Identity & Security Management Cool Solutions

Using DNS Aliases with SPNEGO

matt — Fri, 06 Nov 2009 16:46:56 -0700

One of the great features of Novell Access Manager is the integrated single sign-on capability from Microsoft Active Directory (AD) domain member workstations. Through the use of Kerberos and the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO), the Access Manager Identity Server (IdS) can seamlessly authenticate a Windows desktop.

Users logon to the desktop using their normal credentials and then when they attempt to access an Access Manager protected site, they are not required to login again. Instead, a token is passed to the Access Manager IdS from the workstation. The IdS then verifies that token and allows the user access per the policies as defined in Access Manager.

Complete details on configuring Access Manager can be found in the product documentation. This basically works by the client requesting a service ticket from the domain controller for the IdS. The actual name it passes to the domain controller is known as the Service Principal Name (SPN).

The SPN is made up of three components, the protocol, the fully qualified domain name of the IdS and the client’s own AD domain name (known as the realm). So, for example, lets say that the DNS name of our IdS (the Base URL) is ids1.appdomain.com and our AD domain (the realm) is ad.appdomain.com. This would make our SPN, as sent by the workstation, the following:

HTTP/ids1.appdomain.com@AD.APPDOMAIN.COM

This is what would be sent to the domain controller (the protocol is always listed as HTTP even if it is HTTPS). The client gets back a token that has information about the user in a service ticket encrypted within the token. This is passed in the header to the IdS where it is decrypted (using the shared secret in the nidpkey.keytab file). At this point the user is authenticated and Access Manager will grant or deny access as appropriate.

This all works fine as long as the fully qualified domain name used to build the SPN matches the actual DNS host record (A record) returned when the Windows desktop does a DNS query for ids1.appdomain.com. But what happens if a DNS alias record (CNAME record) is used? Lets say now that the actual hostname of the server acting as the IdS is linux1.appdomain.com and that the DNS record for ids1.appdomain.com is actually a CNAME pointing at linux1.appdomain.com:

linux1.appdomain.com. 		IN A		10.1.1.1
ids1.appdomain.com.		IN CNAME	linux1.appdomain.com.

What happens in this scenario? When the client builds the SPN, it will look up ids1.appdomain.com which results in the CNAME being returned. It will then take the actual host record and use that to build the SPN, resulting in:

HTTP/linux1.appdomain.com@AD.APPDOMAIN.COM

This will be sent to the domain controller and will obviously fail since the SPN is incorrect, resulting in the browser being presented with a basic authentication dialog box (the IdS falls back to NTLM authentication).

The preferred solution to this problem is to put in a second host entry for the IdS, not a CNAME:

linux1.appdomain.com. 		IN A		10.1.1.1
ids1.appdomain.com.		IN A		10.1.1.1

This would result in a host record being returned to the client when it looks up ids1.appdomain.com and that is the value that would be used to build the SPN. However, there are situations where it may not be possible to enter another host record in DNS. For example, some fault tolerant layer-4 switching solutions provide for management of DNS entries as well in order to support disaster recovery scenarios (such as F5 Networks’ Global Traffic Manager). In this case, the switch may be managing and changing the DNS entries for the virtual IP addresses. Some organizations might use a dedicated or unique zone name for this and therefore have all application names referencing the switch managed entries thorough DNS aliases. In this case, a CNAME must be used.

This will work with Access Manager as long as the true, resolvable, host entry is used for the SPN. So in this example, if a CNAME is used for ids1, the value of linux1.appdomain.com would need to be used for the user ID in AD, in the Kerberos class properties (see figure 1), and in the bcsLogin.conf on the IdS server as shown below:

com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required
debug="true"
useTicketCache="true"
ticketCache="/opt/novell/java/jre/lib/security/spnegoTicket.cache"
doNotPrompt="true"
principal="HTTP/linux1.appdomain.com@AD.APPDOMAIN.COM"
useKeyTab="true"
keyTab="/opt/novell/java/jre/lib/security/nidpkey.keytab"
storeKey="true";
};

Figure 1: Kerberos Class Properties

Click to view.

However, the URL listed in the local trusted site list in the browser must still be the actual IdS base URL (ids1.appdomain.com in this example), not the true hostname as referenced in the A record.

Using the Kerberos feature in Access Manager is a great way to provide seamless single sign-on to Windows desktops. But it is important to understand how the client is resolving the IdS and building the SPN in order to ensure it functions reliably.

Cool Solutions

Webinar - The Novell Integrated Help Desk and Free BrainShare passes for eligible purchases

GroupLink1 — Fri, 06 Nov 2009 14:07:51 -0700

Are you planning on attending BrainShare this year and can't quite get the budget to attend? Are you in need of a help desk that integrates with your Novell environment? GroupLink would like to help you out!

GroupLink's everything HelpDesk solution, the Novell Integrated Help Desk Solution, features critical Novell integration:

- Schedule appointments, tasks and receive email notifications with GroupWise email and calendaring integration
- Manage your assests with NEW! powerful ZEN 10 integration
- Authenticate your users with essential eDirectory integration
- Lower overall costs by leveraging your current Novell technology

If you purchase at least 3 technician licenses of everything HelpDesk before the end of the year, you will receive a free BrainShare pass*. To kick off this great promotion and to learn more about how this solution can benefit your organization we have planned a special webinar. This webinar will feature Angie Veach, from Carrol Consolidated School Corp. She will discuss how this Novell integration has helped her organization be more effective and lower overall costs.

Date: December 3
Time: 11:00 am Eastern
Link: http://www.grouplink.net/redir.asp?id=2009102902

* of for new customers only, cannot be combined with any other promotion or discount.

Cool Solutions

Early Bird Discount: Save $300 on BrainShare

mattclayton — Fri, 06 Nov 2009 13:31:43 -0700

Novell has taken steps to make BrainShare more affordable by dropping the full price of the conference from US$1,895.00 to US$1,695.00. You can save an additional $300 with the "early bird" registration. The "early bird" rate of US$1,395.00 will be available until February 19, 2010. Learn more at http://www.novell.com/brainshare

Cool Solutions

Example walk through of using XPATH in Identity Manager

geoffc — Fri, 06 Nov 2009 11:41:46 -0700

Example of using XPATH in Identity Manager:

Novell Identity Manager originally started as Novell DirXML and required all work to be done in XSLT (XML Style sheets). XSLT is powerful language but not my personal favorite to work in.

With the release of Novell NSure Identity Manager 2.0 we saw the advent of DirXML Script an XML based language designed for the task of managing XML event documents. With each release of Identity Manager since, it has gotten better and better.

Just for the heck of it, I even wrote this article trying to track down what you can only do in XSLT at the moment, with the goal of chipping away at that list, where possible!

Open Call: What Can You Do in XSLT that You Cannot Do in DirXML Script?

There have been new features that make life a lot easier, and new tokens that are very powerful.

The nicest thing about using DirXML Script is that the management tools, iManager with the Identity Manager snapins, or Designer for Identity Manager (an Eclipse based tool for offline editing of a project) parse the XML into a really nice GUI interface that allows you to type it free form in XML, manipulate it in a GUI, or any combination of both. In fact, sometimes, due to the way nested items (if then code blocks, or for each loops) are shown in the GUI it is easier to fix things by switching over to the XML view and working there.

Some examples of the various tokens and things that can be done with DirXML Script are:

One of the languages that has been available inside XSLT and DirXML Script is called XPATH, the XML Path language, which is described here: http://www.w3.org/TR/1999/REC-xpath-19991116

However there is just not enough out there in terms of how to use XPATH in an Identity Manager context for people learning Identity Manager.

I have been working hard on that topic, and you can read some of my articles on the topic at:

XPATH General Concepts:

XPATH Cool tips:

I keep my eyes open as I work in Identity Manager for good examples of XPATH usage that might be handy to others, and this one happened to me today. I walked one of my coworkers through it, who is still learning XPATH, and realized it would be a great example to write an article about the process of debugging what I wanted to do.

For those who do not know, Designer has an XPATH tool built in. It is not perfect, we are told in the forums that there is one or two major issues that make it not 100% complaint with the way Identity Manager views XPATH, but for 99% of the things you need to do in XPATH in Identity Manager it should be fine.

Whenever you use an XPATH related token (strip by XPATH expression, if XPATH expression condition token, clone by XPATH expression, or the XPATH token in Argument Builder) you get a little icon to the right of the text box, that pops open the XPATH tool.

Click to view.

I will try and include some screen shots to make it clear what I mean, where it makes sense.

So what problem was I working on? Well we are syncing POSIX attributes (that is uidNumber, gidNumber, gecos, homeDirectory, loginShell and so on) between two trees. However, the posixAccount auxiliary class that often is used to contain the POSIX attributes that Unix and Linux need to define a user, has some mandatory values.

On a side note, it is a really bad idea in general to make an Auxiliary class have mandatory attributes. It makes it a ROYAL pain to work with! You cannot just add the class to an object by editing say Object Class, in Console One, since you need to save that change, before the UI will let you add one of the new attributes, but if the new attribute is mandatory, you cannot add the Object Class value without the mandatory attribute!

I do not dispute the logic behind this specific case, since it makes little sense to have just uidNumber without gidNumber, from a Unix server perspective, nonetheless it is really annoying.

Now in this particular tree, somehow the base class User got extended with the needed posixAccount attributes. Thus when we originally set this up and populated the tree, all was good, as we could add the POSIX attributes without problem to users in either tree. It was just part of base schema, no need for a posixAccount attribute.

Then things got strange. We found that some LDAP applications, I think it was AIX's equivalent to PAM on Linux, (Pluggable Authentication Modules, which I was sure AIX called LAM, but the AIX guy says he has never heard of that, not that it matters) when doing an LDAP bind to get user information we found that NMAS was throwing a strange failure error, and it looks like you explicitly require the posixAccount object class on the user for it to work. It is not enough to just have all the needed attribute, even though the query does not look for posixAccount. But if the object class does not include posixAccount it does not work. Crazy, but easy to fix.

