Subversion support is built into Novell IDM 3.6.1 and later, use it! (but don't trust it)
I set up an old box as an SVN box on the network, running SLES and using LDAP tied to eDir for authentication in case I ever want to give this out. All it does is back up my IDM projects and let me put them down on other machines. When I'm done doing work in Designer I "check in" the changes and append the changelog to give me a future clue of what I did.
Nice right? I think it is....
Now here's the "don't trust it" part:
I also export the project as a ZIP file with the project name and date, and then save that ZIP file on the corp file server to make sure it's backed up..... I've seen funky things go wrong with SVN when moving to older versions of code. To prevent that, I can restore from these ZIP backups instead of trying to navigate through the SVN browser in Designer.
Suspenders and belt, whatever IT takes to keep your pants up
This blog is about tech, specifically Information Technology used in healthcare. Novell, Windows, Apple, and Linux are my focus, others may appear as warranted. This is a personal work and does not represent my employers (past or present) in any way. Names are changed to protect all.
Showing posts with label IDM.
Nov 2, 2011
Jun 16, 2011
IDM : when passwords attack
The App Analyst for the new IDM made a tactical error: he set the Global password sync attribute to on for the entire environment. In Novell IDM this is the classic NBD (no big deal). In the new one? Well, it does this: it captured password changes off the AD side, which is downstream from eDir and the Identity Vault. It then says "Hey! New password! I need to tell all the downstream apps that it's a new password!" and sends the password down to the attached apps, which in our case are eDir and AD. OK, it's the same password, NBD, right? Wrong... It does an administrative password set, which means the password is immediately expired.
A hundred help desk calls later they finally ping me, and I investigate, since the App Analyst didn't do a change control on this. The password was initially OK, set to expire in 60 days per policy; 5 minutes later it would suddenly be expired. I pulled the Novell IDVault logs on some password changes with the log level set to 5. Nothing, everything looked normal, except that 5 minutes after the password event happened another one appeared, from apparently nowhere. Off to DSTRACE. I had a suspicion: watch the LDAP records, and 5 minutes after a password change another one came through from the other IDM. Go to App Analyst;
"What did you do?"
"I changed the Global Sync Attribute"
"Change it back"
"Why"
"Cause people are constantly resetting passwords because you caused a logic loop"
"Crap"
Systems Orchestration can be an Art, but it takes an Artist to truly appreciate IT.
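As an added example (not code from the post), this is the kind of check I would run over trace output to catch the loop described above: flag any password set that is followed within a few minutes by another set for the same DN from a different source. The log lines are a constructed, simplified stand-in for DSTRACE/IDM trace output, and the source names "newIDM" and "eDir-IDM" are placeholders.

```python
from datetime import datetime, timedelta

# Constructed sample trace, NOT real DSTRACE output. Assumed format:
#   <date> <time> <source> <event> <user DN>
# "newIDM" and "eDir-IDM" are placeholder names for the two sync engines.
SAMPLE_LOG = """\
2011-06-16 09:00:00 eDir-IDM password-set cn=jdoe,ou=users,o=corp
2011-06-16 09:05:02 newIDM password-set cn=jdoe,ou=users,o=corp
2011-06-16 09:10:04 eDir-IDM password-set cn=jdoe,ou=users,o=corp
2011-06-16 09:30:00 eDir-IDM password-set cn=asmith,ou=users,o=corp
2011-06-16 11:30:00 newIDM password-set cn=asmith,ou=users,o=corp
2011-06-16 11:31:00 newIDM modify cn=asmith,ou=users,o=corp
"""

# The post saw the echo about 5 minutes after the real change; allow slack.
WINDOW = timedelta(minutes=6)


def parse_line(line):
    """Split one trace line into (timestamp, source, event, dn)."""
    date, time, source, event, dn = line.split(" ", 4)
    return datetime.fromisoformat(f"{date} {time}"), source, event, dn


def find_echoes(log_text, window=WINDOW):
    """Return (dn, first_ts, echo_ts, first_source, echo_source) for every
    password-set that lands within `window` of the previous password-set
    for the same DN but from a different source: the loop's signature."""
    last_set = {}  # dn -> (timestamp, source) of the latest password-set
    echoes = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, source, event, dn = parse_line(raw)
        if event != "password-set":
            continue  # other LDAP traffic is irrelevant here
        prev = last_set.get(dn)
        if prev and prev[1] != source and ts - prev[0] <= window:
            echoes.append((dn, prev[0], ts, prev[1], source))
        last_set[dn] = (ts, source)
    return echoes


def looping_users(log_text, window=WINDOW):
    """Count echoes per DN; any DN listed is bouncing between the engines."""
    counts = {}
    for dn, *_ in find_echoes(log_text, window):
        counts[dn] = counts.get(dn, 0) + 1
    return counts
```

On the sample above only jdoe is flagged (twice, once per direction of the bounce); asmith's two sets are hours apart and are left alone.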
Jun 4, 2011
Ease of Use.....
About 2 months ago, we started working on this new "Provisioning Solution". We had the full court press from the vendor: out-of-country contractors, VPs of Application, PMs of Doom and the Salesman. Our current provisioning is a rather ingenious in-house system that was cooked up using Access and a good deal of knowledge. Having worked on Novell IDM for the last 3 years I have a pretty good idea of what it can and can't do.....
This new solution? Can't rename attributes downstream. Can't edit the XML directly, can't reconfigure on the fly or move drivers from one device to another rapidly. No IDE, no easy command line access. It's all "web 2.0'd" to death, and it's sluggish. IDM routinely parses over 12,000 records in an hour; this one? (and this is from their developer) would take "20 hours" to parse the same number of records.
To support this super duper solution we need to spin up a "DEV" environment, which means I needed to produce a separate but identical eDir, IDM and AD. The eDir? Simple: spin up a SLES 11 SP1 box, load in eDir, load in IDM. Do the connector magic in Designer. LDAP export PROD into the new DEV for the O's and OU's. Deploy, get the certs right and start. Minor tweaking ensues and in 5 hours I have a duplicate environment with all the users and groups. The IDM and the AD won't take even close to that long.
That newfangled one? Yeah.... 8 weeks, and it doesn't do anything yet. It could provision eDir and AD, sure, but it has this bug....
If you use the new tool to change your password, it sets it in eDir, it sets it in AD, but......
it locks you out of the new solution.......
Because it can't change the password there......
Ease Of Use, Helps get IT done......
Oct 14, 2010
IDM and How I learned to love Directory Services
2 months ago I spent some time in Dallas, TX, training on Novell's IDM solution. I've been supporting an IDM system since 2008, but only had training from the implementing consultant and what I could find on Novell.com. I came back from the training with a new appreciation for the value this software is capable of bringing to any enterprise.
One of the best ways to train up people, in my opinion, is by doing. Living by my own advice I built up a duplicate test environment resembling our production network, and used the edir2edir driver to mirror the users through the new environment. Some small tips arose from this, and they are worth putting down here.
Novell Designer for IDM : While the iManager IDM suite works quite well, Designer from Novell is one of the best tools for dealing with the ins and outs of working with IDM. The ability to export your IDM as a backup is a must-have.
Apache Directory Studio : A must-have for working with Directory Services, a very flexible and free tool from the Apache project. Platform neutral, it runs on most hardware. I use it to look at the results of various "what ifs?" as well as to correct issues.
Terminal : Using SSH you can do many things, but the most helpful one was running "tail -f" on the idmtrace logs.
Aug 26, 2010
Brave New World
Today was rather epic. We finally installed our first eDir 8.8.5 server in our tree. We did it on a SLES 11 64-bit VM box. My GAWD it's fast. We are definitely on a fast track to OES2 after we upgrade our Identity Manager implementation. Replication times have fallen and several of our "issues" with eDir were resolved by this.
Last week I completed the 3091 IDM course. Great product; the shame of the training was that it was on 3.5.1 and we're moving to 3.6.1. Not a big deal in the scheme of things, and the course was very informative. This will make several of the projects currently in motion much easier.
Now I need to do a crash course in XML scripting and driver logic.