WWDC2000 Session 165

Transcript

My name is David O'Rourke. I have texture that Apple's pursuing for its future development. A little later Michael Dasenbrock will join me on stage to talk about something we didn't talk about last year.

The presentation today is going to cover: what are the directory service APIs, why should you care, why does Apple care. We're going to go into how Apple's using the directory service API. We're going to give an overview of how to write a plug-in; this is one of the key aspects of the directory service API that we mostly hand-waved about last year, so this year we're going to give you some details. And then we'll have a Q&A and answer any questions that you may have.

The concept of directory API is: we've heard feedback for years from Apple that customers want to take an Apple box out of the box, plop it down, and point it at an existing users and groups database, and not have to import or export their data from an existing database and maintain separate databases. So this concept fits in with Apple's quality of simplifying, in that the users don't have to set up a separate database. And so the concept's just: allow Apple services to use customer data.

So Apple's Mac OS X system software will be based on a common directory architecture API. This common directory architecture will allow all Apple system software, the desktop and server, to access directory services via a plug-in architecture.

So the architecture is relatively straightforward. We have a directory access API layer that Apple provides, and we're providing some plug-ins ourselves. This is important because we're using our own plug-in architecture to deliver directory access, so we know this can be done. This is not something we're doing special case and then telling you guys to do plug-ins. We are providing an Apple NetInfo plug-in, which is Apple's directory service of choice. We're also providing an LDAP plug-in, that's v2, for those of you who don't want to know; we might do v3 in the future. And one of the
developer opportunities, as well as being on the top with a developer solution on top of the directory API, is for developers to provide plug-ins to other directories that Apple hasn't chosen to write for. That would include Novell, that would include l w 3, any directory that you want, possibly an Oracle database, some corporation's proprietary database as a back end.

The API runtime is fairly straightforward. A directory API client makes an API call. The API is dispatched as a Mach IPC request down to the directory access API. The directory access API looks at the request, determines what plug-in's best suited to handle the request, dispatches this to the plug-in. The plug-in performs magic: it accesses the local file, it goes out on the network. The plug-ins have full access to the entire Mac OS X operating system at that point. They satisfy the reply, return status, and return the results up to the client.

The directory service configuration is another part of the directory services. Clearly clients need a way to enable and disable various directory plug-ins. So, à la the Extensions Manager for Mac OS 9, we're going to have a Mac OS X preference which will allow users to turn directory services on and off. The other thing this will do is, if you've written a plug-in, this will be the way customers will access your custom configuration. We'll have a configure button or some menu option or something like that that the users will click on; we'll turn control over to your code to put up an HI or do whatever is necessary to configure your plug-in.

The directory access APIs have been included and functional since DP3. They are on DP4. They are in /System/Library/Frameworks/DirectoryService. The API manifests itself in five public C headers: directory services H, directory service H, directory service custom H, and you can read the rest. If you link with those header files, you have access to the client API. The plug-in API will be made available as an SDK shortly, but also, for
anybody adopting the directory APIs to do a plug-in, we'll certainly give you an early seed. The SDK just wasn't quite ready at the time with DP4, but both the client and the plug-in API would be part of the final release of Mac OS X, so there will be no SDK or no additional installation if you want to install a plug-in on top of Mac OS X.

The APIs offer full support for read, write and discovery of data in a directory service. Read, for example, would be: find me a record named David of type user. Write would be: update David's phone number. Discovery would be: list all the records present in this directory. The API also offers the ability to publish custom authentication methods. We've defined some standard authentication methods, but you can extend the API and offer new and never-before-implemented authentication mechanisms, and this also allows clients to discover these authentication mechanisms. That's the next bullet: the API allows capabilities for discovering what the directory plug-ins are offering. The directory API is our standard C API and available from BSD, Carbon and Cocoa on Mac OS X. So really we're running more at the core OS level; we're not Carbon, we're not Cocoa, we're more down near the filesystem layer, the networking API layer. So there's really no runtime issues, and you should be able to access these APIs from pretty much any runtime environment on top of 10.

The API presents an abstraction model. The first and most important part of the abstraction model is nodes. I thought of nodes two years ago when we were beginning the early design of this product; probably a better name would have been scope. But really this allows a plug-in to restrict its damage, or how much data it's accessing. The nodes are published by the plug-ins and Easter and the directory service represents a collection of plug-ins. Plug-ins can register one or more nodes, and it's even up to the plug-ins as to what the semantics of the nodes are: the nodes are a one-to-one mapping to the foreign system, or
if one node represents an entire directory which is actually hierarchical on the back end, it's up to the plug-in to interpret the scope of the nodes.

