ID Card Stuff
April 27, 2008 by mabatche.
I haven’t been following the whole ID Card landscape very much, to be honest. But lately I was looking over Project Bandit and downloaded the DigitalMe card selector. It looks pretty promising, and I can potentially see a lot of very interesting uses for this stuff. But my question is, does anyone know of a site I can try this against that supports it? Or am I just flat out missing something? I know this is new stuff, but at the moment I have the card selector and nothing to use it with… Anyone know of anything? And if not, if I were to attempt to set something up, would anyone be interested?
UPDATE: So I was looking around some more on ID cards and ran across this great video here. It’s basically a little mini-tutorial on how to get CardSpace working with a website with very minimal effort. I may mess around with this some more just to see what I can do with it.
Posted in Uncategorized | No Comments »
OSS IDM System - Some Thoughts
March 26, 2008 by mabatche.
Been a while since I’ve posted anything. My apologies if anyone is actually reading this stuff.
I’ve been thinking a lot more about that first question I ever posted: “Where’s my open-source IDM solution?” And I certainly received some messages from a few people that pointed a few out to me. They all looked fairly promising.
But I keep wondering if it would be possible to write a module that attaches itself to an OpenLDAP server (sort of like a persistent search on steroids) that could subscribe to changes that occur there. That way, you could use OpenLDAP as a “meta-directory”. From there, you could write connectors that connect to target systems.
This seems a lot like Novell’s IDM, only sort of the open-source brother to it, without the XML/DirXML engine (which I imagine is patented somehow anyway).
Any thoughts? I’m just kind of rambling on here…
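As an added example (not the author's code, and not from Novell IDM or any project named here), here is what that idea looks like in Python. LDIF change records (RFC 2849) stand in for the change feed; an OpenLDAP syncrepl consumer in refreshAndPersist mode, or a poll of the slapo-accesslog overlay, would produce them, and that client-side plumbing is not shown. Each change is applied to an in-memory copy of the entry, so a connector always sees the whole record even when only one attribute changed, and is then fanned out to per-target connectors that remember what they last pushed: a replayed change is a no-op, and an entry missing mandatory data is never half-provisioned. The subtree, attribute maps, connector names and the three sample records are constructed assumptions; real connectors would call useradd, a mail system's API and so on where this one updates a dict.

```python
"""Meta-directory change fan-out (added example; not the author's or any project's code).
Changes are LDIF change records (RFC 2849), as an OpenLDAP syncrepl consumer or a poll of
the slapo-accesslog overlay would hand over; connectors and sample records are made up."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]                   # attribute (lower-cased) -> values


@dataclass
class Change:
    dn: str
    changetype: str                            # add | modify | delete
    attrs: Entry = field(default_factory=dict) # for add
    mods: List[Tuple[str, str, List[str]]] = field(default_factory=list)  # (op, attr, values)


def _attr(line: str) -> Tuple[str, str]:
    """'Attr: value' -> ('attr', 'value'); base64 ('::') and folded lines are not handled."""
    name, _, value = line.partition(":")
    return name.strip().lower(), value.strip()


def parse_ldif_changes(text: str) -> List[Change]:
    changes = []
    for record in re.split(r"\n\s*\n", text.strip()):       # a blank line separates records
        lines = [l for l in record.splitlines() if l and not l.startswith("#")]
        change = Change(_attr(lines[0])[1], _attr(lines[1])[1])
        if change.changetype == "add":
            for attr, value in map(_attr, lines[2:]):
                change.attrs.setdefault(attr, []).append(value)
        elif change.changetype == "modify":                 # blocks: "op: attr", values, "-"
            block: List[str] = []
            for line in lines[2:] + ["-"]:
                if line != "-":
                    block.append(line)
                elif block:
                    opname, attr = _attr(block[0])
                    change.mods.append((opname, attr.lower(), [_attr(l)[1] for l in block[1:]]))
                    block = []
        elif change.changetype != "delete":
            raise ValueError(f"unsupported changetype {change.changetype!r}")
        changes.append(change)
    return changes


class Connector:
    """Target-system connector: keeps a shadow of what it pushed so replays are no-ops.
    A real one would call useradd, a mail API, etc. where the shadow is updated."""

    def __init__(self, name: str, base_dn: str, attr_map: Dict[str, str], required: Tuple[str, ...]):
        self.name, self.base_dn, self.attr_map, self.required = name, base_dn, attr_map, required
        self.accounts: Dict[str, Dict[str, str]] = {}

    def sync(self, dn: str, entry: Optional[Entry]) -> str:
        if not dn.lower().endswith(self.base_dn):
            return "ignored"                                # outside this connector's subtree
        if entry is None:                                   # entry deleted upstream
            return "delete" if self.accounts.pop(dn, None) is not None else "noop"
        record = {tgt: entry[src][0] for src, tgt in self.attr_map.items() if entry.get(src)}
        if any(f not in record for f in self.required):
            return "incomplete"                             # never push half an account
        if self.accounts.get(dn) == record:
            return "noop"
        action = "update" if dn in self.accounts else "create"
        self.accounts[dn] = record
        return action


def apply_change(entries: Dict[str, Entry], change: Change, connectors: List[Connector]) -> List[Tuple[str, str]]:
    """Update the meta-directory's copy of the entry (so a modify of one attribute still
    yields a whole record) and fan the result out to every connector."""
    entry: Optional[Entry] = None
    if change.changetype == "add":
        entry = entries[change.dn] = {a: list(v) for a, v in change.attrs.items()}
    elif change.changetype == "modify":
        entry = entries.setdefault(change.dn, {})
        for op, attr, values in change.mods:
            if op == "replace":
                entry[attr] = list(values)
            elif op == "add":
                entry.setdefault(attr, []).extend(values)
            elif op == "delete":                            # no values: drop the whole attribute
                entry[attr] = [v for v in entry.get(attr, []) if values and v not in values]
            if not entry.get(attr):
                entry.pop(attr, None)
    else:
        entries.pop(change.dn, None)
    return [(c.name, c.sync(change.dn, entry)) for c in connectors]


# Constructed sample: an account is created, its mail address arrives later, then it is removed.
SAMPLE_CHANGES = """\
dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: add
uid: jdoe
uidNumber: 5001
gidNumber: 5000
homeDirectory: /home/jdoe
loginShell: /bin/bash

dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: modify
replace: mail
mail: jdoe@example.com
-

dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: delete
"""


def run_demo() -> List[Tuple[str, str]]:
    people = "ou=people,dc=example,dc=com"                   # assumed subtree for both targets
    posix = Connector("posix", people, {"uid": "login", "uidnumber": "uid", "gidnumber": "gid",
                                        "homedirectory": "home", "loginshell": "shell"}, ("login", "uid", "gid"))
    mail = Connector("mail", people, {"uid": "login", "mail": "address"}, ("login", "address"))
    entries: Dict[str, Entry] = {}
    return [r for ch in parse_ldif_changes(SAMPLE_CHANGES) for r in apply_change(entries, ch, [posix, mail])]
```

Running `run_demo()` gives `posix create, mail incomplete` for the first record (no mail attribute yet, so the mail connector pushes nothing), `posix noop, mail create` when the address arrives, and `delete` from both when the entry goes. The shadow in each connector is what makes a crash-and-replay of the change feed safe; with syncrepl the consumer would also persist the server's cookie so it resumes where it stopped.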
Posted in Identity Management | 1 Comment »
Role Based Access in the Enterprise
October 9, 2007 by mabatche.
I have recently been thinking a lot about role based access in large enterprises. I have personally been involved in quite a few Role Based initiatives, and I got to thinking.. Given the typical bureaucracy that goes along with a large corporation, and given the somewhat disjointed nature of roles in most organizations, can one actually achieve *true* role based access?
I think it depends on what your definition of roles is.
Roles - The Problem:
The trouble with IDM solutions and Role Based Access is that every vendor out there tells you, “Sure, we do role based access.” I have even had a few vendors tell me that they will come in and figure out what my roles are for me, and then work with that.
Where I think most fall short, is that in every large company I have ever been to, they don’t know what their own roles are… let alone have some external entity figure it out for them.
The real problem is that a “role” can be anything a company defines it as. It can be something as simple as pay-grade = ROLE or something as complex as your practice+group+pay-grade+manager-reporting-relationship+tenure+location = ROLE. So, as you can see, I think a “role” is a relative thing.
This trouble around roles is where I think most IDM/Role projects fail.
Technology:
Most companies focus their time on the technology behind IDM/Roles and not enough time figuring out what roles mean to their organization. (I have found myself guilty of this at times).
Technology is great, but in the end when doing IDM projects, the technology is just a means of getting your data pushed around from one place to the other. The data is the truly important piece to the IDM puzzle. If you understand your data, the technology is simple. If you don’t, then you’re doomed to have a terrible IDM implementation.
The Data:
I would venture to say that most large enterprises have a good idea of what they are paying their employees, but, when asked what their employees’ roles are or what makes up that role, they might not have an answer.
When creating a Role Based Framework, you have to be able to define what makes up a role in its entirety. So, an example might be an Administrative Assistant: what is needed to fulfill this particular role? A File and Print account? An eMail account? Financial reporting account? PeopleSoft account? Special access to Admin databases? A home directory? Special access for their location?
- As you can see, a simple role like Administrative Assistant can become very complex. Imagine having to do this for a company that potentially has thousands of roles?
This is why I think Roles (as they are talked about today) are not achievable on any kind of scale. While some may disagree with me here, I think if done on a large scale, roles are just too messy this way.
Self Service:
Many IDM vendors are pushing the concept of self-service as a way to help the problem of roles/access provisioning by taking out the middle man and allowing data owners to do their own approval and access granting. I think this is a great concept and can be a good fit in any organization of size. But self-service has a problem as well: knowing who the data owners actually are.
Most big organizations have a hard time pulling this off as well. Over the years data owners change, data changes, and where data lives changes, so if there were owners of the data in the beginning, chances are they don’t know who they are now.
Recommendation:
So, if you find yourself working on one of these Role projects at a large shop, before you even start talking about technology you need to ask yourself and the organization the following questions:
1 - Do you already have a rock solid idea of what your roles will look like and what each role *means*?
- Not just what the role name is, you need to know exactly what it means data wise and access wise when someone gets that role applied to them.
2 - If the answer to #1 is no, then the conversation needs to turn away from technology and turn into a matter of exploration to determine if it’s even possible to figure out what roles are, given current data. Often you will find that given the data, roles are not definable. If this is the case, the conversation usually turns into.. let’s make up some roles.
I think the right place to be when thinking about roles is somewhere between knowing your roles completely, and providing self-service.
I think that if you can get to a point where you have say, 10-20 general roles out of 1000, and those general roles provide 80% of the people the access they need from day one, then you have succeeded at roles. After you figure out the general roles, then you can add self-service to catch the rest of the 20% that you couldn’t automate in the first place.
So, basically after all this rambling, I think what I’m trying to say is…
1 - Generalize your roles. Being too specific just makes things way too complicated.
2 - Knowing that you generalized, you need to provide a way to make up for the difference. This is where I think providing self-service and workflow comes into the picture.
So, once again, sorry for the rambling.. just had to get it off of my chest.
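As an added example (not the author's code), the 80%/self-service argument in Python, run over a constructed population of ten users with two departments, two job titles and a handful of entitlements (all made up). `derive_roles` builds one role per distinct combination of the chosen HR attributes, which is the organisation's own definition of a role, and puts into it only the entitlements most of that group already holds; `evaluate` then reports how many users the roles fully cover, what self-service would still have to grant, and, when the threshold is loosened, where a generalised role hands someone access they never had. That last figure goes slightly beyond the post: it is the least-privilege cost of generalising.

```python
"""Role mining with a coverage check (added example; not the author's code). The users,
departments, titles and entitlements are constructed; the point is the arithmetic."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

RoleKey = Tuple[str, ...]


@dataclass
class User:
    name: str
    attrs: Dict[str, str]            # HR data the organisation might build a role from
    entitlements: FrozenSet[str]     # what the person actually holds today


@dataclass
class Report:
    coverage: float                                  # share of users the roles fully cover
    leftovers: Dict[str, FrozenSet[str]]             # user -> access self-service must grant
    overgrants: Dict[str, FrozenSet[str]]            # user -> access the role would add


def derive_roles(users: List[User], key_attrs: RoleKey, min_share: float = 0.8) -> Dict[RoleKey, FrozenSet[str]]:
    """One role per distinct combination of key_attrs (the organisation's definition of
    'role'); its entitlements are those held by at least min_share of the group, i.e. what
    everyone in that job needs on day one."""
    groups: Dict[RoleKey, List[User]] = defaultdict(list)
    for user in users:
        groups[tuple(user.attrs[a] for a in key_attrs)].append(user)
    roles = {}
    for key, members in groups.items():
        counts = Counter(e for m in members for e in m.entitlements)
        roles[key] = frozenset(e for e, n in counts.items() if n / len(members) >= min_share)
    return roles


def evaluate(users: List[User], roles: Dict[RoleKey, FrozenSet[str]], key_attrs: RoleKey) -> Report:
    """Compare what each user holds with what their role grants: leftovers are the 20% that
    self-service/workflow must catch, overgrants are where a generalised role hands out
    access the person never had (the least-privilege cost of generalising)."""
    covered, leftovers, overgrants = 0, {}, {}
    for user in users:
        role = roles[tuple(user.attrs[a] for a in key_attrs)]
        if user.entitlements <= role:
            covered += 1
        else:
            leftovers[user.name] = user.entitlements - role
        if role - user.entitlements:
            overgrants[user.name] = role - user.entitlements
    return Report(covered / len(users), leftovers, overgrants)


def _u(name: str, dept: str, title: str, *ents: str) -> User:
    return User(name, {"department": dept, "title": title}, frozenset(ents))


# Constructed sample population: admin assistants in two departments plus some accountants.
SAMPLE_USERS = [
    _u("aa1", "finance", "admin-assistant", "fileprint", "email", "homedir"),
    _u("aa2", "finance", "admin-assistant", "fileprint", "email", "homedir"),
    _u("aa3", "finance", "admin-assistant", "fileprint", "email", "homedir", "finreport"),
    _u("aa4", "finance", "admin-assistant", "fileprint", "email", "homedir"),
    _u("aa5", "finance", "admin-assistant", "fileprint", "email", "homedir", "peoplesoft"),
    _u("ac1", "finance", "accountant", "email", "homedir", "finreport", "peoplesoft"),
    _u("ac2", "finance", "accountant", "email", "homedir", "finreport", "peoplesoft"),
    _u("ac3", "finance", "accountant", "email", "homedir", "finreport"),
    _u("en1", "eng", "admin-assistant", "fileprint", "email", "homedir", "bugtracker"),
    _u("en2", "eng", "admin-assistant", "fileprint", "email", "homedir", "bugtracker"),
]


def compare(users: List[User]) -> Dict[str, Tuple[int, float]]:
    """Role count and coverage for a few ways of defining 'role'."""
    results = {}
    for label, key, share in [("title", ("title",), 0.8),
                              ("dept+title", ("department", "title"), 0.8),
                              ("dept+title@60%", ("department", "title"), 0.6)]:
        roles = derive_roles(users, key, share)
        results[label] = (len(roles), evaluate(users, roles, key).coverage)
    return results


if __name__ == "__main__":
    for label, (n_roles, cov) in compare(SAMPLE_USERS).items():
        print(f"{label:16} {n_roles} roles, {cov:.0%} of users fully covered")
```

On this sample, roles keyed on title alone give 2 roles covering 40% of people; adding department gives 3 roles and 60%; lowering the "held by most of the group" threshold to 60% reaches 80%, but now the accountant role grants ac3 a PeopleSoft account nobody asked for. That is the trade the post describes: every step toward full coverage either multiplies roles or widens them, and what is left over is the self-service workload.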
Posted in Uncategorized | 1 Comment »
Open Source IDM Solutions
September 11, 2007 by mabatche.
In a previous post, I noted that I had not seen any open source IDM solutions that were really focused on provisioning. I had seen quite a few that were focused on SSO and federation. After my post, a blogger pointed out to me a company called Diamelle that had something in that space. To be frank, I haven’t had any spare time to dive into it. But, on the surface, and from what I’ve read, it looks like it could have some good traction.
Another one has popped up since then called Velo. I saw it in response to this post. From the looks of it, it appears to be playing heavily in the provisioning space. Also, it appears to be offered under the GPLv2.
I watched the 2 demos they had up on their website, and it appears to be a decent looking interface. I’m assuming it’s a push/pull type of technology, but I could be wrong since I haven’t actually used it. Either way, more choices in the IDM provisioning space can only be a good thing. I’ll be checking this one out next chance I get. So far, though, given Diamelle and Velo, at least there are some choices out there.
Posted in Identity Management | No Comments »
Mark’s Apple Hickory BBQ Ribs from the grill.
September 4, 2007 by mabatche.
So, if you know me, you know I’m no chef. BUT, I do like to grill. I have never really made ribs on the grill before, so this last Monday (Labor Day) I set out to do just that. I figured I would post how I did it, because one of my biggest pet peeves is when people post how-tos for recipes, they always assume you know how to cook, and where to actually get everything. So, I provide links and suggestions on where to do that. (Not that it will help anyway.) It’s just a rib recipe, for Pete’s sake!
Ok, I have a gas grill. You know, one of those Charmglow stainless steel ones from Home Depot. (This one, to be exact. Nothing fancy. Just a boring ole gas grill.) I read all sorts of stuff on the internet about how you can’t really make good ribs on a gas grill, or how charcoal is the *only* way to go. It sort of discouraged me. But I’m here to tell you that you can make some very, very, very good ribs on a boring ole regular-guy gas grill. Here’s how.
First, you will need some supplies.
1 - Hickory wood chips (I used the Weber Firespice brand), but really anything will work. I bought mine at the local True Value hardware store (Casper’s). But, it turns out, you can get ’em at Amazon also. And they have a much larger collection. See this link here.
2 - A smoker box (I used this one. Also bought at True Value, but it was cheaper at amazon.com. Here.)
3 - 1 gallon of apple cider (from your local grocery store). Brand doesn’t matter.
4 - 1 bottle of Tabasco sauce. I used the regular ole boring Tabasco.
5 - A rib stand for your grill. I used the Weber brand one, but you can find many here on amazon.com.
6 - A gas grill with a pretty full tank.
7 - Aluminum foil.
8 - A spray bottle.
9 - Olive oil (doesn’t matter what brand/type; I used the extra virgin stuff from the local store).
10 - Some kind of small pan to hold some water/apple juice.
11 - The RIBS, of course. I used a full slab of baby back pork ribs from the local store. I seriously think this would work with just about any type of ribs, pork or beef. (I’m doing beef next time.) But make sure they have the bones in them (not boneless). And make sure you remove that membrane from the back of them before you cook them. (If you don’t, it won’t hurt anything; it’s just a little weird.)
Ok, now that you/we have all that stuff, here’s what you do. It’s pretty simple.
Take your wood chips and put a few handfuls into some Tupperware or a medium-sized bowl.
Next, pour enough water into the bowl with the wood chips so that they are mostly submerged. Then take your apple cider and mix in about 2 cups full or so. Then cover them and let them soak for at least an hour. The goal here is to get the chips pretty soggy so that they will smolder when placed in the smoker on the grill.
At the same time as the chips (or thereabouts), take out your ribs and place them into some Tupperware as well. Then pour in a generous amount of apple cider and about 10-15 little dots of Tabasco. Make sure you get the ribs nice and wet. Then cover ’em up and place them in the fridge. The goal here is to let them marinate in the cider for at least an hour. (The longer the better, but remember you’re gonna wanna cook these ribs for a long time, so do this first thing in the morning, or the night before, to make sure you get a good long marinade.)
Ok, now you wait for everything to soak/marinate. Now is a good time to get everything else ready.
While we are waiting, take your spray bottle and fill it up about 3/4 of the way with apple cider.
Next, add a few drops of Tabasco to the mix. Then fill it up the rest of the way with olive oil. (Note that I used a pretty small spray bottle, not some huge thing. So just be your own judge of how much to mix.) The goal here is to get a cider/oil/Tabasco concoction that you can spray on your ribs while they are cooking.
Ok, next, let’s get our grill ready. You want to cook these things really, really, really slowly to get the best flavor/tenderness. My grill has 3 burners on it: left, middle, right. I turned the right burner on as low as it would go, and left the other two completely off. This let my grill heat up to only about 225F. This is the sweet spot. Anything much hotter than this and things start to dry out. 250F works as well, just don’t get too hot.
Next, I took aluminum foil and covered the entire left side of my grill. This is going to be where the ribs are going to sit on their rack.
Next, my grill has one of those upper levels that always seem kind of useless. Up there, I took a very small square glass pan and filled it up with apple cider. I then just sat it on that little shelf. This evaporated during the cooking process and really helped keep things moist. Once all this is in place, your grill is all set to go.
Now that that’s all done, let’s get back to our ribs/wood chips.
Take your wood chips out of your water/cider mix and place them into your smoker box. (Don’t worry, you don’t have to use them all.) Then place the smoker box on the right-hand side of your grill over where the burner is running. Then just leave them there for the duration of your cooking. (This will provide, in our case, a hickory flavor that a traditional smoker would usually provide.)
Now, it’s time for the ribs. Since I used a full slab, I cut the slab in half and stood each half slab up on the rib stand that I linked to previously. Now take the stand/ribs out to your grill and sit them down on the left-hand side, opposite the burner that’s running. Make sure they look comfortable, as they are going to spend the next 6 hours that way. :)
After placing the ribs, take your spray bottle and spray them down with your oil/cider/Tabasco mixture.
Now, for the next 6 hours we go into rib maintenance mode. Every 30-45 minutes, go back out to your grill and spray down your ribs with your spray bottle mixture. Also, while there, make sure that the grill isn’t getting much hotter than 225F. Otherwise, it’s all for naught. Make sure you are diligent about the temperature and the spraying of the ribs; this is what makes them so darn good. (Attention to the small details can make this better than you imagine.)
Ok, in hour 5 or so, you can, if you want to, apply your favorite barbecue sauce with a brush. I did this with some Sweet Baby Ray’s, about every 15 minutes or so in the 5th hour. It was pretty damn good.
Ok, now that you’re in your 6th hour, and the ribs look freaking awesome… go get ’em and eat!
(Sorry for the long-winded post about ribs; they were just so damn good!)
Mark.
Posted in Random Stuff | No Comments »
OpenSuse 10.2 Network install in 6 easy steps.
August 16, 2007 by mabatche.
Step 1
Download and burn the mini CD iso from the opensuse.org website. I found it here. This is the 10.3 miniboot.
The 10.2 miniboot can now be found here.
Step 2
Boot off of your newly burned mini CD.
Step 3
Once at the screen where you can choose “Installation”, press the F4 key and choose HTTP.
Step 4
Now, when prompted for the server, place the following in that field: suse.mirrors.tds.net
Now, when prompted for the directory, place the following in that field: /pub/opensuse/distribution/10.2/repo/oss/
Step 5
Now, choose installation and you’re off and running!
Step 6
Wait……… installing over the internet isn’t the fastest thing in the world, but it works pretty well.
Note that this doesn’t take into account anything like proxy servers or NFS mounts. These steps assume you have a direct connection to the internet.
Updated: I changed the link to point to the 10.3 miniboot CD. It should work for 10.2 as well. (But I have not confirmed this).
Posted in Uncategorized | 4 Comments »
So, I posted my Resume
May 29, 2007 by mabatche.
I posted my resume like everyone else does. Nothing special. I’ve been with the same company for 10 years and recently was wondering if there is anything else out there. Don’t get me wrong, I actually like my job. But you never know unless you look. So, here is the resume. It’s a work in progress; this is just the first draft, so if it isn’t all that pretty, I apologize.
Mark.
Posted in Uncategorized | No Comments »
This is actually pretty cool.
May 11, 2007 by mabatche.
A few days ago, I put up a little article asking where my open source IDM solution was. Looking across someone else’s blog, I was directed to this link here.
It’s a very cool mapping tool used to create a map of known open source IDM projects and their status. I found this very helpful. Maybe you will as well.
Posted in Identity Management, Uncategorized | No Comments »
Started PAM module list
May 11, 2007 by mabatche.
I just started putting together a list of all the PAM modules I can find that are open source. It can be found here.
I’ve been getting a bit frustrated at finding some of these. Many of these are very useful! And it would be nice to have one place to go to find out about some of these… Sooo, I’m starting this little list and updating it as I come across them.
Mark.
Posted in Directories, Identity Management, Uncategorized | No Comments »
The Trouble with Non-Native Authentication
May 7, 2007 by mabatche.
Recently, I’ve been working on a project which is intended to replace access/authorization mechanisms on Solaris/Linux servers with PAM_LDAP (see www.padl.org). Getting PAM-LDAP to work has actually proven to be a relatively easy thing to do. (We happen to be using Novell’s eDirectory as the LDAP environment for it.) But we have been running into multiple problems when it comes to non-PAM-aware applications running on our servers.
Here’s an example: IBM DB2. Technically, it looks up users/user access information from /etc/passwd and from /etc/group. This is all well and good. But on some older instances of it, it doesn’t necessarily seem to adhere to the standards that nss_ldap uses for lookups, which leaves us in a scenario where we have to maintain a local copy of the account on the Solaris servers in order for DB2 to function correctly. Now, this completely defeats the idea behind using a central directory for access/authorization. What’s the point in having one if you have to also maintain local accounts for non-system-level users on the server as well?
An Idea -
For anyone who has ever worked in a Novell shop, you are most likely all too familiar with this same problem, only from a different angle. When the Novell client is installed on a Windows workstation, there had to be a mechanism for local users (or domain users, for that matter) to be authenticated to a workstation as well as the eDirectory user. In Microsoft’s wisdom, they are assuming that everything is Windows, and no third party matters. Novell got around this with what they used to call (I have no idea if it’s still called this) “Dynamic Local User”. What it would do is, upon login, if you had never logged into that machine before, it would create a local account for you with whatever security-specific policies you had assigned to that user. Then you had the option (via policy) to make that a non-volatile user (meaning it would never be deleted unless someone deleted it) or make it a volatile user (meaning upon logout, the user would be cleaned up from the workstation and all was good). This worked surprisingly well. Now, of course, one thing Novell had on their side was that they knew the user’s password upon login and could sync it up. It was also a fairly small use case (meaning it was really intended for workstations and the types of things they would be doing).
Now, I realize that a server (especially one of the unix variety) is a very different beast from a workstation. But, what I was wondering is if this is possible for a unix box?
I’ve seen some stuff out there that has some of this functionality, but nothing that really got me going yet.
Has anyone ever run across software (maybe a PAM module) that supports this type of functionality? I have seen pam_mkhomedir before and even used it. That is sort of a dynamic provision for the home directory on Unix. But what about the user?
Anyone?
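As an added example (not the post's code, and not a Novell or PADL component), one way to get a volatile dynamic local user on a Unix box without writing a PAM module in C: a pam_exec session hook, here in Python. The PAM stanza, the script path and the marker directory are assumptions. On first login the script copies the directory's account into /etc/passwd with the same uid and gid, so a program that reads the file directly sees what nss_ldap would have told it; it leaves the password field as `x` so authentication stays with pam_ldap; it refuses to proceed if a local account with a different uid/gid already exists; and it removes the copy again at logout. The sample /etc/passwd contents at the bottom are constructed for checking the decision logic.

```python
#!/usr/bin/env python3
"""Dynamic local user for Unix via pam_exec (added example; not the post's code).

Assumed PAM stanza (hypothetical), e.g. in /etc/pam.d/sshd after the pam_ldap lines:
    session  optional  pam_exec.so  /usr/local/sbin/dynamic_local_user.py
pam_exec exports PAM_USER and PAM_TYPE. On open_session the directory account is copied
into /etc/passwd with the same uid/gid, so software that reads the file directly (the DB2
case above) agrees with nss_ldap; on close_session a volatile copy is removed again.
"""
import os
import pwd
import subprocess
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional

LOCAL_PASSWD = "/etc/passwd"
STATE_DIR = "/var/lib/dynamic-local-user"     # assumed: markers for volatile users
VOLATILE = True                               # False = keep the local copy after logout


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

    def passwd_line(self) -> str:
        # 'x' in the password field: authentication stays with pam_ldap, never a local hash.
        return f"{self.name}:x:{self.uid}:{self.gid}:{self.gecos}:{self.home}:{self.shell}"


def parse_passwd(text: str) -> Dict[str, Account]:
    """The local file only (no NSS), so a local copy can be told apart from a directory answer."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and not line.startswith("#"):
            accounts[fields[0]] = Account(fields[0], int(fields[2]), int(fields[3]), *fields[4:7])
    return accounts


def directory_lookup(name: str) -> Optional[Account]:
    """Resolve through NSS (nss_ldap included); None if nobody knows this user."""
    try:
        p = pwd.getpwnam(name)
    except KeyError:
        return None
    return Account(p.pw_name, p.pw_uid, p.pw_gid, p.pw_gecos, p.pw_dir, p.pw_shell)


def decide(name: str, local: Dict[str, Account], directory: Optional[Account]) -> str:
    """add: create the local copy; skip: already local; conflict: a local account with a
    different uid/gid exists (provisioning would corrupt file ownership, so refuse);
    unknown: not in the directory either, let the rest of the stack fail closed."""
    if name in local:
        if directory and (local[name].uid, local[name].gid) != (directory.uid, directory.gid):
            return "conflict"
        return "skip"
    return "add" if directory else "unknown"


def useradd_args(acct: Account) -> List[str]:
    # shadow-utils flags; -M: no home directory, pam_mkhomedir does that. -g needs the group to
    # resolve via NSS (an LDAP group is fine). Solaris useradd(1M) differs, check before use.
    return ["useradd", "-M", "-u", str(acct.uid), "-g", str(acct.gid), "-d", acct.home,
            "-s", acct.shell, "-c", acct.gecos, acct.name]


def main() -> int:
    user, ptype = os.environ.get("PAM_USER"), os.environ.get("PAM_TYPE")
    if not user or not ptype:
        return 0                                   # not running under pam_exec
    marker = os.path.join(STATE_DIR, user)
    if ptype == "open_session":
        with open(LOCAL_PASSWD) as f:
            local = parse_passwd(f.read())
        directory = directory_lookup(user)
        action = decide(user, local, directory)
        if action == "add" and directory:
            subprocess.run(useradd_args(directory), check=True)
            if VOLATILE:
                os.makedirs(STATE_DIR, exist_ok=True)
                open(marker, "w").close()
        elif action == "conflict":
            print(f"dynamic_local_user: {user} exists locally with another uid/gid", file=sys.stderr)
            return 1                               # with 'required' instead of 'optional' this blocks login
    elif ptype == "close_session" and os.path.exists(marker):
        subprocess.run(["userdel", user], check=True)
        os.remove(marker)
    return 0


# Constructed local file for the checks below.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/sh\nbob:x:1001:1001:Bob:/home/bob:/bin/sh\n"

if __name__ == "__main__":
    sys.exit(main())
```

Two caveats the DB2 case above raises: an application that reads /etc/group directly needs the same treatment for the user's groups, and the password that the post says Novell could sync is deliberately not copied; the local entry exists for uid/gid resolution only, and a volatile removal at logout should be paired with a check that no processes or files still belong to that uid.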
Posted in Uncategorized | No Comments »