www.idmwizard.com

Some time in Q3 of last year, Stu Harrison (the PM for Defender) got me a beta copy of the latest version of Defender, which was due to have GridSure in it.  Of course, I took the time to record a quick demo of it, but then Stu asked me to delay releasing it.  One thing led to another, and I never got to posting the demo up here.  Today, however, while going through Defender with another architect, I remembered that I had this recording.

Before I go any further, you may be asking, “what is GridSure?”  It is another type of token that is available with Defender, and you can see a 3 minute marketing demo of it in the next URL.  This recording does a good job of explaining how it is used by the end user:

http://www.quest.com/defender/DefenderGrIDsureWeb/DefenderGrIDsureWebVideo.html

Whilst the demo above gives you a good idea of what the end user will see, I recorded a demo showing how to configure the token, and policy and what the user does to register.  In addition, I show the standard Defender desktop token being used with the ISAPI filter at the very beginning of the video.  I’ll apologize now for the microphone settings, and without further ado, here’s the 3 minute, 20 second video:

http://www.idmwizard.com/quest/Defender-GridSure/Defender-GridSure.html

Regards,
Dmitry

I got a call yesterday from a colleague looking for help in importing a text file. For those that don’t know, I do quite a bit of work with a Quest product called ActiveRoles Server, and an add-on called Quick Connect. Quick Connect (QC from now on) is pretty slick, and has come a long way in the last 2 years. However, it can’t do everything quite yet.

The file that was to be imported was a fixed width file, meaning every line was the same width, as was every field. Which meant fields were padded with spaces. Unfortunately, QC cannot import those files out of the box today.

The initial thought was to write a pre-sync script that would alter the file and have it put the file into a usable format. However, that’s a lot of work, and a lot of scripting. And with someone on-site, may take a while with the added pressure.

So I made the following suggestion (note: SSIS is SQL Server Integration Services – the successor to SQL Server Data Transformation Services):
———————-
SSIS lets you take delimited or fixed width files and do whatever you want to them. I suggest you watch this:
http://www.idmwizard.com/quest/SSIS-CSVExport/index.html

Then create a package to do what you want (all wizard and gui driven – very easy). Once the package is created, and executing properly, take a look at the following command line command:
DTSRun

This will let you execute the package, which you can use in a pre-sync step. Also, SSIS can do any format to any format – you don’t have to have SQL Server (or any DB) as either end point. So you could actually use this to convert a fixed width (or ragged right) file to a CSV file that QC can consume.
——————————

Why do I think this is a better solution over a pre-sync step? Well, there are several of reasons, and some may disagree, but I’ll put them out there anyway:

1. Maintaining scripts is a pain – that pre-sync step will need someone “script-capable” to alter it when the file format changes (and it will – it always does)
2. GUIs are easier – the script is just that, while SSIS provides a nice GUI package editor – it’s simply a better tool and is less prone to allowing mistakes
3. Debugging – QC doesn’t have any debugger in it – so you try the job, and it fails, and you re-code. With SSIS, you get debugging, and you can isolate the transformation so you don’t have to run the whole QC job just to see if the file is being built correctly
4. SQL Server infrastructure – using a package around the transformation lets you add many, many other things to it – notifications, other data sources, and other options – you basically have all of SQL Server at your disposal. And the coolest feature is DTSRun which is a command line tool to run the package unattended. I’m all about the command line when possible.
5. Finally – Speed – I’ve found that DTS (now SSIS) is super fast. Its sole lot in life is moving data around. And while QC is quick, too, the SQL Server team has been working on SSIS for years, and is all about ‘speeds and feeds.’ In the past, I’ve had DTS packages that would process over 50 million rows of data – that is some serious data movement, and given that the file needs to get run twice (once to transform and once to load through QC), you might as well cut time down anywhere you can

So there you have it. Will Quick Connect have this functionality in the future? I can’t say for sure, but we’ve got a bunch of smart people working on the product. Why do we not have it already? We can put every conceivable feature into the product, but then we’d never ship it. What do you need to do to get it? Well, you need to let someone know. This is the first time I’ve encountered a fixed width file in 2 years. If its rare, then it will go to the bottom of the feature list. But if lots of people request it, it will rise to the top. And how do you let someone know? You contact someone at Quest (myself, the Product Manager, your sales rep, or even support) and ask for an enhancement request. Its that simple – and it all gets back to our PM who tracks this stuff.