Thus to fix it, we started adding posixAccount to users. However, we had a couple of edge cases where we should not have been sending it and I wanted to strip out the add object class for posixAccount. Usually when we are missing one of the POSIX attributes, in which case the entire event fails with a 609 Missing Mandatory error. (Because we are missing a mandatory attribute, that posixAccount requires)

Well you say, thats easy, that is what the token, strip operational attribute is for. Just do a strip operational attribute Object Class, and all will be fine.

Well there are way more instances where this might occur, and in fact there are legal cases where there might be several object class changes in one document, so what I really want is just to strip the specific object class add value of posixAccount.

Well thats what strip by XPATH expression is for. So what is my XPATH expression to remove the add of the value posixAccount into the Object Class attribute.

Off the top of my head, I tried the following XPATH statement:

modify-attr/add-attr[@attr-name="Object Class' and value/text()="posixAccount]

I opened it in the XPATH editor, (here is what it looks like empty)

Click to view.

and tracked down an example event document, to paste into the sample document on the left hand side in the XML source tab:

<nds dtdversion="3.5" ndsversion="8.x">
  <source>
    <product version="3.6.1.4427">DirXML</product>
    <contact>Novell, Inc.</contact>
  </source>
  <input>
    <modify cached-time="20091029133625.703Z" class-name="User" dest-dn="corp\acme\americas\Test Users\LDAPTEST" dest-entry-id="37551" event-id="AMERICAS-AD##124a0832994##0" qualified-src-dn="O=acme\OU=Users\CN=LDAPTEST" src-dn="\acme-IDV\acme\Users\LDAPTEST" src-entry-id="38906"
 timestamp="1256823385#2">
      <association state="associated">{2F95C242-557F-3c40-A3B8-2F95C242557F}</association>
      <modify-attr attr-name="userPrincipalName">
        <remove-all-values/>
        <add-value>
          <value timestamp="1256823385#2" type="string">LDAPTEST@acme.corp</value>
        </add-value>
      </modify-attr>
      <modify-attr attr-name="Object Class">
        <add-value>
          <value>posixAccount</value>
        </add-value>
      </modify-attr>
    </modify>
  </input>
</nds>

Click to view.

Before we start using the XPATH editor for real, lets make sure we can get it to work at all! So lets try a simple common XPATH selection. Lets select the src-dn XML attribute of the <modify> node. With XPATH, you can do a couple of very different things, which sometimes gets confusing, and the different uses depend on the context of tier use, which makes it more confusing.

Basically you can use XPATH to select a node, value, or attribute. That is the sort of thing you do in a set local variable kind of context. Makes sense, you want to set a variable to something in the event document.

Conversely you also can use XPATH to do math, and some string functions, in which case, you might also in a set local variable context try to add 86400 seconds to a Time value, to set the value to tomorrows time. erPrincipalName"] but wanted the value before the @ sign. Well you could combine the two into something like substring-before( attr[@attr-name="userPrincipalName"], "@") to get what you wanted.

Back to our example, lets make sure we can get the XPATH editor working with a simple test or two, starting with our @src-dn, which KNOW will work, since it is the most common example used in Identity Manager.

Click to view.

Ok, so I have my event doc on the left hand side, looks good, type in @src-dn as my expression, hit the arrow button to Go, and no nodes are found. What the dickens?

Well this stymied me for the longest time, and I just assumed this was broken, but it is really the simplest thing to resolve. The XPATH editor is a very generic XPATH editor. Identity Manager is a specific XPATH usage case, and it all comes down to the context node!

Its almost as easy to show it, as it to explain it... Look at this screen shot:

Click to view.

Here you can see I switched over to the XML Tree view on the left has side. The most important thing is I clicked on the Modify node. This sets the current context to the modify node (Which the XPATH Select Context bit on the right says is now /nds/input/modify) which is the default context in an Identity Manager example. Now suddenly we see a result! Once you do this, it starts being a really useful tool!

Back to my actual example now, and I had thought that this ought to be close:

modify-attr/add-attr[@attr-name="Object Class' and value/text()="posixAccount]

Well first thing the editor complained about where my typos. Miss matched the " and ' around the Object Class, and missed a close " at the end of posixAccount.

Click to view.

That left me with:

modify-attr/add-attr[@attr-name="Object Class" and value/text()="posixAccount"]

I switched the left hand pane to the tree node view of the sample XML event document and start looking at the actual document, and I realized my memory stinks!

First off, I got an <add> and <modify> event mixed up. In an <add> event, you get add-attr nodes, with an attr-name attribute, and then an add-value node and then a value node, or something like that. But in a modify, you get a modify-attr node, with an XML attribute of attr-name and then an add-value or remove-value (or remove-all-values) node under that, followed by a value node.

Thus no need for the add-attr, and the predicate (the stuff in square brackets []) needs to be on the modify-attr node.

That gets me closer with:

modify-attr[@attr-name="Object Class" and value/text()="posixAccount"]

But I get nothing the XPATH Editor, since nothing matches that criteria, and as I looked closer I realized I forgot that there is an add-value node to include in there. That leads me closer with:

Click to view.

modify-attr[@attr-name="Object Class"]/add-value/value="posixAccount"]

But there is an error at the end I am told. Oops, left a trailing ] and then I take that off and still an error.

Well I think I need to put a predicate on the add-value test, so that it looks more like:

modify-attr[@attr-name="Object Class"]/add-value[value/text()="posixAccount"]

So lets parse that out. Select the modify-attr node that matches the condition where the XML attribute attr-name is equal to the string "Object Class" and then under that node, lets select a add-value node, who has a value whose text string is equal to "posixAccount".

Now you can see the in the XPATH editor what it should look like:

Click to view.

I switched tabs over to the XML Source view, since in this case it is more useful when looking at results. Then you can see on the right hand side the XPATH Selected Context is still /nds/input/modify, which is what we want, and the XPATH expression is what I typed above, and in the results section, it selected an element, lines 16-18.

Look over the to the left hand side, and you can see that lines 16-18 is the <add-value> node to the close version of </add-value>. In this case I selected a node set, and it since what I originally wanted was to strip this out by XPATH, that looks to be what I wanted. This way if there is more than one Object class change, I will only remove this one node, and it is the only one, it leaves an empty modify-attr node, which usually gets cleaned up by the engine.

Tada. See was that so hard? Well yes, a little bit, but it gets a lot easier as you do it more often, and get better at it.

Cool Solutions

Open Call - IDM Association Values for eDirectory Objects

geoffc — Fri, 06 Nov 2009 06:50:36 -0700

Identity Manager stores an association value on each eDirectory object for each connected system.

The association value is meant to be connected in a system-specific way, and uniquely within it. Each driver handles this slightly differently.

I think it would be nice to have the complete list. Here are the ones I know about so far. If you know any more, please email me to add to the list! Or respond in the comments, or send me a personal message via Cool Solutions. All will work

Driver	Association Value
eDirectory	eDirectory GUID value
Active Directory	Active Directory GUID
Lotus Notes	UNID (Notes Universal ID) (32 char string), see Lothars comments down below for how to find the UNID value within Lotus Notes.
GroupWise	NGW: GroupWise ID, this is a string with three parts, DOM.PO.UserName{xxx}GUIDValue I do not know what the {xxx} means, nor whose GUID but everybody in a GW system seems to have the same values.
Delimited Text	email address, but you almost always change that
JDBC	Primary Key value
PeopleSoft	EMPLID (eDirs workforceID)
SAP HR	PERNUM (eDir workForceID) for users, or one letter for object type followed by the OBJID (and leading zeroes are not removed, so an Position's value might be S00001234)
Older SAP UM	"USd" followed by the SAP username
Newer SAP UM	With the CMP release, the SAP UM driver has a couple more modes. It still supports the old format, but now uses a new format of \SytemName\USdSAPUSERNAME which is the old value preceeded by the System name. Docs are here
Bidirectional AS400	USRPRF in the AS400 (basically the username)
Bidirectional Linux/Unix	usernameUser (Username value followed by literal string "User" no spaces. Same for groups, just the string is "Group"
Bidirectional RACF (Mainframe)	"USER\userid" or "GROUP\groupid"
Bidirectional TopSecret	eDir CN
Fanout	GUID of the user or group and then maintains its own "association", a multi-valued field, one per platform, which is just the "CN"
Loopback/Null	By default nothing, but you can add whatever you like
eXtend Composer shims	Whatever you set it to be, no default
User Application	Everybody gets the same value, "AnAssociation"
Scripting	No real default, whatever you set it to be
LDAP	LDAP DN of the user, like cn=bob,o=acme
JMS	Driver GUID & Message ID
Avaya PBX	/DRIVERNAME/workorderCN Time like /Avaya PBX/avaya.test07 01/19/2009 09:24:49:0756
Work Order	Workorder driver name, the workorder CN + creation date/timestamp, e.g "\MyWorkorderDriver\MyWorkorder 1/14/2009 15:23
Remedy	Schema name and request ID of the entry

Third Party Drivers

Third Party Driver	Association Value
Google Apps by Concensus Consulting	Google Username since it cannot be renamed
Pulsen Snapshot Driver V3 by Pulsen	LDAP: Any attribute value available in the application (including dn). ODBC: Any column value available in the result set or a concatenated value from two or more columns (since the association is taken from one column in a result set and not a table it could be anything that a SQL statement can generate).
HL7 Driver from EST Group	A derived value to insure uniqueness
Google Apps Driver from EST Group	Full domain address of the destination domain
Tivoli Access Manager Driver from EST Group	Source DN of the object, since there is nothing unique that TAM provides

Here are the known drivers we are missing values for:

Driver	Association Value
SOAP	I imagine it is whatever you set it to be
SIF	Never seen this driver, so no idea, anyone? Bueller, Bueller?

Did I miss any drivers? I know there are custom ones out there, so if you know of any let me know! But also lets focus on Novell provided ones

Shout out via the comments if you know one that we are missing! Feel free to email me, or send me a message via Cool Solutions if you would like.

