Andrew Pollack's Blog

Technology, Family, Entertainment, Politics, and Random Noise

It is amazing to me how many supposedly tech-savvy people fall for the same B.S. over and over again.

By Andrew Pollack on 01/17/2008 at 10:27 AM EST

A simple article about the iPhone supporting Notes (through iNotes, I think) generated yet another long list of people who want to talk about how much they don't like Notes, based on using versions that are many years old, while completely ignoring the facts of vendor lock-in and proprietary vs. open data access models.

http://www.engadget.com/2008/01/17/iphone-putting-on-a-lotus-notes-suit/

How can anyone who is locked into Active Directory + Exchange + Outlook + SQL Server + Sharepoint + Win2k3 servers seriously comment about Notes applications being siloed or subject to vendor lock-in? It boggles the mind.



Don't Need the Grief
By Gregg Eldred on 01/17/2008 at 11:03 AM EST
Tempting as it may be to click the link, I don't need the aggravation. I am
trying to think "Happy Thoughts" before I leave for Orlando. :-)

re: It is amazing to me how many supposedly tech-savvy people fall for the same B.S. over and over again.
By Vitor Pereira on 01/17/2008 at 11:33 AM EST
"How can anyone who is locked into..."

It's called ignorance. Well... it's worse than that; the ignorant usually want to
learn.

re: It is amazing to me how many supposedly tech-savvy people fall for the same B.S. over and over again.
By Jef on 01/17/2008 at 11:37 AM EST
Found you. I agree to take the conversation here since it's not exactly the
kind of thing for Engadget. I'm open to being proven wrong, that the IBM stack
is a robust platform outside of itself. Maybe you can assist in solving the
problems where IBM themselves have not been able to.

It is interesting that we have differences of opinion about lock-in. I work in
organizations where it feels we are on the IBM treadmill, where you have
opinions about being on the Microsoft treadmill. I find IBM spinning the
wheel of blame when you expose issues in their products, but not offering a
clear strategy for solving them across their stack.

They are 2 different stacks with different goals in mind, but they don't play
nice very well. Just because either says they support a standard, it's how they
implement that standard that really matters, no?

I'm not a messaging guy anymore, but a directory services and identity
management guy, so I'm biased toward the technologies which I admit. I care
about authentication, authorization and attribution in complex environments,
then the lack of message callback, or issues with multi-day calendar events,
etc.

I see the problems integrating the IBM stack
(Domino/Sametime/Quickplace/Websphere) into a complex directory environment.
LDAP is a protocol, of which IBM has varied implementations. What works in
Websphere doesn't work in Domino, which works differently in Sametime.
Solutions such as Tivoli Directory Integrator don't solve these, and Tivoli
Identity Manager and Tivoli Federated Identity Manager do not integrate
across all of the IBM stack, so you find yourself attempting point solutions.


Domino has some great merits in a smaller controlled environment, where
integration into a changing environment is not an issue.

I have asked for case studies from IBM where they integrate their products
under these conditions (multiple Active Directory domains and forests with
non-unique usernames), and even after many engineers and sales guys coming to
say they have a solution, they admit that it's not something they integrate
well with yet.

Domino attempts to use Directory Assistance, but this fails because it is
"guessing" based on a tiered list of directories. This also can have the
nasty habit of causing further security issues and denial of service where
there are non-unique usernames (which are not controllable where business partner
integration is needed).

Sametime/Quickplace supports LDAP (remember, LDAP is a directory lookup
protocol, not an authentication protocol), but doesn't support multiple
directories. It has to have a single directory instance for authentication
(simple binds; why no SASL? Am I missing something?) and
authorization/attribution data. It assumes there is a consolidated directory,
which is not the case. It also still has the paging issue which affects larger
environments.

Websphere has similar problems, but some other solutions (again, not consistent
here). SPNEGO is partially supported, but not fully supported, so it has its
limitations. WS 6 supports a tiered directory environment but does so in the
directory hunting fashion which has the same issues as the Sametime/Quickplace
integration.

Mail/Calendaring is just one application on the platform, and you can get
around the client issues by using other means, but it's the underlying security
architecture in the stack that I am concerned with. Yes, I've been at several
large enterprises who phased out Notes in favor of Exchange for messaging (but
still kept Domino apps for years after) and have used both from an end user and
an administrator standpoint. I prefer the MS stack, while others would have
preferred the IBM stack.

I believe in the right tool for the job, and I can see where a Domino stack
makes sense, over the MS stack. The problems with the IBM stack are too severe
for my environment, so naturally I am jaded toward the platform. I don't care
if things run on windows/Unix/linux/osx, if it makes sense for the task.

I'm not here to play the "My platform is better than yours" but maybe find
information to help resolve the problems with the IBM platform. :)

re: It is amazing to me how many supposedly tech-savvy people fall for the same B.S. over and over again.
By Jef on 01/17/2008 at 11:46 AM EST
I realize that last comment sounded terse, and someone will say "Well, the
problem is with MS, not IBM," which was not my intention.

I hope to learn how this problem can be resolved, maybe by
finding out how others have resolved it. IBM has failed in providing
this information, and periodically perusing the support forums at IBM doesn't
make it sound like many others have resolved this issue, so maybe the combined
knowledge of the Domino enthusiasts could be helpful.

Thanks!

re: It is amazing to me how many supposedly tech-savvy people fall for the same B.S. over and over again.
By Andrew Pollack on 01/17/2008 at 01:25 PM EST
Catching a flight as we speak for Orlando, sorry but I'll have to respond in
more detail tonight. Catch you on the flip side.

Here's an attempt to give you a real answer.
By Andrew Pollack on 01/17/2008 at 10:28 PM EST
Because it's my blog, I have better editing tools, so forgive me for answering
this with in-line quoting that you don't have as easily.

> It is interesting that we have differences of opinion about lock-in.
> I work in organizations where it feels we are on the IBM treadmill,
> where you have opinions about being on the Microsoft treadmill. I
> find IBM spinning the wheel of blame when you expose issues in their
> products, but not offering a clear strategy for solving them across
> their stack.

The thing about "IBM" is that you're not dealing with an organization so much
as a medium sized country. They have an internal economy that would rate among
the world's top 10, I think. They have their own money (IBM cards that work in
various cafeterias and things) and their own passports (id cards). My point
here is that you unfortunately have to treat the various organizations
within it as if they're separate. You'll have DB2 guys who don't care about
selling Notes, hardware guys who will gladly sell you Exchange on their blade
servers, and global services folks who will do nearly anything for you if
you're willing to pay for it. Within IBM, the Lotus organization is just one
small piece.

So yeah, I can see (sadly) where much of your frustration comes from IBM
organizationally rather than the product itself. I'm going to get some grief
for saying some of that from the various IBM people reading this, but my
calling things like I see them won't be new to them.

If you really want good help with Domino and Notes -- you need to get together
with a really good, high end, Business Partner who specializes in the product.
Unfortunately, you're not going to get what you need from the IBM Global
Services or even more so from the organization that used to call itself Lotus
Consulting and now goes by some other name.

In the interest of full disclosure, as a consultant they would be my
competitors so you can take that advice as biased if you like.

Now, on to your more specific issues.


> They are 2 different stacks with different goals in mind, but they
> don't play nice very well. Just because either says they support a
> standard, it's how they implement that standard that really matters, no?

Well, the Domino/Notes stack plays VERY well. ALL of its data is FULLY exposed
as XML in a published DTD. It's also available via COM/ActiveX in a fully
documented object model. I write code every single day in Visual Studio .NET
that interacts with data stored on my Domino server. It's a VERY good model, by
the way, because you get the business logic, security, and agent tools on the
Domino server with the UI control you can only get with a custom interface.

Now, there's no automatic dump to Microsoft for Notes apps, but that's because
there isn't anything to dump to. There is nothing equivalent on the MS side.
As I said on Engadget, Domino offers access and plays well in all of these
standards: LDAP, IMAP, POP2, POP3, SMTP, SNMP, XML, HTTP, SSL, NNTP, Java (sort
of a standard), Javascript (also sort of a standard), Web Services (SOAP/XML
HTTP WSDL), MIME, S/MIME, X.509, vCards, COM, RSS -- and now JSF as well. They
can't FORCE Microsoft to use any of them.

> I'm not a messaging guy anymore, but a directory services and
> identity management guy, so I'm biased toward the technologies which
> I admit. I care about authentication, authorization and attribution
> in complex environments, then the lack of message callback, or
> issues with multi-day calendar events, etc.

I've made a good living automating Domino authentication and administration
tasks for about 15 years now, so maybe I can help here.

> I see the problems integrating the IBM stack (Domino/Sametime/
> Quickplace/Websphere) into a complex directory environment. LDAP
> is a protocol, of which IBM has varied implementations. What
> works in Websphere doesn't work in Domino, which works differently in
> Sametime. Solutions such as Tivoli Directory Integrator don't
> solve these, and Tivoli Identity Manager and Tivoli Federated
> Identity Manager do not integrate across all of the IBM stack, so you
> find yourself attempting point solutions.


The real issue is that LDAP isn't a very good protocol standard because it
leaves so much open to implementation. The Domino LDAP configuration is very
flexible, but it is entirely possible to create incompatible LDAP directories
that both meet the LDAP specification. Within Active Directory, there are
choices you make about your directory implementation that play out in its LDAP
representation in ways which can make it very hard to integrate with.


> Domino has some great merits in a smaller controlled environment,
> where integration into a changing environment is not an issue.

You keep saying smaller - but that's not the case. Domino's directory, server
infrastructure, replication and failover strategies, user management tools, and
security model all scale much more easily and across many more platforms than
Microsoft's. With Microsoft, you absolutely must be in a totally homogeneous
environment or you're completely screwed. Real enterprises are usually
heterogeneous through merger and acquisition, legacy, and management pipelines.


> I have asked for case studies from IBM where they integrate their
> products under these conditions (multiple Active Directory domains
> and forests with non-unique usernames), and even after many
> engineers and sales guys coming to say they have a solution, they
> admit that it's not something they integrate well with yet.

When you reach this level of complexity, no case study or pointy haired "lead
consultant" from inside a big organization is going to have an easy answer.
Domino, Exchange, or Magic Directory Solution from the FSM -- all will require
work. If it were me trying to help, I'd be approaching each of the integration
points as a distinct problem, finding the right way to integrate. Some will be
easy, others will be harder. All will integrate.

Again, it's hard to be too specific without knowing your environment, but with a
job like this, I usually start with a small (2 day) engagement to understand
the issues, then make each integration point a phase that doesn't get billed
unless and until it works according to the agreed plan for that particular
integration point. I'm going to assume you didn't get that kind of project
proposed to you from the GS people.

Very telling here, by the way, is that when you say "Multiple Active Directory
Domains and Forests with Non-Unique Usernames" you're telling me that you've
not been able to even get Active Directory to fully integrate with itself.
Again, no surprise here. Integrating multiple directory implementations which
were designed to different specifications, even in the same software, is not an
easy task. It is unrealistic to expect Domino to be EASIER to integrate
with multiple AD domains than it is for AD to do it with itself.

> Domino attempts to use Directory Assistance, but this fails because
> it is "guessing" based on a tiered list of directories. This also
> can have the nasty habit of causing further security issues and
> denial of service where there are non-unique usernames (which are not
> controllable where business partner integration is needed).

"Domino" is just software. It doesn't TRY to do anything with anything unless
you want it to. DA is just one of many strategies for integration. It is
commonly used for LDAP integrations, but can be used in many different ways and
is by no means the only way to make this happen.

> Sametime/Quickplace supports LDAP (remember, LDAP is a directory
> lookup protocol, not an authentication protocol), but doesn't support
> multiple directories. It has to have a single directory instance
> for authentication (simple binds; why no SASL? Am I missing
> something?) and authorization/attribution data. It assumes there
> is a consolidated directory, which is not the case. It also still
> has the paging issue which affects larger environments.

LDAP can be used to test credentials as well as to look up user names and group
membership. Again, it all depends on how it's used. Unfortunately, when you do
multiple integrations it is possible to create incompatible directory designs.

> Websphere has similar problems, but some other solutions (again, not
> consistent here). SPNEGO is partially supported, but not fully
> supported, so it has its limitations. WS 6 supports a tiered
> directory environment but does so in the directory hunting fashion
> which has the same issues as the Sametime/Quickplace integration.

You won't find me defending Websphere.

> Mail/Calendaring is just one application on the platform, and you
> can get around the client issues by using other means, but it's the
> underlying security architecture in the stack that I am concerned
> with. Yes, I've been at several large enterprises who phased out
> Notes in favor of Exchange for messaging (but still kept Domino apps
> for years after) and have used both from an end user and an
> administrator standpoint. I prefer the MS stack, while others would
> have preferred the IBM stack.

"Preferring" the MS stack is easy if you buy into it 100% all the way -- but
when you do that, you're giving up control of your environment entirely.
People praise the Mac OS because it's so stable. Hell, it doesn't support much
hardware. IF you only run XP or even Vista using specific hardware made by a
few key vendors you'll have no problems with stability either. The more you
build an entirely controlled, totally homogeneous environment the fewer direct
problems you'll have -- but you pay in flexibility. In Microsoft's case, that
also comes with a HUGE licensing liability. Their business model is to have
you re-purchase every single server OS, SQL Server license, Exchange server
license, Outlook client, and desktop OS license no less frequently than every 2
years. IBM says run what you want, where you want to run it.

My question is, if you're going to hand over the keys of your IT shop to
Microsoft -- why bother running an IT shop at all? Why not just outsource it
as a business cost and get on with life? It won't be cheap either way. It
also won't be as capable.

The two salient points to take away here are:

1. If you really want help integrating, get a really good consultant who will
put his money where his mouth is from a project perspective rather than running
up bills to produce paper.

2. It is unrealistic to expect Domino (or anything else) to easily bring
multiple disparate AD implementations together when even AD can't do that for
you. Integration that complex is going to be more than plug-and-play. It may
require a third party application or two (check out Pistolstar's offerings) or
some custom code to sync the directories. It can be done, however. Domino's
next version continues to make this easier with each release.
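The reply above distinguishes two uses of LDAP, looking a user up and testing a credential with a bind, and the earlier comment objects that a tiered list of directories ends up "guessing" when the same short name exists in more than one of them. The following is an added example written for this thread; it is not code from the post, from Domino's Directory Assistance, or from any IBM product. The directories, DNs, names and passwords in it are constructed, and the in-memory `Directory` class stands in for the LDAP servers that a real deployment would search and bind against. It contrasts a first-match strategy, whose result depends on directory order, with one that searches every directory first and refuses to authenticate an ambiguous short name.

```python
"""Search-then-bind credential check across several directories.

Added example for this thread, not code from the blog post, from Domino, or
from any IBM product. The two LDAP uses the reply distinguishes (looking a
user up vs. testing a credential with a bind) are modelled against
constructed in-memory directories that stand in for the LDAP servers a
tiered directory setup would consult.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


def _digest(password):
    """Stand-in for the server-side credential store (hex SHA-256)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class Entry:
    dn: str
    uid: str
    password_digest: str
    groups: list = field(default_factory=list)


class Directory:
    """Constructed stand-in for one LDAP server."""

    def __init__(self, name, entries):
        self.name = name
        self.entries = entries

    def search(self, uid):
        # Equivalent of an LDAP search for (uid=<name>): every match, not just one.
        return [e for e in self.entries if e.uid == uid]

    def bind(self, dn, password):
        # Equivalent of a simple bind as <dn>: succeeds only if the DN exists
        # here and the password verifies (constant-time compare on the digest).
        for e in self.entries:
            if e.dn == dn:
                return hmac.compare_digest(e.password_digest, _digest(password))
        return False


# Constructed sample data: the short name "jsmith" exists in both the
# corporate directory and a business partner's directory.
CORP = Directory("CORP_AD", [
    Entry("CN=jsmith,OU=Staff,DC=corp,DC=example", "jsmith",
          _digest("corp-pass-1"), ["Domain Users", "HR"]),
    Entry("CN=mlee,OU=Staff,DC=corp,DC=example", "mlee",
          _digest("corp-pass-2"), ["Domain Users"]),
])
PARTNER = Directory("PARTNER_LDAP", [
    Entry("uid=jsmith,ou=people,dc=partner,dc=example", "jsmith",
          _digest("partner-pass-1"), ["partner-readers"]),
])


def first_match_authenticate(directories, uid, password):
    """The 'guessing' strategy: bind in the first directory where uid is found."""
    for d in directories:
        hits = d.search(uid)
        if hits:
            if d.bind(hits[0].dn, password):
                return ("ok", hits[0].dn, hits[0].groups)
            return ("bad_password", hits[0].dn, [])
    return ("no_such_user", None, [])


def strict_authenticate(directories, uid, password):
    """Search every directory first; refuse if the short name is not unique."""
    matches = [(d, e) for d in directories for e in d.search(uid)]
    if not matches:
        return ("no_such_user", None, [])
    if len(matches) > 1:
        # Ambiguous identity: do not pick one. Report where it collided so an
        # administrator can fix the directories rather than the login.
        return ("ambiguous", None, sorted({d.name for d, _ in matches}))
    directory, entry = matches[0]
    if not directory.bind(entry.dn, password):
        return ("bad_password", entry.dn, [])
    return ("ok", entry.dn, entry.groups)


if __name__ == "__main__":
    # First-match is order dependent: the partner user is locked out when CORP
    # is searched first, and the corporate user when PARTNER is first.
    print(first_match_authenticate([CORP, PARTNER], "jsmith", "partner-pass-1"))
    print(first_match_authenticate([PARTNER, CORP], "jsmith", "corp-pass-1"))
    # Strict: ambiguous regardless of order or password; unique names still work.
    print(strict_authenticate([CORP, PARTNER], "jsmith", "corp-pass-1"))
    print(strict_authenticate([CORP, PARTNER], "mlee", "corp-pass-2"))
```

Run stand-alone, the first two lines of output show the denial-of-service the comment describes (whichever directory is consulted first wins, and the other account can never log in), while the strict version turns the collision into an explicit "ambiguous" result that names both directories, which is the signal an administrator needs to resolve the duplicate rather than a login that silently depends on search order.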

re: It is amazing to me how many supposedly tech-savvy people fall for the same B.S. over and over again.
By Randy Smith on 01/17/2008 at 11:44 AM EST
@ Andrew - You're being much too nice. In addition to "Active Directory,
Exchange, Outlook, SQL Server, Sharepoint, Win2k3 servers", for many "total
collaborative solutions" you would need to throw in a LiveComm Server for
presence awareness/chat, a Certification Server for digital signatures, an
upgrade to a high-end M$ Office bundle to include InfoPath for workflow, and all
the d@mn user CALs for each of these server products. Once M$ gets you by the
short hairs, you are at their mercy. Wise up, folks, and do your homework. Talk
to other companies that have already traveled on this road to failure. Ask
them "if you had it to do over again, would you?".

