Integrating Apple Macs Using Novell Technologies

Integrating Apple Macs Using Novell® technologiesTaking it to the Macs!

Simon FloodSystems & Networks SpecialistUniversity of [email protected]

© Novell, Inc. All rights reserved.2

Macs

• Should we care?

• Why integrate?

• Options?

• The administrative experience

• Other Novell® products?

• Open discussion


Should we care?

• Increasing Mac usage at work and home

• ITIC's 2009 Global IT and Technology Trends Survey

“... 68% [respondents] … likely to allow ... Macs as their corporate ... desktops in the next 12 months”

“... 23% have a significant number of Macs … in their organizations”

www.itic-corp.com/blog/2009/02/apple-gets-more-entrenched-in-the-enterprise/

• Macs can (legally) triple-boot Mac OS X, Windows and Linux!


Why integrate?

• Unified experience

– Seamless access to same information, regardless of platform

• Choice

– Best of breed

• Ease of administration

• Ease of use

• Making IT work as one!

Options?


What options do Macs support?

• File services– AFP– SMB– NFS– WebDAV

• Directory services– LDAPv3

> Open Directory> RFC 2307-compliant system

– Active Directory> Magic triangles


What options does Novell® offer?

• Novell Open Enterprise Server 2 SP2– AFP (or CIFS/Samba) + Novell eDirectory™ (LDAP)

– Domain Services for Windows

• Microsoft Windows Server– Dynamic File Services for Windows

• SUSE® Linux Enterprise Server• Novell Identity Manager• Kanaka (Condrey Corporation)


What is missing?

• NetWare® Client for Mac OS X (Prosoft Engineering)

– Mac OS X 10.3.9 or 10.4.2 and later (including Snow Leopard)

– Novell NetWare 5 and 6

– No planned support for Novell® Open Enterprise Server (Linux)

Let's Take a Closer Look


Mac OS X Snow Leopard support


Novell® Open Enterprise Server 2 SP2

• Includes all you need to support Mac users– AFP (or CIFS/Samba)

– Novell eDirectory™

> LDAP

– iPrint

– Novell iFolder®

– NetStorage

– Cluster Services> All of the above components can be clustered


File and print services

• AFP (and CIFS)– Requires Universal Password– Cross-protocol file locking between AFP, CIFS and NCP– Does not support Dynamic Storage Technology

• Novell iFolder®

– Client for Mac OS X available with Novell iFolder 3.7 and later• NetStorage

– Safari is not a supported browser!– WebDAV via Finder is broken

• iPrint– Not suited to multi-user clients (stuck print jobs)

Novell® Open Enterprise Server 2 SP2


Before you start

• Ensure AFP is installed, configured and working

– Universal Password must be configured!

• Ensure Mac can resolve server's hostname

– With Leopard, simply adding entries to /etc/hosts will not work!

> # dscl localhost -create /Local/Default/Hosts/oeslinux. example.com IPAddress 192.168.10.101


Fix SSL certificates

• With Leopard OpenLDAP trusts no one! (TLS_REQCERT demand)

– ldapsearch -b cn=admin,o=example -H ldaps://oeslinux.example.com -v -x will error with 'certificate verify failed'

• Grab and edit the certificate– # echo | openssl s_client -connect oeslinux example.com:636 -showcerts > /System/Library/ OpenSSL/certs/example.cert

– # vi /System/Library/OpenSSL/certs/example. cert

> Delete everything except the second certificate (2x Organizational CA)> So just left with section -----BEGIN CERTIFICATE-----

through to and including -----END CERTIFICATE-----


Fix SSL certificates (continued)

• If only ever one tree– # vi /etc/openldap/ldap.conf

> Add TLS_CACERT /System/Library/OpenSSL/certs/example.cert

• If multiple trees– # vi /etc/openldap/ldap.conf

> Add TLS_CACERTDIR /System/Library/OpenSSL/certs

– For each tree> # openssl x509 -noout -in example.cert -hash

» This will return a hexadecimal hash value

> # ln -s example.cert <hash value>.0


Extend the Novell® eDirectory™ Schema

• LDIF for Mac OS X 10.3 is available from MacEnterprise.org

– LDIFs for 10.5 & 10.6 will be available via Cool Solutions

– Macs include schema files in /etc/openldap/schema

> … and iManager can apparently handle .schema files

– Make sure macAddress attribute type is pre-defined

> ( 1.3.6.1.1.1.1.22 NAME 'macAddress' DESC 'MAC address' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466. 115.121.1.26{128} )


Extend the Novell. eDirectory™ Schema (continued)

• Extend schema– Can use iManager

> Schema | Extend Schema | Add schema from a file

– Or ConsoleOne®

> Wizards | NDS Import/Export... | Import LDIF file

– But quicker via LDAP!> ldapmodify -D cn=admin,o=example -f applev2.ldf -h oeslinux.example.com -v -W -x -Z

