11 Mar 2010
Planet Identity
Daniel Raskin - Sun: Make Me a Sandwich!
10 Mar 2010
Identity 360 - Imprivata: Infosecurity Europe Stand # H40
Join Imprivata at Infosecurity Europe. At this conference, information security professionals will meet for a 3 day event, addressing the challenges of today while preparing for those of tomorrow.
10 Mar 2010 10:09pm GMT
Dave Kearns' IdM Newsletter: Google heats up OpenID
OpenID and OAuth will work in tandem to provide single sign-on to third-party applications that are OpenID relying parties. In fact, the recommendation from Google is that application developers simply provide a button that says "Sign in using a Google Apps account" instead of presenting a log-in box.
10 Mar 2010 9:23pm GMT
Anil Saldhana - Red Hat: Oasis Identity In The Cloud Technical Committee
I am pleased to have ignited the establishment of a new Technical Committee called "Oasis Identity In The Cloud" at the Oasis standards consortium. Prominent security experts in the industry were gracious to participate in the initial brainstorming group I created.
You can read more on the charter here: IDCloud Charter
Apart from Red Hat, the proposers of the TC include Microsoft, IBM, CA, Novell, Rackspace, SafeNet, Yaana Technologies along with a few prominent individuals in the security/identity space. I am sure the proposer list will grow in a few days.
If you are an Oasis member or your company is an Oasis member, you should definitely look at joining this effort.
More details and a call for participation will be announced by the Oasis consortium in a few days.
Keywords: Oasis Cloud Security.
10 Mar 2010 9:12pm GMT
Jackson Shaw - Quest: True story: After being away 2 years I wish I was de-provisioned!
I had lunch with my friend "Jason" from Universal Widgets last week. We hadn't talked for more than two years and Jason's first comment was "Did you know I left Universal to go work for Galactic Widgets but I've gone back to Universal Widgets?" I was surprised because I had missed out on what my friend was up to for more than two years. But, here we were back at the beginning again. Anyway, we had a good discussion about what each of us were up to but the most interesting part of Jason's story was his answer to this question: "How was your return to Universal?"
Jason answered that they hadn't allocated his desk to anyone else so it looked as if a "Jason shrine" had developed while he was gone. "But the worst part of my return was that I was able to log on with my old userid and password!" Where had I heard this before? However, rather than agreeing with me Jason's comment was: "The worst part was when I started Outlook and I had 25,000 unread messages!"
I guess there can be some things even worse than a security compromise with not being de-provisioned and that's coming back to two years' worth of unread e-mails! I think Jason is still too busy deleting messages to answer his phone…
10 Mar 2010 8:30pm GMT
Neil Wilson - UnboundID: Large result sets in the LDAP SDK
One of the things that I think is particularly nice about the UnboundID LDAP SDK for Java is the way that it allows you to perform a search and have it collect the matching entries in a list that is available in the search result. However, this is really only well suited for cases in which you're sure that you won't get a huge number of entries returned because otherwise the need to hold all of the matching entries at once can cause significant memory problems.
However, if you are going to be dealing with large search result sets, then the LDAP SDK provides a couple of additional APIs that may be of use. The SearchResultListener interface defines methods that can be invoked whenever an entry or reference is returned by the server that allows you to act on that entry or reference as soon as it is received. I've had a number of people ask for an example of how to use this interface, so I've created a simple program, WriteAttrToFileUsingListener.java, that you can use to accomplish this. It's a pretty simple program that performs a search to retrieve all entries containing a specified attribute, and then writes all of the values for that attribute to a specified output file. It's a little more complex than it absolutely needs to be in order to demonstrate just the SearchResultListener interface, but it also serves as a nice example of the LDAPCommandLineTool API that you can use to easily write command-line utilities that need to talk to a directory server.
We also have another class, LDAPEntrySource, which can be used to make dealing with large result sets easier. This class provides an implementation of the EntrySource API (which makes it easy to iterate across entries in a common way regardless of how they were obtained, like returned as search results or read from an LDIF file), and you can treat it kind of like an iterator across search entries. I've created another version of the example program, WriteAttrToFileUsingEntrySource.java, that demonstrates how to use the LDAPEntrySource as an alternative to SearchResultListener to achieve the same result.
10 Mar 2010 6:37pm GMT
Chris Ceppi - Ping Identity: Google Apps Marketplace - Seamless is the Move
I walked out of the Google Apps Marketplace launch last night in Mountain View convinced of a couple of things. One, Google consistently gives out cool schwag, caters well, and runs some of the best lit PR events in the...
10 Mar 2010 3:34pm GMT
Ludovic Poitou - Sun: OpenDS Tab Sweep
It's been a while since I last posted an OpenDS tab sweep. So here's a list of news and pointers related to our open source LDAP directory server.
PCQuest Top Story this month is about the Top 10 Enterprise Open Source Apps, which include OpenDS and an article on Managing Identities with OpenDS.
The OpenDS project is starting to demonstrate its maturity. Several startups and software companies are now officially supporting OpenDS.
- iConcur Software delivers the new Axiom, a requirements management tool that integrates by default with OpenDS.
- Bonitasoft, the leader in open source Business Process Management (BPM) and a Grenoble-based company, uses OpenDS for testing its support of LDAP repositories and praises it to its own customers for its ease of use. Ask @rodrigue!
