UNITED STATES

UNITED STATES

Understanding NDS forDirectory-Enabled Solutions

Understanding NDS forDirectory-Enabled Solutions

David Condrey, LAN Systems Managerdavidc@clemson.eduClemson University

Jeremy Campbell, Information Resource Consultantjerm@clemson.eduClemson University

UNITED STATES

Novell Directory Services (NDS) and the Computing Infrastructure Novell Directory Services (NDS)

and the Computing Infrastructure

A real world example:

Division of Computing and Information Technology

CLEMSONU N I V E R S I T Y

UNITED STATES

AgendaAgenda

Background on Clemson information systems

Mission and support structure

Userid management Network design Server and network

access Public access labs

Printing Electronic mail Intranet Authentication server Futures

UNITED STATES

Background onClemson Information Systems

Background onClemson Information Systems

UNITED STATES

BackgroundBackground Large systems background Strong development shop Mainframe and open systems expertise Departmental LANs ruled 90’s until Novell

Directory Services (NDS) NDS populated in Summer 1995 (36,000) Departmental LANs gone—more centralized

management of the network NDS is centerpiece of security and authentication

UNITED STATES

Mission and Support StructureMission and Support Structure

UNITED STATES

MissionMission

Provide computing infrastructure Empower users and departments Provide guidance in selecting solutions based

on industry standards Deploy solutions to meet the needs of

institutional computing Provide user support and training

UNITED STATES

Defining GroupsDefining Groups

Network services Supports the physical network (routers, hubs,

backbone)

LAN systems Supports application, group, and personal data

servers

Client Support Group (CSG) Supports faculty and staff via Technology

Support Providers (TSPs)

UNITED STATES

Defining Groups (cont.)Defining Groups (cont.)

Systems Integration Group (SIG) Supports students and departmental labs

Computer resources Assists with user account problems

Division of Computing and Information Technology (DCIT) sponsored

College consultants DCIT sponsored person and college sponsored

person(s) that help support the end users of the college

UNITED STATES

Defining Groups (cont.)Defining Groups (cont.)

Technology Support Provider (TSP) Supports faculty/staff end users

Help desk Sponsored by DCIT to assist end users

UNITED STATES

Support StructureSupport Structure Support is based on a four tier model

Problems

Resources

LANsystems

Networkservices

1Faculty

Staff

Students

4TSPs

Help desk

3

Collegeconsultant

Clientsupport

Systemsintegration

2Computerresources

UNITED STATES

Server Strategy and ManagementServer Strategy and Management

Novell and Windows NT servers maintained by DCIT

DCIT provides hardware and Network Operating System (NOS)

DCIT administers backups DCIT performs user administration Group maintains data and security with help

of a TSP Virus protection and software metering

UNITED STATES

Userid ManagementUserid Management

UNITED STATES

Automatic Userid System (AUS)Automatic Userid System (AUS)

AUS MVS

UNIX

NDS

Personnel AdmissionsOther

Other

UNITED STATES

Automating User MaintenanceAutomating User Maintenance

MVS Old Method

Daily UIMPORT run

Summer ’97

USRMAINT.NLM

FTP

TCP/IPReal-time

NDS

Add usersModify user attributesDelete users

Personnel AdmissionsOther

AUS

UNITED STATES

Network DesignNetwork Design

Physical Network DesignPhysical Network Design

100BTSwitch

FDDI

ServerServer Server

Server

Server

Server

Server

100BT

T1

UNITED STATES

Tree DesignTree Design

U sers O rg an iza tion s

C lem son U

Every Person Has a PlaceEvery Person Has a Place

to ZA ZA to ZA

Students Misc. Employee Organizations

ClemsonU

to

Every Group Has a PlaceEvery Group Has a Place

Users Athletics DCIT

Forestry Research Dean's office

CAFLS CES

ClemsonU

Partition DesignPartition Design

A

Students Employee Athletics

CSO CSG APS

DCIT

A BZ ZB

ClemsonU

Use Dedicated “ROOT” Servers forNDS Replicas

Use Dedicated “ROOT” Servers forNDS Replicas

CU-ROOT-3

100BTSwitch

CU-ROOT-1

CU-ROOT-2

(ITC)

Masterfor all

R/W for all

R/W for users“A” to “Z”

Group Server

R/W optional

FDDI

Distribute Network ManagementDistribute Network Management

UNITED STATES

Login Script DesignLogin Script Design Based on profile scripts and user scripts No container scripts Use base profiles

EMPLOYEE STUDENT

Base profile includes high level organizational scripts based on membership

Organizational scripts controlled by TSPs Organization scripts may include departmental

scripts managed by others

UNITED STATES

Script Design & ManagementScript Design & Management

.EMPLOYEE.employee.clemsonu

.ENG.ces.clemsonu

.BioE.ces.

