Showing posts with label Novell.

Jun 4, 2011

Ease of Use.....

About 2 months ago, we started working on this new "Provisioning Solution". We had the full court press from the vendor, out of country contractors, VPs of Application, PMs of Doom and the Salesman. Our current provisioning is a rather ingenious in-house system that was cooked up using Access and a good deal of knowledge. Having been working on Novell IDM for the last 3 years, I have a pretty good idea of what it can and can't do.....

This new solution? Can't rename attributes downstream, can't edit the XML directly, can't reconfigure on the fly or move drivers from one device to another rapidly. No IDE, no easy command line access. It's all "web" 2.0'd to death, and it's sluggish. IDM routinely parses over 12,000 records in an hour; this one (and this is from their developer) would take "20 hours" to parse the same amount of records. To support this super duper solution we need to spin up a "DEV" environment, which means that I needed to produce a separate but identical eDir, IDM and AD. The eDir? Simple: spin up a SLES 11 SP1 box, load in eDir, load in IDM. Do the connector magic in Designer. LDAP export PROD into the new DEV for the O's and OU's. Deploy, get the certs right and start. Minor tweaking ensues and in 5 hours I have a duplicate environment with all the users and groups. The IDM and the AD won't take even close to that long.

That newfangled one? Yeah.... 8 weeks, and it doesn't do anything yet. It could provision eDir and AD, sure, but it has this bug....

If you use the new tool to change your password, it sets it in eDir, it sets it in AD, but......

it locks you out of the new solution.......

Because it can't change the password there......

Ease Of Use, Helps get IT done......


Apr 21, 2011

Novell Datasync

Smart App, good interface, needs to be marketed better.....

We're implementing Datasync because we have an influx of iPhones and tablets starting to wander into our world. At effectively zero cost except for the CA cert and SAN space, it's an economically good choice in my book. Right out of the box, it's going to save time and money; down the road we should be able to leverage it to our SharePoint implementation.

The build is straightforward: build a SLES 11 SP1 x64 box with 8GB of RAM. Fairly steep RAM requirement for a SLES box, but it's running in VMware, so it's just a configuration gotcha. We updated the build via our SMT before configuring. We followed the build guide and it worked like a charm. We did upgrade the GroupWise back end to 8.02 HP2; this is important since it throws SOAP errors unless you do this update. Mail setup is fairly straightforward and easy. We're currently testing blowing up phones remotely and should be implementing this in May/June.....

It really needs to be talked up better by Novell. Businesses have potential savings in large amounts, either through migrating from Blackberry and BES to Android/iPhone or by adding it as a value added service to their users (never underestimate the value of good will).

If we can figure out how to allow some of our outside users onto mail clients, this should be a slam dunk.

Caveats.

You MUST be running GW 8.02 HP2, anything less will SOAP error your PO into a down state very quickly. For access outside your network get a REAL cert from a cert provider, but on the plus side you only need to expose one port to the outside world, 443.

Oct 14, 2010

IDM and How I learned to love Directory Services

2 months ago I spent some time in Dallas, TX, training on Novell's IDM solution. I've been supporting an IDM system since 2008, but only had training from the implementing consultant and what I could find on Novell.com. Came back from the training with a new appreciation for what this software is capable of bringing in terms of value to any enterprise.

One of the best ways to train people up, in my opinion, is by doing. Living by my own advice, I built up a duplicate test environment resembling our production network, and used the edir2edir driver to mirror the users through the new environment. Some small tips arose from this, and it is worth it to put them down here.

Novell Designer for IDM : While the iManager IDM suite works quite well, the Designer from Novell is one of the best tools for dealing with the ins and outs of working with IDM. The ability to export your IDM as a backup is a must-have.

Apache Directory Studio : A must have for working with Directory Services, a very flexible and free tool from the Apache project. Platform neutral, it runs on most hardware.  I use it to look at the results of various "what if's?" as well as correcting issues.

Terminal : Using SSH you can do many things, but the most helpful one was running "tail -f" on the idmtrace logs.

Aug 26, 2010

Brave New World

Today was rather epic. We finally installed our first eDir 8.8.5 server in our tree. We did it on a SLES 11 64-bit VM box. My GAWD it's fast. We are definitely on a fast track to OES2 after we upgrade our Identity Manager implementation. Replication times have fallen and several of our "issues" with eDir were resolved by this.

Last week I completed the 3091 IDM course. Great product; the shame of the training was that it was on 3.5.1 and we're moving to 3.6.1. Not a big deal in the scheme of things, and the course was very informative. This will make several of the projects currently in motion much easier.

Now I need to do a crash course in XML scripting and driver logic.