Cool Solutions

Using jQuery in Identity Manager Roles Based Provisioning Module Workflow Forms

stevewdj — Thu, 05 Nov 2009 16:15:59 -0700

Please see the attached UseJQuery.pdf document and sample Provisioning Request Definition. It will be necessary to rename JQuery-CoolSolution.xml.txt to JQuery-CoolSolution.xml before it can be loaded into the Designer.

Using jQuery in Identity Manager Roles Based Provisioning Module Workflow Forms

by Joe Craddock, Bess Siegal, Steve Williams

Introduction

For increased styling, layout, and functionality flexibility, jQuery can be employed to greatly enhance your workflow request and approval forms. Two examples are outlined in this document. A Simple Example shows and hides blocks of fields using CSS and injects labels to the right of some fields. An Advanced Example creates tabs, places controls / fields on the tabs, and inserts a Google Map for obtaining latitude and longitude coordinates.

A. Simple Example

Figure A1

Click to view.

This is a sample workflow request form, comprised of two (2) sections, "Personal Information" and "Work Information." A true/false Radio Button control toggles the appearance of the "Work Information" section. It addresses some customers' specific needs, namely:

Include an image logo in the first column, such as a PeopleSoft icon when the workflow request is for access to PeopleSoft. In this example the Novell logo appears (does not require jQuery).
Include two (2) labels for a single control, such as English to the left of the field and Hebrew to the right of the field. In this example German labels are included for certain fields.
Hide and show blocks of fields using CSS.

Fields

The fields of the workflow form are shown in Figure A2.

Figure A2

Click to view.

Custom CSS class names have been applied to each control and label in the following manner:

Radio Button elements	CSS class names
Field CCS class name(s)	cust-radio
Label CCS class name(s)	cust-radio-label

Personal Information elements	CSS class names
Field CCS class name(s)	cust-personal cust-field
Label CCS class name(s)	cust-label

Work Information elements	CSS class names
Field CCS class name(s)	cust-job cust-field
Label CCS class name(s)	cust-label

The following lines of CSS can be added to theme.css of the custom theme, or you may add them as internal CSS using the "counter-wrapping" technique outlined in the Advanced Example (see Inclusion of jQuery UI CSS Framework).

.cust-personal{
}
.cust-field{
font-size: 10px;
}
.cust-label{
font-weight: bold;
font-size: 12px;
white-space: nowrap;
}
.cust-deLabel {
font-size: 12px;
font-style: italic;
padding-left: 5px;
}
.cust-job{
}
.cust-radio-label {
font-weight: bold;
font-size: 12px;
white-space: nowrap;
background-image: url(images/N_logo_22.png);
background-position: 0px 0px;
background-repeat: no-repeat;
height:30px;
padding-left:20px;
padding-top:3px;
}
.cust-radio {
font-size: 12px;
}
.cust-radio input {
width: 1em;
margin-left: 3em;
text-align: left;
}

Note: If the inline script option is used then the following line needs to be changed
from: background-image: url(images/N_logo_22.png);
to: background-image: url(resource/themes/Neptune/images/N_logo_22.png);

Scripts

All the jQuery injection is done from the Scripts tab of the Forms tab (see Figure A3) in Designer.

Figure A3

Click to view.

Logo

The Novell logo appears next to the radio button label by specifying the cust-radio-label class name as described above.

jQuery

External script with Id of "Script" is the google library to load jQuery. It's value is:
http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js

Hide/Show "Work Information"

Inline Script

Inline script with Id of "Script1" is the simple jQuery to hide or show fields and labels that have the "cust-job" class or the "headingcust" ID. "Script1" is below:

//Show/Hide 'job' related fields
function showWork(show)
{
$(".cust-job").each(function() {
var td = $(this).parent();
var tr = td.parent();
if (show) {
tr.show();
$("#_headingjob").show();
} else {
tr.hide();
$("#_headingjob").hide();
}
});
//show/hide tr holding field with class-name "cust-job"
//since whole tr gets hidden with display:none anyway
//title cannot have custom class, so get it by ID
}

onchange event

The onchange event of the radio button has the following code:

if (field.getValue() == 'true')
{
showWork(true);
}
else if (field.getValue() == 'false')
{
showWork(false);
}

Pre-Activity

The Pre-Activity of the Start activity on the Data Item Mapping tab has "false" specified for the Source Expression of radio.

Add Labels to the Right

Inline script with Id of "Script2" is script using jQuery to insert the German labels to the right of some fields by adding an extra table column where needed. "Script2" is below:

// insert right labels
$(document).ready(function(){
var fld = ["FirstName", "LastName", "HomePhone", "JobTitle", "WorkPhone"];
var de = ["Vorname", "Zuname", "Haus Telefonnummer", "Job-Titel", "Arbeit
Telefonnummer"];
for (var i = 0; i < 5; i++) {
var td = $("#_" + fld[i]).parent();
var tr = td.parent();
tr.append("<td class=\"cust-deLabel\">" + de[i] + "</td>");
}
});

B. Advanced Example – Tabs and Google Map

Figure B1

Click to view.

Building on the Simple Example, the Advanced Example adds a Google Map to determine latitude and longitude coordinates. In addition, tabs are added putting the Home and Work Information of the Simple Example into the last tab.

Fields

Additional fields need to be inserted (see Figure B2). The naming convention of the tabs is used in the Scripts section.

Figure B2

Click to view.

Scripts

All the jQuery injection is done from the Scripts tab of the Forms tab (see Figure B3) in Designer.

Figure B3

Click to view.

Inclusion of jQuery UI CSS Framework

The value of script with Id of "Script3" above is used to inject jQuery UI CSS framework into the workflow form. This will allow tabs to be created. It is slightly modified so that input fields will remain consistent with the rest of the application with font-size: 11px instead of 1em. "Script3" is shown below:

