November 13, 2008

LDAP Search Filter

Search Tip: To retrieve all the users in a domain who belong to a specific group, use this query, where fulldn is the full distinguished name (DN) of the group.

(&(objectclass=person)(memberOf=fulldn))

For two groups:
(&(objectclass=person)(|(memberOf=fulldn1)(memberOf=fulldn2)))

Use the same pattern for more groups: add one (memberOf=...) clause per group inside the OR (|) block.
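An added example, not from the original post: a Python helper that builds the filter above for any number of groups and escapes each DN per RFC 4515, so characters such as parentheses in a group name cannot change the filter's structure. The group DNs are constructed samples, and the `nested` option assumes Active Directory, whose LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941) also matches membership through nested groups.

```python
# Added example: build the group-membership filter with RFC 4515 escaping.
# All DNs used here are constructed sample values.

# Active Directory only: LDAP_MATCHING_RULE_IN_CHAIN walks nested groups.
IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            # Special characters become a backslash plus two hex digits.
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def members_filter(group_dns, nested=False):
    """Filter for person entries that are members of ANY of group_dns."""
    if not group_dns:
        raise ValueError("at least one group DN is required")
    attr = f"memberOf:{IN_CHAIN}:" if nested else "memberOf"
    clauses = [f"({attr}={escape_filter_value(dn)})" for dn in group_dns]
    # A single group needs no OR wrapper; several groups go inside (|...).
    inner = clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"
    return f"(&(objectclass=person){inner})"


if __name__ == "__main__":
    hr = "CN=HR,OU=Groups,DC=example,DC=com"
    emea = "CN=Admins (EMEA),OU=Groups,DC=example,DC=com"
    print(members_filter([hr]))
    print(members_filter([hr, emea]))
    print(members_filter([hr], nested=True))
```

Plain memberOf matches only direct membership, and in Active Directory it does not list a user's primary group.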

October 31, 2008

A must read - "Sun Loses Co-Founder to Start-Up"

The first few lines may not be of interest for many, however the entire article is an awesome read. Go ahead and read it.

October 23, 2008

One does - Remaining follow

If I am not wrong, the concept of Compliance manager was first started by Aveksa. Unfortunately they were a little late to the market and in the meanwhile Sailpoint already pitched in. Now we have one more big player ... guess who ....... it's none other than Sun Microsystems.

They recently launched their Compliance Manager product. I think I will be able to do a comparative study soon and publish to my blog readers.

October 22, 2008

Congrats India

Picture Courtesy: www.isro.org

Congrats to all the Indians. A most awaited moment in the history of Indian Space Mission has just begun. It's not far when all the myths are broken and an Indian lands on Moon.

Kudos to ISRO and all its associates.

October 17, 2008

Good Read on LinkedIn

Came across an excellent article on how to use LinkedIn and the profits associated with it. Give a read.

October 13, 2008

News from Nous Infosystems

An interview of the CEO of Nous Infosystems on CIOL. Give a read.

October 8, 2008

Open SSO from SUN

Maybe I am one of those last guys in the world who is talking about this. However I was wondering about a simple concept. How long will Sun be a charity organization?

October 1, 2008

"Indiscipline" has taken over good part of the Software Industry

During my college days, the computer illiterates used to call me a good programmer and under that assumption I used to be in a hurry to keep the name going on. Once there was a task given and we were coding in C. As usual in my hurry to complete it first and faster, I have completed the program. There I press "CTRL+F9" just to see some garbage. Wondering what would have gone wrong I quickly checked the 100 lines of code. Couldn't find an error. My professor came in and started debugging, rather just checking the functionality. In the meantime I think good number of people in my class somehow completed the program.

Still my prof scrolling up and down ... and suddenly I see that I have missed the "&" before the variable name in the "scanf" statement. :-)

That was history, however this is what is happening in the industry today. People are always in a hurry to see their product selling in the market, and in that hurry the programmers' deadlines are pushed and what one gets into the market is a faulty product. The sales guy sells it, cos he knows how to handle the POC and a foolish partner picks up the product to implement.

Tough times start when actually people start implementing it.

In the other scenario, these days, people are in such a hurry to implement and show how great they are to their customers; architects are not even making design documents. Finally they mess up the project and somehow deliver some nonsense. If you have read my previous article, it's because of such hasty implementations in the past that the future becomes grim and even after knowing this, people repeat mistakes.

To conclude ... I want to write about a funny experience I had ...
Once when I was taking up a final lab exam for a batch of Electronics engineering, a girl submitted her observations to me. The few details were
Project: Implementation of logical gates using circuits and verifying results.
Precautions:
1. The connections should be tight
2. Readings should be taken without parallax error.

I asked two simple questions.
How do you get parallax error when you have a result of 1 if light glows and a result of 0 if it doesn't?
Since when did you start having losses in results if the connections were not tight in electronic experiments?

September 25, 2008

A weird output from a SQL query to Sybase

Environment: Sybase OS, J2EE app running on Tomcat, Driver used was com.sybase.jdbc3.jdbc.SybDataSource

The query goes like this "Select T1.UserId AS ID, T2.UserId AS GrID ......"

Now the output when logged shows this way
Exiting getColumnNames = [UserId, UserId, .................]

So the "AS" keyword seems to be not working. Problemssssssss

Now the solution was we changed the driver to net.sourceforge.jtds.jdbc.Driver downloaded from Sourceforge. Just downloaded jtds-1.2.2-dist.zip and extracted the jtds-1.2.2.jar to the lib and a simple restart with changes in the connection information.

Hope this would be useful to someone.

September 18, 2008

What am I doing?

Yepp, it's been some time that I got uncertain about what should I be doing. Finally I have decided to move a little ahead in Identity and learn something on Identity Governance. I am currently working on Sailpoint's Identity IQ implementation for a large bank.

September 8, 2008

Sailpoint - Identity IQ

Ever heard of Recertifications? I am talking about Access Recertifications which happen in organizations to periodically check who is allowed to access what? This process in many organizations goes this way ...
  1. Collect user database from every Application owner across the organization
  2. Consolidate the list with respect to managers
  3. Send the lists to manager to verify if each of those users require the access to the application with whatever access level specified
  4. Once the manager gives his decision, the users' accesses are either revoked or modified, for which again it's a lengthy process, as everyone acknowledges

Sailpoint's Identity IQ addresses this issue. The product, just like an Identity Manager, provides a unified view of the entire organizational users, with all the data pertinent to Recertifications. Once the application is configured for all the necessary applications and the user data is in, scheduled Certification Requests can be fired to every manager in the organization. Also the escalations can be handled. The managers can just log in to the application and either recertify or revoke or modify user access to every application.

So most of the process is automated now. Don't think it's done yet. It also can make SPML calls to any provisioning engine available (not OOB) in the Identity market and thus automatize the complete Recertification process.

Read more about these at Sailpoint

One last thing, if I am not wrong these features are available in the world's renowned ... :-)

August 12, 2008

Why do companies end up paying huge amounts for Identity Projects?

The sure answer would be indiscipline. Any doubt?
When one starts up a company, least preference is given for IT discipline. No directory implementation, no domains etc., which results in process chaos after a few years. Then managements start thinking about bringing things in order and end up not only paying huge amounts to get it straight but also end up with improper implementations. I have seen many companies which never had any system according to conventional methods when it comes to user management.
The question that bugs me every moment is why companies do not leverage the open source tools available? Directories are available in the open, operating systems are available in open, why can't one avail these?
These are my view points:
1. The day the company is christened a directory structure should be in place
2. Every employee record should be present in it.
3. All the available systems in the office should authenticate the user against this directory
4. Employee should be given an option to change his passwords and few other details online
5. Form filling should be avoided on the induction day, instead a webpage should be used and the data should be recorded into a HR database and then should be fed to the directory
6. A small PLSQL trigger on the database can create the email address without conflicts
7. Free Identity tools like SUN Identity Manager should be implemented within one year
8. Every application or tool that the organization needs should be under the purview of Identity Manager
Am I missing something???
I feel these are the basics that one should do for the company's IT wellness in the long run.

July 17, 2008

It happens only in ..........

Recently I visited my Car Service center. While they were working on my car I was going through the workshop and was shocked to read this (last one).

July 16, 2008

An update on ViDT

Today I received a comment on my previous post on ViDT.

"Is VIDT available in Market or from Sun? Could you provide some more detail about VIDT?"

The answer would be ViDT which was previously known as a VIP was the IP of Neogent. This tool makes the implementation of the organizational Identity framework much easier and thus faster. As this tool started achieving popularity, SUN acquired Neogent. Now this tool is used by SUN PS folks to implement the framework faster. This is not available outside for anyone else. SUN has kept it for self :-)

Over-Security consciousness hurts sometimes

Yesterday I was at the PVR Bangalore. I noticed a couple of foreigners arguing with the security at the entrance of the Audi. The guard says they do not allow laptops inside and the couple say it's their official laptop and they cannot leave it with the security. They argued with everyone in the hierarchy and finally they left the theater cursing my country and their time. They said they were waiting in the mall for more than two hours just to watch the movie, finally which they couldn’t.

So when it comes to security, where are we heading to? Things meant to keep us happy and safe are troubling us? A theater which charges relatively double to any other ordinary theater in town doesn't provide enough infrastructure where such things can be handled.

Security is something which when dealt by uneducated and unsophisticated people will be the same.

June 21, 2008

An Observation

I was going through LinkedIn and just clicked on a survey. The results it showed for the survey have something noteworthy. Check it out.

June 20, 2008

Why IDM initiatives fail?

First check this post


What is said here is true. The people who are building solutions only think of technical issues always, rather than the features which are roots of the organization, viz. Processes and Policies. From an architecting perspective it is very crucial to understand the processes of the organization and then chalk out a plan for work rather than checking out what can be done by the product.

I feel, technologically everything is possible, with the only two constraints - TIME and MONEY. If a space shuttle can be sent to MARS, then an Identity implementation is possible, with or without the chosen product's features. However the feasibility of a solution with respect to time and money has to be planned when one architects.

Just my thought ...

Metaview deprecated - SUN Identity Manager 8.0

The best thing I feel SUN developers did was they removed the Metaview feature. This reportedly had a couple of bugs and I was once caught by them :-(

June 4, 2008

SUN Identity Manager 8.0 is released

SUN Identity Manager 8.0 is out

For all the enthusiasts - come download and experience the amazing product


A brief overview of this release:

Sun Identity Manager 8.0 is the latest version of the Sun Identity Manager product offering with expanded Role support, enhanced reporting capabilities, and updated resource adapter and application server support. This update improves upon the industry-leading Identity Manager 7.1 solution with:

# Role Enhancements
  • Role life cycle management can require approvals on Role creates, edits and deletes, and Role changes can be applied to all assigned Users.
  • User-to-Role life cycle management improvements enable support for future and temporary Role assignments.
  • Default Role types including Business Roles, IT Roles, Applications, and Assets are now provided to encourage best practices with regards to Role management.
  • Business Roles can contain roles required by all, conditional for some, and optional (by request and optional approval) for others. A Business Role designer can define coarse grain access, while delegating to the user or a manager the ability to fine tune the access within the scope of a Business Role.

# Enhanced Reporting with Data Exporter
  • Manager operational data can be made available for use by other processes and applications.
  • Data held by and flowing through Identity Manager can be periodically exported to a customer-managed data warehouse or third-party business intelligence and reporting tools.
  • Exported data can be used to answer historical questions regarding 'Who had access to a system, and who approved that access?'. It can also be used to provide reports on operational behavior over time, such as 'Provision Operations by Resource' and 'Workflow Approval Response Times'.

# Attribute Configuration
  • Extended, queryable, and summary attributes can now be configured for roles as well as users.
  • The new extended attribute configuration supports specification of value syntax (STRING, INT, DATE, or BOOLEAN), whether the attribute can have a single or multiple values, and a text description for the attribute.

# Other Notable Updates
  • UNIX resource adapters now support SSH connections using private/public key pairs for authentication to managed resources.
  • Service Provider user password changes will be checked against the password policy configured on the user directory.

# Supported Resource Additions and Updates
  • Exchange 2007 (New)
  • Microsoft Active Directory Application Mode (ADAM) (New)
  • RSA SecurID 6.1.2 (Updated)
  • Siebel CRM 8.0 (Updated)
  • Oracle E-Business Suite on Oracle Applications 12 (Updated)
  • HP OpenVMS 8.3 (Updated)

# Supported Application Server Updates
  • Sun Java System Application Server 9.1 (GlassFish v2 UR1, 32-bit and 64-bit)
  • Oracle Application Server Enterprise Edition 10g Release 3 (10.1.3)
  • Oracle Application Server Standard Edition 10g Release 3 (10.1.3)
  • BEA WebLogic Server 10
  • JBoss Application Server 4.2

# Bug Fixes and Platform Support Updates

For more information about the features in this release, see the Identity Manager 8.0 Release Notes or the Identity Manager documentation set.