<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-8922687432911929746</id><updated>2012-02-16T06:59:16.534-08:00</updated><category term='provisioning'/><category term='ERE'/><category term='identity validation'/><category term='Jon Stewart'/><category term='security identitymanagement'/><category term='SSPR'/><category term='security'/><category term='FIM'/><category term='Friends'/><category term='ILMv2'/><category term='TEC'/><category term='ILM'/><category term='Jim Cramer'/><category term='security questions'/><title type='text'>Peter's Identity Vacuum and other Musings</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://identityvacuum.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8922687432911929746/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://identityvacuum.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Peter Jalaff</name><uri>http://www.blogger.com/profile/07436834279628363231</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://1.bp.blogspot.com/-Qxn_TJNwb_E/Tyb3KOmwGdI/AAAAAAAAADw/tRKgXMBFG34/s220/peter1.PNG'/></author><generator version='7.00' 
uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>18</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-8922687432911929746.post-3270899745862795767</id><published>2012-01-30T11:57:00.000-08:00</published><updated>2012-01-30T11:58:11.903-08:00</updated><title type='text'>Rebuild SQL indexes for dummies</title><content type='html'>Found this site, it's great.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.ehow.com/how_6375896_rebuild-indexes.html"&gt;http://www.ehow.com/how_6375896_rebuild-indexes.html&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8922687432911929746-3270899745862795767?l=identityvacuum.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityvacuum.blogspot.com/feeds/3270899745862795767/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8922687432911929746&amp;postID=3270899745862795767' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8922687432911929746/posts/default/3270899745862795767'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8922687432911929746/posts/default/3270899745862795767'/><link rel='alternate' type='text/html' href='http://identityvacuum.blogspot.com/2012/01/rebuild-sql-indexes-for-dummies.html' title='Rebuild SQL indexes for dummies'/><author><name>Peter Jalaff</name><uri>http://www.blogger.com/profile/07436834279628363231</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' 
src='http://1.bp.blogspot.com/-Qxn_TJNwb_E/Tyb3KOmwGdI/AAAAAAAAADw/tRKgXMBFG34/s220/peter1.PNG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8922687432911929746.post-1775235860226203886</id><published>2011-10-21T09:51:00.000-07:00</published><updated>2011-10-21T09:51:00.057-07:00</updated><title type='text'>Reference membership of a set in FIM Portal</title><content type='html'>&lt;p&gt;Sometimes you may want to have a group or set in the FIM portal be calculated from another group or set.&lt;/p&gt;  &lt;p&gt;Unfortunately, the source can’t be a group, so stop there.&amp;#160; But if it’s a set then you’re OK.&amp;#160; The great thing about sets is that you can have both criteria-based and manual users in them. Once you have it in a group, export it to AD.&amp;#160; Now you have a solution: a group with criteria-based and manual users that can be administered from the FIM Portal.&lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;&amp;#160; At this point create your target group (or set), go to the Members tab and do the following:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://lh3.ggpht.com/-xmFaXnB0Upk/TqByjP3iDII/AAAAAAAAADM/HdVg4hR_MWI/s1600-h/image%25255B3%25255D.png"&gt;&lt;img style="background-image: none; border-right-width: 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px; padding-top: 0px" title="image" border="0" alt="image" src="http://lh3.ggpht.com/-8viuecW3dFI/TqByjll4FrI/AAAAAAAAADU/km36Cv2WQTw/image_thumb%25255B1%25255D.png?imgmax=800" width="407" height="266" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Choosing ResourceID ‘in’ &amp;lt;source set&amp;gt; will do the trick.&lt;/p&gt;  &lt;p&gt;Of course you could always go back to the XPath filter, something like this:&amp;#160; /Person[ObjectID = /Group[DisplayName = 'sourceSet']/ComputedMember], but why, when you can use the GUI?&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' 
height='1' src='https://blogger.googleusercontent.com/tracker/8922687432911929746-1775235860226203886?l=identityvacuum.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityvacuum.blogspot.com/feeds/1775235860226203886/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8922687432911929746&amp;postID=1775235860226203886' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8922687432911929746/posts/default/1775235860226203886'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8922687432911929746/posts/default/1775235860226203886'/><link rel='alternate' type='text/html' href='http://identityvacuum.blogspot.com/2011/10/how-to-export-ad-lds-schema.html' title='Reference membership of a set in FIM Portal'/><author><name>Peter Jalaff</name><uri>http://www.blogger.com/profile/07436834279628363231</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://1.bp.blogspot.com/-Qxn_TJNwb_E/Tyb3KOmwGdI/AAAAAAAAADw/tRKgXMBFG34/s220/peter1.PNG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://lh3.ggpht.com/-8viuecW3dFI/TqByjll4FrI/AAAAAAAAADU/km36Cv2WQTw/s72-c/image_thumb%25255B1%25255D.png?imgmax=800' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8922687432911929746.post-3472154000828060579</id><published>2011-10-20T12:29:00.001-07:00</published><updated>2011-10-20T12:29:14.828-07:00</updated><title type='text'>How to export AD LDS schema</title><content type='html'>&lt;p&gt;Working for a client I needed to stand up an LDAP client and create a new class and attributes.&amp;#160; It was about 35 new attributes and it can take a while when you have to do each one manually.&amp;#160; Now it’s time to move it to 
QA.&amp;#160; There ain’t a whole lot out there for exporting LDAP schema and of course the old LDIFDE was giving me grief.&amp;#160; So after more searching I stumbled on a TechNet article and there it was.&lt;/p&gt;  &lt;p&gt;It’s already installed if you set up AD LDS.&amp;#160; Look in \windows\ADAM; it’s called ADSchemaAnalyzer.&amp;#160; I think its purpose is to compare different schemas, but it also exports them to LDIF – Sweet!&lt;/p&gt;  &lt;p&gt;First ‘load target schema’, then ‘load base schema’.&amp;#160; I don’t know why; I didn’t have time to find out.&amp;#160; Then walk the tree and you’ll see all the object classes and attributes.&amp;#160; Now if you created an object class and new attributes just for that object, just select the new object class and the attributes will come along automatically.&lt;/p&gt;  &lt;p&gt;&lt;a href="http://lh6.ggpht.com/-vAIO5vS272U/TqB2iWaMiTI/AAAAAAAAADc/EK06v_qZ0sQ/s1600-h/image%25255B2%25255D.png"&gt;&lt;img style="background-image: none; border-bottom: 0px; border-left: 0px; margin: 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top: 0px; border-right: 0px; padding-top: 0px" title="image" border="0" alt="image" src="http://lh6.ggpht.com/-QzYUkW7f9J0/TqB2iivLRdI/AAAAAAAAADk/nYuw2zDJxk4/image_thumb.png?imgmax=800" width="159" height="115" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Now ‘Create LDIF file’ and away you go.&amp;#160; Very awesome!&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8922687432911929746-3472154000828060579?l=identityvacuum.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityvacuum.blogspot.com/feeds/3472154000828060579/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8922687432911929746&amp;postID=3472154000828060579' title='0 Comments'/><link rel='edit' 
type='application/atom+xml' href='http://www.blogger.com/feeds/8922687432911929746/posts/default/3472154000828060579'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8922687432911929746/posts/default/3472154000828060579'/><link rel='alternate' type='text/html' href='http://identityvacuum.blogspot.com/2011/10/how-to-export-ad-lds-schema_20.html' title='How to export AD LDS schema'/><author><name>Peter Jalaff</name><uri>http://www.blogger.com/profile/07436834279628363231</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://1.bp.blogspot.com/-Qxn_TJNwb_E/Tyb3KOmwGdI/AAAAAAAAADw/tRKgXMBFG34/s220/peter1.PNG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://lh6.ggpht.com/-QzYUkW7f9J0/TqB2iivLRdI/AAAAAAAAADk/nYuw2zDJxk4/s72-c/image_thumb.png?imgmax=800' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8922687432911929746.post-7637851453646238083</id><published>2011-09-07T20:53:00.001-07:00</published><updated>2011-09-07T20:53:54.904-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Friends'/><title type='text'>Hmm. 
