UNITED STATES. Understanding NDS for Directory-Enabled Solutions David Condrey, LAN Systems Manager...
UNITED STATES
Understanding NDS for Directory-Enabled Solutions
David Condrey, LAN Systems [email protected] University
Jeremy Campbell, Information Resource [email protected] University

Novell Directory Services (NDS) and the Computing Infrastructure
A real world example:
Division of Computing and Information Technology
CLEMSON UNIVERSITY

Agenda
Background on Clemson information systems
Mission and support structure
Userid management
Network design
Server and network access
Public access labs
Printing
Electronic mail
Intranet
Authentication server
Futures

Background on Clemson Information Systems

Background
Large systems background
Strong development shop
Mainframe and open systems expertise
Departmental LANs ruled 90’s until Novell Directory Services (NDS)
NDS populated in Summer 1995 (36,000)
Departmental LANs gone—more centralized management of the network
NDS is centerpiece of security and authentication

Mission and Support Structure

Mission
Provide computing infrastructure
Empower users and departments
Provide guidance in selecting solutions based on industry standards
Deploy solutions to meet the needs of institutional computing
Provide user support and training

Defining Groups
Network services
  Supports the physical network (routers, hubs, backbone)
LAN systems
  Supports application, group, and personal data servers
Client Support Group (CSG)
  Supports faculty and staff via Technology Support Providers (TSPs)

Defining Groups (cont.)
Systems Integration Group (SIG)
  Supports students and departmental labs
Computer resources
  Assists with user account problems
  Division of Computing and Information Technology (DCIT) sponsored
College consultants
  DCIT sponsored person and college sponsored person(s) that help support the end users of the college

Defining Groups (cont.)
Technology Support Provider (TSP)
  Supports faculty/staff end users
Help desk
  Sponsored by DCIT to assist end users

Support Structure
Support is based on a four tier model
[Diagram labels: Problems; Resources; LAN systems; Network services; 1; Faculty; Staff; Students; 4; TSPs; Help desk; 3; College consultant; Client support; Systems integration; 2; Computer resources]

Server Strategy and Management
Novell and Windows NT servers maintained by DCIT
DCIT provides hardware and Network Operating System (NOS)
DCIT administers backups
DCIT performs user administration
Group maintains data and security with help of a TSP
Virus protection and software metering

Userid Management

Automatic Userid System (AUS)
[Diagram labels: AUS; MVS; UNIX; NDS; Personnel; Admissions; Other; Other]

Automating User Maintenance
[Diagram labels: MVS; Old Method; Daily UIMPORT run; Summer ’97; USRMAINT.NLM; FTP; TCP/IP; Real-time; NDS; Add users; Modify user attributes; Delete users; Personnel; Admissions; Other; AUS]

Network Design

Physical Network Design
[Diagram labels: 100BT Switch; FDDI; Server (seven); 100BT; T1]

Tree Design
[Diagram labels: Users; Organizations; ClemsonU]

Every Person Has a Place
[Diagram labels: Students; Misc.; Employee; Organizations; ClemsonU]

Every Group Has a Place
[Diagram labels: Users; Athletics; DCIT; Forestry; Research; Dean's office; CAFLS; CES; ClemsonU]

Partition Design
[Diagram labels: Students; Employee; Athletics; CSO; CSG; APS; DCIT; ClemsonU; partition letters A, B, Z]

Use Dedicated “ROOT” Servers for NDS Replicas
[Diagram labels: CU-ROOT-3; 100BT Switch; CU-ROOT-1; CU-ROOT-2; (ITC); Master for all; R/W for all; R/W for users “A” to “Z”; Group Server; R/W optional; FDDI]

Distribute Network Management

Login Script Design
Based on profile scripts and user scripts
No container scripts
Use base profiles
  EMPLOYEE
  STUDENT
Base profile includes high level organizational scripts based on membership
Organizational scripts controlled by TSPs
Organization scripts may include departmental scripts managed by others

Script Design & Management
.EMPLOYEE.employee.clemsonu
.ENG.ces.clemsonu
.BioE.ces.
ISALAB
.Civil.ces.
.AG.cafls.clemsonu
.Forestry.cafls.
.GROUPIFS.employee.clemsonu
User Script

Server Timesync Hierarchy
[Diagram labels: ServerC (Ref); ServerA (Prim); ServerB (Prim); ServerD (Secon); ServerE (Secon); External source]

Server and Network Resource Access

Personal Storage (User Data Servers)
[Diagram labels: EmployeDn; Any faculty or staff member; Any student; Office, lab, or dial-in; Dorm, lab, or dial-in; StudentDn]

Personal Data Server Configuration
                   EmployeD(2)      StudentD(5)
Processor          Dual Pro–200     Pentium II–300
Memory             1024MB           512MB
Disk               90GB (RAID5)     50GB (RAID5)
Replicas           None             None
Home directories   ~11,000          ~25,000
Base quota         100MB            25MB

Collaborative Storage—“Group Servers” (Faculty and Staff)
[Diagram labels: Group Server2; EmployeD; Group Server1]

Collaborative Storage—“Applications Servers” (Students)
[Diagram labels: StudentD; Applications Server (N)]

Group/App/Root Server Average Configuration
Group            App              Root
Pro-200          P-200            P2-300
128MB            64MB             384MB
18GB             9GB              4GB
Possible R/W     None             All replicas
25–250 users     25–250 users     250–800 users*

Collaborative Storage (Faculty and Students)
[Diagram labels: EmployeD; Group server1; StudentD; App server]

Faculty/Student Collaboration
Faculty member wants to put data on the network that students can use
Student submission of work to faculty
Students collaborate on team projects with assistance from faculty member
Students and faculty collaborate on projects or assignments
Publish web pages as a team or class

Faculty and TSP/Client Support Management
[Diagram labels: Group Server1; ReadOnly; Teams R/W with Tgroups; CreateOnly; ReadWrite]

Collaborative Storage and Network Bandwidth
[Diagram labels: Group Server1]

Public Access Labs: Home of the Virtual Personal Computer

Outline
Environment for the Virtual PC (VPC)
How the current VPC environment evolved
Mechanics of the VPC
  Setting up the computer
  Boot time
  Login and login script
  User Profiles
Software involved
Future directions

Standard Lab
Standard set of applications
Standard operating system
Standard Context-less login
Standard drive mappings
Standard hard drive contents

The Environment as Seen by the Machine
[Diagram labels: StudentDn; App server; Local Hard Drive; Local Printer]

Goals of the Virtual PC Paradigm
Easy maintenance
Provide global access to password protected network disk space
Allow user to customize his desktop
Same environment (“look and feel”) regardless of location, hardware, or facility ownership

Evolution
Pre-NetWare
Windows 3.11 under NetWare
Windows 95 under NetWare

How It Happens to the User
VPC = A series of software manipulations triggered by user login and logout.
[Diagram labels: StudentDn; User Profile; Logout; User Profile; Login]

Constructing the Machine
The rebuild disk
REBUILD <location> <pctype> {options}
VLM Client allows it all on one floppy
[Diagram labels: rebuild]

Boot Time Events
Location, PC type, “ISALAB”, and other environment variables
Some registry updates to ensure default desktop appearance and server failover keys

Contextless Login
Can’t teach end users what a context is
Using commercial product because we needed an immediate solution.

The Login Script
Perform some basic actions
Perform group-specific actions
Perform lab actions
Load profile

Isitcool—Failover Applications Server Attachment
[Diagram labels: Applications Server(1); Applications Server(2); Applications Server(n); ISITCOOL NLM (three); Workstation; Lab 1; Workstation Disk Image; Applications; Isitcool? NO! NO! YES!]
1. Using IP, get info from primary app server Isitcool.
2. If attach failure or Isitcool reports no, try next server.
3. Attach to server using NetWare client.

Loading the Profile
PC-Rdist is called by the login script
PC-Rdist imports user registry keys from directory mapped to drive U:
First-time lab users get setup
Printers

Special Mappings and Events
Mapping shared disk
  Most done by login scripts
Novell Application Launcher (NAL)
  Will eventually be doing most special mappings

Logout
Logout only
  Export user registry
Logout and shutdown
  Export user registry
  Perform maintenance

Problems
Present implementation not easily scaled
DCIT lab support must do all software installs
DCIT lab support must handle all initial lab setup operations
If present trends continue, labs of computers will be replaced by labs of network jacks
Image must live in the login directory (not protected)
Metering

Summary of Novell Components
NetWare Client 32 (intraNetWare client)
NAL
VLM client
Novell Replication Services (testing)

Summary of Third-Party Products
SofTrack
PC-Rdist and TrapSD
  Need a NetWare client with integrated profile handling and event hooks
SFLOGIN
NWCopy
PCOUNTER
  Need better auditing tools

Clemson University Products
cumap
isitcool
datacool
editreg/patch95
editini
difrator/TED (in development)
labstats (in re-development)

Future Directions for Us
Departmental software (hardware?) installations
Remote control of workstation
Queuing users waiting for a computer
Move from lab to laptop

Printing

Printing Strategy
All shared printers are network attached supporting only IPX protocol (HP JetDirect)
All printer access is controlled through NDS print queues
UNIX print services makes any print queue available to UNIX/Multiple Virtual Storage (MVS)/??? hosts using standard Line Printer Daemon (LPR/LPD) protocols

Printing Strategy (cont.)
UNIX print services also makes high speed institutional printers on MVS available to both NetWare and UNIX users/applications

Printing Strategy
[Diagram labels: OS/390; UNIX; ???; Print Gateway; PC; PC; PC; Mac; Q (five)]

NDS Design for Printing
[Diagram labels: B; Library; ITC; ...; Printers; Employees; B; Printers; Civil; Mechanical; CES; A; Students; PrtDev; CAFLS; clemsonu; A; Poole]

Electronic Mail

Electronic Mail Server
Based on Sun Solaris
No user accounts required on Solaris
Server software developed at Clemson
Multiple recipients/one copy of message
Server based on Post Office Protocol/Multipurpose Internet Mail Extensions (POP/MIME) Internet standard protocols
Internet Messaging Access Protocol 4 (IMAP 4) coming?

Electronic Mail Server
Eudora site license purchased by DCIT
List server gaining wide spread acceptance and use
Class/section list automated

Mail Server
[Diagram labels: DOS POPc; mainframe POPc; Windows POPc; Mac POPc; UNIX POPc; OS/2 POPc; ?? POPc; popD; ListD; Mail Server]

Mail Server: Statistics
Category                                        1995   1996   1997*
Daily average POP connections                   14K    46K    85K
Daily average messages retrieved from server    13K    36K    62K
Average messages sent using server per day      27K    48K    92K
*based on partial year statistics through May 26, 1997

Automated Distribution Lists
[Diagram labels: MVS OS/390; ListMGR; popD; ListD; Mail Server; TCP/IP; Class Roles; Departments]

Automated NDS Group Membership
[Diagram labels: MVS OS/390; ListMGR; popD; ListD; Mail Server; TCP/IP; Class Roles; Departments; NDS; GroupMGR NLM; TCP/IP]

Student Interface to Collaborative Storage
Use DMOs along with a graphical tool to have users select and map network resources to make them available

Managing Distribution Lists with NDS
[Diagram labels: popD; ListD; Mail Server; GroupMGR.NLM; Monitor group membership modifications; RegisterForEvent(); TCP/IP; NDS; 1. Membership; 2. See also]

NDS Interface to the List Server
Enabler for collaborative work between faculty and students
Uses data from employee system on MVS to keep department NDS groups correct
Lets users use NWAdmin to administer E-mail lists
Eliminates need to make changes to NDS and the list server
Ensures that data is correct everywhere

Intranet

Web Serving
Institutional servers
Department or group servers
Organizational page servers
Personal page servers
Administrative and student application page servers

NDS Web Security via Windows NT/UNIX/???

Authentication Server

Authentication Server
Too many userid/password combinations for each user to remember
Need central set of secure servers that all systems use for authentication
Clemson University Personal ID (CUPID)
  Based on Automatic Userid System (AUS)
  Idea born in interdepartmental task force
  Production on July 1, 1996

Authentication Server
[Diagram labels: Mail authC; Web authC; mainframe authC; UNIX authC; NetWare authC; Sun authC; Windows NT authC; Oracle authC; NDS]
[Diagram labels: intraNetWare Server A; intraNetWare Server B; intraNetWare Server C; AUTHSERV.NLM (three); Mainframe (MVS): VTAM, RACF, AuthClient, Onlines; MAIL (Solaris): AuthClient, POPd; NT Server (4.0): AuthClient, Website, Application; User Workstation (Windows 95/NT and MAC Workstation): Eudora, TN3270, Netscape, Login.exe; OpenLinux: AuthClient, Apache, Application]

Authentication Server
NetWare Loadable Module (NLM) is multithreaded
Clients use common code base
Clients have built in failover capability
Communication based on TCP/IP sockets
> 90% successful password checks complete in less than 0.1 seconds
> 2 million requests serviced by primary server over a 6 week period (50,000/day)

Back to Intranet

NDS Authentication through Windows NT/UNIX/??? to the Web
Application: Employee Information System (EIS)
Type: Web
Server OS: Windows NT 4.0
Server Enabling App: Website/Visual Basic

Using NDS Security Across the Intranet
[Diagram labels: Authenticated Client; Server AuthClient; Authentication Server; NDS; Netscape; IIS; 32-bit DLL; AUTHSERV.NLM; NDS; Page request; CheckEquiv; Check Security Equivalence; Locate user object and run equivalence list.; NT 4.0]

AUTHSERV Client Functions
Password check
Password change
Resolve to fully distinguished name
Check security equivalence
Return group membership
Miscellaneous administrative functions

Authentication Server as an NDS Data Gateway
Application: Call tracking system
Type: Web
Server OS: Windows NT 4.0
Server Enabling App: Website/Visual Basic
[Screenshot: call tracking system assignee list]

Caldera OpenLinux and Apache
Web gateway to NetWare file system
[Diagram labels: Caldera OpenLinux; File Server (five); AuthC; Browser (four); AuthServer]

Caldera OpenLinux and Apache
First attempt to provide web services via Novell made use of Novell’s intraNetWare Web Server 1.0 which simply was not reliable
Caldera OpenLinux provided robust UNIX connectivity to NDS and supported the industry standard Apache web server
Out of the box Caldera/Apache did not provide home directory redirection and/or authentication
  It did however provide the source code needed to make these modifications

Caldera OpenLinux and Apache Modifications
Added a module that would link Apache’s user directory directive to the user’s Novell home directory
  Making http://www.clemson.edu/~erich point to EMPLOYED/USR02:\USERS\U20\ERICH\PUBLIC.WWW
Since Caldera is NDS aware, this also allows us to serve group web sites via their own group servers

Web Interface to Home Directories via AUTHSERV NDS Gateway
Application: Personal pages
Type: Web
Server OS: Linux
Server Enabling App: Apache/Caldera
http://www.clemson.edu/~acollin

Web Interface to Department Pages
Application: Departmental pages
Type: Web
Server OS: Linux
Server Enabling App: Apache/Caldera
http://dcitnds.clemson.edu/CSO/depts/maint

Caldera OpenLinux and Apache Modifications
Added another module using the previously mentioned Authentication Server routines to provide both user and group authentication
  Makes use of standard HTACCESS format with additional Novell directives

Using NDS to Secure Web Pages
NovellAuth on
AuthName Novell Tree
AuthType Basic
<Limit GET POST>
require user gmcochr
require user kellen
require group .resadmin.groups.employee.clemsonu
</Limit>
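
An added example, not code from the original slides or from Clemson's Apache module: a Python evaluation of the access file above. It assumes stock Apache semantics of the period (any one matching require line grants access; rules inside <Limit GET POST> cover only GET, HEAD and POST) and case-insensitive NDS names; the userid student1 and the group memberships passed in are constructed.

```python
# Added example, not Clemson's Apache module.
# Assumption: "require" and <Limit> behave as in stock Apache of that period.
import re
from collections import namedtuple

Rule = namedtuple("Rule", "kind names methods")  # methods None = every method

HTACCESS = """\
NovellAuth on
AuthName Novell Tree
AuthType Basic
<Limit GET POST>
require user gmcochr
require user kellen
require group .resadmin.groups.employee.clemsonu
</Limit>
"""

def parse_rules(text):
    """Collect each 'require' line together with the methods it covers."""
    rules, methods = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        opened = re.fullmatch(r"<Limit\s+([^>]+)>", line, re.I)
        if opened:
            methods = frozenset(m.upper() for m in opened.group(1).split())
        elif line.lower() == "</limit>":
            methods = None
        elif line.lower().startswith("require "):
            _, kind, *names = line.split()
            # Assumption: NDS names are compared case-insensitively.
            rules.append(Rule(kind.lower(), {n.lower() for n in names}, methods))
    return rules

def decide(rules, method, user=None, groups=()):
    """Return 'unrestricted', 'allow' or 'deny' for one request.

    user is the userid that passed the password check (None if none did);
    groups are the group names the authentication server returned for it.
    """
    method = method.upper()
    if method == "HEAD":
        method = "GET"            # Apache applies a GET limit to HEAD as well
    covering = [r for r in rules if r.methods is None or method in r.methods]
    if not covering:
        return "unrestricted"     # no require line covers this method
    if user is None:
        return "deny"             # a real server would answer 401 and prompt
    member_of = {g.lower() for g in groups}
    for rule in covering:         # any single matching require line is enough
        if rule.kind == "user" and user.lower() in rule.names:
            return "allow"
        if rule.kind == "group" and member_of & rule.names:
            return "allow"
        if rule.kind == "valid-user":
            return "allow"
    return "deny"

RULES = parse_rules(HTACCESS)

if __name__ == "__main__":
    # Constructed requests; "student1" is a made-up userid.
    for args in [("GET", "kellen"), ("GET", "student1"),
                 ("POST", "student1", [".ResAdmin.groups.employee.clemsonu"]),
                 ("GET", None), ("PUT", None)]:
        print(args, "->", decide(RULES, *args))
```

The PUT case returns "unrestricted" because a method not named in <Limit> is not covered by the require lines; Apache's <LimitExcept>, or require lines placed outside any method block, closes that gap.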

WebAuth: Web Single Sign-On
[Diagram labels: Workstation; 3rd Party Web Server; WebAuth Client; AuthServ NLM; NDS; WebAuth NLM; AuthClient; Web Browser 1; Web Browser 2; DCIT Authentication Web Server; WebAuth Trusted Client; CHECK; STORE; Redirect]
Only trusted web servers prompt for userid password and set cookie in browser. Other web servers must use the cookie to determine the user.

Auditing NDS Connections
Have not had much luck with standard auditing in 4.x
Hook login/logout in AUDITLGN.NLM
Writes easy to manipulate log files
Data logged includes fully distinguished object name, login time, logout time, and MAC address
Monitor file server and print server as well as user connections

Dial-In
Mostly rely on contract between users and Internet Service Providers (ISPs) for dial-in access
  Campus-MCI
Some PPP connectivity through Livingston server with Remote Authentication Dial-In User Service (RADIUS) modified to use NDS via the Authentication Server

Dial-In (cont.)
Attempting to get NetWare/IP deployed this summer for file server connectivity via PPP
Starting to deploy Dynamic Host Configuration Protocol (DHCP) for dial-in and dorm usage only

Server Growth
Split user data servers
  e.g., StudentD1 and StudentD2
Common access server for both students and faculty/staff (scratch disk)
Develop tools for user disk clean up
Develop more tools to help end users get more out of NDS and the network in general

What We Need
Web interface to unresolved as well as resolved issues at Novell
More out of Simple Management Protocol (SMP)
NDS on Windows NT (no replicas required)
Help from Novell on resolving “Windows NT Server” marketing-through-documentation issues

What We Need (cont.)
Code exits in Novell products such as Client 32, RADIUS, FTP server, Web server
Good performance monitoring (SMP) tools

Questions and Answers