Understanding NDS for Directory-Enabled Solutions

David Condrey, LAN Systems Manager, Clemson University (davidc@clemson.edu)
Jeremy Campbell, Information Resource Consultant, Clemson University (jerm@clemson.edu)

Novell Directory Services (NDS) and the Computing Infrastructure

A real-world example: Clemson University, Division of Computing and Information Technology

Agenda
  • Background on Clemson information systems
  • Mission and support structure
  • Userid management
  • Network design
  • Server and network access
  • Public access labs
  • Printing
  • Electronic mail
  • Intranet
  • Authentication server
  • Futures
Background
  • Large systems background
  • Strong development shop
  • Mainframe and open systems expertise
  • Departmental LANs ruled 90’s until Novell Directory Services (NDS)
  • NDS populated in Summer 1995 (36,000)
  • Departmental LANs gone—more centralized management of the network
  • NDS is centerpiece of security and authentication
Mission
  • Provide computing infrastructure
  • Empower users and departments
  • Provide guidance in selecting solutions based on industry standards
  • Deploy solutions to meet the needs of institutional computing
  • Provide user support and training
Defining Groups
  • Network services
    • Supports the physical network (routers, hubs, backbone)
  • LAN systems
    • Supports application, group, and personal data servers
  • Client Support Group (CSG)
    • Supports faculty and staff via Technology Support Providers (TSPs)
Defining Groups (cont.)
  • Systems Integration Group (SIG)
    • Supports students and departmental labs
  • Computer resources
    • Assists with user account problems
      • Division of Computing and Information Technology (DCIT) sponsored
  • College consultants
    • DCIT sponsored person and college sponsored person(s) that help support the end users of the college
Defining Groups (cont.)
  • Technology Support Provider (TSP)
    • Supports faculty/staff end users
  • Help desk
    • Sponsored by DCIT to assist end users
Support Structure
  • Support is based on a four tier model
  • [Diagram: problems flow through tiers 1 to 4 toward resources; labels: Faculty, Staff, Students, TSPs, Help desk, College consultant, Computer resources, Client support, Systems integration, LAN systems, Network services]

Server Strategy and Management
  • Novell and Windows NT servers maintained by DCIT
  • DCIT provides hardware and Network Operating System (NOS)
  • DCIT administers backups
  • DCIT performs user administration
  • Group maintains data and security with help of a TSP
  • Virus protection and software metering
Automatic Userid System (AUS)
  • [Diagram: Personnel, Admissions and other source systems feed AUS on MVS, which provisions userids to NDS, UNIX and other systems]
Automating User Maintenance
  • Sources: Personnel, Admissions and other systems on MVS feed AUS
  • Old method: daily UIMPORT run, with data transferred by FTP
  • Summer ’97: real-time updates to NDS over TCP/IP through USRMAINT.NLM
    • Add users
    • Modify user attributes
    • Delete users
Physical Network Design
  • [Diagram: servers on switched 100BT segments, FDDI backbone, T1 link]
Every Person Has a Place
  • [Diagram: Organization ClemsonU holds Students, Employee and Misc. containers, each subdivided into A to Z containers]
Every Group Has a Place
  • [Diagram: ClemsonU tree with Users, Athletics, DCIT, CAFLS, CES, Forestry, Research and Dean's office containers]
Partition Design
  • [Diagram: partitions under ClemsonU; labels: Students A to Z, Employee A to Z, Athletics, DCIT, CSO, CSG, APS]
Use Dedicated “ROOT” Servers for NDS Replicas
  • CU-ROOT-1: master replicas for all partitions
  • CU-ROOT-2: read/write replicas for all partitions
  • CU-ROOT-3: read/write replicas for the user partitions “A” to “Z”
  • Group servers: read/write replica optional
  • [Diagram: root servers on FDDI (ITC) and a 100BT switch]
Login Script Design
  • Based on profile scripts and user scripts
  • No container scripts
  • Use base profiles
    • EMPLOYEE
    • STUDENT
  • Base profile includes high level organizational scripts based on membership
  • Organizational scripts controlled by TSPs
  • Organization scripts may include departmental scripts managed by others
Script Design & Management
  • [Diagram: profile script hierarchy; the base profile .EMPLOYEE.employee.clemsonu includes organizational scripts such as .GROUPIFS.employee.clemsonu, .AG.cafls.clemsonu and .ENG.ces.clemsonu, which in turn include departmental scripts such as .Forestry.cafls., .BioE.ces. and .Civil.ces.; the ISALAB profile and the User Script run last]
Server Timesync Hierarchy
  • [Diagram: servers A to E; a Reference server synchronized to an external time source, Primary servers, and Secondary servers]
Personal Storage (User Data Servers)
  • EmployeDn: any faculty or staff member, from office, lab, or dial-in
  • StudentDn: any student, from dorm, lab, or dial-in
Personal Data Server Configuration
  • Processor: EmployeD(2) Dual Pro–200; StudentD(5) Pentium II–300
  • Memory: EmployeD(2) 1024MB; StudentD(5) 512MB
  • Disk: EmployeD(2) 90GB (RAID5); StudentD(5) 50GB (RAID5)
  • Replicas: none on either
  • Home directories: EmployeD(2) ~11,000; StudentD(5) ~25,000
  • Base quota: EmployeD(2) 100MB; StudentD(5) 25MB
Collaborative Storage—“Group Servers” (Faculty and Staff)
  • [Diagram: EmployeD user data server alongside Group Server1 and Group Server2]

Collaborative Storage—“Applications Servers” (Students)
  • [Diagram: StudentD user data server alongside Applications Server (N)]
Group/App/Root Server Average Configuration
  • Processor: Group Pro-200; App P-200; Root P2-300
  • Memory: Group 128MB; App 64MB; Root 384MB
  • Disk: Group 18GB; App 9GB; Root 4GB
  • Replicas: Group possible R/W; App none; Root all replicas
  • Users served: Group 25–250; App 25–250; Root 250–800*
Collaborative Storage (Faculty and Students)
  • [Diagram: EmployeD and StudentD user data servers sharing an App server and Group server1]
Faculty/Student Collaboration
  • Faculty member wants to put data on the network that students can use
  • Student submission of work to faculty
  • Students collaborate on team projects with assistance from faculty member
  • Students and faculty collaborate on projects or assignments
  • Publish web pages as a team or class
Faculty and TSP/Client Support Management
  • [Diagram: directory rights on Group Server1: Read Only, Create Only, Read Write; Teams area R/W with Tgroups]
Outline
  • Environment for the Virtual PC (VPC)
  • How the current VPC environment evolved
  • Mechanics of the VPC
    • Setting up the computer
    • Boot time
    • Login and login script
    • User Profiles
  • Software involved
  • Future directions
Standard Lab
  • Standard set of applications
  • Standard operating system
  • Contextless login
  • Standard drive mappings
  • Identical hard drive contents
The Environment as Seen by the Machine
  • Data servers
  • Application servers
  • Hard drive image
  • Handling locations and hardware
Goals of the Virtual PC Paradigm
  • Easy maintenance
  • Provide global access to password protected network disk space
  • Allow user to customize his desktop
  • Same environment (“look and feel”) regardless of location, hardware, or facility ownership
Evolution
  • Pre-NetWare
  • Windows 3.11 under NetWare
  • Windows 95 under NetWare
Constructing the Machine
  • The rebuild disk
  • REBUILD <location> <pctype> {options}
  • Importance of Virtual Loadable Module (VLM) Client
Boot Time Events
  • Location, PC type, “ISALAB”, and other environment variables
  • Some registry updates to ensure default desktop appearance and server failover keys
Contextless Login
  • Can’t teach end users what a context is
  • Using commercial product because NetWare Software Developer Kit (SDK) lacks information
The Login Script
  • Perform some basic actions
  • Perform group-specific actions
  • Perform lab actions
  • Load profile
Isitcool—Failover Applications Server Attachment
  1. Using IP, get info from primary app server Isitcool.
  2. If attach failure or Isitcool reports no, try next server.
  3. Attach to server using NetWare client.
  • [Diagram: a Lab 1 workstation queries the ISITCOOL NLM on Applications Server(1), (2) … (n) in turn; a NO! answer moves on to the next server, a YES! answer leads to attachment for the disk image and applications]
Loading the Profile
  • PC-Rdist is called by the login script
  • PC-Rdist imports user registry keys from directory mapped to drive U:
  • First-time lab users get setup
  • Printers
Special Mappings and Events
  • Mapping shared disk
    • Most done by login scripts
  • Novell Application Launcher (NAL)
    • Will eventually be doing most special mappings
Logout
  • Logout only
    • Export user registry
  • Logout and shutdown
    • Export user registry
    • Perform maintenance
Problems
  • Present implementation not scalable
  • DCIT lab support must do all software installs
  • DCIT lab support must handle all initial lab setup operations
  • If present trends continue, labs of computers will be replaced by labs of network jacks
  • Image must live in the login directory (not protected)
  • Metering
Summary of Novell Components
  • NetWare
  • Client 32 (intraNetWare client)
  • NAL
  • VLM client
Summary of Novell Products We Can Almost Use
  • NAL
    • Requires execution of some applications
    • Will not permit re-mapping
  • snAppShot
    • We can’t distribute applications with NAL, so .AOT files are useless; this makes snAppShot useless
  • Client 32 (intraNetWare client) login
    • Need contextless login
Summary of Novell Products We Can Almost Use (cont.)
  • Novell Replication Services (NRS)
    • Will not allow replication of directories on SYS (specifically, login)
Summary of Third-Party Products
  • SofTrack
  • PC-Rdist and TrapSD
    • Need a NetWare client with integrated profile handling and event hooks
  • SFLOGIN
    • Need a contextless login with event hooks
  • NWCopy
    • NRS needs to allow us to replicate specific SYS volume directories
Summary of Third-Party Products (cont.)
  • PCOUNTER
    • Need better auditing tools
Clemson University Products
  • cumap
  • isitcool
  • datacool
  • editreg/patch95
  • editini
  • difrator (in development)
  • labstats (in re-development)
Future Directions for Us
  • Departmental software (hardware?) installations
  • Remote control of workstation
  • Queuing users waiting for a computer
  • Move from lab to laptop
Future Directions for Novell’s Products?
  • Client 32 integrate PROFLOAD stuff
  • Logout exits
  • Client 32 should allow us to customize machine as well as user
    • We can think of a dozen uses for the computer object in NDS!
  • Basically, Novell should handle the profiles (store the sludge in NDS?)
  • Metering
  • Improve auditing tools
Printing Strategy
  • All shared printers are network attached supporting only IPX protocol (HP JetDirect)
  • All printer access is controlled through NDS print queues
  • UNIX print services makes any print queue available to UNIX/Multiple Virtual Storage (MVS)/??? hosts using standard Line Printer Daemon (LPR/LPD) protocols
Printing Strategy (cont.)
  • UNIX print services also makes high speed institutional printers on MVS available to both NetWare and UNIX users/applications
Printing Strategy
  • [Diagram: print queues (Q) on OS/390 and UNIX; a print gateway serving Mac, PC and other (???) clients]
NDS Design for Printing
  • [Diagram: clemsonu tree with Employees and Students containers (A, B …); a PrtDev container holding CAFLS and CES (Civil, Mechanical) with their Printers; site containers Poole, Library, ITC …]
Electronic Mail Server
  • Based on Sun Solaris
  • No user accounts required on Solaris
  • Server software developed at Clemson
  • Multiple recipients/one copy of message
  • Server based on Post Office Protocol/ Multipurpose Internet Mail Extensions (POP/MIME) Internet standard protocols
    • Internet Messaging Access Protocol 4 (IMAP 4) coming?
Electronic Mail Server
  • Eudora site license purchased by DCIT
  • List server gaining widespread acceptance and use
    • Class/section list automated
Mail Server
  • [Diagram: POP clients (POPc) on mainframe, UNIX, Mac, DOS, Windows, OS/2 and other platforms talk to the mail server, which runs popD and ListD]
Mail Server: Statistics
  • [Chart; only the footnote survives in the transcript]
  • *based on partial year statistics through May 26, 1997
Automated Distribution Lists
  • [Diagram: Employee and Student databases and Class Roles on MVS OS/390 feed ListMGR, which maintains departmental lists on the mail server (ListD/popD) over TCP/IP]
Automated NDS Group Membership
  • [Diagram: Employee and Student databases and Class Roles on MVS OS/390 feed ListMGR; ListMGR updates both the mail server (ListD/popD) and the GroupMGR NLM in NDS over TCP/IP]
Student Interface to Collaborative Storage
  • Use DMOs along with a graphical tool to have users select and map network resources to make them available
Managing Distribution Lists with NDS
  • [Diagram: GroupMGR.NLM registers with NDS through RegisterForEvent() to monitor group membership modifications (1. Membership, 2. See also) and pushes the changes to ListD on the mail server over TCP/IP]
NDS Interface to the List Server
  • Enabler for collaborative work between faculty and students
  • Uses data from employee system on MVS to keep department NDS groups correct
  • Lets users use NWAdmin to administer E-mail lists
  • Eliminates need to make changes to NDS and the list server
  • Ensures that data is correct everywhere
Web Serving
  • Institutional servers
  • Department or group servers
  • Organizational page servers
  • Personal page servers
  • Administrative and student application page servers
Authentication Server
  • Too many userid/password combinations for each user to remember
  • Need central set of secure servers that all systems use for authentication
  • Clemson University Personal ID (CUPID)
  • Based on Automatic Userid System (AUS)
  • Idea born in interdepartmental task force
  • Production on July 1, 1996
Authentication Server
  • [Diagram: authentication clients (authC) on UNIX, Sun, Windows NT, NetWare, Mail, Web, Oracle and mainframe platforms]
Authentication Server
  • [Diagram: AUTHSERV.NLM on intraNetWare Servers A, B and C, each holding NDS; AuthClient on MAIL (Solaris, POPd), NTServer 4.0 (Website application), OpenLinux (Apache application) and Mainframe (MVS, RACF, Onlines, VTAM); user workstation (Windows 95/NT and Mac) running TN3270, Netscape, Login.exe and Eudora]
Authentication Server
  • NetWare Loadable Module (NLM) is multithreaded
  • Clients use common code base
  • Clients have built in failover capability
  • Communication based on TCP/IP sockets
  • > 90% successful password checks complete in less than 0.1 seconds
  • > 2 million requests serviced by primary server over a 6 week period (50,000/day)
NDS Authentication through Windows NT/UNIX/??? to the Web
  • Application: Employee Information System (EIS)
  • Type: Web
  • Server OS: Windows NT 4.0
  • Server Enabling App: Website/Visual Basic
Using NDS Security Across the Intranet
  • [Diagram: a page request from an authenticated Netscape client reaches IIS on NT 4.0; a 32-bit Auth Client DLL calls AUTHSERV.NLM (CheckEquiv), which checks security equivalence in NDS by locating the user object and running its equivalence list]
AUTHSERV Client Functions
  • Password check
  • Password change
  • Resolve to fully distinguished name
  • Check security equivalence
  • Return group membership
  • Miscellaneous administrative functions
Authentication Server as an NDS Data Gateway
  • Application: Call tracking system
  • Type: Web
  • Server OS: Windows NT 4.0
  • Server Enabling App: Website/Visual Basic
  • [Screenshot: userid pick-list drawn from NDS: Not Assigned, BILL, BROYLES, CCR, DAVE, DAVIDC, DON, JAMBO, YATES]
Caldera OpenLinux and Apache
  • Web gateway to NetWare file system
  • [Diagram: browsers reach Caldera OpenLinux, which serves content from NetWare file servers and authenticates users through AuthC to the AuthServer]
Caldera OpenLinux and Apache
  • First attempt to provide web services via Novell made use of Novell’s intraNetWare Web Server 1.0 which simply was not reliable
  • Caldera OpenLinux provided robust UNIX connectivity to NDS and supported the industry standard Apache web server
  • Out of the box Caldera/Apache did not provide home directory redirection and/or authentication
    • It did however provide the source code needed to make these modifications
Caldera OpenLinux and Apache Modifications
  • Added a module that would link Apache’s user directory directive to the user’s Novell home directory
    • Making http://www.clemson.edu/~erich point to EMPLOYED/USR02:\USERS\U20\ERICH\PUBLIC.WWW
  • Since Caldera is NDS aware, this also allows us to serve group web sites via their own group servers
Web Interface to Home Directories via AUTHSERV NDS Gateway
  • Application: Personal pages
  • Type: Web
  • Server OS: Linux
  • Server Enabling App: Apache/Caldera
  • http://www.clemson.edu/~acollin
Web Interface to Department Pages
  • Application: Departmental pages
  • Type: Web
  • Server OS: Linux
  • Server Enabling App: Apache/Caldera
  • http://dcitnds.clemson.edu/CSO/depts/maint
Caldera OpenLinux and Apache Modifications
  • Added another module using the previously mentioned Authentication Server routines to provide both user and group authentication
    • Makes use of standard HTACCESS format with additional Novell directives
Using NDS to Secure Web Pages

    NovellAuth on
    AuthName Novell Tree
    AuthType Basic
    <Limit GET POST>
    require user gmcochr
    require user kellen
    require group .resadmin.groups.employee.clemsonu
    </Limit>
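An added example, not Clemson's AUTHSERV code, that ties the directives above to the AUTHSERV client functions listed earlier (resolve to fully distinguished name, check security equivalence, return group membership): it parses the `<Limit>` block and decides whether a given userid may use a given method. NDS is modelled as a dict with constructed contents, and the short-name lookup imitates the contextless login problem (a bare userid must map to exactly one object).

```python
"""Evaluate an htaccess-style block like the one on the slide against a small
in-memory stand-in for NDS. Constructed example: the directory contents are
made up, NDS is modelled as a dict, and the helpers imitate (not reproduce)
the AUTHSERV client functions.
"""
import re
from typing import Dict, Set

# Constructed directory: user object FDN -> security equivalences (group FDNs).
NDS: Dict[str, Set[str]] = {
    ".gmcochr.g.employee.clemsonu": set(),
    ".kellen.k.employee.clemsonu": set(),
    ".rsmith.r.employee.clemsonu": {".resadmin.groups.employee.clemsonu"},
    ".bjones.b.employee.clemsonu": set(),
    ".bjones.b.student.clemsonu": set(),   # same short name in another container
}


def resolve_fdn(short_name: str) -> str:
    """Contextless login: map a bare userid to the one object with that common
    name. Raises LookupError when the name is unknown or ambiguous, so an
    ambiguous name is never silently mapped to an arbitrary object."""
    wanted = short_name.lower()
    matches = [fdn for fdn in NDS if fdn.split(".")[1].lower() == wanted]
    if len(matches) != 1:
        raise LookupError(f"{short_name}: {len(matches)} matching objects")
    return matches[0]


def group_membership(fdn: str) -> Set[str]:
    """Return group membership (security equivalences) for an object."""
    return {g.lower() for g in NDS.get(fdn, set())}


def check_equiv(fdn: str, group_fdn: str) -> bool:
    """Check security equivalence: does the object carry this group?"""
    return group_fdn.lower() in group_membership(fdn)


LIMIT_RE = re.compile(r"<Limit\s+([^>]+)>(.*?)</Limit>", re.S | re.I)


def parse_limit_block(config: str) -> dict:
    """Extract the methods, users and groups named in the first <Limit> block."""
    m = LIMIT_RE.search(config)
    if m is None:
        raise ValueError("no <Limit> block found")
    rules = {"methods": set(m.group(1).upper().split()), "users": set(), "groups": set()}
    for line in m.group(2).splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].lower() == "require":
            key = "users" if parts[1].lower() == "user" else "groups"
            rules[key].add(parts[2].lower())
    return rules


def authorize(config: str, short_name: str, method: str) -> bool:
    """Decide whether an already-authenticated userid may use `method`."""
    rules = parse_limit_block(config)
    if method.upper() not in rules["methods"]:
        return True   # <Limit> semantics: methods it does not name are not restricted
    try:
        fdn = resolve_fdn(short_name)
    except LookupError:
        return False
    if fdn.split(".")[1].lower() in rules["users"]:
        return True
    return any(check_equiv(fdn, group) for group in rules["groups"])


# The directives from the slide, as constructed test input.
HTACCESS = """\
NovellAuth on
AuthName Novell Tree
AuthType Basic
<Limit GET POST>
require user gmcochr
require user kellen
require group .resadmin.groups.employee.clemsonu
</Limit>
"""

if __name__ == "__main__":
    for who, method in [("gmcochr", "GET"), ("rsmith", "POST"), ("bjones", "GET"), ("nobody", "PUT")]:
        print(who, method, "allowed" if authorize(HTACCESS, who, method) else "denied")
```

Two things the run makes visible: `bjones` is denied because the bare name matches two objects, which is the case a contextless login must refuse rather than guess; and `PUT` passes for anyone, because `<Limit GET POST>` restricts only the methods it names (Apache's `<LimitExcept>` is the form that restricts everything else).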

WebAuth: Web Single Sign-On
  • Only trusted web servers prompt for userid/password and set a cookie in the browser. Other web servers must use the cookie to determine the user.
  • [Diagram: a 3rd-party web server redirects the browser to the DCIT authentication web server; its trusted WebAuth client authenticates the user through the Auth Client and AuthServ NLM against NDS and STOREs the result in the WebAuth NLM; the 3rd-party server's WebAuth client then CHECKs the browser's cookie with the WebAuth NLM]
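The STORE/CHECK split described above, as an added example rather than the WebAuth NLM's real interface: only the trusted server mints a session after a password check, the cookie it sets is an opaque random token with no user data in it, and every other server can only ask the store who the token belongs to. The cookie format, lifetime, `TokenStore` API, revoke call and the local password check are all assumptions.

```python
"""Session store for a single-sign-on flow like the WebAuth scheme: the
trusted authentication server STOREs a session and sets an opaque cookie;
other web servers CHECK that cookie instead of prompting.

Constructed example: cookie contents, lifetime, the TokenStore API and the
password stand-in are assumptions, not the WebAuth or AuthServ NLM interface.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

COOKIE_LIFETIME_SECONDS = 8 * 3600   # assumed lifetime


@dataclass
class Session:
    user_fdn: str
    expires_at: float


class TokenStore:
    """What the WebAuth NLM would hold: opaque cookie token -> session."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._sessions: Dict[str, Session] = {}
        self._clock = clock

    def store(self, user_fdn: str) -> str:
        """STORE: mint an unguessable token for a freshly authenticated user."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user_fdn, self._clock() + COOKIE_LIFETIME_SECONDS)
        return token

    def check(self, token: str) -> Optional[str]:
        """CHECK: return the user behind a cookie, or None if unknown or expired."""
        match = next((k for k in self._sessions if hmac.compare_digest(k, token)), None)
        if match is None:
            return None
        if self._sessions[match].expires_at <= self._clock():
            del self._sessions[match]   # expired: forget it
            return None
        return self._sessions[match].user_fdn

    def revoke(self, token: str) -> None:
        """Logout: forget the session so the cookie stops working everywhere."""
        self._sessions.pop(token, None)


# Constructed stand-in for the AuthServ password check (a hash of a made-up
# password; real NDS passwords never leave the directory).
USER = ".davidc.d.employee.clemsonu"
_PW_HASH = {USER: hashlib.sha256(b"constructed-demo-password").hexdigest()}


def password_ok(user_fdn: str, password: str) -> bool:
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(_PW_HASH.get(user_fdn, ""), digest)


def trusted_login(store: TokenStore, user_fdn: str, password: str) -> Optional[str]:
    """Trusted (DCIT) authentication server: prompt, check, then STORE."""
    if not password_ok(user_fdn, password):
        return None
    return store.store(user_fdn)


def third_party_request(store: TokenStore, cookie: Optional[str]) -> Optional[str]:
    """Any other web server: never prompts; learns the user only via CHECK."""
    return store.check(cookie) if cookie else None


class FakeClock:
    """Controllable clock so expiry can be exercised without waiting."""

    def __init__(self, now: float = 1_000_000.0) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now


def run_scenario() -> dict:
    clock = FakeClock()
    store = TokenStore(clock)
    results = {"bad_password": trusted_login(store, USER, "wrong")}
    cookie = trusted_login(store, USER, "constructed-demo-password")
    results["seen_as"] = third_party_request(store, cookie)
    results["guessed"] = third_party_request(store, "A" * len(cookie))
    clock.now += COOKIE_LIFETIME_SECONDS + 1
    results["after_expiry"] = third_party_request(store, cookie)
    cookie2 = trusted_login(store, USER, "constructed-demo-password")
    store.revoke(cookie2)
    results["after_logout"] = third_party_request(store, cookie2)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Keeping the user identity on the server side of the cookie is what lets any web server trust the answer: a third-party server that parsed a username out of the cookie itself would have no way to tell a minted cookie from a typed one.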

Auditing NDS Connections
  • Have not had much luck with standard auditing in 4.x
  • Hook login/logout in AUDITLGN.NLM
  • Writes easy-to-manipulate log files
  • Data logged includes fully distinguished object name, login time, logout time, and MAC address
  • Monitor file server and print server as well as user connections
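An added example of working with the logged fields above (fully distinguished name, login time, logout time, MAC address); it is not AUDITLGN.NLM's output or code, and the tab-separated record layout and sample lines are constructed. It totals connected time per object, lists connections still open (file and print servers included, since those are monitored too) and surfaces objects that held overlapping connections from different MAC addresses.

```python
"""Work over connection-audit records of the kind AUDITLGN.NLM is described
as writing: per-object session time, open connections, and objects with
overlapping connections from different MAC addresses.

Constructed example: the record layout and sample lines are assumptions,
not AUDITLGN's real file format.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional, Set

TIME_FMT = "%Y-%m-%d %H:%M:%S"


class Record(NamedTuple):
    fdn: str
    login: datetime
    logout: Optional[datetime]   # None while the connection is still open
    mac: str


# Constructed sample: FDN, login, logout ("-" = still connected), MAC.
SAMPLE_LOG = """\
.davidc.d.employee.clemsonu\t1997-05-26 08:02:11\t1997-05-26 17:15:40\t00-00-c0-12-34-56
.jerm.j.employee.clemsonu\t1997-05-26 08:10:05\t1997-05-26 12:00:00\t00-00-C0-AB-CD-EF
.jerm.j.employee.clemsonu\t1997-05-26 08:12:30\t1997-05-26 09:00:00\t00-60-08-11-22-33
.employed.servers.clemsonu\t1997-05-26 00:00:01\t-\t00-00-C0-00-00-01
.bjones.b.student.clemsonu\t1997-05-26 10:00:00\t1997-05-26 11:30:00\t00-60-08-44-55-66
.bjones.b.student.clemsonu\t1997-05-26 14:00:00\t1997-05-26 15:00:00\t00-60-08-77-88-99
"""


def parse_log(text: str) -> List[Record]:
    """Parse records; a malformed line is an error, not silently skipped."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 tab-separated fields")
        fdn, login_s, logout_s, mac = fields
        login = datetime.strptime(login_s, TIME_FMT)
        logout = None if logout_s == "-" else datetime.strptime(logout_s, TIME_FMT)
        if logout is not None and logout < login:
            raise ValueError(f"line {lineno}: logout precedes login")
        records.append(Record(fdn, login, logout, mac.upper()))
    return records


def session_minutes(records: List[Record]) -> Dict[str, float]:
    """Total connected minutes per object, over closed sessions only."""
    totals: Dict[str, float] = defaultdict(float)
    for r in records:
        if r.logout is not None:
            totals[r.fdn] += (r.logout - r.login).total_seconds() / 60
    return dict(totals)


def open_connections(records: List[Record]) -> List[str]:
    """Objects (users, file servers, print servers) with no logout recorded."""
    return sorted({r.fdn for r in records if r.logout is None})


def overlapping_macs(records: List[Record]) -> Dict[str, Set[str]]:
    """Objects that held two connections at once from different MAC addresses.

    Worth a look (a shared or disclosed password is one explanation, a user
    with two machines another); this only surfaces the pattern.
    """
    by_fdn: Dict[str, List[Record]] = defaultdict(list)
    for r in records:
        by_fdn[r.fdn].append(r)
    flagged: Dict[str, Set[str]] = {}
    for fdn, recs in by_fdn.items():
        for i, a in enumerate(recs):
            for b in recs[i + 1:]:
                if a.mac == b.mac:
                    continue
                a_end = a.logout or datetime.max
                b_end = b.logout or datetime.max
                if a.login < b_end and b.login < a_end:   # intervals overlap
                    flagged.setdefault(fdn, set()).update({a.mac, b.mac})
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("minutes:", session_minutes(recs))
    print("open:", open_connections(recs))
    print("overlapping MACs:", overlapping_macs(recs))
```

On the sample, `.jerm.j.employee.clemsonu` is flagged (two sessions open at once from different MACs) while `.bjones.b.student.clemsonu` is not, because its two sessions from different MACs do not overlap.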
Dial-In
  • Mostly rely on contract between users and Internet Service Providers (ISPs) for dial-in access
    • Campus-MCI
  • Some PPP connectivity through Livingston server with Remote Authentication Dial-In User Service (RADIUS) modified to use NDS via the Authentication Server
Dial-In (cont.)
  • Attempting to get NetWare/IP deployed this summer for file server connectivity via PPP
  • Starting to deploy Dynamic Host Configuration Protocol (DHCP) for dial-in and dorm usage only
Server Growth
  • Split user data servers
    • e.g., StudentD1 and StudentD2
  • Common access server for both students and faculty/staff (scratch disk)
  • Develop tools for user disk clean up
  • Develop more tools to help end users get more out of NDS and the network in general
What We Need
  • Web interface to unresolved as well as resolved issues at Novell
  • More out of Simple Management Protocol (SMP)
  • NDS on Windows NT (no replicas required)
  • Help from Novell on resolving “Windows NT Server” marketing-through-documentation issues
What We Need (cont.)
  • Code exits in Novell products such as Client 32, RADIUS, FTP server, Web server
  • Good performance monitoring (SMP) tools