Windows Live Writer</title><content type='html'>&lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;So I’m trying out this new program called Windows Live Writer. I guess the idea is to use this little application, which will then upload the content to the blog site??&lt;/p&gt;  &lt;p&gt;&lt;img style="border-bottom-style: none; border-right-style: none; border-top-style: none; border-left-style: none" class="wlEmoticon wlEmoticon-berightback" alt="Be right back" src="http://lh6.ggpht.com/-jht0y0qi-a4/Tmg8Rsi3wkI/AAAAAAAAADA/0omliCtUQMU/wlEmoticon-berightback%25255B2%25255D.png?imgmax=800" /&gt;&lt;a href="http://lh4.ggpht.com/-5XvY5KU1RZo/Tmg8TCErdlI/AAAAAAAAADE/IvGZoMgASUQ/s1600-h/11-09-01%252520Frank%252520Rodgers%252520012%25255B3%25255D.jpg"&gt;&lt;img style="background-image: none; border-right-width: 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px; padding-top: 0px" title="11-09-01 Frank Rodgers 012" border="0" alt="11-09-01 Frank Rodgers 012" src="http://lh3.ggpht.com/-UunpV-DuQH8/Tmg8USUFypI/AAAAAAAAADI/GdWuBJqMH4w/11-09-01%252520Frank%252520Rodgers%252520012_thumb.jpg?imgmax=800" width="244" height="184" /&gt;&lt;/a&gt;&amp;#160; &lt;/p&gt;  &lt;p&gt;Recently went to visit an old fraternity buddy of mine.&amp;#160; Haven’t seen (or heard from) him in 19 years.&amp;#160; Wow, time really flies.&amp;#160; Luckily he found me in LinkedIn.&amp;#160; It was great visiting with him.&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8922687432911929746-7637851453646238083?l=identityvacuum.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityvacuum.blogspot.com/feeds/7637851453646238083/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=8922687432911929746&amp;postID=7637851453646238083' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8922687432911929746/posts/default/7637851453646238083'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8922687432911929746/posts/default/7637851453646238083'/><link rel='alternate' type='text/html' href='http://identityvacuum.blogspot.com/2011/09/hmm-windows-live-writer.html' title='Hmm. Windows Live Writer'/><author><name>Peter Jalaff</name><uri>http://www.blogger.com/profile/07436834279628363231</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://1.bp.blogspot.com/-Qxn_TJNwb_E/Tyb3KOmwGdI/AAAAAAAAADw/tRKgXMBFG34/s220/peter1.PNG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://lh6.ggpht.com/-jht0y0qi-a4/Tmg8Rsi3wkI/AAAAAAAAADA/0omliCtUQMU/s72-c/wlEmoticon-berightback%25255B2%25255D.png?imgmax=800' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8922687432911929746.post-1710892342652126361</id><published>2011-08-29T18:42:00.000-07:00</published><updated>2011-08-30T11:54:04.065-07:00</updated><title type='text'>FIM RCDC Tool</title><content type='html'>I'm sure most of you by now have had the chance to see how great the FIM Portal is. I remember when I first saw it; I couldn't believe how slick the interface looked. I thought, what a great place for a User Directory! How many times have clients asked for an interface that offered the ability to view employees, and even a place where employees can update some of their own information.&lt;br /&gt;&lt;br /&gt;To this day, I still feel this is one of the best selling points for the FIM Portal. However, clients are always looking to customize those pages and offer up possible attributes that aren't out of the box. 
FIM does let you extend the schema and then you can add those attributes to pages, or RCDCs, so those new attributes come through. Good stuff until you actually see what it looks like to edit the RCDC. As the song goes, 'Could make a grown man cry...'&lt;br /&gt;&lt;br /&gt;The way the RCDC looks and behaves is all done through XML and hence an XML file; an ugly, unforgiving and complicated file. After you play around with it for a while, you might finally figure out how it works. Unfortunately all it takes is a single typo and FIM barfs by not rendering the page and offers no explanation as to why it doesn't like what you did. Then it's a matter of going back over and over and over just to figure out what you did wrong. I've spent hours working on these, just making small changes each time to make sure it works. Unfortunately, it consumes a lot of time, especially if you're a consultant and it starts burning too many hours on the project. You wonder what Microsoft was thinking when they put FIM together and fell short on some easy way to manipulate these pages! Microsoft, always the king of wizard configurations and WYSIWYG GUIs.&lt;br /&gt;&lt;br /&gt;Recently I discovered a tool that does just that! It's a WYSIWYG tool that lets you manipulate RCDCs by dragging attributes around the page, and to other tabs. In addition, it offers easy-to-use wizards to add new attributes or tabs, or change the properties of existing attributes. After exporting the full FIM configuration, you load it into the tool, called RCDC Editor, and it loads the RCDC configuration and renders the page just as if it were the FIM Portal.
