Sunday, September 14, 2008
Wednesday, August 13, 2008
When you are building LDAP objectclasses and attributes for your Identity Management project, should you be using Directory String or IA5 String for your typical attributes? Actually, there are several string syntaxes supported by LDAP:
IA5String, DirectoryString, PrintableString, OctetString, PostalAddress, CountryString and NumericString.
Most often in the projects I have worked on we would use DirectoryString for most custom attributes. Looking at the RFCs you can pick up bits and pieces about the differences between IA5String and DirectoryString. My friend Thom Anderson does a great comparison of these two string types. Read on:
"The IA5 is more constrained than Directory String. You can think of it as ASCII on steroids . . . ASCII is a 7-bit protocol and for years, persons have been finding themselves with an eight-bit byte wondering what to do with the extra bit. Normally, they use the ‘zero’ value of the extra bit for ASCII characters and then use the ‘one’ value for things such as special characters (early IBM PC) or European characters (IA5). Although the ‘IA’ in IA5 means ‘international alphabet’, it does not include all languages, as that would require more than 8 bits. That is where Directory String comes in. Directory String is basically UTF-8, a version of Unicode that has only 8 bits for Western languages, but requires more bits (in 8-bit increments) as one moves East."
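For reference, RFC 4517 (which defines the LDAP syntaxes) specifies IA5 String as a string of 7-bit IA5 (ITU-T T.50) characters and Directory String as one or more UTF-8 encoded Unicode characters, so a directory server will reject a non-ASCII value on an IA5String attribute outright while a DirectoryString attribute accepts any script. The practical consequence is that whatever consumes a DirectoryString attribute downstream must cope with arbitrary UTF-8. The following is an added example, not code from the post or from Thom Anderson: it validates candidate values against the syntaxes listed above and renders an attributeType definition that selects one of them. The syntax OIDs, the PrintableCharacter set and the matching-rule names are the RFC 4517 ones; the attribute OID in the demo is a hypothetical placeholder.

```python
"""Check values against the LDAP string syntaxes listed in the post.

Added example, not code from the original post. Syntax OIDs, the
PrintableCharacter set and matching-rule names follow RFC 4517; the
attribute OID used in the demo is a hypothetical placeholder.
"""
import re

# RFC 4517 syntax OIDs for the string syntaxes named in the post.
SYNTAX_OID = {
    "IA5String":       "1.3.6.1.4.1.1466.115.121.1.26",
    "DirectoryString": "1.3.6.1.4.1.1466.115.121.1.15",
    "PrintableString": "1.3.6.1.4.1.1466.115.121.1.44",
    "NumericString":   "1.3.6.1.4.1.1466.115.121.1.36",
    "OctetString":     "1.3.6.1.4.1.1466.115.121.1.40",
    "CountryString":   "1.3.6.1.4.1.1466.115.121.1.11",
}

# Equality rules normally paired with each syntax (RFC 4517 names).
EQUALITY_RULE = {
    "IA5String":       "caseIgnoreIA5Match",
    "DirectoryString": "caseIgnoreMatch",
    "PrintableString": "caseIgnoreMatch",
    "NumericString":   "numericStringMatch",
    "OctetString":     "octetStringMatch",
    "CountryString":   "caseIgnoreMatch",
}

# RFC 4517 PrintableCharacter: letters, digits, ' ( ) + , - . / : ? = and space.
_PRINTABLE = re.compile(rb"[A-Za-z0-9'()+,\-./:?= ]+")


def is_valid(syntax: str, value: bytes) -> bool:
    """Return True if the raw octets are a legal value of the given syntax."""
    if syntax == "IA5String":
        # IA5 (ITU-T T.50) is a 7-bit alphabet: every octet must be 0x00-0x7F.
        return all(b < 0x80 for b in value)
    if syntax == "DirectoryString":
        # 1*UTF8: non-empty, well-formed UTF-8, any script allowed.
        if not value:
            return False
        try:
            value.decode("utf-8")
            return True
        except UnicodeDecodeError:
            return False
    if syntax == "PrintableString":
        return _PRINTABLE.fullmatch(value) is not None
    if syntax == "NumericString":
        return bool(value) and all(b in b"0123456789 " for b in value)
    if syntax == "OctetString":
        return True  # any octets at all, binary included
    if syntax == "CountryString":
        return len(value) == 2 and _PRINTABLE.fullmatch(value) is not None
    raise ValueError(f"unknown syntax {syntax}")


def attribute_type(oid: str, name: str, syntax: str, single_valued: bool = True) -> str:
    """Render an RFC 4512 attributeType description that selects one syntax."""
    parts = [
        f"( {oid} NAME '{name}'",
        f"EQUALITY {EQUALITY_RULE[syntax]}",
        f"SYNTAX {SYNTAX_OID[syntax]}",
    ]
    if single_valued:
        parts.append("SINGLE-VALUE")
    return " ".join(parts) + " )"


def check_values(syntax: str, values):
    """Map each candidate string to whether the chosen syntax would accept it."""
    return {v: is_valid(syntax, v.encode("utf-8")) for v in values}


if __name__ == "__main__":
    # Constructed sample values: a plain ASCII mail address and an accented name.
    samples = ["jose@example.com", "José Müller"]
    for syn in ("IA5String", "DirectoryString", "PrintableString"):
        print(syn, check_values(syn, samples))
    # 1.3.6.1.4.1.99999.1.1 is a hypothetical OID for the demo attribute.
    print(attribute_type("1.3.6.1.4.1.99999.1.1", "exampleDisplayName", "DirectoryString"))
```

Running it shows "José Müller" accepted as DirectoryString but refused as IA5String and PrintableString, and "jose@example.com" refused as PrintableString because "@" is not a PrintableCharacter. That is the check to run over your sample data before you commit to a syntax in a schema extension, since changing it later means touching every entry.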
Thursday, June 26, 2008
Since I have been on a recent project where we had a need to import several thousand OUs, one of the questions we asked ourselves was how do we assign an erglobalid to all of these which we can be sure is not already in use? One way might be to build some random generator of our own and look the value up in TIM to verify that it is not already in use before we choose that number. Another way, we thought, was to just assign a sequential number, because it is not likely that TIM will have an obvious pattern, especially since we haven't yet put any users into TIM. We tried this method and it worked pretty well, so we figured the first erglobalid we would use is, say, erglobalid=11111111110000000001 and then just increment it from there. No problem so long as we don't happen to stumble on one that is already in use. And if that happens the TDI assembly line bombs out and then we'll have to deal with it.
One of my IBM friends recently discovered that we could actually use any ASCII characters as our erglobalid. I never really gave it much thought, but it is really a string anyhow. Internally TIM will use a numeric string. Apparently TIM will never use any alpha or non-numeric characters in the erglobalid. So if you want to generate an erglobalid that is sure not to be in use already, just use letters or something other than numbers. Or maybe even a combination of the two.
Just to try this out I threw together this ldif of two Org units and imported it into my TIM tree with no problem:
At least if you create your OUs this way you can always tell which erglobalids were created by TIM and which ones were created by your import processes. Just thought this was interesting.
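Here is an added example of the allocation scheme described above, written for this page and not taken from the post, from IBM or from any TDI assembly line. It relies on the post's observation that TIM itself only ever assigns all-digit erglobalids; treat that as observed behaviour rather than a documented contract, which is why the allocator still checks every candidate against the set of erglobalids already in the directory before handing it out. The object class `erOrgUnitItem`, the `erparent` attribute and the parent DN are placeholders you would replace with whatever your own TIM schema and org tree use. The LDIF writer base64-encodes values that are not safe to write inline (non-ASCII, leading space, leading colon), which ties back to the DirectoryString point earlier on this page.

```python
"""Allocate import-only erglobalids for bulk-loaded OUs and emit LDIF.

Added example, not from the original post or from IBM. Assumes (per the
post) that TIM-generated erglobalids are all digits; the object class,
erparent attribute and parent DN below are illustrative placeholders.
"""
import base64
import re

NUMERIC_ONLY = re.compile(r"[0-9]+")


def looks_tim_generated(erglobalid: str) -> bool:
    """True for all-digit ids, which is what the post reports TIM assigns itself."""
    return NUMERIC_ONLY.fullmatch(erglobalid) is not None


def allocate_erglobalids(ou_names, existing, prefix="IMP", width=17):
    """Return {ou_name: erglobalid}, never reusing anything in `existing`.

    The prefix must contain a non-digit so that no value we mint can ever
    equal an id TIM would generate. prefix + width digits gives 20 chars,
    the same length as the ids in the post.
    """
    if NUMERIC_ONLY.fullmatch(prefix):
        raise ValueError("prefix must contain a non-digit so it cannot look TIM-generated")
    taken = set(existing)
    assigned = {}
    counter = 0
    for name in ou_names:
        while True:
            counter += 1
            candidate = f"{prefix}{counter:0{width}d}"
            if candidate not in taken:   # skip anything already in the directory
                break
        taken.add(candidate)
        assigned[name] = candidate
    return assigned


def ldif_value(attr: str, value: str) -> str:
    """Render one LDIF attribute line, base64-encoding when RFC 2849 requires it."""
    raw = value.encode("utf-8")
    safe = (
        raw.isascii()
        and not any(b in raw for b in (0, 10, 13))      # no NUL, LF, CR
        and raw[:1] not in (b" ", b":", b"<")            # unsafe leading chars
    )
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"


def to_ldif(assigned, parent_dn: str) -> str:
    """Emit one OU entry per allocated id under the given (placeholder) parent DN."""
    entries = []
    for name, gid in assigned.items():
        lines = [
            f"dn: erglobalid={gid},{parent_dn}",
            "objectClass: top",
            "objectClass: organizationalUnit",
            "objectClass: erOrgUnitItem",   # assumed TIM OU class; check your schema
            ldif_value("ou", name),
            f"erglobalid: {gid}",
            f"erparent: {parent_dn}",        # assumed TIM parent pointer; check your schema
        ]
        entries.append("\n".join(lines))
    return "\n\n".join(entries) + "\n"


if __name__ == "__main__":
    # Constructed input: two OUs and a pretend snapshot of erglobalids already in TIM.
    already_in_tim = {"11111111110000000001", "IMP00000000000000001"}
    ids = allocate_erglobalids(["Finance", "Café"], already_in_tim)
    print(to_ldif(ids, "ou=orgChart,erglobalid=00000000000000000000,ou=example,dc=com"))
```

The `existing` set is the part not to skip: pull the current erglobalid values out of the directory with a search before the run, so a collision is caught here rather than halfway through an assembly line. Sequential import ids are predictable, which is fine for organizational units but is one more reason not to reuse this scheme for anything that acts as a secret.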
Tuesday, May 20, 2008
The Sirius Tivoli Security contingent along with our IBM friends. On the right side of the table from the front is Jeff Whitehead, then Keith Zunker, Mike James (Host), myself, then Bob Ramsey. From the left side we have Larry Miller, can't remember, Moe, Bill Steadman, and Tim Nicolaou and finally at the far end of the table Brian Ebersol.
Then I knew I was at a conference when we were herded into a dining tent on the Dolphin parking lot for a continental breakfast. Now, I'm pretty sure I recall having full breakfasts at Lotusphere, unless things have changed recently or something. But, hey, they have loads of Starbucks around.
Open General Session was great. Typical of Lotuspherean quality and extravaganza, the Pulse Open session was great. The speaker's message was pretty clear, the demonstration was informative and the guest speaker Lance Armstrong had a great story to tell. I never knew that he was diagnosed with cancer before he had ever won a Tour de France. I never knew that there was no team around who wanted him after he recovered from the cancer. What a fantastic story and very inspirational. I felt bad for Lance when halfway through his speech someone from the audience passed out and they had to call paramedics. I mean, how weird. Lance is talking about the surgical procedures on his brain and about doctors and stuff and some guy passes out. Granted I felt bad for the guy who got sick and thankfully he was alright after being attended to, but Lance is a trooper for coming back and picking up where he left off.
So, while at the conference this week one of my ToDo's was to get through some certs if possible. So I winged it in the cert lab on the Tivoli Solution Advisor Security test. I really have not had time to prepare for this, being on a project lately, so I figured I would just wing it on experience. So I passed that early in the day. I actually thought about taking a practice test first, but the real tests are free this week so I figured if I didn't pass then my test would be like practice and I would just take it over later this week. If you are thinking about taking this test, make sure you understand the appropriate meanings (as defined by IBM) for things like "baseline document", "context document", and any other design artifacts relative to an IAM project.
Met Bob Kalka today. If you are doing Tivoli Security in any way you have something to thank Bob Kalka for. Or at least I do. Many of the presentations and positioning information I have used in the past came from Bob. He's a great speaker as well and really knows the security stuff. It was a pleasure talking with Bob today and he reminded me I have to reach out to Chris Craver when I get a chance. See, there are not too many Tivoli Security people in the world and when one lives in the same town as you, it's a good idea to keep in touch!
Hit a couple of sessions today, but I spent a great deal of time in the Expo talking to Encentuate and some other Tivoli dudes. Met the guys from SecurIT. I'm looking forward to playing around with their stuff soon. Found out some new things about Tivoli Training. Watch for more emphasis on instructor-led online training. Tivoli is putting in some efforts here.
Anyhow, more later
Monday, May 19, 2008
I'm staying at the Port Orleans Riverside, so to get to the Board Walk, naturally I Disney Bused it. See, this time of year there's a lot more families around, so it is busier in general than around the time Lotusphere runs, so traveling to the Board Walk was like an hour ordeal.
The Business Partner Summit was not exactly a jaw-dropping experience. I met a lot of people, which was nice, and we got some advance word on what the general message was going to be this week. This apparently is the first time Tivoli has brought all the software including Maximo under one conference, so I guess it feels a little like a Lotusphere from right after 9/11. Over 800 Business Partners and about 4000 customers, so not bad. The BP Welcome Reception was great. Finally I got to meet up with my "peeps". Up until then I figured I was the only Sirius employee at the conference. Turns out we have 6 or 7 of us attending this year.
Many thanks to Mike James (our channels rep) who sported for dinner at Shula's tonight. Their 12oz filet was top notch. The Pinot Noir wasn't bad either. ;-)
Well, after dinner the old folks had to turn in, so I meandered around in search of after-dinner festivities. Mind you, I'm a trained conference attendee, so if there is a party I will sniff it out. I have my old friend Bill Brown to thank for this rare skill. Anyhow, I noticed a nice crowd forming at the Blue Zoo downstairs at the Dolphin. When you see a potential party like this the key is to assume you belong there. Walk up to the waitresses at the club entrance and ask which way to the party. Without question your wrist will be fitted with some fruity colored arm band and your drink order filled. Whoever was hosting that gig, thank you very much for the Amstel Lights!
Well, it really was a productive day anyhow. I was on the job, registered by 9:30am and planning my week as I normally do for a good conference. All in all it was a slow start, not the big bang that Lotusphere usually is, but hey, maybe the opening general session will get things going.
Monday, May 12, 2008
So a while back I let go of Lotus (around v6.x) and switched hats to Tivoli (Security that is). This year is my first Tivoli conference (See IBM Pulse 2008). So far my expectations are not all that high. For one, a number of my IBM friends from ISST are not going. Boo! Apparently the way IBM is recording the big profits this year is quite simple. They don't spend any money. Not even on new business cards. So I'm not sure I will see many familiar faces at Pulse. But hey, I'm optimistic that it will be a very valuable experience. I had the Lotusphere Conference down to a science, especially when finding the best parties for the evening. Looks like I'll have to start from scratch this year at Pulse.
Some things on my agenda:
1.) Meet the folks at SecurIT - I'm interested in any companion products to TIM
2.) Take a test or two
3.) Get through a bunch of Security Sessions - Not sure which ones yet
4.) Hopefully find some info on Encentuate - Labs, Sessions, Demos, anything
5.) Need to do some TFIM - Labs, Sessions, etc...
6.) Find some good parties
7.) Work the Showcase
8.) Learn something new - I'm open to suggestions here. Anyone know what is hot hot hot? Besides security.
9.) Buy some Tivoli gear.
Anyhow, I'm hoping this conference will be valuable and hopefully I'll meet some cool people with the same type of passion I used to meet at Lotusphere.
See you at Pulse!
Monday, March 24, 2008
From what I've read on Partnerworld there are some nice benefits to the new product and the acquisition as a whole:
1.) IBM owns it, therefore the buck stops at IBM. When TAM ESSO was OEM'd from Passlogix, some of the tech support issues were not great. For instance if it was a Passlogix product we had to open a PMR through IBM, then IBM Support would have to open a ticket through Passlogix. Most of the time IBM Support could solve the problem. There are some really good support people there who really knew the product well. But every now and then stuff had to go back to Passlogix and it was not always quickly resolved.
2.) Functionality seems to be more complete in the new product. For instance Encentuate has over 300 proven applications that work. Some applications were tough to get working with TAM ESSO 6 or simply didn't work.
3.) There seems to be a wider list of supported and working two-factor devices. Physical access cards are also supported. They even support Sonar as a convenient sign-off option and active RFID so you don't have to "tap" in or out.
4.) Their options for roaming and multiple users seem to be well documented and flexible.
5.) It has won several awards for most complete end point coverage, most comprehensive session management, widest choice of two-factor authentication, and price for value proposition.
6.) Integrates with Active Directory and LDAP, but does not require schema extension. We don't get too many AD Admins objecting to schema extension, but every now and then it does happen. It also is sometimes an issue when the IT department evaluating an SSO solution does not actually own the AD environment therefore schema extension is not an option.
7.) Reports. There are audit reports built in that tell you who accessed what application, etc.... I have yet to see these, but I know many customers I have spoken to recently desire this ability. This is not available in TAM ESSO 6.
8.) Works with Novell Client. I had a few customers running Novell so were using Novell's client. TAM ESSO 6 does not work with Novell. The new Encentuate product does.
Now some of the things that could be considered the down side:
1.) Requires a server (running Tomcat). TAM ESSO 6 did not require its own server since it was largely a client-side application. Encentuate uses a server to keep track of users, what apps they can access, credentials, and just about everything. It looks like credential caching is typically enabled, so I do not know yet how critical the server is for end users accessing their applications, but it is likely very important and could be important enough that clustering this thing will be necessary.
2.) Because this Tomcat server is required for this solution, it would not surprise me to see IBM integrate this into WebSphere. I'm looking for some direction from IBM on this. This is not necessarily a bad thing at all, but it will be interesting to see what happens.
3.) The Windows GINA is replaced. This is also not necessarily a bad thing, just a big difference from before.
4.) Possibly more complicated to implement. Now this depends on how good the training and documentation is. The added functionality of Encentuate could make installing a bit more complicated, however the original TAM ESSO product was so poorly documented in my mind that it too was more complicated than it needed to be and in some cases the documentation was just wrong.
We'll see how it goes. More on this later...
Thursday, March 13, 2008
As for the features and functions of the new TAM ESSO product (call it version 7), well, from what I have seen in the past the Encentuate product has the goods: Web, host-based, Java, and client/server support, but one thing stands out for sure and that is the reporting built in. I've heard from a number of customers who want to know who accessed what and when, etc... with respect to their users of SSO, and there are some decent reports built into the Encentuate product that were lacking in the TAM ESSO 6 (Passlogix) product. I am working on getting my hands on the new stuff asap so I can kick the tires a bit. Maybe I'm a little strange, but I get excited when it's time to learn something new.
So what about the folks using the original TAM ESSO (Passlogix)? Certainly IBM has a strategy to migrate to the new stuff. I'll be getting some of those details very soon.
Woo hoo, something fresh to blog about!