</script>
<style type="text/css">
/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
*/
/* Layout helpers
----------------------------------*/
.ui-helper-hidden { display: none; }
.ui-helper-hidden-accessible { position: absolute; left: -99999999px; }
.ui-helper-reset { margin: 0; padding: 0; border: 0; outline: 0; line-height: 1.3;
text-decoration: none; font-size: 100%; list-style: none; }
.ui-helper-clearfix:after { content: "."; display: block; height: 0; clear: both;
visibility: hidden; }
.ui-helper-clearfix { display: inline-block; }
/* required comment for clearfix to work in Opera \*/
* html .ui-helper-clearfix { height:1%; }
.ui-helper-clearfix { display:block; }
/* end clearfix */
.ui-helper-zfix { width: 100%; height: 100%; top: 0; left: 0; position: absolute;
opacity: 0; filter:Alpha(Opacity=0); }
/* Interaction Cues
----------------------------------*/
.ui-state-disabled { cursor: default !important; }
/* Icons
----------------------------------*/
/* states and images */
.ui-icon { display: block; text-indent: -99999px; overflow: hidden; backgroundrepeat:
no-repeat; }
/* Misc visuals
----------------------------------*/
/* Overlays */
.ui-widget-overlay { position: absolute; top: 0; left: 0; width: 100%; height:
100%; }
/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify this theme, visit http://jqueryui.com/themeroller/?
ffDefault=Verdana,Arial,sansserif&
fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgText
ureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHe
ader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.p
ng&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorConte
nt=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=7
5&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=d
adada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHo
ver=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&
bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=4545
45&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55
&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorEr
ror=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a
&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_fla
t.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=
01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShad
ow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px
*/
/* Component containers
----------------------------------*/
.ui-widget { font-family: Verdana,Arial,sans-serif; font-size: 1.1em; }
.ui-widget input, .ui-widget select, .ui-widget textarea, .ui-widget button { fontfamily:
Verdana,Arial,sans-serif; font-size: 11px; }
.ui-widget-content { border: 1px solid #aaaaaa; background: #ffffff url(images/uibg_
flat_75_ffffff_40x100.png) 50% 50% repeat-x; color: #222222; }
.ui-widget-content a { color: #222222; }
.ui-widget-header { border: 1px solid #aaaaaa; background: #cccccc url(images/uibg_
highlight-soft_75_cccccc_1x100.png) 50% 50% repeat-x; color: #222222; fontweight:
bold; }
.ui-widget-header a { color: #222222; }
/* Interaction states
----------------------------------*/
.ui-state-default, .ui-widget-content .ui-state-default { border: 1px solid
#d3d3d3; background: #e6e6e6 url(images/ui-bg_glass_75_e6e6e6_1x400.png) 50% 50%
repeat-x; font-weight: normal; color: #555555; outline: none; }
.ui-state-default a, .ui-state-default a:link, .ui-state-default a:visited { color:
#555555; text-decoration: none; outline: none; }
.ui-state-hover, .ui-widget-content .ui-state-hover, .ui-state-focus, .ui-widgetcontent
.ui-state-focus { border: 1px solid #999999; background: #dadada
url(images/ui-bg_glass_75_dadada_1x400.png) 50% 50% repeat-x; font-weight: normal;
color: #212121; outline: none; }
.ui-state-hover a, .ui-state-hover a:hover { color: #212121; text-decoration: none;
outline: none; }
.ui-state-active, .ui-widget-content .ui-state-active { border: 1px solid #aaaaaa;
background: #ffffff url(images/ui-bg_glass_65_ffffff_1x400.png) 50% 50% repeat-x;
font-weight: normal; color: #212121; outline: none; }
.ui-state-active a, .ui-state-active a:link, .ui-state-active a:visited { color:
#212121; outline: none; text-decoration: none; }
/* Interaction Cues
----------------------------------*/
.ui-state-highlight, .ui-widget-content .ui-state-highlight {border: 1px solid
#fcefa1; background: #fbf9ee url(images/ui-bg_glass_55_fbf9ee_1x400.png) 50% 50%
repeat-x; color: #363636; }
.ui-state-highlight a, .ui-widget-content .ui-state-highlight a { color: #363636; }
.ui-state-error, .ui-widget-content .ui-state-error {border: 1px solid #cd0a0a;
background: #fef1ec url(images/ui-bg_glass_95_fef1ec_1x400.png) 50% 50% repeat-x;
color: #cd0a0a; }
.ui-state-error a, .ui-widget-content .ui-state-error a { color: #cd0a0a; }
.ui-state-error-text, .ui-widget-content .ui-state-error-text { color: #cd0a0a; }
.ui-state-disabled, .ui-widget-content .ui-state-disabled { opacity: .35;
filter:Alpha(Opacity=35); background-image: none; }
.ui-priority-primary, .ui-widget-content .ui-priority-primary { font-weight: bold;
}
.ui-priority-secondary, .ui-widget-content .ui-priority-secondary { opacity: .7;
filter:Alpha(Opacity=70); font-weight: normal; }
/* Icons
----------------------------------*/
/* states and images */
.ui-icon { width: 16px; height: 16px; background-image: url(images/uiicons_
222222_256x240.png); }
.ui-widget-content .ui-icon {background-image: url(images/uiicons_
222222_256x240.png); }
.ui-widget-header .ui-icon {background-image: url(images/uiicons_
222222_256x240.png); }
.ui-state-default .ui-icon { background-image: url(images/uiicons_
888888_256x240.png); }
.ui-state-hover .ui-icon, .ui-state-focus .ui-icon {background-image:
url(images/ui-icons_454545_256x240.png); }
.ui-state-active .ui-icon {background-image: url(images/uiicons_
454545_256x240.png); }
.ui-state-highlight .ui-icon {background-image: url(images/uiicons_
2e83ff_256x240.png); }
.ui-state-error .ui-icon, .ui-state-error-text .ui-icon {background-image:
url(images/ui-icons_cd0a0a_256x240.png); }
/* positioning */
.ui-icon-carat-1-n { background-position: 0 0; }
.ui-icon-carat-1-ne { background-position: -16px 0; }
.ui-icon-carat-1-e { background-position: -32px 0; }
.ui-icon-carat-1-se { background-position: -48px 0; }
.ui-icon-carat-1-s { background-position: -64px 0; }
.ui-icon-carat-1-sw { background-position: -80px 0; }
.ui-icon-carat-1-w { background-position: -96px 0; }
.ui-icon-carat-1-nw { background-position: -112px 0; }
.ui-icon-carat-2-n-s { background-position: -128px 0; }
.ui-icon-carat-2-e-w { background-position: -144px 0; }
.ui-icon-triangle-1-n { background-position: 0 -16px; }
.ui-icon-triangle-1-ne { background-position: -16px -16px; }
.ui-icon-triangle-1-e { background-position: -32px -16px; }
.ui-icon-triangle-1-se { background-position: -48px -16px; }
.ui-icon-triangle-1-s { background-position: -64px -16px; }
.ui-icon-triangle-1-sw { background-position: -80px -16px; }
.ui-icon-triangle-1-w { background-position: -96px -16px; }
.ui-icon-triangle-1-nw { background-position: -112px -16px; }
.ui-icon-triangle-2-n-s { background-position: -128px -16px; }
.ui-icon-triangle-2-e-w { background-position: -144px -16px; }
.ui-icon-arrow-1-n { background-position: 0 -32px; }
.ui-icon-arrow-1-ne { background-position: -16px -32px; }
.ui-icon-arrow-1-e { background-position: -32px -32px; }
.ui-icon-arrow-1-se { background-position: -48px -32px; }
.ui-icon-arrow-1-s { background-position: -64px -32px; }
.ui-icon-arrow-1-sw { background-position: -80px -32px; }
.ui-icon-arrow-1-w { background-position: -96px -32px; }
.ui-icon-arrow-1-nw { background-position: -112px -32px; }
.ui-icon-arrow-2-n-s { background-position: -128px -32px; }
.ui-icon-arrow-2-ne-sw { background-position: -144px -32px; }
.ui-icon-arrow-2-e-w { background-position: -160px -32px; }
.ui-icon-arrow-2-se-nw { background-position: -176px -32px; }
.ui-icon-arrowstop-1-n { background-position: -192px -32px; }
.ui-icon-arrowstop-1-e { background-position: -208px -32px; }
.ui-icon-arrowstop-1-s { background-position: -224px -32px; }
.ui-icon-arrowstop-1-w { background-position: -240px -32px; }
.ui-icon-arrowthick-1-n { background-position: 0 -48px; }
.ui-icon-arrowthick-1-ne { background-position: -16px -48px; }
.ui-icon-arrowthick-1-e { background-position: -32px -48px; }
.ui-icon-arrowthick-1-se { background-position: -48px -48px; }
.ui-icon-arrowthick-1-s { background-position: -64px -48px; }
.ui-icon-arrowthick-1-sw { background-position: -80px -48px; }
.ui-icon-arrowthick-1-w { background-position: -96px -48px; }
.ui-icon-arrowthick-1-nw { background-position: -112px -48px; }
.ui-icon-arrowthick-2-n-s { background-position: -128px -48px; }
.ui-icon-arrowthick-2-ne-sw { background-position: -144px -48px; }
.ui-icon-arrowthick-2-e-w { background-position: -160px -48px; }
.ui-icon-arrowthick-2-se-nw { background-position: -176px -48px; }
.ui-icon-arrowthickstop-1-n { background-position: -192px -48px; }
.ui-icon-arrowthickstop-1-e { background-position: -208px -48px; }
.ui-icon-arrowthickstop-1-s { background-position: -224px -48px; }
.ui-icon-arrowthickstop-1-w { background-position: -240px -48px; }
.ui-icon-arrowreturnthick-1-w { background-position: 0 -64px; }
.ui-icon-arrowreturnthick-1-n { background-position: -16px -64px; }
.ui-icon-arrowreturnthick-1-e { background-position: -32px -64px; }
.ui-icon-arrowreturnthick-1-s { background-position: -48px -64px; }
.ui-icon-arrowreturn-1-w { background-position: -64px -64px; }
.ui-icon-arrowreturn-1-n { background-position: -80px -64px; }
.ui-icon-arrowreturn-1-e { background-position: -96px -64px; }
.ui-icon-arrowreturn-1-s { background-position: -112px -64px; }
.ui-icon-arrowrefresh-1-w { background-position: -128px -64px; }
.ui-icon-arrowrefresh-1-n { background-position: -144px -64px; }
.ui-icon-arrowrefresh-1-e { background-position: -160px -64px; }
.ui-icon-arrowrefresh-1-s { background-position: -176px -64px; }
.ui-icon-arrow-4 { background-position: 0 -80px; }
.ui-icon-arrow-4-diag { background-position: -16px -80px; }
.ui-icon-extlink { background-position: -32px -80px; }
.ui-icon-newwin { background-position: -48px -80px; }
.ui-icon-refresh { background-position: -64px -80px; }
.ui-icon-shuffle { background-position: -80px -80px; }
.ui-icon-transfer-e-w { background-position: -96px -80px; }
.ui-icon-transferthick-e-w { background-position: -112px -80px; }
.ui-icon-folder-collapsed { background-position: 0 -96px; }
.ui-icon-folder-open { background-position: -16px -96px; }
.ui-icon-document { background-position: -32px -96px; }
.ui-icon-document-b { background-position: -48px -96px; }
.ui-icon-note { background-position: -64px -96px; }
.ui-icon-mail-closed { background-position: -80px -96px; }
.ui-icon-mail-open { background-position: -96px -96px; }
.ui-icon-suitcase { background-position: -112px -96px; }
.ui-icon-comment { background-position: -128px -96px; }
.ui-icon-person { background-position: -144px -96px; }
.ui-icon-print { background-position: -160px -96px; }
.ui-icon-trash { background-position: -176px -96px; }
.ui-icon-locked { background-position: -192px -96px; }
.ui-icon-unlocked { background-position: -208px -96px; }
.ui-icon-bookmark { background-position: -224px -96px; }
.ui-icon-tag { background-position: -240px -96px; }
.ui-icon-home { background-position: 0 -112px; }
.ui-icon-flag { background-position: -16px -112px; }
.ui-icon-calendar { background-position: -32px -112px; }
.ui-icon-cart { background-position: -48px -112px; }
.ui-icon-pencil { background-position: -64px -112px; }
.ui-icon-clock { background-position: -80px -112px; }
.ui-icon-disk { background-position: -96px -112px; }
.ui-icon-calculator { background-position: -112px -112px; }
.ui-icon-zoomin { background-position: -128px -112px; }
.ui-icon-zoomout { background-position: -144px -112px; }
.ui-icon-search { background-position: -160px -112px; }
.ui-icon-wrench { background-position: -176px -112px; }
.ui-icon-gear { background-position: -192px -112px; }
.ui-icon-heart { background-position: -208px -112px; }
.ui-icon-star { background-position: -224px -112px; }
.ui-icon-link { background-position: -240px -112px; }
.ui-icon-cancel { background-position: 0 -128px; }
.ui-icon-plus { background-position: -16px -128px; }
.ui-icon-plusthick { background-position: -32px -128px; }
.ui-icon-minus { background-position: -48px -128px; }
.ui-icon-minusthick { background-position: -64px -128px; }
.ui-icon-close { background-position: -80px -128px; }
.ui-icon-closethick { background-position: -96px -128px; }
.ui-icon-key { background-position: -112px -128px; }
.ui-icon-lightbulb { background-position: -128px -128px; }
.ui-icon-scissors { background-position: -144px -128px; }
.ui-icon-clipboard { background-position: -160px -128px; }
.ui-icon-copy { background-position: -176px -128px; }
.ui-icon-contact { background-position: -192px -128px; }
.ui-icon-image { background-position: -208px -128px; }
.ui-icon-video { background-position: -224px -128px; }
.ui-icon-script { background-position: -240px -128px; }
.ui-icon-alert { background-position: 0 -144px; }
.ui-icon-info { background-position: -16px -144px; }
.ui-icon-notice { background-position: -32px -144px; }
.ui-icon-help { background-position: -48px -144px; }
.ui-icon-check { background-position: -64px -144px; }
.ui-icon-bullet { background-position: -80px -144px; }
