I have followed a number of blogs in the Lotus Notes world for some time and while my job over the past several years has primarily revolved around supporting collaboration systems with Lotus Notes and Domino, I have found myself dropped into the world of Identity Management as of late.
First, our organization started looking at building a better web presence and being able to deliver applications to staff and customers using WebSphere Portal. It was also a "no brainer" early on to integrate our Domino infrastructure into Portal since so many of our productivity applications were already in Domino. Another key to deploying WebSphere Portal was the fact that it needed an LDAP with our users' and customers' identities. It just so happened that our Domino infrastructure already consisted of a centrally located server with replicas of all our customers' Domino directories. Within a few days, I had a Domino LDAP up and running with 30,000 users that we could connect up to Portal for authentication. Way cool. The other benefit here was that our customers continue to maintain their Domino directories as they always have, and as changes occur, our LDAP is updated automatically thanks to Domino replication. This would be a reasonable LDAP for the time being while we learn Portal and explore the possibilities for delivering our applications and services in new ways.
A year later we recognized what we had in the back of our minds early on. For one, the Domino LDAP we had configured was limited to only our Domino customers unless we wanted to manually add users and maintain them. Two, we expect to someday have maybe hundreds of thousands of entries in our LDAP, and we were questioning the scalability of Domino for that purpose. Our IBM consultants recommended using Tivoli Directory Server, and since it comes included with several of IBM's other software offerings it seemed logical.
Over the last year my colleague and I have spent a significant amount of time getting to know some of IBM's software for building an enterprise LDAP: Tivoli Directory Server and Tivoli Directory Integrator. This has been quite an experience. For those of you Domino experts out there, if you ever get the chance to work with TDS or TDI you will quickly be reminded how cool Domino is. Take replication, for example. This is nothing for Domino; creating a replica is one of the easiest operations. TDS, on the other hand, is far more complex and the documentation is severely lacking. I remember countless tech support calls before we were able to successfully get two TDS servers to replicate in a cluster. TDI is some seriously cool software. I'll have to post a separate entry about that, but as cool as it is, we always ran into issues that made us wonder if this stuff was really ready for prime time. Either way, our experience with TDI has been good and we have used it successfully to build prototypes for detecting changes in disparate systems and writing those changes to TDS.
After a year of this TDS LDAP, TDI and developing assembly lines to detect changes in directories and write them to an enterprise LDAP, we recognized that building the LDAP was certainly not enough. We always knew that access control and provisioning were going to be necessary, but in what order? Do you build the LDAP first? Provisioning system first? Access control? After countless hours reading, talking with consultants, and meeting internally trying to figure out our requirements, it was finally clear that Identity and Access Management was the next step to pulling all this together. We finally realized that our goal is to synchronize user accounts from many (as many as 100 or more) disparate systems to the Identity Management system and then provision those users to LDAP and any other managed resource, including Portal and applications surfaced by Portal.
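The change-detection prototypes described in the two paragraphs above (detect changes in a source directory, write them to the enterprise LDAP) boil down to a delta computation: compare a snapshot of the source with what the target currently holds and emit the add, modify and delete operations that bring them in line. The following is an added example written for this post, not TDI code and not anything from the author's project. It models the source as a list of records (a Domino directory export, say) and the target LDAP as an in-memory map of DN to attributes; the base DN, the managed attribute list and all sample records are constructed assumptions. It also shows two things a practitioner wants in a sync job: only attributes the job owns are touched (a password attribute on the target survives the sync), and a run that would delete a large fraction of the target is refused, since an empty or truncated source feed is far more likely than a mass departure.

```python
"""Delta detection between a source directory snapshot and an LDAP target.

Constructed example: the target LDAP is an in-memory dict of DN -> attributes
(each attribute a set of string values); the source is a list of records keyed
by a stable "uid". Base DN, attribute names and records are assumptions.
"""
import copy
from typing import Dict, List, Set, Tuple

BASE_DN = "ou=people,dc=example,dc=com"   # assumed base DN for illustration
# Attributes this sync job owns; anything else on the target (passwords,
# group memberships managed elsewhere) is left untouched.
MANAGED_ATTRS = ("cn", "sn", "mail", "employeeNumber", "ou")
# Safety guard: refuse a run that would delete more than this fraction of
# the target, which usually means the source feed was empty or truncated.
MAX_DELETE_FRACTION = 0.5

Entry = Dict[str, Set[str]]
Op = Tuple[str, str, Entry]   # ("add" | "modify" | "delete", dn, attrs)

def to_dn(uid: str) -> str:
    return f"uid={uid},{BASE_DN}"

def normalize(record: Dict[str, object]) -> Entry:
    """Map a source record to set-valued managed attributes; empty values are dropped."""
    out: Entry = {}
    for attr in MANAGED_ATTRS:
        value = record.get(attr)
        if value in (None, "", []):
            continue
        values = value if isinstance(value, (list, set, tuple)) else [value]
        out[attr] = {str(v).strip() for v in values}
    return out

def compute_delta(source: List[Dict[str, object]], target: Dict[str, Entry]) -> List[Op]:
    """Return the operations needed to make target match source on managed attributes."""
    ops: List[Op] = []
    seen: Set[str] = set()
    for record in source:
        dn = to_dn(str(record["uid"]).strip())
        seen.add(dn)
        desired = normalize(record)
        if dn not in target:
            ops.append(("add", dn, desired))
            continue
        current = target[dn]
        changes: Entry = {}
        for attr in MANAGED_ATTRS:
            if desired.get(attr, set()) != current.get(attr, set()):
                changes[attr] = desired.get(attr, set())   # empty set = remove attribute
        if changes:
            ops.append(("modify", dn, changes))
    stale = [dn for dn in target if dn not in seen]
    if target and len(stale) / len(target) > MAX_DELETE_FRACTION:
        raise RuntimeError(
            f"refusing to delete {len(stale)} of {len(target)} entries; "
            "source feed may be empty or truncated")
    ops.extend(("delete", dn, {}) for dn in stale)
    return ops

def apply_delta(target: Dict[str, Entry], ops: List[Op]) -> Dict[str, Entry]:
    """Apply operations to the in-memory target; unmanaged attributes are preserved."""
    for op, dn, attrs in ops:
        if op == "add":
            target[dn] = {k: set(v) for k, v in attrs.items()}
        elif op == "modify":
            for attr, values in attrs.items():
                if values:
                    target[dn][attr] = set(values)
                else:
                    target[dn].pop(attr, None)
        elif op == "delete":
            del target[dn]
    return target

# Constructed sample data: one changed user, one new hire, one leaver, two unchanged.
SOURCE_SNAPSHOT = [
    {"uid": "jdoe", "cn": "Jane Doe", "sn": "Doe", "employeeNumber": "1001", "ou": "Sales",
     "mail": ["jdoe@example.com", "jane.doe@example.com"]},
    {"uid": "bsmith", "cn": "Bob Smith", "sn": "Smith", "mail": "bsmith@example.com",
     "employeeNumber": "1002", "ou": "IT"},
    {"uid": "cthree", "cn": "Carol Three", "sn": "Three", "mail": "cthree@example.com",
     "employeeNumber": "1004", "ou": "IT"},
    {"uid": "newhire", "cn": "New Hire", "sn": "Hire", "mail": "newhire@example.com",
     "employeeNumber": "1003"},
]
TARGET_LDAP: Dict[str, Entry] = {
    to_dn("jdoe"): {"cn": {"Jane Doe"}, "sn": {"Doe"}, "mail": {"jdoe@example.com"},
                    "employeeNumber": {"1001"}, "ou": {"Marketing"},
                    "userPassword": {"{SSHA}placeholder"}},   # not managed by this job
    to_dn("bsmith"): {"cn": {"Bob Smith"}, "sn": {"Smith"}, "mail": {"bsmith@example.com"},
                      "employeeNumber": {"1002"}, "ou": {"IT"}},
    to_dn("cthree"): {"cn": {"Carol Three"}, "sn": {"Three"}, "mail": {"cthree@example.com"},
                      "employeeNumber": {"1004"}, "ou": {"IT"}},
    to_dn("leaver"): {"cn": {"Gone Person"}, "sn": {"Person"}, "mail": {"gone@example.com"},
                      "employeeNumber": {"0999"}, "ou": {"Sales"}},
}

def run_sync() -> Tuple[List[Op], Dict[str, Entry]]:
    """Compute and apply the delta against a copy of the sample target."""
    target = copy.deepcopy(TARGET_LDAP)
    ops = compute_delta(SOURCE_SNAPSHOT, target)
    return ops, apply_delta(target, ops)

if __name__ == "__main__":
    for op, dn, attrs in run_sync()[0]:
        print(op, dn, {k: sorted(v) for k, v in attrs.items()})
```

Running the script produces one modify (Jane's second mail address and new ou), one add and one delete; a second run against the updated target produces no operations, which is the idempotence property a scheduled assembly line needs. Calling compute_delta with an empty source raises instead of emitting four deletes.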
So here we are at the beginning of a very large Identity and Access Management project. As I mentioned at the beginning of this post, I follow many very good blogs about Notes and Domino. After scouring the Internet for some good blogs about Tivoli security software, I have come up with really nothing even close to the blogging community for Domino. The only thing close is the Tivoli forums on IBM's web site. So, I figure maybe I'll blog about my experiences with Identity Management. With any luck I'll learn something along the way and possibly contribute in some small way.