ISALAB

.Civil.ces.

.AG.cafls.clemsonu

.Forestry.cafls.

.GROUPIFS.employee.clemsonu

User Script

UNITED STATES

Server Timesync HierarchyServer Timesync Hierarchy

ServerC

Ref

ServerA

Prim

ServerB

Prim

ServerD

Secon

ServerE

Secon

Externalsource

UNITED STATES

Server and Network Resource AccessServer and Network Resource Access

UNITED STATES

Personal Storage (User Data Servers)Personal Storage

(User Data Servers)

EmployeDn

Any faculty or staff member

Any student

Office, lab, or dial-in

Dorm, lab, or dial-in

StudentDn

UNITED STATES

Personal Data Server Configuration

Personal Data Server Configuration

EmployeD(2) StudentD(5)

Processor Dual Pro–200 Pentium II–300

Memory 1024MB 512MB

Disk 90GB (RAID5) 50GB (RAID5)

Replicas None None

Homedirectories

~11,000 ~25,000

Base quota 100MB 25MB

UNITED STATES

Collaborative Storage—“Group Servers” (Faculty and Staff)

Collaborative Storage—“Group Servers” (Faculty and Staff)

Group Server2

EmployeD

Group Server1

UNITED STATES

Collaborative Storage— “Applications Servers” (Students)

Collaborative Storage— “Applications Servers” (Students)

StudentD

Applications Server (N)

UNITED STATES

Group/App/Root Server Average Configuration

Group/App/Root Server Average Configuration

Group App Root

Pro-200 P-200 P2-300

128MB 64MB 384MB

18GB 9GB 4GB

Possible R/W None All replicas

25–250 users 25–250 users 250–800 users*

UNITED STATES

Collaborative Storage (Faculty and Students)Collaborative Storage (Faculty and Students)

EmployeD

Group server1 StudentD

App server

UNITED STATES

Faculty/Student CollaborationFaculty/Student Collaboration

Faculty member wants to put data on the network that students can use

Student submission of work to faculty Students collaborate on team projects with

assistance from faculty member Students and faculty collaborate on projects

or assignments Publish web pages as a team or class

UNITED STATES

Faculty and TSP/Client Support Management

Faculty and TSP/Client Support Management

Group Server1 ReadOnly

TeamsR/W withTgroups

CreateOnly

ReadWrite

UNITED STATES

Collaborative Storage and Network Bandwidth

Collaborative Storage and Network Bandwidth

Group Server1

UNITED STATES

Public Access Labs:Home of the Virtual Personal Computer

Public Access Labs:Home of the Virtual Personal Computer

UNITED STATES

OutlineOutline

Environment for the Virtual PC (VPC) How the current VPC environment evolved Mechanics of the VPC

Setting up the computer Boot time Login and login script User Profiles

Software involved Future directions

UNITED STATES

Standard LabStandard Lab

Standard set of applications Standard operating system Standard Context-less login Standard drive mappings Standard hard drive contents

UNITED STATES

The Environment as Seen by the Machine

The Environment as Seen by the Machine

StudentDn

App server

Local HardDrive

Local Printer

UNITED STATES

Goals of the Virtual PC ParadigmGoals of the Virtual PC Paradigm

Easy maintenance Provide global access to password protected

network disk space Allow user to customize his desktop Same environment (“look and feel”)

regardless of location, hardware, or facility ownership

UNITED STATES

EvolutionEvolution

Pre-NetWare Windows 3.11 under NetWare Windows 95 under NetWare

UNITED STATES

StudentDn

How It Happens to the UserHow It Happens to the User

VPC = A series of software manipulations triggered by user login and logout.

User Profile

Logout

User Profile

Login

UNITED STATES

Constructing the MachineConstructing the Machine

The rebuild disk REBUILD <location> <pctype> {options} VLM Client allows it all on one floppy

rebuild

UNITED STATES

Boot Time EventsBoot Time Events

Location, PC type, “ISALAB”, and other environment variables

Some registry updates to ensure default desktop appearance and server failover keys

UNITED STATES

Contextless LoginContextless Login

Can’t teach end users what a context is Using commercial product because we

needed an immediate solution.