Nodes contain records. Records reside in directory nodes. They consist of at least one name, and "at least" there is a keyword, because records can have multiple names: I'm known as David O'Rourke, I'm known as Dave O, I'm known as David M. O'Rourke. We want the directory API to be able to accommodate the notion of multiple names mapping to the same record. And at most one type. Types of records, for example, are users, groups, printers, servers, whatever you want for a type of record. So you have a notion of name and you have the notion of category to deal with, with record name and type.

Records contain attributes and values. Attribute types, for example: unique ID, name, phone number, social security number. And then attribute types contain values. So an attribute like social security number would be a single-valued attribute, whereas an attribute like phone number would be multi-valued: you have work, home, fax, those sorts of examples. The API accommodates that sort of flexibility inside the system. Values come from attributes and they're contained within attribute types. Values are blobs of data. The directory service is data agnostic, so the data is formatted in whatever way the foreign system formatted it, or whatever way the attribute type dictates that it should be formatted. The directory service does no policy implementation in that particular area.

Apple's adoption: this is very important. We're not telling you to do this and adopt it for yourself, then going off and doing your own thing. Our server software as well as our desktop software will be based on the directory API. The administration software for Apple server software is directory API based, and the Apple server software products are already entirely based on the directory service API. So those of you fortunate enough to have perhaps participated in some early seeds of server software have already
used software on the directory service API. Third-party enhancements or replacements of services can leverage Apple's work in this area. This means you don't need to provide your own administration tool to create a user; you can simply add an attribute to a user but use Apple's tools to set up and populate the directory. You don't have to provide the full administration suite. You could; we're not saying you shouldn't, we're saying you don't have to. Now, you don't want to have to deliver the complete solution, because you can leverage Apple software and the work that we're going to be doing using the directory API.

Apple software products will be configurable as to what nodes are used. What does that statement mean? That's a brief aside to get. First of all, Apple software will request standard record types, which are documented as part of the API. So we will request kDS standard user or kDS standard printer record. This will enable directory node plug-ins to map our standard requests onto their foreign system. The next thing we do is the customers can configure directory access by the search node. One of our plug-ins is a search node. I could have an hour-long conversation just on this, but in essence the search node allows the customer to choose which directory nodes the services are going to use. So the idea is, if you've added a directory for XYZ, you can go to the search node configuration panel and you can say: I want to use Active Directory, I want to then consult NetInfo, and then I want to consult LDAP, in that order, whenever anybody wants to find a record. Administrators can use the search node to control data access, access controls, as well as bring new directories online.

API plug-in usage and development: we've developed three basic plug-ins. We built a plug-in for Apple's own directory service, NetInfo. Now this really gives you a dual API to use on Mac OS X: you can either use the native NetInfo APIs to access and edit, or you can use the directory API. If you use the directory API,
you're insulated from changing directory service access; if you use the NetInfo APIs, they work with NetInfo. We've developed an LDAP plug-in so you can access any LDAP v2 system, and we've developed a search policy plug-in, and that's what implements the system's policy about how it goes about finding user records, finding group records, so on and so forth. Apple software products would be tested with these three plug-ins. If you have a plug-in you want us to test with, you need to contact us. But if you can make your plug-in behave like any one of these three plug-ins, you're very close to being able to have your plug-in be able to work with any Apple software out of the box. The Apple desktop and server software uses this architecture to provide customers directory choice; that's the whole point, and that goes back to slide number one. We are actively looking for developers to develop a plug-in. We are not going to do a plug-in to every single directory system on the planet. If you have a custom directory you'd like to access, we encourage you to contact us, develop a plug-in. If you have a standard directory you want to develop access to, there's a product opportunity there for you to sell the product.

Apple at this point in time has been straight from what we covered last year and last year's session, and we're going to give you some details on how to actually write a plug-in, and I'd like to invite Michael Dasenbrock up on stage at this time, and I'll be back later.

Thank you, David. My name is Michael Dasenbrock. I am the lead engineer on Apple's directory service project, and what I'm going to go over today is, I'm going to talk about how to build a directory service plug-in. Basically I'm going to give you a high-level overview of the plug-in itself, its structure, some of the entry points, and the callback mechanisms that are in each plug-in.

