Domino LDAP Insufficient Access

Here’s where you all get to laugh and point at me for not knowing this sooner.  I was setting up Domino for LDAP access on a server with multiple directories in DA (Directory Assistance).  Everything was working fine until I wanted to write values from another source into the Domino LDAP.  Insufficient access.  OK, so let’s check:

  1. Account being used to authenticate has Editor access in the ACL of all directories in Directory Assistance
  2. Global Configuration document in Domino is set to allow LDAP write activity
  3. Global Configuration document in Domino is set to allow write activity that doesn’t conform to the schema
  4. I can login to the web interface of Domino using the LDAP credentials and successfully edit the person document I’m trying to change through LDAP

So what was my problem?  Apparently, for LDAP write activity, the Global Configuration document enabling LDAP writes has to appear in every directory used by Directory Assistance!  I finally got there by trial and error, but that makes no sense at all, especially because the secondary directory doesn’t even need to use the pubnames.ntf template.  The Global Configuration document by definition controls LDAP activity for the entire domain, which surely includes any secondary directories that are set up.  But that’s what it was.

I created a Global Configuration document in my secondary directory and set it to allow LDAP and write activity and my “Insufficient Access” went away.

Ooh look – wordpress has a poll facility, let’s try it.

Adventures in TDI – Connections and Updating Profiles

Recently (well the past couple of months) I have been working on building custom Assemblylines to sync Connections data held in DB2 to LDAP data held in Domino.  I really struggled with finding good documentation for doing this and that’s because the best documentation was written for 3.0.1 and hasn’t been updated since.  Thanks to help from some people at IBM (who I’d name publicly here but I’m not sure they want emails from everyone) I managed to get hold of some draft updated documentation and get answers to some questions as I went along so I thought it would be helpful to share what I’ve learnt although this is a very streamlined description, hopefully it will give you some pointers.

Firstly if you are using Connections you need to populate profiles.  Populating profiles requires you to have installed TDI (and the right fixpack, don’t try it without) but once you have done that you have 3 techniques for population, two of which involve you never seeing a TDI configuration screen.

1. The population wizard which is a graphical tool supplied by IBM for pulling data from LDAP into your Connections data source (DB2 in this case).  The population wizard is easy to use and meets the needs of I’d say 60%+ of users who are working with Connections.  It’s certainly where most people begin to get that information populated in the first instance.

2. Underlying the population wizard are XML and properties files.  If you run the wizard you’ll find it has written to properties and XML files on the file system and then it uses IBM supplied scripts to run the import.  What you can do is take a copy of the TDISOL directory which contains all the properties, xml files and scripts (and is updated on Fix Central occasionally) and use those to create your own custom syncing.  The files you will be working with are:

tdienv.bat/sh: This is where you tell TDI to find its own installed files.

profiles_tdi.properties: This is where you tell TDI how to find the LDAP and DB2 sources as well as how to authenticate with them.

map_dbrepos_from_source.properties: This is where you tell TDI how and what to map from LDAP (Domino) to Connections (DB2).

map_dbrepos_to_source.properties: This is where you tell TDI how and what to map from DB2 to LDAP, if required.

You can then schedule a batch file called sync_all_dns.bat/sh which will bi-directionally update the information according to those files.  I would always recommend a) doing this in a test environment first, b) backing up PEOPLEDB before starting, and c) running collect_dns.bat/sh first to ensure your search scope for LDAP returns the users you expect.

3. So if you’re still with me and you want something even more advanced, you’ll need to create an Assemblyline using the TDI Configuration Editor. For instance sync_all_dns does a complete bi-directional sync, so for 50k users it was taking nearly an hour and for 25k users 20 minutes, because it has to check every record in both LDAP and DB2.  That was taking too long so we wanted something that ran faster; in another case we wanted to pull in data from another data source to populate profiles alongside the LDAP data.  Using TDI and creating a custom Assemblyline gives you unlimited scope to pull data from any LDAP or JDBC source (amongst others) into your profiles.

You’ll hear a lot of talk about Assemblylines being “real time” but in fact that’s very difficult to do in a Connections environment.  There is no real time monitor of generic LDAP you can use.  There are change control monitors for both Domino and Active Directory; if you are using one of those as your LDAP source you can use them to continuously monitor the servers and trigger on any change.  I have found however there is a risk associated with a continuously running and monitoring service and, being risk averse, I prefer to schedule my Assemblylines to run.  There is also a change connector for RDBMS you could use to monitor DB2 but again, I prefer to use the standard Connector with a SQL statement telling it to look for things modified in the past x minutes or whatever.  I then export the project and create a batch file to call the Assemblylines I want, scheduling that to run repeatedly in Task Scheduler (for Windows) or the equivalent on Linux.
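To show what a scheduled “modified in the past x minutes” sync actually has to get right, here is an added Python sketch of the delta logic (example code written for this post, not the TDISOL scripts or anything IBM ships). It assumes a constructed DB2 result set with made-up column names, a constructed view of the matching Domino LDAP entries, and a simplified attribute-to-column mapping in place of the real map_dbrepos_to_source.properties format. Two details matter in practice: the timestamp goes into the SQL as a bound parameter rather than being pasted into the statement, and the next watermark is the newest row timestamp actually processed, not “now”, so a run that starts late or overlaps the previous one never silently skips a row. The modify operations it plans are what the scheduled job would then send to Domino LDAP; an LDAP result code 50 (insufficientAccessRights) at that point is the “Insufficient access” from the first post above, and the per-directory Global Configuration document is the first thing to check.

```python
from datetime import datetime, timedelta

# Constructed sample rows shaped like a DB2 query result. The column names
# are assumptions for this example, not the real PEOPLEDB schema.
SAMPLE_DB2_ROWS = [
    {"PROF_UID": "jsmith", "PROF_MAIL": "jsmith@example.com",
     "PROF_TITLE": "Analyst", "PROF_TELEPHONE": "555-0100",
     "PROF_LAST_UPDATE": datetime(2013, 9, 14, 17, 55)},
    {"PROF_UID": "akhan", "PROF_MAIL": "akhan@example.com",
     "PROF_TITLE": "Engineer", "PROF_TELEPHONE": "",
     "PROF_LAST_UPDATE": datetime(2013, 9, 14, 17, 42)},
    {"PROF_UID": "mlee", "PROF_MAIL": "mlee@example.com",
     "PROF_TITLE": "Manager", "PROF_TELEPHONE": "555-0102",
     "PROF_LAST_UPDATE": datetime(2013, 9, 14, 16, 0)},
]

# Constructed sample of the matching Domino LDAP entries, keyed by uid.
SAMPLE_LDAP_ENTRIES = {
    "jsmith": {"mail": "jsmith@example.com", "title": "Clerk", "telephoneNumber": "555-0100"},
    "akhan": {"mail": "akhan@example.com", "title": "Engineer", "telephoneNumber": "555-0199"},
    "mlee": {"mail": "mlee@example.com", "title": "Manager", "telephoneNumber": "555-0102"},
}

# Assumed simplified mapping of LDAP attribute -> DB2 column. The real
# map_dbrepos_to_source.properties file has its own format.
FIELD_MAP = {"mail": "PROF_MAIL", "title": "PROF_TITLE", "telephoneNumber": "PROF_TELEPHONE"}

# The delta query a JDBC connector would run. The cutoff is a bound
# parameter ("?"), never concatenated into the statement text.
DELTA_SQL = "SELECT * FROM EMPLOYEE WHERE PROF_LAST_UPDATE > ? ORDER BY PROF_LAST_UPDATE"

DEFAULT_OVERLAP = timedelta(minutes=5)


def select_changed(rows, watermark, overlap=DEFAULT_OVERLAP):
    """Rows modified after the watermark, widened by an overlap window so a
    late-committed row or a small clock difference is not missed."""
    cutoff = watermark - overlap
    return sorted((r for r in rows if r["PROF_LAST_UPDATE"] > cutoff),
                  key=lambda r: r["PROF_LAST_UPDATE"])


def build_changes(row, ldap_entry, field_map):
    """LDAP modify operations for one entry. Only attributes that actually
    differ are touched, so re-processing a row from the overlap window is a
    no-op rather than a redundant write."""
    changes = []
    for attr, column in field_map.items():
        new = (row.get(column) or "").strip()
        old = ldap_entry.get(attr, "")
        if new == old:
            continue
        if new == "":
            changes.append(("delete", attr, None))   # DB2 cleared the value
        else:
            changes.append(("replace", attr, new))
    return changes


def plan_sync(rows, ldap_entries, watermark, field_map=FIELD_MAP, overlap=DEFAULT_OVERLAP):
    """Return (plan, new_watermark). plan maps uid -> list of modify ops.
    The new watermark is the newest row timestamp processed, so a delayed
    run picks up exactly where the previous one left off."""
    plan = {}
    new_watermark = watermark
    for row in select_changed(rows, watermark, overlap):
        uid = row["PROF_UID"]
        if uid not in ldap_entries:
            continue  # no person document to update; a real job would log this
        changes = build_changes(row, ldap_entries[uid], field_map)
        if changes:
            plan[uid] = changes
        if row["PROF_LAST_UPDATE"] > new_watermark:
            new_watermark = row["PROF_LAST_UPDATE"]
    return plan, new_watermark


def apply_changes(ldap_entries, plan):
    """Apply a plan to an in-memory copy of the LDAP entries (stands in for
    the real modify requests sent to Domino)."""
    updated = {uid: dict(attrs) for uid, attrs in ldap_entries.items()}
    for uid, changes in plan.items():
        for op, attr, value in changes:
            if op == "delete":
                updated[uid].pop(attr, None)
            else:
                updated[uid][attr] = value
    return updated


def run_sample():
    """Plan one run over the constructed data with a watermark of 17:45."""
    return plan_sync(SAMPLE_DB2_ROWS, SAMPLE_LDAP_ENTRIES, datetime(2013, 9, 14, 17, 45))


if __name__ == "__main__":
    plan, next_wm = run_sample()
    for uid, changes in plan.items():
        print(uid, changes)
    print("next watermark:", next_wm)
```

With the 5 minute overlap the 17:42 row for akhan is still picked up even though the last run’s watermark was 17:45, and because only differing attributes are emitted, running the same plan twice produces no second set of writes. The account the job binds with only needs the Editor access the first post describes; nothing here requires more.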

The hard and fast rule when creating an Assemblyline is that you must use IBM’s supplied files.  They have provided Assemblylines that can be copied and modified to do just about anything you need.  To begin with you will need to complete the tdienv.bat/sh and profiles_tdi.properties files which will be used by the Configuration Editor when it’s launched.  Once launched you’re going to create a new project by importing the profiles_tdi.xml file and that will present you with all the Connectors and starter Assemblylines you need.  In particular there is a Connector called the ProfilesConnector which contains everything needed to write to a profile.

Without going into 40 pages more detail, I hope this helped.  This paper from IBM is the absolute best source for setting up your environment; although significantly out of date, it will set you on the right path.  I am also anonymising a simple Domino – DB2 and DB2 – Domino Assemblyline that I am happy to share with people once it’s complete.  I can’t support it and you take it at your own risk, but it may help you to see something configured.

A Refreshing Dose of Meh..

At Malpensa (Milan) airport and heading home for a few days I really notice the Italian difference. You see although I travel a lot, about 70% is to the US and the rest to Europe but much of that’s driving. I haven’t been to Italy in 3 years since I visited Rome but I remember travelling with only hand baggage and being frustrated I couldn’t buy some perfume in Capri because I’d have to check a bag to get it home. However when we flew back from Rome no-one cared about liquids, laptops, shoes or anything else.

Fast forward to this trip and Tim and I were lucky to get tickets to the Verona Arena which seats 15k people to see Aida. It was only when we were sat in our seats I realised, for the first time in my recent memory going to an event did not involve high security and a bag search – just people checking our tickets and that we were going where we were meant to.

So here we are at Malpensa. Turning up at 3pm for a 7pm flight to find no-one on check in until 5pm and then through fast track security where the first boarding pass check was unmanned and the scanner took my case and bag with liquids, laptops, phones and everything. Not even a shoe check.

What’s my point? I found myself relaxing into it and letting go of the control and the fear that has come to mean travelling through airports for me. Did I feel less safe in the arena knowing no-one had been checked for “dangerous substances” ? No.

The Italians aren’t living in constant fear and maybe we shouldn’t be either.


SAMETIME 9 – PT 2: DON’T PANIC!

THIS IS THE BLOG I MEANT TO WRITE – CALL IT A DO-OVER

Still staying within NDA here until Sametime 9 ships, so please bear in mind there are things I can’t talk about in detail until then. I’m not leaving gaps purposefully but did want to post what is public to help people prepare. So let’s get started on what you need to know if you’re an existing Sametime customer.

As I said yesterday the Community Server, which is still based on Domino, runs on Domino 9 and isn’t supported on earlier versions. This may be the time, if you haven’t already, to move your Sametime servers into their own Domino Domain so their server version and updates can be managed outside of the rest of your infrastructure. For those of you who were happily (!) using the old legacy (yes I hate that word too) classic meetings on the Domino server, that’s been removed in Sametime 9. If you want meetings you want the Collaborate license and the WebSphere Meeting server. In the past few years I’ve made sure to tell customers that the classic meetings were purely there for backwards compatibility and transitioning to the new servers, but I’m often amazed how many people complain about Sametime Meetings because they don’t realize they are still using the old, applet based, creaky, non-updated codecs – Domino version. I’m glad it’s gone GLAD I TELLS YA! Hopefully that will cut down on confusion.

For those of you not ready to commit to the WAS Meeting server experience, IBM have deployed it into SmartCloud so you can try it out there first if you want.

Sametime will not support SAML but will continue to support SPNEGO. SAML would have been nice to streamline the single sign-on technologies we are using with other products, but hopefully that’s coming later; support for SAML is still very new within ICS.

The really good news: if you are already experienced in installing Sametime 8.5x then nearly all the components remain the same. You still have a Sametime System Console, a Sametime Proxy Server, a Sametime Meeting Server, a Sametime Advanced Server, etc. All have much the same roles as in 8.5x. The big changes are with the Media components where the Packet Switcher has been replaced by two Video components (more when the infrastructure details are completely public, but I’ve had this referenced on public calls so we’re good). One important note is that the video components will only be supported on a Linux platform and there is no Windows solution coming. I do understand that the processing and complexity involved in multiperson video requires a lot of development and support, so it makes sense that IBM have opted to focus that on one OS for that one component. Time to brush up your Linux skills people! Again Linux has been my OS of choice for servers for some time now, but for some companies wanting video it will require some internal retraining.

The key takeaway is that what you have already learnt and already manage will set you in good stead for Sametime 9.

As far as A/V is concerned, the announcements have been a bit murky so to make it clear – Audio and Video in Sametime Communicate (the IM license) is for 1-to-1 traffic only. Multiperson / Multipoint Video is only available with the Sametime Conference and Complete licenses and the server components that come with those. The server components you install for Communicate will not allow multiperson video (so no installing and accidentally trying it out….).

Lastly I have had 3 people email me today asking about migration strategies and that’s not something I can talk about yet, not least because I haven’t tried myself with gold and I don’t believe in offering advice until I have failed a few times myself :-). Having said that, I’m not planning in-place upgrades unless I can help it, with the exception of the Community server; it’s simply easier for me to build in parallel, migrate the Meetings and Advanced data and change the DNS usually. The exception to that would probably be the gateway, which I never fancy rebuilding from scratch.

So that’s part 2. In Part 3 we’re going to discuss some of the more exciting new features to get you all ready for the big day that’s coming soon.

Icon UK Presentations

Doesn’t time fly? Icon UK is already nearly two weeks behind us but here, finally, are my presentation slides.  I did two presentations this year, both with great presenters.  My first one was with Mark Myers (who, despite having a genius brain, has not grasped that I understand very little of what he says regarding development).  Our presentation was on how Administrators and Developers have to work together when doing Connections customisations and developments and was based on our experience working together on the SocialBizUG site.  Our presentation is here and was a new idea we’re hoping people liked.

Chimera

I also did a presentation with Paul which was an update on planning and preparing for Connections 4.5 installs; it’s aimed at anyone wanting to know what’s involved in deploying Connections or who is about to begin an install themselves.

PreparingForFirstConnectionsInstall

Sametime 9 – Pt 1: The Basics

Kind of IBM to announce Sametime 9 on the very week when I’m moving to a new blog, so let’s start there.  Several people have asked me in the past 48hrs “what’s new” and there’s a lot more than I want to cover in one blog, but let’s start with the simple stuff.

Products

The Sametime product licensing has changed and that’s great news for those that wanted some of those extra Sametime Advanced features, for instance, or those that want full featured Instant Messaging but not Meeting functionality.  Let me try and sum up as simply as possible (if you hear an explosion it’s someone on the IBM ST Product team’s head exploding, but I think this is right).

Firstly Sametime Entry is being withdrawn, that was the simple restricted IM only server license for a single Community.  It is not the limited use entitlement you get with a Notes license, that’s still unchanged.   For those of you that wanted Sametime Entry what you’ll now be buying is Sametime Communicate which gives you everything Entry entitled you to and more.  You want more.  If you’re using Instant Messaging your users want more features and the ability to use multiple clients.

Sametime Communicate is what I’m thinking of as the IM license.  If you aren’t doing meetings at all, in any way, but you want to use instant messaging on mobile devices, embedded clients, standalone and web with the addition of persistent chat, screen sharing, file transfer and full voice and video – then the Communicate license gives you all the IM related features that used to come with a combination of ST Standard and Advanced but without the use of meetings. The license allows you to use all the features that were previously available in the Advanced licensing including skill tap and the redesigned rich client as well.

Sametime Conference is the license for using meetings including completely re-engineered continuous video and a new redesigned meeting client.  There’s a lot more to say on the work done on voice and video in Sametime 9 and what’s coming in the future, but I’m leaving that for a later blog; however, if your only experience of ST Voice and Video is in 8.5x then you are in for a very pleasant surprise with the work that has been done.  The Sametime Conference license allows you to attend meetings via a browser, not via the rich meeting client, and you don’t have the IM features that come with Sametime Communicate.  Think of it like Webex (but obviously much better and with more features).

Sametime Complete is the combination Communicate/Conference license allowing you to do everything that comes with both of those licenses, full featured IM and Meetings both with Audio and Video plus the use of the new Rich Client for both IM and Meetings.  I would expect most of my existing Sametime customers to be  on Sametime Complete however those new to Sametime and with limited requirements for Meetings may prefer to opt for Sametime Communicate.

For me the most exciting things in Sametime 9 are

  1. Improved UIs for meeting and client
  2. Overhauled voice and video to enable multipoint conversations with persistent video (no more looking at a video of me when I’m speaking or switching to the person talking)
  3. Faster web based meetings supported on more browsers
  4. All the cool stuff that came with Advanced including skill tap and broadcast tools, persistent chat rooms, offline messaging and screen sharing – as part of the Communicate and Complete licensing.  Those are some of the best features that Sametime offers and historically customers were reluctant to take up because of additional licensing.
  5. As always the integration with other ICS products such as Connections,  Notes and iNotes takes a big step forward (more on that later too)

Oh and yes, the Community Server component is still on Domino and it’s Domino 9.

I will be doing a Podcast with Chris Miller and others on September 26th talking about Sametime 9 and how to deploy it.  See here

IBM are doing a webcast on what’s new in Sametime 9 on September 19th; you can register for it here.

Making myself stop at this point.  My next post is on the servers, system requirements and suggestions for new installs and upgrades.

.. and today’s view from my holiday here in Lake Como


Let’s try that again

Hello there … Well apparently I haven’t blogged in some time, at least not publicly.  I’ve written countless ones in my head but somehow (let’s call it time passing too quickly when you’re busy) they never made it from my head onto the page.  That’s a shame, if only for me, because the past year has been full of learning and doing and (oh my!) PMRs and Sametime and Connections and Tivoli and SSO and Cognos and DB2 and Filenet and DON’T FALL ASLEEP AT THE BACK.

So, things discovered and lessons learned that I’d like to write up so I don’t have to learn them twice.  Plus random stuff that needs to leave my brain and be free.    Expect to see both Mike and Tim posting updates here too, but first I need to write about Sametime 9 because I’ve been biting my tongue for months and there’s much goodness coming your way that I can now talk about. Enough in fact that I needed to start a new blog just to share.

More very soon…