New look sought for Planet Identity – calling web artists

If you’ve already visited Planet Identity, you’ll probably have noticed that it’s inherited the same look as Planet Sun – not surprising, since I just reused the PS code. Now, I have pretty limited graphical talent – as you can probably see from my almost-standard Sotto theme. This is where you come in – if you have a modicum of artistic flair, and feel like contributing a new look for Planet Identity, I’d like to hear from you. I can’t pay you, but I’ll give you full credit on the page, and your work will be seen by thousands… ok, hundreds… well, a few people every day.
Incidentally – this is my first post using BlogEd – if you can read this then it’s working.

Planet Identity is live!

I took the plunge: I registered, configured Planet and got it working all in under 48 hours. So, go take a look at Planet Identity. There seems to be an issue with entry times – Andre Durand of Ping has a load of old entries at the top, but I’m hoping that will go away as it beds in. Enjoy – and let me know if there are any other blogs you think I should add – I’m sure I’ve missed a load.
Huge thanks to Steve Lau for contributing hosting space, and Ludo Poitou for giving me his existing Sun internal Planet Identity as a basis. Without them I’d still be googling for hosting and scratching my head over the Planet docs.

Groups and Roles

Rohan Pinto posts on the subject of groups and roles. Following on from Rohan’s excellent description, there is one more salient detail: roles and groups are implemented (at least in Sun’s Directory Server) in very different ways, and the difference is which end of the relationship stores the membership.

  • A group entry contains the collection of member DNs (for example, the uniqueMember attribute of a groupOfUniqueNames entry). Navigating from a group to its members is a single read of the group entry and is very fast. Finding the groups to which a given entry belongs requires a search over the group entries, with a filter such as (uniqueMember=<DN of the entry>). The classic use for a group is a mailing list: given a list name, I need to find the members so I can forward the email to them.
  • By contrast, with a (managed) role it is the member entry that carries the list of DNs of the roles it belongs to (the nsRoleDN attribute). Navigating from an entry to its roles is a single read of that entry and is very fast. Finding the members of a role requires a search, with a filter such as (nsRoleDN=<DN of the role>). The classic use for a role is in (surprise, surprise!) role-based access control: given a user, I need to find the roles so I can grant access to the appropriate resources.

There is much more to it than that – here is an excellent reference to groups and roles in Sun’s Directory Server – but the description above should help guide you in deciding between groups and roles for a particular application.
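To make the asymmetry concrete, here is a small in-memory model of the two membership directions. This is an added example, not code from the post or from Sun’s Directory Server; the entries are constructed sample data, only managed roles (where the member entry carries nsRoleDN) are modelled, and each lookup returns the number of entries the server would have to touch, so the single-read direction and the search direction can be compared side by side.

```python
"""Added example (not from the original post): an in-memory model of the
two membership directions in an LDAP directory.

Constructed sample directory using the attribute names Sun Directory
Server uses: a groupOfUniqueNames entry lists its members in uniqueMember,
and a user entry assigned to a managed role carries the role's DN in
nsRoleDN. Each lookup returns (result, entries_touched).
"""

GROUP_1 = "cn=identity-list,ou=groups,dc=example,dc=com"
GROUP_2 = "cn=ops-list,ou=groups,dc=example,dc=com"
ROLE_ADMINS = "cn=ldap-admins,ou=roles,dc=example,dc=com"
ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"
CAROL = "uid=carol,ou=people,dc=example,dc=com"

# Constructed data: DN -> {attribute: [values]}
DIRECTORY = {
    GROUP_1: {"objectClass": ["top", "groupOfUniqueNames"],
              "uniqueMember": [ALICE, BOB]},
    GROUP_2: {"objectClass": ["top", "groupOfUniqueNames"],
              "uniqueMember": [BOB, CAROL]},
    ROLE_ADMINS: {"objectClass": ["top", "ldapsubentry", "nsRoleDefinition",
                                  "nsSimpleRoleDefinition",
                                  "nsManagedRoleDefinition"]},
    ALICE: {"objectClass": ["top", "person", "inetOrgPerson"],
            "uid": ["alice"], "nsRoleDN": [ROLE_ADMINS]},
    BOB: {"objectClass": ["top", "person", "inetOrgPerson"],
          "uid": ["bob"]},
    CAROL: {"objectClass": ["top", "person", "inetOrgPerson"],
            "uid": ["carol"], "nsRoleDN": [ROLE_ADMINS]},
}


def base_read(dn, attr):
    """Base-scope read of one attribute: the server touches one entry.
    Equivalent to: ldapsearch -s base -b <dn> '(objectClass=*)' <attr>"""
    return list(DIRECTORY[dn].get(attr, [])), 1


def subtree_search(attr, value):
    """Subtree search with an equality filter: the server has to consider
    every entry under the base (an index on <attr> narrows the candidates,
    but it is still a search, not a single read).
    Equivalent to: ldapsearch -s sub -b dc=example,dc=com '(<attr>=<value>)' dn
    Simplification: exact string comparison, whereas a real server
    normalises DN-syntax values (case, spacing) before comparing them."""
    matches = [dn for dn, attrs in DIRECTORY.items()
               if value in attrs.get(attr, [])]
    return matches, len(DIRECTORY)


# Groups: one read from group to members, a search from member to groups.
def members_of_group(group_dn):
    return base_read(group_dn, "uniqueMember")


def groups_of(member_dn):
    return subtree_search("uniqueMember", member_dn)


# Managed roles: one read from member to roles, a search from role to members.
def roles_of(member_dn):
    return base_read(member_dn, "nsRoleDN")


def members_of_role(role_dn):
    return subtree_search("nsRoleDN", role_dn)


if __name__ == "__main__":
    for label, (result, touched) in [
        ("members of " + GROUP_1, members_of_group(GROUP_1)),
        ("groups of " + BOB, groups_of(BOB)),
        ("roles of " + ALICE, roles_of(ALICE)),
        ("members of " + ROLE_ADMINS, members_of_role(ROLE_ADMINS)),
    ]:
        print("%s -> %s (entries touched: %d)" % (label, result, touched))
```

Two caveats when mapping this back to a real deployment: Sun’s Directory Server also computes a virtual nsRole attribute on each entry that aggregates managed, filtered and nested roles, which the model above does not cover; and the “search” direction on either side is only acceptable at scale if the attribute being filtered on (uniqueMember or nsRoleDN) is indexed, so check the index configuration before relying on it for an access-control decision.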

Sun Java System Directory Server Enterprise Edition – Net Talk

Remember I was blogging about the great people you get to work with here at Sun? Well, one of the best is Don Bowen, Product Line Manager for Directory Server. I first met Don in Munich at the Burton Catalyst Conference in 2002 – gosh, was it really only 2½ years ago? Don knows everybody in the industry – he was working in identity management before it was even called identity management. If you’re on LinkedIn, his profile is here. If you’re not on LinkedIn, and you work in tech, sign up, RIGHT NOW! It’s the single most efficient mode of networking I know, and a great way to get back in touch with people you used to work with.
Anyway – back to the point. Don has recorded a ‘Take 10’ – a presentation of under 10 minutes on Directory Server Enterprise Edition (‘DSEE’), explaining why we now talk about the directory service rather than a directory server, and the huge amount of functionality included as standard in DSEE. There is also a white paper explaining in more detail just what we mean by a ‘directory service’.
Go take a look, and feel free to leave a comment here with feedback – I’ll make sure it gets to Don.

Is anyone using DSML?

Directory Services Markup Language (DSML) “bridges the world of directory services with the world of XML” (quote from OASIS DSML page). Effectively, it’s an XML encoding of LDAP: DSMLv2 represents the LDAP operations (bind, search, add, modify, delete, compare) and their results as XML, typically carried in a SOAP envelope over HTTP. Sun implemented it in Directory Server 5.2 way back in June 2003, in common with other directory server vendors (Novell, Microsoft).
The question is, is anybody using it? I’ve never heard of a DSML client in production, and, in my unofficial popularity poll, Google shows only 115,000 hits for DSML, compared to over 7 million for LDAP.
So – has anybody implemented DSML from the client side? And if not, why not?
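For anyone who has never seen what a DSML client actually sends and receives, here is an added example (not code from the post, from Sun, or from any DSML implementation) that builds a DSMLv2 search request equivalent to an ldapsearch, parses it the way a gateway would, and parses a constructed search response. It assumes the element and attribute names of the OASIS DSMLv2 core schema (namespace urn:oasis:names:tc:DSML:2:0:core), leaves out the SOAP envelope that normally carries the batchRequest over HTTP, and uses a sample response that is constructed, not captured from a server.

```python
"""Added example (not from the original post): what a DSMLv2 search looks
like on the wire, using only the standard library.

Assumptions: element and attribute names follow the OASIS DSMLv2 core
schema (namespace urn:oasis:names:tc:DSML:2:0:core); the SOAP envelope
that usually carries a batchRequest over HTTP is left out; the response
below is constructed sample data, not captured from a real server.
"""
import xml.etree.ElementTree as ET

DSML_NS = "urn:oasis:names:tc:DSML:2:0:core"
ET.register_namespace("dsml", DSML_NS)


def q(tag):
    """Qualify a DSML element name with the DSMLv2 core namespace."""
    return "{%s}%s" % (DSML_NS, tag)


def build_search_request(base_dn, attr, value, attributes, request_id="r1"):
    """DSMLv2 equivalent of:
    ldapsearch -b <base_dn> -s sub '(<attr>=<value>)' <attributes...>"""
    batch = ET.Element(q("batchRequest"))
    req = ET.SubElement(batch, q("searchRequest"), {
        "requestID": request_id,
        "dn": base_dn,
        "scope": "wholeSubtree",  # baseObject | singleLevel | wholeSubtree
        "derefAliases": "neverDerefAliases",
    })
    eq = ET.SubElement(ET.SubElement(req, q("filter")), q("equalityMatch"),
                       {"name": attr})
    ET.SubElement(eq, q("value")).text = value
    attrs = ET.SubElement(req, q("attributes"))
    for name in attributes:
        ET.SubElement(attrs, q("attribute"), {"name": name})
    return ET.tostring(batch, encoding="unicode")


def parse_search_request(xml_text):
    """What a DSML gateway does before translating to an LDAP SearchRequest.
    Only the equalityMatch filter form built above is handled."""
    root = ET.fromstring(xml_text)
    req = root.find(q("searchRequest"))
    eq = req.find(q("filter")).find(q("equalityMatch"))
    return {
        "base_dn": req.get("dn"),
        "scope": req.get("scope"),
        "filter": "(%s=%s)" % (eq.get("name"), eq.find(q("value")).text),
        "attributes": [a.get("name") for a in
                       req.find(q("attributes")).findall(q("attribute"))],
    }


def parse_search_response(xml_text):
    """Return (entries, result_code); entries is a list of (dn, {attr: [values]}).
    The XML arrives from an HTTP-facing gateway, so treat it as untrusted:
    xml.etree does not fetch external entities, but a production client
    should also cap the document size before parsing."""
    root = ET.fromstring(xml_text)
    entries = []
    for entry in root.iter(q("searchResultEntry")):
        attrs = {}
        for a in entry.findall(q("attr")):
            attrs[a.get("name")] = [v.text or "" for v in a.findall(q("value"))]
        entries.append((entry.get("dn"), attrs))
    done = root.find(".//" + q("searchResultDone"))
    code = None
    if done is not None:
        code = int(done.find(q("resultCode")).get("code"))
    return entries, code


# Constructed sample response (not a real capture), as a DSMLv2 server
# would answer the request built in __main__ below.
SAMPLE_RESPONSE = """<dsml:batchResponse xmlns:dsml="urn:oasis:names:tc:DSML:2:0:core">
  <dsml:searchResponse requestID="r1">
    <dsml:searchResultEntry dn="uid=alice,ou=people,dc=example,dc=com">
      <dsml:attr name="cn"><dsml:value>Alice Example</dsml:value></dsml:attr>
      <dsml:attr name="mail"><dsml:value>alice@example.com</dsml:value></dsml:attr>
    </dsml:searchResultEntry>
    <dsml:searchResultDone>
      <dsml:resultCode code="0" descr="success"/>
    </dsml:searchResultDone>
  </dsml:searchResponse>
</dsml:batchResponse>"""


if __name__ == "__main__":
    request = build_search_request("dc=example,dc=com", "uid", "alice",
                                   ["cn", "mail"])
    print(request)
    print(parse_search_request(request))
    print(parse_search_response(SAMPLE_RESPONSE))
```

The point worth noticing is how much of the LDAP wire protocol survives unchanged: the DN, scope, filter and attribute list map one-to-one onto the LDAP SearchRequest, and a gateway is doing little more than this translation. That is also why a DSML endpoint deserves the same access controls as the LDAP port it fronts, since every LDAP operation it supports is now reachable from anything that can make an HTTP request.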