Enjoy the video, and let me know if it helps.

Cheers,

Dmitry

Some folks have asked why there’s been no post up for over a month, and it had everything to do with WordPress.

After my last post, I upgraded to WordPress 2.9 – and that’s when all the trouble started.  Basically, I couldn’t log in.  I could get to the database, and I could get to the file system, but actually logging in gave me a message that I didn’t have rights to log in.  So my password was good, but everything else was a no-go.  I had been using Fantastico, which is great until it isn’t.  Fantastico is basically a management tool that automates deploying things like drupal, WordPress and other web apps out that my hosting provider uses.  It makes new app deployments much easier than even the built-in ones.  For example, with WordPress, it will create the DB, and set up your first user.

But I think its the fact that I deployed with Fantastico, and then upgraded inside WordPress that caused these problems.  And after lots of googling, searching, and experimenting, I gave up.  I actually needed to move the site to the main address (www.idmwizard.com instead of blog.idmwizard.com) for a while, and this gave me a swift kick in the backside.  Of course,

For those of you stuck with an upgrade, here’s what I did.  First, I deployed a very, very bare bones WordPress to the core site.  Which means I deleted everything in the root directory (except for .htaccess) and then put the default WordPress out there.  I then created the database, and edited wp-config.php.  Once that was done, I went through the default install (found at /wp-admin/install.php) and specified my new admin user.  Once WordPress did its thing, I came through, copied my original files (from the blog.idmwizard.com site) over the ones in the root for www.

Now, here comes the tricky steps – I dropped all but 2 tables in the wordpress database.  The tables I left were wp_users and wp_usermeta.  This would let me log in but then I could bring everything else over.  Next, I exported out my old database, and then edited the SQL file.  The edits I made were:

1. swap the order of the inserts for wp_users and wp_usermeta.  These two tables are linked, and trying to insert into wp_usermeta before the users themselves were updated would cause errors.
2. Remove any entries for user #1 in both tables – this was the main user, and the one I could not log in with, so I wanted to make sure it didn’t get screwed up again.

After that, I imported the database into its new place, and that was it.  It looks like we’re back to where we started (almost).  There are still things that are screwed up – I see my tags are missing from all my posts, as well as the categories.  I’ll need to sort that out later.  But the core site works, and I should probably re-tag everything anyway.

That is all . . . glad I finally got this done, and I’m going to bed . . .

I’ve converted over to using a Mac full-time for work, and its not been without its challenges.  But one of the most annoying things is when I download something, and then go to open it, I get prompted as to whether I actually want to open.  This smacks of Window’s UAC which is one thing I was glad to leave behind in the conversion.  Thankfully, through a lot of searching, I was able to find this solution.  Create a text file with the following text:

<!DOCTYPE plist PUBLIC “-//Apple//DTD PLIST 1.0//EN”
“http://www.apple.com/DTDs/PropertyList-1.0.dtd”>
<plist version=”1.0?>
<dict>
<key>LSRiskCategoryNeutral</key>
<dict>
<key>LSRiskCategoryContentTypes</key>
<array>
<string>public.item</string>
</array>
</dict>
</dict>
</plist>

Now, simply put the file in ~/Library/Preferences/com.apple.DownloadAssessment.plist .  This is a user-specific setting, so the ~ indicates the user’s home folder.  Every user will need this file in their preferences if they don’t want this behavior.

Will this make your machine more ‘insecure?’  Absolutely, so be sure to know what you’re doing by choosing this option.  And if you do it, and are not satisfied, its on you – I take no responsibility for you downloading some malware.

(this post was originally started on 21st Oct 2009 whilst I was still in the UK).

