Understanding NDS for Directory-Enabled Solutions

David Condrey, LAN Systems Manager
[email protected]
Clemson University

Jeremy Campbell, Information Resource Consultant
[email protected]
Clemson University

UNITED STATES

Novell Directory Services (NDS) and the Computing Infrastructure
A real world example: Clemson University, Division of Computing and Information Technology
Agenda
- Background on Clemson information systems
- Mission and support structure
- Userid management
- Network design
- Server and network access
- Public access labs
- Printing
- Electronic mail
- Intranet
- Authentication server
- Futures
Background on Clemson Information Systems

Background
- Large systems background
- Strong development shop
- Mainframe and open systems expertise
- Departmental LANs ruled the 90's until Novell Directory Services (NDS)
- NDS populated in Summer 1995 (36,000)
- Departmental LANs gone; more centralized management of the network
- NDS is the centerpiece of security and authentication
Mission and Support Structure

Mission
- Provide computing infrastructure
- Empower users and departments
- Provide guidance in selecting solutions based on industry standards
- Deploy solutions to meet the needs of institutional computing
- Provide user support and training
Defining Groups
- Network services: supports the physical network (routers, hubs, backbone)
- LAN systems: supports application, group, and personal data servers
- Client Support Group (CSG): supports faculty and staff via Technology Support Providers (TSPs)
- Systems Integration Group (SIG): supports students and departmental labs
- Computer resources: assists with user account problems; Division of Computing and Information Technology (DCIT) sponsored
- College consultants: a DCIT sponsored person and college sponsored person(s) that help support the end users of the college
- Technology Support Provider (TSP): supports faculty/staff end users
- Help desk: sponsored by DCIT to assist end users
Support Structure
Support is based on a four tier model.
[Diagram: problems flow through four tiers. Labels shown: faculty, staff and students; TSPs, college consultant and help desk; client support, systems integration and computer resources; LAN systems and network services; resources.]
Server Strategy and Management
- Novell and Windows NT servers maintained by DCIT
- DCIT provides hardware and Network Operating System (NOS)
- DCIT administers backups
- DCIT performs user administration
- Group maintains data and security with the help of a TSP
- Virus protection and software metering

Userid Management

Automatic Userid System (AUS)
[Diagram: Personnel, Admissions and Other sources on MVS feed AUS, which provisions NDS, UNIX and other systems.]
Automating User Maintenance
[Diagram: Personnel, Admissions and Other sources on MVS feed AUS. Old method: FTP transfer and a daily UIMPORT run. Since Summer '97: real-time updates over TCP/IP to USRMAINT.NLM on NDS.]
- Add users
- Modify user attributes
- Delete users
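The add/modify/delete stream above starts with a reconciliation step: compare the authoritative personnel and admissions records with what the directory currently holds and emit only the differences. The following is an added example of that step, not Clemson's AUS or USRMAINT.NLM code; the record layout, the container names and the DN placement rule are assumptions based on the tree design described later in the deck. The same operation list could feed either the real-time path or a daily batch run.

```python
"""Reconciling an authoritative personnel/admissions feed against the
directory, in the spirit of the AUS real-time add/modify/delete path.
Added example, not Clemson's AUS or USRMAINT.NLM code; the record layout,
the container names and the DN placement rule are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed tree layout ("every person has a place"): users sit under a
# per-type container and an A-to-Z sub-container chosen by the userid's
# first letter.
CONTAINER_BY_TYPE = {"employee": "employee", "student": "students"}


@dataclass(frozen=True)
class Person:
    userid: str
    kind: str        # "employee" or "student"
    full_name: str


def place(person: Person) -> str:
    """Distinguished name for a person under the assumed layout."""
    letter = person.userid[0].upper()
    return f".{person.userid}.{letter}.{CONTAINER_BY_TYPE[person.kind]}.clemsonu"


def reconcile(feed: List[Person],
              directory: Dict[str, Person]) -> List[Tuple[str, str, Person]]:
    """Turn an authoritative feed plus the directory's current view into
    ordered (operation, dn, person) tuples: ADD for new people, MODIFY for
    changed attributes, MOVE when the container changes (a student became an
    employee), DELETE for people no longer in the feed.  Deletes come last so
    an object is never removed before its replacement exists."""
    ops: List[Tuple[str, str, Person]] = []
    seen = set()
    for p in feed:
        seen.add(p.userid)
        current = directory.get(p.userid)
        if current is None:
            ops.append(("ADD", place(p), p))
        elif place(current) != place(p):
            ops.append(("MOVE", place(p), p))
        elif current != p:
            ops.append(("MODIFY", place(p), p))
    for userid, stale in directory.items():
        if userid not in seen:
            ops.append(("DELETE", place(stale), stale))
    return ops


def sample_run() -> List[Tuple[str, str, Person]]:
    """Constructed sample: one unchanged person, one renamed, one who moved
    from student to employee, one new student and one who left."""
    directory = {
        "alice": Person("alice", "employee", "Alice Adams"),
        "bob": Person("bob", "employee", "Bob Brown"),
        "carol": Person("carol", "student", "Carol Clark"),
        "dave": Person("dave", "student", "Dave Dunn"),
    }
    feed = [
        Person("alice", "employee", "Alice Adams"),
        Person("bob", "employee", "Robert Brown"),
        Person("carol", "employee", "Carol Clark"),
        Person("erin", "student", "Erin Evans"),
    ]
    return reconcile(feed, directory)


if __name__ == "__main__":
    for op, dn, person in sample_run():
        print(f"{op:7} {dn}  ({person.full_name})")
```

The feed is treated as the only source of truth, which is what makes the daily-versus-real-time choice a matter of latency only: the operations are the same, the real-time path just delivers each one as soon as the source record changes.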
Network Design

Physical Network Design
[Diagram: an FDDI backbone with a T1 link; servers attached over 100BT to a switch.]

Tree Design
[Diagram: ClemsonU root with Users and Organizations.]

Every Person Has a Place
[Diagram: ClemsonU with Students, Misc. and Employee containers, each subdivided A to Z, beside Organizations.]

Every Group Has a Place
[Diagram: ClemsonU with Users and the organizations Athletics, DCIT, CAFLS (Forestry Research, Dean's office) and CES.]

Partition Design
[Diagram: partitions under ClemsonU: Students A, B, ... Z; Employee A, B, ... Z; Athletics; DCIT (CSO, CSG, APS).]
Use Dedicated "ROOT" Servers for NDS Replicas
[Diagram: replica placement. CU-ROOT-1 on the FDDI backbone (ITC) holds the Master of all partitions; CU-ROOT-2 holds R/W replicas of all partitions; CU-ROOT-3 holds R/W replicas of the user partitions "A" to "Z"; group servers on the 100BT switch hold an R/W replica optionally.]
- Distribute network management
Login Script Design
- Based on profile scripts and user scripts
- No container scripts
- Use base profiles: EMPLOYEE, STUDENT
- Base profile includes high level organizational scripts based on membership
- Organizational scripts controlled by TSPs
- Organization scripts may include departmental scripts managed by others

Script Design & Management
[Diagram: script hierarchy. Base profile .EMPLOYEE.employee.clemsonu and group script .GROUPIFS.employee.clemsonu; organizational scripts .AG.cafls.clemsonu and .ENG.ces.clemsonu; departmental scripts .BioE.ces., .Forestry.cafls. and .Civil.ces.; ISALAB; user script.]

Server Timesync Hierarchy
[Diagram: reference server C synchronized from an external source; primary servers A and B; secondary servers D and E.]
Server and Network Resource Access

Personal Storage (User Data Servers)
- Any faculty or staff member, from office, lab, or dial-in: EmployeDn
- Any student, from dorm, lab, or dial-in: StudentDn

Personal Data Server Configuration

                   EmployeD(2)        StudentD(5)
Processor          Dual Pro-200       Pentium II-300
Memory             1024MB             512MB
Disk               90GB (RAID5)       50GB (RAID5)
Replicas           None               None
Home directories   ~11,000            ~25,000
Base quota         100MB              25MB
Collaborative Storage: "Group Servers" (Faculty and Staff)
[Diagram: EmployeD alongside Group Server1 and Group Server2.]

Collaborative Storage: "Applications Servers" (Students)
[Diagram: StudentD alongside Applications Server (N).]

Group/App/Root Server Average Configuration

              Group          App            Root
Processor     Pro-200        P-200          P2-300
Memory        128MB          64MB           384MB
Disk          18GB           9GB            4GB
Replicas      Possible R/W   None           All replicas
Users         25-250 users   25-250 users   250-800 users*

Collaborative Storage (Faculty and Students)
[Diagram: EmployeD, Group server1, App server, StudentD.]
Faculty/Student Collaboration
- Faculty member wants to put data on the network that students can use
- Student submission of work to faculty
- Students collaborate on team projects with assistance from a faculty member
- Students and faculty collaborate on projects or assignments
- Publish web pages as a team or class

Faculty and TSP/Client Support Management
[Diagram: rights on Group Server1 by directory: Read Only, Create Only, Read/Write; Teams are R/W with Tgroups.]

Collaborative Storage and Network Bandwidth
[Diagram: Group Server1.]
Public Access Labs: Home of the Virtual Personal Computer

Outline
- Environment for the Virtual PC (VPC)
- How the current VPC environment evolved
- Mechanics of the VPC: setting up the computer, boot time, login and login script, user profiles
- Software involved
- Future directions

Standard Lab
- Standard set of applications
- Standard operating system
- Standard context-less login
- Standard drive mappings
- Standard hard drive contents
The Environment as Seen by the Machine
[Diagram: the lab machine sees a local hard drive, a local printer, the StudentDn server and an app server.]

Goals of the Virtual PC Paradigm
- Easy maintenance
- Provide global access to password protected network disk space
- Allow user to customize his desktop
- Same environment ("look and feel") regardless of location, hardware, or facility ownership

Evolution
- Pre-NetWare
- Windows 3.11 under NetWare
- Windows 95 under NetWare

How It Happens to the User
VPC = a series of software manipulations triggered by user login and logout.
[Diagram: StudentDn]
Constructing the Machine
- The rebuild disk: REBUILD <location> <pctype> {options}
- VLM Client allows it all on one floppy

Boot Time Events
- Location, PC type, "ISALAB", and other environment variables
- Some registry updates to ensure default desktop appearance and server failover keys

Contextless Login
- Can't teach end users what a context is
- Using a commercial product because we needed an immediate solution

The Login Script
- Perform some basic actions
- Perform group-specific actions
- Perform lab actions
- Load profile
Isitcool: Failover Applications Server Attachment
[Diagram: a lab workstation, the ISITCOOL NLM on Applications Server(1), Applications Server(2) ... Applications Server(n), and the workstation disk image of applications.]
1. Using IP, get info from the primary app server's Isitcool. (Isitcool? YES!/NO!)
2. If attach failure or Isitcool reports no, try the next server.
3. Attach to server using the NetWare client.
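The three steps above amount to a small selection loop: probe, fall through on any negative or failed answer, attach. The following is an added example of that loop, not the ISITCOOL.NLM or workstation code; the probe's wire format (a single-line YES/NO reply over TCP), the server names and the injected health results are assumptions. An unreachable server is treated the same as a "no", so a dead server can never block the lab.

```python
"""Failover selection of an applications server, following the ISITCOOL
flow: ask each server whether it is "cool" over IP, and on a "no", an
unreachable server or an attach failure move on to the next.  Added
example, not the ISITCOOL.NLM or workstation code; the probe's wire format
and the server names are assumptions."""
import socket
from typing import Callable, Dict, Iterable, Optional, Set


class AttachError(Exception):
    """Raised when the NetWare attach to a chosen server fails."""


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> Optional[bool]:
    """Assumed ISITCOOL query: connect, read one line, YES means cool.
    Returns None when the server cannot be reached; callers treat that as NO."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            reply = s.makefile("r").readline().strip().upper()
            return reply == "YES"
    except OSError:
        return None


def choose_server(servers: Iterable[str],
                  is_it_cool: Callable[[str], Optional[bool]],
                  attach: Callable[[str], None]) -> Optional[str]:
    """Return the first server that reports cool and accepts the attach.
    Step 1 of the slide is is_it_cool(), step 2 is the fall-through on NO or
    failure, step 3 is attach(); None means the whole list was exhausted."""
    for server in servers:
        try:
            cool = is_it_cool(server)
        except OSError:
            cool = None
        if not cool:
            continue                       # step 2: try the next server
        try:
            attach(server)                 # step 3: NetWare client attach
        except AttachError:
            continue
        return server
    return None


def demo(health: Dict[str, Optional[bool]], attach_fails: Set[str]) -> Optional[str]:
    """Constructed lab with three candidate servers; health and attach results
    are injected so the selection logic can be exercised offline."""
    order = ["APPS1", "APPS2", "APPS3"]

    def probe(name: str) -> Optional[bool]:
        return health.get(name)

    def attach(name: str) -> None:
        if name in attach_fails:
            raise AttachError(name)

    return choose_server(order, probe, attach)


if __name__ == "__main__":
    print(demo({"APPS1": False, "APPS2": True, "APPS3": True}, set()))
```

Because the probe and the attach are separate steps, a server that answers YES but then refuses the attach is still skipped, which is the case the slide's "attach failure" branch exists for.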
Loading the Profile
- PC-Rdist is called by the login script
- PC-Rdist imports user registry keys from the directory mapped to drive U:
- First-time lab users get setup
- Printers

Special Mappings and Events
- Mapping shared disk: most done by login scripts
- Novell Application Launcher (NAL) will eventually be doing most special mappings
Logout
- Logout and shutdown: export user registry, perform maintenance
- Logout only: export user registry

Problems
- Present implementation not easily scaled
- DCIT lab support must do all software installs
- DCIT lab support must handle all initial lab setup operations
- If present trends continue, labs of computers will be replaced by labs of network jacks
- Image must live in the login directory (not protected)
- Metering

Summary of Novell Components
- NetWare
- Client 32 (intraNetWare client)
- NAL
- VLM client
- Novell Replication Services (testing)
Summary of Third-Party Products
- SofTrack
- PC-Rdist and TrapSD: need a NetWare client with integrated profile handling and event hooks
- SFLOGIN
- NWCopy
- PCOUNTER: need better auditing tools

Clemson University Products
- cumap
- isitcool
- datacool
- editreg/patch95
- editini
- difrator/TED (in development)
- labstats (in re-development)

Future Directions for Us
- Departmental software (hardware?) installations
- Remote control of workstation
- Queuing users waiting for a computer
- Move from lab to laptop
Printing

Printing Strategy
- All shared printers are network attached, supporting only the IPX protocol (HP JetDirect)
- All printer access is controlled through NDS print queues
- UNIX print services make any print queue available to UNIX/Multiple Virtual Storage (MVS)/??? hosts using standard Line Printer Daemon (LPR/LPD) protocols
- UNIX print services also make high speed institutional printers on MVS available to both NetWare and UNIX users/applications
Printing Strategy
[Diagram: NDS print queues (Q) serve PC and Mac clients; an OS/390 host, UNIX hosts and other (???) hosts reach the queues through a print gateway.]

NDS Design for Printing
[Diagram: clemsonu tree with Employees and Students containers (A, B, ...), each holding a Printers container; print devices (PrtDev) and organizational containers CAFLS, CES (Civil), Poole, Library, ITC, ...]
Electronic Mail

Electronic Mail Server
- Based on Sun Solaris
- No user accounts required on Solaris
- Server software developed at Clemson
- Multiple recipients/one copy of message
- Server based on Post Office Protocol/Multipurpose Internet Mail Extensions (POP/MIME) Internet standard protocols
- Internet Messaging Access Protocol 4 (IMAP 4) coming?
- Eudora site license purchased by DCIT
- List server gaining widespread acceptance and use
- Class/section list automated
Mail Server
[Diagram: the mail server runs popD and ListD; POP clients (POPc) on the mainframe, UNIX, Mac, DOS, Windows, OS/2 and other platforms connect to it.]

Mail Server: Statistics

Category                                      1995    1996    1997*
Daily average POP connections                 14K     46K     85K
Daily average messages retrieved from server  13K     36K     62K
Average messages sent using server per day    27K     48K     92K

*based on partial year statistics through May 26, 1997
Automated Distribution Lists
[Diagram: ListMGR on MVS OS/390 takes class rolls and department data and feeds popD/ListD on the mail server over TCP/IP.]

Automated NDS Group Membership
[Diagram: ListMGR on MVS OS/390 feeds class rolls and departments over TCP/IP both to popD/ListD on the mail server and to the GroupMGR NLM on NDS.]
Student Interface to Collaborative Storage
- Use DMOs along with a graphical tool to have users select and map network resources to make them available

Managing Distribution Lists with NDS
[Diagram: GroupMGR.NLM on NDS exchanges data with popD/ListD on the mail server over TCP/IP; it reads the group's 1. Membership and 2. See also attributes and monitors group membership modifications via RegisterForEvent().]

NDS Interface to the List Server
- Enabler for collaborative work between faculty and students
- Uses data from the employee system on MVS to keep department NDS groups correct
- Lets users use NWAdmin to administer e-mail lists
- Eliminates the need to make changes in both NDS and the list server
- Ensures that data is correct everywhere
Intranet

Web Serving
- Institutional servers
- Department or group servers
- Organizational page servers
- Personal page servers
- Administrative and student application page servers

NDS Web Security via Windows NT/UNIX/???

Authentication Server
- Too many userid/password combinations for each user to remember
- Need a central set of secure servers that all systems use for authentication
- Clemson University Personal ID (CUPID): based on the Automatic Userid System (AUS)
- Idea born in an interdepartmental task force
- Production on July 1, 1996
Authentication Server
[Diagram: deployment. AUTHSERV.NLM runs on intraNetWare Servers A, B and C, each with NDS. Authentication clients (authC/AuthClient) run on MAIL (Solaris) for POPd; on the Mainframe (MVS) for RACF and VTAM onlines; on NTServer (4.0) applications; on OpenLinux for Website/Apache; and on Oracle, Sun, UNIX, Web and Windows NT systems. User workstations (Windows 95/NT and Mac) run Eudora, TN3270, Netscape and Login.exe against those services.]
Authentication Server
- NetWare Loadable Module (NLM) is multithreaded
- Clients use a common code base
- Clients have built-in failover capability
- Communication based on TCP/IP sockets
- > 90% of successful password checks complete in less than 0.1 seconds
- > 2 million requests serviced by the primary server over a 6 week period (50,000/day)
Back to Intranet

NDS Authentication through Windows NT/UNIX/??? to the Web
- Application: Employee Information System (EIS)
- Type: Web
- Server OS: Windows NT 4.0
- Server Enabling App: Website/Visual Basic
Using NDS Security Across the Intranet
[Diagram: a Netscape page request reaches IIS on NT 4.0; a 32-bit DLL (CheckEquiv) calls the Auth Client, which asks the Authentication Server (AUTHSERV.NLM) to check security equivalence; the server locates the user object in NDS and runs its equivalence list; the client is then authenticated to the server.]

AUTHSERV Client Functions
- Password check
- Password change
- Resolve to fully distinguished name
- Check security equivalence
- Return group membership
- Miscellaneous administrative functions
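The authentication server slides describe a multithreaded NLM reached over TCP/IP sockets by clients that share one code base and fail over between servers, and the list above names the functions those clients call. The following is an added example that puts both together in one runnable service, not the AUTHSERV.NLM or AuthClient code: the one-line request/one-line reply wire format, the PBKDF2 password storage and the constructed directory are this example's own assumptions. Password change and the administrative functions are left out.

```python
"""Authentication service in the shape of the AUTHSERV design: a
multithreaded TCP server answering the client functions listed above and a
common client with failover between servers.  Added example, not the
AUTHSERV.NLM or AuthClient code; the one-line request/reply wire format,
PBKDF2 password storage and the constructed directory are assumptions."""
import hashlib
import hmac
import os
import socket
import socketserver
import threading
from typing import Dict, List, Optional, Set, Tuple

ITERATIONS = 20_000  # assumed; keeps one check well under 0.1 s


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class Directory:
    """Constructed stand-in for the NDS data the server consults."""

    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}
        self.groups: Dict[str, Set[str]] = {}
        self._dummy_salt = os.urandom(16)

    def add_user(self, userid: str, dn: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[userid] = {"dn": dn, "salt": salt, "hash": _hash(password, salt)}

    def add_group(self, group_dn: str, members: List[str]) -> None:
        self.groups[group_dn] = set(members)

    def handle(self, line: str) -> str:
        """One request line in, one reply line out."""
        parts = line.strip().split(" ", 2)
        cmd = parts[0].upper()
        userid = parts[1] if len(parts) > 1 else ""
        arg = parts[2] if len(parts) > 2 else ""
        user = self.users.get(userid)
        if cmd == "PWCHECK":
            # Unknown userids get the same hashing work and the same FAIL as
            # a wrong password, so replies do not reveal which userids exist.
            digest = _hash(arg, user["salt"] if user else self._dummy_salt)
            ok = user is not None and hmac.compare_digest(digest, user["hash"])
            return "OK" if ok else "FAIL"
        if user is None:
            return "ERR nouser"
        if cmd == "RESOLVE":
            return "OK " + user["dn"]
        if cmd == "GROUPS":
            return "OK " + ",".join(sorted(g for g, m in self.groups.items() if userid in m))
        if cmd == "CHECKEQUIV":
            return "OK" if userid in self.groups.get(arg, set()) else "FAIL"
        return "ERR badcmd"


class _Handler(socketserver.StreamRequestHandler):
    def handle(self) -> None:
        line = self.rfile.readline().decode("utf-8", "replace")
        reply = self.server.directory.handle(line)  # type: ignore[attr-defined]
        self.wfile.write((reply + "\n").encode())


class AuthServer(socketserver.ThreadingTCPServer):
    """One thread per request, like the multithreaded NLM."""
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, directory: Directory, addr=("127.0.0.1", 0)) -> None:
        super().__init__(addr, _Handler)
        self.directory = directory


class AuthClient:
    """Common client code with built-in failover: first server to answer wins."""

    def __init__(self, servers: List[Tuple[str, int]], timeout: float = 1.0) -> None:
        self.servers, self.timeout = servers, timeout

    def request(self, line: str) -> Optional[str]:
        for host, port in self.servers:
            try:
                with socket.create_connection((host, port), timeout=self.timeout) as s:
                    s.sendall((line + "\n").encode())
                    return s.makefile("r").readline().strip()
            except OSError:
                continue  # this server is down or unreachable: try the next
        return None

    def password_check(self, userid: str, password: str) -> bool:
        return self.request(f"PWCHECK {userid} {password}") == "OK"

    def resolve(self, userid: str) -> Optional[str]:
        r = self.request(f"RESOLVE {userid}")
        return r[3:] if r and r.startswith("OK ") else None

    def check_equiv(self, userid: str, group_dn: str) -> bool:
        return self.request(f"CHECKEQUIV {userid} {group_dn}") == "OK"

    def groups(self, userid: str) -> List[str]:
        r = self.request(f"GROUPS {userid}")
        return r[3:].split(",") if r and len(r) > 3 and r.startswith("OK ") else []


def start_demo() -> Tuple[AuthServer, AuthClient]:
    """Constructed directory, live server on an ephemeral port, and a client
    whose first entry is a dead port so the failover path is exercised."""
    d = Directory()
    d.add_user("alice", ".alice.A.employee.clemsonu", "correct-horse")
    d.add_group(".resadmin.groups.employee.clemsonu", ["alice"])
    server = AuthServer(d)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, AuthClient([("127.0.0.1", 1), server.server_address])
```

Two design points carry over from the slides: the client owns the server list and walks it in order, so every application gets failover without writing any of its own; and the password check is the one call that must answer uniformly for unknown and wrong-password cases, which is why it does the same hashing work either way. Nothing here protects the socket itself; a deployment of this shape needs the transport wrapped (TLS or equivalent) since the password travels in the request line.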
Authentication Server as an NDS Data Gateway
- Application: Call tracking system
- Type: Web
- Server OS: Windows NT 4.0
- Server Enabling App: Website/Visual Basic
[Screenshot: assignee selection list populated from NDS: Not Assigned, BILL, BROYLES, CCR, DAVE, DAVIDC, DON, JAMBO, YATES]
Caldera OpenLinux and Apache
- Web gateway to NetWare file system
[Diagram: browsers reach Caldera OpenLinux running Apache; it authenticates through AuthC to the AuthServer and serves content from the NetWare file servers.]
Caldera OpenLinux and Apache
- First attempt to provide web services via Novell made use of Novell's intraNetWare Web Server 1.0, which simply was not reliable
- Caldera OpenLinux provided robust UNIX connectivity to NDS and supported the industry standard Apache web server
- Out of the box, Caldera/Apache did not provide home directory redirection and/or authentication; it did, however, provide the source code needed to make these modifications

Caldera OpenLinux and Apache Modifications
- Added a module that would link Apache's user directory directive to the user's Novell home directory, making http://www.clemson.edu/~erich point to EMPLOYED/USR02:\USERS\U20\ERICH\PUBLIC.WWW
- Since Caldera is NDS aware, this also allows us to serve group web sites via their own group servers

Web Interface to Home Directories via AUTHSERV NDS Gateway
- http://www.clemson.edu/~acollin
- Application: Personal pages
- Type: Web
- Server OS: Linux
- Server Enabling App: Apache/Caldera

Web Interface to Department Pages
- Application: Departmental pages (http://dcitnds.clemson.edu/CSO/depts/maint)
- Type: Web
- Server OS: Linux
- Server Enabling App: Apache/Caldera

Caldera OpenLinux and Apache Modifications
- Added another module using the previously mentioned Authentication Server routines to provide both user and group authentication
- Makes use of the standard HTACCESS format with additional Novell directives
Using NDS to Secure Web Pages

    NovellAuth on
    AuthName Novell Tree
    AuthType Basic
    <Limit GET POST>
    require user gmcochr
    require user kellen
    require group .resadmin.groups.employee.clemsonu
    </Limit>
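To show how a block like the one above turns into an access decision, here is an added example that parses it and evaluates a request against it. It is not the Clemson Apache module; it assumes `require user` is satisfied by an exact userid match and `require group` by membership returned from a caller-supplied lookup (the Authentication Server's group-membership function in the deployment described earlier), and it uses the page's own snippet as the sample configuration. It also reproduces the standard `<Limit>` semantics: only the listed methods are guarded by the `require` lines, so a method that is not listed falls outside them. That is the caveat to keep in mind when protecting a page this way.

```python
"""Evaluating an HTACCESS-style block with the Novell directives shown on the
slide.  Added example, not the Clemson Apache module; 'require user' means an
exact userid match and 'require group' means membership from a supplied
lookup (the Authentication Server's group function in the real deployment).
The sample config is the page's own snippet."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

SAMPLE_HTACCESS = """\
NovellAuth on
AuthName Novell Tree
AuthType Basic
<Limit GET POST>
require user gmcochr
require user kellen
require group .resadmin.groups.employee.clemsonu
</Limit>
"""


@dataclass
class AccessConfig:
    directives: Dict[str, str] = field(default_factory=dict)
    # method -> [(kind, name)] for every require line inside a <Limit> naming it
    limits: Dict[str, List[Tuple[str, str]]] = field(default_factory=dict)


def parse_htaccess(text: str) -> AccessConfig:
    """Parse top-level directives and <Limit ...> blocks of 'require' lines."""
    cfg = AccessConfig()
    methods: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<Limit\s+(.+?)>", line, re.I)
        if m:
            methods = [x.upper() for x in m.group(1).split()]
            for meth in methods:
                cfg.limits.setdefault(meth, [])
            continue
        if line.lower() == "</limit>":
            methods = []
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "require" and methods:
            kind, _, name = value.strip().partition(" ")
            for meth in methods:
                cfg.limits[meth].append((kind.lower(), name.strip()))
        else:
            cfg.directives[key] = value.strip()
    return cfg


def authorize(cfg: AccessConfig, method: str, userid: str,
              groups_of: Callable[[str], Set[str]]) -> bool:
    """Allow when any require line for the method matches.  A method that no
    <Limit> names is not restricted by those lines (standard <Limit>
    behaviour), which is why every method you mean to guard must be listed."""
    rules = cfg.limits.get(method.upper())
    if rules is None:
        return True
    for kind, name in rules:
        if kind == "user" and name == userid:
            return True
        if kind == "group" and name in groups_of(userid):
            return True
    return False


def constructed_groups(userid: str) -> Set[str]:
    """Stand-in for the group-membership call to the Authentication Server."""
    return {"bob": {".resadmin.groups.employee.clemsonu"}}.get(userid, set())


if __name__ == "__main__":
    cfg = parse_htaccess(SAMPLE_HTACCESS)
    for method, user in [("GET", "gmcochr"), ("GET", "bob"), ("GET", "mallory"), ("PUT", "mallory")]:
        print(method, user, authorize(cfg, method, user, constructed_groups))
```

The group lookup is injected rather than built in because that is exactly the seam the slides put the Authentication Server behind: the web server never holds group data, it asks for it per request.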
WebAuth: Web Single Sign-On
Only trusted web servers prompt for userid/password and set a cookie in the browser. Other web servers must use the cookie to determine the user.
[Diagram: a workstation's web browser (1) requests a page from a third-party web server running the WebAuth client; without a valid cookie it is redirected to the trusted DCIT web server, which prompts for credentials, verifies them through the authentication client against the AuthServ NLM and NDS, and STOREs the session with the WebAuth NLM before setting the cookie. The browser (2) returns to the third-party server, which CHECKs the cookie with the WebAuth NLM.]
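The STORE and CHECK arrows in the diagram are the whole of the trust model: a third-party server never sees a password and never decides on its own what a cookie means; it hands the cookie value to the WebAuth service and gets back a user or nothing. The following is an added example of that flow, not the WebAuth NLM or WebAuth client code; the token format, the session lifetime, the cookie name and the in-memory store are assumptions, and the password check is a constructed stand-in for the auth client call.

```python
"""Web single sign-on in the shape of the WebAuth flow: a trusted server
authenticates the user and STOREs a session with the WebAuth service, then
sets the session id as a cookie; a third-party server only CHECKs the cookie
value with the service.  Added example, not the WebAuth NLM or client code;
token format, lifetime, cookie name and in-memory store are assumptions."""
import secrets
import time
from typing import Callable, Dict, Optional, Tuple


class WebAuthStore:
    """The STORE / CHECK service.  Tokens are random, so a third party cannot
    forge one; they expire, and logout revokes them."""

    def __init__(self, lifetime_s: int = 8 * 3600,
                 clock: Callable[[], float] = time.time) -> None:
        self.lifetime_s = lifetime_s
        self.clock = clock
        self._sessions: Dict[str, Tuple[str, float]] = {}   # token -> (user_dn, expiry)

    def store(self, user_dn: str) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user_dn, self.clock() + self.lifetime_s)
        return token

    def check(self, token: Optional[str]) -> Optional[str]:
        if not token or token not in self._sessions:
            return None
        user_dn, expiry = self._sessions[token]
        if self.clock() >= expiry:
            del self._sessions[token]
            return None
        return user_dn

    def revoke(self, token: str) -> None:
        self._sessions.pop(token, None)


class TrustedServer:
    """Only this server prompts for userid/password and sets the cookie."""

    def __init__(self, store: WebAuthStore,
                 password_check: Callable[[str, str], Optional[str]]) -> None:
        self.store, self.password_check = store, password_check

    def login(self, userid: str, password: str) -> Optional[Dict[str, str]]:
        user_dn = self.password_check(userid, password)   # auth client call
        if user_dn is None:
            return None
        return {"WEBAUTH": self.store.store(user_dn)}     # cookie to set


class ThirdPartyServer:
    """Reads the cookie, asks the WebAuth service, and either serves the page
    or redirects the browser to the trusted server."""

    def __init__(self, store: WebAuthStore, login_url: str) -> None:
        self.store, self.login_url = store, login_url

    def handle(self, cookies: Dict[str, str]) -> str:
        user_dn = self.store.check(cookies.get("WEBAUTH"))
        if user_dn is None:
            return "302 " + self.login_url
        return "200 hello " + user_dn


def constructed_password_check(userid: str, password: str) -> Optional[str]:
    """Stand-in for the auth client's password check plus resolve-to-DN."""
    if (userid, password) == ("alice", "correct-horse"):
        return ".alice.A.employee.clemsonu"
    return None


if __name__ == "__main__":
    store = WebAuthStore()
    trusted = TrustedServer(store, constructed_password_check)
    third = ThirdPartyServer(store, "https://login.example/")
    print(third.handle({}))
    cookies = trusted.login("alice", "correct-horse")
    print(third.handle(cookies))
```

Because the cookie carries only an opaque random token, the user identity lives in the store and not in the browser; a third-party server that tried to read a userid out of the cookie itself would have nothing to read, which is the property that lets untrusted servers participate without being trusted with credentials.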
Auditing NDS Connections
- Have not had much luck with standard auditing in 4.x
- Hook login/logout in AUDITLGN.NLM
- Writes easy to manipulate log files
- Data logged includes fully distinguished object name, login time, logout time, and MAC address
- Monitor file server and print server as well as user connections
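The value of a log like the one described above comes from what you do with the four fields. The following is an added example of the kind of processing that makes them useful, not AUDITLGN.NLM or Clemson's log format; the line layout and the sample lines are constructed. It pairs logins with logouts per object and MAC address, lists sessions still open, and flags an object that was logged in from two MAC addresses at the same time, which is worth a look whether it turns out to be a shared account or a session someone walked away from. The MAC address is a hint, not proof, since it is set by the workstation.

```python
"""Working with login/logout records of the kind the AUDITLGN.NLM slide
describes (fully distinguished object name, login time, logout time, MAC
address) for user, file server and print server connections.  Added example,
not the NLM or Clemson's log format; the line layout and sample lines are
constructed."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional, Tuple

SAMPLE_LOG = """\
1997-05-26 08:01:12 USER LOGIN .alice.A.employee.clemsonu 00-60-08-1A-2B-3C
1997-05-26 08:03:40 USER LOGIN .bob.B.students.clemsonu 00-60-08-4D-5E-6F
1997-05-26 08:10:05 SERVER LOGIN .CU-ROOT-1.dcit.clemsonu 00-A0-24-11-22-33
1997-05-26 08:15:00 USER LOGIN .alice.A.employee.clemsonu 00-C0-4F-77-88-99
1997-05-26 08:20:30 USER LOGOUT .alice.A.employee.clemsonu 00-60-08-1A-2B-3C
1997-05-26 08:45:00 USER LOGOUT .alice.A.employee.clemsonu 00-C0-4F-77-88-99
1997-05-26 09:00:00 PRINTSERVER LOGIN .PS-POOLE.ces.clemsonu 00-60-B0-AA-BB-CC
"""


class Event(NamedTuple):
    when: datetime
    kind: str        # USER, SERVER or PRINTSERVER connection
    action: str      # LOGIN or LOGOUT
    dn: str          # fully distinguished object name
    mac: str


class Session(NamedTuple):
    dn: str
    mac: str
    login: datetime
    logout: Optional[datetime]   # None while still connected


def parse(text: str) -> List[Event]:
    """One event per non-empty line of the constructed format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, kind, action, dn, mac = line.split()
        events.append(Event(datetime.fromisoformat(f"{date} {clock}"), kind, action, dn, mac.upper()))
    return events


def sessions(events: List[Event]) -> List[Session]:
    """Pair each LOGIN with the next LOGOUT for the same (dn, mac); logins
    without a logout are reported as open sessions."""
    open_: Dict[Tuple[str, str], datetime] = {}
    out: List[Session] = []
    for ev in sorted(events, key=lambda e: e.when):
        key = (ev.dn, ev.mac)
        if ev.action == "LOGIN":
            open_[key] = ev.when
        elif ev.action == "LOGOUT" and key in open_:
            out.append(Session(ev.dn, ev.mac, open_.pop(key), ev.when))
    out.extend(Session(dn, mac, start, None) for (dn, mac), start in open_.items())
    return out


def concurrent_macs(sess: List[Session]) -> List[Tuple[str, str, str]]:
    """(dn, mac1, mac2) for each object with overlapping sessions on two MACs."""
    by_dn: Dict[str, List[Session]] = defaultdict(list)
    for s in sess:
        by_dn[s.dn].append(s)
    hits = []
    far = datetime.max   # an open session overlaps everything after its login
    for dn, group in by_dn.items():
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if a.mac != b.mac and a.login < (b.logout or far) and b.login < (a.logout or far):
                    hits.append((dn, a.mac, b.mac))
    return hits


if __name__ == "__main__":
    sess = sessions(parse(SAMPLE_LOG))
    for s in sess:
        print(s.dn, s.mac, s.login.time(), s.logout.time() if s.logout else "open")
    print("concurrent:", concurrent_macs(sess))
```

Keying sessions on (object, MAC) rather than object alone is what lets the same user's two workstations be told apart; the server and print server connections ride along in the same structure, so an unexpected second "server" login for a root server would surface in the same report.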
Dial-In
- Mostly rely on a contract between users and Internet Service Providers (ISPs) for dial-in access (Campus-MCI)
- Some PPP connectivity through a Livingston server with Remote Authentication Dial-In User Service (RADIUS) modified to use NDS via the Authentication Server
- Attempting to get NetWare/IP deployed this summer for file server connectivity via PPP
- Starting to deploy Dynamic Host Configuration Protocol (DHCP) for dial-in and dorm usage only
Server Growth
- Split user data servers, e.g., StudentD1 and StudentD2
- Common access server for both students and faculty/staff (scratch disk)
- Develop tools for user disk clean up
- Develop more tools to help end users get more out of NDS and the network in general

What We Need
- Web interface to unresolved as well as resolved issues at Novell
- More out of Simple Management Protocol (SMP)
- NDS on Windows NT (no replicas required)
- Help from Novell on resolving "Windows NT Server" marketing-through-documentation issues
- Code exits in Novell products such as Client 32, RADIUS, FTP server, Web server
- Good performance monitoring (SMP) tools
Questions and Answers