UNITED STATES

The Login ScriptThe Login Script

Perform some basic actions

Perform group-specific actions

Perform lab actions Load profile

UNITED STATES

Isitcool—Failover Applications Server Attachment

Isitcool—Failover Applications Server Attachment

Applications Server(2)

ISITCOOL NLM

Applications Server(n)

ISITCOOL NLM

Applications Server(1)

Work-station

Lab 1

ISITCOOL NLM

WorkstationDisk Image

Applications

1. Using IP, get info from primary app server Isitcool.

2. If attach failure or Isitcool reports no, try next server.

3. Attach to server using NetWare client.

Isitcool?NO!

NO!

YES!

UNITED STATES

Loading the ProfileLoading the Profile

PC-Rdist is called by the login script

PC-Rdist imports user registry keys from directory mapped to drive U:

First-time lab users get setup

Printers

UNITED STATES

Special Mappings and EventsSpecial Mappings and Events

Mapping shared disk Most done by login scripts

Novell Application Launcher (NAL) Will eventually be doing most special mappings

UNITED STATES

LogoutLogout

Logout only Export user

registry

Logout and shutdown Export user

registry Perform

maintenance

UNITED STATES

ProblemsProblems

Present implementation not easily scaled DCIT lab support must do all software installs DCIT lab support must handle all initial lab

setup operations If present trends continue, labs of computers

will be replaced by labs of network jacks Image must live in the login directory (not

protected) Metering

UNITED STATES

Summary of Novell ComponentsSummary of Novell Components

NetWare Client 32 (intraNetWare client) NAL VLM client Novell Replication Services (testing)

UNITED STATES

Summary of Third-Party ProductsSummary of Third-Party Products

SofTrack PC-Rdist and TrapSD

Need a NetWare client with integrated profile handling and event hooks

SFLOGIN NWCopy PCOUNTER

Need better auditing tools

UNITED STATES

Clemson University ProductsClemson University Products

cumap isitcool datacool editreg/patch95 editini difrator/TED (in development) labstats (in re-development)

UNITED STATES

Future Directions for UsFuture Directions for Us

Departmental software (hardware?) installations

Remote control of workstation Queuing users waiting for a computer Move from lab to laptop

UNITED STATES

PrintingPrinting

UNITED STATES

Printing StrategyPrinting Strategy

All shared printers are network attached supporting only IPX protocol (HP JetDirect)

All printer access is controlled through NDS print queues

UNIX print services makes any print queue available to UNIX/Multiple Virtual Storage (MVS)/??? hosts using standard Line Printer Daemon (LPR/LPD) protocols

UNITED STATES

Printing Strategy (cont.)Printing Strategy (cont.)

UNIX print services also makes high speed institutional printers on MVS available to both NetWare and UNIX users/applications

UNITED STATES

Printing StrategyPrinting Strategy

OS/390

UNIX

???

PrintGateway

PC PC PCMac

Q

Q

Q

Q

Q

UNITED STATES

NDS Design for PrintingNDS Design for Printing

B

Library

ITC

...

Printers

Employees

B

Printers

Civil Mechanical

CES

A

Students PrtDev CAFLS

clemsonu

A

Poole

UNITED STATES

Electronic MailElectronic Mail

UNITED STATES

Electronic Mail ServerElectronic Mail Server

Based on Sun Solaris No user accounts required on Solaris Server software developed at Clemson Multiple recipients/one copy of message Server based on Post Office Protocol/

Multipurpose Internet Mail Extensions (POP/MIME) Internet standard protocols Internet Messaging Access Protocol 4 (IMAP 4)

coming?

