I had an idea a few years ago that it would be a great idea for IBM (or someone) to create a directory service that could be used BOTH for server and application security AND for application services. Like the directory in Domino does for Notes and Domino app builders today, but based on a platform (RDBMS) that everyone already has.
When I (re-) joined IBM in 2005, I wrote it up on an internal blog site. I think I got 3 comments. But I still think it's a good idea, and, so far as I can tell, nobody's implemented it yet. See what you think.
Here's a series of propositions that lead me to think that directory services should be based on relational database technology, especially to support collaboration technologies:
1. Collaboration technology rests, as one of its major foundations, on directory services. So do many other kinds of applications. 2. Most companies treat directories as security mechanisms only 3. Developing collaboration-based applications depends in part on access to good directory services, and that means a lot more than mere security 4. LDAP is good, but not good enough for collaboration apps 5. Directory services would improve dramatically if they were based on a transacted, relational data store 6. Nobody (that I know of, anyway) is combining these 2 technologies 7. Somebody should
I don't want this to turn into a book, so I will be brief in addressing these points.
1. Collaboration technology rests, as one of its major foundations, on directory services Collaboration online, as well as a lot of other things that happen online, depend on the application authenticating the user before allowing access. You have to know who the user is before deciding a) what they're going to be allowed to do, and b) to track what they did when they've done it. Without reliable authentication, you don't have either security OR collaboration (you can't collaborate when you don't know who is contributing to your content/workflow). Authentication and authorization both depend on access to a trusted directory service. Furthermore, directories are the right place to store the organizational information (e.g., "reports-to" hierarchies) that are required for most kinds of workflow apps.
2. Most companies treat directories as security mechanisms only Again, I think this is obvious by inspection. Certainly Microsoft has this attitude -- just look at any of their so-called Single Sign-on programming examples for .net. They all depend on looking up a password or something in a SQL database, nobody (in her right mind) would try to store that stuff in Active Directory.
3. Developing collaboration-based applications depends in part on access to good directory services, and that means a lot more than mere security Anyone who has developed a workflow app knows this. Beyond authentication you need authorization. And it has to accommodate per-application role-based stuff, not just coarse-grained access control. And you need it exposed in a way that's easy for AppDev types to use (LotusScript, @functions, whatever), in addition to the usual declarative mechanisms (e.g., ACLs). The directory "schema" needs to be extensible to accommodate random applicatoin needs.
4. LDAP is good, but not good enough for collaboration apps The beauty of using a standard protocol like LDAP to access directory services is that you don't have to care how the service is implemented, right? Well, only if "you" are an application developer. Then you don't, but if you're an admin, you sure do have to worry about it, because you have to build, populate and maintain it. These things are expensive, especially the maintenance part. Extensibility is difficult, because the underlying schemas are usually too rigid (this is an area where Domino really shines, the directory is "just another database", and it's not hard to extend the schema). I had the misfortune recently to have to use Active Directory APIs in a .NET app I built to test whether a given string represented a valid user name. Sheesh. All I can say is, it might be inflexible, but at least it's really hard to use.
J2ee says nothing about directories -- "just use LDAP". So they punt, which is reasonable for an app server, it gives you the ability to plug in the best available product. If you were going to implement a directory server with large data storage requirements, and with the ability to do a number of the things I mentioned above, what would you pick? I, for one, would NOT pick ISAM files. I've already said I like the flexibility provided by Domino's NSF solution, but of course that's not practical for all enterprises (especially if they don't have or want to install Domino).
5. Directory services would improve dramatically if they were based on a transacted, relational data store What are the characteristics a "good" directory service MUST have? Accessibility (no problem). Standard protocols (you can layer LDAP on top of nearly anything). Easy to administer/populate/query/maintain volatile data (that's what relational is all about). Secure (duh). Must be EASY to extend to handle arbitrary, per-application, per-user and per-group data (this is almost trivial in the relational model, just create a new table and join....).
6. Nobody is combining these 2 technologies I know Microsoft isn't (yet), nor is IBM. I discussed this topic with a Microsoft exec a few years ago (again, before I was an IBMer). I asked why they weren't doing this already (they have a good dbms too). "Too hard" he said. Personally, I don't think much of that as an excuse. If it's important enough, you find a way. But it's good news for everyone else -- it's a wide open space, with no other serious players. Google has yet to release an enterprise directory service of any kind, let alone the kind I'd like to see...
