Password Expiry Notification June 19, 2006
Posted by Phillip in: sysadmin, work
Problem:
We need a method to notify users who are not logging into Active Directory (ie: Mac and Linux users) that their password is going to expire.
Solution #1: Password Notification Identity Manager Driver
Description: This is an Identity Manager Loopback Driver that watches for password events in your directory and notifies users (via email) that their password is going to expire.
Issue: Does not work as designed, requires MAJOR FREAKIN’ REWRITES (XSLT, yuck)! The driver pseudo-works for detecting users who have only a limited number of grace logins left. It completely fails at notifying users that their password is going to expire.
Solution #2: Password Expiration Email Notification
Description: This is a console-based Java application that runs out of cron every night. It is supposed to scan the defined containers in your directory and notify users (via email) that their passwords are going to expire in defined intervals (30, 15, 5, 3, 1 day(s)) and send them a URL to the self-service portal. It also identifies users whose passwords have already expired and notifies them to contact the IT Help Desk.
Issue: Something is missing. I have it working in a not-so-working state. For whatever reason, it detects all levels (set to expire and expired) as expired and notifies me as such. Time to hack away at the Java source.
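For reference, this is the classification logic the nightly job is meant to implement, written here as an added example (not the tool's own code): it separates "already expired" from "expires in N days" and only fires on the 30/15/5/3/1-day tiers. The user records and the LDAP GeneralizedTime values are constructed sample data, and the attribute name `passwordExpirationTime` is assumed.

```python
import math
from datetime import datetime, timezone

# Notification tiers from the post: days before expiry that trigger an email.
NOTIFY_DAYS = (30, 15, 5, 3, 1)


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime string such as '20060719120000Z' (UTC only)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def classify(expiry, now):
    """Return ('expired', 0), ('notify', days_left) or None for 'nothing to send'.

    days_left is rounded up, so a password that dies in 21 hours is a 1-day notice,
    not silently skipped; only strictly past timestamps count as expired.
    """
    remaining = (expiry - now).total_seconds()
    if remaining <= 0:
        return ("expired", 0)
    days_left = math.ceil(remaining / 86400)
    if days_left in NOTIFY_DAYS:
        return ("notify", days_left)
    return None


def scan(users, now):
    """Walk directory entries and return [(cn, action, days)] for users to contact.

    Users without an expiry attribute (password never expires) are skipped rather
    than treated as expired, which is one way a scanner ends up emailing everyone.
    """
    results = []
    for user in users:
        raw = user.get("passwordExpirationTime")
        if not raw:
            continue
        verdict = classify(parse_generalized_time(raw), now)
        if verdict:
            results.append((user["cn"], verdict[0], verdict[1]))
    return results


# Constructed sample entries; "now" is the date of the post, noon UTC.
NOW = datetime(2006, 6, 19, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"cn": "alice", "passwordExpirationTime": "20060719120000Z"},  # 30 days out
    {"cn": "bob", "passwordExpirationTime": "20060620090000Z"},    # 21 hours out
    {"cn": "carol", "passwordExpirationTime": "20060618120000Z"},  # yesterday
    {"cn": "dave", "passwordExpirationTime": "20060701120000Z"},   # 12 days, no tier
    {"cn": "erin"},                                                # never expires
]
```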
what is all of this wet stuff? June 17, 2006
Posted by Phillip in: Field Report
It is finally raining!
The funny things you see in nature. June 13, 2006
Posted by Phillip in: misc
This past weekend, I was out at Enchanted Springs Ranch for a company picnic hosted by Raba-Kistner, the company for which my father-in-law works.
All in all, it was an excellent experience, and I took the liberty of snapping a few photos. Here is one of those photos, where I took the picture *after* I figured out what this animal was doing:
I seriously washed my eyes out after that one.
mobile blogging June 10, 2006
Posted by Phillip in: misc
Greetings from the car wash. I’m sitting in my car anxiously awaiting my turn in the automatic car wash at my neighborhood Valero gas station when it suddenly comes to me: I have a BlackBerry now and I can blog from ANYWHERE.
So how pathetic is that? Well, it’s not really *that* bad. It certainly seems like a worthwhile way to kill time in the car wash.
From proble-Mac-tic to Mac-tastic June 8, 2006
Posted by Phillip in: geek
Unbeknownst to most people, except maybe my co-workers, I have been having some SERIOUS issues with my MacBook Pro. As it turns out, I got a pseudo-dud laptop from CDW. My MacBook Pro shipped with a faulty logic board that caused my laptop to spontaneously reboot at random times. It turns out my logic board didn’t even care if I had saved my work! After taking it to the Genius Bar and having them tell me nothing was wrong, I called CDW. They were able to get me fixed up with an RMA.
Problem — I can’t be without my laptop!
Solution — After another call to CDW and a nice long talk with our account manager, they were able to send out a new laptop of the same model prior to my returning the old one! This would, in theory, give me the chance to migrate all my shizzle (music, apps, docs, etc.) and then wipe the old one.
True SSO June 6, 2006
Posted by Phillip in: work, geek
At last! Someone who understands what SSO really entails finally asked me what it would take to implement it. Some people are under the impression that SSO is simply re-using the same password in multiple places (*yuck*). For those of us in the identity management business, we know that SSO is really much more.
I like Wikipedia’s definition of SSO: “Single sign-on (SSO) is a specialized form of software authentication that enables a user to authenticate once and gain access to the resources of multiple software systems.”
The idea is that Jo[e] User comes to work, sits down in his/her sterile cubicle and logs into his/her desktop. Once Jo[e] User has logged into his/her desktop (via some form of Directory Services), he/she should have access to everything he/she needs to do his/her job without authenticating again.
There are several ways to accomplish this. Ideally, you are managing identities in these disparate systems via some federated form of directory services; maybe you are using Novell’s eDirectory with Identity Manager to integrate OpenLDAP and Active Directory. Assuming you have a decent way to manage identities, the next layer, providing the authentication into each application, can be mildly challenging. If you are using web-based apps, you can utilize a Web-SSO or Web-AM (web access management) technology to provide this authentication, something like iChain. If you are using any non-web-based apps, you will have to use something a little more robust. Never fear, SecureLogin is here.
From what I have read, this is exactly what I am looking for. Not sure on the price, so I’m glad I don’t own any budgets. I have the full trial version, but I have yet to find time to install it. More on that as it unfolds.
I am still concerned about how to handle the last layer of access, the authorization part. Most applications have their own authorization and access level scheme based on profiles and roles. Figuring out how to integrate at this level is the Real Challenge (TM).