Archive for the ‘Life’ Category

More on Good Laziness

Sunday, April 2nd, 2006

Laziness extends to authentication and authorization systems, too. At my last job, we started out with five or so primary systems that people needed access to, and a bunch of supporting systems that nobody logged into directly. It was, at the time, no big deal to go ahead and create an account for someone on those five or so machines. That changed over the course of a year or so, when we suddenly had 20, 30 and then more systems people needed to use, depending on what they were doing. Had we the foresight, we would have set up something back in the early days to centralize the management and control of user and group accounts. Where I am now, there’s at least NIS to tie everything together. It’s not the most robust technology for a network, but it does the job and will keep doing the job until we get around to LDAP.

LDAP, though, is truly the “bee’s knees”, as all the cool kids are saying these days. (I would call it the cat’s pajamas, but I did that and all the student workers looked at me like I had three heads. Cerberus, or Kerberos, depending on who you ask and whether or not you’re at MIT, has three heads, but that’s another article.) Right off the bat, LDAP offers some important things over NIS that make me positively giddy in anticipation.

First, given appropriate access rights, you can update an LDAP master from anywhere, over the network, securely. This means we can divorce our user creation tools from the “master” server and run them, well, anywhere. This means we no longer have to run them as root. This means we don’t have to have people log on to our master server directly (which is a security risk) to maintain user accounts. We can make a web-based tool if we really wanted to (and I think we do.)

Second, we can restrict it on both the servers and the clients so that LDAP connections only ever go over SSL links. This is, in and of itself, enough of a reason to move to LDAP over NIS in our security-conscious world, and I’d be lying if I said it wasn’t at least part of our reason for moving to it.

Third, we can enforce Unix “shadow” password expiration policies. I can’t find a way to do this in NIS, though it may be as simple as creating a “shadow” NIS map.
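To make the third point concrete, here is an added example (not from the original post) that audits password aging from a directory export. It assumes the directory stores the policy in the RFC 2307 shadowAccount attributes; the entries under dc=example,dc=org are constructed sample data.

```python
from datetime import date

# Constructed LDIF export of three shadowAccount entries (not real accounts).
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
uid: alice
shadowLastChange: 13200
shadowMax: 90
shadowWarning: 7

dn: uid=bob,ou=People,dc=example,dc=org
uid: bob
shadowLastChange: 13000
shadowMax: 90
shadowWarning: 7

dn: uid=carol,ou=People,dc=example,dc=org
uid: carol
shadowLastChange: 13240
"""

def parse_ldif(text):
    """Split simple, unfolded LDIF into one attribute dict per entry."""
    return [dict(line.split(": ", 1) for line in block.splitlines())
            for block in text.strip().split("\n\n")]

def password_state(entry, today):
    """Classify an entry by its shadowLastChange/shadowMax/shadowWarning."""
    days_now = (today - date(1970, 1, 1)).days  # shadow fields count days since the epoch
    last = int(entry.get("shadowLastChange", -1))
    max_age = int(entry.get("shadowMax", -1))
    warn = int(entry.get("shadowWarning", 0))
    if last == 0:
        return "must-change"           # 0 forces a change at next login
    if last < 0 or max_age < 0 or max_age >= 99999:
        return "no-expiry-policy"      # 99999 is the conventional "never" value
    days_left = last + max_age - days_now
    if days_left < 0:
        return "expired"
    return "warning" if days_left <= warn else "ok"

def audit(ldif_text, today):
    """Map each uid in the export to its password-aging state."""
    return {e["uid"]: password_state(e, today) for e in parse_ldif(ldif_text)}

if __name__ == "__main__":
    for uid, state in audit(SAMPLE_LDIF, date(2006, 4, 2)).items():
        print(f"{uid}: {state}")
```

Accounts reported as no-expiry-policy are the ones to chase first, since no client can enforce aging on an entry that carries no shadowMax.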

So, you can think of it being the perfect Lazy solution. With a bit of work, you can drastically reduce your workload while, at the same time, helping out your security situation a bit. Hell, I’ll take that any day!

Appropriate Laziness is the Hallmark of a Great Sysadmin

Sunday, April 2nd, 2006

I think, sometimes, that the truth is quite funny. Take, for instance, the goal of every systems administrator I have ever known (including myself): do nothing. Seriously. For sysadmins, a good day is a day when we get to do absolutely nothing but catch up on personal email, read our favorite magazines and web sites, play some foosball or pinball or even a little ping pong, have a beer or two at lunch out at the pub with some friends, and go home feeling like you didn’t really do anything, and feeling happy about it. It is this vision of the perfect day that drives us to pursue all manner of projects in hopes that we can someday get to have slow days every day.

The other day, I complained about one of the tools we lazy sysadmins use when we have more than, oh, say, three systems to maintain: cfengine. At my last job, we had something like 45 systems, and I was wishing we could get just enough time to put cfengine into place. Where I work now, we manage something north of 40 systems (various flavors of Linux and some Solaris) and I had the fortune of walking into a working cfengine deployment. Hooray, someone else did the hard part! Having had the joy of using cfengine for managing large numbers of systems, I never want to go without it again. It’s an amazing and efficient tool for rapidly and easily distributing all manner of configurations across a huge number of systems. It can also, at times, be an amazing and efficient tool for rapidly and easily distributing all manner of broken configurations across a huge number of systems, but that’s a story for another day.

Another tool we’re using extensively is RedHat’s kickstart. Taken from the much more capable Jumpstart from Sun, kickstart is, really, enough to get a system off the ground and mostly configured for what you want. There’s a bit of work we need to do on our kickstart server yet, and our tools for generating new kickstart configurations aren’t quite up to the quality we’d like, but all in all, it’s a serious time-saver. Instead of having to sit there and answer all the questions and configure a package set, we just boot the system off a CD, tell it to do a kickstart boot, and walk away. Depending on the system and what type of install we’re doing, the system will be ready, all on its own, in twenty minutes to an hour.

The real strengths, however, come into play when you combine the kickstarts with cfengine. In about an hour, not only do you have a new system install, but you’ve got it completely configured, along with optional software installs. How cool is that? Sure, coming up with a totally new configuration for a new class of machines can be a pain, but once that’s done, you can crank out as many of them as you want in very short order indeed. And, not only that, but you can then manage it from that point forward from your central infrastructure and ensure it’s a good citizen.

In case you couldn’t tell, I really like cfengine and kickstart. They make me happy, because they allow me (and my coworkers) to spend more time doing real productive work instead of playing box jockey. If you manage more than five machines or so, you owe it to yourself to check into cfengine. If you build machines more than once a month, you owe it to yourself to check into kickstart (or Jumpstart, if you’re a Sun Solaris shop.) Don’t cheat yourself out of valuable time.

Time

Monday, April 11th, 2005

How many of us are trapped in that cycle of “If I only had the time,” and when we finally do get time, never manage to get around to what it is we want to do?

I certainly hope I’m not the only one, because that would make me feel like a complete slacker. How many of us, though, frequently hope to tackle projects of admittedly large scope, but consistently write off any free time we do have as “too little” to accomplish anything worthwhile? I’m fairly certain this is why management types come up with things like Gantt charts and milestones. I’m also fairly certain that if I took the time to analyze exactly what it is I’d like to do and broke those projects into their logical steps, I’d actually get somewhere.

So, then, that must be the trick to it all. I need to actually write down what it is I want to do, and define that as the final goal. I need to decompose that final goal into the logical tasks and set milestones for myself. I need to provision time to work on these tasks, and track the time I do spend.

In short, I need to actually manage myself and my time. Who knew that doing work on your own required a manager? Granted, you are your own manager, but if you can’t manage yourself, find a new manager. Or send your current manager to some training seminars.

I got to listen to my wonderful wife complain to no end about the quality of a web-based calendar system, apparently released by a very large and well-known vendor. It’s quite eye-opening that such a large and well-respected vendor could release something that would inspire such invective from such a pleasant woman. This leads me to another important item that seems to go oft-overlooked: it has to be usable by the people you intend to give it to. Yes, that seems immediately obvious. If it is so obvious, though, why do so many developers ignore it? Why do so many columnists in the IT field harp on it so much?

Probably because it’s not fun. It’s not coding. People have “stupid” ideas about how an application should function, or people want features and behaviors that are too painful or simply too annoying to code for. It’s much easier just to code the functionality you think should be there. In my own work as a sysadmin, I frequently find that when I create a utility for others to use, I get requests for improved or new features that I’d rather not care to implement. Call it professional laziness, but probably not in a good way.

So, why am I wasting your valuable reading time telling you all this? Well, I suppose it’s because I’m trying to psych myself into working on a few projects that I’ve had languishing in my head for the longest time now. Maybe I want you to share your ideas on getting a project started and keeping it moving. Maybe by getting this out of my head, I can move on to something closer to the actual project work.

Besides, this is my Brain Dump.