I realize that last comment sounded terse, which someone will say "Well the
problem is with MS not IBM" which was not my intention.

I hope to learn information on how this problem can be resolved from by maybe
finding out how others have resolved the problem. IBM has failed in providing
this information, and perusing the Support forums periodically at IBM doesn't
sound like many others have resolved this issue, so maybe the combined
knowledge of the Domino enthusiasts could be helpful.

Thanks!

Catching a flight as we speak for Orlando, sorry but I'll have to respond in
more detail tonight. Catch you on the flip side.

Because its my blog, I have better editing tools, so forgive me for answering
this with in-line quoting that you don't have as easily.

> It is interesting that we have difference of opinions about lockin.
> I work in organizations that it feels we are on the IBM treadmill,
> where you have opinions about being on the Microsoft Treadmill. I
> find IBM spinning the wheel of blame when you expose issues in their
> products, but not offering a clear strategy to solving them across
> their stack.

The thing about "IBM" is that you're not dealing with an organization so much
as a medium sized country. They have an internal economy that would rate among
the worlds top 10 I think. They have their own money (IBM cards that work in
various cafeterias and things) and their own passports (id cards). My point
here, is that you unfortunately have to separate the various organizations
within it as if they're separate. You'll have DB2 guys who don't care about
selling Notes. Hardware guys who will gladly sell you exchange on their blade
servers, and global services folks who will do nearly anything for you if
you're willing to pay for it. Within IBM, the Lotus organization is just one
small piece.

So yeah, I can see (sadly) where much of your frustration comes from IBM
organizationally rather than the product itself. I'm going to get some grief
for saying some of that from the various IBM people reading this, but my
calling things like I see them won't be new to them.

If you really want good help with Domino and Notes -- you need to get together
with a really good, high end, Business Partner who specializes in the product.
Unfortunately, you're not going to get what you need from the IBM Global
Services or even more so from the organization that used to call itself Lotus
Consulting and now goes by some other name.

In the interest of full disclosure, as a consultant they would be my
competitors so you can take that advice as biased if you like.

Now, on to your more specific issues.


> They are 2 different stacks with different goals in mind, but they
> don't play nice very well. Just because either say they support a
> standard, it's how they implement that standard that really matters,no?

Well, the Domino/Notes stack plays VERY well. ALL of its data is FULLY exposed
as XML in a published DTD. Its also available via COM/Active-X in a fully
documented object model. I write code every single day in Visual Studio .NET
that interacts with data stored on my Domino server. Its a VERY good model, by
the way, because you get the business logic, security, and agent tools on the
domino server with the UI control you can only get with a custom interface.

Now, There's no automatic dump to Microsoft for Notes apps, but that's because
there isn't anything to dump to. There is nothing equivilant on the MS side.
As I said on engaget, Domino offers access and plays well in all of these
standards: LDAP, IMAP, POP2, POP3, SMTP, SNMP, XML, HTTP, SSL, NNTP, Java (sort
of a standard), Javascript (also sort of a standard), Web Services (SOAP/XML
HTTP WSDL), MIME, SMIME, x.509, vcards, COM, RSS, -- and now JSF as well. They
can't FORCE Microsoft to use any of them.

> I'm not a messaging guy anymore, but a directory services and
> identity management guy, so I'm biased toward the technologies which
> I admit. I care about authentication, authorization and attribution
> in complex environments, then the lack of message callback, or
> issues with multi-day calendar events, etc.

I've made a good living automating Domino authentication and adminstration
tasks for about 15 years now, so maybe I can help here.

> I see the problems integrating the IBM stack (Domino/Sametime/
> Quickplace/Websphere) into a complex directory environment. LDAP
> is a protocol, to which IBM has varied implementations of. What
> works win Websphere doesn't work in Domino, which works different in
> Sametime. Solutions such as Tivoli Directory integrator doesn't
> solve these, and Tivoli Identity Manager, and Tivioli Federated
> IDentity manager do not integrate across all of the IBM stack so you
> find yourself attempting point solutions.


The real issue, is that LDAP isn't a very good protocol standard because it
leaves so much open to implementation. The Domino LDAP configuration is very
flexible, but it is entirely possible to create incompatible LDAP directories
that both meet the LDAP specification. Within Active Directory, there are
choices you make about your directory implementation that play out in its LDAP
representation in ways which can make it very hard to integrate with.


> Domino has some great merits in a smaller controlled environment,
> where integration into a changing environment is not an issue.

