The difficulty with building a tool like this is that it is a huge leap to go from a low level editing tool like ADSI Edit to a high level, task-based UI like ADUC. The problem is that it is nearly impossible to infer the semantic meaning of attributes in the directory in a generic way such that you can have objects with arbitrary schema. It is already hard enough just to come up with reasonable text and graphical views of all the random binary data that a directory can store. For example, your directory might store GUIDs, X509Certificates and JPEGs, but the schema only knows it is binary data. Unless you have a hard-coded list somewhere, it is hard to do anything with it besides showing you the raw bytes (which is almost never interesting to most people).

As such, you kind of need to either come up with a UI that just provides some compelling task-based features for a very narrow schema that ships with the product and/or provide a really well-conceived extensibility mechanism that allows easy declarative construction of useful UI features with minimal coding (or you'll scare away the non-coders). Doing something like that successfully is a pretty huge undertaking, no matter what presentation framework you choose (web, CLI, Windows, etc.).

Personally, I think the answer for this type of tool lies with the whole managed code/Monad-based MMC thing that is coming. It will significantly lower the bar to getting custom extensions into the UI and hopefully create a new eco-system of useful tools that vary from universally needed to extremely domain-specific.

That said, there are probably some tools that we really need for ADAM that would be hard for most of us besides Joe to write. I'm not entirely sure what the sweet spot is though.

Joe K.
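As an added illustration of the "hard-coded list" problem described above (example code written for this page, not from anyone on the thread): the schema says only "Octet String", so a tool has to pair a fixed map of well-known attribute names with magic-byte sniffing, and the sniffing is inherently ambiguous. The sample byte values are constructed; the mixed-endian GUID layout and the SID layout are the real AD/ADAM encodings.

```python
import hashlib
import struct
import uuid

# The "hard-coded list": attribute names whose binary layout AD/ADAM fixes.
KNOWN_BINARY = {"objectguid": "guid", "objectsid": "sid",
                "usercertificate": "x509", "jpegphoto": "jpeg"}

# Constructed samples: GUID 12345678-1234-5678-9abc-def012345678 in the
# mixed-endian order AD stores it, SID S-1-5-21-1-2-500, stub JPEG/DER headers.
SAMPLES = {
    "objectGUID": bytes.fromhex("78563412341278569abcdef012345678"),
    "mysteryBlob": bytes.fromhex("0104000000000005150000000100000002000000f4010000"),
    "jpegPhoto": b"\xff\xd8\xff\xe0" + b"\x00" * 4,
    "customCert": b"\x30\x82\x01\x00" + b"\x00" * 4,
}

def sniff(value: bytes) -> str:
    """Guess a renderer from content alone; inherently ambiguous, so the name map wins when known."""
    if value[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if value[:2] == b"\x30\x82":          # DER SEQUENCE with 2-byte length: typical cert
        return "x509"
    if value[:1] == b"\x01" and len(value) == 8 + 4 * value[1]:
        return "sid"                      # revision 1 and a sub-authority count that fits
    if len(value) == 16:
        return "guid"                     # any 16 bytes might be a GUID, or something else
    return "raw"

def sid_to_string(value: bytes) -> str:
    """Decode revision, sub-authority count, 48-bit big-endian authority, LE sub-authorities."""
    revision, count = value[0], value[1]
    authority = int.from_bytes(value[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, value, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def render(attr: str, value: bytes) -> str:
    """Return a human-readable string for one binary attribute value."""
    kind = KNOWN_BINARY.get(attr.lower()) or sniff(value)
    if kind == "guid":
        return str(uuid.UUID(bytes_le=value))
    if kind == "sid":
        return sid_to_string(value)
    if kind == "x509":
        thumb = hashlib.sha256(value).hexdigest()[:16]
        return "X.509 certificate (DER), %d bytes, SHA-256 %s..." % (len(value), thumb)
    if kind == "jpeg":
        return "JPEG image, %d bytes" % len(value)
    return "<%d bytes> %s" % (len(value), value[:8].hex())
```

A custom-schema attribute such as "mysteryBlob" is only recognised because its bytes happen to look like a SID; a 16-byte value starting with 0x01 0x02 would be mis-sniffed, which is exactly why the name map has to come first.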
----- Original Message ----- From: Jef Kazimer
To: ActiveDir@mail.activedir.org
Sent: Friday, April 28, 2006 4:26 PM
Subject: RE: Re: [ActiveDir] ADAM Management Tool REQs and Desires...... WAS: Internet Authentication Concepts: Pointers?


Ok....

So are you thinking winForm Gui? Web? MMC? Console? I know you like command line....but as I hear there are some great tools already in existence. :)

ADSIedit is great for MOST things, but I would fear giving it to a helpdesk guy, or an application admin who has no idea what LDAP really is. They just want an Identity store.

Soo....

Something that abstracts the user from LDAP (OUs, DNs, etc....scary stuff!) but shows them as a simple TreeView of the directory

Management templates that glean data from the defined Schema and are customizable. Since ADAM can have a very custom Schema, the tool would need to be flexible to accommodate that. I.e. select the Dog object, and be able to modify the Neutered boolean attribute.

These templates should be customizable in a simple fashion that does not require extensive development knowledge :)

Build in basic routines for common functions like password reset, etc.

I guess a more customizable ADUC for ADAM :)


Maybe the name should be "theWelch" since Jerry said "ME!"?

From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: RE: Re: [ActiveDir] ADAM Management Tool REQs and Desires...... WAS: Internet Authentication Concepts: Pointers?
Date: Fri, 28 Apr 2006 16:38:16 -0400


I am not quite sure what question that response was intended to answer....

Was that, you would like a good ADAM management tool? If so, describe that tool. If Murray isn't happy, we can take it offlist. I can do this through personal email or spin up a forum on my website for it. I am very interested in hearing what people think is needed. I was told the perfect name for the tool over a year ago, I just haven't written the tool to go with the name yet. At some point I will have to do something with it. :)


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jerry Welch
Sent: Friday, April 28, 2006 4:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: Re: [ActiveDir] ADAM Management Tool REQs and Desires...... WAS: Internet Authentication Concepts: Pointers?


ME !

Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-5 GMT)
IP Phone (Skype):  Jerry_Welch  ( www.skype.net )
IP Phone (VOIP):   Jerry_Welch   ( www.voipstunt.com )
VOIP to Landline:   callto:+1-703-827-0919

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, April 28, 2006 3:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: Re: [ActiveDir] ADAM Management Tool REQs and Desires...... WAS: Internet Authentication Concepts: Pointers?


I have some curiosity in this realm...

What would everyone consider good things and requirements for an ADAM management tool. Even assuming, cough, GUI.

 joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Friday, April 28, 2006 10:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: Re: [ActiveDir] Internet Authentication Concepts: Pointers?


Since it is "LDAP" I did look at some "friendlier" admin tools, but none really hit the mark for me. I believed that group looked at Softerra's tool, and there is the web based PHP LDAP manager, and also the C# LDAP manager tool. You can Live search the names or I can post the links here if you want.

In the end I wrote my own as a .NET web app since I found them lacking. Yet as I said if I want to go global, I don't know if I want to position what I wrote without some major changes. :)

J

Subject: RE: Re: [ActiveDir] Internet Authentication Concepts: Pointers?
Date: Fri, 28 Apr 2006 09:44:55 -0400
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org


That’s a very good point. Does anyone know of any 3rd parties which improve the ADAM administrative UI “experience”?


J. Fitzgerald (Fitz) Stewart
Systems Architect
IRM/OPS/ENM
Worldwide Information Network Systems
USAID/DoS IT Infrastructure Collaboration Program
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
703-866-7473
703-626-5741 (cell)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Friday, April 28, 2006 9:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: Re: [ActiveDir] Internet Authentication Concepts: Pointers?

Mylo,

Thanks for the information!

I have set up ADAM utilizing a custom web UI utilizing AZman for a small project before, but I have concerns about scalability. The issues are not with the ADAM instance at all, but the UI that is needed to manage ADAM. ADSIedit is great for someone who understands the directory, but it's not that user friendly for web application owners, helpdesk, etc. This was for a simple application of about 500 users, and it met their needs but I don't see this as a scalable solution from a global perspective.

This will be a backend data store that contains the user identity, but the applications that utilize it will be of different flavors from DMZ hosted web apps, to externally hosted apps. The flavors of web apps will range from websphere, ColdFusion, .NET and I suspect some PHP apps.

With AD, I guess I was thinking it has a well known support interface (though I am sure I would need to customize anyway...so I'm not sure that value is really there). So I was expecting to maybe find 3rd parties that do sit in front of this to manage the IDs stored. Though this could be AD or ADAM with ADAM being the most cost effective. This looks like siteMinder might be a good solution to manage all of these environments but I will need to look into that.


I suppose I am getting ahead of myself, because I do not know the requirements as of yet, and I'm making assumptions that could be totally off the mark here. I guess it's a new environment and wanted to get some info ahead of time, before it was needed. :)

Thanks again!

Jef

Date: Fri, 28 Apr 2006 01:40:09 +0200
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Internet Authentication Concepts: Pointers?

Jef,

As Al pointed out, there are numerous products from vendors such as
IBM/BEA/Oracle/RSA/Netegrity/Entrust/Baltimore Labs (RIP) etc providing
web-based authentication/authorisation in front of AD. Since from a
design point-of-view it's generally not a good idea to stick AD too
close to the Internet, often these solutions comprise a presentation
tier, e.g. with IIS (using some sort of ISAPI plugins) that then hooks
into your business logic (e.g. middleware) or your data tier (e.g.
LDAP/AD/SQL) ... if you want to look at this from an MS purist
perspective then I'd suggest having a look at n-Tier solutions within
the MSDN area. Although, this has a more developer emphasis than you'll
probably want, it gives a good insight into how Internet authentication
works, particularly .NET as well as older products such as Site
Server/Commerce..

Try googling on Authorization Manager (AZMan) to give a good example of
how a role-based management approach (assuming a web tier) with an AD
backend would work..... Also look at ADAM as an initial 'point' solution
for Internet usage rather than AD alone.

You also mentioned self-registration and this kicks off an entirely
different thread (in my mind anyway)...

1. What are you providing access to?
2. Whom are you registering and for what ?
3. What authentication mechanism do you wish to use (username/password,
certs, OTP).
4. Do you need to provide some form of authorisation once authenticated
as well? What form does this need to take?

Hope this helps.

Regards,
Mylo

if you need an initial

Jef Kazimer wrote:

>Al,
>
>I apologize, as I am going only on what little information I have. I guess I was trying to do some pre-meeting recon work since I had seen it mentioned here about 25mil internet users for some people. I had assumed there might be some scenario documentation for such a thing.
>
>I will know more after the meeting of course, so I'll see if I can explain myself better.
>
>I understand directory design for an enterprise, but have never done so for an internet instance that would have self registration. I suspect there are some different lessons learned from that scenario so was curious.
>
>Thanks,
>
>Jef
>
>>Date: Thu, 27 Apr 2006 15:31:33 -0400
>>From: [EMAIL PROTECTED]
>>To: ActiveDir@mail.activedir.org
>>Subject: Re: [ActiveDir] Internet Authentication Concepts: Pointers?
>>
>>That's not a lot to go on, Jef. Can you give some more information?
>>
>>For example, these public internet sites? Are they web only? What type of authentication is needed? What were your plans for authorization? Are you planning to use something like SiteMinder or Tivoli or ?? to help you deal with authorization if using web sites?
>>
>>Al
>>
>>On 4/26/06, Jef Kazimer <[EMAIL PROTECTED]> wrote:
>>> Ok, here is something I'm just starting to research, and I thought maybe someone here has some pointers or a direction they can steer me in.
>>>
>>> We are looking at a potential consolidated directory/database to contain user registrations (Self registration and possible bulk load) for multiple public internet sites for products of our company.
>>>
>>> I was wondering if there are any published scenarios that address this solution as a starting point for consideration. We are thinking of using a public AD forest as the potential repository, but I am curious if there are any lessons learned when designing such a scenario.
>>>
>>> Thanks,
>>>
>>> Jef
>
>List info   : http://www.activedir.org/List.aspx
>List FAQ    : http://www.activedir.org/ListFAQ.aspx
>List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