I’m heading home from a good client meeting about my company’s AD Bridge product (QAS – pronounced Vintela) and am still surprised at the politics involved in IDM, even after everyone has agreed something needs to be done for audit/compliance reasons and the product is fit for purpose. My colleagues and I were there to help with technical and commercial questions but there’s nothing we do for the politics.

Unix Engineering, AD Architecture, InfoSec, End-User Services and the PMO were well represented and from all regions.  And I think that’s the big problem with IDM in general.  This is a common scenario, and I often have 3-5 different groups represented in my meetings. Having worked in Dev, DB, Infrastructure, Support and other IT functions, I’ve never gotten involved in anything that included all these groups at once.  Usually, some group was left out, which made things easier.  But with IDM, everyone is involved and stays engaged throughout the project.

And, of course, each group wants the project to succeed but everyone also realised that territories were getting re-arranged. So each lobbied for things to make their part easier or better. On the one hand, I can see every person’s position having done all of those jobs in the past. But if I were an exec, I’d try to figure out a way to have more cooperation and less posturing.  When it comes to IT processes, an IDM project is going to quickly uncover everyone’s motives and show the unlying politics which may seem dormant or non-existent with other projects.

And so it goes . . . with all large projects, its the people, and not the process or tools, that complicate things.

As an aside, when I managed folks and a re-org was needed, I’ve often (half jokingly) asked who would you put where if you “fired” everyone and started over. Not for real, of course, and you can have all the same people, but would you put them in different roles? Would you let anyone go?  Are there any roles that are missing?  What about necessary people in unnecessary roles?

A long time, when dotcoms rules the land, I was a Dev Manager for www.eTour.com (don’t bother following the link – they’re gone). In those days, we were still trying to introduce people to the web and there was a buzz in the industry that I hadn’t seen before or since. And one that will probably never occur again.

Well, one of the funniest, yet instructional moments came during our death throes. The conversation with the Product Manager went something like this:

Brian: Dmitry, check this out – we need to do this one the site.

Dmitry (walking over): BC, put that site away – this is the workplace – go look at that stuff at home.

BC: no, look at this (closes browser window). See that? There’s another window under it.

DK: yeah, ok. A porn site with pop-ups – what’s your point?

BC: No – check it out.  They manage to put the pop-up under the main window.  Watch again.

DK: OK – I see.  Definitely interesting . . . send me the URL and we’ll figure it out.

Plain and simple, they came up with the ‘pop under’ which was much less obnoxious than the ‘pop-up’ that was so prevalent at the time.  I then had to go to one of our (female) developers and ask her to reverse engineer how it was done.  It turns out it was a simple call to a window.blur() function.

Its interesting that porn (followed by gambling) lead innovation in terms of technology.  It certainly was the only thing making money at the time of the dotcom meltdown and a lot of the things you now see with streaming video (a la YouTube) was not developed by Google or some other well-known company, but by those in the ‘seedy part’ of the internet.

What does this have to do with ‘Identity Management?’ I’m not sure, but I’m willing to bet they will continue to innovate, and it will have some sort of impact on the rest of the computing field.

I spent the better part of a week in October in Luxembourg, and most of this post was written on October 21st, 2009.  However, its been sitting in my Drafts queue this whole time.

In any case, it was about what I expected.  It was a cute little city/country nestled inside of Europe with a good mix of people from various other countries.  The one thing that did truly surprise me was a Greek developer name Michael P.  What surprised me most was that he was able to take Quest VSJ and get it running in about 30 minutes, with minimal instructions, and having a machine on a different domain, with no DNS resolution to the AD domain where VSJ was installed.

Now, I should point out that Barry G and I have gone out of our way to make VSJ accessible to customers trying it out the first time, but its still a hard product for developers to truly ‘grok.’  And the product itself is not difficult but the whole notion of ‘Java using Microsoft for authentication and authorisation’ seems to really trouble some people.  Even though its really a code library, like many others, and is often used as a servlet filter, like many others, developers get really hung up with the fact that its working with Active Directory.  Its some sort of stumbling block for them, even though it behaves like any other piece of Java code.

But Mike just nodded when I told him it was a servlet filter, and grabbed the USB stick from me with the binaries.  One of a few developers I’ve met in a long time that didn’t subscribe to any sort of ‘religion.’