9. The opportunity is there! Someone could take a neglected area of online computing infrastructure and elevate it into a first-class member of a collaboration suite. They could own THE directory technology foundation of the next 25 years. Think of the patents! The market share! Think of all those happy, happy application developers (not to mention end-users)!
Of course, there are problems. You need more than just fast lookups and the ability to handle a lot of data. You need to add application artifacts (which, by definition, are not knowable in advance) seamlessly. And eventually that means that you have to modify the directory schema in some way or other. In the worst case, you might have to modify it for each class of applications that your enterprise needs to deploy (and that can be a lot). Sure, you can create generic schemas for application artifacts, up to a point, but the more you do that, the more you lose the ability to index in meaningful ways, and the more you slow down access. Sooner or later you're going to want to modify the schema.
Sun, Jun 8th 2014 11:10a Bob Balaban Greetings, geeks! I came across this problem on a project I'm doing: given a RESTful API on a web application server, how do you "throttle" calls so that a given authenticated user can only make a certain number of calls (N) per time interval (W), where both N and W are configurable. The solution I came up with is basically a “Token Bucket” with a sliding time window. What surprised me when I got something working was how easy it really was to implement. The context in whi [read] Keywords: application
"Employee of the Quarter" (not)
Fri, Dec 27th 2013 2:20p Bob Balaban Greetings, geeks! This one is not a technical topic, so feel free to move on. In my work email today, I received a shotgun message announcing the current "Employee of the Quarter". The lucky designee receives preferential parking (near the building entrance) for 3 months. There was a long-ish description of how great the EotQ is, and why they were selected for this honor. Not to take away from someone who is obviously (from the email description) a very hard worker, get-it-done typ [read] Keywords: email
Some Interesting Tech I’ve Been Involved With Lately
Sat, Apr 20th 2013 8:00p Bob Balaban Greetings, geeks! Some of you have been wondering what I've been up to lately. No, not a stealth-mode startup, not a new API for Notes/Domino, nothing like that. In fact, I'm at about the 6-month mark in a whole new (to me) tech area: storage and storage management. It's one of those things that's a whole lot more complicated than you'd ever think, until you start to dig into it. Me, I thought a "disk" started and ended with that box on the end of a USB cable that you plug into a la [read] Keywords: domino
The Interesting Difference Between "Exception" and "RuntimeException" (Java)
Sat, Feb 2nd 2013 6:30p Bob Balaban Greetings Geeks! I hope everyone who attended Lotusphere IBMConnect '13 had a good time and has returned home safely. I didn't attend (again, I stopped going after the first 17), but I've been hearing that it was pretty good. I learned something new about certain types of exceptions in Java programming the other day. Here's the context: I had an Enum class with a few items in it I had a String that came from outside the program that I wanted to convert into an enum'ed constant Thi [read] Keywords: lotusphere
"Reflections on Reflecting Light" - Java program
Wed, May 9th 2012 6:10p Bob Balaban Greetings Geeks! Today it is my very great pleasure to introduce to you a new guest blogger: my son David. He has graciously allowed me to prevail upon him to write about his recent science fair project, titled "Reflections on Reflecteing Light". That may sound innocuous, but to quote one of my favorite movies, "That's no ordinary rabbit!". David took this project through our local high school's science fair, was invited to the regional fair, and then to the Massachusetts state science [read] Keywords: blogger
Happy 5th? Yeah, 5th
Tue, Apr 10th 2012 8:40p Bob Balaban Greetings Geeks! So. March 30, 2007 was my first blog entry. Evidently I missed my own 5th Blanniversary! :-( Better late than never, I suppose. In theory, anyway :-) I know I don't post here often, but I do hope that when I do post, it's worth reading. For some people, anyway. I'll quote from a nice person who commented on that first post: "energetic,funny,cute--that's what I feel about you from your special explanation about "In Theory".I think you must be very content while wr [read] Keywords: lotus
"Programming Domino With Java" - Final Flush
Mon, Jan 2nd 2012 3:10a Bob Balaban Happy New Year, Geeks! Here's the 7th (and final) installment of the book. Thanks again for all the positive feedback. The first installment can be found here The 2nd installment is here The 3rd is here The 4th is here The 5th is here and the 6th is here All of the book content (as is all of the content on this blog) is Copyright 1998 and 2011 by Looseleaf Software, Inc. You may not reproduce or distribute the book's content without permission from me. Some Caveats and ex [read] Keywords: domino