Okay, first of all, what are plug-ins? Plug-ins are code loadable modules that use Apple's Core Foundation CF load function. They have seven different
entry points, which are listed here, and they also have a series of callbacks, which we'll get into in more detail later.

Okay, where do you load a plug-in from? Right now there's two standard locations for loading directory plug-ins. We do this for two reasons. We allow you to load into the system path or into the local path. The system path is somewhat sacred, and you generally don't want to be modifying that while you're doing development. Also, it may be a read-only copy of the OS and you may not be able to modify that particular path. Well, you load from the local path to allow you to develop; that you can blow away when you're done, and you won't be harming the system. Each plug-in that you develop requires that it has a dsplug extension on it to get loaded by the server.

Here's an example structure of what the directory service plug-in is going to look like, the one that you're going to write. As I stated before, it's loaded in one of the two directory paths, and as you can see here, what's going to be inside that is going to be your plug-in with a DSP extension. Inside that is your plug-in; basically it's your executable, the one that you are going to write, so that's what gets loaded by the directory server. Also inside there is a resources folder. Inside this resources folder is a required property list (I'll get into more detail about what could be in that) as well as any additional information that you may want for your plug-ins. Say, for example, you want some configuration information or runtime files that you need to have, that's guaranteed to go along with your plug-in: that's a great place to put them.

Okay, now here's that property list that I was talking about earlier. The items you see in blue are the keys; those are required and they need to be in each field. And as you can see in the green, those are the items that you're going to provide. And the reason why I brought this slide up is the one issue that can be most particular to those plug-in developers is the plug-in UUID. That
UUID needs to be unique to your plug-in on the system that it's loaded to. If there's a conflict during load time, the plug-in will not get loaded: the first one with the same UUID is loaded, the other one's not. There'll be ways to detect this and I'll get into that later. There will also be on the SDK, this would be provided later, tools to generate a UUID.

Okay, how to make a directory plug-in. First of all, best place to start: start with the sample source code that we're going to provide on the upcoming SDK. You can build and install this plug-in. Once you've built this plug-in and installed it, it gives you an idea of how to pick you yet. You can look at the entry points, you can look at the callback mechanisms. This is a working plug-in; it does nothing more than stub out all the calls that you're going to be expected to process from client data, as well as it registers a single node.

After you've got your plug-in built, you're going to want to test it. Testing it is also going to be through some tools that we're going to provide. We're going to provide a test app on the developer SDK. You again install it in the locations that I spoke about earlier. To load your plug-in, you need to first stop the directory service server, then relaunch it, because the plug-ins are loaded at launch time. Right now they're not loadable on demand; that may change in the future, we haven't decided yet. And then you can verify that your plug-in is loaded by looking into a log file.

Okay, again, you can compile and build a directory service API test client that we have. It will allow you to do two things: allow you to test your plug-in, as well as give you an idea of what clients are going to be requesting from your plug-in, so that you can get an idea of how to write your plug-in to service requests for data, and it gives you an idea of how to use its callbacks.

Okay, here I'll just talk a little bit now about the seven entry points to the plug-in. First one's validate. Validate's called once at load time. It's basically kind of
a handshaking: are you who you say you are, are you the kind of plug-in I'm looking for? Okay, I'm going to load you now.

After all the plug-ins have been loaded, your plug-in then gets called with initialize. This is now time for you to go and do any startup information or startup routines that you need, like open up networking ports, open up a database file, spawn off threads.

Once initialization has been successfully completed, then the plug-in's state gets set to active, and that gets done through the plug-in set plug-in state call. Administrators can take plug-ins on and off line through the directory service control panel, and when they are taken offline or online, it comes through this set plug-in state, and that allows you to either, once you've been made active, again bring things online that were performing offline, and again kick things offline once you become inactive.

Process requests: this is where all the heavy lifting gets done. Your plug-in is going to probably do ninety-nine percent of its data handling through this particular call. This is where you're going to handle, again, all of the lookup information and all the gets and sets.

Shut down: this is called just before directory service server shutdown. It gives your plug-in a chance to clean up, close some files, shut down some networking.

Configure: we allow all the plug-ins to configure themselves. Again, we don't know what you're going to write, we don't know anything about your plug-in. What happens is, in the directory services control panel, the administrator can select your plug-in and click on the configure button. The server then contacts your plug-in through this API, and it is an entry point, and then it's up to you. You can configure your app in any way you want: you can simply read a simple XML file or you can launch an elaborate application with a great HI.

