they're coming from.

The fun thing about BSG for the viewer is that these characters all interact in delightful ways. The new President - an unassuming Secretary of Education thrust into the position as the President and the cabinet died - deals with the stress of her role remarkably well, and begins playing politics with the best of them, only to subsequently receive drug-induced religious visions that twist her actions to defy logic. The by-the-books squad leader suddenly follows his instincts at the most unlikely time. The hotshot pilot breaks under the stress and lets some of her crippling emotional pain show through. The inadvertently traitorous scientist manages to somehow remain sympathetic as he's driven mad by the Cylons - even though we know he caused the downfall of man, on some level we still *want* him to get away with it all and redeem himself.

What you have is a bunch of characters who, while being mostly archetypical, are pushed into such difficult decisions and face such enormous stress that they end up showing some underlying depth beyond what we expect.

BSG is basically a study in how all of these characters deal with sequences of no-win scenarios. Every encounter with the Cylons could result in the end of the human race, and there is never a clearcut decision. Do you destroy that passenger ship that you suspect has been compromised and is carrying a Cylon nuke before it gets to the fleet? Do you abandon a personal friend who is stranded on a hostile planet and suspected dead, or do you wait for her despite knowing it's the wrong military decision and that you could be dooming your entire civilization?

It's this sort of gut-wrenching drama that makes BSG so different from most sci-fi. It's not moralistic and preachy (Star Trek: TNG), it's not silly and lighthearted alien blasting (Stargate SG:1), and it's not an epic struggle of good versus evil (Star Wars). What you have are likely characters in an unlikely situation, and more than any other sci-fi show I've seen this is a show about people. And while the Cylons are surely the bad guys, underneath everything they do is a motivation that we can't quite understand, but we have a sense that *something* is there - that the Cylons aren't just killing us for sport, that there's some grand purpose to everything they do.

The show that seems closest to BSG in my estimation is Babylon 5, but I think BSG works better on a more basic level. Even though B5 involved relatively complex people facing complex decisions, some of them were still wearing foam rubber costumes and globbing on a ton of makeup - stuff that's just really hard for a fan of dramas, but not necessarily of sci-fi, to take seriously. B5 was also more meticulous and lacked the urgency of BSG - in BSG *everything* happens so very quickly, and people are forced to respond with decisions that could doom or save everybody in the blink of an eye.

If you can suspend even a little disbelief and look past the space ships and robots, what you'll see in BSG is an impressive study of character interaction in situations where there can be no *right* action, only *some* action. I feel fairly safe in saying that BSG is the best show on TV right now, and I highly recommend it to anybody.

Our maintenance ran out on the commercial Linux mail/groupware package (SuSE OpenExchange) which had all this stuff bundled, so it's time to restart from scratch. OpenXchange, the open source core of the SuSE offering (which is now owned by Netline) is the product of choice. This time our LDAP database will also serve as the backend for a samba3 domain controller, which will be an LDAP slave, and will authenticate OS X and unix machines. Sound like fun? You betcha. The goal here is really to provide a scalable centralized authentication service and groupware portal that will work for various OSes and clients, effectively an open source (mostly, except for java) alternative to proprietary solutions like MS Server 2003.

Problems going in:

- I'm most familiar with Exim as an MTA. I'm competent with Sendmail. I know very little about Postfix except what I had to pick up to add some functionality to our previous solution
- OpenXchange has shitty documentation
- I'm more familiar with the Courier IMAP daemon, which is significantly simpler than Cyrus
- We need to migrate the mail spools from an existing IMAP server
- LDAP. I've been running LDAP already, but we've got a whole new set of requirements at this point, and I'm going to have to migrate over an existing LDAP database and add in new fields. Will I be able to populate them with what I need via a script? I think this will require something beyond bash, so it may be time to learn perl.

Given that, it's tempting to ask why the hell I've chosen this combo - a good question, but the answer is that a lot of the setup is required by openxchange. For the things I *do* have some say over (MTA and IMAP daemon), I felt it was better to use what SuSE themselves decided were the best options in their commercial product. Plus, at the end of the day, I'll know a lot more stuff.

Step 1: Choose a distribution.

There are a few valid options here:

- Debian Stable (Sarge). I love Debian.
- CentOS 3.x (RHEL 3 clone). CentOS is solid, and I already run this.
- CentOS 4.x (RHEL 4 clone). No experience with 4, but presumably it'll be easy to pick up.
- FreeBSD 5.4 RELEASE. I've used it in testing environments, never in production.

I opted for Debian, mainly because it's the easiest to configure and maintain. There's a strong case to be made for CentOS 4 (3 I ruled out due to ancient versions of LDAP) since RHEL is pretty ubiquitous these days, but the lack of needed packages in that distribution means it would require more time to maintain. FreeBSD has all the packages, but of all the options I'm the least familiar with it, and the chance of stuff from ports breaking seems much higher than having breakage in Debian Stable or CentOS (since their packages are frozen and are only updated for critical bug fixes or security updates).

Step 2: Install Debian.

Easy. You should have no issues with this. Despite the grief it gets and the lack of any sort of GUI, Debian's installer is fast and effective. I always just do a minimal install and add what I need after the fact.

Step 3: Install Packages

There are quite a few things we'll specifically need here (along with all the dependencies that aptitude automatically manages), so we'll use aptitude to get this stuff. Note that you need to pull from "contrib" for at least some of these packages (and maybe non-free too, I always pull from both so...):

postfix cyrus21-imapd cyrus21-pop3 cyrus21-admin slapd ldap-utils gq libnss-ldap libpam-ldap xfree86-common xutils clamav-daemon amavisd-new sasl-bin xbase-clients

For Open-Xchange (more on this later) we'll need:

apache2-mpm-prefork apache2-prefork-dev libapache2-mod-php4 tomcat4 tomcat4-admin ant java-package

apache2-prefork-dev is needed to compile mod_jk (needed for java, more on that later).

Debconf is going to ask a bunch of stuff, so answer to the best of your ability with the knowledge that you'll have to reconfigure everything at some point. Most of those packages are self-explanatory, but gq you may not know - it's an X11 LDAP browser. This is why we've got the X stuff in here as well, if you're curious.

Step 4: Get stuff

Lots and lots of stuff needed here. You'll want to refer to this howto for the full list. This is a great resource for getting OX itself up and running as well, but we'll need some of this stuff to configure LDAP initially - namely we want to get the schema from the openxchange tarball.

Step 5: Configure slapd.conf

If you haven't done this before, this is a great chance to learn. I'm migrating from an existing LDAP server so I'm able to slapcat on the old one and slapadd on the new one, modifying and adding fields as needed - but starting from scratch is beyond the scope of this entry and is best achieved by using other resources.

However as I mentioned above we'll need to add the schema from the openxchange tarball, which is in /open-xchange-0.8.0-2/system/setup/openxchange.schema. Copy that to your /etc/ldap/schema/ directory and add it (along with other needed schemas, such as samba.schema) in your slapd.conf file.

Step 6: PAM / NSS

Ah this one's a lot of fun. Once you have a working ldap directory, it's time to get it to work on all this jazz.

Let's hit NSS first. debconf would've helped set up /etc/libnss-ldap.conf, but it's important that it's set up properly. Make sure the entries match your environment:

base dc=yourdomain,dc=tld
ldap_version 3
pam_min_uid 10

If you've got entries with "posixAccount" attributes in different LDAP leaves (I have such a leaf for samba machines, which for some reason are added with this attribute - maybe a bug in the idealx samba scripts, though), you can restrict which leaves are searched with the following entries:

nss_base_passwd ou=Users,
nss_base_shadow ou=Users,
nss_base_group ou=Groups,

Now, edit /etc/nsswitch.conf so it'll check against ldap:

passwd: ldap files
group: ldap files
shadow: ldap files

Ready for PAM? I knew you were. First up is /etc/pam_ldap.conf, which can be set up exactly the same as /etc/libnss-ldap.conf. Confused? You might well be; on most distributions these two things are configured from the same file, usually /etc/ldap.conf, but Debian allows you to configure them independently. You could just symlink one to the other if you felt like it. I'm assuming this is done so you could (for example) have PAM actually bind with admin rights (to change passwords and such) and have NSS use anonymous lookups.

Once you have a working /etc/pam_ldap.conf, you need to set up PAM itself to use LDAP. Debian's pam.d contains 4 "common" config files referenced by other PAM service entries, so setting those up should get any Debian service working properly.

In /etc/pam.d/common-account:

account sufficient pam_ldap.so
account required pam_unix.so

It'll check LDAP first, and account info from that is sufficient. If not, it'll fall over to the local account database.

There's also /etc/pam.d/common-auth:

auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass

Same basic deal, this is for authentication. I have no idea what "nullok_secure" is, but it's always been present in any "auth required pam_unix.so" statement I've seen, so we keep it. PAM tries to auth against LDAP first in this setup, and if it fails it'll fall back to local unix accounts. The "use_first_pass" directive tells PAM to just use the password that failed against LDAP for local accounts, and if you don't have it you'll be prompted twice when trying to log on as a UNIX account (such as, most notably, root). You don't want that to happen.

Now /etc/pam.d/common-password:

password sufficient pam_ldap.so
password required pam_unix.so use_first_pass nullok obscure min=4 max=8 md5

Same basic muckity muck here.

I also edited /etc/pam.d/common-session:

session optional pam_ldap.so
session sufficient pam_unix.so

I've read that you don't need that, but what the hell. Let's go all out.

That should do it for PAM. Make sure you can log in from both local and LDAP accounts, and you can check that NSS lookups work with "getent passwd".
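As an added check (example code written for this entry, not part of the original post or of Debian's own tooling), the following Python script parses the four common-* stacks shown above, evaluates them under Linux-PAM's required / requisite / sufficient / optional rules, and lints for the two mistakes the setup above avoids: pam_ldap marked required (which locks out local accounts such as root whenever LDAP is unreachable) and pam_unix without use_first_pass after pam_ldap (the double password prompt). The four stack texts are embedded as constructed sample input; the scenario labels and lint rules are my own, the control-flag semantics follow Linux-PAM.

```python
"""Simulate Linux-PAM control flags on Debian's common-* stacks.

Added example, not from the original post. Parses PAM stack lines,
evaluates them with the required / requisite / sufficient / optional
rules Linux-PAM uses, and flags misconfigurations that would lock out
local accounts or prompt for the password twice.
"""
from dataclasses import dataclass, field

# Constructed sample input: the four stacks exactly as given in the post.
SAMPLE_STACKS = {
    "common-account": "account sufficient pam_ldap.so\n"
                      "account required pam_unix.so\n",
    "common-auth": "auth sufficient pam_ldap.so\n"
                   "auth required pam_unix.so nullok_secure use_first_pass\n",
    "common-password": "password sufficient pam_ldap.so\n"
                       "password required pam_unix.so use_first_pass nullok obscure min=4 max=8 md5\n",
    "common-session": "session optional pam_ldap.so\n"
                      "session sufficient pam_unix.so\n",
}


@dataclass
class Entry:
    type_: str      # account / auth / password / session
    control: str    # required / requisite / sufficient / optional
    module: str     # e.g. pam_ldap.so
    args: list = field(default_factory=list)


def parse_stack(text):
    """Parse one common-* file into Entry objects (comments and blanks skipped)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {line!r}")
        entries.append(Entry(parts[0], parts[1], parts[2], parts[3:]))
    return entries


def evaluate(entries, succeeds):
    """Return True if the stack grants access.

    `succeeds` is the set of module names returning PAM_SUCCESS in the
    simulated scenario; every other module is treated as failing.
    Mirrors Linux-PAM: a 'required' failure is remembered but the stack
    keeps running; a 'requisite' failure aborts at once; a 'sufficient'
    success ends the stack with success unless a required module already
    failed; 'optional' only counts while nothing else has decided.
    """
    impression = None  # None = undecided, True = positive, False = negative
    for e in entries:
        ok = e.module in succeeds
        if e.control in ("required", "requisite"):
            if ok:
                if impression is None:
                    impression = True
            else:
                impression = False
                if e.control == "requisite":
                    return False
        elif e.control == "sufficient":
            if ok and impression is not False:
                return True
        elif e.control == "optional":
            if ok and impression is None:
                impression = True
        else:
            raise ValueError(f"unsupported control flag: {e.control!r}")
    return impression is True


def lint_stack(entries):
    """Flag the two misconfigurations the post's stacks avoid."""
    warnings = []
    seen_ldap = False
    for e in entries:
        if e.module == "pam_ldap.so":
            seen_ldap = True
            if e.control in ("required", "requisite"):
                warnings.append(
                    f"{e.type_}: pam_ldap.so is {e.control}; local accounts "
                    "(including root) cannot log in if LDAP is unreachable")
        if (e.module == "pam_unix.so" and seen_ldap
                and e.type_ in ("auth", "password")
                and "use_first_pass" not in e.args):
            warnings.append(
                f"{e.type_}: pam_unix.so lacks use_first_pass; local users "
                "will be prompted for their password twice")
    return warnings


def simulate(stack_text):
    """Outcome of one stack for the three cases worth checking by hand."""
    entries = parse_stack(stack_text)
    return {
        "ldap user": evaluate(entries, {"pam_ldap.so"}),
        "local user (or LDAP down)": evaluate(entries, {"pam_unix.so"}),
        "unknown user": evaluate(entries, set()),
    }


if __name__ == "__main__":
    for name, text in SAMPLE_STACKS.items():
        print(name, simulate(text), lint_stack(parse_stack(text)))
```

Run it as-is to see that every stack above admits LDAP users, still admits local users when pam_ldap fails (the LDAP-down case), and rejects unknown users with no warnings; then feed it a stack with "auth required pam_ldap.so" to see the local-user case flip to False and the lint fire.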


Fun fun... let's get started.

Debian Postfix runs chrooted, which is a blessing and a curse. Aside from standard Postfix stuff (debconf gets you started) we need to make it work with LDAP, saslauthd, amavis, clamav, and SpamAssassin, and we want it to provide SMTP AUTH. A lot of stuff going on here.

Let's look at