Andrew Pollack's Blog

Technology, Family, Entertainment, Politics, and Random Noise

It is amazing to me how many supposedly tech-savvy people fall for the same B.S. over and over again.

By Andrew Pollack on 01/17/2008 at 10:27 AM EST

A simple article about the iPhone supporting Notes (through iNotes I think) generated yet another long list of people who want to talk about how much they don't like Notes based on using many years old versions, and completely ignoring the facts of vendor lock in and proprietary vs. open data access models.

http://www.engadget.com/2008/01/17/iphone-putting-on-a-lotus-notes-suit/

How can anyone who is locked into Active Directory + Exchange + Outlook + SQL Server + Sharepoint + Win2k3 servers seriously comment about Notes applications being siloed or subject to vendor lock in? It boggles the mind.



Don't Need the Grief
By Gregg Eldred on 01/17/2008 at 11:03 AM EST
Tempting as it may be to click the link, I don't need the aggravation. I am
trying to think "Happy Thoughts" before I leave for Orlando. :-)

re: It is amazing to me how many supposedly tech-savvy people fall for the same B.S. over and over again.
By Vitor Pereira on 01/17/2008 at 11:33 AM EST
"How can anyone who is locked into..."

It's called ignorance. Well... it's worse than that, ignorants usually want to
learn.

re: It is amazing to me how many supposedly tech-savvy people fall for the same B.S. over and over again.
By Jef on 01/17/2008 at 11:37 AM EST
Found You, I agree to take the conversation here since it's not exactly the
kind of thing for Engadget. I'm open to being proven wrong, that the IBM stack
is a robust platform outside of itself. Maybe you can assist in solving the
problems where IBM themselves have not been able to.

It is interesting that we have difference of opinions about lockin. I work in
organizations that it feels we are on the IBM treadmill, where you have
opinions about being on the Microsoft Treadmill. I find IBM spinning the
wheel of blame when you expose issues in their products, but not offering a
clear strategy to solving them across their stack.

They are 2 different stacks with different goals in mind, but they don't play
nice very well. Just because either say they support a standard, it's how they
implement that standard that really matters, no?

I'm not a messaging guy anymore, but a directory services and identity
management guy, so I'm biased toward the technologies which I admit. I care
about authentication, authorization and attribution in complex environments,
then the lack of message callback, or issues with multi-day calendar events,
etc.

I see the problems integrating the IBM stack
(Domino/Sametime/Quickplace/Websphere) into a complex directory environment.
LDAP is a protocol, to which IBM has varied implementations of. What works with
Websphere doesn't work in Domino, which works different in Sametime.
Solutions such as Tivoli Directory Integrator don't solve these, and Tivoli
Identity Manager and Tivoli Federated Identity Manager do not integrate
across all of the IBM stack so you find yourself attempting point solutions.


Domino has some great merits in a smaller controlled environment, where
integration into a changing environment is not an issue.

I have asked for case studies from IBM where they integrate their products
under these conditions (Multiple Active Directory Domains and forests with
non-unique usernames), and even after many engineers and sales guys coming to
say they have a solution, they admit that it's not something they integrate
well with yet.

Domino attempts to use Directory Assistance, but this fails because it is
"guessing" based on a tiered list of directories. This also can have the
nasty habit of causing further security issues and denial of service where
non-unique usernames (Which are not controllable where business partner
integration is needed).

Sametime/Quickplace supports LDAP (Remember, LDAP is a directory lookup
protocol, not an authentication protocol), but doesn't support multiple
directories. It has to have a single directory instance for authentication
(Simple binds, why no SASL? Am I missing something?) and
authorization/attribution data. It assumes there is a consolidated directory,
which is not the case. It also still has the paging issue which affects larger
environments.

Websphere has similar problems, but some other solutions (again not consistent
here). SPNEGO is partially supported, but not fully supported, so it has its
limitations. WS 6 supports a tiered directory environment but does so in the
directory hunting fashion which has the same issues as the sametime/quickplace
integration.

Mail/Calendaring is just one application on the platform, and you can get
around the client issues by using other means, but it's the underlying security
architecture in the stack that I am concerned with. Yes, I've been at several
large enterprises who phased out notes in favor of exchange for messaging (but
still kept Domino Apps for years after) and have used both from an end user and
an administrator standpoint. I prefer the MS stack, while others would have
preferred the IBM stack.

I believe in the right tool for the job, and I can see where a Domino stack
makes sense, over the MS stack. The problems with the IBM stack are too severe
for my environment, so naturally I am jaded toward the platform. I don't care
if things run on windows/Unix/linux/osx, if it makes sense for the task.

I'm not here to play the "My platform is better than yours" but maybe find
information to help resolve the problems with the IBM platform. :)

re: It is amazing to me how many supposedly tech-savvy people fall for the same B.S. over and over again.
By Jef on 01/17/2008 at 11:46 AM EST
I realize that last comment sounded terse, which someone will say "Well the
problem is with MS not IBM" which was not my intention.

I hope to learn information on how this problem can be resolved from by maybe
finding out how others have resolved the problem. IBM has failed in providing
this information, and perusing the Support forums periodically at IBM doesn't
sound like many others have resolved this issue, so maybe the combined
knowledge of the Domino enthusiasts could be helpful.

Thanks!

re: It is amazing to me how many supposedly tech-savvy people fall for the same B.S. over and over again.
By Andrew Pollack on 01/17/2008 at 01:25 PM EST
Catching a flight as we speak for Orlando, sorry but I'll have to respond in
more detail tonight. Catch you on the flip side.

Here's an attempt to give you a real answer.
By Andrew Pollack on 01/17/2008 at 10:28 PM EST
Because it's my blog, I have better editing tools, so forgive me for answering
this with in-line quoting that you don't have as easily.

> It is interesting that we have difference of opinions about lockin.
> I work in organizations that it feels we are on the IBM treadmill,
> where you have opinions about being on the Microsoft Treadmill. I
> find IBM spinning the wheel of blame when you expose issues in their
> products, but not offering a clear strategy to solving them across
> their stack.

The thing about "IBM" is that you're not dealing with an organization so much
as a medium sized country. They have an internal economy that would rate among
the world's top 10 I think. They have their own money (IBM cards that work in
various cafeterias and things) and their own passports (id cards). My point
here, is that you unfortunately have to separate the various organizations
within it as if they're separate. You'll have DB2 guys who don't care about
selling Notes. Hardware guys who will gladly sell you exchange on their blade
servers, and global services folks who will do nearly anything for you if
you're willing to pay for it. Within IBM, the Lotus organization is just one
small piece.

So yeah, I can see (sadly) where much of your frustration comes from IBM
organizationally rather than the product itself. I'm going to get some grief
for saying some of that from the various IBM people reading this, but my
calling things like I see them won't be new to them.

If you really want good help with Domino and Notes -- you need to get together
with a really good, high end, Business Partner who specializes in the product.
Unfortunately, you're not going to get what you need from the IBM Global
Services or even more so from the organization that used to call itself Lotus
Consulting and now goes by some other name.

In the interest of full disclosure, as a consultant they would be my
competitors so you can take that advice as biased if you like.

Now, on to your more specific issues.


> They are 2 different stacks with different goals in mind, but they
> don't play nice very well. Just because either say they support a
> standard, it's how they implement that standard that really matters,no?

Well, the Domino/Notes stack plays VERY well. ALL of its data is FULLY exposed
as XML in a published DTD. It's also available via COM/Active-X in a fully
documented object model. I write code every single day in Visual Studio .NET
that interacts with data stored on my Domino server. It's a VERY good model, by
the way, because you get the business logic, security, and agent tools on the
domino server with the UI control you can only get with a custom interface.

Now, There's no automatic dump to Microsoft for Notes apps, but that's because
there isn't anything to dump to. There is nothing equivalent on the MS side.
As I said on Engadget, Domino offers access and plays well in all of these
standards: LDAP, IMAP, POP2, POP3, SMTP, SNMP, XML, HTTP, SSL, NNTP, Java (sort
of a standard), Javascript (also sort of a standard), Web Services (SOAP/XML
HTTP WSDL), MIME, SMIME, x.509, vcards, COM, RSS, -- and now JSF as well. They
can't FORCE Microsoft to use any of them.

> I'm not a messaging guy anymore, but a directory services and
> identity management guy, so I'm biased toward the technologies which
> I admit. I care about authentication, authorization and attribution
> in complex environments, then the lack of message callback, or
> issues with multi-day calendar events, etc.

I've made a good living automating Domino authentication and administration
tasks for about 15 years now, so maybe I can help here.

> I see the problems integrating the IBM stack (Domino/Sametime/
> Quickplace/Websphere) into a complex directory environment. LDAP
> is a protocol, to which IBM has varied implementations of. What
> works with Websphere doesn't work in Domino, which works different in
> Sametime. Solutions such as Tivoli Directory Integrator don't
> solve these, and Tivoli Identity Manager, and Tivoli Federated
> Identity Manager do not integrate across all of the IBM stack so you
> find yourself attempting point solutions.


The real issue, is that LDAP isn't a very good protocol standard because it
leaves so much open to implementation. The Domino LDAP configuration is very
flexible, but it is entirely possible to create incompatible LDAP directories
that both meet the LDAP specification. Within Active Directory, there are
choices you make about your directory implementation that play out in its LDAP
representation in ways which can make it very hard to integrate with.


> Domino has some great merits in a smaller controlled environment,
> where integration into a changing environment is not an issue.

You keep saying smaller - but that's not the case. Domino's directory, server
infrastructure, replication and failover strategies, user management tools, and
security model all scale much more easily and across many more platforms than
Microsoft's. With Microsoft, you absolutely must be in a totally homogeneous
environment or you're completely screwed. Real enterprises are usually
heterogeneous through merger and acquisition, legacy, and management pipelines.


> I have asked for case studies from IBM where they integrate their
> products under these conditions (Multiple Active Directory Domains
> and forests with non-unique usernames), and even after many
> engineers and sales guys coming to say they have a solution, they
> admit that it's not something they integrate well with yet.

When you reach this level of complexity, no case study or pointy haired "lead
consultant" from inside a big organization is going to have an easy answer.
Domino, Exchange, or Magic Directory Solution from the FSM -- all will require
work. If it were me trying to help, I'd be approaching each of the integration
points as a distinct problem, finding the right way to integrate. Some will be
easy, others will be harder. All will integrate.

Again, its hard to be too specific without knowing your environment, but with a
job like this, I usually start with a small (2 day) engagement to understand
the issues, then make each integration point a phase that doesn't get billed
unless and until it works according to the agreed plan for that particular
integration point. I'm going to assume you didn't get that kind of project
proposed to you from the GS people.

Very telling here, by the way, is when you say "Multiple Active Directory
Domains and Forests with Non-Unique Usernames" you're telling me that you've
not been able to even get Active Directory to fully integrate with itself.
Again, no surprise here. Integrating multiple directory implementations which
were designed to different specifications even in the same software is not an
easy task. It is unrealistic to expect Domino to be EASIER to make integrate
with multiple AD domains than for AD to do it with itself.

> Domino attempts to use Directory Assistance, but this fails because
> it is "guessing" based on a tiered list of directories. This also
> can have the nasty habit of causing further security issues and
> denial of service where non-unique usernames (Which are not
> controllable where business partner integration is needed).

"Domino" is just software. It doesn't TRY to do anything with anything unless
you want it to. DA is just one of many strategies for integration. It is
commonly used for LDAP integrations, but can be used in many different ways and
is by no means the only way to make this happen.

> Sametime/Quickplace supports LDAP (Remember, LDAP is a directory
> lookup protocol, not an authentication protocol), but doesn't support
> multiple directories. It has to have a single directory instance
> for authentication (Simple binds, why no SASL? Am I missing
> something?) and authorization/attribution data. It assumes there
> is a consolidated directory, which is not the case. It also still
> has the paging issue which affects larger environments.

LDAP can be used to test credentials as well as lookup user names and group
membership. Again, all depends on how it's used. Unfortunately, when you do
multiple integrations it is possible to create incompatible directory designs.

> Websphere has similar problems, but some other solutions (again not
> consistent here). SPNEGO is partially supported, but not fully
> supported, so it has its limitations. WS 6 supports a tiered
> directory environment but does so in the directory hunting fashion
> which has the same issues as the sametime/quickplace integration.

You won't find me defending Websphere.

> Mail/Calendaring is just one application on the platform, and you
> can get around the client issues by using other means, but it's the
> underlying security architecture in the stack that I am concerned
> with. Yes, I've been at several large enterprises who phased out
> notes in favor of exchange for messaging (but still kept Domino Apps
> for years after) and have used both from an end user and an
> administrator standpoint. I prefer the MS stack, while others would
> have preferred the IBM stack.

"Preferring" the MS Stack is easy if you buy into it 100% all the way -- but
when you do that, you're giving up control of your environment entirely.
People praise the Mac OS because it's so stable. Hell, it doesn't support much
hardware. IF you only run XP or even VISTA using specific hardware made by a
few key vendors you'll have no problems with stability either. The more you
build an entirely controlled, totally homogeneous environment the less direct
problems you'll have -- but you pay in flexibility. In Microsoft's case, that
also comes with a HUGE licensing liability. Their business model is to have
you re-purchase every single server OS, sql server license, exchange server
license, outlook client, and desktop OS license no less frequently than every 2
years. IBM says run what you want, where you want to run it.

My question is, if you're going to hand over the keys of your IT shop to
Microsoft -- why bother running an IT shop at all? Why not just outsource it
as a business cost and get on with life. It won't be cheap either way. It
also won't be as capable.

The two salient points to take away here are:

1. If you really want help integrating, get a really good consultant who will
put his money where his mouth is from a project perspective rather than running
up bills to produce paper.

2. It is unrealistic to expect Domino (or anything else) to easily bring
multiple disparate AD implementations together when even AD can't do that for
you. Integration that complex is going to be more than plug-and-play. It may
require a third party application or two (check out Pistolstar's offerings) or
some custom code to sync the directories. It can be done, however. Domino's
next version continues to make this easier with each release.
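The directory-assistance failure mode Jef describes (a tiered list of directories searched first-match, with non-unique usernames across them) and Andrew's point that an LDAP bind has to be made against one specific entry can be made concrete in code. The block below is an added illustration, not code from the original post or from any IBM or Microsoft product: it models the tiered search in Python with two constructed directories that both contain a "jsmith", shows the first-match lookup beside a hardened variant that accepts realm-qualified names and refuses ambiguous bare ones, and uses a PBKDF2 password check as a stand-in for the LDAP bind. The directory contents, realm names, group names and the `realm\uid` qualification syntax are all assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

ITERATIONS = 20_000  # low for illustration; the data below is constructed


@dataclass(frozen=True)
class Entry:
    dn: str          # distinguished name: the only globally unique handle
    uid: str         # short login name: unique inside one directory only
    salt: bytes
    pw_hash: bytes
    groups: tuple

    def bind(self, password: str) -> bool:
        """Stand-in for an LDAP bind against this entry's DN."""
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, ITERATIONS)
        return hmac.compare_digest(digest, self.pw_hash)


def make_entry(dn: str, uid: str, password: str, groups) -> Entry:
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return Entry(dn, uid, salt, pw_hash, tuple(groups))


# Constructed sample directories: an internal one and a business-partner one,
# each with its own "jsmith".  Names and passwords are placeholders.
CORP = {
    "jsmith": make_entry("cn=jsmith,dc=corp,dc=example", "jsmith", "corp-pass", ["domino-admins"]),
    "alee": make_entry("cn=alee,dc=corp,dc=example", "alee", "alee-pass", ["staff"]),
}
PARTNER = {
    "jsmith": make_entry("cn=jsmith,dc=partner,dc=example", "jsmith", "partner-pass", ["partner-users"]),
}
# Tier order, as a directory-assistance style configuration would list it.
TIERS = [("corp", CORP), ("partner", PARTNER)]


def authenticate_first_match(uid: str, password: str) -> dict:
    """Directory hunting: bind against the first directory that knows the name.
    With a duplicate name the lower tier is never consulted, so the partner
    user is locked out, and a success tells you only the name, not which
    person it was meant to be."""
    for realm, directory in TIERS:
        entry = directory.get(uid)
        if entry is None:
            continue
        if entry.bind(password):
            return {"status": "ok", "realm": realm, "dn": entry.dn, "groups": entry.groups}
        return {"status": "bad-credentials", "realm": realm}
    return {"status": "unknown-user"}


def authenticate_unambiguous(name: str, password: str) -> dict:
    """Hardened variant: a realm-qualified name (realm\\uid) selects one
    directory; a bare name is searched in every tier and refused when it
    matches more than one entry, so the bind always targets a single DN."""
    if "\\" in name:
        realm, uid = name.split("\\", 1)
        candidates = [(r, d[uid]) for r, d in TIERS if r == realm and uid in d]
    else:
        candidates = [(r, d[name]) for r, d in TIERS if name in d]
    if not candidates:
        return {"status": "unknown-user"}
    if len(candidates) > 1:
        # Refusing is the safe failure; the DNs are returned so the
        # duplicate can be logged and resolved rather than guessed at.
        return {"status": "ambiguous", "dns": [e.dn for _, e in candidates]}
    realm, entry = candidates[0]
    if entry.bind(password):
        return {"status": "ok", "realm": realm, "dn": entry.dn, "groups": entry.groups}
    return {"status": "bad-credentials", "realm": realm}


if __name__ == "__main__":
    print(authenticate_first_match("jsmith", "partner-pass"))          # partner user locked out
    print(authenticate_unambiguous("jsmith", "partner-pass"))          # refused as ambiguous
    print(authenticate_unambiguous("partner\\jsmith", "partner-pass"))  # binds to the partner DN
```

The same rule carries over to a real directory integration: resolve the login name to exactly one DN before binding, and treat more than one match as a configuration fault to fix rather than something the first tier in the list gets to decide.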

re: It is amazing to me how many supposedly tech-savvy people fall for the same B.S. over and over again.
By Randy Smith on 01/17/2008 at 11:44 AM EST
@ Andrew - You're being much too nice. In addition to "Active Directory
Exchange Outlook SQL Server Sharepoint Win2k3 servers", for many "total
collaborative solutions", you would need to throw in a LiveComm Server for
presence awareness/chat a Certification Server for digital signatures an
upgrade to a high-end M$ Office bundle to include InfoPath for workflow all
the d@mn user CALS for each of these server products. Once M$ gets you by the
short hairs, you are at their mercy. Wise up folks and do your homework. Talk
to other companies that have already traveled on this road to failure. Ask
them "if you had it to do over again, would you?".