- Symeos, another high-profile French startup, is building its Symeos Appliance Framework on open source projects including GlassFish, OpenSSO and OpenDS.
- Janua, a French IT services company specialized in identity projects, has included OpenDS in its product offering and has just launched a new site for its LDAPTools.
- Sopera, a German company building open source SOA, is integrating OpenDS in its development tools and offering, as shown on the screenshot below (courtesy of SpringSource).
Also in the recent days a couple of new LDAP browsers appeared.
- Symlabs announced a Free LDAP Browser, tested to work against many directory servers including Sun Directory Server Enterprise Edition, Oracle Internet Directory and OpenDS. The browser is currently available for Solaris, Linux and Windows.
- For the developers who are using NetBeans, Allan Lykke Christensen is rapidly developing a Maven-based NetBeans module for exploring LDAP services from within NetBeans. The plugin works well with OpenDS, but is currently only offering a read only view of the data.
Finally, in an introductory article titled Microsoft Azure for the Dummies, Ernest regrets the lack of flexibility in the PaaS plans from Microsoft and suggests the Java-based OpenDS directory server as a good alternative for running your own LDAP service on MS infrastructure.
10 Mar 2010 3:12pm GMT
Phil Windley - Kynetx: The Power of Pull
This week on the Technometria podcast, Scott and I talk to David Siegel, the author of The Power of Pull. David talked to me one or two times quite a while back about identity as he was researching this...
10 Mar 2010 3:11pm GMT
Marc Canter - Broadband Mechanics: Spring break @ Case week
This is when everyone can get work done - when the students are away!
Congrats to John Slanina on a job - in Youngstown!
The year Open Data went worldwide
Jon Medved on Entrepreneurism b'Israel
5 reasons why your company should be distributed
Universities and Open Access - interview with David Weinberger
Dave is upset that they watered down Alice, made it more palatable for American/mainstream palates. My daughters enjoyed it - regardless.
JayCut - white labeled on-line video editor with Open APIs
Penton Publishing is bankrupt - just walked away from $270M in debt
100 mbps coverage coming - en masse
Prezi, Reaktor 5, CrowdSpring, JayCut, the NYC Data mine, Open Clip Art Library, sfe
10 Mar 2010 6:29am GMT
09 Mar 2010
Marc Canter - Broadband Mechanics: Case Connection Zone in the WSJ
The project we're working on here at CWRU was written up in the WSJ today. Unfortunately I can't link to the full article, as it's behind a paywall.
In it Lev Gonick (the CIO of CWRU) explains that we're working on figuring out the recipes for success of ultra high-speed connectivity.
"What do you DO with a 1G connection?"
That is the question.
Now for some answers.
What we launch in late May '10 won't be the final answer, but it'll be a beginning.
By combining advanced health, energy, education and safety services, a personalized News page and a social network, with blogging, activity streams, live-video help, groups with media sharing we hope to start to answer the question.
Now throw in some compelling local content and services and you've got yourself a full fledged ultra high-speed dashboard 2.0.
And that is what is required of every Digital City.
09 Mar 2010 10:11pm GMT
Dave Kearns' IdM Newsletter: Axiomatics, European Entitlement Management specialist, accelerates its US expansion by hiring top IAM analyst Gerry Gebel
Former VP and Service Director for Burton Group Identity and Privacy Strategies, Gerry Gebel, has joined leading entitlement management experts, Axiomatics. Gebel brings more than 25 years of relevant experience to the company both from the Burton Group and from his time in the financial services industry.
09 Mar 2010 7:02pm GMT
Dave Kearns' IdM Newsletter: The business of business is trust
The role of government, Jánszky says, is simple: Stop trying to build walls around the consumer and instead focus on passing laws that enable companies to use personal information, provided they do so in a responsible way and with the full content and oversight of the consumer.
09 Mar 2010 4:06pm GMT
Dave Kearns' IdM Newsletter: SAML vs. XACML for Authorization: VHS versus Betamax?
Who will win the war? I don't know but there's something to be said about the fact that progress is being made faster with SAML than XACML.
09 Mar 2010 3:44pm GMT
Jackson Shaw - Quest: SAML vs. XACML for Authorization: VHS versus Betamax?
Is SAML the right "thing" for authorization? Hmmm, I guess if I were a purist I'd say "No" but since I'm a pragmatist I'd say "If it works for your application then use it". In either case, this brings me to wonder about SAML and XACML from an authorization perspective. Will there be a Betamax versus VHS war in the authorization space? Hard to say. I know Microsoft will be supporting SAML tokens with the release of ADFS V2 later this quarter. They won't be supporting XACML.
Who will win the war? I don't know but there's something to be said about the fact that progress is being made faster with SAML than XACML. Draw your own conclusions… As they say, time will tell.
09 Mar 2010 1:56pm GMT
JISC Access Management Team: Can you solve this problem for me?
I have a bunch of spreadsheets. Each spreadsheet represents one institution. Each spreadsheet contains a list of resources that institution subscribes to. I want to turn this around so that I end up with one spreadsheet with each resource as a column, and each institution that subscribes to that resource underneath it. [...]
09 Mar 2010 1:05pm GMT

