I was thinking of something a little more robust than ADUC with extensions. 
More of a combination of ADUC, DSSITES, ADSIEDIT, Schema Manager, and some 
yet to be publicly seen ADAM specific management stuff. Maybe some form of tie 
in to MIIS/IIFP/ADAMSynch for easily configuring those products so you don't 
have to hurt your forehead slamming the wall.

I understand the desire for extension capability but even there, how many 
people are actually taking advantage of it? Yes it is a pain now for ADUC but 
it exists and if people wanted to use it bad enough, they would figure it out. 
Next question, how do you do EASY extension capability that is flexible and 
powerful and useable? Add to that not requiring people to use NET to do things. 
I haven't completely shut the door on NET but it is bottom of the pile for 
things I want to do or require. I have had way too many people write me (some 
of whom I even respect) and say that one of the beautiful things about my code 
is that I am not using/requiring NET. 

I feel similar when I hear people say that NET and MONAD are going to make most 
everyone scripters and programmers. I think we will see Australian Ice Hockey 
becoming the next great global sport before we see everyone or even a majority 
of admins becoming scripters and programmers with NET unless MSFT dumbs it down 
considerably more, the object model is enough to scare most people away. Don't 
get me wrong, I think NET is going to be popular, just like JAVA was/is. But 
there are a lot of coders who won't go near it. 

So the next question is.... What kind of extension model do you go with? 
Honestly it would have to be some RAD drag and drop with field tweak kind of 
extension in my opinion. I would visualize you saying ADD TAB, then laying out 
the form the way you like to see data, specifying the attribute to be displayed 
in the various fields and specifying HOW it should be displayed with the schema 
being used to determine a default and possibly helping control what other ways 
it could be displayed. Possibly adding in data rules that control what can be 
typed in the fields (like forcing a phone to fit to (xxx)xxx-xxxx or something 
(yes I know I just pissed off every international person with that example... 
It was an example)). 

Possibly it would have some ability to call out to external pieces but most likely 
not because that just adds all sorts of stability and supportability issues. Of 
course that would piss off some folks who want to integrate some custom NET 
code or whatever but again I think that would be the minority of the folks. If 
someone is so good with NET, they are going to write their own tools anyway. 
Otherwise they are just playing with it and you don't want someone playing with 
NET writing extensions for your application, it would be a nightmare to support 
for a large company let alone someone small like me, myself, and I. 

So interesting. I expected more suggestions, are people just not really using 
ADAM yet or is everyone just happy with the command line tools they are using 
for it?

  joe



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Sunday, April 30, 2006 12:45 PM
To: ActiveDir@mail.activedir.org
Subject: Re: Re: [ActiveDir] ADAM Management Tool REQs and Desires...... WAS: 
Internet Authentication Concepts: Pointers?

That really is the point of ADAM, isn't it? To be flexible and highly 
customizable?


I have to agree with JoeK on this: it needs to be extensible in keeping with 
ADAM's charter.

Some of the basics would be cool, but then how do you make sense of an object 
in a customized directory unless you have a way to a) read it and b) get some 
sort of manifest that tells you the meaning and c) maps it for you to your 
task? To my knowledge, there is no standards based definition in that sense.  I 
can pick whatever I want to be a <insert type> object and define whatever rules 
I want as well.  How would a tool know that?

To make it easily extensible, i.e. create a totally easy language that plugs 
into a console would go a lot further in my opinion, than trying to capture an 
ADAM management tool that goes beyond ADSIEDIT/ldp.
Today, it's write your own, or make do.  I'm sure some of that will continue, 
but having the ability to easily write your own and plug it into a well thought 
out graphical based administration system might be useful to some. At the 
least, I'm sure it would differentiate ADAM from other lightweight ldap 
directories that run on more platforms ;-)