&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;a href="http://2.bp.blogspot.com/-B1l_9-7jDCA/TlxBetkRj3I/AAAAAAAAACc/Z5LHDGIRRLk/s1600/rcdc1.png"&gt;&lt;img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 320px; DISPLAY: block; HEIGHT: 167px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5646460028699381618" border="0" alt="" src="http://2.bp.blogspot.com/-B1l_9-7jDCA/TlxBetkRj3I/AAAAAAAAACc/Z5LHDGIRRLk/s320/rcdc1.png" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Now you can move things around anyway you wish. Once you're finished, you save the project and it creates the needed xml file to be imported back to FIM. Run IISreset and that's it, you're done! Imagine sitting there with your client and decided together exactly what they'd like to see in the FIM Portal.&lt;br /&gt;&lt;br /&gt;All the controls that are available in FIM are available through the RCDC Editor like: TextBox, Label, Check Box, Radio Button, etc. When adding new controls, the creators have tried to guide you in the right direction by pre-populating certain properties that you will probably want, this in turn makes using the tool that much easier and reduces the risk that the RCDC won't work. For example, let's say you created a new user attribute in the FIM database called 'User Laptop #', using the RCDC editor you click on Add New Control and you are offered a list of attributes that aren't currently used in the RCDC. You find 'User Laptop #' and click it, then decide what sort of control you want. Whether it's TextBox or MultiValue Control, etc, it immediately populates the control with what you might typically want, like Caption to be User Laptop #, and the Control Value to come from the FIM Database and from that actual attribute.
&lt;br /&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/-cPMH_-xMd9A/TlxB66u2qLI/AAAAAAAAACs/D3uLJ5MzEAc/s1600/rcdc3.png"&gt;&lt;img style="MARGIN: 0px 10px 10px 0px; WIDTH: 297px; FLOAT: left; HEIGHT: 149px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5646460513269754034" border="0" alt="" src="http://4.bp.blogspot.com/-cPMH_-xMd9A/TlxB66u2qLI/AAAAAAAAACs/D3uLJ5MzEAc/s320/rcdc3.png" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/-G6yIK7Pg2pE/TlxCyEq3b-I/AAAAAAAAAC0/54GrzZv6hV4/s1600/rcdc3.png"&gt;&lt;img style="MARGIN: 0px 0px 10px 10px; WIDTH: 307px; FLOAT: right; HEIGHT: 158px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5646461460830187490" border="0" alt="" src="http://2.bp.blogspot.com/-G6yIK7Pg2pE/TlxCyEq3b-I/AAAAAAAAAC0/54GrzZv6hV4/s320/rcdc3.png" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;Now that being said, it does have an advanced option that will allow you to change any attribute property you want. Of course at this point you're on your own whether it'll work on not. The tool will let you enter any sort of information or gibberish, at that point.&lt;br /&gt;&lt;br /&gt;Check it out, you can find it on www.tools4fim.com. You can download and play around with it, but until you buy a license, you can't save any of your work.&lt;br /&gt;&lt;br /&gt;One final trick up this tool's sleeve is the Resultant Rights Evaluator. This is a nifty way of querying FIM and lets you see who will, and will not have rights to certain RCDC attributes. You want to know who can see or modify attributes in the RCDC. You define the requestor and the target and it'll return whether that requestor can Create, Delete, Modify or Read, it's very granular. I'll talk more about this piece of the tool next time. 
&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8922687432911929746-1710892342652126361?l=identityvacuum.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityvacuum.blogspot.com/feeds/1710892342652126361/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8922687432911929746&amp;postID=1710892342652126361' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8922687432911929746/posts/default/1710892342652126361'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8922687432911929746/posts/default/1710892342652126361'/><link rel='alternate' type='text/html' href='http://identityvacuum.blogspot.com/2011/08/fim-rcdc-tool.html' title='FIM RCDC Tool'/><author><name>Peter Jalaff</name><uri>http://www.blogger.com/profile/07436834279628363231</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://1.bp.blogspot.com/-Qxn_TJNwb_E/Tyb3KOmwGdI/AAAAAAAAADw/tRKgXMBFG34/s220/peter1.PNG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-B1l_9-7jDCA/TlxBetkRj3I/AAAAAAAAACc/Z5LHDGIRRLk/s72-c/rcdc1.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8922687432911929746.post-8234665609692231444</id><published>2011-08-26T06:14:00.000-07:00</published><updated>2011-08-26T06:57:46.179-07:00</updated><title type='text'>OpenLDAP and password sync</title><content type='html'>Recently at a client's site and they wanted to flow passwords from AD to their OpenLDAP directory. 
&lt;br /&gt;&lt;br /&gt;Went out to SourceForge and downloaded their latest OpenLDAP XMA which can be found here: &lt;a href="http://sourceforge.net/projects/openldap-xma/"&gt;http://sourceforge.net/projects/openldap-xma/&lt;/a&gt;. Very impressed with it's packaging, just run the MSI installer and puts everything where it needs to be. Even includes some handy user guides. For the most part you configure according to the guides and it works. Except if you want to do password sync. Instead you get a warning 6901: The password extension does not implement the entry point.&lt;br /&gt;&lt;br /&gt;This will explain what you need to do to get the password sync functionality working. After cruising around I finally found an entry in the sourceforce forum where Randy Weimer mentions an error with password sync that he had to add some missing code. But this was May of 2010 (over a year ago), I'm sure this has been fixed - but it smells the same. Unfortunately it is the same issue. So here's what you have to do.&lt;br /&gt;&lt;br /&gt;1. download the code from Sourceforge which is not an intuitive task. Luckily Carrol explains it nicely here: &lt;a href="http://www.wapshere.com/missmiis/compiling-the-openldap-xma-to-use-with-fim-2010"&gt;http://www.wapshere.com/missmiis/compiling-the-openldap-xma-to-use-with-fim-2010&lt;/a&gt; Though it seems when you read her post there was no nice msi installer like there is now. But you can figure out how to get the latest code: Read Get the Right Source Code section.&lt;br /&gt;&lt;br /&gt;Now I did the rest on my laptop (without FIM installed). &lt;br /&gt;2. Open up the solution OpenLDAPXMA.sln in Visual Studio and choose the PasswordExtension.cs. Search for the following phrase&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;ConnectionSecurityLevel GetConnectionSecurityLevel&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;You'll find the function really doesn't do anything. 