Within 10 minutes, he came back saying he was getting licensing errors!  Perfect – it was ‘as expected’ as I forgot to give him a file called vsj-license.jar and he disappeared when I did.  About 5 minutes after that, he came back with ‘access denied’ error messages, which meant that he installed it, and it was behaving ‘as expected.’

Some things Mike saw when he first tried to log in turn into good tips to keep in mind if you’re actually deploying or testing VSJ:

• Kerberos didn’t work, which was expected, so he failed to login.  This was not a surprise, as VSJ defaults to leaving NTLM and Basic Auth turned off.  Good settings for a production environment, but one that trips people up when they first using VSJ in a development and test environment.  So he checked the vsj.properties file and turned both options on for testing.
• Internet Explorer is an abysmal browser.  Once it starts doing something (like NTLM) there is no way to get it to stop.  Even turning NTLM off in the servlet filter doesn’t stop it from trying.  Nothing short of a reboot stops it from behaving this way.  So we enabled SP-NEGO in Firefox and continued on.  We also turned off NTLM, but left Basic Auth on, which then has the servlet filter requesting the Kerberos ticket on the user’s behalf.
• Mike P was not in the test domain, so Kerberos would never work for him off his machine.  Unless . . . he used the “runas” command.  But even runas doesn’t work well off machines that are on another domain.  However, we used the “runas /netonly” command which gets past that.
• Finally, we did reconfigure Mike’s machine to use the test domain’s DNS.  There is no way to do proper Kerberos without good name resolution, and we needed to get host and SRV records to get a ticket onto Mike’s machine.

There are definitely a lot more things to keep in mind when working with VSJ.  If you do need help, check out these forums or call your Quest rep to get you in touch with some knowledgable people.

One thing that has come up a lot recently is how to provision Oracle DB users from ActiveRoles Server.  Oracle DB users are not very hard to create but most people using ARS have little to no experience with managing DB users.  And, unlike applications, DB users can’t simply be inserted into a table as tables like SYSUSER may have dependencies to other parts of the DB.

There are a lot of different ways to do this, but below is an outline of something I wrote almost 2 years ago, and is still applicable today.  Note: this is all in VB Script and is compatible with any version of ARS 6.x.  It may even work with 5.x.  I do have plans on converting this to PowerShell for use in 6.5, but this ought to be enough to get you moving.

Start off with a script library called “DB Code.”   The idea is to have all the connection and DB execution code in one place, and then decide which DB code (the actual SQL commands) gets called into the ARS event handlers.  Here is that code with a hard-coded connection string.

Option Explicit

' ************************************************************
' This function executes any SQL command sent to it against
' the Oracle DB
' ************************************************************
Function ExecuteSQLScript(p_sSQLToExecute)
 Dim oFS
 Dim oFSFile
 Dim strConnectionString
 Dim oConnection
 Dim oCmd

 Const cnstCommand = 1 'Command type - 1 is for standard query
 Const ForReading = 1
 Const ForWriting = 2
 Const ForAppending = 8

 ' sample connection string from www.connectionstrings.com
 ' Driver={Microsoft ODBC For Oracle};Server=myServerAddress;Uid=myUsername;Pwd=myPassword;

 ' connection string - only server name and DB name should change
 strConnectionString = "Driver={Microsoft ODBC for Oracle};Server=OraDB1;Uid=SYSTEM;Pwd=Password1;"

' uncomment next 3 lines for debugging
 On Error Resume Next
 Set oFS = CreateObject("Scripting.FileSystemObject")
 Set oFSFile = oFS.OpenTextFile("C:\\Log.txt", ForAppending , False) 

 ' connect to oracle db
 Set oConnection = CreateObject("ADODB.Connection") 

 'Open connection using ConectionString
 oConnection.Open strConnectionString 

 Set oCmd = CreateObject("ADODB.Command")

 ' prepare SQL Statement

 ' create the user to be external
 oCmd.CommandText = p_sSQLToExecute
 oCmd.CommandType = cnstCommand
 oCmd.ActiveConnection = oConnection
 oCmd.Execute

