WWDC2000 Session 165

Transcript

my name is David O'Rourke I have
texture that Apple's pursuing for its
future development a little later
Michael days and Brock will join me on
stage to talk about something we didn't
talk about last year the presentation
today is going to cover what are the
directory service APIs why should you
care why does apple care we're going to
go into how Apple's using the directory
service API we're going to give an
overview of how to write a plug-in this
is one of the key aspects of directory
service API to be mostly hand waved
about last year so this year we're going
to give you some details and then we'll
have a Q&A and answer any questions that
you may have the concept of directory
API is we've heard feedback for years
from Apple that customers want to take
an Apple box out of the box plop it down
and point it at an existing users and
groups database and not have to import or
export their data from an existing
database and maintain separate databases
so this concept that's in with Apple's
quality of simplifying in that the users
don't have to set up a separate database
and so the concepts just allow Apple
services to use customer data so Apple's
Mac OS X system software will be based
on a common directory architecture API
this common directory architecture will
allow all a whole system software the
desktop and server to access directory
services via a plug-in architecture so
the architecture is relatively
straightforward we have a directory
access API layer that apple provides and
we're providing some plugins ourselves
this is important because we're using
our own plug-in architecture to deliver
directory access so we know this can be
done this is not something we're doing
special case and then telling you guys
to do plugins we are providing an Apple
NetInfo plug-in which is Apple's
directory service of choice we're also
providing an LDAP plug-in that's v2 for
those of you don't want to know we might
do v3 in the future and one of
the developer opportunities as well as
being on the top with a developer
solution on top of the directory API is
for developers to provide plugins to
other directories that Apple hasn't
chosen to write for that would include
Novell that would include l w 3 any
directory that you want possibly an
Oracle database some corporations or
honor
Terry database as we're back in the API
runtime is fairly straightforward a
directory API client makes an API call
the API is dispatched that as a Mach IPC
request down to the directory access API
the directory access API looks at the
request determines what plugins best
suited to handle the request dispatches
this to the plug-in the plug-in performs
magic it accesses the local file it
goes out on the network the plugins have
full access to the entire Mac OS X
operating system at that point they
satisfy the reply return status and
return the results up to the client the
directory service configuration is
another part of the directory services
clearly clients need a way to enable and
disable various directory plugins so
à la the Extension Manager for Mac OS 9
we're going to have a Mac OS X
preference which will allow users to
turn directory services on and off the
other thing this will do is if you've
written a plug-in this will be the way
customers will access your custom
configuration will have a configure
button or some menu option or something
like that that the users will click on
we'll turn control over to your code to
put up an HI or do whatever is
necessary to configure your plug in the
directory access APIs have been
included and functional since DP3 they
are on DP4 they are in
/System/Library/Frameworks/DirectoryService
the API manifests itself in five
public C headers directory services H
directory service H directory service
custom h and you can read the rest if
you link with those header files you
have access to the client API the
plug-in API will be made available as an
SDK shortly but also for anybody
adopting the directory APIs to do a
plug-in we'll certainly give you an early
seed the SDK just wasn't quite ready at
the time with DP4 but both the client
and the plug-in API would be part of the
final release of Mac OS X so there
will be no SDK or no additional
installation if you want to install a
plug-in on top of Mac OS X the APIs
offer full support for read/write and
discovery of data in a directory service
read for example would be find me a
record named david of type user write
would be update david's phone number
discovery would be list all the records
present in this directory the API also
offers the ability to publish custom
authentication methods we've defined
some standard authentication methods but
you can extend the API and offer new and
never before implemented authentication
mechanisms and this also allows clients
to discover these authentication
mechanism that's the next bullet the API
allows capabilities for discovering of
what the directory plugins are offering
the directory API is our standard C API
and available from BSD Carbon and Cocoa
on Mac OS X so really we're running
more to core OS level and we're not
Carbon we're not Cocoa we're more down
near the filesystem layer the networking
API layer so there's really no runtime
issues and you should be able to access
these api's from pretty much any runtime
environment on top of 10 the API
presents an abstraction model the first
and most important part of the
abstraction model is nodes I thought of
nodes two years ago when we were
beginning the early design of this
product probably a better name would
have been scope but really this allows a
plug-in to restrict its damage or how
much data is accessing the nodes are
published by the plugins and Easter and
the directory service represents a
collection of plugins plugins can
register one or more nodes and it's
even up to the plugins as to what the
semantics of the nodes are the nodes are
one-to-one mapping to the foreign system
or if one node represents an entire