.ui-icon-radio-off { background-position: -96px -144px; }
.ui-icon-radio-on { background-position: -112px -144px; }
.ui-icon-pin-w { background-position: -128px -144px; }
.ui-icon-pin-s { background-position: -144px -144px; }
.ui-icon-play { background-position: 0 -160px; }
.ui-icon-pause { background-position: -16px -160px; }
.ui-icon-seek-next { background-position: -32px -160px; }
.ui-icon-seek-prev { background-position: -48px -160px; }
.ui-icon-seek-end { background-position: -64px -160px; }
.ui-icon-seek-first { background-position: -80px -160px; }
.ui-icon-stop { background-position: -96px -160px; }
.ui-icon-eject { background-position: -112px -160px; }
.ui-icon-volume-off { background-position: -128px -160px; }
.ui-icon-volume-on { background-position: -144px -160px; }
.ui-icon-power { background-position: 0 -176px; }
.ui-icon-signal-diag { background-position: -16px -176px; }
.ui-icon-signal { background-position: -32px -176px; }
.ui-icon-battery-0 { background-position: -48px -176px; }
.ui-icon-battery-1 { background-position: -64px -176px; }
.ui-icon-battery-2 { background-position: -80px -176px; }
.ui-icon-battery-3 { background-position: -96px -176px; }
.ui-icon-circle-plus { background-position: 0 -192px; }
.ui-icon-circle-minus { background-position: -16px -192px; }
.ui-icon-circle-close { background-position: -32px -192px; }
.ui-icon-circle-triangle-e { background-position: -48px -192px; }
.ui-icon-circle-triangle-s { background-position: -64px -192px; }
.ui-icon-circle-triangle-w { background-position: -80px -192px; }
.ui-icon-circle-triangle-n { background-position: -96px -192px; }
.ui-icon-circle-arrow-e { background-position: -112px -192px; }
.ui-icon-circle-arrow-s { background-position: -128px -192px; }
.ui-icon-circle-arrow-w { background-position: -144px -192px; }
.ui-icon-circle-arrow-n { background-position: -160px -192px; }
.ui-icon-circle-zoomin { background-position: -176px -192px; }
.ui-icon-circle-zoomout { background-position: -192px -192px; }
.ui-icon-circle-check { background-position: -208px -192px; }
.ui-icon-circlesmall-plus { background-position: 0 -208px; }
.ui-icon-circlesmall-minus { background-position: -16px -208px; }
.ui-icon-circlesmall-close { background-position: -32px -208px; }
.ui-icon-squaresmall-plus { background-position: -48px -208px; }
.ui-icon-squaresmall-minus { background-position: -64px -208px; }
.ui-icon-squaresmall-close { background-position: -80px -208px; }
.ui-icon-grip-dotted-vertical { background-position: 0 -224px; }
.ui-icon-grip-dotted-horizontal { background-position: -16px -224px; }
.ui-icon-grip-solid-vertical { background-position: -32px -224px; }
.ui-icon-grip-solid-horizontal { background-position: -48px -224px; }
.ui-icon-gripsmall-diagonal-se { background-position: -64px -224px; }
.ui-icon-grip-diagonal-se { background-position: -80px -224px; }
/* Misc visuals
----------------------------------*/
/* Corner radius */
.ui-corner-tl { -moz-border-radius-topleft: 4px; -webkit-border-top-left-radius:
4px; }
.ui-corner-tr { -moz-border-radius-topright: 4px; -webkit-border-top-right-radius:
4px; }
.ui-corner-bl { -moz-border-radius-bottomleft: 4px; -webkit-border-bottom-leftradius:
4px; }
.ui-corner-br { -moz-border-radius-bottomright: 4px; -webkit-border-bottom-rightradius:
4px; }
.ui-corner-top { -moz-border-radius-topleft: 4px; -webkit-border-top-left-radius:
4px; -moz-border-radius-topright: 4px; -webkit-border-top-right-radius: 4px; }
.ui-corner-bottom { -moz-border-radius-bottomleft: 4px; -webkit-border-bottom-leftradius:
4px; -moz-border-radius-bottomright: 4px; -webkit-border-bottom-rightradius:
4px; }
.ui-corner-right { -moz-border-radius-topright: 4px; -webkit-border-top-rightradius:
4px; -moz-border-radius-bottomright: 4px; -webkit-border-bottom-rightradius:
4px; }
.ui-corner-left { -moz-border-radius-topleft: 4px; -webkit-border-top-left-radius:
4px; -moz-border-radius-bottomleft: 4px; -webkit-border-bottom-left-radius: 4px; }
.ui-corner-all { -moz-border-radius: 4px; -webkit-border-radius: 4px; }
/* Overlays */
.ui-widget-overlay { background: #aaaaaa url(images/ui-bg_flat_0_aaaaaa_40x100.png)
50% 50% repeat-x; opacity: .30;filter:Alpha(Opacity=30); }
.ui-widget-shadow { margin: -8px 0 0 -8px; padding: 8px; background: #aaaaaa
url(images/ui-bg_flat_0_aaaaaa_40x100.png) 50% 50% repeat-x; opacity: .
30;filter:Alpha(Opacity=30); -moz-border-radius: 8px; -webkit-border-radius: 8px;
}/* Accordion
----------------------------------*/
.ui-accordion .ui-accordion-header { cursor: pointer; position: relative; margintop:
1px; zoom: 1; }
.ui-accordion .ui-accordion-li-fix { display: inline; }
.ui-accordion .ui-accordion-header-active { border-bottom: 0 !important; }
.ui-accordion .ui-accordion-header a { display: block; font-size: 1em; padding: .
5em .5em .5em 2.2em; }
.ui-accordion .ui-accordion-header .ui-icon { position: absolute; left: .5em; top:
50%; margin-top: -8px; }
.ui-accordion .ui-accordion-content { padding: 1em 2.2em; border-top: 0; margintop:
-2px; position: relative; top: 1px; margin-bottom: 2px; overflow: auto;
display: none; }
.ui-accordion .ui-accordion-content-active { display: block; }/* Datepicker
----------------------------------*/
.ui-datepicker { width: 17em; padding: .2em .2em 0; }
.ui-datepicker .ui-datepicker-header { position:relative; padding:.2em 0; }
.ui-datepicker .ui-datepicker-prev, .ui-datepicker .ui-datepicker-next {
position:absolute; top: 2px; width: 1.8em; height: 1.8em; }
.ui-datepicker .ui-datepicker-prev-hover, .ui-datepicker .ui-datepicker-next-hover
{ top: 1px; }
.ui-datepicker .ui-datepicker-prev { left:2px; }
.ui-datepicker .ui-datepicker-next { right:2px; }
.ui-datepicker .ui-datepicker-prev-hover { left:1px; }
.ui-datepicker .ui-datepicker-next-hover { right:1px; }
.ui-datepicker .ui-datepicker-prev span, .ui-datepicker .ui-datepicker-next span {
display: block; position: absolute; left: 50%; margin-left: -8px; top: 50%; margintop:
-8px; }
.ui-datepicker .ui-datepicker-title { margin: 0 2.3em; line-height: 1.8em; textalign:
center; }
.ui-datepicker .ui-datepicker-title select { float:left; font-size:1em; margin:1px
0; }
.ui-datepicker select.ui-datepicker-month-year {width: 100%;}
.ui-datepicker select.ui-datepicker-month,
.ui-datepicker select.ui-datepicker-year { width: 49%;}
.ui-datepicker .ui-datepicker-title select.ui-datepicker-year { float: right; }
.ui-datepicker table {width: 100%; font-size: .9em; border-collapse: collapse;
margin:0 0 .4em; }
.ui-datepicker th { padding: .7em .3em; text-align: center; font-weight: bold;
border: 0; }
.ui-datepicker td { border: 0; padding: 1px; }
.ui-datepicker td span, .ui-datepicker td a { display: block; padding: .2em; textalign:
right; text-decoration: none; }
.ui-datepicker .ui-datepicker-buttonpane { background-image: none; margin: .7em 0 0
0; padding:0 .2em; border-left: 0; border-right: 0; border-bottom: 0; }
.ui-datepicker .ui-datepicker-buttonpane button { float: right; margin: .5em .
2em .4em; cursor: pointer; padding: .2em .6em .3em .6em; width:auto;
overflow:visible; }
.ui-datepicker .ui-datepicker-buttonpane button.ui-datepicker-current { float:left;
}
/* with multiple calendars */
.ui-datepicker.ui-datepicker-multi { width:auto; }
.ui-datepicker-multi .ui-datepicker-group { float:left; }
.ui-datepicker-multi .ui-datepicker-group table { width:95%; margin:0 auto .4em; }
.ui-datepicker-multi-2 .ui-datepicker-group { width:50%; }
.ui-datepicker-multi-3 .ui-datepicker-group { width:33.3%; }
.ui-datepicker-multi-4 .ui-datepicker-group { width:25%; }
.ui-datepicker-multi .ui-datepicker-group-last .ui-datepicker-header { border-leftwidth:
0; }
.ui-datepicker-multi .ui-datepicker-group-middle .ui-datepicker-header { borderleft-
width:0; }
.ui-datepicker-multi .ui-datepicker-buttonpane { clear:left; }
.ui-datepicker-row-break { clear:both; width:100%; }
/* RTL support */
.ui-datepicker-rtl { direction: rtl; }
.ui-datepicker-rtl .ui-datepicker-prev { right: 2px; left: auto; }
.ui-datepicker-rtl .ui-datepicker-next { left: 2px; right: auto; }
.ui-datepicker-rtl .ui-datepicker-prev:hover { right: 1px; left: auto; }
.ui-datepicker-rtl .ui-datepicker-next:hover { left: 1px; right: auto; }
.ui-datepicker-rtl .ui-datepicker-buttonpane { clear:right; }
.ui-datepicker-rtl .ui-datepicker-buttonpane button { float: left; }
.ui-datepicker-rtl .ui-datepicker-buttonpane button.ui-datepicker-current {
float:right; }
.ui-datepicker-rtl .ui-datepicker-group { float:right; }
.ui-datepicker-rtl .ui-datepicker-group-last .ui-datepicker-header { border-rightwidth:
0; border-left-width:1px; }
.ui-datepicker-rtl .ui-datepicker-group-middle .ui-datepicker-header { borderright-
width:0; border-left-width:1px; }
/* IE6 IFRAME FIX (taken from datepicker 1.5.3 */
.ui-datepicker-cover {
display: none; /*sorry for IE5*/
display/**/: block; /*sorry for IE5*/
position: absolute; /*must have*/
z-index: -1; /*must have*/
filter: mask(); /*must have*/
top: -4px; /*must have*/
left: -4px; /*must have*/
width: 200px; /*must have*/
height: 200px; /*must have*/
}/* Dialog
----------------------------------*/
.ui-dialog { position: relative; padding: .2em; width: 300px; }
.ui-dialog .ui-dialog-titlebar { padding: .5em .3em .3em 1em; position: relative;
}
.ui-dialog .ui-dialog-title { float: left; margin: .1em 0 .2em; }
.ui-dialog .ui-dialog-titlebar-close { position: absolute; right: .3em; top: 50%;
width: 19px; margin: -10px 0 0 0; padding: 1px; height: 18px; }
.ui-dialog .ui-dialog-titlebar-close span { display: block; margin: 1px; }
.ui-dialog .ui-dialog-titlebar-close:hover, .ui-dialog .ui-dialog-titlebarclose:
focus { padding: 0; }
.ui-dialog .ui-dialog-content { border: 0; padding: .5em 1em; background: none;
overflow: auto; zoom: 1; }
.ui-dialog .ui-dialog-buttonpane { text-align: left; border-width: 1px 0 0 0;
background-image: none; margin: .5em 0 0 0; padding: .3em 1em .5em .4em; }
.ui-dialog .ui-dialog-buttonpane button { float: right; margin: .5em .4em .5em 0;
cursor: pointer; padding: .2em .6em .3em .6em; line-height: 1.4em; width:auto;
overflow:visible; }
.ui-dialog .ui-resizable-se { width: 14px; height: 14px; right: 3px; bottom: 3px; }
.ui-draggable .ui-dialog-titlebar { cursor: move; }
/* Progressbar
----------------------------------*/
.ui-progressbar { height:2em; text-align: left; }
.ui-progressbar .ui-progressbar-value {margin: -1px; height:100%; }/* Resizable
----------------------------------*/
.ui-resizable { position: relative;}
.ui-resizable-handle { position: absolute;font-size: 0.1px;z-index: 99999; display:
block;}
.ui-resizable-disabled .ui-resizable-handle, .ui-resizable-autohide .ui-resizablehandle
{ display: none; }
.ui-resizable-n { cursor: n-resize; height: 7px; width: 100%; top: -5px; left: 0px;
}
.ui-resizable-s { cursor: s-resize; height: 7px; width: 100%; bottom: -5px; left:
0px; }
.ui-resizable-e { cursor: e-resize; width: 7px; right: -5px; top: 0px; height:
100%; }
.ui-resizable-w { cursor: w-resize; width: 7px; left: -5px; top: 0px; height: 100%;
}
.ui-resizable-se { cursor: se-resize; width: 12px; height: 12px; right: 1px;
bottom: 1px; }
.ui-resizable-sw { cursor: sw-resize; width: 9px; height: 9px; left: -5px; bottom:
-5px; }
.ui-resizable-nw { cursor: nw-resize; width: 9px; height: 9px; left: -5px; top:
-5px; }
.ui-resizable-ne { cursor: ne-resize; width: 9px; height: 9px; right: -5px; top:
-5px;}/* Slider
----------------------------------*/
.ui-slider { position: relative; text-align: left; }
.ui-slider .ui-slider-handle { position: absolute; z-index: 2; width: 1.2em;
height: 1.2em; cursor: default; }
.ui-slider .ui-slider-range { position: absolute; z-index: 1; font-size: .7em;
display: block; border: 0; }
.ui-slider-horizontal { height: .8em; }
.ui-slider-horizontal .ui-slider-handle { top: -.3em; margin-left: -.6em; }
.ui-slider-horizontal .ui-slider-range { top: 0; height: 100%; }
.ui-slider-horizontal .ui-slider-range-min { left: 0; }
.ui-slider-horizontal .ui-slider-range-max { right: 0; }
.ui-slider-vertical { width: .8em; height: 100px; }
.ui-slider-vertical .ui-slider-handle { left: -.3em; margin-left: 0; margin-bottom:
-.6em; }
.ui-slider-vertical .ui-slider-range { left: 0; width: 100%; }
.ui-slider-vertical .ui-slider-range-min { bottom: 0; }
.ui-slider-vertical .ui-slider-range-max { top: 0; }/* Tabs
----------------------------------*/
.ui-tabs { padding: .2em; zoom: 1; }
.ui-tabs .ui-tabs-nav { list-style: none; position: relative; padding: .2em .2em 0;
}
.ui-tabs .ui-tabs-nav li { position: relative; float: left; border-bottom-width:
0 !important; margin: 0 .2em -1px 0; padding: 0; }
.ui-tabs .ui-tabs-nav li a { float: left; text-decoration: none; padding: .5em 1em;
}
.ui-tabs .ui-tabs-nav li.ui-tabs-selected { padding-bottom: 1px; border-bottomwidth:
0; }
.ui-tabs .ui-tabs-nav li.ui-tabs-selected a, .ui-tabs .ui-tabs-nav li.ui-statedisabled
a, .ui-tabs .ui-tabs-nav li.ui-state-processing a { cursor: text; }
.ui-tabs .ui-tabs-nav li a, .ui-tabs.ui-tabs-collapsible .ui-tabs-nav li.ui-tabsselected
a { cursor: pointer; } /* first selector in group seems obsolete, but
required to overcome bug in Opera applying cursor: text overall if defined
elsewhere... */
.ui-tabs .ui-tabs-panel { padding: 1em 1.4em; display: block; border-width: 0;
background: none; }
.ui-tabs .ui-tabs-hide { display: none !important; }
nv_hidden {visibility:hidden}
</style>
<script>

