novdev2 - Clemson University


Clemson University
NDS and The Computing Infrastructure
January 22, 1998
Division of Computing and Information Technology
Agenda
• Background on Clemson IS
• Mission & Support Structure
• Userid Management
• Network Design
• Server & Network Access
• Public Access Labs
• Printing
• Electronic Mail
• Intranet
• Authentication Server
• Futures
Background on Clemson Information Systems
Background
• Large Systems Background
• Strong Development Shop
• Mainframe and Open Systems Expertise
• Departmental LANs ruled the 90's until NDS
• NDS populated in Summer 1995 (36,000)
• Departmental LANs gone; more centralized management of the network.
• NDS is the centerpiece of security and authentication.
Mission & Support Structure
Mission
• Provide computing infrastructure.
• Empower users and departments.
• Provide guidance in selecting solutions based on industry standards.
• Deploy solutions to meet the needs of institutional computing.
• Provide user support and training.
Defining Groups
• Network Services - supports the physical network: routers, hubs, backbone.
• LAN Systems - supports application, group, and personal data servers.
• Client Support Group (CSG) - supports faculty and staff via TSPs.
• Systems Integration Group (SIG) - supports students and departmental labs.
Defining (more) Groups
• Computer Resources - assists with user account problems (DCIT sponsored).
• College Consultants - a DCIT sponsored person and college sponsored person(s) that help support the end users of the college.
• Technology Support Provider (TSP) - supports faculty/staff end users.
• Help Desk - sponsored by DCIT to assist end users.
Support Structure
Support is based on a four tier model (diagram; arrows labelled "Problems" and "Resources" run between the tiers):
Tier 1: Network Services, LAN Systems
Tier 2: Computer Resources, Client Support, Systems Integration
Tier 3: TSPs, College Consultant, HelpDesk
Tier 4: Faculty, Staff, Students
Server Strategy & Management
• Novell and NT servers maintained by the Division of Computing & Info Tech (DCIT).
• DCIT provides hardware and Network Operating System (NOS).
• DCIT administers backups.
• DCIT performs user administration.
• Group maintains data and security with help of a Tech Support Provider (TSP).
• Virus protection and software metering.
Userid Management
Automatic Userid System (AUS)
Diagram: Personnel, Admissions and other source systems feed AUS; AUS in turn provisions NDS, MVS, Unix and other systems.
Automating User Maintenance
Diagram: Personnel, Admissions and other feeds drive AUS on MVS.
• Present: AUS output is transferred by FTP and applied to NDS by a daily UIMPORT run.
• Summer '97: real-time updates over TCP/IP to USRMAINT.NLM on NDS, which adds users, modifies user attributes and deletes users.
Network Design
Physical Network Design
Diagram: FDDI backbone (with a T1 link) connecting servers; further servers attached at 100BT through a switch.
Tree Design
Diagram: tree root ClemsonU with two top-level containers, Users and Organizations.
Every Person Has a Place
Diagram: ClemsonU > Users holds Students, Employee and Misc containers, each split into sub-containers A to Z.
Every Group Has a Place
Diagram: ClemsonU > Organizations holds Athletics, DCIT, CAFLS, CES, Forestry, Research, Deans Office, ...
Partition Design
Diagram: partitions at ClemsonU; Employee with child partitions A, B, ... Z; Students with child partitions A, B, ... Z; Athletics; DCIT (CSO, CSG, APS).
Use Dedicated "ROOT" Servers for NDS Replicas
Diagram: CU_ROOT_1 holds the Master replica of every partition; CU_ROOT_2 holds a R/W replica of every partition; CU_ROOT_3 holds R/W replicas of the user partitions "A" to "Z"; a Group Server may optionally hold a R/W replica. The root servers sit on the FDDI backbone (ITC); group servers hang off a 100BT switch.
Distribute Network Management
Login Script Design
• Based on Profile scripts and User scripts.
• No container scripts.
• Use base profiles: (EMPLOYEE, STUDENT)
• Base profile includes high level organizational scripts based on membership.
• Organizational scripts controlled by TSPs.
• Organization scripts may include departmental scripts managed by others.
Script Design & Management
Diagram of the script chain: base profile .EMPLOYEE.employee.clemsonu; group script .GROUPIFS.employee.clemsonu; organizational scripts .ENG.ces.clemsonu and .AG.cafls.clemsonu; departmental scripts .BioE.ces., .Civil.ces., .Forestry.cafls.; ISALAB; User Script.
Server Time Sync Hierarchy
Diagram: Reference Server C (synchronised to an External Source); Primary Servers A and B; Secondary Servers D and E taking time from the primaries.
Server and Network Resource Access
Personal Storage (User Data Servers)
• Any Faculty or Staff Member, from Office, Lab, or DialUp -> EmployeD
• Any Student, from Dorm, Lab, or DialUp -> StudentD
Personal Data Server Configuration
Server   | Processor    | Memory | Disk        | Replicas | Homedirs | Base Quota
EmployeD | Dual Pro-166 | 512MB  | 50GB RAID5  | None     | ~11,000  | 100MB
StudentD | Dual Pro-200 | 768MB  | 93GB RAID5  | None     | ~25,000  | 25MB
Collaborative Storage - "Group Servers" (Faculty & Staff)
Diagram: EmployeD users share Group Server1 and Group Server2.
Collaborative Storage - "App Servers" (Students)
Diagram: StudentD users share Applications Server(N).
Group/App/Root Server Average Configuration
Server | Processor | Memory | Disk | Replicas     | Users   | Volumes
Group  | P200      | 128MB  | 8GB  | Possible R/W | 25-250  | SYS, SHARE
App    | P166      | 64MB   | 4GB  | None         | 25-250  | SYS
Root   | Pro-200   | 256MB  | 2GB  | All Replicas | 250-800 | SYS
Collaborative Storage (Faculty and Students)
Diagram: EmployeD and StudentD users meet on Group Server1 and App Server N.
Faculty/Student Collaboration
• Faculty member wants to put data on the network that his students can use.
• Student submission of work to faculty.
• Students collaborate on team projects with assistance from faculty member.
• Students and Faculty collaborate on projects or assignments.
• Publish web pages as a team or class.
Faculty and TSP/Client Support Management
Diagram: directories on Group Server1 with rights of Read Only, Create Only, Read Write, and Teams (R/W with Tgroups).
Collaborative Storage and Network Bandwidth
Diagram: Group Server1.
Public Access Labs
The Virtual PC
Outline
• Environment for the Virtual PC (VPC)
• How the Current VPC Environment Evolved
• Mechanics of the VPC
• Setting up the Computer
• Boot time
• Login and Login Script
• Profiles
• Software Involved
• Future Directions
Standard Lab
• Standard Set of Applications
• Standard Operating System(s)
• Contextless Login
• Standard Drive Mappings
• Identical Hard Drive Contents
The Environment as Seen by the
Machine
• Data Servers
• Application Servers
• Hard Drive Image
• Handling Locations and Hardware
Personal Storage (User Data Servers)
Diagram (repeated from above): Any Faculty or Staff Member (Office, Lab, or DialUp) -> EmployeD; Any Student (Dorm, Lab, or DialUp) -> StudentD.
Collaborative Storage - "App Servers" (Students)
Diagram (repeated from above): StudentD users share Applications Server(N).
Goals of the Virtual PC Paradigm
• Easy Maintenance
• Provide Global Access to Password Protected Network Disk Space
• Allow User to Customize his Desktop
• Same Environment ("look and feel") Regardless of Location, Hardware, or Facility Ownership
Evolution
• Pre-Netware
• Windows 3.11 Under Netware
• Windows 95 Under Netware
How it Happens to the User
Constructing the Machine
• The Rebuild Disk
• REBUILD <location> <pctype> {options}
• Importance of VLM Client
Boot Time Events
• Location, PCType, “ISALAB”, and Other
Environment Variables
• Some Registry Updates to Ensure Default Desktop
Appearance and Server Failover Keys
Contextless Login
• Can’t Teach End Users What a Context is
• Using Commercial Product Because Netware SDK
Lacks Information
The Login Script
• Perform Some Basic Actions
• Perform Group-specific Actions
• Perform Lab Actions
• Load Profile
Isitcool - Fail-over Applications Server Attachment
Diagram: a lab workstation asks the ISITCOOL NLM on each Applications Server (1, 2, ... n) "Isitcool?"; a server answering NO! is skipped, and the first answering YES! is attached to for the disk image and applications.
1. Using IP, get info from primary app server ISITCOOL.
2. If attach failure or ISITCOOL reports no, try next server.
3. Attach to server using Netware client.
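The three steps above, written out as a selection loop. This is an added example and not Clemson's isitcool or cumap code: the probe port, the "YES"/"NO" reply text, the server names and the stand-in probe/attach functions are assumptions made so the block runs offline.

```python
"""Fail-over applications server selection, following the three ISITCOOL
steps.  Added example; port, reply text and server names are assumed."""
import socket
from typing import Callable, Dict, Optional, Sequence

Probe = Callable[[str], str]     # host -> ISITCOOL reply ("YES"/"NO"); may raise OSError
Attach = Callable[[str], bool]   # host -> True if the NetWare attach succeeded


def probe_over_ip(host: str, port: int = 9999, timeout: float = 2.0) -> str:
    """Step 1: ask the server's ISITCOOL service over IP.
    The port and the request text are assumptions for this example."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"ISITCOOL?\r\n")
        return sock.recv(64).decode("ascii", "replace").strip().upper()


def select_app_server(servers: Sequence[str], probe: Probe, attach: Attach) -> Optional[str]:
    """Walk the preference list in order.  A server is skipped (step 2) when
    the probe fails, answers anything but YES, or the attach fails; the
    first server that attaches (step 3) wins.  None means every server was
    skipped and the workstation has nowhere to load its image from."""
    for host in servers:
        try:
            answer = probe(host)
        except OSError:
            continue                 # unreachable: treat like a NO
        if answer != "YES":
            continue                 # server says it is not cool
        try:
            if attach(host):
                return host
        except OSError:
            pass                     # attach failure: try the next one
    return None


# Constructed stand-ins so the example runs without a lab network.
def fake_probe(table: Dict[str, Optional[str]]) -> Probe:
    """None in the table models a server that does not answer at all."""
    def _probe(host: str) -> str:
        reply = table[host]
        if reply is None:
            raise OSError("no route to host")
        return reply
    return _probe


def fake_attach(reachable: Sequence[str]) -> Attach:
    return lambda host: host in reachable


if __name__ == "__main__":
    table = {"APPSERV1": None, "APPSERV2": "NO", "APPSERV3": "YES", "APPSERV4": "YES"}
    # 1 is unreachable, 2 says NO, 3 says YES but refuses the attach -> 4
    print(select_app_server(list(table), fake_probe(table), fake_attach(["APPSERV4"])))
```

Worth noting when reading the diagram: the probe is an unauthenticated IP request, so whatever answers on that port decides where a workstation loads its image from. That is the same trust-in-the-network theme as the later remark that the image lives in the unprotected login directory.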
Loading the Profile
• PCRDist is Called by the Login Script
• PCRDist Imports User Registry Keys from Directory Mapped to Drive U:
• First Time Lab Users Get Setup
• Printers
Special Mappings and Events
• Mapping Shared Disk (most done by Login Scripts)
• NAL (will eventually be doing most special mappings)
Collaborative Storage - "Group Servers" (Faculty & Staff)
Diagram (repeated from above): EmployeD users share Group Server1 and Group Server2.
Collaborative Storage (Faculty and Students)
Diagram (repeated from above): EmployeD and StudentD users meet on Group Server1 and App Server N.
Logout
• Logout Only
  – Export User Registry
• Logout and Shutdown
  – Export User Registry
  – Perform Maintenance
Problems
• Present Implementation not Scalable
• DCIT Lab Support Must do All Software Installs
• DCIT Lab Support Must Handle All Initial Lab Setup Operations
• If Present Trends Continue, Labs of Computers will be Replaced by Labs of Network Jacks
• Image must live in the login directory (not protected)
• Metering
Summary of Novell Components
• Netware
• Client32 (IntraNetware Client)
• NAL
• VLM Client
Summary of Novell Products We Can Almost Use
• NAL
  – We can't distribute apps with NAL, so .AOT files are useless.
• SnapShot
  – With .AOT files useless, SnapShot is useless too.
• Client32 (IntraNetware Client) Login
  – Requires execution of some app
  – Will not permit re-mapping
  – Need contextless login
• NRS: will not allow replication of directories on SYS (specifically, login)
Summary of 3rd Party Products
• SoftTrack
• PC Rdist and TRAPSD
  – Need a Netware client with integrated profile handling and event hooks
• SFLogin
  – Need a contextless login with event hooks
• NWCopy
  – NRS needs to allow us to replicate specific SYS volume directories
• Pcounter
  – Need better auditing tools
CU Products
• cumap
• isitcool
• datacool
• editreg/patch95
• editini
• difrator (in development)
• labstats (in re-development)
Future Directions for Us
• Departmental Software (Hardware?) Installations
• Remote Control of Workstation
• Queuing Users Waiting for a Computer
• Move from Lab to Laptop
Future Directions for Novell's Products?
• Client integrate profload stuff
• Logout exits
• Client should allow us to customize machine as well as user. We can think of a dozen uses for the Computer object in NDS!
• Basically, Novell should handle the profiles (store the sludge in NDS?)
• Metering
• Improve Auditing Tools
Printing
Printing Strategy
• All shared printers are network attached, supporting only the IPX protocol (HP JetDirect).
• All printer access is controlled through NDS print queues.
• Unix Print Services makes any print queue available to Unix/MVS/??? hosts using standard LPR/LPD protocols.
• Unix Print Services also makes high speed institutional printers on MVS available to both Netware and Unix users/applications.
Printing Strategy
Diagram: PC and Mac clients submit to NDS print queues (Q); a Print Gateway links those queues to queues on OS/390, Unix and other ("???") hosts.
NDS Design for Printing
Diagram: under clemsonu, the Employee and Students containers (A, B, ...) hold Printers containers named by location (Poole, Library, ITC, ...) and PrtDev containers for CAFLS and CES (Civil, Mechanical, ...).
Electronic Mail
Electronic Mail Server:
• Based on Sun Solaris.
• No user accounts required on Solaris.
• Server software developed at Clemson.
• Multiple recipients / one copy of message.
• Server based on POP/MIME Internet standard protocols. IMAP4 coming?
• Eudora site license purchased by DCIT.
• Listserver gaining widespread acceptance and use. Class/section list automated.
Mail Server
Diagram: the Mail Server runs popD and ListD; POP clients (POPc) on mainframe, UNIX, Mac, DOS, Windows, OS/2 and others (?) connect to it.
Mail Server: Statistics
Category                                 | 1995 | 1996 | 1997*
Daily Average POP Connections            | 14k  | 46k  | 85k
Daily Average Msgs Retrieved from Server | 13k  | 36k  | 62k
Average Msgs Sent using Server per day   | 27k  | 48k  | 92k
*based on partial year statistics through May 26, 1997.
Automated Distribution Lists
Diagram: ListMGR on MVS OS/390 takes class rolls and department data and pushes list membership over TCP/IP to ListD on the Mail Server.
Automated NDS Group Membership
Diagram: the same ListMGR data also reaches GroupMGR.NLM over TCP/IP, which maintains the corresponding group membership in NDS.
Student Interface to Collaborative Storage
• Use DMOs along with a graphical tool to have users select and map network resources to make them available.
Managing Distribution Lists with NDS
Diagram: GroupMGR.NLM uses RegisterForEvent() to monitor group membership modifications in NDS (the group's Membership and See Also attributes) and sends the changes over TCP/IP to ListD on the Mail Server.
NDS Interface to the List Server
• Enabler for collaborative work between Faculty and Students.
• Uses data from the employee system on MVS to keep department NDS groups correct.
• Lets users use NWAdmin to administer email lists.
• Eliminates the need to make changes in both NDS and the list server.
• Ensures that data is correct everywhere.
Intranet
WEB Serving
• Institutional Servers
• Department or Group Servers
• Organizational Page Servers
• Personal Page Servers
• Administrative and Student Application Page Servers
• NDS web Security via NT/Unix/?
Authentication Server
Authentication Server
• Too many userid/password combinations for each user to remember.
• Need central set of secure servers that all systems use for authentication.
• Clemson University Personal ID (CUPID).
• Based on Automatic Userid System (AUS).
• Idea born in interdepartmental task force.
• Production on July 1, 1996.
Authentication Server
Diagram: authentication clients (authC) for MAIL, Unix, WEB, Sun, Oracle, NT, mainframe and Netware all talk to the authentication servers.
Diagram: AUTHSERV.NLM runs on IntranetWare Servers A, B and C (each holding NDS). AuthClient instances on MAIL (Solaris, POPd), Mainframe (MVS, RACF, VTAM Onlines), NTServer 4.0 (Website application) and Linux (Apache application) call them; the user workstation ('95/Mac/NT Workstation) reaches those systems through Eudora, TN3270, Netscape and Login.exe.
Authentication Server
• NLM is multithreaded.
• Clients use common code base.
• Clients have builtin failover capability.
• Communication based on TCP/IP sockets.
• >90% successful password checks complete in less than 0.1 seconds.
• >2 million requests serviced by primary server over a 6 week period. 50,000/day
(Back to) Intranet
NDS Authentication through NT/Unix/other To the WEB?
Application: Employee Info System (EIS)
Type: WEB
Server OS: Windows NT 4.0
Server Enabling App: Website/Visual Basic
Using NDS Security Across the Intranet
Diagram: Netscape on the workstation sends a page request to IIS on NT 4.0 (the authenticated client server); a 32bit DLL calls the Auth Client, which sends CheckEquiv to the Authentication Server (AUTHSERV NLM); AUTHSERV locates the user object in NDS and runs the equivalence list (Check Security Equivalence).
AUTHSERV Client Functions
• Password Check
• Password Change
• Resolve to Fully Distinguished Name
• Check Security Equivalence
• Return Group Membership
• Misc Administrative Functions
Authentication Server as an NDS Data Gateway
Application: Call Tracking System
Type: WEB
Server OS: Windows NT 4.0
Server Enabling App: Website/Visual Basic
(Screenshot: a pick list populated from NDS - Not Assigned, BILL, BROYLES, CCR, DAVE, DAVIDC, DON, JAMBO, YATES.)
Caldera OpenLinux and Apache
• WEB gateway to Netware File System.
Diagram: browsers reach Apache on Caldera OpenLinux, which authenticates through AuthC against the AuthServer and serves content from the Netware File Servers.
Caldera OpenLinux and Apache
• First attempt to provide web services via Novell made use of Novell's IntranetWare Web Server 1.0, which simply was not reliable.
• Caldera OpenLinux provided robust Unix connectivity to NDS and supported the industry standard Apache web server.
• Out of the box Caldera/Apache did not provide home directory redirection and/or authentication. It did however provide the source code needed to make these modifications.
Caldera OpenLinux and Apache Modifications
• Added a module that would link Apache's UserDir directive to the user's Novell home directory, making http://www.clemson.edu/~erich point to EMPLOYED/USR02:\USERS\U20\ERICH\PUBLIC.WWW
• Since Caldera is NDS aware, this also allows us to serve group web sites via their own group servers.
Web Interface to Home Directories via Authserv NDS Gateway
http://www.clemson.edu/~acollin
Application: Personal Pages
Type: WEB
Server OS: Linux
Server Enabling App: Apache/Caldera
Web Interface to Department Pages
http://dcitnds.clemson.edu/CSO/depts/maint
Application: Departmental Pages
Type: WEB
Server OS: Linux
Server Enabling App: Apache/Caldera
Caldera OpenLinux and Apache Modifications
• Added another module using the previously mentioned Authentication Server routines to provide both user and group authentication.
• Makes use of standard HTACCESS format with additional Novell Directives.
Using NDS to Secure Web Pages
NovellAuth on
AuthName Novell Tree
AuthType Basic
<Limit GET POST>
require user gmcochr
require user kellen
require group .resadmin.groups.employee.clemsonu
</Limit>
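How the AUTHSERV client functions listed earlier (password check, resolve to fully distinguished name, check security equivalence, return group membership) would back the `require user` / `require group` lines of the block above. This is an added example, not Clemson's AUTHSERV.NLM or their Apache module: the directory contents, the user names other than those in the block, the passwords, the PBKDF2 hashing and the containment rule for equivalence are all constructed for illustration.

```python
"""Model of the AUTHSERV client functions driving NovellAuth `require`
evaluation.  Added example; directory, passwords and hashing are assumed."""
import hashlib, hmac, os
from typing import Dict, List, Optional, Set, Tuple

PBKDF2_ROUNDS = 100_000


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class Directory:
    """Constructed stand-in for the NDS tree the authentication server reads."""
    def __init__(self) -> None:
        self._creds: Dict[str, Tuple[bytes, bytes]] = {}   # user FDN -> (salt, hash)
        self._groups: Dict[str, Set[str]] = {}              # group FDN -> member FDNs

    def add_user(self, fdn: str, password: str) -> None:
        salt = os.urandom(16)
        self._creds[fdn] = (salt, _derive(password, salt))

    def add_group(self, fdn: str, members: List[str]) -> None:
        self._groups[fdn] = set(members)

    # --- the AUTHSERV client functions ---------------------------------
    def resolve_fdn(self, name: str) -> Optional[str]:
        """Contextless login: a bare name is matched on the leaf CN.  A name
        present in more than one container is ambiguous and refused, never
        guessed."""
        if name.startswith("."):
            return name if name in self._creds else None
        hits = [f for f in self._creds if f.split(".")[1].lower() == name.lower()]
        return hits[0] if len(hits) == 1 else None

    def check_password(self, fdn: str, password: str) -> bool:
        rec = self._creds.get(fdn)
        if rec is None:
            _derive(password, b"\0" * 16)    # same cost for an unknown user
            return False
        salt, stored = rec
        return hmac.compare_digest(_derive(password, salt), stored)

    def group_membership(self, fdn: str) -> Set[str]:
        return {g for g, members in self._groups.items() if fdn in members}

    def check_equivalence(self, fdn: str, obj: str) -> bool:
        """Security equivalence: the object itself, each group it belongs
        to, and every container above it (e.g. .E.employee.clemsonu)."""
        if obj == fdn or obj in self.group_membership(fdn):
            return True
        parts = fdn.split(".")    # ".erich.E.employee.clemsonu" -> ["", "erich", "E", ...]
        containers = {"." + ".".join(parts[i:]) for i in range(2, len(parts))}
        return obj in containers


def parse_require(block: str) -> List[Tuple[str, str]]:
    """Collect `require user X` / `require group Y` lines; each is one
    alternative, as in Apache."""
    rules = []
    for line in block.splitlines():
        words = line.split()
        if len(words) >= 3 and words[0].lower() == "require" and words[1] in ("user", "group"):
            rules.append((words[1], words[2]))
    return rules


def authorize(d: Directory, login: str, password: str, block: str) -> Optional[str]:
    """Authenticate against the directory, then allow if any rule matches.
    Returns the FDN on success, None on any failure."""
    fdn = d.resolve_fdn(login)
    if fdn is None or not d.check_password(fdn, password):
        return None
    for kind, name in parse_require(block):
        if kind == "user" and d.resolve_fdn(name) == fdn:
            return fdn
        if kind == "group" and d.check_equivalence(fdn, name):
            return fdn
    return None


HTACCESS = """NovellAuth on
AuthName Novell Tree
AuthType Basic
<Limit GET POST>
require user gmcochr
require user kellen
require group .resadmin.groups.employee.clemsonu
</Limit>
"""


def demo_directory() -> Directory:
    """Constructed users and one group; erich is allowed only via the group."""
    d = Directory()
    d.add_user(".gmcochr.G.employee.clemsonu", "correct horse")
    d.add_user(".kellen.K.employee.clemsonu", "battery staple")
    d.add_user(".erich.E.employee.clemsonu", "pass-erich")
    d.add_user(".jsmith.J.students.clemsonu", "pass-jsmith")
    d.add_group(".resadmin.groups.employee.clemsonu", [".erich.E.employee.clemsonu"])
    return d
```

Two practical points the block illustrates: a contextless resolver must refuse an ambiguous name rather than pick one, and in Apache a `<Limit GET POST>` section restricts only those methods (HEAD follows GET), so any other method reaches the resource without the `require` check.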
WebAuth: Web Single Signon
Only trusted web servers prompt for userid/password and set a cookie in the browser. Other web servers must use the cookie to determine the user.
Diagram: the Web Browser on the Workstation requests a page from a 3rd Party WebServer (WebAuth Client), which redirects it to the DCIT Authentication Trusted WebServer; there the Auth Client checks the userid/password with AuthServ NLM (NDS) and the WebAuth NLM STOREs the session and sets the cookie; on later requests the 3rd party server's WebAuth Client CHECKs the cookie against the WebAuth NLM to identify the user.
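A signed single-signon cookie following the split described above: only the trusted server, having checked the password with the authentication server, mints the cookie; any other server can verify it. This is an added example, not Clemson's WebAuth NLM or client: the cookie layout, the HMAC construction, the shared key and the session lifetime are assumptions.

```python
"""Signed SSO cookie: trusted server issues, other servers verify.
Added example; layout, key handling and lifetime are assumed."""
import base64, hashlib, hmac, time
from typing import Optional

COOKIE_TTL = 8 * 3600   # assumed session lifetime in seconds


def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode("ascii").rstrip("=")


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _mac(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_cookie(fdn: str, key: bytes, now: Optional[int] = None, ttl: int = COOKIE_TTL) -> str:
    """Trusted-server side, run only after the userid/password was accepted:
    cookie = b64(fdn) . expiry . b64(HMAC(key, fdn|expiry))."""
    now = int(time.time()) if now is None else now
    expiry = now + ttl
    payload = f"{fdn}|{expiry}".encode("utf-8")
    return f"{_b64(fdn.encode('utf-8'))}.{expiry}.{_b64(_mac(key, payload))}"


def verify_cookie(cookie: str, key: bytes, now: Optional[int] = None) -> Optional[str]:
    """Consumer side: return the FDN the trusted server vouched for, or None
    for a malformed, tampered or expired cookie.  The MAC is checked before
    the expiry is believed, so rewriting the expiry gains nothing."""
    now = int(time.time()) if now is None else now
    try:
        fdn_b64, expiry_str, tag_b64 = cookie.split(".")
        fdn = _unb64(fdn_b64).decode("utf-8")
        expiry = int(expiry_str)
        tag = _unb64(tag_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = _mac(key, f"{fdn}|{expiry}".encode("utf-8"))
    if not hmac.compare_digest(tag, expected):
        return None
    if now >= expiry:
        return None
    return fdn


def tamper(cookie: str, new_fdn: str) -> str:
    """What a party without the key can do: swap the user, keep the tag."""
    _, expiry, tag = cookie.split(".")
    return f"{_b64(new_fdn.encode('utf-8'))}.{expiry}.{tag}"
```

With a symmetric MAC every verifying server holds the key and could therefore also mint cookies; the diagram's arrangement, where the third-party server sends the cookie back to the WebAuth NLM for a CHECK instead of validating it locally, keeps the key on the trusted side. Either way the cookie is only as safe as the path it travels and the browser that stores it.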
Auditing NDS Connections
• Have not had much luck with standard auditing in 4.x.
• Hook login/logout in AUDITLGN.NLM.
• Writes easy to manipulate log files.
• Data logged includes fully distinguished object name, login time, logout time, and MAC address.
• Monitor file server and print server as well as user connections.
Dialin
• Mostly rely on a contract between users and ISPs for dialin access. Campus-MCI.
• Some PPP connectivity through a Livingston server with Radius modified to use NDS via the Authentication Server.
• Attempting to get Netware/IP deployed this summer for file server connectivity via PPP.
• Starting to deploy DHCP for dialin and dorm usage only.
Server Growth
• Split User Data Servers (ie: StudentD1 and StudentD2)
• Common access server for both Students and Faculty/Staff (scratch disk)
• Develop tools for user disk cleanup.
• Develop more tools to help end users get more out of NDS and the network in general.
What We Need
• Web interface to unresolved as well as resolved issues at Novell.
• More out of SMP.
• NDS on NT (no replicas required).
• Help from Novell on resolving "NT Server" marketing-through-documentation issues.
• Code Exits in Novell Products such as client32, Radius, FTP server, Web server.
• Good performance monitoring (SMP) tools.
That’s It!
(that’s enough..)