You keep saying smaller - but that's not the case. Domino's directory, server
infrastructure, replication and failover strategies, user management tools, and
security model all scale much more easily and across many more platforms than
Microsoft's. With Microsoft, you absolutely must be in a totally homogenous
environment or you're completely screwed. Real enterprises are usually
heterogenus though merger and aquisition, legacy, and management pipelines.


> I have asked for case studies from IBM where they integrate their
> products under these conditions (Multiple ACtive Directory Domains
> and forests with non-unique usernames), and even after many
> engineers and sales guys coming to say they have a solution, they
> admit that it's not something they integrate well with yet.

When you reach this level of complexity, no case study or pointy haired "lead
consultant" from inside a big organization is going to have an easy answer.
Domino, Exchange, or Magic Directory Solution from the FSM -- all will require
work. If it were me trying to help, I'd be approaching each of the integration
points as a distinct problem, finding the right way to integrate. Some will be
easy, others will be harder. All will integrate.

Again, its hard to be too specific without knowing your environment, but with a
job like this, I usually start with a small (2 day) engagement to understand
the issues, then make each integration point a phase that doesn't get billed
unless and until it works according to the agreed plan for that particular
integration point. I'm going to assume you didn't get that kind of project
proposed to you from the GS people.

Very telling here, by the way, is when you say "Multiple Acive Directory
Domains and Forests with Non-Unique Usernames" you're telling me that you've
not been able to even get Active Directory to fully integrate with itself.
Again, no surprise here. Integrating multiple directory implementations which
were designed to different specifications even in the same software is not an
easy task. It is unrealistic to expect Domino to be EASIER to make integrate
with multiple AD domains than for AD to do it with itself.

> Domino attempts to use Directory Assistance, but this fails because
> it is "guessing" based on a tiered list of directories. This also
> can have the nasty habit of causing further security issues and
> denial of service where non-unique usernames (Which are not
> controllable where business partner integration is needed).

"Domino" is just software. It doesn't TRY to do anything with anything unless
you want it to. DA is just one of many strategies for integration. It is
commonly used for LDAP integrations, but can be used in many different ways and
is by no means the only way to make this happen.

> Sametime/Quickplace supports LDAP (Remember, LDAP is a directory
> lookup protocol, not an authentication prtocol), but doesn't support
> multiple directories. It has to have a single directory instance
> for authentication (Simple binds, why no SASL? Am I missing
> something?) and authorization/attribution data. It assumes there
> is a consolidated directory, which is not the case. It also still
> has the paging issue which affects larger environments.

LDAP can be used to test credentials as well as lookup user names and group
membership. Again, all depends on how its used. Unforunately, when you do
multiple integrations it is possible to create incompatible directory designs.

> Websphere has similar problems, but some other solutions (again not
> consistent here). SPNEGO is partially supported, but not fully
> supported, so it has it's limitations. WS 6 supports a tieried
> directory environment but does so in the directory hunting fashion
> which has the same issues as the sametime/quickplace integration.

You won't find me defending Websphere.

> Mail/Calendaring is just one application on the platform, and you
> can get around the client issues by using other means, but it's the
> underlying security architecture in the stack that I am concerned
> with. Yes, I've been at several large enterprises who phased out
> notes in favor of exchange for messaging (but still kept Domino Apps
> for years after) and have used both from an end user and an
> adminstrator standpoint. I prefer the MS stack, while others would
> have preferred the IBM stack.

"Preferring" the MS Stack is easy if you buy into it 100% all the way -- but
when you do that, you're giving up control of your environment entirely.
People praise the MAC OS because its so stable. Hell, it doesn't support much
hardware. IF you only run XP or even VISTA using a specific hardware made by a
few key vendors you'll have no problems with stability either. The more you
build an entirely controlled, totally homogenous environment the less direct
problems you'll have -- but you pay in flexibility. In Microsoft's case, that
also comes with a HUGE licensing liability. Their business model is to have
you re-purchase every single server OS, sql server license, exchange server
license, outlook client, and desktop OS license no less frequently than every 2
years. IBM says run what you want, where you want to run it.

My question is, if you're going to hand over the keys of your IT shop to
Microsoft -- why bother running an IT shop at all? Why not just outsourse it
as a business cost and get on with life. It won't be cheap either way. It
also won't be as capable.

The two salient points to take away here are:

1. If you really want help integrating, get a really good consultant who will
put his money where his mouth is from a project perspective rather than running
up bills to produce paper.

2. It is unrealistic to expect Domino (or anything else) to easily bring
multiple disparate AD implementations together when even AD can't do that for
you. Integration that complex is going to be more than plug-and-play. It may
require a third party application or two (check out Pistolstar's offerings) or
some custom code to sync the directories. It can be done, however. Domino's
next version continues to make this easier with each release.