 ' uncomment next line for debugging and put them right where you think the error is happening
 oFSFile.WriteLine(p_sSQLToExecute & " *** Error: " & Err.Number & " " & Err.Description)

 ' close the connection and disconnect from oracle db
 Set oCmd = Nothing

 oConnection.Close
 Set oConnection = Nothing

' uncomment next 3 lines for debugging
 oFSFile.Close
 Set oFSFile = Nothing
 Set oFS = Nothing
End Function

Note that I’ve got some debugging coded in there, and this will write every SQL command sent to a file called c:\Log.txt.  You may wish to turn this off in production.  Also, this script is meant to go into “Script Modules/QSC Scripts” and is called “DB Code”.  If you alter any of this, you’ll need to change the objLib references below.

Next, you simply create some script policies that have event handlers which will execute this code.  My suggestion is to use the OnPost set of events so that if something happens, the rest of the action can continue. The first bit of sample code is for creating the account in Oracle.  Now, keep in mind that creating a user doesn’t do anything until you GRANT the user some rights.  So its OK to create users since they cannot connect up and do anything just yet.

Option Explicit

Sub onPostCreate(Request)
 Dim strsAMAccountName
 Dim strExecuteSQL
 Dim strTitle
 Dim objLib

 Set objLib = ScriptLib.Load("Script Modules/QSC Scripts/DB Code")

 Request.GetInfo
 strsAMAccountName = UCase(Request.Get("samaccountname"))
 strTitle = UCase(Request.Get("title"))

 ' if this change is not for a user, get out
 If (LCase(Request.Class) <> LCase("user")) Then Exit Sub    

 ' prepare SQL Statement

 ' write the new account into the table
 strExecuteSQL = " CREATE USER " & strsAMAccountName & " IDENTIFIED BY Password1 "

 Call objLib.ExecuteSQLScript(strExecuteSQL)

 'grant access if the new account is a production dba
 If strTitle = "PRODUCTION DBA" Then
 strExecuteSQL = " GRANT CONNECT TO " & strsAMAccountName & " "
 Call objLib.ExecuteSQLScript(strExecuteSQL)
 End If 

End Sub

Next, we have an example that shows a simple grant/revoke command based on someone’s job title (if the user is a Production DBA he gets connect access while anyone else is revoked).

Option Explicit

Sub onPostModify(Request)
 Dim strsAMAccountName
 Dim strExecuteSQL
 Dim objLib
 Dim strTitle

 Set objLib = ScriptLib.Load("Script Modules/QSC Scripts/DB Code")

 Dim objObj
 On Error Resume Next
 If (DirObj Is Nothing) Then
    Set objObj = Request
 Else
    Set objObj = DirObj
 End If
 On Error GoTo 0

 ' if this change is not for a user, get out
 If (LCase(objObj.Class) <> LCase("user")) Then Exit Sub    

 strsAMAccountName = UCase(objObj.Get("samaccountname"))
 strTitle = UCase(objObj.Get("title"))
 strEmpStatus = UCase(objObj.Get("edsvaEmpStatus"))

 ' prepare SQL Statement

 ' If you are DBA you should have connect rights
 If strTitle = "PRODUCTION DBA" Then
 ' write the new account into the table
 strExecuteSQL = " GRANT CONNECT TO " & strsAMAccountName & " IDENTIFIED BY Password1"

 Else
 ' delete the account from the table
 strExecuteSQL = " REVOKE CONNECT FROM """ & strsAMAccountName & " "
 End If

 Call objLib.ExecuteSQLScript(strExecuteSQL)

 If strEmpStatus = "TERMINATED" Then
 objObj.Put "edsvaDeprovisionType", 1
 objObj.SetInfo
 End If

End Sub

Finally, here’s an example of what you can do when someone is deprovisioned:

Option Explicit

Sub onPreDeprovision(Request)
 Dim strsAMAccountName
 Dim strExecuteSQL
 Dim objLib

 Set objLib = ScriptLib.Load("Script Modules/QSC Scripts/DB Code")

