Many enterprises - including most that are Microsoft-centric, I would guess - use LDAP to establish user identity and
profiles. In the Web 2.0 world, the emerging standard is OpenID. Is there a way to use OpenID to provide logins within the
enterprise but have it backed by LDAP? The obvious benefit is that one could install off-the-shelf intranet tools inside one's
organization without having to LDAP-enable them or create a parallel account system.
The OpenID-LDAP Project (http://www.openid-ldap.org/) offers such a tool.
We're testing this on a Macintosh, but there seems to be no reason this won't work on any UNIX-y system.
Installation
First, download and unpack the code into the web server directory.
$ cd ~/Sites
$ curl --location 'http://www.openid-ldap.org/releases/openid-ldap-0.8.5-noarc.tar.gz' >openid-ldap-0.8.5-noarc.tar.gz
$ tar zxvf openid-ldap-0.8.5-noarc.tar.gz
This extracts the code into a non-versioned subdirectory called 'openid-ldap'. It would be much better form if the
directory was called 'openid-0.8.5'.
Interlude: Enabling PHP on Mac OS X Leopard
Leopard has PHP, but it has to be explicitly enabled by editing configuration files (if you haven't enabled Apache on
your Mac, see the links below).
$ su -
# cd /etc/apache2
# vi httpd.conf
remove the hash sign on the ‘LoadModule php5_module' line
# apachectl restart
Here are some helpful links if you need more information:
Without configuring anything, let's see what happens when we visit the page:
http://localhost/~davidjanes/openid-ldap/
Note that URL is Leopard's way of referencing a user's (i.e. "davidjanes") local webpage.
A webpage appears with a field for entering a username - but not a password. Entering a username - e.g. dpjanes -
redirects us to the 404 page:
http://localhost/~davidjanes/openid-ldap/dpjanes
... which definitely wasn't expected.
Reading through their documentation, it looks like they're mainly doing this using SSL/HTTPS, and to do that one has to
add some rewrite rules to the Apache configuration. Since we're not doing that - at least not yet - we're probably using
an infrequently used code path and thus hitting a bug. Perusing the code, we see that the URL above should be internally
rewritten to:
To fix this we have to modify the Apache configuration again. Changing ".htaccess" does not work because Apache on Leopard
is configured with "AllowOverride None", which means the rewrites will be ignored.
$ su -
# cd /etc/apache2/users
# vi davidjanes.conf
Note that these rules are predicated on our logging in using the "uid", which will be lowercase
letters, numbers, dashes or underscores.
Configuring LDAP
This is obviously the part where we're going to part ways - everyone does LDAP their own way. We don't have an
Active Directory setup here, but we do have VMWare Fusion (http://www.vmware.com/products/fusion/) and a JumpBox for
OpenLDAP appliance (http://www.vmware.com/appliances/directory/1105), so it should be just a simple matter of figuring out the
right combination of configuration settings.
The OpenLDAP appliance has the following configuration:
JumpBox Name: openldap 0.9
Application Page: http://192.168.1.120/
Management Page: https://192.168.1.120:3000/
I've already configured a few accounts on this; for example, we have a user:
o=Directory
ou=users
cn=David Janes
In LDAP terms this gives us a "Distinguished Name", which is really the way LDAP (as I understand it) uniquely identifies
a record. In this particular case our Distinguished Name is "cn=David Janes,ou=users,o=Directory".
This user has the following configuration:
cn: David Janes
gidNumber: 1000
givenName: David
homeDirectory: /home/users/default/dpjanes
objectClass:
inetOrgPerson
posixAccount
top
sn: Janes
uid: dpjanes
uidNumber: 1000
We're going to use "uid" as the login ID - note that this is by no means a universal choice, nor is it universally
available on all LDAP servers. I've seen LDAP servers use "name" to provide a unique identifier, and it's possible - maybe even
probable - that many LDAP servers don't provide short unique names at all.
Note then how LDAP logins should probably work:
one provides a part of the record we are looking for, for example "uid=dpjanes", where the user at login time provides
the "dpjanes" part and the configured application prepends "uid="
given a starting point - the "searchdn" in the configuration below - we look for a matching record
when we have the matching record, we get the Distinguished Name, which uniquely identifies it, and we ask LDAP
to validate that Distinguished Name with the password
Note that OpenID-LDAP doesn't actually work quite this way; we'll explain this further down.
Configuring OpenID-LDAP to contact LDAP
Following the instructions in openid-ldap/docs/README.txt, especially point (5), we get to the key points of configuration
- edit "ldap.php" and fill in the values.
binddn & password: it works without this, but we assume there are LDAP configurations that require you to log in with a
well-known Distinguished Name and password before you can do a search
searchdn & filter: the ‘%s' is replaced with the user's login name (i.e. from the login form) and then these items
are put together to search for the user's record
testdn: when actually logging in, the ‘%s' is replaced as above; the page then tests the modified testdn with the
password provided against the server
Note then the difference between OpenID-LDAP and our hypothetical login scenario in the previous section:
OpenID-LDAP searches for the login but, after validating that it exists, ignores the Distinguished Name and just tries to log in
using a simply constructed testdn and password. This works, but it strikes me that either the search is unnecessary or the
login procedure is insufficient.
Failure
Alas, at this point we're going to have to stop, unless someone has a suggestion. When I attempt to log in with "dpjanes",
we end up with the OpenID-LDAP bridge trying to log in with "uid=dpjanes,ou=users,o=Directory", which simply doesn't work.
Whether this is specific to my LDAP implementation or not is unknown.
If I alter the rules so that I'm logging in with "David Janes" / "cn=David Janes,ou=users,o=Directory", the
(slightly modified) Apache rewrite rules get confused because of the space. I could probably fix these, but quite frankly I don't
want to, because I want "dpjanes" to be recognized as the login.
So, that's as far as I'm getting with this. If anyone has further suggestions, please let me know and I'll modify
this document as necessary.
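As an added illustration of the two login procedures discussed above (this is constructed example code, not OpenID-LDAP's PHP), here is a small Python model. It uses the user record from the OpenLDAP appliance, an in-memory stand-in for the directory server, and the searchdn/filter/testdn settings as hypothetical constants; the password in it is a made-up sample. login_templated() follows the OpenID-LDAP behaviour described under "Configuring OpenID-LDAP to contact LDAP": search to confirm the login exists, then bind with a DN built from the testdn template. login_search_then_bind() follows the procedure under "Note then how LDAP logins should probably work": bind with the DN the search actually returned. Against an entry whose RDN is cn=David Janes rather than uid=dpjanes, the first strategy produces exactly the failure described under "Failure", while the second succeeds. The escaping helpers follow RFC 4515 (filter values) and RFC 4514 (DN values); any code that substitutes form input into a filter or DN template needs something like them, and uid_is_wellformed() mirrors the character set the rewrite rules assume.

```python
"""Two ways of turning a login name into an LDAP bind, modelled against an in-memory directory.

Constructed example: the directory stand-in, the escaping helpers and both login strategies
are hypothetical, not OpenID-LDAP's code. Only the entry and the settings come from the page.
"""
import re

# Entry copied from the OpenLDAP appliance; userPassword is a constructed sample.
DIRECTORY = {
    "cn=David Janes,ou=users,o=Directory": {
        "cn": "David Janes", "givenName": "David", "sn": "Janes", "uid": "dpjanes",
        "objectClass": ["inetOrgPerson", "posixAccount", "top"],
        "userPassword": "s3cret-sample",
    },
}

# The ldap.php settings as hypothetical constants; '%s' is the login-name slot.
SEARCHDN = "ou=users,o=Directory"
FILTER = "(uid=%s)"
TESTDN = "uid=%s,ou=users,o=Directory"

UID_RE = re.compile(r"^[a-z0-9_-]+$")


def uid_is_wellformed(login):
    """Same constraint the rewrite rules assume: lowercase letters, digits, dash, underscore."""
    return bool(UID_RE.fullmatch(login))


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def unescape_filter_value(value):
    """Reverse of escape_filter_value, used by the stand-in server."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def escape_dn_value(value):
    """RFC 4514 escaping for a value substituted into a DN template."""
    out = []
    for i, ch in enumerate(value):
        leading = i == 0 and ch in " #"
        trailing = i == len(value) - 1 and ch == " "
        out.append("\\" + ch if ch in ',+"\\<>;=' or leading or trailing else ch)
    return "".join(out)


class InMemoryDirectory:
    """Stand-in for an LDAP server: one-level equality search under a base, and simple bind."""

    def __init__(self, entries):
        self.entries = entries

    def search(self, base, filter_):
        m = re.fullmatch(r"\((\w+)=([^)]*)\)", filter_)
        if not m:
            raise ValueError("only a single (attr=value) filter is modelled here")
        attr, wanted = m.group(1), unescape_filter_value(m.group(2))
        hits = []
        for dn, attrs in self.entries.items():
            values = attrs.get(attr, [])
            values = [values] if isinstance(values, str) else values
            if dn.endswith("," + base) and wanted in values:
                hits.append(dn)
        return hits

    def bind(self, dn, password):
        entry = self.entries.get(dn)
        return entry is not None and entry.get("userPassword") == password


def login_templated(directory, login, password):
    """OpenID-LDAP style as described above: search to confirm the uid exists, then bind
    with a DN built from the testdn template, ignoring the DN the search returned."""
    if not uid_is_wellformed(login):
        return False, None
    if not directory.search(SEARCHDN, FILTER % escape_filter_value(login)):
        return False, None
    dn = TESTDN % escape_dn_value(login)
    return directory.bind(dn, password), dn


def login_search_then_bind(directory, login, password):
    """Search for the record, then bind with the DN the server actually holds."""
    if not uid_is_wellformed(login):
        return False, None
    hits = directory.search(SEARCHDN, FILTER % escape_filter_value(login))
    if len(hits) != 1:  # none, or ambiguous: refuse rather than guess a record
        return False, None
    return directory.bind(hits[0], password), hits[0]


if __name__ == "__main__":
    d = InMemoryDirectory(DIRECTORY)
    print(login_templated(d, "dpjanes", "s3cret-sample"))         # (False, 'uid=dpjanes,ou=users,o=Directory')
    print(login_search_then_bind(d, "dpjanes", "s3cret-sample"))  # (True, 'cn=David Janes,ou=users,o=Directory')
```

The search-then-bind version deliberately refuses when the search returns zero or more than one entry, so an ambiguous uid can never end up bound as whichever record happens to come first; that is the check to keep if the directory does not enforce uid uniqueness.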
Here's a simple and useful SlideShare demonstration on how the Web 2.0 experience (that everyone is enjoying on the web) can
be translated into the enterprise (via Bryce):
The Wall Street meeting for Web 2.0 and SaaS. Web 2.0 collaboration and delivery offer great potential
for Wall Street and the global financial markets.
Web 2.0 technologies - collaboration tools, such as blogs, wikis and social networking, plus deployment
of rich user interfaces and delivery of Software as a Service (SaaS) - are taking off in the financial markets.
Merrill Lynch, Lehman Brothers, Wells Fargo, Jefferies, and others have Web 2.0 applications at work to extend their
business reach and agility.
2007 Web Tech 2.0 on Wall Street will focus on:
Applications for collaborative technologies – blogs, wikis and social networks – on Wall Street
Delivering financial applications using a Software as a Service (SaaS) model
Rich User Interface technology options – AJAX, Flex, JavaFX and Silverlight – for the financial markets
Webtop delivery – a fresh approach to the trader workstation?
Mashups as the new messaging middleware for financial markets business processing
Scalable and On Demand datacenter architectures to support Web 2.0 delivery to Wall Street
The web site is still a work in progress; i.e. there's no conference price yet, for example, except for exhibitors. No
speakers listed yet either.
To make a long story short, it means using inside an enterprise the successful tools of Web 2.0.
Please do not sum this up as internal blogs or wikis; this notion gathers much richer fields and above all implies deep
mutations which go farther than rolling out new tools.
Also note the emphasis in this diagram of (1) user centricity (2) syndication (3) apis; it's hard to disagree with this
though I expect that syndication, perhaps coupled with Atom
Publishing Protocol-style push (also see our posts on GData), will
probably remain far more important than APIs. We'll see.
On e-mail:
Internal communication gets simpler: no more lost emails, stacked replies where someone is always missing in CC,
doubles and susceptibility management ("I am the project leader, why am I only in CC?"). Everything is handled by
the blog engine: publication, comments, archives, categories… Blogs are also a perfect match for newcomers in a team, who
can have access to the discussion history. If you are looking for a golden rule, here it is: if more than 5 people are
in CC of your mail, then you had better write a post.
This is one reason we've been working so hard on serious integration of blogging and e-mail; people are
going to remain "mentally comfortable" with e-mail for a long time and will usually be running an e-mail app or have quick
access to one. In the BlogMatrix Platform, with a simple cc: you can move a discussion from the e-mail world into the blog +
comments one.
Brief comments:
Fred has to revisit his CSS to increase line spacing; I actually sucked the entire article into Word and reformatted so I
could read the damned thing. On the other hand, I always do that.
Fred is much more focused on the changes to enterprise culture than I am; years of working at large three-letter acronym
companies garners a certain cynicism to culture change. My personal belief is that if tools are bottom-up useful and
inherently culture changing, that's where we'll see the ball start rolling.
Also note the mention of microblogging and "lifelog" (elsewhere called a lifestream), you know, just because ;-)
The next -- and Enterprise -- version of the BlogMatrix Platform will support the Metaweblog API; that is, you will be able to post to BlogMatrix using posting
tools such as Windows Live Writer
(my favorite, though don't let it screw up your IE settings) or w.Bloggar.
The official "endpoint" for Metaweblog XML/RPC calls will be:
http://userid.blogmatrix.com/:admin/xmlrpc/metaweblog/.
At some point we'd like to support the Atom API, Google GData-style, but library support on Python at this time is
lacking.
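As an added example of what the endpoint above has to do (constructed code, not the BlogMatrix implementation; the user table, the password hashing and the post store are hypothetical), here is an offline MetaWeblog round trip in Python: the client side marshals a metaWeblog.newPost call the way a posting tool would, and a SimpleXMLRPCDispatcher serves it without a network socket. Only the method name and parameter order come from the MetaWeblog API; everything else is assumed. The point worth noticing is that the username and password ride inside the XML body of every call, so the server has to re-check them on each request, and the endpoint belongs on HTTPS.

```python
"""Offline MetaWeblog XML-RPC round trip: marshal metaWeblog.newPost, dispatch it, read the reply.

Constructed example; new_post(), USERS and POSTS are hypothetical stand-ins, not BlogMatrix code.
"""
import hashlib
import hmac
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCDispatcher

# Constructed sample account: the server stores a hash, never the password itself.
USERS = {"dpjanes": hashlib.sha256(b"sample-password").hexdigest()}
POSTS = {}


def password_ok(username, password):
    """Constant-time comparison against the stored hash; unknown users fail the same way."""
    stored = USERS.get(username, "0" * 64)
    candidate = hashlib.sha256(password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(stored, candidate) and username in USERS


def new_post(blogid, username, password, content, publish):
    """metaWeblog.newPost(blogid, username, password, struct, publish) -> postid as a string.
    Credentials arrive with every call, so every call re-checks them."""
    if not password_ok(username, password):
        raise xmlrpc.client.Fault(403, "authentication failed")
    if not isinstance(content, dict) or "description" not in content:
        raise xmlrpc.client.Fault(400, "struct needs at least a description")
    post_id = str(len(POSTS) + 1)
    POSTS[post_id] = {
        "blogid": blogid,
        "author": username,
        "title": content.get("title", ""),
        "description": content["description"],
        "published": bool(publish),
    }
    return post_id


def build_dispatcher():
    """The object that would sit behind the /:admin/xmlrpc/metaweblog/ endpoint."""
    dispatcher = SimpleXMLRPCDispatcher(allow_none=False, encoding="utf-8")
    dispatcher.register_function(new_post, "metaWeblog.newPost")
    return dispatcher


def client_request(username, password, title, body):
    """The XML a posting tool sends as the HTTP request body. The password is in clear
    text inside it, which is why the transport, not the protocol, has to protect it."""
    struct = {"title": title, "description": body}
    params = ("1", username, password, struct, True)  # blogid "1" is a constructed value
    return xmlrpc.client.dumps(params, methodname="metaWeblog.newPost")


def post_via_dispatcher(dispatcher, username, password, title, body):
    """Push the marshaled request through the dispatcher (no socket involved).
    Returns (postid, None) on success or (None, fault_code) on a fault."""
    response = dispatcher._marshaled_dispatch(client_request(username, password, title, body))
    try:
        (post_id,), _ = xmlrpc.client.loads(response)
        return post_id, None
    except xmlrpc.client.Fault as fault:
        return None, fault.faultCode


if __name__ == "__main__":
    d = build_dispatcher()
    print(post_via_dispatcher(d, "dpjanes", "sample-password", "Hello", "first post"))  # ('1', None)
    print(post_via_dispatcher(d, "dpjanes", "wrong", "Hello", "x"))                     # (None, 403)
```

_marshaled_dispatch is the same code path an HTTP server would hand the request body to, so the fault and success responses here are byte-for-byte what a tool like Windows Live Writer would receive.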
I don’t believe that the collaboration tools of Enterprise 2.0 are about replacing e-mail as much as they are about
allowing e-mail to simply be a messaging platform and not a collaboration platform. Right now in most organizations, e-mail
is the primary means for sharing and collaborating on files and doing group-think for geographically dispersed groups.
However, e-mail was never designed for those functions and is not very good at them.
The Enterprise version of the BlogMatrix Platform tries to integrate the strengths of blogging and email, allowing blogging
(and commenting) to be done via e-mail, and blogs read via automatic e-mail sending.
Younger employees -- like that new batch of college grads hitting the market right now -- are going to be pushing
employers to use Web 2.0
technologies on the job. And if their companies don't start adopting them, younger workers will most likely just start using
them on the sly.
"The upcoming generation is going to have a major impact on business. She will expect to have access to her tools in the
workplace," said Marthin De Beer, a senior VP with Cisco Systems. "It would be like someone from my generation not having
access to e-mail and instant
messaging. If they don't get this stuff, they probably won't be there for a long time."
For those interested in grown up business intelligence, Andy Hayler has a terrific blog on the topic. I first met Andy when he ran Kalista, a specialised data warehouse company. He is super smart. The other day Andy pointed to an Information Week discussion about information overload. That in turn was based upon an Accenture report (sorry, no link available) which talks about the consequences of accessing the right information. According to Information Week:
IT managers say information-overload affects their jobs in a number of ways. Forty-two percent complain they are bombarded by too much information; 44% complain other departments in their companies are not forthcoming with data; 39% say they can’t figure out which information is current; 38% say they need to weed out duplicate information; and 21% say they don’t understand the value of the information they do receive.
What a mess! It’s an issue to which I can relate because, try as I might, much of the information I really want is still hard to find. And that’s coming from someone who spends all day searching for stories. Andy’s incisive commentary argues:
The issue is not only that technologies are insufficiently intuitive. In my experience there are a number of factors that come into play:
- no culture of sharing information
- inconsistent data definitions
- poor data quality
- inability to locate appropriate data sources
- insufficient understanding of how to use BI tools effectively.
The one that interests me is ‘no culture’ because I believe the technology issues go away. But that’s for another day. Andy says:
If you set out to produce a useful new report in some area and succeed in doing so, what incentive is there for you to make this easily shared around the company, and to help others find it? In most companies this would be pure altruism, and so people just keep the information on their hard disk, and indeed may gain kudos from the “information is power” syndrome. Overcoming such cultural barriers is hard, and few companies succeed.
This worries me. I find it hard to believe that in the current world we occupy, such Soviet style thinking persists to such an extent. It simply doesn’t make sense. I know as a profession we tend to believe that what we ‘know’ has an intrinsic value. Well, yes, in an academic sense, but knowledge is of no value unless it has context. Like the conversation I had with Julie Le of Zoobug where we talked about the value of certain services. My understanding of the area only takes on value when it is shared. As I explained to Julie, I can and do give away a lot of information and I find it pays off.
It's the altruism bit that caught my attention here. Del.icio.us gets around the "altruism problem" by making selfish actions -- tagging sites for easy future retrieval -- a public good. It's not unlike capitalism:
It is not from the benevolence of the butcher, the brewer, or the baker that we expect our dinner, but from their regard to their own interest.
How then can we use blogging and Web 2.0 technologies to provide an individual benefit that will in turn lead to a social/business benefit? The first quoted paragraph from Business Week gives a clue: do save employees' time; don't introduce new tasks; make everything fast (1 second turnarounds would be ideal); put simplicity in the interface; put complexity in the code; replace multiple tasks with a single one.
Once that's done, there's little need to talk about making "cultural change", as it will make itself.
Individual project teams can collectively create social bookmark (or tag) lists to support their work. These can be attached to their wiki or blog. They can be shared and discussed at virtual meetings. At the enterprise or division level, a knowledge manager can create an ongoing library of links to critical documents with annotations on their importance. These could be drawn from the best of team tag lists. Then official enterprise tag lists can be developed that represent the best thinking on specific issues that are important to the company.
Employees or teams can download tag lists to fit their work needs. Then, they can make these tag lists once again personal as they engage in work activities by modifying them with both new annotations on the usefulness of existing links, as well as new links. Anyone in the firm, including the original knowledge manager, can access these new derived tag lists to enhance their own or add back into the official enterprise tag list on the topic for continuous improvement.
With tagging behind the firewall, the best thinking in the firm can become more transparent and constantly updated to the benefit of all. Knowledge is easily shared and communities can consolidate their key documents and resources. It can also be linked to other on-demand business solutions to enhance their value.
I wrote about IBM’s enterprise tagging system, dogear, in another FAST post. There is also Mitre’s Onomi. It is likely more are being developed. Let us know about any you have heard of.
The reason I say positive is because here's a more negative assessment of the same. I guess it depends on the type of person in the organization -- if it's a 1%er (that is, 1% of the employees do innovative stuff) -- you need a fairly large organization to get the "social" component.
Another barrier or opportunity is the time it takes to tag something. I've become more and more focused recently on the fact that the real barrier for anything being adopted is the time it actually takes to complete an operation.
Freeform: Only minimal upfront structure, with simple lists, tags, and microformats at first, with more structure later if absolutely needed.
Zero Training/Simple: Any barrier to use means that automatically fewer people will use the application or its more complicated features. The most successful sites on the Web require no training at all and guide the user to do the right things. Your business systems can and should be similarly effortless to use.
Software as a Service: Online software, with its functionality and information available on any computer, home or work, anywhere in the world, day or night, is the most productive and useful software possible. Installed native software just cannot compete with such persistent availability.
Easily Changed: If a user can’t easily make the necessary change to the structure or the behavior of a system, he or she must have an expert — usually in the IT department — to do it, and get in line to wait for it, not to mention pay for it. This simply won’t do when there are ways to put much of this control back in the user’s hands. Using the structure of the Web to chunk up functionality, the increasing use of feeds, badges, and widgets, will transfer many common IT tasks back to end-users in the next few years.
Unintended Uses: Preconceived notions about how an IT system will be used can cut it off from the most valuable uses down the road. RSS syndication is teaching us a lot about this phenomenon on the Web, as well as mashups. It’s all about letting the structure and behavior of IT systems emerge naturally and organically. Having open APIs, easily wired together pieces, and loose and fluid tools helps enable this as well. Discoverability of all of these is essential too. Examples: Not UDDI, search. Not Web services, RSS. Not portals, widgets.
Social: Business software tends to harness collective intelligence and even e-mail is social to a certain degree (but darn it, it’s push isn’t it?). Enterprise Web 2.0 software enables pull-based systems that enable people to come together and collaborate when they need to and are entirely uncoupled when they don’t. Enabling just-in-time, freeform collaboration is the key, and so is capturing and publishing the results to be reused and leveraged afterwards by others. Wikis combined with enterprise search do all this automatically for example.
Dion Hinchcliffe of ZDNet has posted a "Enterprise 2.0 Year in Review" article:
Readers of this blog will be familiar with my coverage of Enterprise 2.0 throughout 2006 and by all indications 2007 is very likely the year that it will significantly break out into the enterprise. CIOs, and more importantly, technology savvy workers are increasingly applying Enterprise 2.0 within their organizations because it can often be adopted very inexpensively, is by its intrinsic nature easy to use (requiring little if any end-user training), and many believe that it can be applied incrementally. This makes Enterprise 2.0 IT-friendly on numerous fronts to deploy by already harried, budget-pressured IT departments that are eager to deliver some low-risk wins. And informal data does suggest that many organizations will indeed be trying next year to get at the promise of productivity that Enterprise 2.0 tools offers.
a) supports choice of customer deployment of functionality as a service, and in installed mode
b) is architected and priced/sold as a series of services
c) sells maintenance broken into support and upgrade charges and allows an ecosystem of partners, not just the publisher, to alternatively provide support.
d) largely automates bug fixes/upgrades which require little customer (or service partner) intervention
e) provides process management, configuration, conversion, integration, testing, systems management, end user training tools to minimize implementation and support labor
f) provides customers with a wide range of service partners which are audited, graded and certified each year based on product training completion, customer feedback,
g) commits to transparency to customers around product quality, customer service ticket resolution, outages (where provided in SaaS mode) etc.
h) provides a mechanism for certification of integration of third party software products, and re-certification as releases change
i) actively encourages an on-line developer/integrator community and pushes for an "open source" licensing of community intellectual property
j) commits to sharing with each customer a "sticker" showing standard list of various components/services and various discounts and taxes
k) shares with customer base on a regular basis summary results of various implementation and support metrics from its service partner ecosystem
But most organizations already understand that spreadsheets, presentation files, e-mails, word processing documents, and private databases are where much of the valuable institutional information is. While centralized "big IT" systems do a lot of routine record keeping, the heart and soul of an organization in the form of corporate strategies, product development plans, project notes, key performance metrics, and so on is really kept in e-mail folders and user's directories. And while some of it must remain under strict control, particularly in public companies, much of it is unnecessarily — and usually to a fault — hidden, unreused, and unexploited.
I like this quote, as it ties into the "datasphere" concept we've been tossing around, which says that the way to a semantic web is not through data formats but through the HTML world we're already familiar with:
Discoverability isn't an afterthought, it's the core.
Google and other search engines made the Web usable. The enterprise has not caught up, largely because most enterprise information doesn't allow a hyperlink structure, and links aren't encouraged very much when it does. McAfee recommends setting up blog and wiki directories as well as good enterprise search based on link ranking (which is what Google does to make the right information come up in the first few pages of search results.) Enterprise 2.0 tools should also extract folksonomies and other structural information (from microformats and XML tags) into discoverability mechanisms like tags lists and clouds, making user organization schemes obvious, public, and emergent. One easy trap to fall into is to assume your existing enterprise search will do the job. It probably won't, so be sure that it's well integrated into your Enterprise 2.0 effort, perhaps by offering a blog or wiki search option. Provide your own search engine in the tools only if you must.
So to recount, let us list the main pros of discussion forums:
just plain Q&A or information sharing
the information remains stored and available
the information is linkable and searchable
community building
customisation to different company entities / divisions / employee specialisms or enterprise applications (via sub-forums and categories)
easy editing (WYSIWYG).
I'll briefly note that many of these features are applicable to blogging tools also. Discussion forums allow random topics to be started by random people, with the caveat that no one "owns" the end discussion which means (even though it's searchable) it may get "lost".
One way to bridge this would be either a "lazy web" type solution, where people could ask a question from their blog but the end result would be aggregated in a central location of question/responses.
I estimate each Vista user will cost your company between $3,250 and $5,000. That's each and every Vista user. Money will go to Microsoft for Vista and Office 2007, to hardware vendors for new PCs and components, and possibly a few bucks to Apple for those users jumping to a Mac. After all, if Apple's higher cost has been the factor keeping your company from trying a Mac, that factor just washed away.
That's a lot of money for small or big businesses. And what makes Office 2007 or Vista better than what you have now. Ummm ... more rounded corners? Or just the fact that MS will someday cut off tech support. Hell, I was happy with Windows/Office 2000.
According to the 2006 Intranet research report of the Irish Computer Society (ICS), 80pc of large organisations surveyed said that employees are not taking full advantage of company intranets as an internal communications tool.
[...] According to the research, document management, e-learning, and contact management were the most prominent intranet tools and Microsoft Office formats the most prominent file format. Intranet features typically revolved around staff announcements and messaging but the list was varied and included documentation and forms, blogs and wikis, phonebooks and directories, weather and menus and even bus timetables.
However, despite the high amount of organisations that believe their intranets are massively under-utilised, 86pc of survey participants indicated that intranet will become more important in the near future. The report found that staff collaboration is the main driver for intranet development.
Rajen Sheth [Google Enterprise guy -- dpj] was on fire today…as were some of the Google Data centers he showed us in his presentation. Fortunately, Google is prepared for such events.
One of the nuggets that I think folks will take away from his talk was that software-as-a-service – SaaS - allows companies to focus on business and not on infrastructure. Instead of having to focus on the technology – installing, maintaining, etc. – they can use hosted services that just work.
While all of us were looking at the social-networked Web 2.0 sites for consumers, business applications emerged as the next big AJAX market player. Of course, we've seen what 37 Signals is doing but there are some new names in the market. itredux.com is promoting the use of AJAX based solutions for network computing. As mobile too becomes increasingly ubiquitous, the small local footprint of Web Apps will make them a logical choice.
Anything and everything about the semantic web, microformats and structured blogging. We're building this site live, so expect more than occasional flakiness.