Archive for the ‘Uncategorized’ Category

Complex ACLs in Apache Locations

Tuesday, March 9th, 2010

So the problem I’m having is with limiting LDAP users’ access to WebDAV directories; specifically, how do I keep devs from committing to the release branch? The setup is that each of the large projects (Project1, Project2) has a trunk and a release branch; however, some pesky devs try to ninja changes into the release branch, circumventing the entire process. That’s bad. The access should go like this (note this is a subset of the mess I’m dealing with):

  1. Everyone can read and write all projects under / (/Project1, /Project2) EXCEPT:
    1. Only a certain team of devs (and I) can write to /Project1/trunk.
    2. Only a certain team of qa can write to /Project1/branches/release.

Specifically, I should be able to commit to trunk but not release, however that doesn’t seem to be the case. Here’s an abbreviated version of my vhost:

<VirtualHost 10.0.0.5:443>
 blah blah blah snip...
<Location />
     DAV svn
     SVNParentPath /var/svn/
     SVNPathAuthz off
     AuthName  "SVN Access"
     AuthType  Basic
     AuthLDAPUrl     "ldap://ldap.example.int:389/ou=Users,dc=example,dc=int?uid"
     AuthBasicProvider ldap
     AuthzLDAPAuthoritative off
     AuthLDAPGroupAttribute   "memberUid"
     <LimitExcept none>
         Require valid-user
     </LimitExcept>
 </Location>
 <Location /Project1/trunk>
     # Everyone can read, but only devs (and I) can change.
     <LimitExcept REPORT GET OPTIONS PROPFIND>
         Require ldap-group cn=devs,ou=Groups,dc=example,dc=int
         Require ldap-user morgajel
         Satisfy any
    </LimitExcept>
 </Location>
 <Location /Project1/branches/release>
    # Everyone can read, but only QA can change.
    <LimitExcept REPORT GET OPTIONS PROPFIND>
        Require ldap-group cn=qa,ou=Groups,dc=example,dc=int
        Satisfy any
    </LimitExcept>
 </Location>
</VirtualHost>

Any thoughts as to why I’m still able to write to release? And no, I’m not in the QA group; I suspect it has something to do with the Locations essentially being nested. Since we’re managing users and groups with LDAP, simple SVN ACLs won’t work, and I’m not really sure how to accomplish what I need to do.

Thoughts?

Side note: REPORT GET OPTIONS PROPFIND are the only methods needed for read-only svn webdav access. Fun fact, huh?

UPDATE:

I was overthinking the situation: Apache config is not programming. The Require directives of / are not inherited by a more specific Location; a new Location’s Require list replaces the parent’s, and a Require inside a <Limit> or <LimitExcept> only covers the methods listed there. So once you create a new location, you need to set up the permissions for every method in it. With the base / set to read/write for everyone, I then define the sublocations:

 <Location /Project1/trunk>
    # If you want to write to trunk, you need to be one of the required people. You can still read it.
    <LimitExcept PROPFIND OPTIONS GET REPORT>
         Require ldap-group cn=devs,ou=Groups,dc=example,dc=int
    </LimitExcept>
    # Reads have to be spelled out again: this Location's Require list
    # replaces the one from /, it does not add to it.
    <Limit PROPFIND OPTIONS GET REPORT>
         Require valid-user
    </Limit>
 </Location>
 <Location /Project1/branches/release>
    # Everyone can read, but only QA can change.
    # No "Satisfy any" in here: with no Allow/Deny rules it lets the host
    # check stand in for authentication and skips the Require entirely.
    <LimitExcept REPORT GET OPTIONS PROPFIND>
        Require ldap-group cn=qa,ou=Groups,dc=example,dc=int
    </LimitExcept>
    <Limit PROPFIND OPTIONS GET REPORT>
         Require valid-user
    </Limit>
 </Location>

What I was missing was the second half of the limits, thinking it would inherit from /. It doesn’t. Without that require valid-user, it was allowing unauthenticated users to read the files (which was no good). Life is good (until I find out where this is broken).
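The vhost below is an added, corrected version written for this edit; it is not the configuration from the original post. It targets Apache 2.2, which is what `Satisfy` and `AuthzLDAPAuthoritative` imply (both directives are gone in 2.4, where `Require` lines are combined with `RequireAny`/`RequireAll` instead). Two details in the sections above are what let the wrong people in. First, `Satisfy` is recorded per method, and `Satisfy any` inside the write `<LimitExcept>` means “pass the host check OR authenticate”; unless a `Deny` rule elsewhere restricts hosts, the host check always passes, so for MKACTIVITY, PUT, MERGE and the other write methods Apache never asks for credentials at all, which is a write to release by anyone, QA or not. Second, a child `<Location>` replaces the parent’s `Require` list instead of adding to it, so a section whose only `Require` sits inside `<LimitExcept>` has no requirement for GET, PROPFIND, OPTIONS and REPORT, which is the anonymous read the update ran into. The group DNs, the account name, the `AuthLDAPGroupAttributeIsDN off` line (needed when `memberUid` holds login names rather than DNs) and the snipped SSL lines are assumptions for the example, not facts from the post.

```apache
<VirtualHost 10.0.0.5:443>
    # SSL and logging directives snipped, as in the original.

    <Location />
        DAV svn
        SVNParentPath /var/svn/
        SVNPathAuthz off

        AuthName "SVN Access"
        AuthType Basic
        AuthBasicProvider ldap
        AuthLDAPUrl "ldap://ldap.example.int:389/ou=Users,dc=example,dc=int?uid"
        # Assumption: posixGroup-style groups, memberUid = login name.
        # The default (on) compares the user's full DN against memberUid,
        # which never matches, so every ldap-group check would fail.
        AuthLDAPGroupAttribute memberUid
        AuthLDAPGroupAttributeIsDN off
        # With this off, a rejected user is handed to whatever other
        # authorization modules are loaded; keep it on unless you
        # deliberately chain a second provider after LDAP.
        AuthzLDAPAuthoritative on

        # Baseline for every path and every method: a known LDAP user.
        # No Satisfy directive: the default is "all" (host check AND auth).
        Require valid-user
    </Location>

    <Location /Project1/trunk>
        # This section's Require list replaces the one from /, so the read
        # methods must be restated or they end up with no requirement at all.
        <Limit GET PROPFIND OPTIONS REPORT>
            Require valid-user
        </Limit>
        # Everything else (MKACTIVITY, CHECKOUT, PUT, PROPPATCH, MERGE, DELETE,
        # COPY, MOVE, MKCOL, LOCK, UNLOCK ...) is a write. mod_authnz_ldap
        # grants if either line matches. No "Satisfy any": with no Allow/Deny
        # rules it makes the host check sufficient and skips auth entirely.
        <LimitExcept GET PROPFIND OPTIONS REPORT>
            Require ldap-group cn=devs,ou=Groups,dc=example,dc=int
            Require ldap-user morgajel
        </LimitExcept>
    </Location>

    <Location /Project1/branches/release>
        <Limit GET PROPFIND OPTIONS REPORT>
            Require valid-user
        </Limit>
        <LimitExcept GET PROPFIND OPTIONS REPORT>
            Require ldap-group cn=qa,ou=Groups,dc=example,dc=int
        </LimitExcept>
    </Location>
</VirtualHost>
```

Check it from the outside before trusting it: an anonymous `curl -sk -o /dev/null -w '%{http_code}' -X PROPFIND https://10.0.0.5/Project1/branches/release/` must return 401, the same request with `-u` and any LDAP user must return 207, and an `svn mkdir -m test` against that URL must fail with 401 for a dev and succeed for a QA member. One caveat that `<Location>` cannot fix: the prefix match only sees the request URL, and an `svn commit` is carried by opaque URLs under the repository root (`/Project1/!svn/act/...`, `/Project1/!svn/wrk/...`) with the final MERGE sent to the working copy’s root URL. A working copy checked out at `/Project1/branches/release` is stopped at that MERGE, but one checked out at `/Project1` commits into `branches/release` under `<Location />` alone. Enforcing this per path inside a repository needs mod_authz_svn (`SVNPathAuthz on` plus an `AuthzSVNAccessFile`), which asks mod_dav_svn to decode those URLs; its `[groups]` section is separate from LDAP, so it has to be generated from the directory rather than maintained by hand.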

Time warp.

Tuesday, February 9th, 2010

I watch a lot of TV… well, I should qualify that; I do a lot of stuff with the TV on. I pay attention to the shows, but I’ll be doing other things. Since about halfway through November I started losing track of shows- mainly because of the stupid seasonal holiday crap. Here’s the stuff that I’ve watched at one time and lost track of:

  • Dollhouse (Caught Up)
  • Fringe (Currently Follow)
  • Tosh.0 (Currently Follow)
  • Caprica (Currently Follow)
  • Lost (Followed)
  • Stargate Universe (Followed)
  • Heroes (Followed)
  • CSI (Followed)
  • Scrubs (Followed)
  • House (haven’t followed but like it)
  • Chuck (haven’t followed but like it)
  • Bones (haven’t followed but like it)
  • Big Bang Theory (haven’t followed but like it)
  • Dirty Jobs (haven’t followed but like it)
  • Mythbusters (haven’t followed but like it)
  • CSI: Miami (haven’t followed but like it)
  • Doctor Who (Binge)
  • Legend of the Seeker (Binge)
  • Supernatural (Binge)

Seems like a lot, but I never really watched them all at the same time. Shows like Chuck and House I’ve caught bits of over the years and like, whereas Supernatural and Doctor Who I watched episodes back-to-back, devouring entire seasons over the course of a few days. So how did I get so far behind on the others? The combination of the “Christmas break” in programming, a new job and a crazy schedule didn’t help, but the standard “show stopped and I have no idea when it’ll be back on” yearly routine was what really killed it.

Anyways, now that the 2009/2010 season is picking back up, I need to figure out what I’ve missed and how to catch up. I wish that the networks would better utilize Hulu, too- I can’t afford boxed sets, so that gives me the option of watching it on Hulu with commercials, or finding it elsewhere and them not getting a cent. My budget dictates what I watch- I’d like to watch True Blood, but I can’t afford HBO. If they put their shows on Hulu behind a paywall, I won’t watch them, either.

OH, and a special shoutout to CW. They have flash all over their site, unless you try to watch their shows- then they want to install their own little EXE, which means they’re either too stupid to use one of the bazillion flash video players out there, or they want/need functionality that flash doesn’t provide- something lower level, like spyware would need. To CW, I say “thank you for Supernatural, lose the shitty website and maybe I’ll use it.”

A New Low/High in Nerddom

Wednesday, February 3rd, 2010

So I’ve mentioned before that I picked up a motorola droid recently for my new job and have been playing with it relentlessly. One of the many things I like to do with a moment of downtime is browse the android marketplace- lots of interesting things in there (I browse just the free section currently).

Anyways, in the marketplace is an app that looks like a star trek tricorder. When I first saw it, I downloaded it thinking it would be a neat little image display that I could taunt my friend The General with (he’s a big trek fan) when I see him later this year.

I didn’t expect the damn thing to actually *WORK*. Here’s a list of functionality from its site:

  • GRAV: monitor the local gravitational field and acceleration
  • MAG: monitor the local magnetic field
  • ACO: acoustic analysis; waveform, frequency and sound level analysis of the ambient sound
  • GEO: display geographical information
  • EMS: scan the electromagnetic spectrum for radio signals — currently displays cellular and WiFi signals
  • SOL: display current solar activity data — downloads current solar data in the background and displays it along with current images

So, there you have it- I have a working tricorder, beeps and all. It’s not that useful, really, but does it matter? HELLO! touch screen tricorder! Nerd, right?

Wait, it gets better. Jackie and I are looking at getting a bigger vehicle, and this weekend we plan on going for some test drives. One thing car commercials always say is “it’s such a smooth ride…” Well, now I have a way to MEASURE the smoothness of the ride.

To repeat, I have a working tricorder that I plan on using for real world decisions.

This image? That was just me picking up the phone- it shows how much it was jostled. If I set that on the console as Jackie drives around the same area, it will give me an idea of how bumpy the ride will be. This is an actual *useful* application of the motion sensor if it was used in an app built for this purpose. Sadly, I don’t have the time to write it myself, so when we go for a test drive, I’ll use the tricorder app.

Now, picture it- Jackie and I are sitting in a new car with a salesman telling me how awesome his car is, and I’m sitting there, WITH A TRICORDER, going “BEEE-LOOP BOOPBEEP” while he’s trying to talk, monitoring how rough the ride is while he tells me it’s smooth.

So should I be stoked or embarrassed?

Dear Signature Consulting…

Monday, February 1st, 2010

My resume says “does not wish to relocate.”

1) You’re calling me about a position in Iowa. I live in Michigan. It says Michigan on my resume. Right next to “does not wish to relocate.” You think I’m gonna bite? Even if (on the off chance) the job paid a small fortune… really? Iowa? IT’S WINTER! Michigan is cold, but at least there’s stuff to look at here. …Now, if it was in Tahiti you might get my attention.

2) Stop calling. You’re calling my wife’s phone and I’m working 3rd shift currently, so I’m a) not gonna get your call and b) not gonna call back if you’re calling about a job I said I wasn’t interested in. If I don’t return your call, I’m not interested. My resume already says I’m not interested. Evan, I’m looking at you. Stop calling.

3) Oh, and as a side note, you guys should get together and figure out a system of “one recruiter per resume per position,” because if I tell Dan “no thanks,” Gary, Ed, Frank, Little Joey, Hooch, Evan and Ringo aren’t gonna have any more luck. To the guy I spoke to on the phone, you’re cool; I was right there, you were non-obnoxious, and took no for an answer. The rest of you? You can stop now… not that I expect you to stop.

The funny part is I’m not actively looking for a job; I just never remove my resume from Monster- never know when opportunity will come knocking; but it’s knuckleheads like these that make me want to take it down.

Shit.

Saturday, January 16th, 2010

(03:42:42 PM) Jackie: do you know what your son did!?
(03:46:06 PM) Jesse Morgan: ?
(03:52:19 PM) Jackie: we made it to KFC, he was good. He fell asleep in the car and woke up slightly when we got here. He went back to bed oh so well. That was my first mistake
(03:53:09 PM) Jackie: he says he has to go to the bathroom. Much to my dismay, he already had and had spent a few minutes painting his wall and window

That was two days ago. Needless to say, Ian hasn’t had a fun two days. He lost a bunch of toys, no dessert, etc. and while I knew I hadn’t gotten through to him, I at least thought we’d discouraged him from ever doing it again.

Silly daddy.

So here’s the timeline:

6:30am: Ian wakes up, pounds on his door, Jackie lets him into our room, turns on saturday morning cartoons for him, and he sits in his chair. This is routine. He gets some cheese from the fridge, is well behaved, and generally smells like a rose. I am still unconscious, oblivious to the world, and Jackie goes back to sleep.

8:00am: Ian drops a deuce in his footie pajamas. Rather than let us know, he squishes it around until it oozes out the top of his diaper like a $20 playdoh toy. He’s still in footie pajamas, so it’s contained.

8:15am: Ian starts jumping around the bed and all over Jackie. I vaguely wake up when he climbs over the end of the bed and Jackie starts screaming at him. I comment something smells like shit and roll back over. Jackie sits him back down and goes back to sleep. At this point neither of us has really “woken up.”

8:30am: Tired of sitting in his own filth, he strips out of his poo-covered pajamas and throws them downstairs. Thankfully the weight of this excrement makes it land like a badminton birdie, and it folded over on itself when it hit, sealing in the sludge.

8:31am: realizing his hands are now covered in poop, Ian comes into MY BEDROOM and proceeds to do cave paintings on the mirror in our bedroom (the closet door).

8:32am: hands “clean”, the boy sits down in Jackie’s 40+ year old rocking chair, smearing his crap all over the 1960’s fabric. As he sits down, shit is smeared down the edge of our bed and bedding, where the chair rests.

8:35am: Ian wants to “climb in bed and cuddle with the baby,” and proceeds to climb on top of Jackie’s side of the bed and across her pillow. The thing you have to understand is our bed is in the corner, so I am separated from all of this. Jackie opens her eyes and sees his fecal stained hands and rightly freaks the fuck out. She grabs Ian and runs to the bathroom. I bolt upright and see the turdstains on her side of the bed AND PILLOW. I put on my glasses and look towards the foot of the bed and see the poo on the mirror.

8:40am: At this point Jackie has Ian on his potty seat, which looks like a truckstop crapper. I call her in to see the mirror and she goes off. I survey the room looking for other sources of the stench, and when I see the edge of our $1500 bed smeared with shit as well as the chair, I go numb.

We then spend the next hour cleaning, bleaching, washing and scolding.

Did I mention Jackie’s having a bunch of people over today? Yeah, she’s having a party… and our house smells like shit and bleach.

Toys

Saturday, January 16th, 2010

For the new job, I had to go out and get my own cellphone. Since my last work phone had been Sprint (and that’s what Jackie has), I figured I’d stay with them. My last three phones had also been Blackberries, and while they’d been fairly reliable, I couldn’t turn down the chance to get a new, shiny Android phone.

I did a bit of research and found out there were only two Android phones that Sprint carried- the Hero and the Moment. I ended up choosing the Moment since I preferred the physical keyboard. Jackie and I upgraded her plan to the family everything plan and away we went, with one month to cancel if I didn’t like it.

Samsung Moment

The moment got off to a rough start.

  • Keyboard - The keyboard keys were tiny and smooth, which made it harder to type than a blackberry, despite the keyboard being wider. The tactile feel of it just wasn’t there.
  • Holster - They didn’t have a holster, only a belt clip, and it had the screen facing out, meaning I’d activate it when my wrist brushed up against it; I nearly made two emergency calls this way.
  • Slider - Since the phone slid open and didn’t have a holster, it would also get caught on my coat or office chair arm and slide open. On top of that it felt wobbly when open, like you could accidentally snap it in half.
  • Camera - The optics were just bad. Pictures were always fuzzy, and god forbid it was dark, because you couldn’t get people to hold still long enough for the picture to snap.
  • Touchpad - I’m not sure what the deal with the touchpad is, but it’s entirely too sensitive- you either press it too lightly and it doesn’t work, or you press too hard and it scrolls 3 places. The mechanics of it were hard to figure out- was it a slider like the Kindle? A sloppy keyboard nub? A directional pad? I still don’t know, it was too sloppy.
  • Battery - The final nail in the coffin was a twofer; poor signal at home and at work. Since I spent most of my time in the basement (at both home and work), I somewhat expected the signal to be poor; but I didn’t expect to go to roaming several times an hour. This of course killed the battery, leaving a fully charged battery at 20% by noon, requiring a recharge for the next hour or so. I’d get home, go to the basement, and by 8pm need yet another charge. This got old real quick.

My first reaction was to go back to Sprint and make sure the phone wasn’t defective. They tried to “change frequencies” on it with a system reset, but it did no good. Truth be told I had already made up my mind, and just went in to get their pamphlet with the plans for comparison’s sake.

After I decided to dump sprint, I tried to take the phone back (with two weeks to spare). Funny thing tho, when I bought the phone on the ~23rd of December, the packaging got recycled with the rest of the Christmas packaging. Little did I know that, by losing this 30 cent box, I could no longer return my $400 retail value phone, and by canceling the plan, I had to pay the $200 difference.

Needless to say I was furious, and the “tough shit” attitude from the counter jockeys who’d previously been decent did not help the situation. After I stormed out, Jackie canceled the service with the intent of calling Sprint’s customer service to deal with the rest. From there we went to the Verizon store. While I spoke to the Verizon people, Jackie rained fire and brimstone through her own phone until the Sprint rep agreed to send us packaging so we could return the phone and be refunded. So we are back to square one at this point; I need a phone, and Jackie’s plan is back to normal.

Motorola Droid

When I looked at Android phones, I initially didn’t limit my search to Sprint; the one phone that impressed me the most was the Droid, however a combination of crappy website, confusing plans and a 30 minute wait in-store left me feeling like Verizon was doing everything in its power to keep me from giving them money.

After realizing Sprint wasn’t a viable option, I waited the half hour and talked with the Verizon rep. The Verizon plan cost more and offered less, but honestly only cost $15 more a month. For the time being, Jackie is staying with Sprint until next November, when she’ll transfer her number over to Verizon.

So, how is the droid?

  • Keyboard - Despite the keys being more crowded, their simple square shape and feedback lets you know when you press the button.
  • Holster - The holster slid in nicely and kept the screen facing inward. No more accidental 911 calls. That, plus the design of the holster, prevents it from opening while in place.
  • Slider - On the verge of being “too hard” to open; it requires a good grip to open, and that’s not a bad thing in my book.
  • Camera - Faster reaction time to take a picture, but I haven’t played with it much. More settings for controlling focus, quality, etc.
  • Touchpad - Despite the gold design making me think it was a fingerprint scanner, it turns out it’s a very obvious directional pad with a good feel to it.
  • Battery - 4 bars in my basement. 4 bars at work. After running from 6am-2am, the battery is at 60%.

That said, the droid isn’t perfect. In the dark it’s hard to tell which end is up, and when the alarm is going off, trying to find the power button is impossible.

The real test of the droid will be my attempts to write apps for it. I have a couple ideas in mind, so hopefully I’ll get a chance to toy with the Android toolkit. I played with it on the moment and found it slightly limited, but hey, it’s better than anything I had with the blackberry.

Anyways, the end result of the comparison is Verizon and the Droid beat the hell out of the Moment, and it’s definitely worth the extra money if, ya know, you value your phone conversations.

Ok, enough incoherent rambling, time for bed. Spellcheck tomorrow.

Rough Draft complete! The Autobiography of Ziggy Swift: The Fall

Friday, January 1st, 2010

The second half of Ziggy’s autobiography has finally reached the finished rough draft stage. I was just starting the 3rd draft of The Rise when November (NaNoWriMo) struck, and I dropped everything to begin The Fall. Now that the rough draft of The Fall is complete, I can go back to revising The Rise. It’s been a wild journey tracking this story; my initial vision had been a single book, but it quickly grew into something larger than that.

My hope is that the book is enjoyable and compelling; if/when I finish these and they’re well received, I’ll continue to write. There’s plenty in Ziggy’s world that needs telling- the origins of Willis, the fall of King Vern, and of course the trilogy that is supposed to follow Ziggy’s story, which will be the next set I do. After that I have two or three more books about Ziggy to write.

In the meantime, I’ll just be happy to finish these two. Maybe someday I’ll get around to revising and finishing Sinblade and the half dozen other non-Willis books I have floating around in my head.

New Job.

Wednesday, December 23rd, 2009

So I recently accepted a new job as many people have heard. While I gave 2 weeks notice, due to my access my manager was kind enough to walk me out that day (thanks mick).

This means I’ll get paid for the next 2 weeks per my notice without actually having to work. I just want to be clear that this is *AWESOME*, not rude or lame.

New job will be as a Linux/Tomcat administrator. Sure, my drive jumped from 15 minutes to 25 minutes, but it’s worth it for a number of reasons:

  • Pay bump
  • More Tech focused (EPI was moving me to a more paper-pusher type role)
  • Open Source Focused (EPI was moving away from open source in an effort to cut costs by replacing a well known free open source technology with a relatively unknown proprietary technology that will cost a small fortune. It’s ok tho, I’m sure there’s no difference in the talent pool.)

Anyways, yesterday was my first day on the new job and so far it’s going good- I set up apache, mysql, openldap, phpldapadmin, mediawiki, svn, webdav and some self-signed certs. It was a good first day, and I have a good feeling about the job and the team. Alright, off to work.

Anachronistic Idioms In Fantasy Writing

Sunday, December 6th, 2009

“The petrified dragon hit the ground like a freight train, sending ripples across the field and shards of stone in all directions.”

It’s a simple enough saying, yet Ziggy can’t say it. Why? Because in his world, there are no freight trains. Now, while Ziggy’s brain has been shattered into a million pieces, and he often sees glimpses of other worlds, there are problems with him using the phrase. I’ve thought long and hard about the best course of action whenever I’m writing and this phrase comes to mind. Idioms and metaphors are essential writing tools, but I find myself constrained at times by keeping things “in line” with the world I’m writing about. If Ziggy starts talking about his Twitter Feed in the book, it’s gonna seem out of place. The same thing goes for the metaphors/idioms he uses.

  • Use it anyways: It may be amusing for Ziggy to speak about cars and radios and coppers, and within the context of the book it might even lend to his instability (in a deadpool 4th wall sorta way). The problem is it may throw unsuspecting readers as sloppy writing.
  • Use another common Idiom: Things like “hit like a ton of bricks” are well known in our world and make sense in his, so the common dialog makes sense. Good luck finding a free Idiom Thesaurus.
  • Create a parallel: Replace “Let’s get shit-faced,” with “Let’s get orc-faced.” While visually I can see Ziggy making an orc-like face while drunk, parallels can feel forced or false. Perhaps I’m just not good at them.
  • Avoiding them altogether: Use more generic metaphors like ‘rammed like an angry goat.’ I suppose ramming something like an angry goat isn’t really more generic, but ultimately it may give you more creativity.

So where does that leave me? I judge it on a case by case basis. Sometimes you can take the bull by the horns, other times it’s best to just get orc-faced and forget about it.

Burmat the Useful

Thursday, December 3rd, 2009

One of the characters in my book is a wizard who is only allowed to stay in Willis because he knows no “battle” spells- i.e. fireballs, fire shield, etc. Now as many DnD players know, sometimes the best offensive spell is a simple utility spell- Grease, Floating Disk, Shatter, Spider Climb, Sepia Snake Sigil, illusions, flying, haste, teleport, etc.

So, I have a 17th level mage who can only have utility spells, and he needs to help a silver dragon defeat a much larger red dragon. Which spells should he have on-hand? Keep in mind that the red dragon will be immune to most magical attacks, so it’s really about finding a way to outsmart the dragon.

Thoughts?