Apr 27, 2010

BorderManager, WebSense and Abends...Oh My!

Last week a BorderManager server abended. Nothing new there, happens. When it came back up, checked that the internet was there, and case over, right?

Wrong....

The SurfControl filtering wasn't working, free porn and Facebook for everyone!

  1. The ruleset was restored from backup, no change
  2. Removed the SurfControl db and redownloaded it, no change
  3. Management panic because actually letting the employees make decisions on time management is bad.
  4. Call to the vendor
  5. 2nd call to the vendor
  6. Email from vendor
  7. Troubleshooting ensues
  8. Change this file, reboot, no change
  9. Change this setting, reboot, no change
  10. Reinstall software, reboot, no change
  11. Downgrade BorderManager to 3.9 SP1, reboot, no change
  12. See a pattern here?
  13. Re-upgrade to BM3.9 SP2, but keep the proxy.nlm from 3.9 SP1, reboot, no change
  14. Apply the BM3.9 SP2 IR1 patch, reboot, well the rules load quicker, but otherwise no change
  15. Escalated to 2nd level support, repeat most of above, no change
  16. Boss emails sales rep, sales rep calls support, escalated to the real geeks
  17. 10 minutes of technical jiggery pokery, corrupted filtprod.dat found in sys\etc\border\english, replaced corrupted file, no reboot, just issue a "stopbrd" and a "startbrd" and everything works!

I hate this sort of thing. If you work frontline support and can't fix it in ten minutes, send it to the next level, please. Holding onto it may make you look like a hero, but you aren't doing much to inspire confidence in the users.

Apr 2, 2010

Experiments in Novell Management....

Attempting to set up my primary work desktop as a SLED 11 monster. Thinking SLED 11 64 specifically. At this point 90% of my management work for the Novell side of the farm is done via the web, so that's a no-brainer. The AD side may be an issue though, time will tell.....

Mar 30, 2010

The "Old" Argument

Should we get rid of "Novell"?

I've heard this argument several times during my career with various outcomes. With a well reasoned argument it's a good discussion. It's the non-rational ones that tick me off.

"It's OLD!"
That doesn't make it bad, just means you haven't studied enough to find out that 4.11 was several major revisions ago. Currently Novell is at the forefront of Identity Management along with the old core business of File and Print. The current OES2 has much more than MS offers and Novell has a lower price.

"It doesn't work with ANYTHING!"
Define that. Usually it means that MS doesn't work with Novell. Which isn't "anything", and if you look a bit deeper, Novell works with MS products better than anything else, including MS's own products.

"It's not OUTLOOK!"
One word answer - Good! More words answer: by not being Outlook, it means that you don't need to worry about targeted attacks or users making royal blunders. Teamed with good spam and virus filtering, good ol' GroupWise keeps the mail flowing without the necessity of constant vigilance. And IF you insist on using MS Outlook, there are connectors for it for the GroupWise 7 backend.

"It's it's it's not what I know!"
It's not Novell's fault you have never studied anything else but MS. Novell has far more experience doing Directory Services and user authentication than MS does. eDirectory runs circles around Active Directory. The only system that may have been able to give eDir a run was Banyan Vines and MS bought them and took the code into AD, and didn't know what they had.

"It won't connect to X, Y, or Z"
Neither will MS. Well, in actuality, MS will connect to MS. So will Novell. Novell will also connect to IBM, Sun/Oracle and about 90 other things (see Identity Manager).

"It's too hard!"
It's not that nothing worthwhile is easy, more so that it's different and damn near impossible to understand unless you get off the MS branded sippy cup. Not everything requires a wizard.

"It's broke all the time!"
Is it broke? Or is it because you have no understanding of it, you hired people who had no understanding of it, or worse, hacked around in it to make it sort of work? Build a Novell system from the ground up with competent people at the helm and it will be a paragon of virtue and reliability. Muck with it, and you deserve what you got.

"I don't like "Novell""
Define Novell, no really, define it, and I'll bet the part you don't like is something that has been ignored, abused or abandoned for a long time. You need to keep current, and keep up maintenance. Do you not change oil in your car and then complain when it strands you on the road? Yes, there are stories about old 3.11 NetWare servers sitting in walls that run forever; these were also servers that did not require 10 fans to run, and only had 10-30 users on them. You need to keep up with things, otherwise you become the people in Star Trek who forgot how to fix their tools and lived in fear of them.

"Homogeneous environments are easier to support."
This is true, right up to the moment that a zero day virus gets in your network and eats all the MS based things and you find yourself looking out at a vast homogeneous wasteland that is effectively dead.