so you'll need to comment out the throw statement and add a return statement within the function like this:&lt;br /&gt;&lt;br /&gt;&lt;em&gt;return ConnectionSecurityLevel.Secure;&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;See below for Randy's entry and the code.&lt;br /&gt;&lt;br /&gt;3 Add the missing reference.&lt;br /&gt;Since I was using my laptop, I needed to copy the Microsoft.MetadirectoryServicesEx.dll file from the FIM server over to my laptop. You can find it at ..\Microsoft Forefront Indentity Manager\2010\Synchronization Service\Bin\Assemblies\ folder.&lt;br /&gt;Then add it as a reference. Build the whole solution. Which by the way is just one file called OpenLDAPXMA.dll. There is no extra password DLL file as the user guide mentions.&lt;br /&gt;&lt;br /&gt;4. Put the newly compiled dll in the \extensions\ folder and that's it. All should work.&lt;br /&gt;&lt;br /&gt;If by chance you don't want to do through all this just contact me at my hotmail account (pjalaff).&lt;br /&gt;&lt;br /&gt;I want to give full credit to Carroll Wapshere - who has save me more times than I want to admit, and to Randy Weimer who figure'd out this bug. If anything this blog puts both pieces together.
&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Randy's original post: &lt;a href="http://sourceforge.net/tracker/?func=detail&amp;amp;aid=2996718&amp;amp;group_id=196847&amp;amp;atid=959098"&gt;http://sourceforge.net/tracker/?func=detail&amp;amp;aid=2996718&amp;amp;group_id=196847&amp;amp;atid=959098&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8922687432911929746-8234665609692231444?l=identityvacuum.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityvacuum.blogspot.com/feeds/8234665609692231444/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8922687432911929746&amp;postID=8234665609692231444' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8922687432911929746/posts/default/8234665609692231444'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8922687432911929746/posts/default/8234665609692231444'/><link rel='alternate' type='text/html' href='http://identityvacuum.blogspot.com/2011/08/openldap-and-password-sync.html' title='OpenLDAP and password sync'/><author><name>Peter Jalaff</name><uri>http://www.blogger.com/profile/07436834279628363231</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://1.bp.blogspot.com/-Qxn_TJNwb_E/Tyb3KOmwGdI/AAAAAAAAADw/tRKgXMBFG34/s220/peter1.PNG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8922687432911929746.post-9187491645681019739</id><published>2011-04-17T19:41:00.000-07:00</published><updated>2011-04-17T19:49:23.961-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='FIM'/><category scheme='http://www.blogger.com/atom/ns#' term='ERE'/><category 
scheme='http://www.blogger.com/atom/ns#' term='provisioning'/><title type='text'>troubleshooting EREs and provisioning</title><content type='html'>Just a quick note. I was having some problem with codeless provisioning and couldn't figure it out. The ERE was pending, it was being imported, and the user object was referenced. Searching through the internet, I found this little gem: &lt;a href="http://setspn.blogspot.com/2010/11/fim-troubleshooting-codeless.html"&gt;http://setspn.blogspot.com/2010/11/fim-troubleshooting-codeless.html&lt;/a&gt; Finally I figured out my FIM MA was the culprit. The AIF for the ERE attribute was missing from the user object. Added it back in and voilà, all is well.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8922687432911929746-9187491645681019739?l=identityvacuum.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityvacuum.blogspot.com/feeds/9187491645681019739/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8922687432911929746&amp;postID=9187491645681019739' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8922687432911929746/posts/default/9187491645681019739'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8922687432911929746/posts/default/9187491645681019739'/><link rel='alternate' type='text/html' href='http://identityvacuum.blogspot.com/2011/04/troubleshooting-eres-and-provisioning.html' title='troubleshooting EREs and provisioning'/><author><name>Peter Jalaff</name><uri>http://www.blogger.com/profile/07436834279628363231</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' 
src='http://1.bp.blogspot.com/-Qxn_TJNwb_E/Tyb3KOmwGdI/AAAAAAAAADw/tRKgXMBFG34/s220/peter1.PNG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8922687432911929746.post-3411148800712689415</id><published>2010-06-22T11:24:00.000-07:00</published><updated>2010-06-22T11:33:29.607-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security questions'/><category scheme='http://www.blogger.com/atom/ns#' term='FIM'/><category scheme='http://www.blogger.com/atom/ns#' term='SSPR'/><title type='text'>Security Questions</title><content type='html'>So now that I'm doing FIM, I must do all the new things FIM offers.  Before it was just attribute synchronization.  Now it's web design, workflow and self-service password reset, to name a few.  OK, it's fun learning new stuff.&lt;br /&gt;&lt;br /&gt;Right now I'm dealing with password reset and I've run across a new challenge: what else do you ask besides 'What's your mother's maiden name?' Ugh. So I checked my own bank's website; it had some good questions.  Checking the googlesphere doesn't reveal much.  Then one of my colleagues, Tom, suggested going to &lt;a href="http://www.goodsecurityquestions.com/"&gt;www.goodsecurityquestions.com&lt;/a&gt;. 
This is a great place to get started and to tell good questions from bad ones; it also has some great examples.&lt;br /&gt;Enjoy!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8922687432911929746-3411148800712689415?l=identityvacuum.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityvacuum.blogspot.com/feeds/3411148800712689415/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8922687432911929746&amp;postID=3411148800712689415' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8922687432911929746/posts/default/3411148800712689415'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8922687432911929746/posts/default/3411148800712689415'/><link rel='alternate' type='text/html' href='http://identityvacuum.blogspot.com/2010/06/security-questions.html' title='Security Questions'/><author><name>Peter Jalaff</name><uri>http://www.blogger.com/profile/07436834279628363231</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://1.bp.blogspot.com/-Qxn_TJNwb_E/Tyb3KOmwGdI/AAAAAAAAADw/tRKgXMBFG34/s220/peter1.PNG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8922687432911929746.post-2868421416084287940</id><published>2009-09-22T08:20:00.000-07:00</published><updated>2009-09-22T08:42:32.467-07:00</updated><title type='text'>Request for the ILM product Team</title><content type='html'>So here I am, pounding away at creating a synchronization solution for a client.  
