Dec 5, 2014

Egads! an unwatched blog gathers no comments

3 years later.....

Lots to talk about, same job, same place....

Current SITREP
  1. older NCS OES11 cluster being migrated to another NCS OES11 cluster, with hopes that we'll continue on this platform onto OES 2015 "Altair"
  2. NetIQ IDM is going to be upgraded to 4.5, with lots of work to do then on integration and Role Based Management
  3. Attended Brainshare for the first time ever. 
  4. Implementing Novell Storage Manager 4.0, actually solved an issue in the install, more details here
  5. Part of the O365 deployment here, the scope is far bigger than some people think it is, between this and other projects, it's going to be an "interesting" year. 
All in all, looking at the 25th year of doing IT, the outlook for a change is good. 

Time to get IT done

Dec 2, 2011

Run to the Border(manager) and shoot it!

About 4 months ago, we opened up streaming media to the masses. This resulted in a terminal failure of our trusted and loyal Novell Bordermanager (v3.9sp2 on Netware 6.5Sp8, edir885 patch 5) due to its inefficient handling of streaming media. It was so bad that the servers would disappear off the network for up to 15 minutes until the stream they were on was completed. The temporary solution was to restrict streaming media again until we could figure a way out.

We didn't.

Shifted gears, and since we were already using one vendor's filtering database, we used our existing license key for their new shiny web filtering solution. Much better reporting, much better "use and abuse" management as well.

The biggest change is in the licensing size for the management database. Under Bordermanager a user who had a computer, a laptop and came into a remote VDI session counted as "1" user. Under the new system, each device counts as "1" user. We went from X thousand users connecting to 4X users connecting when you included our "Guest" wireless network (which seems to attract every iPhone in a 20 block radius). Once we got the licensing churn solved, it settled down into a nice pattern. One of the things that happened is that the filter categories got more accurate. As an example, Twitter wasn't blocked under the old social media filter, now it is. On the upside we are now able to provide our users with streaming media and also tell their bosses when they've spent the day watching kitten videos.

Internet Cop, just another job for getting IT done

Nov 2, 2011

SVN, or how to save your butt on IDM

Subversion support is built into Novell IDM 3.6.1 and later, use it! (but don't trust it)

I set up an old box as an SVN box on the network, running SLES and using LDAP tied to eDir for authentication in case I ever want to give this out. All it does is back up my IDM projects and allow me to put them down on other machines. When I'm done doing work in Designer I "check in" the changes and append the changelog to give me a future clue of what I did.

Nice right? I think it is....

Now here's the don't trust it part,

I also export the project as a ZIP file with the project name and date, and then save that ZIP file on the corp file server to make sure it's backed up..... I've seen funky things go wrong with SVN when moving to older versions of code; to prevent that, I can restore from these ZIP backups instead of trying to navigate through the SVN browser in Designer.

Suspenders and belt, whatever IT takes to keep your pants up

Oct 12, 2011

Keyboards.....

I was perusing this article about things that have fallen away from the mainstream in computer technology....

I am one of those old keyboard folks. I am typing this on an Apple Keyboard attached via BlueTooth to an iMac, BUT at work I use an IBM Model "M" keyboard. The clunky, clicky keys just "do it" for me. I actually feel like I am accomplishing something and the positive feedback. The one I use has a born on date of July 5 1996. It's been apart several times and cleaned in a dishwasher. I have several other ones that serve as backup and parts repositories. The point is that they may not be efficient or "new" but they work reliably...

And being reliable is what IT is all about.


(Note: I originally wrote this several months ago and found it languishing in the "DRAFTS" folder)

The.... FUTURE!

Beginning in the next few weeks we will be embarking on our journey into the...."FUTURE!" We will be building an OES2SP3 Cluster on SLES10SP4. RIGHT in time for the beta launch of OES11 on SLES11, which means another migration in the near term. At first this will be for file storage, but soon it will be Groupwise (8.02HP2) followed at some point by iPrint (as soon as they ditch the XP SP2 boxen). One of my attempts during this is going to be to blog more.

For those of you at Brainshare, enjoy it, but then let's get down to work....


Making IT work, yep that's the job

Jun 16, 2011

IDM : when passwords attack

The App Analyst for the new IDM made a tactical error: he set the Global password sync attribute to on for the entire environment. In Novell IDM this is the classic NBD (no big deal). In the new one? Well, it does this: it captured password changes off the AD side, which is downstream from the eDir and Identity Vault. It then says "Hey! New password! I need to tell all the downstream apps that it's a new password!" It then sends the passwords down to the attached apps, which in our case are eDir and AD. OK, it's the same password, NBD, right? Wrong... It does an administrative password set, which means that the password is immediately expired.

A hundred help desk calls later, they finally ping me. I investigate, since the App Analyst didn't do a change control on this. The password was initially OK, set to expire in 60 days per policy; 5 minutes later it would suddenly be expired. I pulled the Novell IDVault logs on some password changes with the log level set to 5. Nothing, everything looked normal, except that 5 minutes after the password event happened another one appeared, from apparently nowhere. Off to DSTRACE. I had a suspicion: I watched the LDAP records, and 5 minutes after a password change another one came through from the other IDM. Go to App Analyst:

"What did you do?"

"I changed the Global Sync Attribute"

"Change it back"

"Why"

"Cause people are constantly resetting passwords because you caused a logic loop"

"Crap"

Systems Orchestration can be an Art, but it takes an Artist to truly appreciate IT.
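
The symptom in this post, a second password write landing about 5 minutes after the user's own change, can be hunted for in exported directory audit events. The sketch below is an added example, not code from the original post or from any IDM product; the event tuple layout, the DNs and the 10-minute window are constructed assumptions, not real DSTRACE or IDVault log output.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real DSTRACE or IDM log output):
# (timestamp, account whose password was written, identity that wrote it)
SAMPLE_EVENTS = [
    ("2011-06-16 09:00:12", "cn=jdoe,ou=users,o=corp", "cn=jdoe,ou=users,o=corp"),
    ("2011-06-16 09:05:14", "cn=jdoe,ou=users,o=corp", "cn=idm2-driver,ou=services,o=corp"),
    ("2011-06-16 09:30:00", "cn=asmith,ou=users,o=corp", "cn=asmith,ou=users,o=corp"),
    ("2011-06-16 10:02:41", "cn=bkhan,ou=users,o=corp", "cn=bkhan,ou=users,o=corp"),
    ("2011-06-16 10:07:45", "cn=bkhan,ou=users,o=corp", "cn=idm2-driver,ou=services,o=corp"),
    ("2011-06-16 13:00:00", "cn=asmith,ou=users,o=corp", "cn=helpdesk1,ou=services,o=corp"),
]

def find_password_echoes(events, window=timedelta(minutes=10)):
    """Return (user, echo_actor, seconds_between) for every user-initiated
    password change that is followed, within `window`, by a password write
    on the same account from a different identity (an administrative set)."""
    parsed = sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user.lower(), actor.lower())
        for ts, user, actor in events
    )
    last_self_change = {}  # user -> time of most recent self-service change
    echoes = []
    for when, user, actor in parsed:
        if actor == user:
            last_self_change[user] = when
            continue
        prior = last_self_change.get(user)
        if prior is not None and when - prior <= window:
            echoes.append((user, actor, int((when - prior).total_seconds())))
            del last_self_change[user]  # report each user change only once
    return echoes

def actors_by_echo_count(echoes):
    """Count echoes per writing identity; one identity echoing many users
    points at a sync connector rather than individual help-desk resets."""
    counts = {}
    for _user, actor, _secs in echoes:
        counts[actor] = counts.get(actor, 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])

if __name__ == "__main__":
    for user, actor, secs in find_password_echoes(SAMPLE_EVENTS):
        print(f"{user}: rewritten by {actor} {secs}s after the user's change")
```

A help-desk reset hours after a user's change (the `asmith` rows) falls outside the window and is not reported.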

Jun 4, 2011

Ease of Use.....

About 2 months ago, we started working on this new "Provisioning Solution". We had the full court press from the vendor, out of country contractors, VP's of Application, PM's of Doom and the Salesman. Our current provisioning is a rather ingenious in-house system that was cooked up using Access and a good deal of knowledge. Having been working on Novell IDM for the last 3 years I have a pretty good idea of what it can and can't do.....

This new solution? Can't rename attributes downstream? Can't edit the XML directly, can't reconfigure on the fly or move drivers from one device to another rapidly. No IDE, no easy command line access. It's all "web" 2.0'd to death, and it's sluggish. IDM routinely parses over 12,000 records in an hour, this one? (and this is from their developer) would take "20 hours" to parse the same amount of records. To support this super duper solution we need to spin up a "DEV" environment, which means that I needed to produce a separate but identical eDir, IDM and AD. The eDir? Simple, spin up a SLES 11Sp1 box, load in eDir, load in IDM. Do the connector magic in Designer. LDAP export PROD into the new DEV for the O's and OU's. Deploy, get the Certs right and start. Minor tweaking ensues and in 5 hours I have a duplicate environment with all the users and groups. The IDM and the AD won't take even close to that long.

That newfangled one? Yeah.... 8 weeks, and it doesn't do anything yet. It could provision eDir and AD sure, but it has this bug....

If you use the new tool to change your password, it sets it in eDir, it sets it in AD, but......

it locks you out of the new solution.......

Because it can't change the password there......

Ease Of Use, Helps get IT done......