 ' if this change is not for a user, get out
 If (LCase(DirObj.Class) <> LCase("user")) Then Exit Sub    

 strsAMAccountName = UCase(DirObj.Get("samaccountname"))

 ' prepare SQL Statement

 ' delete the account from the table
 strExecuteSQL = " DROP USER " & strsAMAccountName & "" & " CASCADE "

 Call objLib.ExecuteSQLScript(strExecuteSQL)
End Sub

At the end of it all, all I’m doing is calling SQL statements that a DBA would use in creating and managing users within Oracle.  This same approach will actually work with MySQL, SQL Server, DB2 and most other RDBMS provided the correct syntax.  And, for example, if you want to get really clever, you could create AD groups that are analogous to Oracle Roles, like SYSDBA,

I would suggest you be careful with that last one as the CASCADE part of the command will drop any objects owned by the user within Oracle, and you could lose data.  Be sure to talk to the Oracle DBAs first, and walk them through what you’re doing.  And, as always, this post is made available with no guarantees, assurances, promises or commitments.  Your mileage may vary, and you really should contact Quest Professional Services if you need assistance with ActiveRoles Server.

I spent some time with a manufacturing client this week, and did quite a bit of hands on work with ActiveRoles Server.  The guy I worked with was quite good, “grokked” exactly how the product worked, and all the features it had.  However, there’s quite a lot there, and if you don’t spend your time in it day in and day out, you’ll probably forget some key points.  At the time, I made a note that I need to record some additional videos to show some of the functionality we reviewed.  This would help him later on as a refresher without having to schedule myself or someone else to walk him through it again.

Of course, when I think to do these things, other tasks take over, and I never get to them.  However, as luck would have it, I got an internal email on the way home.  The email was asking for help with showing granular delegation through QARS.  So here is my 6 minute, really quick and off-the-cuff recording (this one has audio).  Enjoy:

http://www.idmwizard.com/quest/QARS6.1GranularDelegation/QARS6.1GranularDelegation.html

Hopefully, I’ll be able to find the time to post more of these recordings . . . or coerce someone else into doing a few as well.

I had a client a long time ago (in 2007) ask if they can have a way to never re-use an account name.  They were looking at Quest ActiveRoles Server (google for it), and this was a key requirement.  Well, this would be very easy to do with the built-in policies if they kept their disabled users around.  However, they didn’t want to clutter AD with similar account names, and disabled accounts.  Which meant that QARS wouldn’t be able to check AD for uniqueness as the accounts would be wiped out.  I initially suggested they use an ADAM (now called AD LDS) store for this, and have AD include it in the scope.  However, but they thought it was too cumbersome for this task (and, honestly, it was).

So I had to come up with a scripted solution to get past this hurdle and still provide them a way to create unique names into perpetuity without leaving objects in AD or ADAM.  This question has come up again internally, so I thought it would make sense to publish this to the rest of the world for future reference. First is a recording of how to install the bits and show you how it works.  The short version is that it:

a. creates a table in the QARS database to keep track of every user name created as the account is being provisioned.
b. it installs a policy that checks the table from part (a) and generates a new user name based on the previous names in the DB.

The way the script is written (and this is what the client wanted), they wanted to create a user with first name, then last initial.  If that was taken, use the next 2 letters, 3 letters, and so on.  At some point, you run out of options, and have to resort to numbering.  Obviously, the script needs to be modified to meet your needs, and there are some great Professional Services people at Quest to help if you need it, but perhaps this sample is enough.

This post, as with all others, implies no warranty, and I do NOT support this solution (unless you wish to pay me) and is posted as an example of what is possible with Quest ActiveRoles Server.  If you have questions, please contact your Quest account manager about what support options are available.

Now . . . without further ado, here are the links you want.  First, here is a recorded video of the installation and usage:

http://www.idmwizard.com/quest//UniqueUserID/index.html

And here is the zip file shown in the video (albeit renamed – but you should be able to figure it out):
http://www.idmwizard.com/quest/UniqueUserID/UniqueUserID_policy.zip

Cheers,
Dmitry

(note: edited 2009-09-22 – changed some text and updated links to open in new windows and work properly).