One of the last things you might want to do before committing a bunch of changes to their directory is verify the pending exports before you actually export.&lt;br /&gt;&lt;br /&gt;Now there is functionality to do that: searching the connector space and filtering for pending exports.  But anyone who has used this knows that the window where the results are shown is small and you have to scroll through them to view more than a few objects at a time.  Not very handy if you have a lot of changes going on.  To make things worse, there's no 'Save to a file' button anywhere so you can review this table in something more comfortable like Excel.  Now that's not totally true, because there is a CSExport.exe tool in the ...\bin\ folder that you can use to create a file.  Unfortunately the file is XML.  What am I supposed to do with a 90 meg XML file that has over 250,000 changes in it???  And why is this even in XML format anyway? I would love to know what they were thinking when they decided to make it XML.  Why not make it a text or CSV format, I say.  So I take this huge XML file and try to open it; the only application I know that opens it in a way that will ultimately make sense to me is Excel.  You wanna know how long it takes to open a file of this size? No you don't...  OK, it takes about 30-45 minutes and it pretty much uses all the resources on the computer too, so I can't do much else but wait around and think about writing a blog about it.  
Once it finally finishes I save it in &lt;span id="SPELLING_ERROR_3" class="blsp-spelling-error"&gt;TXT&lt;/span&gt; for &lt;span id="SPELLING_ERROR_4" class="blsp-spelling-error"&gt;XLS&lt;/span&gt; format, then it opens in a jiffy next time.&lt;br /&gt;&lt;br /&gt;So here's my ask, &lt;span id="SPELLING_ERROR_5" class="blsp-spelling-error"&gt;ILM&lt;/span&gt; product team:  Can you put a button on the GUI search result window that allows users to export that result into a file?  And give us options with file formats, just like we've become accustomed to in the past with every other product Microsoft offers.  At the very  least, if you won't put a button on the &lt;span id="SPELLING_ERROR_6" class="blsp-spelling-error"&gt;ILM&lt;/span&gt; &lt;span id="SPELLING_ERROR_7" class="blsp-spelling-error"&gt;UI&lt;/span&gt;, would you could you please allow for different file formats in the &lt;span id="SPELLING_ERROR_8" class="blsp-spelling-error"&gt;CSExport&lt;/span&gt;.&lt;span id="SPELLING_ERROR_9" class="blsp-spelling-error"&gt;exe&lt;/span&gt; tool?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8922687432911929746-2868421416084287940?l=identityvacuum.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityvacuum.blogspot.com/feeds/2868421416084287940/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8922687432911929746&amp;postID=2868421416084287940' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8922687432911929746/posts/default/2868421416084287940'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8922687432911929746/posts/default/2868421416084287940'/><link rel='alternate' type='text/html' href='http://identityvacuum.blogspot.com/2009/09/request-for-ilm-product-team.html' 
title='Request for the ILM product Team'/><author><name>Peter Jalaff</name><uri>http://www.blogger.com/profile/07436834279628363231</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://1.bp.blogspot.com/-Qxn_TJNwb_E/Tyb3KOmwGdI/AAAAAAAAADw/tRKgXMBFG34/s220/peter1.PNG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8922687432911929746.post-4128135292562747770</id><published>2009-04-24T06:29:00.000-07:00</published><updated>2009-04-24T07:00:54.959-07:00</updated><title type='text'>If Edgar Allan Poe only knew computer security</title><content type='html'>This is the winning entry from the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;RSA&lt;/span&gt; Conference's - Prose like Poe's Poetry Contest.  This entry comes from Jamie Armstrong.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;The Salesman&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Once upon more &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;malware&lt;/span&gt; nested, while I reflected broken and bested,&lt;br /&gt;Over many hacks and attacks and safeguards that failed,&lt;br /&gt;While I worried, clearly nervous, succumbed by relentless denials of service,&lt;br /&gt;My blackberry did chirp with purpose - apprising me of new email,&lt;br /&gt;"&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;Tis&lt;/span&gt; some salesman" I muttered, surprising me with new email -&lt;br /&gt;Only a salesman with products for sale.&lt;br /&gt;&lt;br /&gt;But the caller, with his expertise, was soon to put my mind at ease,&lt;br /&gt;That one meeting, all his knowledge in that one meeting he did convey,&lt;br /&gt;He spoke of technical innovation - providing for security and prevention,&lt;br /&gt;Access controls and authentication: hackers be gone, intruders away,&lt;br /&gt;Sound the alerts of penetration: viruses contained, worms done away,&lt;br /&gt;The threats of tomorrow 
addressed today.&lt;br /&gt;&lt;br /&gt;Congratulations Jamie!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8922687432911929746-4128135292562747770?l=identityvacuum.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityvacuum.blogspot.com/feeds/4128135292562747770/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8922687432911929746&amp;postID=4128135292562747770' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8922687432911929746/posts/default/4128135292562747770'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8922687432911929746/posts/default/4128135292562747770'/><link rel='alternate' type='text/html' href='http://identityvacuum.blogspot.com/2009/04/if-edgar-allan-poe-only-knew-computer.html' title='If Edgar Allan Poe only knew computer security'/><author><name>Peter Jalaff</name><uri>http://www.blogger.com/profile/07436834279628363231</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://1.bp.blogspot.com/-Qxn_TJNwb_E/Tyb3KOmwGdI/AAAAAAAAADw/tRKgXMBFG34/s220/peter1.PNG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8922687432911929746.post-5930345848006957036</id><published>2009-03-30T15:29:00.000-07:00</published><updated>2009-04-06T08:49:20.784-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='TEC'/><category scheme='http://www.blogger.com/atom/ns#' term='ILMv2'/><category scheme='http://www.blogger.com/atom/ns#' term='ILM'/><title type='text'>ILM2 delay - say it ain't so</title><content type='html'>Lots of people were caught off guard when it was announced at&lt;a href="http://www.tec2009.com/vegas/index.php"&gt; &lt;span 
class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;TEC&lt;/span&gt; &lt;/a&gt;that &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;ILMv&lt;/span&gt;2 is going to be delayed. It wasn't so much the idea of a delay, as everyone is pretty much used to product releases being delayed by a month or so. The weeping and gnashing of teeth is due to the fact that &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;ILMv&lt;/span&gt;2 won't be released till Q1 of 2010 - that's a year, not a month.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Talk about an identity vacuum... (I'm glad I was able to connect a topic to the name of my blog - he he)&lt;br /&gt;&lt;br /&gt;Speaking to clients on a daily basis, most are in disbelief about this decision by Microsoft. Some clients are scrambling to figure out how to deal with this delay. Many vendors are doing similar shuffles due to this delay too. Selling &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_3"&gt;ILM&lt;/span&gt; services, as I did in my past life, is proving to be somewhat difficult right now because clients aren't sure what to do. I know lots of &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_4"&gt;ISVs&lt;/span&gt; that add value to both &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_5"&gt;ILM&lt;/span&gt; and &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_6"&gt;ILMv&lt;/span&gt;2, and it'll be interesting to see how they adapt to this news.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;I'm sure Microsoft thought long and hard before making this sort of a big decision, I trust it'll pay off for them in the long run. 
