Wednesday, February 14, 2024

LDAP differ feedback and the "666" I missed

It's another round of feedback, because there's been a lot going on.

I must admit that I did not expect my post about diffing LDAP to have such a response. I honestly just wanted to tell a story about some mildly rebellious activity I had seen happen and then had decided to do myself, and it turned into a whole thing. Lots of people wrote in to say that they have also been doing it, and others have started as a result of that post! That was not my intent but the net effect is definitely pleasing to me, so it all worked out.

Now, in response to some specific comments - a few people wrote in to say that the "epitaphs" internal page/service at Google (yep) now allows you to line some stuff up before you leave. That way, when you leave and your entry shows up, it'll have something on it that you submitted directly, and you don't have to "bounce through a friend" or whatever.

I think part of this is that people don't realize just how long it's been since I was plugged in to that ecosystem. I left in May of 2011 - almost thirteen years ago now! I thought it was broken badly enough to leave all the way back then, and this was after being there for about four and a half years. It still amazes me when I find out that people willingly go there, but I've had to tell myself to shut up about that and just advise them to "get in, get paid, and get the hell out".

Seriously, get in, take their money, and go. Whatever tech darling status they had was gone a LONG time ago. I dare say that I watched it curl up and die from the inside. I can't even imagine what could possibly be left inside there now that so much time has passed.

It occurs to me that sufficiently young people who are just now entering the industry fresh out of school (or whatever) have no idea what it used to be like. They've only known the current versions of things, and probably figure it's as bad as everywhere else, so why not, right? I guess it's hard to argue with that. Just never make the mistake of thinking that it's special somehow. Those days are gone gone gone and they aren't coming back. Companies which are that massive just can't deliver that kind of environment.

...

In response to the WPA3 stuff and badness happening after 11 hours, Ewen (and a few other people) wrote in and said that I should have been looking at minutes, not seconds. 39960 / 60 gives 666 minutes. Oops. Yeah, I guess I missed the forest for the trees there. 666 minutes would do the job, for sure. \m/ rock and roll?

...

Other people said they were diffing far more than just the list of unixnames in LDAP. They used it to detect people getting promoted when their titles changed, and other things like that. I honestly didn't care about detecting that, and I don't think that the LDAP (really AD behind the scenes) system I was poking at even stored such things.

A fair number of companies have a glossed-over view of things for their permission systems that don't reflect whatever HR has for those same people. Everyone in LDAP might be a "software engineer", but in the actual HR system they might have 100 different varieties for "new grad" and "testing" and "server" and "app" and all of these other dumb things that they think they need. That means you might not see anything change when people get promoted, change teams, or shift around between different parts of the company.
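As an added illustration of the diffing described above (this is example code written for this page, not the author's actual tool), here is a small differ over two LDIF dumps. It keys entries on the `uid` attribute (the login name, as in the post) rather than `uidNumber` (the numeric POSIX id), watches `title` for the promotion-style changes other readers mentioned, and reports added and removed accounts. The two snapshots are constructed sample data, not output from any real directory, and the attribute names `uid`, `uidNumber` and `title` are assumed to follow the usual posixAccount/inetOrgPerson conventions.

```python
"""Diff two LDIF snapshots of a people directory.

Example code for this page; the snapshots below are constructed, not
real directory data, and the attribute names are assumed (uid = login
name, uidNumber = numeric id, title = job title).
"""
import base64

SNAPSHOT_DAY1 = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
uidNumber: 10001
title: Software Engineer

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
uidNumber: 10002
title: Software Engineer

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
uidNumber: 10003
title: Manager
"""

SNAPSHOT_DAY2 = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
uidNumber: 10001
title: Software Engineer

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
uidNumber: 10003
title: Director

dn: uid=dave,ou=people,dc=example,dc=com
uid: dave
uidNumber: 10004
title: Software Engineer
"""


def parse_ldif(text):
    """Parse a subset of LDIF into {dn: {attr: [values]}}.

    Handles 'attr: value', 'attr:: base64', folded continuation lines
    (leading space, RFC 2849), '#' comments and a 'version:' header.
    Attribute names are lower-cased: LDAP attribute names are
    case-insensitive, so uid and UID are the same attribute.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    entries, current = {}, {}
    for line in unfolded + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries[current.pop("dn")[0]] = current
            current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def index_by(entries, key_attr):
    """Re-key entries on a single-valued attribute (uid or uidnumber)."""
    out = {}
    for attrs in entries.values():
        vals = attrs.get(key_attr.lower())
        if vals:
            out[vals[0]] = attrs
    return out


def diff_directory(old_text, new_text, key_attr="uid",
                   watch=("title", "uidnumber")):
    """Return added/removed keys and per-key changes in watched attributes.

    Keying on uid means a renamed login shows up as removed + added;
    keying on uidnumber would instead show it as a changed uid.
    """
    old = index_by(parse_ldif(old_text), key_attr)
    new = index_by(parse_ldif(new_text), key_attr)
    changed = {}
    for key in sorted(set(old) & set(new)):
        delta = {}
        for attr in watch:
            before, after = old[key].get(attr, []), new[key].get(attr, [])
            if before != after:
                delta[attr] = (before, after)
        if delta:
            changed[key] = delta
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "changed": changed}


if __name__ == "__main__":
    report = diff_directory(SNAPSHOT_DAY1, SNAPSHOT_DAY2)
    for kind in ("added", "removed"):
        for key in report[kind]:
            print(f"{kind}: {key}")
    for key, delta in report["changed"].items():
        for attr, (before, after) in delta.items():
            print(f"changed: {key} {attr}: {before} -> {after}")
```

In practice you would feed it yesterday's and today's `ldapsearch -LLL` output rather than embedded strings. The caveat from the paragraph above applies directly: if the directory flattens every engineer to a single "Software Engineer" title, the `title` watch will stay silent across promotions and team moves, and only the account additions and removals carry signal.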

While I'm talking about titles, I will mention one thing: it's interesting that certain companies talk about why they hide levels for random "ICs" (individual contributors, i.e., not managers), but then go ahead and make a big deal out of managerial titles.

Seriously, one company in particular had everyone be some sort of Software Engineer or Production Engineer or something like that without saying that this person was a 3, or a 4, or a 5, or whatever on up the line.

Meanwhile, that same company let you see that a given person was a Manager (5, 6), a Director (7, 8), or a VP (9, 10) with just a glance at their profile page.

The same sort of visibility was not afforded to the ICs at those same higher levels. You had to "just know" that so and so was "one of the 10s" or whatever.

Also, for anyone who hasn't already seen my thoughts on the matter somehow: you are not your level, and your level is NOT an indication of basically anything more than how much they like you. It is only loosely linked to your ability at the bottommost rungs of the "career ladder", and only when management is being forced to adhere to it. If the right people like you, your level will rise. If they don't, it will stagnate. Your technical abilities are *almost* completely disconnected from there.

There is one notable exception I can mention though: if you are somehow able to do something that nobody else can/will do, they will "put up with you" as long as the amount of whatever you bring in outweighs the costs of you being, well, you. But, once you start asking for things or try to do stuff that goes against what they personally want, the balance will tilt, and once it goes past center into the other side, they won't give a damn about what you can deliver any more.

I should note this has little to do with what the business needs at that point. They're probably in it for themselves, and they don't care that chasing someone out is not the right thing for the business. Indeed, they will probably bail out for greener pastures a few years later.

...

Some people from a few very large tech companies that are currently doing layoffs have pointed out that their "epitaphs" or equivalent isn't always accurate. There are groups of people who will be "off limits" and so won't come up in the reports. Obviously, once management has gotten to that level of involvement with the day to day operations of such a tool, it can be considered compromised.

That's pretty much a given: things start out as a simple hack, then grow into a small community that knows about it, and sometimes end up becoming well-known and even legitimized. But, more often than not, these same systems will be co-opted by whoever's running the show in terms of hiring and firing, and it'll stop providing useful data.

At that point, I guess you have a choice: you can try to build another thing from scratch for yourself, or you can admit that the company is too far down the road of corporate lockdown hell, and live with the fact that it'll never be accessible the way it had been.

...

Finally, there's at least one person who was visibly annoyed by the fact that I said "uid" and "(unix account name)" in the same breath. Guess what? That particular LDAP (again, really AD) system I was dumping DID use a field named "uid" to put in the unixnames. Sure, there were also *numeric* uids in the Unix sense, but that lived elsewhere in other fields, like, oh, uidNumber. Surprise surprise.

I just love it when there's this assumption that I must be screwing it up by default. To that person: ask yourself if you'd assume that about every random post on people's web sites that might mention such a thing, or only certain ones. If it's only certain ones, I bet you know which ones, and why.

It's obvious. You're making it clear that you're part of the problem. Knock that shit off.

And, as for me making mistakes, hell yes I make mistakes. I screw up all kinds of stuff and have to go back and fix it and/or explain what happened where appropriate. Anyone who follows the feed will tell you that old posts will "mysteriously" spring back to life with a recent modified time and a handful of tweaks applied. Most of those fixes come about from people sending feedback and going "hey I think X might be Y instead". It happens all the time, and I'm talking about 13 years of posts here.

If you think I made a mistake back in that post by saying "uid" and "unix account name" instead of "numeric unix account number", you could just hit the feedback button and say as much. But you know that it's way more impactful to assume that I'm a dumbass and don't know what the hell I'm talking about and do that on a big orange sewer.

You do know what "projection" means, right?

Okay, enough of that.