directory which is actually hierarchical
on the back end up to the plug-in to
interpret the scope of the nodes nodes
contain records records reside in a
directory nodes they consist of at least
one name and at least there is a keyword
because records can have multiple names
i'm known as david O'Rourke i'm known as
dave oh I'm known as david m O'Rourke we
want the directory API to be able to
accommodate the notion of multiple names
mapping to the same record and at
most one type types of records our
example is users groups printers servers
whatever you want for a type of records
so you have a notion of name and you
have the notion of category to deal with
with record name
type records contain attributes and
values attribute types of the example of
unique ID name phone number social
security number they and then attribute
types contain values so an attribute
like social security number would be a
single-valued attribute whereas an
attribute like phone number would be
multi valued you have work home fax
those sorts of examples the API
accommodates that sort of flexibility
inside the system values come from
attributes and they're contained within
attribute type values are blobs of
data the directory service is data
agnostic so the data is formatted in
whatever way the foreign system
formatted or whatever way the attribute
type dictate that should be formatted
the directory service does no policy
implementation in that particular area
Apple's adoption this is very important
we're not telling you to do this and
adopt it for yourself than going off and
doing your own thing our server software
as well as our desktop software will be
based on the directory API the
administration software for Apple server
software is directory API based and the
Apple server software products are
already entirely based on the directory
service API so those of you fortunate
enough to pass perhaps participated in
some early seeds server software I've
already used offer on directory service
API third-party enhancements or
replacements of services can leverage
Apple's work in this area this means you
don't need to provide your own
administration tool to create a user you
can simply add an attribute to a user
but use Apple's tools to setup and
populate the directory you don't have to
provide the full administration suite
you could we're not saying you shouldn't
we're saying you don't have to know what
you don't want to have to deliver the
complete solution because you can
leverage Apple software and the work
that we're going to be doing using the
directory API Apple software products
will be configurable as to what nodes
are used what does that statement means
that the brief aside to get first of all
Apple software will request standard
record types which are documented part
of the API so we will request kdf
standard user or kdf standard printer
record this will enable directory node
plugins to map our standards requests on
to their foreign system the next thing
we do is the customers can configure
directory access by the search node one
of our plugins is a search node I
could have an hour-long conversation
just on this but in essence the search
node allows the customer to choose which
directory nodes the services are going
to use so the idea is if you've added a
directory for XYZ you can go to the
search node configuration panel and you
can say I want to use Active Directory I
want to then consult NetInfo and then I
want to consult LDAP in that order when
anywhere ever anybody wants to find a
record administrators can use the search
node to control data access access
controls as well as bring new
directories online API plug-in usage
and development we've developed three
basic plugins we built a plug-in for
Apple's own directory service NetInfo
now this really gives you a dual API to
use on Mac OS X you can either use the
native NetInfo APIs to access and edit
or you can use the directory API if you use
the directory APIs you're insulated from
much changing directory service access
if you use the NetInfo APIs they work
with NetInfo we've developed an LDAP
plug-in so you can access any LDAP v2
system and we've developed a search
policy plugin and that's what implements
the system's policy about how it goes
about finding user records finding group
records so on and so forth Apple
software products would be tested with
these three plugins if you have a plugin
you want us to test with you need to
contact us but if you can make your
plug-in behave like any one of these
three plugins you're very close to being
able to have your plugin be able to work
with any Apple software out of the box
the apple desktop and server software
uses this architecture to provide
customers directory choice that's the
whole point and that goes back to slide
number one we are actively looking for
developers to develop a plug-in we are
not going to do plug into every single
directory system on the planet if you
have a custom directory you'd like to
access we encourage you to contact us
develop a plug-in if you have a standard
directory you want to develop access to
there's a product opportunity there for
you to sell the product Apple
at this point in time has been straight
from what we covered last year and last
year's session and we're going to give
you some details on how to actually write a
plug-in and I'd like to invite Michael
dejan Brock up on stage at this time and
I'll be back later thank you David my
name is Michael days and Brock I am the
lead engineer on Apple's directory service
project and what I'm going to go over
today is I'm going to talk about how to
build a directory service plugin
basically I'm going to give you a
high-level overview of the plug-in
itself its structure some of the entry
points and the callback mechanisms that
are in each plug-in okay first of all
what are plugins plugins are code
loadable modules that use apple's core
foundations c f load function they have
seven different entry points which are
listed here and they also have a series