• Check schema– ldapsearch -b cn=schema -D cn=admin,o=example -h oeslinux.example.com -s base -W -x -Z objectClass=*


Extend user objects

• Can use iManager (make sure you Apply before Edit)– Schema | Object Extensions | select user object(s) | [Add] |

select apple-user | [OK] | [Close]• Or ConsoleOne®

– Right-click on user and choose 'Extensions of this object...'– Click 'Add Extension...', select 'apple-user' and click [OK]

• Or LDAP (LDIF file) – assumes LUM-enabled– objectClass: apple-user– apple-user-homeDirectory: /Network/Servers/oeslinux.example.com/oeslinux.USER/Users/user1

– apple-user-homeurl: <home_dir><url>afp://oeslinux.example.com/oeslinux.USER</url><path>Users/user1</path></home_dir>


Extend user objects (continued)

• If users are not LUM-enabled

– objectClass: posixAccount

– uidNumber: <integer>

– gidNumber: <integer>

– homeDirectory: /home/user1

– loginShell: /bin/bash

> unless you don't want users to be able to access Terminal!


Create mount objects

• Create container to store them• Mount object per server/volume – name is unimportant• Using iManager (similar for ConsoleOne®)

– Directory Administration | Create Object | Show all object classes | select 'mount'

• Using LDAP (LDIF file)– objectClass: mount– apple-mountDirectory: /Network/Servers– apple-mountOption: net– apple-mountOption: url==afp://;AUTH=NO%20USER%[email protected]/oeslinux.USER

– apple-mountType: url


Connect Mac to Novell® eDirectory™

• Launch Directory Utility and click Services– Leopard and earlier - /Applications/Utilities– Snow Leopard – /System/Library/Core Services

• Configure the LDAPv3 plug-in– Create and edit a new LDAP connection (Manual)– Set up Search & Mappings

> Mappings equate to LDAP queries – default is to match all (AND)

> Start with Open Directory Server

> Delete shadowAccount from Users and extensibleObject from Users, Groups, ComputerGroups and People

> Change User NFSHomeDirectory to map to apple-homeDirectory

> Prefix Mount mappings with apple- (so mountDirectory becomes apple-mountDirectory)

> Check search bases for Users, Groups, Computers and Computer Groups (or Lists)


Connect Mac to Novell® eDirectory™ (continued)

• Add LDAPv3 to Search Policy

• Prefix with # to use a local static mapping

• Use $variable$ to use a local variable mapping

• Can also use dsconfigldap and dscl to set up

• Use dscl to test

– dscl /LDAPv3/oeslinux.example.com read Users/user1


Extend or create other objects

• Groups (Workgroups)– objectClass: apple-group

• Computers– objectClass: apple-computer– macAddress: 01:23:45:67:89:ab

• Computer Groups– Introduced in Leopard

> objectClass: apple-group

– Previously Computer Lists> objectClass: apple-computer-list


Managing preferences

• Can be applied to Users, Computers, Computer Groups and Workgroups

• Extend relevant objects - can't currently use iManager– apple-mcxflags: <leave blank>– apple-mcxsettings: <leave blank>– apple-mcxsettings2: <leave blank>

> Optional – continuation of apple-mcxsettings

• Use Workgroup Manager– Command+D to skip initial authentication dialog– Enable the Inspector to allow you to see raw directory data

> Workgroup Manager | Preferences... | Show “All records” tab and inspector

Demonstration


Issues

• For Administrators– Fiddly to set up– Tricky to manage, especially from a Mac

• For Users– Finder does not understand NSS rights

> “iManager is the recommended method for managing rights” !» Novell® AFP for Linux Administration Guide (section 9.2.4)

– Changing password via System Preferences has not always worked

> Can also change password via Finder> Or create custom script to change password via LDAP


Suggestions

• Rename your AFP volumes to remove server element– So server.VOLUME becomes VOLUME– Normally suggested for cluster environments– Will then match CIFS experience – easier for users

• Create a LoginHook that runs a script to set up a user's home directory when they log in

– The ? icon in Dock might alarm some users– When user logs in for the first time Desktop, Downloads and

Library folders are created in home directory> Documents, Music and Pictures folders are initially missing and are created

as necessary

– /System/Library/User\ Template/<Language>.lproj/ is not used

Other Options?


Domain Services for Windows

• Directory Utility includes an Active Directory plug-in• No need to make schema changes to the AD domain

to get basic user account information• Samba access to NSS volumes• Configure Macs using Directory Utility or dsconfigad

– Change Mappings under Advanced Settings and Options> UID: uidNumber> user GID: gidNumber> group GID: groupMembership?

