To all my geek/nerd friends in the blogosphere: I’ll be posting updates on Fedora Directory Server, my Linux training courses, and more in the coming weeks, but I wanted to let you know that I’ve recently been stricken with… umm… Twitter. I’m @bkjones on twitter, so if you’re into beer, brewing, billiards, cooking, guitar/music, linux, system administration, perl, shell, python, php, databases, sql, or anything like that, lemme know, or follow me!
I know, I know. I haven’t been posting nearly enough. But I did come across two URLs that are too handy not to pass on:
- Command-line-fu: this is a repository of handy one-liners submitted by pretty much anyone. You can log in with OpenID or register on the site itself. I expect this, or something like it, will become a great resource. You can browse the sweet one-liner goodness, or “grep the archive”. Nice.
- Down for Everyone or Just me? is a site that’s handy to know about if you’re, say, holed up in a hotel room, forgot to set up port forwarding on your FIOS router, and so don’t have a remote shell to test from, and you can’t reach a site. Pop the URL into this site, and it’ll test access for you. Of course, it’s limited — it’ll change URLs with “:22” to “%3A22”, so you’re not going to get it to be a generic service tester, but still… handy!
The last time I had to do a NIS->LDAP migration, it was in a heterogeneous environment with Solaris and Linux boxes, and it was around 2004 or so. Although I hit some rough patches adjusting to changes in how FDS is packaged, the community was awesome, and helped me get back up to speed in no time. We shouldn’t forget that the community was what drove me from OpenLDAP to FDS in the first place.
But I digress. The purpose of this article (first of a series) is to share with you some technical information about how to get things going. How, exactly, do you get RHEL 4, and RHEL 5 to utilize Fedora Directory Server’s data to support NSS and PAM for user information and authentication, and autofs for automounting directories? There are documents on this, written by people who clearly do (or did) care, but at times they can be a little disjointed, a little outdated, and require some tweaking.
This document talks specifically about installing the fedora-ds-1.1.2-1.fc6 package on RHEL 5.2, populating the People and Groups trees, and testing that it actually works. Later posts will deal with getting RHEL 4 and 5 clients to talk to it for various purposes, using TLS (with certificate verification, btw).
If your real issue is understanding how LDAP data works, why it looks the way it does, or you need a refresher, I would urge you to look at two other articles I wrote for O’Reilly, devoted completely to the topic: here, and here.
Get it installed
There is no precompiled binary package of Fedora Directory Server built specifically for Red Hat Enterprise Server (because Red Hat, of course, provides that, with support, for a fee). If you want to run FDS for free on a RHEL server, the installation process is somewhat non-trivial. First, you must add a couple of new package repositories to your yum configuration:
cd /etc/yum.repos.d/
sudo wget http://directory.fedoraproject.org/sources/idmcommon.repo
sudo wget http://directory.fedoraproject.org/sources/dirsrv.repo
Then, you’ll need to import a couple of keys in order to verify signatures of the packages we’ll install:
sudo rpm --import \
  http://archives.fedoraproject.org/pub/archive/fedora/linux/core/6/i386/os/RPM-GPG-KEY-fedora
sudo rpm --import \
  http://archives.fedoraproject.org/pub/archive/fedora/linux/core/6/i386/os/RPM-GPG-KEY-Fedora-Extras
Next, install some prerequisite packages (you could do this first – these come from standard repositories, not the new ones we added):
sudo yum install svrcore mozldap perl-Mozilla-LDAP libicu
You’ll need jss, and I wasn’t able to get it via a repository, so I downloaded it using a URL directly:
sudo rpm -ivh http://download.fedoraproject.org/pub/fedora/linux/extras/6/x86_64/jss-4.2.5-1.fc6.x86_64.rpm
Next, install ldapjdk (used by the FDS console application), and finally, the directory server itself:
sudo yum install ldapjdk
sudo yum install fedora-ds
With these packages installed, the next thing to check is that permissions are set up correctly; otherwise the initial setup script will fail:
sudo chown -R nobody:nobody /var/lock/dirsrv; sudo chmod -R u=rwX,go= /var/lock/dirsrv
sudo chown nobody:nobody /var/run/dirsrv; sudo chmod -R u=rwX,go= /var/run/dirsrv
Finally, run the setup script which was installed with the fedora-ds package:
Populating the Directory
The directory initially consists of a top-level entry representing the domain, and by default, FDS creates for you two “organizational units”, which are subtrees representing “People” and “Groups”. I’ll create an LDIF file for the Groups first, but there’s no reason to go in any particular order. We’re just adding data, and LDAP isn’t relational: you can add People objects who are members of Groups that aren’t in the tree yet. Here’s my LDIF file for the groups:
dn: cn=wheel,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: wheel
gidNumber: 1000
memberUid: jonesy
memberUid: tasha
memberUid: molly

dn: cn=eng,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: eng
gidNumber: 1001
For the moment, only ‘wheel’ contains any actual members. No biggie, you can add members to groups later, or add more groups later whenever you want. Once the clients are configured, there’s no restarting of anything to get them to pick up changes to data in the LDAP data.
It’s easy to use the OpenLDAP tools to add data to FDS, but I’m going to use the FDS-supplied tool here to insert this data:
/usr/lib64/mozldap/ldapmodify -a -D "cn=Directory Manager" -w - -h localhost -p 389 -f ~/groups.ldif -c
If you’re familiar with the OpenLDAP tools, this probably doesn’t look too scary. The OpenLDAP tools require a ‘-x’ flag to bypass SASL. Aside from that, pretty straightforward.
To populate the “People” tree in FDS, or any other LDAP product, I wrote a really cheesy awk script that I can pipe the contents of /etc/passwd or ‘ypcat passwd’ through and get good results with only minor tweaking. Redirect the output to a file called ‘people.ldif’, and then you can populate your “People” tree:
/usr/lib64/mozldap/ldapmodify -a -D "cn=Directory Manager" -w - -h localhost -p 389 -f ~/people.ldif
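One way such a passwd-to-LDIF conversion can look, as an added example and not the author's awk script (which the post does not show). The function names, the `BASE_DN` and `MIN_UID` variables, the `account` object class and the sample lines are assumptions made here; password hashes are deliberately left out of the output, and login names that could alter the DN are rejected.

```shell
# Added example, not the author's awk script. Reads passwd-format lines on
# stdin and writes posixAccount LDIF on stdout.
# Assumed defaults: BASE_DN, MIN_UID=500, structural objectClass "account".
passwd_to_ldif() {
    LC_ALL=C awk -F: -v base="${BASE_DN:-ou=People,dc=example,dc=com}" \
                     -v min_uid="${MIN_UID:-500}" '
    # Drop comments, NIS compat entries (+user, -user) and malformed lines.
    /^[#+-]/ || NF != 7 { next }
    {
        login = $1; uid = $3; gid = $4; home = $6; shell = $7
        # The login becomes part of the DN: reject anything that could
        # alter it (commas, equals or plus signs, spaces, non-ASCII).
        if (login !~ /^[A-Za-z_][A-Za-z0-9_.-]*$/) {
            print "skipped line " NR ": unsafe login name" > "/dev/stderr"
            next
        }
        if (uid !~ /^[0-9]+$/ || gid !~ /^[0-9]+$/ || home == "") next
        if (uid + 0 < min_uid + 0) next   # system accounts stay local
        # cn is the first GECOS subfield; use the login if it is empty or
        # would need base64 encoding in LDIF.
        split($5, g, ","); cn = g[1]
        if (cn == "" || cn ~ /^[ :<]/ || cn ~ / $/ || cn ~ /[^ -~]/) cn = login
        print "dn: uid=" login "," base
        print "objectClass: top\nobjectClass: account\nobjectClass: posixAccount"
        print "uid: " login
        print "cn: " cn
        print "uidNumber: " uid
        print "gidNumber: " gid
        print "homeDirectory: " home
        if (shell != "") print "loginShell: " shell
        # Field 2 (password hash or "x") is never copied into the LDIF.
        print ""                          # blank line ends the entry
    }'
}

# Constructed sample input, for illustration only.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
jonesy:x:1000:1000:Brian Jones,Room 1,,:/home/jonesy:/bin/bash
tasha:x:1001:1000::/home/tasha:/bin/bash
+::::::
bad,ou=Groups:x:1002:1000:Constructed:/home/bad:/bin/sh
EOF
}

sample_passwd | passwd_to_ldif
```

On the sample input only `jonesy` and `tasha` are emitted: the system account, the NIS compat line and the login containing a comma are skipped.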
At any time, you can verify that your FDS installation is returning results by running a query like this:
/usr/lib64/mozldap/ldapsearch -b dc=example,dc=com objectclass=organizationalUnit
I have a few more posts to follow this one. One is on getting SSL/TLS working (either one, perhaps both), creating a root CA and setting things up with certutil, another on getting the RHEL 4 and 5 clients to use LDAP, and another separate one for configuring autofs to talk to LDAP, which is a little different between RHEL 4 and 5. Subscribe to this blog in your reader to be updated as those posts come out over the next 2 weeks.
Last night I discovered likaholix.com and was able to get an account during their beta phase testing. You can see my likaholix page here, but I thought I’d take a few minutes to jot down some initial thoughts about it, because I do think it’s interesting.
Likaholix makes it Mind Numbingly Easy™ to quickly “like” something. To do that, all you do is type in a title for the thing you like, and then type a short description telling people why you like it. Then, add a couple of tags so the site can easily categorize your likes, making them easier for visitors to find.
Why is this cool? Well, a few reasons:
- The huge masses of internet users happen to really like reading reviews. This is pretty easy to prove. Go to technorati.com and you’ll see that sites like Engadget and Gizmodo and other sites that do reviews are among the most highly trafficked sites. Other sites that aren’t blogs, like CNET, are also enormously popular. And what’s your favorite feature of Amazon? I know what mine is: customer reviews!!
- The huge masses of internet users don’t really write thorough reviews, because they’re long and take time and more effort than you might think. However, just about anyone can tell you in 5 seconds or less why they like something, and are usually happy to do so.
- The huge masses of internet users don’t really read thorough reviews, because they’re just too damn long. I mean, sure, if you’re making a major purchase in your life, you might read every letter you can find about a product, but for many things, people just want the bullet points. I’m not aware of a limit on the number of characters you can use in your descriptions on likaholix, but it certainly doesn’t encourage you to ramble on, like, say, this WordPress interface does.
- The huge masses of internet users love the idea of being a trend setter, which likaholix facilitates. Perhaps even more, they tend to follow and respond to trends, and likaholix facilitates that, too, by making it really easy to connect with other people, assigning credibility points to users making them “tastemakers” in certain areas, and making it really easy to find recommendations for whatever you’re interested in.
- It’s appealing to huge masses of internet users, because it is, by definition, not specialized. You can like anything, and so this becomes sort of the internet equivalent to the “show about nothing”, Seinfeld, which if you remember, was hugely popular.
Of course, with the good comes the bad. There’s nothing really bad about likaholix, and the product is still in beta, so it’s very likely that it’ll change, but here are some quirks I noted:
- There’s no feedback link! Why have people sign up for a beta if they have no interface to tell you what’s going on, why they like/don’t like, etc? That goes beyond bad into this really bizarro world of… bizarreness.
- When you put in a title for your new like, likaholix tries to find a URL for what you’re about to describe. If you pick one of those URL’s, it changes your title to whatever the page title is of the URL you chose. That’s bad, because a) I would say most sites don’t pay proper attention to what their page titles should look like, and b) I typed in my title for a reason. Please don’t subvert my attempt to communicate through the use of an effective title.
- Also, when you type in a title, while you’re typing, there’s a drop down that’ll appear with suggested completions. This is, unfortunately, too clunky and slow to be effective. Several times something would appear, and the right choice would barely have time to catch my eye before disappearing again. This is probably due to lag between results being generated and my typing. This means I’m sitting there pushing the back button, maybe a few times, then typing letter by letter very slowly until it comes back. At least the results are cached; I was usually able to get back to the right set of results and pick what I intended.
- You can only be a tastemaker in two categories, and that kinda sucks, but I think I understand why that is: they’d probably like you to focus on one or two areas and “own the topic”, which is a big catch-phrase in the blogosphere. I think it’s kind of lame, but it’s not a big deal, and it’ll probably change anyway.
- likaholix will post your likes to twitter, but with no link back to the site, and no indication that the tweet came from likaholix whatsoever! What’s the point? I’m sure this will change. I’ve disabled the feature on my account for the time being, and opted to post my likes to facebook, where people are less likely to have a real-time interface spamming them with my likes all day.
In the end, I think likaholix is a hit. I’ve never used a single site to get product reviews and recommendations, but now I might. I understand that this site only shows good reviews, but bad reviews are so easy to find that I don’t really care, and if the masses tend not to like something, then the fact that a site with (someday) millions of users mentions a product a mere 3 times will be indication enough. “If you have nothing nice to say…” and all that.
Also, if I want to know if some gadget, we’ll call it ‘foo’, sucks, Googling for “foo sucks” still works like a charm.