of callbacks which we'll get into more
detail later okay where do you load a
plug-in from right now there's two
standard locations for loading directory
plugins we do this for two reasons we
allow you to load into the system path
or into the local path the system path is
somewhat sacred and you generally don't
want to be modifying that while you're
doing development also it may be a
read-only copy of the OS and you may not
be able to modify that particular path
well you load from the local path to
allow you to develop that you can blow
it away when you're done and you won't
be harming the system each plug-in that
you develop requires it has a BF plug
extension on it to get loaded by the
server here's an example structure what
the directory service plugin is going to
look like the one that you're going to
write as I stated before it's loaded in
one of the two directory paths and as you
can see here what's going to be inside
that is going to be your plug-in with a
DSP extension inside that is your
plug-in it's basically it's your
executable the one that you are going to
write so that's what gets loaded by the
directory server also inside there is a
resources folder inside this resources
folder is a required property list I'll
get into more detail about what could be
in that as well as any additional
information that you may want for your
plugins say for example you want some
configuration information or runtime
files that you need to have that's
guaranteed to go along with your plugin
that's a great place to put them okay
now here's that property list what I
was talking about earlier the items you
see in blue are the keys those are
required and they need to be in each
field and as you can see you can see
that in the green those are the items
that you're going to provide and the
reason why I brought this slide up is
the one issue this can be most
particular to those plug-in developers
is the plug-in UUID that UUID needs to
be unique to your plugin on the system
that it's loaded too if there's a
conflict during load time the plugin
will not get loaded and the first one with the
same UUID is loaded the other one's
not there'll be ways to detect this and
I'll get into that later there will also
be on the SDK this would be provided
later tools to generate a uuid okay how
to make a directory plugin first of all
best place to start start with the
sample source code that we're going to
provide on the upcoming SDK you can
build and install this plugin once
you've built this plugin installed it it
gives you an idea of how to pick you yet
you can look at the entry point you can
look at the callback mechanisms this is
a working plugin it does nothing more
than stub out all the calls that you're
going to be expected to process from
client data as well as it registers a
single node after you've got your
plug-in built you're going to want to
test it testing it is also going to be
through some tools that we're going to
provide we have we're going to provide a
test app on the developer SDK you again
install it in the the locations where I
spoke about earlier to load your plug-in
you need to first stop the directory
service server
then relaunch it because the plugins are
loaded at launch time right now they're
not loadable on demand that may change
in the future we have decided yet and
then you can verify that your plugin is
loaded by looking into a log file okay
again you can compile and build a
directory service api test client that
we have it will allow you to do two
things allow you to test your plugin as
well give you an idea of what clients
are going to be requesting from your
plugin so that you can get an idea of
how to write your plug into service
requests for data and it gives you an
idea of how to use it callbacks okay
here I'll just talk a little bit now
about the seven entry points or do you
the plug-in first ones validate
validates called once at load time it's
basically kind of a handshaking are
usually you say you are are you the kind
of plug-in I'm looking for ok I'm going
to load you now for all the plugins have
been loaded your plug-in then gets
called with initialize this is no time
for you to go and do any startup
information or startup routines that you
need like open up networking ports open
up a database file spawn off threads
once initialization has been
successfully completed then the plugin's
state gets set to active and
that gets done through the plug-in set
plug-in state call administrators can
take plugins on and off line through the
directory service with control panel and
when they are taken offline or online
become it comes through this set plug-in
state and that allows you to either once
you've been made active to again bring
things online that we're performing
offline and again kick things off line
want you to become inactive process
requests this is where all the
heavy-lifting gets done your plug-in is
going to probably do ninety nine percent
of its its data handling through this
particular call this is where you're
going to handle just again all of the
look up information and all the get and
set shut down this is called just before
directory service server shutdown get
your plug-in a chance to clean up close
some files shut down some networking
configure we allow all the plugins to
configure themselves again we don't know
what you're going to write we don't know
anything about your plug-in what happens
is in the directory services control
panel the administrator can select your
plug-in and click on the configure
button the server then contacts your
plug-in through this API and its
entry point and then it's up to you
you can configure your rap in any way
you want you can simply read a simple
XML file or you can launch an elaborate
application with a grade a chive and
then periodic task for those of you who
don't want to manage threads you just
want a simple process that gets called
when you get called to the entry points
that's great will also call you