I hope the IDA sales team can hold out till then.&lt;br /&gt;Here's the news from Microsoft &lt;a href="http://blogs.technet.com/stbnewsbytes/archive/2009/03/24/identity-lifecycle-manager-2-schedule-update.aspx"&gt;http://blogs.technet.com/stbnewsbytes/archive/2009/03/24/identity-lifecycle-manager-2-schedule-update.aspx&lt;/a&gt;&lt;br /&gt;Thanks to Richard Blackham for pointing this out. (Updated 4/6/09)&lt;br /&gt;&lt;br /&gt;Here's what other &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_7"&gt;bloggers&lt;/span&gt; are saying about it: (&lt;a href="http://www.wapshere.com/missmiis/?p=387"&gt;http://www.wapshere.com/missmiis/?p=387&lt;/a&gt; , &lt;a href="http://jacksonshaw.blogspot.com/"&gt;http://jacksonshaw.blogspot.com/&lt;/a&gt;).&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8922687432911929746-5930345848006957036?l=identityvacuum.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityvacuum.blogspot.com/feeds/5930345848006957036/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8922687432911929746&amp;postID=5930345848006957036' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8922687432911929746/posts/default/5930345848006957036'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8922687432911929746/posts/default/5930345848006957036'/><link rel='alternate' type='text/html' href='http://identityvacuum.blogspot.com/2009/03/ilm2-delay-say-it-aint-so.html' title='ILM2 delay - say it ain&apos;t so'/><author><name>Peter Jalaff</name><uri>http://www.blogger.com/profile/07436834279628363231</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' 
src='http://1.bp.blogspot.com/-Qxn_TJNwb_E/Tyb3KOmwGdI/AAAAAAAAADw/tRKgXMBFG34/s220/peter1.PNG'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8922687432911929746.post-4716001568650206798</id><published>2009-03-13T07:01:00.000-07:00</published><updated>2009-03-13T07:03:09.435-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Jon Stewart'/><category scheme='http://www.blogger.com/atom/ns#' term='Jim Cramer'/><title type='text'>The Daily Show Musings</title><content type='html'>Jon Stewart interviews Jim Cramer from Mad Money on CNBC.  It really is a strange world when CNBC can be described as a circus side show and Comedy Central does the serious reporting…&lt;br /&gt;&lt;br /&gt;It’s a 3 part episode that’s un-edited.  Absolutely great television.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.dailykostv.com/w/000988/"&gt;http://www.dailykostv.com/w/000988/&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8922687432911929746-4716001568650206798?l=identityvacuum.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityvacuum.blogspot.com/feeds/4716001568650206798/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8922687432911929746&amp;postID=4716001568650206798' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8922687432911929746/posts/default/4716001568650206798'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8922687432911929746/posts/default/4716001568650206798'/><link rel='alternate' type='text/html' href='http://identityvacuum.blogspot.com/2009/03/daily-show-musings.html' title='The Daily Show Musings'/><author><name>Peter 
Jalaff</name><uri>http://www.blogger.com/profile/07436834279628363231</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://1.bp.blogspot.com/-Qxn_TJNwb_E/Tyb3KOmwGdI/AAAAAAAAADw/tRKgXMBFG34/s220/peter1.PNG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8922687432911929746.post-6508129841882213937</id><published>2009-03-10T15:04:00.001-07:00</published><updated>2009-03-10T15:04:44.395-07:00</updated><title type='text'>Amazing! I can post a blog from MS Word</title><content type='html'>&lt;span xmlns=''&gt;&lt;p&gt;Just had a conversation with one of the folks at Hitachi-ID.  They seem to be positioning themselves to go after the big boys; like IBM and Oracle. I don't think they have all the pieces yet to compete head to head with the likes of Larry Ellison.  I'll be very interested to see how things shape up for the former M-Tech company.  I do like some of their products such as their P-Synch app, it has lots of great connectors to most apps in the field.  
I do get confused that they are re-branding their products to new names – uggh… I'll keep an eye on these guys and see what happens.&lt;br /&gt;&lt;/p&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8922687432911929746-6508129841882213937?l=identityvacuum.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityvacuum.blogspot.com/feeds/6508129841882213937/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8922687432911929746&amp;postID=6508129841882213937' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8922687432911929746/posts/default/6508129841882213937'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8922687432911929746/posts/default/6508129841882213937'/><link rel='alternate' type='text/html' href='http://identityvacuum.blogspot.com/2009/03/amazing-i-can-post-blog-from-ms-word.html' title='Amazing! 
I can post a blog from MS Word'/><author><name>Peter Jalaff</name><uri>http://www.blogger.com/profile/07436834279628363231</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://1.bp.blogspot.com/-Qxn_TJNwb_E/Tyb3KOmwGdI/AAAAAAAAADw/tRKgXMBFG34/s220/peter1.PNG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8922687432911929746.post-7691593965280889679</id><published>2009-02-26T18:19:00.000-08:00</published><updated>2009-02-26T18:44:39.432-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security identitymanagement'/><title type='text'>Break in at U of Florida</title><content type='html'>I read the article today about 3 break-ins at the U of Florida &lt;a href="http://www.networkworld.com/news/2009/022309-three-months-three-breaches-at.html?nlhtident=rn_022509&amp;amp;nladname=022509security:identitymanagemental"&gt;http://www.networkworld.com/news/2009/022309-three-months-three-breaches-at.html?nlhtident=rn_022509&amp;amp;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;nladname&lt;/span&gt;=022509security:&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;identitymanagemental&lt;/span&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I find it incredible, partly because they have such a great team in the IT department. In reality, it's hard to watch everything all the time. Even having all the greatest staff and good security equipment, it comes down to the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;weakest&lt;/span&gt; link. One break-in was due to really, really old equipment - back from 1996. That one got fixed pretty quick. I'm glad to see they took the corrective steps, and reported it also.&lt;br /&gt;&lt;br /&gt;Reporting security break-ins should be mandatory. I'm from the camp that believes all break-ins should be reported and not hidden. 