Note that the value yields syntax and invalid XML errors in Designer, which you may ignore. This is because the form renderer is expecting valid ECMA Script, so it wraps all its contents within <script> and </script> tags. To get around that, the internal CSS is "counter-wrapped" to begin with </script> and end with <script>.

jQuery UI

External script with Id of "Script4" is the google library to load jQuery UI. It's value is:
http://ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/jquery-ui.min.js

Google Maps API

External script with Id of "Script5" is the Google Maps API. It's value is:
http://maps.google.com/maps/api/js?sensor=false

Create Tabs

Inline script with Id of "Script6" converts each Title control with Form Field Name of tabNtitle to a tab using jQuery with each of the controls under the tab-title on its respective tab (see Figure B2). Script6 is below:

// transform the input, placing in tabs
$(document).ready(function(){
// obtain all rows in table
var trGuys = $("form table tr");
try {
var tabNumber = 0;
var foundFirst = false;
for (index=0; index < trGuys.size(); index++) {
var currentRow = trGuys.get(index);
var tabTitle = $("#_tab" + (tabNumber+1) + "title", currentRow);
if (tabTitle.size() > 0) {
tabNumber = tabNumber + 1;
foundFirst = true;
// if this is our first tab, start to build the structure
if (tabNumber == 1) {
$('<div id="tabs"><ul id="tabTitlebar"></ul>').insertAfter("#uiform
input[name='uasess']");
}
var tabLi = $("<li></li>");
var anchor = $("<a id='tab" + tabNumber + "anchor' href='#tabs-"+ tabNumber
+"'>" + "</a>");
tabLi.append(anchor);
tabLi.appendTo("#tabTitlebar");
//as of jQuery 1.3.2 (currently working in FF but not IE)
//$("'#_tab" + currentTab + "title'", currentRow).appendTo("[href=#tabs-"
+ currentTab + "]");
//so instead append and remove
$(currentRow).remove();
anchor.append(tabTitle);
//Add the div wrapper for jquery tabs
//and the table wrapper for the tab contents (ie, the table rows of form
controls)
$("<div id='tabs-" + tabNumber + "'><table cellspacing='2' cellpadding='0'
border='0' id='tab" + tabNumber + "-content'></table></div>").appendTo("#tabs");
} else {
//place the buttons in a table by themselves
if ($(":has(':button')", trGuys.get(index)).size() > 0) {
$("<table id='jquery-action-buttons' align='center'
width='180px'></table>").insertAfter("#tabs");
trGuys.slice(index, index+1).appendTo("#jquery-action-buttons");
} else if (foundFirst == true) {
trGuys.slice(index, index+1).appendTo("#tab" + tabNumber + "-content");
}
}
}
} catch (e) {
alert(e);
}
function init() {
$('#tabs').tabs();
}
// transform the input, placing in tabs
init();
});

Add Google Map

Inline script with Id of "Script7" inserts a Google Map onto the first tab. The regular form controls are repositioned to be to the right of the map. A Click listener is added to the map so that the latitude and longitude are put into the form's locationLatitude and locationLongitude fields,
respectively. "Script7" is below:

//Add Google Map
$(document).ready(function(){
var map;
var marker;
// place the google maps control to be used as a tower location chooser
// on the first tab on left side of page, move existing juice controls
// to right side of page
function addLatLongHelper() {
$('<table cellspacing="2" cellpadding="0" border="0"><thead><tr
valign="top"><td><div id="map_canvas" style="width: 400px; height:
400px"></div></td><td><div
id="insertControlsHere"/></td></tr></thead></table>').insertBefore("#tabs-1
table");
var removedElement = $("#tabs-1 table:nth-child(2)").remove();
$('#insertControlsHere').append(removedElement);
var myLatlng = new google.maps.LatLng(39.034271,-77.174936);
var myOptions = {
zoom: 16,
center: myLatlng,
mapTypeId: google.maps.MapTypeId.SATELLITE
}
map = new google.maps.Map(document.getElementById("map_canvas"), myOptions);
google.maps.event.addListener(map, 'click', function(event) {
placeMarker(event.latLng);
});
}
// function to add lat/long to page
function placeMarker(location) {
var clickedLocation = new google.maps.LatLng(location);
if (marker == null ) {
marker = new google.maps.Marker({
position: location,
map: map});
marker.set_draggable({flag:true});
} else {
marker.set_position(location);
}
try {
// get lat/long from the click
var lat = Math.round(location.lat()*Math.pow(10,4))/Math.pow(10,4);
var lng = Math.round(location.lng()*Math.pow(10,4))/Math.pow(10,4);
// set lat/long on form
$('#_locationLatitude').val(lat);
$('#_locationLongitude').val(lng);
} catch (ex) {
alert(ex);
}
}
// functions have been defined, call them
addLatLongHelper();
});

Conclusion

With the ability to import external JavaScript libraries, you can utilize jQuery to manipulate your form's look and layout. In addition, you can also capitalize on other libraries such as Google's Map API.