• Time is important (as always!)– Beware Mac helpfully rewrites server lines in /etc/ntp.conf


Kanaka (Condrey Corporation)

• Current version requires a Novell® NetWare® server– Version 2 will not

• Supports AFP and CIFS (SMB)• Simple or Universal Password• Windows-based install of server component ...• Web interface via Novell Remote Manager (port 8009)

– As per DocXchanger• Minimal additions to Novell eDirectory™ schema• Mac clients can receive MCX Settings from Kanaka

– Or from Mac OS X Server


Dynamic File Services for Windows

• Perhaps you're already running Microsoft Windows Servers … ?

• We already know Macs like Windows Servers

• Connect to network shares (SMB)

• Use a third-party AFP product?


SUSE® Linux Enterprise Server

• Netatalk (or Samba)

– Spotlight can index volumes

– Can use volume as Backup Disk for Time Machine

> Version 2.0.5

– Question about scalability

• OpenLDAP

– Extend schema by copying files to /etc/openldap/schema

– Create objects as per Novell® Open Enterprise Server process


Novell® Identity Manager

• Can be used to provision users in Novell eDirectory™

– or Active Directory (free Novell Identity Manager Bundle Edition)

– or Open Directory

> Scripting Driver is supported on Mac OS X (Intel)

• Can be used to extend user and other objects

The Administrative Experience


iManager for Mac OS X … !


Administration

• iManager– Safari is not a supported web browser!– No version of iManager Workstation for Mac OS X

• ConsoleOne®

– Unsupported except for Novell® GroupWise 8 and ZENworks® 7– No version for Mac OS X

• LDAP– Use LDIF files

• Apple Workgroup Manager– Included with Server Admin Tools available for free from Apple– Use for managing MCX settings


Administration (continued)

• Novell® Identity Manager– Designer can be made to run on Mac OS X

> Limited functionality (missing JClient so no NCP access)> www.novell.com/communities/node/9637/idm-designer-your-macintosh

• Novell Support Advisor– Linux install can be copied to Mac OS X and run

> Limited functionality> Plans to produce Mac installable version

• Apache Directory Studio– Use to test LDAP and create LDIF files– directory.apache.org


What else can you do?

• NetBoot Server (bootp/dhcp, tftp and nfs/http)– Apple's use of dhcp does not quite observe RFC 2131!

• Bonjour– Avahi added in Novell® Open Enterprise Server 2 SP2

– … but January 2010 Scheduled Maintenance 20100130 patch breaks AFP on 32-bit servers

> See TID 7005351

– By default only Apple File Sharing, Workgroup Manager and SSH services advertised

> Can easily advertise additional services (e.g. for iPrint)

Other Novell® Products?


Other Novell® products?

• Access Manager® (BorderManager replacement?)– Includes SSL VPN client for Mac (PowerPC 10.4, Intel 10.5)

• GroupWise®

– Includes client for Mac (but Snow Leopard not officially supported until Novell GroupWise 8.0 Support Pack 2)

– Safari is a supported web browser for WebAccess client• Teaming

– Safari is a supported web browser• ZENworks®

– Asset Management can inventory Mac OS X clients (10.2.4 +)– Patch Management supports Mac OS X clients and servers

(10.2.8 - 10.4.7)


Other Apple devices?

• Specifically iPad, iPhone and iPod Touch• ITIC's 2009 Global IT and Technology Trends Survey

– “... 50% [respondents] ... plan to increase integration with ... products such as the iPhone to allow users to access corporate Email and other applications”

• ActiveSync Connector (Datasync)• MonoTouch

– Allows developers to create C# and .NET based applications

– Requires an Intel-based Mac, Apple's iPhone SDK and membership of Apple's iPhone Developer Program

Discussion


Some ideas

• Novell Client™ for Mac?• Directory Services for Mac?

– Since we have Domain Services for Windows ...• ZENworks® Configuration Management

– Allow us to manage Mac OS X clients (MCX?)

• Novell® GroupWise® vs. Exchange– Snow Leopard has built-in support for Microsoft Exchange

Server 2007 ...• Novell Open Enterprise Server

– Add support for Dynamic Storage Technology, Spotlight and Time Machine to AFP

• Support Safari!


Mac community support from Novell®

Good?

Bad?

Ugly?


Log enhancement requests

www.novell.com/rms


Other Sessions

• CL115 Novell® Open Enterprise Server:Roadmap and Futures

• CL116 File Access in Novell Open Enterprise Server 2 SP2


Resources

• MacEnterprise.org• AFP548.com• www.novell.com/communities/coolsolutions/ (smflood)• forums.novell.com

– Native File Access• www.apple.com/business/resources/• support.apple.com/kb/HT3186

– Enabling Directory Service debug logging in Mac OS X 10.5+


And finally ...

Apple once urged us to think different

Simon says think Novell®!

Unpublished Work of Novell, Inc. All Rights Reserved.This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General DisclaimerThis document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.

Integrating Apple Macs Using Novell Technologies

Documents

Transcript of Integrating Apple Macs Using Novell Technologies