Jun 16, 2011

IDM : when passwords attack

The App Analyst for the new IDM made a tactical error: he set the Global password sync attribute to on for the entire environment. In Novell IDM this is the classic NBD (no big deal); in the new one? Well, it does this: it captured password changes off the AD side, which is downstream from the eDir and Identity Vault. It then says "Hey! New password! I need to tell all the downstream apps that it's a new password!" It then sends the password down to the attached apps, which in our case are eDir and AD. OK, it's the same password, NBD, right? Wrong... It does an administrative password set, which means that the password is immediately expired.

A hundred help desk calls later, they finally ping me, and I investigate, since the App Analyst didn't do a change control on this. The password was initially OK, set to expire in 60 days per policy; 5 minutes later it would suddenly be expired. I pulled the Novell IDVault logs on some password changes with the log level set to 5. Nothing, everything looked normal, except that 5 minutes after the password event happened another one appeared, from apparently nowhere. Off to DSTRACE. I had a suspicion; I watched the LDAP records, and 5 minutes after a password change another one came through from the other IDM. Go to the App Analyst:
"What did you do?"

"I changed the Global Sync Attribute"

"Change it back"

"Why"

"Cause people are constantly resetting passwords because you caused a logic loop"

"Crap"

Systems Orchestration can be an Art, but it takes an Artist to truly appreciate IT.
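
The loop described in this post, reduced to a runnable model. This is an added example, not the post's own code, and it does not model any real IDM product or talk to eDirectory or AD: the 5-minute polling interval, the per-directory event list, the `own_writes` echo tracking and the three engine flags (`suppress_own_writes`, `skip_source`, `keep_expiry`) are assumptions made to show why a sync engine that cannot tell its own writes from a user's change keeps re-expiring the password, and what a trace of the affected directory looks like.

```python
"""Model of a password-sync feedback loop (added example; no real directory,
IDM product or network involved).  All names and intervals are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

POLL_INTERVAL = timedelta(minutes=5)   # assumed: the post saw the echo 5 minutes later
POLICY_EXPIRY = timedelta(days=60)     # from the post: 60-day password policy


@dataclass
class Account:
    password: str
    expires_at: datetime


@dataclass
class Directory:
    name: str
    accounts: dict = field(default_factory=dict)
    events: list = field(default_factory=list)   # (time, user, actor, kind)

    def user_change(self, user, password, now):
        """A real user changes a password; the normal policy expiry applies."""
        self.accounts[user] = Account(password, now + POLICY_EXPIRY)
        self.events.append((now, user, "user", "change"))

    def admin_set(self, user, password, now, expires_at=None):
        """Administrative set: without an explicit expiry the password is
        expired immediately, which is the behaviour the post ran into."""
        self.accounts[user] = Account(password, expires_at or now)
        self.events.append((now, user, "idm", "admin-set"))


class SyncEngine:
    """Polls every directory, then pushes each changed password to targets.
    The three flags are hypothetical knobs, not settings of a real product."""

    def __init__(self, dirs, suppress_own_writes, skip_source, keep_expiry):
        self.dirs = dirs
        self.suppress_own_writes = suppress_own_writes  # ignore echoes of our own sets
        self.skip_source = skip_source                  # never write back to the origin
        self.keep_expiry = keep_expiry                  # carry the source expiry across
        self.cursor = {d.name: 0 for d in dirs}         # events already processed
        self.own_writes = set()                         # (directory, user, password) we set

    def poll(self, now):
        """Process events that arrived since the last poll; return write count."""
        changes = {}   # user -> directory holding the newest copy of the password
        for d in self.dirs:
            new = d.events[self.cursor[d.name]:]
            self.cursor[d.name] = len(d.events)
            for _, user, _, _ in new:
                # Compare the value, not just the user, so a genuine second
                # change by the user is still propagated.
                mark = (d.name, user, d.accounts[user].password)
                if self.suppress_own_writes and mark in self.own_writes:
                    self.own_writes.discard(mark)   # echo of something we set
                    continue
                changes[user] = d
        writes = 0
        for user, src in changes.items():
            acct = src.accounts[user]
            for target in self.dirs:
                if self.skip_source and target is src:
                    continue
                self.own_writes.add((target.name, user, acct.password))
                target.admin_set(user, acct.password, now,
                                 acct.expires_at if self.keep_expiry else None)
                writes += 1
        return writes


def echoed_changes(directory, window=POLL_INTERVAL):
    """What the trace showed: an 'idm' password set landing within `window`
    of an earlier password event on the same user."""
    hits, last_seen = [], {}
    for t, user, actor, _ in sorted(directory.events):
        prev = last_seen.get(user)
        if prev is not None and actor == "idm" and t - prev <= window:
            hits.append((t, user))
        last_seen[user] = t
    return hits


def simulate(suppress_own_writes, skip_source, keep_expiry, polls=6):
    """Constructed scenario: alice changes her AD password once, the engine
    then polls `polls` times.  Returns the write count, whether AD now shows
    her password expired, and how many echoed sets the detector flags in AD."""
    t0 = datetime(2011, 6, 16, 9, 0)
    ad, edir = Directory("AD"), Directory("eDir")
    engine = SyncEngine([ad, edir], suppress_own_writes, skip_source, keep_expiry)
    ad.user_change("alice", "Summer2011!", t0)
    writes = sum(engine.poll(t0 + i * POLL_INTERVAL) for i in range(1, polls + 1))
    end = t0 + polls * POLL_INTERVAL
    return {"writes": writes,
            "ad_expired": ad.accounts["alice"].expires_at <= end,
            "echoes_in_ad": len(echoed_changes(ad))}


if __name__ == "__main__":
    print("global sync, admin set, no echo check:", simulate(False, False, False))
    print("echo check only:                      ", simulate(True, False, False))
    print("echo check, skip origin, keep expiry: ", simulate(True, True, True))
```

With all three flags off the engine writes the same password back to both directories on every poll and the AD copy stays expired, which is the help-desk flood. Turning on only the echo check stops the loop but still expires the password once, because the first pass still writes back to the origin as an administrative set; only skipping the origin and carrying the expiry across leaves the user's 60-day expiry intact. `echoed_changes` is the same pattern the post pulled out of DSTRACE: a second password event on the same user about one polling interval after the first.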

Jun 4, 2011

Ease of Use.....

About 2 months ago, we started working on this new "Provisioning Solution". We had the full court press from the vendor: out-of-country contractors, VPs of Application, PMs of Doom and the Salesman. Our current provisioning is a rather ingenious in-house system that was cooked up using Access and a good deal of knowledge. Having been working on Novell IDM for the last 3 years, I have a pretty good idea of what it can and can't do.....

This new solution? Can't rename attributes downstream. Can't edit the XML directly, can't reconfigure on the fly or move drivers from one device to another rapidly. No IDE, no easy command line access. It's all "web 2.0"'d to death, and it's sluggish. IDM routinely parses over 12,000 records in an hour; this one (and this is from their developer) would take "20 hours" to parse the same number of records. To support this super duper solution we need to spin up a "DEV" environment, which means that I needed to produce a separate but identical eDir, IDM and AD. The eDir? Simple: spin up a SLES 11 SP1 box, load in eDir, load in IDM. Do the connector magic in Designer. LDAP export PROD into the new DEV for the O's and OU's. Deploy, get the certs right and start. Minor tweaking ensues, and in 5 hours I have a duplicate environment with all the users and groups. The IDM and the AD won't take even close to that long.

That newfangled one? Yeah.... 8 weeks, and it doesn't do anything yet. It could provision eDir and AD, sure, but it has this bug....

If you use the new tool to change your password, it sets it in eDir, it sets it in AD, but......

it locks you out of the new solution.......

Because it can't change the password there......

Ease Of Use, Helps get IT done......