Technology Partners

Let's talk about DirXML-Associations

geoffc — Wed, 04 Nov 2009 14:37:30 -0700

Novell has done a pretty good job in the forums, organizing volunteer (what used to be called Sysops, but in this "i-everything" or "e-everything" age, the name had to change and are now called Novell Knowledge Partners, or NKPs) to try and either answer the questions themselves, or try to find someone they know who can help. If you have not used the forums when you need help, I highly recommend it! Search first, ask questions second, and provide details and trace in your questions.

I regularly read and post in the Identity Manager forums (as do a number of other helpful people) and often can help people out there in a fun way. This article was a post I wrote to answer a question, and I realized would make a good standalone article for Cool Solutions.

The forums are available at http://forums.novell.com over a silly vBulletin web interface (Icky! Works well when Google searching to show the results), but I prefer to use NNTP the real protocol for newsgroups dang it! Use your GroupWise client, Thunderbird, tin, nm, whatever you like, and point it at nntp://forums.novell.com and look for the novell.support.identity-manager.engine-drivers forum.

A user in the forums asked a question a little while back:

I am utterly confused.. and have a very basic question.Whenever I set an association while on the subscriber channel with the source object, will the association be with the driver? If yes, then how do we make sure that the same destination row will be hit each time I modify the user object? (If I talk bout synchronizing data)

I thought that maybe an explanation of the Association values use is pertinent here.

So you have two (or more, more is left as an exercise to the reader) connected systems. You have an object in each system and the porpoise of IDM is to link the two of them.

Thus we have a matching policy to decide who is matched, and failing a match, a create to determine rules to allow creation, and then a placement policy to tell us where to place them for creates.

If you have not already, please read David Gersic's excellent series of articles that walks through this process, step by step through the process flow:

But once they are created, it would be needlessly inefficient to match on every event. Imagine the horrible overhead! Queries into other systems are 'slow' in the grand scheme of things, and costly. Watch it in trace sometime. You will often see second long delays, depending on the system for queries to respond. Plus the query document needs to be processed through the driver rules as well. Now to be fair, some systems are slower than others, and eDirectory and Active Directory drivers are usually pretty quick for queries. Nonetheless in general, if you can avoid needless queries, it is better.

Interestingly enough, the engine is pretty darn smart about reusing the data in previous query (aka caching it) and also about reading ahead in the policy object, to bundle upcoming queries for attributes, into one single query event, to pre load the cache. It is sort of disconcerting watching in Dstrace, when a query for an attribute you know is expected, actually queries for three or four other attributes. Until I realized what was going on, I could not understand why it was querying for these extra attributes when all it needed was a single one for the current rule.

But since much of the overhead is in the connection, crossing the system boundaries, etc, it turns out that the actual retrieval of the data, once the target user is found is usually quite quick. Thus this is a really nice efficiency optimization. Imagine the case of an LDAP query, that needed to first find the object. Then retrieve either a single attribute, or three. The cost in terms of time to find the object is the same (usually, discounting any caching the LDAP server might have done for previous queries) and retrieving one or three attributes is barely different. Thus you save the extra two instances of the search overhead.

Sometimes you want to get the data again, not using the cache, which can interesting, and I talk about that more in this series on the use of the Destination Attribute, Source Attribute, Operation Attribute.

Therefore, in order to avoid this costly situation we need to store something that identifies the users in both systems.

In an ideal world it would be a two way link, with some kind of attribute on both sides of the fence. (The eDir-eDir driver, actually does do that! There is an Assoc value on the objects on both sides of the directory). That would help makes things faster!

Alas, it is hard enough getting the AD guys to let us install a Remote Loader and the password sync filters, get the Domino guys let us install ndsrep.exe on their Domino servers, get the AS400 guys to let us install the Remote Loader on the AS400 and so on, let alone extend their schema and start storing data on every single object we use. Like thats going to happen. On a side note, what is up with Active Directory admins? Why are they so uptight about schema! Even a simple schema change is a big deal with them.

So assume for a moment that a two way link is like the solid gold potty of Austin Powers fame. We all want one, but it just ain't in the cards baby.

What is our next best option? Well we are enlightened people, using eDirectory where schema is meant to be useful and used, not feared and locked up in the monastery. So there is an eDir attribute called DirXML-Associations.

Next, we have a bit of info we need to store. One of the many neat things about eDirectory are the interesting schema syntaxes that exist. They are pre defined, and as far as I know, there is no way for us, mere peons to add new schema syntax types.

In this case, DirXML-Associations is using a syntax type called Path syntax, which was designed to describe a file, in the file system. You can read more about some of the interesting eDirectory attribute syntax types that are available in these articles I wrote:

State: the 0,1,2,3,4,5 which indicates what state the association is in. 1 is what you want to see, 0 means ignore, the rest are no longer very relevant in IDM 3.5 and higher. This is the nameSpace component of the attribute syntax and was meant to represent the name space number (DOS, OS2, MAC, etc were assigned numbers starting at 0) but is really a 32 bit integer field.

Driver DN: This allows us to have more than one association per object. As each association has a per driver instance, via DN reference to the driver. It does mean you should only have one association per driver, but the schema does not enforce that, you could by hand set multiple DirXML-Association values, on one object. I am not sure why you would do it, and I am can pretty much guarantee it will break Identity Manager for that user, but you could!

This is the component called volume in the attribute syntax and is meant to represent the DN of the volume object holding the file.

Assoc Value: This is the unique identifier in the other system (not eDir) that allows us to skip matching each time and tell the other system, give me this guy please! Or modify this specific guy. It needs to be something unique, because that means with a single search we can definitely find the other object in that target system.

Now each connected system is very different and has different ideas about what is the truly unique identifier. From Lotus Notes, where every document has a UNID (Universal ID) that is a 32 character hex string. (Hmm, 16 to the power of 32 is about 3.4 time ten to the 38 possible values, or about a 128 bit counter? Because 16 to the 32 is about like saying 2 to the 4 to the 32, which is 2 to the 128. Thats a lot!) Active Directory uses the 128 bit GUID that Active Directory maintains. Whereas a system like Unix or Linux running NIS or NIS+ drivers, can only really use the object name as the unique identifier. Older systems have this issue. The AS400 drivers, the mainframe drivers, usually reference the name of the object as the unique identifier.

With so many drivers out there, and each one having a different notion of what is a unique value, I started this article, that quickly grew out of control (but in a good way!!) to try and get all the known patterns into a single location to make looking it up easier.

Open Call - IDM Association Values for eDirectory Objects

Now with that preamble out of the way lets try and answer your questions:

So the association value is stored on the object (User in this case) in eDirectory as the multi valued and multi part (aka structured) attribute DirXML-Associations. There is one association per object, for each driver to which they are associated. It is stored on the user, per driver.

The reference for a simple JDBC driver is typically the Row, in the table, in the schema, as you have posted in trace before in this thread. (Lets focus on the simple case first).

Thus a Sub channel event (Change of Last name for example in eDir) would send a modify to the Row referenced by the association value, and ask the DB to change the Last Name for that Row.

Going the other way, on the Pub channel, a change in the DB, detected either by triggerless mode's poll cycle looking at timestamps of values in rows and columns, or by a trigger setup in the DB to event upon the change to the Row's Last name column value would be detected and sent to the driver shim, including the information of which row, table, schema it came from.

The engine picks up this value (You should see a node that looks like

<association>USERID=123,TABLE=tableName,SCHEMA=schemaName</association>

in the event before it completes the Pub-Event Transform, to show what the driver shim thinks the reference to the changed object is.

If the engine cannot find this reference in eDir on a User, then it is an operation on an un-associated object and runs through Match, Create, and then Placement policies.

If in the Matching rule it does find an object it skips ahead to the Pub-Command Transform (having previously completed the Event transform).

Ok, so now on to your more complex DB case.

Ok, in my case I have 2 tables, one which stores his data and has a primary key, the other one has a foreign key dependency on the first one and stores the role. I am detecting change on this second one which doesn't have a primary key. Also, I update them by hitting dest data store directly (with dest command processor).. I think I should have told these things earlier..Apologies!!

I don't know the answer. :) (Those who can do, those who can't ice skate... I am a consultant now, and thus more of an idea rat... (Anyone remember that Dilbert episode?))

Can you store the primary key of the second table on the user in eDir as part of the process? I.e. There is a reference in the second table to the primary key of the first table, (aka Foreign key). When that is set, somehow store a reciprocal link on the user in eDir, where schema is flexible and useful?

Perhaps sync that second table as a second set of objects? Dunno what class, heck make one up, or pick one. There are hundreds of interesting object classes in basic eDirectory schema, and even in common schema extensions that you can leverage.

Then references between them can be maintained by the engine?

On a side note, you can execute SQL commands via the driver on the Sub channel pretty trivially using policy if needed: Using the JDBC Driver and Direct SQL

What must change on the User object in eDir, when a change in the 'role' (aka second) table changes?

Walking down the tracks that this train of thought takes, might help out in this case.