-ajm


On 4/29/06, Joe Kaplan <[EMAIL PROTECTED]> wrote:
> The difficulty with building a tool like this is that it is a huge 
> leap to go from a low level editing tool like ADSI Edit to a high 
> level, task-based UI like ADUC.  The problem is that it is nearly 
> impossible to infer the semantic meaning of attributes in the 
> directory in a generic way such that you can have objects with 
> arbitrary schema.  It is already hard enough just to come up with 
> reasonable text and graphical views of all the random binary data that 
> a directory can store.  For example, your directory might store GUIDs, 
> X509Certificates and JPEGs, but the schema only knows it is binary 
> data.  Unless you have a hard-coded list somewhere, it is hard to do 
> anything with it besides showing you the raw bytes (which is almost never 
> interesting to most people).
>
> As such, you kind of need to either come up with a UI that just 
> provides some compelling task-based features for a very narrow schema 
> that ships with the product and/or provide a really well-conceived 
> extensibility mechanism that allows easy declarative construction of 
> useful UI features with minimal coding (or you'll scare away the 
> non-coders).  Doing something like that successfully is a pretty huge 
> undertaking, no matter what presentation framework you choose (web, CLI, 
> Windows, etc.).
>
> Personally, I think the answer for this type of tool lies with the 
> whole managed code/Monad-based MMC thing that is coming.  It will 
> significantly lower the bar to getting custom extensions into the UI 
> and hopefully create a new eco-system of useful tools that vary from 
> universally needed to extremely domain-specific.
>
> That said, there are probably some tools that we really need for ADAM 
> that would be hard for most of us besides Joe to write.  I'm not 
> entirely sure what the sweet spot is though.
>
> Joe K.
> ----- Original Message -----
> From: Jef Kazimer
> To: ActiveDir@mail.activedir.org
> Sent: Friday, April 28, 2006 4:26 PM
> Subject: RE: Re: [ActiveDir] ADAM Management Tool REQs and Desires......
> WAS: Internet Authentication Concepts: Pointers?
>
>
> Ok....
>
> So are you thinking winForm Gui?  Web? MMC?  Console? I know you like 
> command line....but ad I hear there are some great tools already in 
> existence. :)
>
> ADSIedit is great for MOST things, but I would fear giving it to a 
> helpdesk guy, or an application admin who has no idea what LDAP really 
> is.  They just want an Identity store.
>
> Soo....
>
> Something that abstracts the user from LDAP (OUs, DNs, etc....scary 
> stuff!) but shows them as a simple TreeView of the directory
>
> Management templates that glean data from the defined Schema and are
> customizeable.   Since ADAM can have a very custom Schema, the tool would
> need to be flexible to accommodate that.  IE select the Dog object, 
> and be able to modify the Neutered boolean attribute.
>
> These templates should be customizable in a simple fashion that does 
> not require extensive development knowledge :)
>
> Build in basic routines for common functions like password reset, etc.
>
> I guess a more customizeable ADUC for ADAM :)
>
>
> Maybe the name should be "theWelch" since Jerry said "ME!"?
>
>
> From: [EMAIL PROTECTED]
> To: ActiveDir@mail.activedir.org
> Subject: RE: Re: [ActiveDir] ADAM Management Tool REQs and Desires......
> WAS: Internet Authentication Concepts: Pointers?
> Date: Fri, 28 Apr 2006 16:38:16 -0400
>
>
> I am not quite sure what question that response was intended to answer....
>
> Was that, you would like a good ADAM management tool? If so, describe 
> that tool. If Murray isn't happy, we can take it offlist. I can do 
> this through personal email or spin up a forum on my website for it. I 
> am very interested in hearing what people think is needed. I was told 
> the perfect name for the tool over a year ago, I just haven't written 
> the tool to go with the name yet. At some point I will have to do 
> something with it. :)
>
>
> --
> O'Reilly Active Directory Third Edition - 
> http://www.joeware.net/win/ad3e.htm
>
>
>
>
>
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Jerry Welch