It allows the community at large to know about their own personal data, while holding institutions responsible. I'm not just talking about the University as much as I'm talking about corporate America. In California, there was a law passed requiring companies to disclose break-ins. If it wasn't for that, companies like &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_3"&gt;ChoicePoint&lt;/span&gt;, &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_4"&gt;Citigroup&lt;/span&gt; and &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_5"&gt;LexisNexis&lt;/span&gt; would have no reason to report on the break-ins they had. At the end of the day these laws help by putting the spotlight on these mistakes and this motivates them to stop the bad press.&lt;br /&gt;&lt;br /&gt;Like most IT investments, security can be boiled down to ROI. Is it worth it for the company to spend a bunch of money to secure the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_6"&gt;public's&lt;/span&gt; data? 
Bad press resulting in lower stocks is &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_7"&gt;definitely&lt;/span&gt; an ROI driver.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8922687432911929746-7691593965280889679?l=identityvacuum.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityvacuum.blogspot.com/feeds/7691593965280889679/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8922687432911929746&amp;postID=7691593965280889679' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8922687432911929746/posts/default/7691593965280889679'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8922687432911929746/posts/default/7691593965280889679'/><link rel='alternate' type='text/html' href='http://identityvacuum.blogspot.com/2009/02/break-in-at-u-of-florida.html' title='Break in at U of Florida'/><author><name>Peter Jalaff</name><uri>http://www.blogger.com/profile/07436834279628363231</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://1.bp.blogspot.com/-Qxn_TJNwb_E/Tyb3KOmwGdI/AAAAAAAAADw/tRKgXMBFG34/s220/peter1.PNG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8922687432911929746.post-2528748091629931356</id><published>2009-01-15T07:23:00.000-08:00</published><updated>2009-01-15T07:29:49.437-08:00</updated><title type='text'>Security in Politics</title><content type='html'>&lt;a href="http://2.bp.blogspot.com/_NuK-s6voVcM/SW9Voe1jHsI/AAAAAAAAAB4/6Z9EDn6vEKE/s1600-h/bush-security.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5291542241144413890" style="WIDTH: 320px; CURSOR: hand; HEIGHT: 218px" alt="" 
src="http://2.bp.blogspot.com/_NuK-s6voVcM/SW9Voe1jHsI/AAAAAAAAAB4/6Z9EDn6vEKE/s320/bush-security.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Caption says 'Security upgrades are now in place for all Bush press conferences'&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8922687432911929746-2528748091629931356?l=identityvacuum.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityvacuum.blogspot.com/feeds/2528748091629931356/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8922687432911929746&amp;postID=2528748091629931356' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8922687432911929746/posts/default/2528748091629931356'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8922687432911929746/posts/default/2528748091629931356'/><link rel='alternate' type='text/html' href='http://identityvacuum.blogspot.com/2009/01/security-in-politics.html' title='Security in Politics'/><author><name>Peter Jalaff</name><uri>http://www.blogger.com/profile/07436834279628363231</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://1.bp.blogspot.com/-Qxn_TJNwb_E/Tyb3KOmwGdI/AAAAAAAAADw/tRKgXMBFG34/s220/peter1.PNG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_NuK-s6voVcM/SW9Voe1jHsI/AAAAAAAAAB4/6Z9EDn6vEKE/s72-c/bush-security.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8922687432911929746.post-344316145114534874</id><published>2009-01-15T05:57:00.000-08:00</published><updated>2009-01-15T07:31:00.835-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='identity validation'/><category 
scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Intro to Bruce Schneier</title><content type='html'>Back in 2000, Microsoft was getting hammered for its lack of security. At the time I was working for the Exchange team focused on Key Management Server (or KMS). This was functionality used by Exchange to offer signed and encrypted emails to users in the system. Because of all the bad publicity at Microsoft, there was a push from upper management (I mean way up high) to get better at security. Some of you may remember when Microsoft stopped coding for a while to better their security. This wasn't just PR, but it was something they believed in. So because I worked on signed and encrypted email, that meant I knew something about security (which I didn't). I got drafted to the newly formed Exchange Security team. Actually it was a lot of fun. I got to learn new concepts and think in ways I wasn't used to.&lt;br /&gt;&lt;br /&gt;I attended a seminar on security from some outside guy. This was Bruce, he was definitely a geek, he knew what he was talking about. The best thing about him was that he dogged Microsoft - in their own house. I thought that was ballsy. I immediately became a fan, read his books and joined his monthly newsletter. I like how he explained security in his books. He took abstract security concepts and brought them down to everyday tangible examples. The telltale sign that someone really knows what they're talking about is when they can break it down in terms that even a child can understand. Not that techno-babble speak we all hear from time to time.&lt;br /&gt;&lt;br /&gt;So in the end, Microsoft came out a bit more secure. Some may debate to what extent though. I came out of this a bit wiser when it came to software testing. 
