Dear EMC,
Hey there. How are you doing? It was nice running into you at the AIIM Seminar last week. I’ve been trying to tell people that CenterStage is not intended to take SharePoint out as we discussed. People are listening, but only time will tell if it will matter.
I want to talk to you about an issue that I’ve been encountering. I’ve talked to you about this before, but I’m not sure that you were paying attention. I just wanted to mention it again to let you know that this is actually important.
I just spent 11 hours of my weekend creating a Federation in a production environment. It wasn’t the only thing being done to the environment this weekend, but it was a big-old dependency for many other tasks. We were creating a new repository and don’t want to manage our users (15K), or the corresponding ACLs, in multiple locations. Since a single repository was out of the question, we went the federated route.
Here is the creation process…I create a Federation in the global repository. It then creates a Federation object in the member repositories and then exports the users, groups, and roles into a file. That file is then ingested into the member repositories. The issue is, problems are always encountered during the process. You’ve told me that there is no recovery or “fix”. The answer, according to your tech support, is to delete the Federation and repeat the process. The deletion doesn’t always work and I have to confirm that the data in the database for all repositories reflect the deletion. There are a few service restarts in there to make sure that caches are clear as well.
This is repeated until it works. It isn’t helped that if a user is renamed in LDAP that the change doesn’t get reflected in the groups. This causes the group to fail when it is moved to another repository because it can’t find the user. Why the rename doesn’t work, or why you still use user names and not your unique object ids to do this linking, is for another day.
I finally got it all to work and my team is wrapping the deployment up, after many had to wait around for the Federation to complete. Someone brought in Krispy Kreme, so we aren’t starving (though we probably all lost a few days from our life span). I’m even coming to terms with missing the Tennessee-Florida game and the upset of Southern Cal by Washington yesterday.
Assuming that the process worked the first time, it should have been over and done in an hour or less. My client is paying for the time. The problem is, I can’t get that 10 hours back with my wife or kids. Half of my weekend is gone from this process and I want to know…
How are you going to help me make it up to my family?
See you soon.
-Pie
Word of Pie 
While Federation is a good idea, it doesn’t seem to have been significantly revisited since it’s first implementation (when was that? 4i?). There are so many things that can wreck the integrity of the LDIF.
You should see what happens when you try and mix version (5.3+D6) in one Federation…
LikeLike
Ben, meet a fellow choir singer. It is the same what I first learned in 4i, over 9 years ago. If a name is wrong in a group in the source (which should happen with LDAP synched gorups or users HINT HINT) repository, then the group isn’t created in the target because the user “doesn’t” exist. Don’t ask anyone how to safely remove a non-existent user from the middle of a list (dm_group_r) with over 13K users in it, they won’t commit. (The answer is to set the users_names value to NULL for undesired names).
LikeLike
If you did not get to see the Tigers whip WVU on Saturday, I think comp tickets to the Bama game are in order…;)
LikeLike
I saw the Auburn game. I left at the last minute and set a new time record getting home. I had to get up a 5am the next morning to get back in to finish though since I left before everything was wrapped up.
LikeLike