> Sent: Friday, April 28, 2006 4:21 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: Re: [ActiveDir] ADAM Management Tool REQs and Desires......
> WAS: Internet Authentication Concepts: Pointers?
>
>
> ME !
>
> Jerry Welch
> CPS Systems
> US/Canada: 888-666-0277
> International: +1 703 827 0919 (-5 GMT) IP Phone (Skype):  Jerry_Welch  
> ( www.skype.net )
> IP Phone (VOIP):   Jerry_Welch   ( www.voipstunt.com )
> VOIP to Landline:   callto:+1-703-827-0919
>
>
>
>
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Friday, April 28, 2006 3:46 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: Re: [ActiveDir] ADAM Management Tool REQs and Desires......
> WAS: Internet Authentication Concepts: Pointers?
>
>
> I have some curiosity in this realm...
>
> What would everyone consider good things and requirements for an ADAM 
> management tool. Even assuming, cough, GUI.
>
>  joe
>
> --
> O'Reilly Active Directory Third Edition - 
> http://www.joeware.net/win/ad3e.htm
>
>
>
>
>
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
> Sent: Friday, April 28, 2006 10:01 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: Re: [ActiveDir] Internet Authentication Concepts: Pointers?
>
>
> Since it is "LDAP" I did look at some "friendlier" admin tools, but none
> really hit the mark for me.   I believed that group looked at Softerra's
> tool,  and there is the web based PHP LDAP manager, and also the C# 
> LDAP manager tool.  You can Live search the names or I can post the 
> links here if you want.
>
> In the end I wrote my own as a .NET web app since I found them lacking.
> Yet as I said if I want to go global,  I don't know if I want to 
> position what I wrote without some major changes. :)
>
> J
>
>
>
>
>
> Subject: RE: Re: [ActiveDir] Internet Authentication Concepts: Pointers?
> Date: Fri, 28 Apr 2006 09:44:55 -0400
> From: [EMAIL PROTECTED]
> To: ActiveDir@mail.activedir.org
>
>
> That's a very good point.  Does anyone know of any 3rd parties which 
> improve the ADAM administrative UI "experience"?
>
>
> J. Fitzgerald (Fitz) Stewart
> Systems Architect
> IRM/OPS/ENM
> Worldwide Information Network Systems
> USAID/DoS IT Infrastructure Collaboration Program 
> [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> 
> [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> 703-866-7473
> 703-626-5741 (cell)
>
>
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
> Sent: Friday, April 28, 2006 9:27 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: Re: [ActiveDir] Internet Authentication Concepts: Pointers?
>
> Mylo,
>
> Thanks for the information!
>
> I have setup ADAM utilizing a custom web UI utilizing AZman for a 
> small project before, but I have concerns about scalability.  The 
> issues are not with the ADAM instance at all, but the UI that is needed to 
> manage ADAM.
> ADSIedit is great for someone who understands the directory, but it's 
> not that user friendly for web application owners, helpdesk, etc.  
> This was for a simple application of about 500 users, and it met their 
> needs but I don't see this as a scalable solution from a global perspective.
>
> This will be a backend data store that contains the user identity, but 
> the applications that utilize it will be of different flavors from DMZ hosted
> web apps, to externally hosted apps.   The flavors of web apps will range
> from websphere, ColdFusion,  .NET and I suspect some PHP apps.
>
> With AD,  I guess I was thinking it has a well known support interface 
> (though I am sure I would need to customize anyway...so I'm not sure that
> value is really there).   So I was expecting to maybe find 3rd parties that
> do sit in front of this to manage the IDs stored. Though this could be AD or
> ADAM with ADAM being the most cost effective.   This looks like siteMinder
> might be a good solution to manage all of these environments but I 
> will need to look into that.
>
>
>  I suppose I am getting ahead of myself, because I do not know the 
> requirements as of yet, and I'm making assumptions that could be totally off
> the mark here.   I guess it's a new environment and wanted to get some info
> ahead of before it was needed. :)
>
> Thanks again!
>
> Jef
>
>
>
> > Date: Fri, 28 Apr 2006 01:40:09 +0200
> > From: [EMAIL PROTECTED]