UNITED STATES

Electronic Mail ServerElectronic Mail Server

Eudora site license purchased by DCIT List server gaining wide spread acceptance

and use Class/section list automated

Mail ServerMail Server

DOSDOS POPcPOPc

mainframemainframe POPcPOPc

WindowsWindows POPcPOPc

MacMac POPcPOPc

UNIXUNIX POPcPOPc

OS/2OS/2 POPcPOPc?? POPcPOPc

popDListDMail

Server

UNITED STATES

Mail Server: StatisticsMail Server: Statistics

1995 1996 1997* Category

14K 46K 85K Daily average POPconnections

13K 36K 62K Daily average messagesretrieved from server

27K 48K 92K Average messages sentusing server per day

*based on partial year statistics through May 26, 1997

UNITED STATES

Automated Distribution ListsAutomated Distribution Lists

MVS OS/390

ListMGR

popDpopD ListDListD MailServer

MailServer

TCP/IP

Class RolesDepartments

UNITED STATES

Automated NDS Group Membership

Automated NDS Group Membership

MVS OS/390

ListMGR

popDpopD ListDListD MailServer

MailServer

TCP/IP

Class RolesDepartments

NDS GroupMGRNLM

TCP/IP

UNITED STATES

Student Interface toCollaborative StorageStudent Interface to

Collaborative Storage

Use DMOs along with a graphical tool to have users select and map network resources to make them available

UNITED STATES

Managing Distribution Lists with NDS

Managing Distribution Lists with NDS

popDpopD ListDListD MailServer

MailServer

GroupMGR.NLM

Monitor group membershipmodifications

RegisterForEvent()

TCP/IPNDS

1. Membership2. See also

UNITED STATES

NDS Interface to the List ServerNDS Interface to the List Server

Enabler for collaborative work between faculty and students

Uses data from employee system on MVS to keep department NDS groups correct

Lets users use NWAdmin to administer E-mail lists

Eliminates need to make changes to NDS and the list server

Ensures that data is correct everywhere

UNITED STATES

IntranetIntranet

UNITED STATES

Web ServingWeb Serving

Institutional servers Department or group servers Organizational page servers Personal page servers Administrative and student application page

servers

NDS Web Security viaWindows NT/UNIX/???NDS Web Security viaWindows NT/UNIX/???

UNITED STATES

Authentication ServerAuthentication Server

UNITED STATES

Authentication ServerAuthentication Server

Too many userid/password combinations for each user to remember

Need central set of secure servers that all systems use for authentication

Clemson University Personal ID (CUPID) Based on Automatic Userid System (AUS) Idea born in interdepartmental task force Production on July 1, 1996

UNITED STATES

Authentication ServerAuthentication Server

MailMail authCauthC

WebWeb authCauthC

mainframemainframe authCauthC

UNIXUNIX authCauthC

NetWareNetWare authCauthC

SunSun authCauthC

Windows NTWindows NT authCauthCOracleOracle authCauthC

NDS

intraNetWare Server BintraNetWare Server A

AUTHSERV.NLM

intraNetWare Server C

Mainframe (MVS)

VTAM

RACF

AuthClient

Onlines

MAIL (Solaris)

AuthClient

POPd

NTServer (4.0)

AuthClient

Website

Application

User Workstation (Windows 95/NT and MAC Workstation)

Eudora TN3270 Netscape Login.exe

OpenLinux

AuthClient

Apache

Application

AUTHSERV.NLM AUTHSERV.NLM

UNITED STATES

Authentication ServerAuthentication Server

NetWare Loadable Module (NLM) is multithreaded

Clients use common code base Clients have built in failover capability Communication based on TCP/IP sockets > 90% successful password checks complete

in less than 0.1 seconds > 2 million requests serviced by primary

server over a 6 week period (50,000/day)

UNITED STATES

Back toIntranetBack toIntranet

UNITED STATES

NDS Authentication through Windows NT/UNIX/??? to the Web

NDS Authentication through Windows NT/UNIX/??? to the Web

Application:Employee InformationSystem (EIS)

Type:Web

Server OS:Windows NT 4.0

Server Enabling App:Website/Visual Basic

UNITED STATES

Using NDS Security Across the Intranet

Using NDS Security Across the Intranet

AuthenticatedClient

ServerAuthClient

AuthenticationServer

NDS

Netscape IIS32-bitDLL

AUTHSERV.NLM

NDS

Page requestCheckEquiv

Check SecurityEquivalence

Locate user objectand run equivalencelist.