periodically to do some housekeeping and
this guarantees that you'll get some
processor time ok now here's those
callbacks that I was talking about
before right now we have four callbacks
what the plugins need to do is they need
to register their nodes making their
nodes or their domains available to the
directory server as well as taking them
offline when they've been made inactive
because they will no longer be able to
accept or they will be on no longer be
given any processing requests as long as
they're inactive so this allows the node
to bring them on an offline unregister
all's convenience called a light take
them all off line without having to do
them individually and then there's a
logging callback which you can put in
debugging information as well as
runtime information into the directory
service log ok just a word to the wise
remember that your plugins are going to
be loaded by the directory service
server the directory service servers
running as a root process therefore your
plugins can be running as a root process
so you should do all your development is
root and then test as a non-root so you
know that it's doing the right thing
it's not getting non-root owners root
access and doing bad things as a system
that you normally wouldn't do as a non-
root owner right now I believe the
directory service is locked down to read
only by administrator or read by
everyone write only by administrator I
believe that will be the same with post
DP4
okay to sum up what you need to do next
is contact your WWDR representative if
you're interested in doing any directory
service development please come and talk
to us after so we can hopefully get you
we can get you on the contact list for
early seeds of the SDK as well as get
the copies of the directory service
documentation as well as the plug-in API
documentation in with that I'll turn it
back to David totally sir the directory
services and other Apple technology the
directory services are really a low
level access technology they don't
necessarily dictate an HR browser or
anything like that so we complement some
other Apple technologies we provide a
common framework for higher level
software be insulated from the
particular of the particular directory
service one technology that we do
complement is Network Services Location
which does have a directory service
plug-in under development so if you do a
directory service plug-in NSL will be
able to browse your directory service by
its directory service plugin so now you
don't have to do two plugins one for NSL and
one for directory service is doing it in one
place the whole system benefits what are
the opportunities for use developers
because we're all here to make money
directory enabled client software these
include Tim email applications basically
your product can now leverage apples
directory service in order to provide a
user and group database anything that
needs data that's an essential remote or
authoritative database you can provide
alternative example software if you think
you can do the AP server better go for
it this actually makes it easier for you
because now you don't have to do your
own users and groups database you can
use the one that our administration tool
sets up for you and you can add value by
leveraging directory data we need
reports we need administrators want
reports they want data they want to know
how many pieces of data are in each
record so you can leverage the directory
data by either mining it for the
administrator you could report on it you
could modify it you could fix it there
are pointers and directories for those
of you familiar with directory systems
sometimes need to be updated or can
become dangling
pointers so there's a lot of
opportunities to sit on top of the
directory API and doing useful
opportunity without actually having to
do a plug in the second opportunity is
what Michael just been talking about is
doing a plug-in to bring an Oracle
database online or FileMaker Pro
database online or a flat file that you
have it's a personal favourite file
format some of these are going to be for
sale some of these are going to be the
custom developed at institutions we
really want to see a lot of plugins
developed but you know just work with us
to develop the plug-in X.500 would be
one directory plug in Windows NT or
Windows 2000 the Active Directory plugin
would be a good one and at this time I'd
like to say that Novell has find us to
work with us to develop a directory
plugin so those of you who want to take
the Mac OS X system use your existing
Novell directory service will be able to
do that shortly and again the last
bullet just emphasizes why we did this
at all we want to be able to integrate
Mac OS X both client and server into
an existing infrastructure and not
require them to set up a whole new
infrastructure to use our products what
did some additional resources we have
the Apple Developer connection we're
going to have our PDFs up there we have
documentation for the API and we have
documentation for the plugin will be
posting those pdfs to apple developer
resources michael is the api
documentation in the framework
subdirectory it will be in future builds
or in wherever documentation goes in
that goes ten directory service api
documentation will be available to
director at the apple developer website
and the api and the headers are
installed with DP4 you have the
directory service client API you had it
in DP3 if you didn't know it and
you currently have it in DP4 so
if you want to play with it give us some
feedback tell us about some bugs would
love to see anyone playing with the
directory client API who would you
contact if you're interested in
developing and need Apple's assistance
Thomas wire is your friends in this
particular case so contact Tom pester
him tell him that you need access to de
veau or Michael and that you desperately
want to develop the world's next
greatest plug-in and
you need David's time now and we'll be
happy to work with you