Identity management is a small slice of the security pie, and I would argue that not understanding the overall security implications undermines any IdM system.&lt;br /&gt;&lt;br /&gt;Bruce has a monthly newsletter that I would recommend to everyone. &lt;a href="http://www.schneier.com/crypto-gram.html"&gt;http://www.schneier.com/crypto-gram.html&lt;/a&gt;. In this latest issue he talks about impersonation - very relevant to IdM. It can also be found &lt;a href="http://online.wsj.com/article/SB123125633551557469.html"&gt;here&lt;/a&gt;. There's been some talk lately about OpenID, I think the ability to validate one's ID will decide how viable OpenID will be.&lt;br /&gt;&lt;br /&gt;Finally, more on the musings topic than IdM, a great article on the NSA can be found &lt;a href="http://sacurrent.com/news/story.asp?id=69490"&gt;here&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8922687432911929746-344316145114534874?l=identityvacuum.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityvacuum.blogspot.com/feeds/344316145114534874/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8922687432911929746&amp;postID=344316145114534874' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8922687432911929746/posts/default/344316145114534874'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8922687432911929746/posts/default/344316145114534874'/><link rel='alternate' type='text/html' href='http://identityvacuum.blogspot.com/2009/01/intro-to-bruce-schneier.html' title='Intro to Bruce Schneier'/><author><name>Peter Jalaff</name><uri>http://www.blogger.com/profile/07436834279628363231</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' 
width='32' height='27' src='http://1.bp.blogspot.com/-Qxn_TJNwb_E/Tyb3KOmwGdI/AAAAAAAAADw/tRKgXMBFG34/s220/peter1.PNG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8922687432911929746.post-7405300122572260879</id><published>2008-12-30T15:03:00.000-08:00</published><updated>2008-12-30T15:43:11.060-08:00</updated><title type='text'>Virtual Directories and Meta Directories</title><content type='html'>&lt;span style="color:#000000;"&gt;I just got done reading Jeff's post&lt;/span&gt; (&lt;a href="http://idlogger.wordpress.com/2008/03/22/which-is-better-phillips-or-flat-head/"&gt;http://idlogger.wordpress.com/2008/03/22/which-is-better-phillips-or-flat-head/&lt;/a&gt;  )  on &lt;span style="color:#000000;"&gt;the topic at hand, entitled well enough "Which is better Phillips or Flat-head?"&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#000000;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#000000;"&gt;I not only agree with Jeff, but let's take it to another level. Sometimes you can use a phillips or a flat-head interchangeably, which is the case sometimes with Virtual vs Meta. But many a time you can't interchange them. I've been learning a bit about virtual directories lately thanks to Mike Brengs and his team from Optimal IDM. Here are a few differences to share right now.&lt;/span&gt;&lt;br /&gt;&lt;p&gt;&lt;span style="color:#000000;"&gt;When to use a virtual directory:&lt;br /&gt;1- Use it as a proxy. What if you aren't allowed (or can't) query directly against AD? Meta directories shouldn't do this.&lt;/span&gt;&lt;/p&gt;&lt;br /&gt;&lt;span style="color:#000000;"&gt;2- Extend the schema. Yea like ADAM, but it won't take weeks to set up.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#000000;"&gt;3- Creating single views that update immediately. Similar to meta directories, data can be brought together in many different ways. 
Unlike meta directories that poll connected sources in intervals, virtual directories can meet client requirements that need immediate results.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#000000;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#000000;"&gt;Here's something that meta directories must be used for and not virtual directories: provisioning and de-provisioning user accounts. This is one of the main pushes for meta directory technology and it still holds true, especially de-provisioning. Now some vendors have added a sync engine to their virtual directory product so it can do both. Which is fine, but then call it what it is.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#000000;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#000000;"&gt;As I continue to understand more about virtual directory technology I'll include it here. &lt;/span&gt;&lt;br /&gt;&lt;span style="color:#000000;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="color:#000000;"&gt;Does anyone agree / disagree or can add more to this?&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8922687432911929746-7405300122572260879?l=identityvacuum.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityvacuum.blogspot.com/feeds/7405300122572260879/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8922687432911929746&amp;postID=7405300122572260879' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8922687432911929746/posts/default/7405300122572260879'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8922687432911929746/posts/default/7405300122572260879'/><link rel='alternate' type='text/html' 
href='http://identityvacuum.blogspot.com/2008/12/virtual-directories-and-meta.html' title='Virtual Directories and Meta Directories'/><author><name>Peter Jalaff</name><uri>http://www.blogger.com/profile/07436834279628363231</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://1.bp.blogspot.com/-Qxn_TJNwb_E/Tyb3KOmwGdI/AAAAAAAAADw/tRKgXMBFG34/s220/peter1.PNG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8922687432911929746.post-4588368197782562178</id><published>2008-12-04T10:05:00.000-08:00</published><updated>2008-12-04T15:48:44.786-08:00</updated><title type='text'>Hello all</title><content type='html'>My name is Peter Jalaff and this is my first blog.  I've heard / read so much about them, thinking how cool is that - you can write down your thoughts so others can read them. Then I vacillated between how cool, and do others really care about my thoughts??? time will tell...&lt;br /&gt;&lt;br /&gt;My background includes working in the IT field for over 10 years, most recently in the Identity Management field for the past 2 years.  Back in 1996 I realized how bored I was while working for a copier company.  The company was good to me and I sold enough copiers for a decent living, at the time.  I kept picturing myself as a gorilla in a suit and tie, slinging copier machines around.  I wanted something more.  So I decided to study and get certified in Visual Basic.  I already knew BASIC way back from high school days - How much harder could it be?  After studying for over a year, I finally got certified.  Living in Pensacola I couldn't find a job without experience.  So I started searching nationally and finally I got a job with Microsoft as a contractor.  I had one year to prove myself as a tester on the Exchange team.  So I rented a U-Haul packed what few things my wife, daughter and myself had and drove cross country.  
I felt like the Beverly Hillbillies, but it was a fun yet tiring trip. &lt;br /&gt;&lt;br /&gt;Once on the job, I learned all about Active Directory and Exchange 5.5 and 2000.  All about software testing and drinking micro-brewed beers.  I even used my VB training to create some cool testing software. I was really proud of myself that I created something that others on the team were using. I guess they liked me enough that they asked me to stay full time.  It was the best job I ever had.  The Exchange team really treated its people well.  We had parties and they would buy beer on Fridays, they would take us all to the movies.  I remember seeing Austin Powers - Man of Mystery with everyone.  This lasted for 3 years.&lt;br /&gt;&lt;br /&gt;That's enough for right now.  I'll continue my story at a later time.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8922687432911929746-4588368197782562178?l=identityvacuum.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityvacuum.blogspot.com/feeds/4588368197782562178/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8922687432911929746&amp;postID=4588368197782562178' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8922687432911929746/posts/default/4588368197782562178'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8922687432911929746/posts/default/4588368197782562178'/><link rel='alternate' type='text/html' href='http://identityvacuum.blogspot.com/2008/12/hello-all.html' title='Hello all'/><author><name>Peter Jalaff</name><uri>http://www.blogger.com/profile/07436834279628363231</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' 
src='http://1.bp.blogspot.com/-Qxn_TJNwb_E/Tyb3KOmwGdI/AAAAAAAAADw/tRKgXMBFG34/s220/peter1.PNG'/></author><thr:total>2</thr:total></entry></feed>
