Monday, November 19, 2007

WCF LOB Adapter SDK - The Future of the XMA?

People have been talking about ILM adopting the WCF LOB Adapter SDK sometime in the future. What does that mean to you? Personally I'm excited about it, since it has the opportunity to improve the XMA experience for ILM fans. I'm doing a talk on XMAs at DEC 2008, and might have a demo ready by then using an XMA with the WCF LOB Adapter SDK. In the meantime if you are curious here are some links:

Thursday, November 15, 2007

ILM 2007 FP1

FP1 is available for download now. Look for new and improved Exchange 2007 provisioning support on the ADMA (check out the last property page of the MA). Haven't tried this in a lab yet but the installation didn't ask me about PowerShell so I am not sure what will happen when I provision a new mailbox with the ADMA.

Wednesday, November 07, 2007

DEC 2008 - Anybody Up For A Hockey Game?

Vegas will be sadly missed but I'm pretty excited about the opportunity to speak at the Directory Experts Conference again (this time in Chicago, anybody up for a hockey game?).

Here's a peek into what my session will be:

ILM Extensibility
Hello my name is Craig, and I have a problem. I get XMA hammered on a regular basis. Every problem is a nail and I pound it with my trusty XMA. In this session the Open Source LDAP XMA will be used as a basis for discussion on XMA development, including when and how to use an XMA, but more importantly, when NOT to use and how NOT to use the XMA.

Wednesday, August 22, 2007

DirSync Control - SearchResult Without ObjectClass

The DirSync control is super-easy to use in .NET 2.0 with System.DirectoryServices. It is really as easy as adding one line to your regular DirectorySearcher.
DirectorySearcher searcher = new DirectorySearcher();
searcher.DirectorySynchronization = new DirectorySynchronization();

Once your query is done you can get the cookie quite easily:
Byte[] cookie = searcher.DirectorySynchronization.GetDirectorySynchronizationCookie();

I was happily using this in an XMA when I ran into what I suspect is a bug. ILM requires the objectClass when you import deleted objects. The dirSync control dutifully shows me the objectGuid (my MA's anchor attribute) then I ask it for the objectClass attribute. The attribute is there on the tombstone, I can see it using LDP. The attribute is in the DirectorySearcher's PropertiesToLoad collection, but sometimes when I ask for the objectClass it just isn't there.

Turns out this repros consistently. If the first SearchResult returned by the DirSync search is a delete then the objectClass attribute will not be present in the SearchResult.Properties collection. It will be there for the remaining SearchResult objects, but not the first.

The workaround for my MA was to put the DN back together using the 'name' and 'lastKnownParent' attributes on the tombstone, then find the objectClass using a WMI search of the ILM CS. Bugger, but the workaround works.
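
As an added example (my own code, not from the post or the LDAP XMA project), here is one DirSync pass that carries the cookie between runs and handles the missing objectClass on a leading tombstone by leaving ObjectClass null and rebuilding the DN from 'name' and 'lastKnownParent' so the caller can resolve the class elsewhere, such as the ILM CS. It assumes ldapPath is the head of a naming context (DirSync requires that) and CN naming for deleted objects.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;

// Added example (not the post's code): one DirSync pass that carries the cookie
// between runs and copes with the missing objectClass on a leading tombstone.
public static class DirSyncDelta
{
    public sealed class Change
    {
        public Guid ObjectGuid;
        public string Dn;           // live DN, or the DN rebuilt from the tombstone
        public string ObjectClass;  // null when AD did not return it (see ToChange)
        public bool IsDeleted;
    }

    // 'cookie' is null on the first pass; persist 'nextCookie' for the next delta.
    public static List<Change> RunDelta(string ldapPath, byte[] cookie, out byte[] nextCookie)
    {
        var changes = new List<Change>();
        using (var root = new DirectoryEntry(ldapPath))
        using (var searcher = new DirectorySearcher(root, "(objectClass=*)"))
        {
            // The one extra line that turns a normal search into a DirSync search.
            searcher.DirectorySynchronization = cookie == null
                ? new DirectorySynchronization()
                : new DirectorySynchronization(cookie);
            searcher.PropertiesToLoad.AddRange(new[] { "objectGUID", "objectClass",
                "distinguishedName", "isDeleted", "name", "lastKnownParent" });
            using (SearchResultCollection results = searcher.FindAll())
                foreach (SearchResult r in results)
                    changes.Add(ToChange(r));
            nextCookie = searcher.DirectorySynchronization.GetDirectorySynchronizationCookie();
        }
        return changes;
    }

    static Change ToChange(SearchResult r)
    {
        var c = new Change { ObjectGuid = new Guid((byte[])r.Properties["objectGUID"][0]) };
        c.IsDeleted = r.Properties.Contains("isDeleted") && (bool)r.Properties["isDeleted"][0];
        // objectClass is multi-valued; the structural class is the last value. When the
        // first result is a delete AD leaves it out (the bug in the post), so ObjectClass
        // stays null and the caller has to look it up, e.g. by DN in the ILM CS.
        if (r.Properties.Contains("objectClass"))
        {
            var classes = r.Properties["objectClass"];
            c.ObjectClass = (string)classes[classes.Count - 1];
        }
        if (c.IsDeleted && r.Properties.Contains("lastKnownParent"))
        {
            // Tombstone 'name' is "<rdn value>\nDEL:<guid>" (0x0A separator). Rebuild the DN
            // from the original RDN value plus lastKnownParent; assumes CN naming, no escaping.
            string name = (string)r.Properties["name"][0];
            int cut = name.IndexOf('\n');
            c.Dn = "CN=" + (cut >= 0 ? name.Substring(0, cut) : name) + ","
                 + (string)r.Properties["lastKnownParent"][0];
        }
        else
            c.Dn = (string)r.Properties["distinguishedName"][0];
        return c;
    }
}
```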

Attribute Replace or Object Replace?

Recently I ran into a fun issue with a DSML import in ILM. For years I've assumed delta imports for file MAs did attribute level deltas, meaning that the delta import did not require the full attribute set, only the changed attributes. For example, if an object has ten attributes in the CS and your delta file only has one attribute then the import should just update that one attribute and leave the rest alone, right?

Wrong. My assumption was wrong (for years) and the delta import needs to contain the full attribute set. Importing a delta with missing attributes will result in those missing attributes being deleted from the CS object, which will in turn trigger the sync rules and cause re-population if any other MA is contributing.

I ran into this when doing a dirSync delta for the LDAP XMA. The dirSync control neatly tells you the exact attributes that have changed, so you can package them up into the DSML file and hand it over to ILM. On import I was seeing attributes getting whacked which proved that indeed there is a lot to learn ;-) This problem didn't repro with the changeLog deltas we do on the LDAP XMA because for changeLog we just go to the DS to get the real object, instead of parsing the LDIF from the changeLog entry into DSML for our import file. Turns out that is exactly the way to do it for dirSync deltas too.

Monday, July 02, 2007

OpenLDAP XMA on SourceForge: Files Available for Download

The OpenLDAP XMA project went live a little while ago on SourceForge, and the files are now available for download. Please feel free to download, take apart, file bugs, file feature requests, and of course make use of it!

The project was announced during Bob Muglia's keynote speech at the Interop conference in Vegas back in May. It was picked up by several online publications, including the following:
CIO Insight
Internet News
IT Management
Wait a sec, isn't there already an OpenLDAP MA on SourceForge? Yes, but this project is the new and improved MA that runs entirely managed code thanks to System.DirectoryServices.Protocols. We have also started filing bugs on the project, all of which should be visible to everybody in hopes of making this more of a collaboration.
There are updates planned already for this summer, including directory trawling and some performance testing. In the meantime, enjoy the current release and feel free to file feedback!

OpenLDAP XMA project

This project has been pretty cool. Adam from Microsoft and the guys from Kernel are an impressive bunch. The code wouldn't be half as good without the guys from Kernel, and the project could have easily gone sideways were it not for Adam's passion and organization. There should be many more projects like this, but this is obviously a progression and demonstrates a path moving forward from the Yahoo Groups. I'm happy to see something like this happen, and am even more excited about the collaboration possible in the ILM 2 timeframe when there are even more extensibility points in the product.

Wednesday, May 23, 2007

OpenLDAP MA Round Two

The generic LDAP MA was announced at the Interop conference this week and will be available shortly on SourceForge. Kernel Networks and Oxford are collaborating on the project, which will be 100% managed code thanks to System.DirectoryServices.Protocols (we no longer need to go to the LDAP API in unmanaged code). The increased number of MIIS XMA developers should yield some cool feedback and participation in the project, which in turn could make for much better XMAs all around since all tend to share the same patterns. The MA is being designed for OpenLDAP but I am also testing it using the IBM DS, the Sun DS, and ADAM. Anybody got a CP DS sitting around to test against?

Thursday, April 26, 2007

DEC'd Out

Just got back from DEC 2007 and still buzzing from the good times. I hope to cover more topics in future blogs but will just sum up my conference experience for now.

  • built on top of existing investment in metadirectory, but reaching way farther towards the user with really slick UI
  • ILM2 becomes a lot different than other IDM vendors because of the integration with the Microsoft platform (Windows client, Office, Certificate Services, Windows Workflow, Communication Foundation, Presentation Foundation, etc, etc).
  • migration story should be very good since the core engine is likely to be the same
  • CLM integration should be very slick, no longer looking like a separate product
  • apps supplied in ILM2 (self-service, workflow, etc) will all use public interfaces to ILM so in theory it will be a rich platform for identity apps
  • codeless provisioning is a big scenario
  • Microsoft's adapter framework opens the doors to the connectivity barn
  • SPML is not at the top of the connectivity list, but I don't think it will be difficult to write an adapter for ILM2 that translates from SPML. This will be a fun pet project when the beta arrives.
  • On its own ILM2 is pretty exciting, but combined with other Microsoft identity activities (CardSpace, WS-*, ADFS, Identity Metasystem, etc) I am really excited about the potential.

Kim's throne speech:

  • claims, claims, claims - becoming increasingly important, we should start thinking a lot more in terms of claims as opposed to AuthN, AuthZ
  • "legonic systems" will become more pervasive to the point where rigid systems will become irrelevant. To me this means a platform for identity will be readily available and simple for application developers to use, as opposed to baking identity into the application

  • we should see a service pack towards the end of this calendar year, including Vista support for the CLM client among other things. E12 support might also be in there.
  • The CLM MA bridges the gap between the MIIS sync cycle and CLM long running workflows.

Creating XMAs - Jeff Bohren (BMC)

  • the password management interface in MIIS today does not provide configParams
    A solution to this would be to stuff the configParams into the connectTo as an XML string. I have another solution, it doesn't require duplicating the configParam data but it isn't for the faint of heart at design time.
  • SSH can be made easier using a .NET library at
  • BMC employs an agent approach for asynchronous scenarios such as event-based deltas and password notifications (they call it the delta cache I think). Blockade took the same approach with their host management agents.
  • I18N testing for internationalization is important
  • Jeff uses the DOM in his XMAs. This makes navigation simple but performance must be an issue on larger systems

System Reporting Services and MIIS - Brad Turner (MIIS MVP)

  • Brad released the Community Reporting Pack 2007 - cool!
  • CRP can be used by anybody, pretty much out of the box
  • Some cool features can be added, like export detail reporting (how many samAccountNames were updated last week?)

Group Based Provisioning - Markus and Mike (Microsoft)

  • Excellent walkthrough of the challenge and the design decisions
  • Markus had a really good slide showing the scope of reference attribute mappings (CS-CS, MV-MV, CS-CS)
  • Neat solution for getting memberOf onto the MV person object without sucking at performance
  • I'm not sold on bit vectors yet, but agree they improve performance. Just not sure the added complexity is worth it

Wednesday, February 28, 2007

Stuck on ConfigParameters

The XMA comes with this really cool thing, configuration parameters. The ability to store (and encrypt) configuration data on the MA is a great feature that I am constantly on the verge of abusing. You can store anything in there, and easily dig it out when the MA runs to control the MA behaviour.

Often I've wished the MV had the same functionality, as well as every other MA type besides the XMA. Yes I know that I can write an XML file and put that in the Extensions folder, or I can use the registry or something else, but I want to be able to use the MA to store my configuration data.

As it turns out you can kinda do this with some trickery. The story goes something like this:
1. Add your config parameters to your XMA
2. On Import, write code to dig out the configParameters
3. Use the configParameters to create a fake object and inject it into your import file
4. Modify the MA schema to include your new fake object

At this point you should be able to run an Import on your MA and see the fancy new object in the CS.

5. On the Initialize function in the MA or MV extensions, use WMI to find your fake object
6. Get the attributes of your fake object (the config parameters) by looking at the hologram on the CS object.

Not for the faint of heart:
You can get really inventive and get access to real objects instead of attr:value pairs if you serialize an object into the value on Import, then deserialize it after you read it out of the hologram.
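
As an added example (my own code, not from the post), here are the two halves of the trick: writing the fake object into a DSML import file from the XMA's configParameters (steps 2 and 3), and pulling the attribute values back out of the CS object's hologram over WMI from Initialize (steps 5 and 6). The DN and object class of the fake object, and the attr/value layout of the MIIS_CSObject hologram XML, are assumptions.

```csharp
using System.Collections.Generic;
using System.IO;
using System.Management;
using System.Xml;
using System.Xml.XPath;

// Added example (not the post's code). Assumed: the fake object's DN and class, that the
// import file is DSML, and that the hologram holds <attr name="x"><value>..</value></attr>.
public static class ConfigObjectTrick
{
    const string DsmlNs = "http://www.dsml.org/DSML";
    public const string ConfigDn = "cn=MaConfig,ou=xma";   // assumed
    public const string ConfigClass = "maConfig";           // assumed; add it to the MA schema

    // Steps 2-3: emit the fake object as one entry inside the import file's
    // <dsml:directory-entries>. 'parameters' is filled from the XMA's configParameters.
    public static void WriteConfigEntry(XmlWriter w, IEnumerable<KeyValuePair<string, string>> parameters)
    {
        w.WriteStartElement("dsml", "entry", DsmlNs);
        w.WriteAttributeString("dn", ConfigDn);
        w.WriteStartElement("dsml", "objectclass", DsmlNs);
        w.WriteElementString("dsml", "oc-value", DsmlNs, ConfigClass);
        w.WriteEndElement();
        foreach (var p in parameters)
        {
            // Each config parameter becomes an attribute of the fake object. Note that
            // anything written here ends up in the file and the CS in clear text, so
            // leave the encrypted parameters (passwords) out of the list.
            w.WriteStartElement("dsml", "attr", DsmlNs);
            w.WriteAttributeString("name", p.Key);
            w.WriteElementString("dsml", "value", DsmlNs, p.Value);
            w.WriteEndElement();
        }
        w.WriteEndElement();
    }

    // Steps 5-6: from Initialize(), find the CS object over WMI and read its hologram.
    // Assumes MIIS_CSObject exposes MaName, DN and Hologram properties.
    public static Dictionary<string, string> ReadConfigFromCs(string maName)
    {
        var scope = new ManagementScope(@"root\MicrosoftIdentityIntegrationServer");
        var query = new ObjectQuery(string.Format(
            "SELECT Hologram FROM MIIS_CSObject WHERE MaName='{0}' AND DN='{1}'", maName, ConfigDn));
        using (var searcher = new ManagementObjectSearcher(scope, query))
            foreach (ManagementObject cs in searcher.Get())
                return ParseHologram((string)cs["Hologram"]);
        return null;   // the import has not created the object yet
    }

    // The hologram is XML; single-valued attributes are <attr name="x"><value>..</value></attr>.
    public static Dictionary<string, string> ParseHologram(string hologramXml)
    {
        var result = new Dictionary<string, string>();
        var nav = new XPathDocument(new StringReader(hologramXml)).CreateNavigator();
        foreach (XPathNavigator attr in nav.Select("//attr[@name]"))
        {
            var value = attr.SelectSingleNode("value");
            if (value != null) result[attr.GetAttribute("name", "")] = value.Value;
        }
        return result;
    }
}
```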

Wednesday, February 21, 2007

Enrolling for Smart Cards with CLM Beta 2

Let me preface this by admitting my "CLM noob" status, and that I am going to make some very dumb mistakes on my learning curve with CLM. Hopefully documenting them here will make somebody else look smart, or reduce the number of goats sacrificed on their way to becoming CLM gurus.

CLM installs with two sample Profile Templates:
  • CLM Sample Profile Template
  • CLM Sample Smart Card Logon Profile Template
In CLM a profile template is analogous to an LDAP object class. Profiles in CLM are instantiated according to the policies of the Profile Template. These policies are easily viewed and configured with the CLM UI.

The CLM Sample Profile Template is a great way to start playing with software certs. It is easy to start with because you don't require any smart cards or smart card readers (which tend to also be writers BTW).

The CLM Sample Smart Card Logon Profile Template is much more entertaining, because it writes certificates onto smart cards (as the name implies, but which I found hard to believe during my troubleshooting). This is especially exciting if you have a USB smart card reader with lights. Nothing makes demos fun like flashing lights and something you can physically show people ;-)

Anyhow, I was trying all night to enroll a test user for a new permanent smart card using the smart card template mentioned above. No matter what I tried I couldn't seem to get the certs written to the card. Each time I tried I got an error message saying something about PKCS#11:
"PKCS#11 smart card self-service control error: PKCS11 Error: Failed to load PKCS11 module"
This made no sense to me because I was trying to use Base CSP. My mistake was to spend hours trying to figure out a CLM Client issue. The CLM Client can be tricky to install, but if you have these three steps done you are not likely to hit CLM Client problems:
1. Install the Base CSP (Windows-KB909520-v1.000-x86-ENU.exe for my XP machine)
2. Install the Mini-drivers (Cardmod_x86.msi)
3. Install the CLM Client (comes on the CLM media)

After running out of ideas I decided to check the Profile Template and right away saw that it was not configured to use Base CSP, so when it was trying to deal with the smart card it didn't use Base CSP, but other drivers that were not on my system, and probably weren't supported by my card. I changed the profile template to use Base CSP and poof, it worked.

If you find yourself spending hours trying to solve a CLM Client problem, don't forget to have a look at the server. If you want to make changes to Profile Templates, I suggest copying the templates instead of modifying the existing ones so you can back out of your troubleshooting changes.

Thanks to Brian Komar for helping me figure this out!

Friday, February 16, 2007

MIIS Workflow Using SharePoint and InfoPath

This is a really cool blog post by Alex (one heckuva smart MIIS guy). It shows how you could use SharePoint and InfoPath to do workflow with MIIS.

The digital signing ability on the forms is especially cool as it improves the workflow security.

Thursday, February 15, 2007

CLM is Coming in ILM 2007, Are You Ready?

MMS deployments required many goat sacrifices until MIIS came along. We've had quite a while to master MIIS so goats are no longer required. Watching participation in the MIIS forum is great because where there used to be only a handful of metadirectory gurus, we have loads!

What happens with the CLM side of ILM 2007? Clearly we've mastered the MIIS side but is CLM just a new feature?

CLM is the tip of the PKI iceberg, and it comes with ILM 2007. If you're looking to master ILM 2007 then I suggest some PKI homework to cover the CLM side of things. There is a CLM course in the works but I don't know when it will be released or when it will get scheduled. In the meantime, a good place to start is:

Friday, February 09, 2007

Affirmation of Microsoft's Identity Plans

The big ILM announcements by Microsoft this week are starting to settle in and draw responses. This one is complimentary and well written (as always in that newsletter):

It begs the demonstration of execution. The ILM 2 and ILM 2007 demos are a great start. I'm looking forward to getting my hands on the ILM 2 stuff, and I'm really looking forward to seeing more execution on Microsoft's strategy.

Wednesday, February 07, 2007

ILM 2007! Just Add Canadians

ILM 2007 was announced at RSA yesterday, and it is going to be a pretty big wave to ride. On the surface it could be confused with just two CDs in a box, but it is much more. The MIIS team (originally from Zoomit) joined forces with the formerly-known-as-CLM team (another Canuck identity management company, Alacris). So it is something big in terms of marketing AND engineering. Pretty exciting stuff, along with the new pricing, new reach into stronger authentication, etc, etc.

For MIIS folks convinced they've learned all there is to know about sync, welcome to the next learning curve! Woo-hoo! New toys!

Saturday, February 03, 2007

CLM Beta 2 - Provision API

Certificate Lifecycle Manager (CLM) is the result of Microsoft's acquisition of another Canuck identity (oxymoron?) company. The product promises to make PKI easier, especially when it comes to smart cards. Desktops and laptops seem to be increasingly coming with smart card readers, so this could really hook up, eh?

Anyhow, CLM exposes a Provision API to automate parts of their system. I've been playing with it lately so will start to post some of the experiences here. The documentation is a bit rough but at least it exists. Actually I've already been told to RTFM, and yes, I deserved it.

Wednesday, January 31, 2007

DEC 2007 - Best MMSUG In Ages!

If you're on the fence trying to decide whether or not to trek to DEC in Vegas this year then I'd suggest going. While last year's MIIS track dealt with, well, MIIS, consider what's going on this year:
Join MIIS MVP's James Booth and Craig Martin from Oxford at the MIIS pre-con and take away new MIIS techniques and tricks -- plus bleeding-edge details on what the future holds for Gemini.

New stuff, cool! If I survive the mountain biking I'm planning on doing before the conference then I'll see you at DEC!

Sunday, January 28, 2007

I've Been MVP'd Again!

I'm honoured to be an MVP for another year. Over the past year I've been lucky to do some really cool stuff with MIIS. This year promises to be the most exciting since 2003. There are a lot of cool things coming from Redmond regarding MIIS soon. MIIS is going to need MVPs this year more than ever and I'm happy to be nominated to help!

Letting the CD Generate the Anchor with an XMA

The MIIS developer reference includes a provisioning sample for systems that generate the anchor attribute. Pretty simple idea, at provision time you set the anchor to some random value that will get thrown away. After export the target system will generate the anchor for you, then on import you have a shiny new object with a new anchor.

In an XMA you can do this too, but it takes just a little more work. It wasn't intuitive to me until I saw it work, then it was pretty cool.

In your XMA code's ExportEntry routine you export the addition using whatever call you need to. If that call returns the ID of the thing you just created, then it has just created the anchor for you. You can then take that anchor and put it on the csEntry.

The pseudo code looks like this:
if modificationType == Add
export the addition
get the anchor of the exported addition
put the anchor on the csentry using csentry["yourAnchorAttribute"].value = NewAnchor
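
The pseudo code above turned into a call-based export, as an added example (my own code, not from the post or the developer reference). ICdClient and ConnectToCd are hypothetical stand-ins for whatever client your connected directory needs, and "cdId" is an assumed name for the MA's anchor attribute.

```csharp
using System;
using Microsoft.MetadirectoryServices;

// Added example (not the post's code). ICdClient and ConnectToCd are hypothetical
// stand-ins for the connected directory's client; Create returns the ID the CD assigned.
public interface ICdClient
{
    string Create(string[] attributeNames, CSEntry csentry);
    void Update(string anchor, string[] changedAttributes, CSEntry csentry);
    void Delete(string anchor);
}

public class AnchorOnExportMA : IMAExtensibleCallExport
{
    const string AnchorAttribute = "cdId";   // the MA's anchor attribute (assumed name)
    ICdClient client;

    public void BeginExport(string connectTo, string user, string password,
        ConfigParameterCollection configParameters, TypeDescriptionCollection types)
    {
        client = ConnectToCd(connectTo, user, password);
    }

    public void ExportEntry(ModificationType modificationType, string[] changedAttributes, CSEntry csentry)
    {
        switch (modificationType)
        {
            case ModificationType.Add:
                // Provisioning stuffed a throw-away value into the anchor; the CD hands
                // back the real one when it creates the object.
                string newAnchor = client.Create(changedAttributes, csentry);
                if (string.IsNullOrEmpty(newAnchor))
                    throw new ExtensibleExtensionException("CD returned no ID for " + csentry.DN);
                // Putting the real anchor on the csentry is what lets the engine match
                // this object to the one that comes back on the confirming import.
                csentry[AnchorAttribute].Value = newAnchor;
                break;
            case ModificationType.Replace:
                client.Update(csentry[AnchorAttribute].Value, changedAttributes, csentry);
                break;
            case ModificationType.Delete:
                client.Delete(csentry[AnchorAttribute].Value);
                break;
        }
    }

    public void EndExport() { }

    // Hypothetical: open a session to the connected directory named by 'connectTo'.
    static ICdClient ConnectToCd(string connectTo, string user, string password)
    {
        throw new NotImplementedException("replace with your CD's client");
    }
}
```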