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] Internet Authentication Concepts: Pointers?
> >
> > Jef,
> >
> > As Al pointed out, there are numerous products from vendors such as 
> > IBM/BEA/Oracle/RSA/Netegrity/Entrust/Baltimore Labs (RIP) etc 
> > providing web-based authentication/authorisation in front of AD. 
> > Since from a design point-of-view it's generally not a good idea to 
> > stick AD too close to the Internet, often these solutions comprise a 
> > presentation tier, e.g. with IIS (using some sort of ISAPI plugins)
> > that then hooks into your business logic (e.g. middleware) or your data tier (e.g.
> > LDAP/AD/SQL) ... if you want to look at this from an MS purist 
> > perspective then I'd suggest having a look at n-Tier solutions 
> > within the MSDN area. Although, this has a more developer emphasis 
> > than you'll probably want, it gives a good insight into how Internet 
> > authentication works, particularly .NET as well as older products 
> > such as Site Server/Commerce..
> >
> > Try googling on Authorization Manager (AZMan) to give a good 
> > example of how a role-based management approach (assuming a 
> > web tier) with an AD backend would work..... Also look at ADAM as 
> > an initial 'point' solution for Internet usage rather than AD alone.
> >
> > You also mentioned self-registration and this kicks off an entirely 
> > different thread (in my mind anyway)...
> >
> > 1. What are you providing access to?
> > 2. Whom are you registering and for what ?
> > 3. What authentication mechanism do you wish to use 
> > (username/password, certs, OTP).
> > 4. Do you need to provide some form of authorisation once authenticated
> > as well? What form does this need to take?
> >
> > Hope this helps.
> >
> > Regards,
> > Mylo
> >
> > if you need an initial
> >
> > Jef Kazimer wrote:
> >
> > >Al,
> > >
> > >I apologize,  as I am going only on what little information I have.  
> > >I guess I was trying to do some pre-meeting recon work since I had 
> > >seen it mentioned here about 25mil internet users for some people.  
> > >I had assumed there might be some scenario documentation for such a thing.
> > >
> > >I will know more after the meeting of course, so I'll see if I can 
> > >explain myself better.
> > >
> > >I understand directory design for an enterprise, but have never done so 
> > >for an internet instance that would have self registration.  I suspect 
> > >there are some different lessons learned from that scenario so was curious.
> > >
> > >Thanks,
> > >
> > >Jef
> > >
> > >
> > >
> > >
> > >
> > >>Date: Thu, 27 Apr 2006 15:31:33 -0400
> > >>From: [EMAIL PROTECTED]
> > >>To: ActiveDir@mail.activedir.org
> > >>Subject: Re: [ActiveDir] Internet Authentication Concepts: Pointers?
> > >>
> > >>That's not a lot to go on, Jef.  Can you give some more information?
> > >>
> > >>For example, these public internet sites? Are they web only? What type
> > >>of authentication is needed? What were your plans for authorization?
> > >>Are you planning to use something like SiteMinder or Tivoli or ?? to
> > >>help you deal with authorization if using web sites?
> > >>
> > >>Al
> > >>
> > >>On 4/26/06, Jef Kazimer <[EMAIL PROTECTED]> wrote:
> > >> >
> > >> > Ok, here is something I'm just starting to research, and I thought maybe
> > >> > someone here has some pointers or a direction they can steer me in.
> > >> >
> > >> > We are looking at a potential consolidated directory/database to contain
> > >> > user registrations (Self registration and possible bulk load) for multiple
> > >> > public internet sites for products of our company.
> > >> >
> > >> > I was wondering if there are any published scenarios that address this
> > >> > solution as a starting point for consideration.  We are thinking of using a
> > >> > public AD forest as the potential repository, but I am curious if there are
> > >> > any lessons learned when designed such a scenario.
> > >> >
> > >> > Thanks,
> > >> >
> > >> > Jef
> > >
> > >List info   : http://www.activedir.org/List.aspx
> > >List FAQ    : http://www.activedir.org/ListFAQ.aspx
> > >List archive: 
> > >http://www.mail-archive.com/activedir%40mail.activedir.org/
> > >
> > >
> > >
> > >
> >
> >
>
>
>
>
>