Documentum Renewal: Identity Management

Continuing my Christmas present to EMC.  I’ve talked about Application Separation and the need to Focus on the Core.  Now it is time to revisit a critical piece of the puzzle, Identity Management.

This is not a new topic for me. One of my most popular posts this year is the Single Sign-On, SAML, and Authentication in Documentum post that I wrote back in 2007.  I’ve talked to EMC engineers and product managers about this issue repeatedly over the years.  It was one of those things that James McGovern always pinged EMC on when he was a regular blogger.

This is the reason that I feel eRoom died. This is what will stop application developers from using just any ECM platform.

A Letter to EMC About Federations

Dear EMC,

Hey there.  How are you doing? It was nice running into you at the AIIM Seminar last week.  I’ve been trying to tell people that CenterStage is not intended to take SharePoint out as we discussed.  People are listening, but only time will tell if it will matter.

I want to talk to you about an issue that I’ve been encountering.  I’ve talked to you about this before, but I’m not sure that you were paying attention.  I just wanted to mention it again to let you know that this is actually important.

Tip: Federations and Replicating LDAP Definitions

This was going to be part of my post, Documentum and LDAP, Time to Grow Up, but I decided to pull it out as a short post in the Tips section.  Partly because I haven’t posted a Tip in a while, and partly because I think this deserves a little more attention.

The issue? A Federation and multiple LDAP definitions. The solution, simple, but poorly documented.

The Heart of the Matter

Documentum and LDAP, Time to Grow Up

[Edit: See Comments for details on the “Why” of the edits.]

I’ve spent the last several weeks working on LDAP issues.  Some have been simple, others, not so much.  Suffice it to say, if you have Documentum 6.0 sp1, get the hot fixes for LDAP.  They are readily available from EMC.  Most of these are rolled up into D6.5 sp1.

Those issues aren’t what I want to talk about today. What I want to talk about is the advent of large systems and the need for applications, like Documentum, to accommodate the broader reality of some of today’s environments.

Before I go much deeper, I want to state that some vendors handle this worse than EMC, and some handle it better.  I’m not going to name names.  I do know at least one major player that does a much worse job, and I am pretty sure I can accurately pick one that handles it better.

ALL vendors need to understand this problem.

Enter the Multi-Domain Enterprise

Doquent’s “New in D6 Platform” Series

In case you’ve missed it, at the Content Management etc. blog, there is a series of entries talking about changes to the D6 platform. They are fairly thorough and should help show off some of the new features.

  • LDAP Integration Enhancements: This describes a feature that I have been waiting for since I heard about it last fall. I plan to use it for Documentum User Names and Default Folder assignments. The failover to a second LDAP server is a pleasant surprise.
  • Property Bag: This is a good explanation, but doesn’t go into why properties would be placed into a Property Bag, aside from performance aspects. I can see some uses, but I would have to work with it some to determine optimal uses.
  • Aspects: I’ve talked about this as one of the most anticipated parts of D6. Aspects has been used in previous versions, but is now opened up to everyone else. I can’t wait to actually get a chance to use these things in the wild.

Going to keep my eye out for more. Hopefully I’ll be adding to these posts soon.

Tips: Watch that Case

As most Documentum users and administrators will tell you, the login accounts for Documentum are case-sensitive. Regardless of source, LDAP or local, when logging into a Documentum system, you have to match. If the login name is DmAdmin, you have to type “DmAdmin”. If you type “dmadmin”, no matter how often you get the password correct, it will fail to authenticate you.

Tips: Fixing LDAP Group Membership

Many of you probably saw my last post on LDAP. It was about forcing a synchronization of LDAP back to a specific date. My basic problem was that a small subset of users were being dropped from one of the LDAP groups within Documentum. We had removed and then added them again, and the re-synch seemed to work. A few days later, they were gone. The question was why?

Single Sign-On, SAML, and Authentication in Documentum

I’ve been meaning to get back to this topic for quite some time. Before moving onto other Standards topics, I want to try and conclude this thread on SAML. James and I traded responses about authentication and SAML, and I applaud James for taking time to look into the capabilities of the DFC to respond to my previous post. James did get several details of the DFC incorrect, but not regarding any points important to this discussion.

Tips: Forcing an LDAP Update in Documentum

I ran into a problem the other day and I thought I would share the solution. I have encountered it before elsewhere, and that means others have encountered it before as well. Before I dive into the problem, I just want to say something to James. When Bex wrote about ECM systems storing Content, not Users, he presented a powerful and logical argument. Outside of the lab, I’ve had several clients where the network wasn’t ideal, and we were more than happy to store a copy of the user information inside of Documentum, only talking LDAP for authentication. I know the solution should be to fix the network, but sometimes that isn’t entirely possible. That is another story.

[REVISED 2007-8-03 (I hate this network)]

Standardizing Authentication

Been a busy week on the ECM standards front. There have been a lot of discussions going around. I’ve been silent on the topic as I’ve been focusing on learning more about SAML and XACML so that I can respond to James’ question. Plus, the dialogs are going great and I haven’t needed to keep them going.

I am not ready to give James an answer on XACML, yet. I feel I am ready to start a dialog on SAML though.

