Wednesday, October 24, 2007

1dent1ty cHa0s haiku

Yes, I was inspired by the great Wook Lee - here is my attempt at an Identity haiku:

Duplicate users,
Oh, identity chaos!
De-provision now.

Wednesday, October 17, 2007

Gil's Blog: objectClass vs. objectCategory

In a recent post on Gil Kirkpatrick's blog, Gil talks about performing effective LDAP searches and using objectCategory instead of objectClass. I have to admit that I've been guilty of this in the past and didn't realize the differences between the two indexes. I think even Microsoft's examples tend to use objectClass when referencing searches for user objects.

Short story: to find a user, use the 'person' category with one additional filter:

(&(objectCategory=person)(sAMAccountName=*))

You see, contacts are people too (person objectCategory), so if you want to get a user, you need to specify an attribute that doesn't exist in the contact class. The user class also inherits from the Security-Principal auxiliary class, which defines the sAMAccountName attribute; the contact structural class does not.
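To show what the extra sAMAccountName clause changes, here is an added example (not code from Gil's post or from this blog) that evaluates filters against three constructed directory entries. The entries and the helper names parse, matches and search are assumptions made for illustration, and the computer entry goes slightly beyond what the post covers.

```python
# Subset of LDAP filter syntax: &, |, !, equality and presence (attr=*).
# Escapes and substring matches are left out. ENTRIES is constructed sample
# data; objectCategory uses the short names AD accepts in filters.
PERSON = ["top", "person", "organizationalPerson"]
ENTRIES = [
    {"cn": ["Alice User"], "objectClass": PERSON + ["user"],
     "objectCategory": ["person"], "sAMAccountName": ["alice"]},
    {"cn": ["Bob Contact"], "objectClass": PERSON + ["contact"],
     "objectCategory": ["person"]},
    {"cn": ["WKS01"], "objectClass": PERSON + ["user", "computer"],
     "objectCategory": ["computer"], "sAMAccountName": ["WKS01$"]},
]

def parse(f, i=0):
    """Parse the filter starting at f[i]; return (node, index after it)."""
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i:i + 1] in ("&", "|", "!"):
        op, i, kids = f[i], i + 1, []
        while f[i:i + 1] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i:i + 1] != ")" or not kids:
            raise ValueError(f"malformed '{op}' filter at offset {i}")
        return (op, kids), i + 1
    end = f.index(")", i)  # raises ValueError when the item is unterminated
    attr, _, value = f[i:end].partition("=")
    return ("=", attr, value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict of value lists)."""
    if node[0] in ("&", "|"):
        return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    # Attribute names are case-insensitive; a missing attribute has no values.
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    if value == "*":  # presence test, as in (sAMAccountName=*)
        return bool(values)
    return any(v.lower() == value.lower() for v in values)

def search(filter_text):
    """Return the cn of every sample entry that the filter matches."""
    node, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return [e["cn"][0] for e in ENTRIES if matches(node, e)]
```

On the sample data, search("(objectCategory=person)") returns both the user and the contact, while adding (sAMAccountName=*) leaves only the user. search("(objectClass=user)") also returns the computer account, because the computer class derives from user.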

Now that I've blogged about it I'll have to come back to this entry repeatedly to remember which one was taboo and which one is the right one to use. It's "off the stack" now so to say...

Thursday, October 11, 2007

Winsec.be - Belgium's Security Users Group

In much belated fashion, and now that I seem to be over whatever illness it was I picked up on the plane ride home from DEC Europe 2007, I wanted to finally blog about our experience at the Winsec.be Security Users Group meeting. Peter Geelen (PeGe on the lists) is the founder and works for Belgium's 4all Networks in the IDA space. Co-founders include Avanade's Paul Loonen (who also frequents the MIIS lists), Ascure's Kris Gantois and Jan De Meyer, and Cevi's Stefaan Pouseele.

Paul Loonen's Demo

Jerry Camel and I took an opportunity to attend a local users group meeting hosted by Microsoft at their local Belgium office. Attendance was pretty good for a UG, with about 25+ people. Kicking off the inaugural event was Paul Loonen with an MIIS/ILM overview/demo of simple attribute flow and provisioning.

Alex Weinert's Talk

Alex Weinert and Fred Delombaerde of the ILM Product Group provided an overview of features and architecture coming in ILM "2", and Thomas Pind of Omada wrapped up the slide portions with a walkthrough of Omada's MIIS-enhancing product and workflows. Due to some technical disagreements between a certain laptop and a projector, Alex's demo was saved for last, where he walked the group through some of the current beta features.

Thomas Pind's Demo

Winsec.be was a neat opportunity to mix with our European colleagues and witness how the UG phenomenon works across the globe. All of the participants seemed to be active, IT-security-centric folks and asked good questions. I'd like to thank Peter and Paul for inviting us and Microsoft for hosting the event!

If you'd like more information on Winsec.be, check out their blog for upcoming events.
