That really is the point of ADAM, isn't it? To be flexible and highly customizable?

I have to agree with JoeK on this: it needs to be extensible in keeping with ADAM's charter. Some of the basics would be cool, but then how do you make sense of an object in a customized directory unless you have a way to a) read it and b) get some sort of manifest that tells you the meaning and c) maps it for you to your task? To my knowledge, there is no standards-based definition in that sense. I can pick whatever I want to be a <insert type> object and define whatever rules I want as well. How would a tool know that? To make it easily extensible, i.e. create a totally easy language that plugs into a console, would go a lot further in my opinion than trying to capture an ADAM management tool that goes beyond ADSIEDIT/ldp. Today, it's write your own, or make do. I'm sure some of that will continue, but having the ability to easily write your own and plug it into a well-thought-out graphical administration system might be useful to some. At the least, I'm sure it would differentiate ADAM from other lightweight LDAP directories that run on more platforms ;-)

-ajm

On 4/29/06, Joe Kaplan <[EMAIL PROTECTED]> wrote:

The difficulty with building a tool like this is that it is a huge leap to go from a low-level editing tool like ADSI Edit to a high-level, task-based UI like ADUC. The problem is that it is nearly impossible to infer the semantic meaning of attributes in the directory in a generic way such that you can have objects with arbitrary schema. It is already hard enough just to come up with reasonable text and graphical views of all the random binary data that a directory can store. For example, your directory might store GUIDs, X509Certificates and JPEGs, but the schema only knows it is binary data. Unless you have a hard-coded list somewhere, it is hard to do anything with it besides showing you the raw bytes (which is almost never interesting to most people). As such, you kind of need to either come up with a UI that just provides some compelling task-based features for a very narrow schema that ships with the product and/or provide a really well-conceived extensibility mechanism that allows easy declarative construction of useful UI features with minimal coding (or you'll scare away the non-coders). Doing something like that successfully is a pretty huge undertaking, no matter what presentation framework you choose (web, CLI, Windows, etc.).

Personally, I think the answer for this type of tool lies with the whole managed code/Monad-based MMC thing that is coming. It will significantly lower the bar to getting custom extensions into the UI and hopefully create a new eco-system of useful tools that vary from universally needed to extremely domain-specific.

That said, there are probably some tools that we really need for ADAM that would be hard for most of us besides Joe to write. I'm not entirely sure what the sweet spot is though.

Joe K.

----- Original Message -----
From: Jef Kazimer
To: [email protected]
Sent: Friday, April 28, 2006 4:26 PM
Subject: RE: Re: [ActiveDir] ADAM Management Tool REQs and Desires...... WAS: Internet Authentication Concepts: Pointers?

Ok.... So are you thinking winForm GUI? Web? MMC? Console? I know you like command line....but as I hear there are some great tools already in existence. :)

ADSIedit is great for MOST things, but I would fear giving it to a helpdesk guy, or an application admin who has no idea what LDAP really is. They just want an Identity store.

Soo.... Something that abstracts the user from LDAP (OUs, DNs, etc....scary stuff!) but shows them as a simple TreeView of the directory.

Management templates that glean data from the defined Schema and are customizable. Since ADAM can have a very custom Schema, the tool would need to be flexible to accommodate that. IE select the Dog object, and be able to modify the Neutered boolean attribute. These templates should be customizable in a simple fashion that does not require extensive development knowledge :)

Build in basic routines for common functions like password reset, etc.

I guess a more customizable ADUC for ADAM :) Maybe the name should be "theWelch" since Jerry said "ME!"?

From: [EMAIL PROTECTED]
To: [email protected]
Subject: RE: Re: [ActiveDir] ADAM Management Tool REQs and Desires...... WAS: Internet Authentication Concepts: Pointers?
Date: Fri, 28 Apr 2006 16:38:16 -0400

I am not quite sure what question that response was intended to answer.... Was that, you would like a good ADAM management tool? If so, describe that tool. If Murray isn't happy, we can take it offlist. I can do this through personal email or spin up a forum on my website for it. I am very interested in hearing what people think is needed. I was told the perfect name for the tool over a year ago, I just haven't written the tool to go with the name yet. At some point I will have to do something with it. :)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jerry Welch
Sent: Friday, April 28, 2006 4:21 PM
To: [email protected]
Subject: RE: Re: [ActiveDir] ADAM Management Tool REQs and Desires...... WAS: Internet Authentication Concepts: Pointers?

ME !

Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-5 GMT)
IP Phone (Skype): Jerry_Welch ( www.skype.net )
IP Phone (VOIP): Jerry_Welch ( www.voipstunt.com )
VOIP to Landline: callto:+1-703-827-0919

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, April 28, 2006 3:46 PM
To: [email protected]
Subject: RE: Re: [ActiveDir] ADAM Management Tool REQs and Desires...... WAS: Internet Authentication Concepts: Pointers?

I have some curiosity in this realm... What would everyone consider good things and requirements for an ADAM management tool. Even assuming, cough, GUI.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Friday, April 28, 2006 10:01 AM
To: [email protected]
Subject: RE: Re: [ActiveDir] Internet Authentication Concepts: Pointers?

Since it is "LDAP" I did look at some "friendlier" admin tools, but none really hit the mark for me. I believed that group looked at Softerra's tool, and there is the web-based PHP LDAP manager, and also the C# LDAP manager tool. You can Live search the names or I can post the links here if you want. In the end I wrote my own as a .NET web app since I found them lacking. Yet as I said if I want to go global, I don't know if I want to position what I wrote without some major changes. :)

J

Subject: RE: Re: [ActiveDir] Internet Authentication Concepts: Pointers?
Date: Fri, 28 Apr 2006 09:44:55 -0400
From: [EMAIL PROTECTED]
To: [email protected]

That's a very good point.

Does anyone know of any 3rd parties which improve the ADAM administrative UI "experience"?

J. Fitzgerald (Fitz) Stewart
Systems Architect
IRM/OPS/ENM Worldwide Information Network Systems
USAID/DoS IT Infrastructure Collaboration Program
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
703-866-7473
703-626-5741 (cell)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Friday, April 28, 2006 9:27 AM
To: [email protected]
Subject: RE: Re: [ActiveDir] Internet Authentication Concepts: Pointers?

Mylo,

Thanks for the information! I have set up ADAM utilizing a custom web UI utilizing AzMan for a small project before, but I have concerns about scalability. The issues are not with the ADAM instance at all, but the UI that is needed to manage ADAM. ADSIedit is great for someone who understands the directory, but it's not that user friendly for web application owners, helpdesk, etc. This was for a simple application of about 500 users, and it met their needs, but I don't see this as a scalable solution from a global perspective.

This will be a backend data store that contains the user identity, but the applications that utilize it will be of different flavors, from DMZ-hosted web apps to externally hosted apps. The flavors of web apps will range from WebSphere, ColdFusion, .NET and I suspect some PHP apps. With AD, I guess I was thinking it has a well-known support interface (though I am sure I would need to customize anyway...so I'm not sure that value is really there). So I was expecting to maybe find 3rd parties that do sit in front of this to manage the IDs stored. Though this could be AD or ADAM, with ADAM being the most cost effective. This looks like SiteMinder might be a good solution to manage all of these environments, but I will need to look into that.

I suppose I am getting ahead of myself, because I do not know the requirements as of yet, and I'm making assumptions that could be totally off the mark here. I guess it's a new environment and I wanted to get some info ahead of time before it was needed. :)

Thanks again!

Jef

> Date: Fri, 28 Apr 2006 01:40:09 +0200
> From: [EMAIL PROTECTED]
> To: [email protected]
> Subject: Re: [ActiveDir] Internet Authentication Concepts: Pointers?
>
> Jef,
>
> As Al pointed out, there are numerous products from vendors such as IBM/BEA/Oracle/RSA/Netegrity/Entrust/Baltimore Labs (RIP) etc providing web-based authentication/authorisation in front of AD. Since from a design point-of-view it's generally not a good idea to stick AD too close to the Internet, often these solutions comprise a presentation tier, e.g. with IIS (using some sort of ISAPI plugins) that then hooks into your business logic (e.g. middleware) or your data tier (e.g. LDAP/AD/SQL) ... if you want to look at this from an MS purist perspective then I'd suggest having a look at n-Tier solutions within the MSDN area. Although this has a more developer emphasis than you'll probably want, it gives a good insight into how Internet authentication works, particularly .NET as well as older products such as Site Server/Commerce..
>
> Try googling on Authorization Manager (AzMan) to give a good example of how a role-based management approach (assuming a web tier) with an AD backend would work..... Also look at ADAM as an initial 'point' solution for Internet usage rather than AD alone.
>
> You also mentioned self-registration and this kicks off an entirely different thread (in my mind anyway)...
>
> 1. What are you providing access to?
> 2. Whom are you registering and for what?
> 3. What authentication mechanism do you wish to use (username/password, certs, OTP)?
> 4. Do you need to provide some form of authorisation once authenticated as well? What form does this need to take?
>
> Hope this helps.
>
> Regards,
> Mylo
>
> if you need an initial
>
> Jef Kazimer wrote:
>
>> Al,
>>
>> I apologize, as I am going only on what little information I have. I guess I was trying to do some pre-meeting recon work since I had seen it mentioned here about 25mil internet users for some people. I had assumed there might be some scenario documentation for such a thing.
>>
>> I will know more after the meeting of course, so I'll see if I can explain myself better.
>>
>> I understand directory design for an enterprise, but have never done so for an internet instance that would have self registration. I suspect there are some different lessons learned from that scenario so was curious.
>>
>> Thanks,
>>
>> Jef
>>
>>> Date: Thu, 27 Apr 2006 15:31:33 -0400
>>> From: [EMAIL PROTECTED]
>>> To: [email protected]
>>> Subject: Re: [ActiveDir] Internet Authentication Concepts: Pointers?
>>>
>>> That's not a lot to go on, Jef. Can you give some more information? For example, these public internet sites? Are they web only? What type of authentication is needed? What were your plans for authorization? Are you planning to use something like SiteMinder or Tivoli or ?? to help you deal with authorization if using web sites?
>>>
>>> Al
>>>
>>> On 4/26/06, Jef Kazimer <[EMAIL PROTECTED]> wrote:
>>>
>>>> Ok, here is something I'm just starting to research, and I thought maybe someone here has some pointers or a direction they can steer me in.
>>>>
>>>> We are looking at a potential consolidated directory/database to contain user registrations (Self registration and possible bulk load) for multiple public internet sites for products of our company.
>>>>
>>>> I was wondering if there are any published scenarios that address this solution as a starting point for consideration. We are thinking of using a public AD forest as the potential repository, but I am curious if there are any lessons learned when designing such a scenario.
>>>>
>>>> Thanks,
>>>>
>>>> Jef

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
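Joe Kaplan's point earlier in the thread, that the schema only says "binary" for values such as GUIDs, X.509 certificates and JPEGs, so a tool needs a hard-coded list somewhere to render them as anything but raw bytes, can be illustrated with a small attribute renderer. This is an added example and not code from the thread or from any of the tools mentioned; the attribute-name map, the content-sniffing heuristics and the sample values are all constructed for the illustration (the attribute names objectGUID, userCertificate and jpegPhoto are real AD/ADAM names, the mapping itself is the assumption).

```python
"""Render 'binary' directory attribute values using a hard-coded attribute map
plus content sniffing.  Added example, not code from the ActiveDir thread."""
import uuid

# Hard-coded map from well-known attribute names to their real content type.
# This is the "hard-coded list somewhere" that the schema alone cannot give you.
KNOWN_ATTRS = {
    "objectguid": "guid",
    "usercertificate": "der",
    "jpegphoto": "jpeg",
}


def der_length_matches(value: bytes) -> bool:
    """True if value is exactly one complete DER TLV (tag, length, that many bytes)."""
    if len(value) < 2:
        return False
    first = value[1]
    if first < 0x80:                        # short-form length: one byte
        return len(value) == 2 + first
    n = first & 0x7F                        # long form: n length bytes follow
    if n == 0 or len(value) < 2 + n:
        return False
    length = int.from_bytes(value[2:2 + n], "big")
    return len(value) == 2 + n + length


def sniff(value: bytes) -> str:
    """Guess the content type from the bytes alone; used when the name is unknown."""
    if value[:2] == b"\xff\xd8":            # JPEG start-of-image marker
        return "jpeg"
    if value[:1] == b"\x30" and der_length_matches(value):   # DER SEQUENCE
        return "der"
    if len(value) == 16:                    # right size for a GUID; ambiguous on its own
        return "guid"
    return "unknown"


def render(attr_name: str, value: bytes) -> tuple[str, str]:
    """Return (kind, human-readable rendering) for a binary attribute value.

    The attribute name wins when it is in the map; sniffing is only the fallback,
    because a custom ADAM schema can put anything into an octet-string attribute.
    """
    kind = KNOWN_ATTRS.get(attr_name.lower()) or sniff(value)
    if kind == "guid" and len(value) == 16:
        # AD/ADAM store objectGUID in little-endian mixed byte order
        return kind, str(uuid.UUID(bytes_le=value))
    if kind == "jpeg":
        return kind, f"JPEG image, {len(value)} bytes"
    if kind == "der":
        return kind, f"DER SEQUENCE (likely X.509 certificate), {len(value)} bytes"
    return "unknown", value.hex()           # raw bytes, which is what ADSI Edit shows


# Constructed sample values, not taken from any real directory.
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le
SAMPLE_DER = b"\x30\x82\x01\x00" + b"\x00" * 256   # SEQUENCE, length 256
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 20
SAMPLE_UNKNOWN = b"\x01\x02\x03"

if __name__ == "__main__":
    samples = [("objectGUID", SAMPLE_GUID), ("userCertificate", SAMPLE_DER),
               ("jpegPhoto", SAMPLE_JPEG), ("customBlob", SAMPLE_UNKNOWN)]
    for name, val in samples:
        print(name, *render(name, val))
```

The fallback path is where Joe's objection bites: a 16-byte value that happens to start with 0x30 is both a plausible GUID and a plausible DER header, so a generic tool cannot tell them apart without the name map, and a value the map does not cover is still just hex.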
