Last night we saw a really big surge in Japanese users on PingMe. Irashaimasen! We wondered what was up and saw that this article on a Japanese website might have been the cause.

We were really curious to find out what the article says so we popped it into Google Translate, but their Japanese support is still a little wonky. Can anyone help us out? Is it a decent review?

How would you like to be able to “call in” a PingMe reminder over the phone?

Mike, a PingMe user, writes on his MyTechTalk blog

I think the folks at Jott and the folks at PingMe should join forces to create a stellar service. Jott’s voice to email technology could be modified by PingMe to quickly create reminders when I’m driving in my car and not in front of my computer.

Basically, Jott is a really useful mobile transcription service offering “mobile note taking and hands-free messaging”. Sign up and you can call their 800 number and speak a message that will be converted to written text and sent out by email. PingMe is a mobile service that sends out scheduled reminders to your cell phone and email on a defined schedule. Together, they are unstoppable.

We agreed it would be amazingly useful to phone in Pings while driving or just to save our fingers from typing an SMS message. Thus, we spent a little time coding up the back-end, and the PingMe / Jott mashup was born!

Start by going to http://www.jott.com to sign up. Do it now, don’t wait, because their service rocks. Follow the instructions on their site to activate your account. Then go into the contacts tab and add your PingMe address. (you can find your PingMe address in the welcome email we sent you, or on your profile page in PingMe).

We suggest you call the contact “GoPingMe”, so it’s sufficiently different than the default “Me” moniker that Jott uses for “note to self” type messages.

Then comes the fun part. Add Jott’s toll free number to your speed dial. Call up the Jott number. They say..

Who’d you want to Jott?

You say…

GoPingMe

They say…

BEEP

You speak…

Two days, hour eight, call and wish mom a happy birthday

Wait a few minutes, and voila, you’ve got a brand new Ping that will be sent to your mobile phone and email targets in two days at eight o’clock AM.

IMPORTANT NOTE: Before trying to create a Ping using Jott you should check out our help entry on mobile creation that describes the way PingMe time codes work. It explains why you’d say “2 days, hour eight” instead of “09/01/07 at 8:00am”. You should also read our recent post on Using time codes to create Pings for even more details.

Let us know what you think!

There is no question that Access Management systems provide a host of benefits to the users and maintainers of web applications in large-scale environments. Yet, adding an access management system can also introduce a set of new potential points of failure. Even though infrastructure may be designed to maximize fault tolerance there is still risk because many security “eggs” are now in one basket. Systematic failure of any single component (LDAP directory, Virtual Directory, Access / Policy Server, web/application server plug-in, application integration code, etc.) can render applications unusable. As a result, system monitoring is often one of the most critical considerations in an Access Management deployment.

Thankfully, there are a number of network monitoring solutions that are capable of automatically monitoring applications and issuing notifications when a service become unavailable. We particularly like the open source Nagios system because it’s easily extensible, feature rich, and low cost. In order to make it more useful in the context of Access Management deployments we’ve developed a Nagios plug-in called CkFormLogin that monitors every point in the simple form login process common to most Access Management systems:

1. Initial request for a protected website URL – CkFormLogin verifies that the initial request receives a redirect to the login page.
2. Login page availability – CkFormLogin follows the redirect and performs a content check on the login page to ensure that it is accessible and no errors are returned.
3. Authentication – After login page verification CkFormLogin issues an HTTP Post request with the username, password, or any other credentials to a configurable authentication URL. This step tests the functionality of a web server plug-in like a WebGate, Web Agent, or Policy Agent and implicitly verifies the availability and functionality of any policy/access servers, LDAP directories and other supporting infrastructure components.
4. Content check – Assuming that authentication has succeeded CkFormLogin will follow the redirect back to the requested page and execute a custom content check on the page. By checking for the presence of some personalized text, or other identity specific data, the plug-in assures that application components have properly recognized and authorized the test user at runtime.

In short, this process provides a high level of assurance that secure/protected sites, and all of their externalized security dependencies, are actually available and functional to end-users. If any step in the login, authentication or authorization process fails the plug-in will return an error and the appropriate support staff can be notified by Nagios based on its configurable notification rules. When used in conjunction with other Nagios plug-ins for TCP/IP socket connections, LDAP, and HTTP services it can even help to pinpoint the root cause of a failure before a support technician even starts to troubleshoot.

The plug-in itself was written to validate the form login features of Oracle COREid Access Manager, but should also work with the usual suspects (Siteminder, Sun Access Manager, custom form based authentication) without significant modification. Its simple to install, requiring only Nagios, Perl and a few CPAN libraries. Like Nagios, CkFormLogin is released as open source software under the GNU Public License. Feel free to check it out.

As part of a large Identity & Access Management project we’ve beenmigrating a number of LDAP dependent systems from running under ASP.NET 1.1 to the 2.0 framework. The upgrade process has been remarkably painless, with the notable exception of a small but significant “breaking” change to authentication with System.DirectoryServices. In .NET 1.1 it is perfectly acceptable to issue an LDAP simple bind with code like this:

DirectoryEntry entry = new DirectoryEntry("LDAP://ldap.somecompany.com:389/");
entry.Username = "cn=Directory Manager";
entry.Password = "bigsecret";
/*...use entry for searching, etc, here...*/

However, execution of this code will fail under the .NET 2.0 framework unless it is modified to explicitly set the DirectoryEntry’s AuthenticationType property, because the class constructor no longer defaults the propertyto None. Here is what new 2.0 code should look like:

DirectoryEntry entry = new DirectoryEntry("LDAP://ldap.somecompany.com:389/");
entry.Username = "cn=Directory Manager";
entry.Password = "bigsecret";
<strong>entry.AuthenticationType = AuthenticationTypes.None;</strong>
/*...use entry for searching, etc, here...*/

Overall, its an easy fix, but finding every use of an authenticated DirectoryEntry in code can be tricky…

Microsoft ADAM provides a nice LDIF export tool, roughly equivalent to ldapsearch, called ldifde. However, the ADAM directory itself tracks a number of internal attributes that will cause a subsequent import of a generated LDIF to fail. In order to get a “clean” export, you need to selectively omit, via the -o command line flag, those operational attributes that you’re not interested in exporting (line breaks inserted for readability):

ldifde -f c:\people.ldif 
  -d "ou=people,dc=xyz,dc=com" 
  -s localhost 
  -t 389 
  -r "(objectclass=*)" 
  -o   "whenCreated,whenChanged,uSNCreated,
          uSNChanged,name,objectGUID,badPwdCount,
          badPasswordTime,pwdLastSet,objectSid,objectCategory,
          dSCorePropagationData,lastLogonTimestamp,
          distinguishedName,instanceType,lockoutTime"

The output generated by the command can now be cleanly imported into another ldap directory, or into a separate ADAM instance using a simple import:

ldifde -i -f c:\people.ldif -s localhost -t 389