No Slide Title - Clemson University


UNITED
Understanding NDS for
Directory-Enabled Solutions
David Condrey, LAN Systems Manager
[email protected]
Clemson University
Jeremy Campbell, Information Resource Consultant
[email protected]
Clemson University
UNITED STATES
Novell Directory Services (NDS) and the Computing Infrastructure
A real world example: Clemson University, Division of Computing and Information Technology
Agenda
- Background on Clemson information systems
- Mission and support structure
- Userid management
- Network design
- Server and network access
- Public access labs
- Printing
- Electronic mail
- Intranet
- Authentication server
- Futures
Background on Clemson Information Systems

Background
- Large systems background
- Strong development shop
- Mainframe and open systems expertise
- Departmental LANs ruled the 90's until Novell Directory Services (NDS)
- NDS populated in Summer 1995 (36,000)
- Departmental LANs gone; more centralized management of the network
- NDS is the centerpiece of security and authentication
Mission and Support Structure

Mission
- Provide computing infrastructure
- Empower users and departments
- Provide guidance in selecting solutions based on industry standards
- Deploy solutions to meet the needs of institutional computing
- Provide user support and training
Defining Groups
- Network services: supports the physical network (routers, hubs, backbone)
- LAN systems: supports application, group, and personal data servers
- Client Support Group (CSG): supports faculty and staff via Technology Support Providers (TSPs)
Defining Groups (cont.)
- Systems Integration Group (SIG): supports students and departmental labs
- Computer resources: assists with user account problems
  - Sponsored by the Division of Computing and Information Technology (DCIT)
- College consultants: a DCIT-sponsored person and college-sponsored person(s) that help support the end users of the college
Defining Groups (cont.)
- Technology Support Provider (TSP): supports faculty/staff end users
- Help desk: sponsored by DCIT to assist end users
Support Structure
- Support is based on a four tier model
[Diagram: four tier support model (tiers 1 to 4) through which problems flow. Labels shown: faculty, staff, students; TSPs, college consultant, help desk; client support, computer resources, systems integration; LAN systems, network services; resources.]
Server Strategy and Management
- Novell and Windows NT servers maintained by DCIT
- DCIT provides hardware and Network Operating System (NOS)
- DCIT administers backups
- DCIT performs user administration
- Group maintains data and security with help of a TSP
- Virus protection and software metering
Userid Management

Automatic Userid System (AUS)
[Diagram: Personnel, Admissions and other source systems on MVS feed the AUS, which in turn populates NDS, UNIX and other systems.]
Automating User Maintenance
[Diagram: Personnel, Admissions and other MVS data feed AUS. Old method: FTP transfer and a daily UIMPORT run. Summer '97: USRMAINT.NLM over TCP/IP, with real-time add users, modify user attributes, and delete users in NDS.]

Network Design
Physical Network Design
[Diagram: FDDI backbone with a T1 link; servers attached at 100BT through a switch.]
Tree Design
[Diagram: tree ClemsonU with Users and Organizations beneath it.]
Every Person Has a Place
[Diagram: ClemsonU contains Students, Employee and Misc. containers, each subdivided A to Z, alongside Organizations.]
Every Group Has a Place
[Diagram: ClemsonU contains Users and organizational containers such as Athletics, DCIT, CAFLS, CES, Forestry Research and Dean's office.]
Partition Design
[Diagram: partitions for Students A to Z and Employee A to Z, plus organizational partitions such as Athletics and DCIT (CSO, CSG, APS).]
Use Dedicated “ROOT” Servers for NDS Replicas
[Diagram: CU-ROOT-1 holds the Master replica for all partitions; CU-ROOT-2 holds Read/Write replicas for all; CU-ROOT-3 holds Read/Write replicas for the user partitions “A” to “Z”; a group server holds an optional Read/Write replica. The root servers sit on the FDDI backbone (ITC) behind a 100BT switch.]
Distribute Network Management
Login Script Design
- Based on profile scripts and user scripts
- No container scripts
- Use base profiles: EMPLOYEE and STUDENT
- Base profile includes high level organizational scripts based on membership
- Organizational scripts controlled by TSPs
- Organization scripts may include departmental scripts managed by others
Script Design & Management
[Diagram: base profile scripts .EMPLOYEE.employee.clemsonu and .GROUPIFS.employee.clemsonu include organizational scripts such as .AG.cafls.clemsonu and .ENG.ces.clemsonu, which include departmental scripts such as .BioE.ces., .Forestry.cafls. and .Civil.ces.; ISALAB and the user script follow.]
Server Timesync Hierarchy
[Diagram: Reference server C, fed by an external time source; Primary servers A and B; Secondary servers D and E.]
Server and Network Resource Access

Personal Storage (User Data Servers)
[Diagram: any faculty or staff member, from office, lab, or dial-in, reaches EmployeDn; any student, from dorm, lab, or dial-in, reaches StudentDn.]
Personal Data Server Configuration

                  EmployeD(2)     StudentD(5)
Processor         Dual Pro–200    Pentium II–300
Memory            1024MB          512MB
Disk              90GB (RAID5)    50GB (RAID5)
Replicas          None            None
Home directories  ~11,000         ~25,000
Base quota        100MB           25MB
Collaborative Storage—“Group Servers” (Faculty and Staff)
[Diagram: EmployeD alongside Group Server1 and Group Server2.]

Collaborative Storage—“Applications Servers” (Students)
[Diagram: StudentD alongside Applications Server (N).]
Group/App/Root Server Average Configuration

            Group          App            Root
Processor   Pro-200        P-200          P2-300
Memory      128MB          64MB           384MB
Disk        18GB           9GB            4GB
Replicas    Possible R/W   None           All replicas
Users       25–250 users   25–250 users   250–800 users*
Collaborative Storage (Faculty and Students)
[Diagram: EmployeD and Group server1 on the faculty side, StudentD and App server on the student side.]
Faculty/Student Collaboration
- Faculty member wants to put data on the network that students can use
- Student submission of work to faculty
- Students collaborate on team projects with assistance from a faculty member
- Students and faculty collaborate on projects or assignments
- Publish web pages as a team or class
Faculty and TSP/Client Support Management
[Diagram: Group Server1 directories with Read Only, Create Only, and Read Write access, and Teams directories with R/W for Tgroups.]
Collaborative Storage and Network Bandwidth
[Diagram: Group Server1.]

Public Access Labs: Home of the Virtual Personal Computer
Outline
- Environment for the Virtual PC (VPC)
- How the current VPC environment evolved
- Mechanics of the VPC
  - Setting up the computer
  - Boot time
  - Login and login script
  - User Profiles
- Software involved
- Future directions
Standard Lab
- Standard set of applications
- Standard operating system
- Standard context-less login
- Standard drive mappings
- Standard hard drive contents
The Environment as Seen by the Machine
[Diagram: local hard drive, local printer, StudentDn and App server.]
Goals of the Virtual PC Paradigm
- Easy maintenance
- Provide global access to password protected network disk space
- Allow user to customize his desktop
- Same environment (“look and feel”) regardless of location, hardware, or facility ownership
Evolution
- Pre-NetWare
- Windows 3.11 under NetWare
- Windows 95 under NetWare
How It Happens to the User
VPC = A series of software manipulations triggered by user login and logout.
[Diagram: StudentDn.]
Constructing the Machine
- The rebuild disk
- REBUILD <location> <pctype> {options}
- VLM Client allows it all on one floppy
Boot Time Events
- Location, PC type, “ISALAB”, and other environment variables
- Some registry updates to ensure default desktop appearance and server failover keys
Contextless Login
- Can’t teach end users what a context is
- Using a commercial product because we needed an immediate solution.
The Login Script
- Perform some basic actions
- Perform group-specific actions
- Perform lab actions
- Load profile
Isitcool—Failover Applications Server Attachment
[Diagram: a lab workstation with a local disk image of the applications, and Applications Server(1), Applications Server(2) ... Applications Server(n), each running the ISITCOOL NLM.]
1. Using IP, get info from the primary app server's Isitcool (answer YES or NO).
2. If the attach fails or Isitcool reports NO, try the next server.
3. Attach to the server using the NetWare client.
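The three-step attach above, written out as an added example; this is not Clemson's ISITCOOL NLM, login script or NetWare client. The probe and attach callables stand in for the IP query to the Isitcool NLM and for the NetWare attach, and tcp_isitcool() assumes a one-word YES/NO reply on a port of the caller's choosing, which is an assumption about the wire format rather than the NLM's real protocol. The server names and health table are constructed.

```python
"""Failover selection of an applications server, after the Isitcool flow.

Added example, not Clemson's ISITCOOL NLM, login script or NetWare client.
The YES/NO-over-TCP probe format and the server names are assumptions.
"""
import socket
from typing import Callable, List, Optional


class ProbeError(Exception):
    """A probe or attach could not complete (timeout, refused, I/O error)."""


def tcp_isitcool(host: str, port: int, timeout: float = 2.0) -> bool:
    """Ask a server over TCP whether it is 'cool'; unreachable is an error,
    not a NO, so the caller can tell 'down' from 'asked us to stay away'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return s.recv(8).strip().upper() == b"YES"
    except OSError as exc:
        raise ProbeError(f"{host}:{port}: {exc}") from exc


def select_app_server(servers: List[str],
                      isitcool: Callable[[str], bool],
                      attach: Callable[[str], bool]) -> Optional[str]:
    """Return the first server that answers YES and accepts an attach.

    Step 1: ask the server's Isitcool whether it is in good shape.
    Step 2: on NO, on an unreachable server, or on an attach failure,
            move on to the next server in the list.
    Step 3: attach with the NetWare client and return that server.
    None means every server was rejected: the login script should fall
    back to the local disk image rather than hang at login.
    """
    for server in servers:
        try:
            if not isitcool(server):
                continue                  # server said NO: skip it
            if attach(server):
                return server
        except ProbeError:
            continue                      # timeout or attach failure: next
    return None


# --- constructed scenario (not from the page) ---------------------------
HEALTH = {"AppServer1": False, "AppServer2": True, "AppServer3": True}
ATTACHABLE = {"AppServer1": True, "AppServer2": False, "AppServer3": True}


def demo_isitcool(server: str) -> bool:
    if server not in HEALTH:
        raise ProbeError(f"no answer from {server}")
    return HEALTH[server]


def demo_attach(server: str) -> bool:
    if not ATTACHABLE[server]:
        raise ProbeError(f"attach to {server} failed")
    return True


def demo() -> Optional[str]:
    """Server 1 says NO, server 2 refuses the attach, server 3 is used."""
    return select_app_server(["AppServer1", "AppServer2", "AppServer3"],
                             demo_isitcool, demo_attach)


if __name__ == "__main__":
    print(demo())
```

The point worth keeping from the slide is step 2: an attach failure after a YES is treated the same as a NO, and the list is exhausted in order so every workstation in a lab walks the same failover sequence.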
Loading the Profile
- PC-Rdist is called by the login script
- PC-Rdist imports user registry keys from the directory mapped to drive U:
- First-time lab users get setup
- Printers
Special Mappings and Events
- Mapping shared disk: most done by login scripts
- Novell Application Launcher (NAL): will eventually be doing most special mappings
Logout
- Logout and shutdown: export user registry, perform maintenance
- Logout only: export user registry
Problems
- Present implementation not easily scaled
- DCIT lab support must do all software installs
- DCIT lab support must handle all initial lab setup operations
- If present trends continue, labs of computers will be replaced by labs of network jacks
- Image must live in the login directory (not protected)
- Metering
Summary of Novell Components
- NetWare
- Client 32 (intraNetWare client)
- NAL
- VLM client
- Novell Replication Services (testing)
Summary of Third-Party Products
- SofTrack
- PC-Rdist and TrapSD: need a NetWare client with integrated profile handling and event hooks
- SFLOGIN
- NWCopy
- PCOUNTER: need better auditing tools
Clemson University Products
- cumap
- isitcool
- datacool
- editreg/patch95
- editini
- difrator/TED (in development)
- labstats (in re-development)
Future Directions for Us
- Departmental software (hardware?) installations
- Remote control of workstation
- Queuing users waiting for a computer
- Move from lab to laptop
Printing

Printing Strategy
- All shared printers are network attached, supporting only the IPX protocol (HP JetDirect)
- All printer access is controlled through NDS print queues
- UNIX print services make any print queue available to UNIX/Multiple Virtual Storage (MVS)/??? hosts using the standard Line Printer Daemon (LPR/LPD) protocols
Printing Strategy (cont.)
- UNIX print services also make high speed institutional printers on MVS available to both NetWare and UNIX users/applications
Printing Strategy
[Diagram: PC and Mac clients submit to NDS print queues (Q); a print gateway links the queues with OS/390, UNIX and other (???) hosts.]
NDS Design for Printing
[Diagram: the clemsonu tree with Employees and Students containers (A, B, ...) each holding Printers, and a PrtDev container with entries such as CAFLS, CES, Civil, Poole, Library, ITC, ...]
Electronic Mail

Electronic Mail Server
- Based on Sun Solaris
- No user accounts required on Solaris
- Server software developed at Clemson
- Multiple recipients/one copy of message
- Server based on Post Office Protocol/Multipurpose Internet Mail Extensions (POP/MIME) Internet standard protocols
  - Internet Messaging Access Protocol 4 (IMAP 4) coming?
Electronic Mail Server
- Eudora site license purchased by DCIT
- List server gaining widespread acceptance and use
  - Class/section lists automated
Mail Server
[Diagram: POP clients (POPc) on the mainframe, UNIX, Mac, DOS, Windows, OS/2 and other platforms connect to the mail server's popD and ListD daemons.]
Mail Server: Statistics

Category                                       1995   1996   1997*
Daily average POP connections                  14K    46K    85K
Daily average messages retrieved from server   13K    36K    62K
Average messages sent using server per day     27K    48K    92K
*based on partial year statistics through May 26, 1997
Automated Distribution Lists
[Diagram: ListMGR on MVS OS/390 takes class rolls and department data and feeds the mail server's popD and ListD over TCP/IP.]
Automated NDS Group Membership
[Diagram: ListMGR on MVS OS/390 sends class rolls and department data over TCP/IP both to the mail server (popD, ListD) and to the GroupMGR NLM, which updates NDS.]
Student Interface to Collaborative Storage
- Use DMOs along with a graphical tool to have users select and map network resources to make them available
Managing Distribution Lists with NDS
[Diagram: GroupMGR.NLM registers with NDS via RegisterForEvent() to monitor group membership modifications (1. Membership, 2. See also) and pushes changes over TCP/IP to the mail server's popD and ListD.]
NDS Interface to the List Server
- Enabler for collaborative work between faculty and students
- Uses data from the employee system on MVS to keep department NDS groups correct
- Lets users use NWAdmin to administer E-mail lists
- Eliminates the need to make changes in both NDS and the list server
- Ensures that data is correct everywhere
Intranet

Web Serving
- Institutional servers
- Department or group servers
- Organizational page servers
- Personal page servers
- Administrative and student application page servers
NDS Web Security via Windows NT/UNIX/???

Authentication Server

Authentication Server
- Too many userid/password combinations for each user to remember
- Need a central set of secure servers that all systems use for authentication
- Clemson University Personal ID (CUPID)
- Based on the Automatic Userid System (AUS)
- Idea born in an interdepartmental task force
- Production on July 1, 1996
Authentication Server
[Diagram: authentication clients (authC) for Mail, UNIX, Web, Sun, Oracle, mainframe, Windows NT and NetWare. AUTHSERV.NLM runs on intraNetWare Servers A, B and C against NDS; AuthClient instances on MAIL (Solaris, POPd), the Mainframe (MVS, RACF, VTAM onlines), NTServer 4.0 (Website application) and OpenLinux (Apache application) query it. User workstations (Windows 95/NT and Mac) reach those systems through Eudora, TN3270, Netscape and Login.exe.]
Authentication Server
- NetWare Loadable Module (NLM) is multithreaded
- Clients use a common code base
- Clients have built-in failover capability
- Communication based on TCP/IP sockets
- > 90% of successful password checks complete in less than 0.1 seconds
- > 2 million requests serviced by the primary server over a 6 week period (50,000/day)
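The shape of that design, a multithreaded server answering password checks over TCP/IP sockets and a client with built-in failover, as an added example; it is not Clemson's AUTHSERV.NLM or its client library. The one-line text protocol ("CHECK userid password" answered by OK, FAIL or ERR), the port selection and the user database are all assumptions made for this illustration.

```python
"""Authentication-server exchange over TCP sockets with client-side failover.

Added example, not Clemson's AUTHSERV.NLM or its clients.  Wire format,
ports and the user database are assumptions.
"""
import hashlib
import hmac
import os
import socket
import threading
from typing import List, Optional, Tuple


# --- server side --------------------------------------------------------
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed user database: userid -> (salt, hash).  No plaintext is kept.
_SALT = os.urandom(16)
USERS = {"acollin": (_SALT, _hash_password("correct horse", _SALT))}


def handle_request(line: str) -> str:
    """Service one request line.  Only the password check is implemented."""
    parts = line.rstrip("\r\n").split(" ", 2)
    if len(parts) != 3 or parts[0] != "CHECK":
        return "ERR"
    _, userid, password = parts
    entry = USERS.get(userid)
    if entry is None:
        return "FAIL"
    salt, expected = entry
    # constant-time comparison: timing must not reveal how much matched
    ok = hmac.compare_digest(_hash_password(password, salt), expected)
    return "OK" if ok else "FAIL"


def _serve_conn(conn: socket.socket) -> None:
    with conn:
        request = conn.makefile("r").readline()
        conn.sendall((handle_request(request) + "\n").encode())


def _accept_loop(listener: socket.socket) -> None:
    """One thread per connection, mirroring the multithreaded NLM."""
    while True:
        try:
            conn, _ = listener.accept()
        except OSError:
            return                        # listener closed: shut down
        threading.Thread(target=_serve_conn, args=(conn,), daemon=True).start()


def start_server() -> Tuple[socket.socket, int]:
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))       # OS picks a free port
    listener.listen()
    threading.Thread(target=_accept_loop, args=(listener,), daemon=True).start()
    return listener, listener.getsockname()[1]


# --- client side --------------------------------------------------------
class AuthClient:
    """Common client code: try each configured server in order."""

    def __init__(self, servers: List[Tuple[str, int]], timeout: float = 2.0):
        self.servers = servers
        self.timeout = timeout

    def check_password(self, userid: str, password: str) -> Optional[bool]:
        """True/False from the first reachable server; None if all are down."""
        request = f"CHECK {userid} {password}\n".encode()
        for host, port in self.servers:
            try:
                with socket.create_connection((host, port), timeout=self.timeout) as s:
                    s.sendall(request)
                    reply = s.makefile("r").readline().strip()
            except OSError:
                continue                  # dead server: fail over to the next
            return reply == "OK"
        return None


def _dead_port() -> int:
    """A port nothing listens on, to stand in for a crashed server."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo() -> Tuple[Optional[bool], Optional[bool], Optional[bool]]:
    listener, port = start_server()
    dead = ("127.0.0.1", _dead_port())
    client = AuthClient([dead, ("127.0.0.1", port)])   # primary down, secondary up
    results = (client.check_password("acollin", "correct horse"),
               client.check_password("acollin", "wrong"),
               AuthClient([dead]).check_password("acollin", "correct horse"))
    listener.close()
    return results


if __name__ == "__main__":
    print(demo())
```

A client that fails over must still distinguish "all servers unreachable" (None here) from "password rejected" (False); collapsing the two would let an outage look like a bad password, or worse, a bad password look like an outage that some callers might treat as a pass.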
Back to Intranet

NDS Authentication through Windows NT/UNIX/??? to the Web
Application: Employee Information System (EIS)
Type: Web
Server OS: Windows NT 4.0
Server Enabling App: Website/Visual Basic
Using NDS Security Across the Intranet
[Diagram: a Netscape browser on the authenticated client sends a page request to IIS on Windows NT 4.0; a 32-bit DLL (Auth Client) issues CheckEquiv to the Authentication Server (AUTHSERV.NLM), which checks security equivalence in NDS: locate the user object and run the equivalence list.]
AUTHSERV Client Functions
- Password check
- Password change
- Resolve to fully distinguished name
- Check security equivalence
- Return group membership
- Miscellaneous administrative functions
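Three of these client functions, resolve to fully distinguished name (the same lookup a contextless login needs, from the lab slides earlier), check security equivalence (the "locate user object and run equivalence list" step on the previous slide) and return group membership, worked on a toy tree as an added example. This is not Clemson's AUTHSERV client code: the tree, the object names and the attribute names ("equiv" standing in for Security Equal To, "members" for a group's member list) are constructed, and the rule that an object is implicitly equivalent to its parent containers is applied as in NDS.

```python
"""Contextless name resolution and security-equivalence checks on a toy tree.

Added example, not Clemson's AUTHSERV client library.  Tree contents and
attribute names are constructed; FDNs are written leaf first, as in the
deck (.EMPLOYEE.employee.clemsonu).
"""
from typing import Dict, List, Optional, Set

TREE: Dict[str, Dict[str, List[str]]] = {
    ".acollin.a.employee.clemsonu": {"equiv": [".resadmin.groups.employee.clemsonu"]},
    ".jsmith.s.students.clemsonu": {"equiv": []},
    ".jsmith.j.employee.clemsonu": {"equiv": []},     # same CN, other context
    ".resadmin.groups.employee.clemsonu": {
        "equiv": [".admins.groups.employee.clemsonu"],
        "members": [".acollin.a.employee.clemsonu"]},
    ".admins.groups.employee.clemsonu": {
        "equiv": [".resadmin.groups.employee.clemsonu"]},  # deliberate cycle
}


def resolve_fdn(cn: str) -> Optional[str]:
    """Contextless login: find the single object whose common name is cn.
    None means no match or an ambiguous name; the caller must then ask
    for more context rather than guess which object the user meant."""
    hits = [fdn for fdn in TREE if fdn.split(".")[1].lower() == cn.lower()]
    return hits[0] if len(hits) == 1 else None


def implied_containers(fdn: str) -> List[str]:
    """Every parent container of fdn (implicit security equivalence)."""
    parts = fdn.strip(".").split(".")
    return ["." + ".".join(parts[i:]) for i in range(1, len(parts))]


def equivalence_closure(fdn: str) -> Set[str]:
    """Walk the Security Equal To lists transitively.  The visited set both
    avoids repeated work and stops the walk on cyclic equivalences."""
    seen: Set[str] = set()
    stack = [fdn]
    while stack:
        obj = stack.pop()
        if obj in seen or obj not in TREE:
            continue
        seen.add(obj)
        stack.extend(TREE[obj]["equiv"])
    seen.update(implied_containers(fdn))
    return seen


def check_equiv(fdn: str, target: str) -> bool:
    """CheckEquiv: is fdn (transitively) security equivalent to target?"""
    return target in equivalence_closure(fdn)


def group_membership(fdn: str) -> List[str]:
    """Return group membership: groups whose member list names fdn."""
    return sorted(g for g, attrs in TREE.items() if fdn in attrs.get("members", []))


if __name__ == "__main__":
    user = resolve_fdn("acollin")
    print(user, check_equiv(user, ".admins.groups.employee.clemsonu"))
```

The closure walk is the part a web gateway depends on: the DLL on the slide asks one question, "is this user equivalent to the object guarding the page", and the answer has to hold through chains of groups and through cycles without the server looping.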
Authentication Server as an NDS Data Gateway
Application: Call tracking system
Type: Web
Server OS: Windows NT 4.0
Server Enabling App: Website/Visual Basic
[Screenshot: pick list reading Not Assigned, BILL, BROYLES, CCR, DAVE, DAVIDC, DON, JAMBO, YATES.]
Caldera OpenLinux and Apache
- Web gateway to NetWare file system
[Diagram: browsers connect to Caldera OpenLinux, whose AuthC talks to the AuthServer; OpenLinux fronts several NetWare file servers.]
Caldera OpenLinux and Apache
- First attempt to provide web services via Novell made use of Novell’s intraNetWare Web Server 1.0, which simply was not reliable
- Caldera OpenLinux provided robust UNIX connectivity to NDS and supported the industry standard Apache web server
- Out of the box Caldera/Apache did not provide home directory redirection and/or authentication
  - It did however provide the source code needed to make these modifications
Caldera OpenLinux and Apache Modifications
- Added a module that would link Apache’s user directory directive to the user’s Novell home directory
  - Making http://www.clemson.edu/~erich point to EMPLOYED/USR02:\USERS\U20\ERICH\PUBLIC.WWW
- Since Caldera is NDS aware, this also allows us to serve group web sites via their own group servers
Web Interface to Home Directories via AUTHSERV NDS Gateway
http://www.clemson.edu/~acollin
Application: Personal pages
Type: Web
Server OS: Linux
Server Enabling App: Apache/Caldera
Web Interface to Department Pages
Application: Departmental pages
http://dcitnds.clemson.edu/CSO/depts/maint
Type: Web
Server OS: Linux
Server Enabling App: Apache/Caldera
Caldera OpenLinux and Apache Modifications
- Added another module using the previously mentioned Authentication Server routines to provide both user and group authentication
  - Makes use of the standard HTACCESS format with additional Novell directives
Using NDS to Secure Web Pages

    NovellAuth on
    AuthName Novell Tree
    AuthType Basic
    <Limit GET POST>
    require user gmcochr
    require user kellen
    require group .resadmin.groups.employee.clemsonu
    </Limit>
WebAuth: Web Single Sign-On
Only trusted web servers prompt for userid and password and set a cookie in the browser. Other web servers must use the cookie to determine the user.
[Diagram: the web browser on the workstation; a 3rd party web server with the WebAuth client, which redirects (1) to the DCIT trusted web server (2); the trusted server's Auth Client talks to the AuthServ NLM and NDS; the WebAuth NLM provides STORE (used by the trusted server after authentication) and CHECK (used by the 3rd party server to look up the cookie).]
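The STORE/CHECK split on the slide, as an added example of a single sign-on ticket store; this is not Clemson's WebAuth NLM. Only the trusted server, after a successful password check, calls store(); any other server hands the cookie value to check() and learns the userid, never the password. The token format, the lifetime, the injectable clock and the method names are assumptions made for this illustration.

```python
"""WebAuth-style single sign-on ticket store (STORE / CHECK).

Added example, not Clemson's WebAuth NLM.  Token format, lifetime and
API names are assumptions.
"""
import secrets
import time
from typing import Callable, Dict, Optional, Tuple


class WebAuthStore:
    def __init__(self, lifetime_s: float = 8 * 3600,
                 clock: Callable[[], float] = time.time):
        # token -> (userid, expiry time); tokens are opaque to every server
        self._tickets: Dict[str, Tuple[str, float]] = {}
        self.lifetime_s = lifetime_s
        self.clock = clock

    def store(self, userid: str) -> str:
        """Trusted server only: mint an unguessable token for a verified userid."""
        token = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG
        self._tickets[token] = (userid, self.clock() + self.lifetime_s)
        return token                            # goes into the browser cookie

    def check(self, token: str) -> Optional[str]:
        """Any server: map a presented cookie value to a userid, or None."""
        entry = self._tickets.get(token)
        if entry is None:
            return None                         # unknown or forged
        userid, expiry = entry
        if self.clock() >= expiry:
            del self._tickets[token]            # expired: forget it
            return None
        return userid

    def revoke(self, token: str) -> None:
        """Logout: later check() calls for this cookie must fail."""
        self._tickets.pop(token, None)


def demo() -> Tuple[Optional[str], Optional[str], Optional[str], Optional[str]]:
    """Constructed run with a fake clock so expiry is deterministic."""
    now = [1_000_000.0]
    ws = WebAuthStore(lifetime_s=60, clock=lambda: now[0])
    token = ws.store("acollin")                 # trusted server, after AUTHSERV said OK
    at_once = ws.check(token)                   # third-party server: "acollin"
    tampered = token[:-1] + ("A" if token[-1] != "A" else "B")
    forged = ws.check(tampered)                 # None: not a stored token
    now[0] += 61
    expired = ws.check(token)                   # None: past its lifetime
    token2 = ws.store("acollin")
    ws.revoke(token2)
    revoked = ws.check(token2)                  # None: logged out
    return at_once, forged, expired, revoked


if __name__ == "__main__":
    print(demo())
```

Because the cookie is a random lookup key rather than an encoding of the userid, a third-party server cannot mint one, and revocation is a single deletion on the store side; the trusted server is the only place the password ever travels.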
Auditing NDS Connections
- Have not had much luck with standard auditing in 4.x
- Hook login/logout in AUDITLGN.NLM
- Writes easy-to-manipulate log files
- Data logged includes the fully distinguished object name, login time, logout time, and MAC address
- Monitor file server and print server as well as user connections
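What a log with exactly those four fields lets a defender detect, as an added example that is not Clemson's AUDITLGN.NLM or its output format: the record layout (event, time, fully distinguished name, MAC address), the sample lines and the object names are all constructed here. The two checks are the ones those fields make cheap: an object logged in from more than one MAC address at the same time, and sessions that never logged out.

```python
"""Detection over login/logout records of the kind AUDITLGN.NLM writes.

Added example; the record layout and sample lines are constructed, not the
NLM's real format.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed sample log: event, ISO time, fully distinguished name, MAC.
SAMPLE_LOG = """\
LOGIN  1997-05-26T08:01:12 .acollin.a.employee.clemsonu 00-60-08-11-22-33
LOGIN  1997-05-26T08:05:40 .jsmith.s.students.clemsonu 00-00-C0-AA-BB-CC
LOGIN  1997-05-26T08:07:03 .acollin.a.employee.clemsonu 00-a0-24-44-55-66
LOGOUT 1997-05-26T08:40:00 .jsmith.s.students.clemsonu 00-00-C0-AA-BB-CC
LOGOUT 1997-05-26T09:15:21 .acollin.a.employee.clemsonu 00-60-08-11-22-33
LOGIN  1997-05-26T09:20:00 .cu-print-1.dcit.clemsonu 00-60-08-99-88-77
"""

Record = Tuple[str, datetime, str, str]


def parse(log: str) -> List[Record]:
    """One record per non-empty line; MACs normalised to upper case."""
    records: List[Record] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        event, stamp, fdn, mac = line.split()
        records.append((event, datetime.fromisoformat(stamp), fdn, mac.upper()))
    return records


def _replay(records: List[Record]):
    """Yield (event, fdn, mac, open_macs_for_fdn) in time order."""
    open_sessions: Dict[str, Set[str]] = defaultdict(set)
    for event, _, fdn, mac in sorted(records, key=lambda r: r[1]):
        if event == "LOGIN":
            open_sessions[fdn].add(mac)
        elif event == "LOGOUT":
            open_sessions[fdn].discard(mac)
        yield event, fdn, mac, open_sessions[fdn]


def concurrent_multi_mac(records: List[Record]) -> Dict[str, Set[str]]:
    """Objects logged in from two or more MAC addresses at the same time:
    a shared password, a cloned address, or one person at two seats."""
    flagged: Dict[str, Set[str]] = {}
    for event, fdn, _, open_macs in _replay(records):
        if event == "LOGIN" and len(open_macs) > 1:
            flagged.setdefault(fdn, set()).update(open_macs)
    return flagged


def still_logged_in(records: List[Record]) -> Dict[str, List[str]]:
    """Sessions with a LOGIN but no matching LOGOUT.  Server objects stay
    connected by design; a user object here may be a lab seat left open."""
    last_state: Dict[str, Set[str]] = {}
    for _, fdn, _, open_macs in _replay(records):
        last_state[fdn] = set(open_macs)
    return {fdn: sorted(macs) for fdn, macs in last_state.items() if macs}


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print(concurrent_multi_mac(recs))
    print(still_logged_in(recs))
```

Sorting by timestamp before replay matters: the NLM may flush the logout of one session after the login of the next, and a detector that trusts file order would then over-report concurrent sessions.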
Dial-In
- Mostly rely on a contract between users and Internet Service Providers (ISPs) for dial-in access
  - Campus-MCI
- Some PPP connectivity through a Livingston server with Remote Authentication Dial-In User Service (RADIUS) modified to use NDS via the Authentication Server
Dial-In (cont.)
- Attempting to get NetWare/IP deployed this summer for file server connectivity via PPP
- Starting to deploy Dynamic Host Configuration Protocol (DHCP) for dial-in and dorm usage only
Server Growth
- Split user data servers, e.g., StudentD1 and StudentD2
- Common access server for both students and faculty/staff (scratch disk)
- Develop tools for user disk clean up
- Develop more tools to help end users get more out of NDS and the network in general
What We Need
- Web interface to unresolved as well as resolved issues at Novell
- More out of Simple Management Protocol (SMP)
- NDS on Windows NT (no replicas required)
- Help from Novell on resolving “Windows NT Server” marketing-through-documentation issues
What We Need (cont.)
- Code exits in Novell products such as Client 32, RADIUS, FTP server, Web server
- Good performance monitoring (SMP) tools
Questions and Answers