NT 4.0

UNITED STATES

AUTHSERV Client FunctionsAUTHSERV Client Functions

Password check Password change Resolve to fully distinguished name Check security equivalence Return group membership Miscellaneous administrative functions

UNITED STATES

Authentication Server as an NDS Data Gateway

Authentication Server as an NDS Data Gateway

Application:Call tracking system

Type:Web

Server OS:Windows NT 4.0

Server Enabling App:Website/Visual Basic

Not AssignedBILLBROYLESCCRDAVEDAVIDCDONJAMBOYATES

DAVIDC

UNITED STATES

Caldera OpenLinux and ApacheCaldera OpenLinux and Apache

Web gateway to NetWare file system

Caldera OpenLinux

FileServer

FileServer

FileServer

AuthC

Browser

Browser

Browser

BrowserAuthServer

FileServer

FileServer

UNITED STATES

Caldera OpenLinux and ApacheCaldera OpenLinux and Apache First attempt to provide web services via Novell

made use of Novell’s intraNetWare Web Server 1.0 which simply was not reliable

Caldera OpenLinux provided robust UNIX connectivity to NDS and supported the industry standard Apache web server

Out of the box Caldera/Apache did not provide home directory redirection and/or authentication It did however provide the source code needed to

make these modifications

UNITED STATES

Caldera OpenLinux and ApacheModifications

Caldera OpenLinux and ApacheModifications

Added a module that would link Apache’s user directory directive to the user’s Novell home directory Making http://www.clemson.edu/~erich point to

EMPLOYED/USR02:\USERS\U20\ERICH\PUBLIC.WWW

Since Caldera is NDS aware, this also allows us to serve group web sites via their own group servers

UNITED STATES

Web Interface to Home Directories via AUTHSERV NDS Gateway

Web Interface to Home Directories via AUTHSERV NDS Gateway

Application:Personal pages

Type:Web

Server OS:Linux

Server Enabling App:Apache/Caldera

http://www.clemson.edu/~acollin

UNITED STATES

Web Interface toDepartment PagesWeb Interface to

Department Pages

Application:Departmental pages

Type:Web

Server OS:Linux

Server Enabling App:Apache/Caldera

http://dcitnds.clemson.edu/CSO/depts/maint

UNITED STATES

Caldera OpenLinux and ApacheModifications

Caldera OpenLinux and ApacheModifications

Added another module using the previously mentioned Authentication Server routines to provide both user and group authentication Makes use of standard HTACCESS format with

additional Novell directives

UNITED STATES

Using NDS to Secure Web PagesUsing NDS to Secure Web Pages

NovellAuth onAuthName Novell TreeAuthType Basic <Limit GET POST>require user gmcochrrequire user kellenrequire group .resadmin.groups.employee.clemsonu</Limit>

WebAuth: Web Single Sign-OnWebAuth: Web Single Sign-On

Workstation 3rd PartyWebServer

WebAuthClient

AuthServNLM

NDS

WebAuthNLM

AuthClient

WebBrowser

1

WebBrowser

2

DCITAuthentication

WebServer

WebAuthTrustedClient

CHECK

STORE

Only trusted web servers prompt for userid password and set cookie in browser. Other web servers must use the cookie to determine the user.

Redirect

UNITED STATES

Auditing NDS ConnectionsAuditing NDS Connections

Have not had much luck with standard auditing in 4.x

Hook login/logout in AUDITLGN.NLM Writes easy to manipulate log files Data logged includes fully distinguished

object name, login time, logout time, and MAC address

Monitor file server and print server as well as user connections

UNITED STATES

Dial-InDial-In

Mostly rely on contract between users and Internet Service Providers (ISPs) for dial-in access Campus-MCI

Some PPP connectivity through Livingston server with Remote Authentication Dial-In User Service (RADIUS) modified to use NDS via the Authentication Server

UNITED STATES

Dial-In (cont.)Dial-In (cont.)

Attempting to get NetWare/IP deployed this summer for file server connectivity via PPP

Starting to deploy Dynamic Host Configuration Protocol (DHCP) for dial-in and dorm usage only

UNITED STATES

Server GrowthServer Growth

Split user data servers e.g., StudentD1 and StudentD2

Common access server for both students and faculty/staff (scratch disk)

Develop tools for user disk clean up Develop more tools to help end users get

more out of NDS and the network in general

UNITED STATES

What We NeedWhat We Need

Web interface to unresolved as well as resolved issues at Novell

More out of Simple Management Protocol (SMP)

NDS on Windows NT (no replicas required) Help from Novell on resolving “Windows NT

Server” marketing-through-documentation issues

UNITED STATES

What We Need (cont.)What We Need (cont.)

Code exits in Novell products such as Client 32, RADIUS, FTP server, Web server

Good performance monitoring (SMP) tools

UNITED STATES

Questions and AnswersQuestions and Answers

UNITED STATES