Cool Solutions

Heads Up! Novell Pulse Coming Your Way

ssalgy — Wed, 04 Nov 2009 09:28:47 -0700

Novell just announced the first real-time collaboration platform for the enterprise, called Novell Pulse. Novell and Google jointly announced that they are working together to enable Novell Pulse users and Google Wave users to seamlessly work together across both systems. Novell is the first collaboration provider to integrate Google Wave.

What is Novell Pulse?

Novell Pulse is the first enterprise class, real-time collaboration platform that unites communication, authoring and social messaging tools. Novell Pulse helps drive enterprise productivity and innovation by making it easier to communicate digitally, generate ideas and share information. People continents apart can share and edit documents, jointly browse websites, and have a digital conversation, all in real-time. Individuals can also manage content overload by filtering for people and topics to follow as well as storing files—both native and office type—along with their related groups and conversations.

What can you do with Pulse?
Novell Pulse is an enterprise real-time collaboration solution. Real-time collaboration tools allows people to easily share and work together on documents, have real-time conversations, interact using social media tools, and much more.

Novell Pulse was designed specifically for the enterprise user, so it includes robust security and management capabilities. Novell Pulse will also interoperate with other real-time technologies like Google Wave, as well as existing collaboration solutions.

How would you use it in a business setting?

Communication. Say you have a project that requires input from 5 people. Before Novell Pulse, you would email those 5 people and receive separate responses—some of which would be responding to your email, while others would be responding to other emails from the distribution list, depending on when each was composed. Then you'd have to aggregate all the responses, synthesize them, and begin the cycle of emails all over again.

With Novell Pulse, you send one, synchronous message, and all 5 people can respond to you and each other in real-time. No aggregation, missed information or repetition of efforts—and if you make the conversation public, you may get valuable input from someone you weren't expecting.

Intra- and Inter-company Collaboration. For example, you plan to issue a product datasheet jointly with one of your partners. You work in different document publishing environments such as OpenOffice and MS Word. Before Novell Pulse, you would have written the press release and sent it as an OpenOffice attachment to everyone on your team within your company for input, then aggregated all the input, edited it down for redundancy, and then converted it to MS Word before sending as an attachment to your partner for input. Then you'd begin the cycle again for every round of edits.

With Novell Pulse, you and your partner could simply collaborate on the document in real-time and then both companies could export the document into their preferred format when it's final. This also works seamlessly if you are using Novell Pulse and your partner is using Google Wave.

Breaking Through the Clutter. Information overload is a serious concern for companies today. Users are hit with information from all directions—email, instant messenger, blogs, micro-blogs, social networks, calendars. By unifying all these information mediums into one, easy-to-use interface with folders, filtering and search, Novell Pulse enables users to make sense of it all and focus on what's really important.

Working With Google

This is a technical collaboration between Google and Novell to bring federation to both systems, using the Wave Federation Protocol. We're the first company to show federation using the WFP, and we're the first collaboration solution to integrate with Google Wave. Novell Pulse and Google Wave systems can operate in tandem so that users of the two platforms can work together in real time, each using their preferred tool.

What does federation with Google Wave involve?
Federation involves using a protocol call the Wave Federation Protocol to enable messages (or Waves) to be shared in real-time, character-for-character, as they are being created or edited between two or more separate systems.

The sharing is based on addressing. You place addresses ( which look just like e-mail addresses) from potentially different domains on a message or Wave, then the message is live and any edits made by anyone will be automatically shared in real-time.

How is Novell Pulse different from Google Wave?
The design point for Novell Pulse is the enterprise user, so we've placed a strong emphasis on features such as security and management controls. We've also drawn on our 20+ years experience in the enterprise collaboration space with products like GroupWise, and worked to address enterprise and business use-cases.

Novell Pulse is a key component in Novell’s collaboration strategy and open collaboration architecture, working standalone or in concert with Novell’s broader product portfolio. Novell Pulse is very complementary to Google Wave and to our existing collaboration products such as GroupWise. Key features, which draw on the best of e-mail, instant messaging, document sharing, social connections, real-time co-editing and enterprise controls, include:

Security
Provisioning, sign-on and permissions leverage enterprise identity and access management systems, directory servers and audit tools to integrate with established processes, keep data safe and support compliance requirements.
Real-time collaboration
Collaborative editing and document sharing enables users to get work done with other users in real-time, from co-editable online documents to the ability to share and comment on traditional office documents in real time.
Unified Inbox
A single interface allows users to see, sort and filter all their personal and professional content from various social messaging services, email, Wave, etc. all in one place.
Enterprise social messaging
Social Blog allows users to share, follow and comment on topics and ideas.
Real-time awareness and chat
Allows users to know exactly when their colleagues are available via people, group and message activity monitoring.

Novell Pulse will be available in both cloud and on-premise deployments.

Is Novell Pulse designed for the consumer or the enterprise customers?
Novell Pulse is focused on the enterprise customers. It addresses the needs of a global, knowledge-based workforce and gives enterprises the confidence to embrace real-time collaboration technologies. Novell Pulse leverages Novell's expertise and experience developing enterprise collaboration and communication tools, as well as industry leadership in creating strong identity and security management solutions.

Is Novell Pulse open source?
No.

When will Novell Pulse be available? What will it cost?
Novell Pulse will be generally available in the first half of 2010 in a cloud deployment, and with an on-premise deployment option in a subsequent release. Pricing will be announced at general availability.

How can I get access in when this goes to beta availability?
We'll be announcing that later this year.

Where can I see Novell Pulse in action?
Novell Pulse was demonstrated on Nov. 4, 2009 during the Integrating Google Wave into the Enterprise keynote at Enterprise 2.0 in San Francisco. We'll be giving previews of the technology over the coming weeks via Novell blogs and video. Stay tuned. A select beta is scheduled for early 2010.

Where can I get more information about Novell Pulse?
You can find more information at www.novell.com/pulse . We'll be previewing more of Novell Pulse over the coming weeks too.

End-User Computing

BrainShare Jacket Promotion

mattclayton — Tue, 03 Nov 2009 00:00:00 -0700

Get a free jacket by being one of the first 400 to register for BrainShare 2010 using this registration code: jacket. Sign up and share the news with your friends. The red and gray, athletic jacket is the perfect jacket for the spring weather in Utah. Jackets will be available for pick up at the registration booth on Monday, March 22, 2010.

ZENworks Cool Solutions

Drivers vs DriverSets vs Servers in Identity Manager

geoffc — Thu, 29 Oct 2009 12:04:05 -0600

Driver vs Driver Set vs Servers in Identity Manager:

Sometimes I get confused within Novell Identity Manager, as there are many moving parts with multiple bits and pieces to contend with.

If you have not read through David Gersic's excellent series on the basics of how Identity Manager works, then you really should.

David does a great job of taking the typical iManager or Designer view, that you would see when working on an Identity Manager project and walking through it item by item.

The primary difference between the iManager and Designer view, would be that in iManager to 'fishbone' diagram is laid on its side, right to left, left to right, and in Designer it is top to bottom. Personally, Designers approach works much better for me, as I am a smidgen right-left dyslexic, but can remember up and down directions much better. (I find gravity more digestible than right and left, go figure!)

On top of all the policies, and their order or execution, and why they execute, that David explains, there is further complexity in the use of DirXML Script to write any of the rules.

There is lots of content on the topic of using DirXML Script, more than is worth linking too, but the nice thing is that the names of the various tokens are pretty good. For example, the send-email Action you see in Policy Builder seems pretty straightforward (which is really a <do-send-email> token) and really is. Some subtly exists, which the help is actually often pretty good at dispelling.

Thus most of the articles you will see talking about tokens specifically, will focus on the subtle stuff, that does not really make it entirely into the documentation. For example:

These first two, discuss the subtle and important differences between the Attribute, Source Attribute, and Destination Attribute tokens as well of the benefits of using each.

Here are some more generally interesting token articles that can be helpful.

On top of the policy flow, DirXML Script, there is a further lower level concern.

The basic unit in Identity Manager is an object. Probably the lowest level is the Policy object (could be a Style sheet object, or a Mapping table, or a ECMA Script object, but you get the idea).

These objects exist in containers. There is a pair, the Subscriber and Publisher containers, meant to corral the appropriate objects into reasonable locations, to make finding them easier.

With the release of Identity Manager 3.5 and the change in policy linkage, it is possible to store them pretty much anywhere inside the driver set (heck you could probably get it to use an appropriate object anywhere in the tree, but I have never really tried that). This is pretty common in the use of Library objects now, so that one set of rules could be used in multiple drivers.

The Subscriber and Publisher containers exist below the Driver object. At the same level is usually the Schema Map, Filter, and Input/Output transforms.

Drivers reside inside Driver Set objects. The Driver Set object is often made into an eDirectory partition boundary. I happen to strongly disagree with the interface in Designer and iManager that defaults to creating the Driver Set object as a partition if you are not careful. That it should be a partition, I understand the reasoning. That it should be a default, I think is a mistake, because before you partition an eDirectory tree, you should check and be sure that the tree is healthy, time is syncing, servers are communicating, and what not. Otherwise, you are opening your self up to a world of hurt.

Driver Sets are assigned to servers, which are the where the actual Identity Manager binaries are executed.

Now there comes a little bit of complexity.

One server can host only one Driver Set at a time. One Driver Set can be hosted by multiple servers. One Driver Set can contain multiple drivers. Each driver should only run on a single server at a time (though in principle they could run on more than one at once, which probably would create bad end results).

Now was that clear?

The key is: A Driver Set can be assigned to multiple servers. However a single server can only host a single Driver Set.

Even that has a quibble, since one physical server could host multiple virtual machines, each with an eDirectory instance, or on Unix/Linux even host multiple eDirectory instances on a single server instance. Perhaps a better criteria is that a single eDirectory instance can only host a single Driver Set at a time.

Thus many drivers can be in a driver set, on several servers, with any combination of drivers running on any of those servers.

The servers can be any platform that eDirectory and Identity Manager is supported on, such as Windows, Netware (pre 3.6 alas, since Java 1.5 which IDM 3.6 relies on, has not been back ported to Netware), Solaris, Linux, and AIX.

Cool Solutions