And then periodic task: for those of you who don't want to manage threads, you just want a simple process that gets called when you get called
to the entry points, that's great. We'll also call you periodically to do some housekeeping, and this guarantees that you'll get some processor time.

Okay, now here's those callbacks that I was talking about before. Right now we have four callbacks. What the plug-ins need to do is they need to register their nodes, making their nodes or their domains available to the directory server, as well as taking them offline when they've been made inactive, because they will no longer be able to accept, or they will no longer be given, any processing requests as long as they're inactive. So this allows the node to bring them on and offline. Unregister all is a convenience call to let you take them all offline without having to do them individually. And then there's a logging callback, with which you can put debugging information as well as runtime information into the directory service log.

Okay, just a word to the wise: remember that your plug-ins are going to be loaded by the directory service server. The directory service server's running as a root process, therefore your plug-ins can be running as a root process. So you should do all your development as root and then test as a non-root, so you know that it's doing the right thing: it's not getting non-root owners root access and doing bad things as a system that you normally wouldn't do as a non-root owner. Right now I believe the directory service is locked down to read only by administrator, or read by everyone, write only by administrator. I believe that will be the same with post DP4.

Okay, to sum up, what you need to do next is contact your WWDR representative. If you're interested in doing any directory service development, please come and talk to us after so we can hopefully get you, we can get you on the contact list for early seeds of the SDK, as well as get the copies of the directory service documentation as well as the plug-in API documentation. And with that I'll turn it back to David.

Totally, sir. The directory services and other Apple technology:
the directory services are really a low-level access technology. They don't necessarily dictate an HI or browser or anything like that, so we complement some other Apple technologies. We provide a common framework for higher-level software to be insulated from the particulars of the particular directory service. One technology that we do complement is Network Services Location, which does have a directory service plug-in under development. So if you do a directory service plug-in, NSL will be able to browse your directory service by its directory service plug-in. So now you don't have to do two plug-ins, one for NSL and one for directory service. Doing it in one place, the whole system benefits.

What are the opportunities for you as developers? Because we're all here to make money. Directory-enabled client software: these include Tim email applications. Basically your product can now leverage Apple's directory service in order to provide a user and group database, anything that needs data that's in a central, remote or authoritative database. You can provide alternative example software. If you think you can do the AP server better, go for it. This actually makes it easier for you, because now you don't have to do your own users and groups database; you can use the one that our administration tool sets up for you. And you can add value by leveraging directory data. We need reports, we need... administrators want reports, they want data, they want to know how many pieces of data are in each record. So you can leverage the directory data by either mining it for the administrator, you could report on it, you could modify it, you could fix it. There are pointers in directories, for those of you familiar with directory systems, that sometimes need to be updated or can become dangling pointers. So there's a lot of opportunities to sit on top of the directory API and doing useful opportunity without actually having to do a plug-in.

The second opportunity is what Michael's just been talking about: doing a plug-in to bring an Oracle database
online, or a FileMaker Pro database online, or a flat file that you have; it's a personal favourite file format. Some of these are going to be for sale, some of these are going to be custom developed at institutions. We really want to see a lot of plug-ins developed, but, you know, just work with us to develop the plug-in. X.500 would be one directory plug-in. Windows NT or Windows 2000, the Active Directory plug-in, would be a good one. And at this time I'd like to say that Novell has signed up to work with us to develop a directory plug-in, so those of you who want to take the Mac OS X system and use your existing Novell directory service will be able to do that shortly. And again, the last bullet just emphasizes why we did this at all: we want to be able to integrate Mac OS X, both client and server, into an existing infrastructure and not require them to set up a whole new infrastructure to use our products.

Some additional resources: we have the Apple Developer Connection. We're going to have our PDFs up there. We have documentation for the API and we have documentation for the plug-in; we'll be posting those PDFs to Apple developer resources. Michael, is the API documentation in the framework subdirectory? It will be in future builds, or wherever documentation goes in Mac OS X. Directory service API documentation will be available directly at the Apple developer website, and the API and the headers are installed with DP4. You have the directory service client API; you had it in DP3, if you didn't know it, and you currently have it in DP4. So if you want to play with it, give us some feedback, tell us about some bugs; we'd love to see anyone playing with the directory client API.

Who would you contact if you're interested in developing and need Apple's assistance? Tom Weyer is your friend in this particular case. So contact Tom, pester him, tell him that you need access to Dave O or Michael and that you desperately want to develop the world's next greatest plug-in
and you need David's time now, and we'll be happy to work with you.