WWDC2003 Session 610
Transcript
Kind: captions
Language: en
My name is David O'Rourke; I'm the engineering manager of Open Directory. I have to get my little clicker here. How many people were at last year's presentation? Could you raise your hand? How many people actually had a seat at last year's presentation? Very cute. So they moved it to a bigger room, so I want to thank you all for overflowing last year's presentation. Next year I'm going to go for the pool and the open bar; how does that sound? Whatever. All right, okay. Also I'd like you all to go out in the hallway and get a friend; I'd like to pack this room so we're getting the big one upstairs. No? Okay, I think I'd actually be scared of that many people.

My name's Dave. We're here to talk about Open Directory: what it is, what directory services is. We're going to review directory services for 10.2 for those of you who are new this year, we're going to talk about our future plans for Panther, and then we're going to go into Q&A. So I guess now's as good a time as any to get into it.

So first of all, Open Directory. Last year we introduced the Open Directory technology name, and what Open Directory is is the technology umbrella, kind of like QuickTime: it covers a lot of different technologies. In our case that covers the client access technology and also covers any servers that we deliver as part of the Panther Server product. Apple's strategy in the Open Directory space is to adopt and promote industry standard technology such as LDAP, Kerberos, SASL, whatever directory-related technology fits our purpose; we're going to adopt it, embrace it and promote it on our platform. So Open Directory is built into both Mac OS X desktops (the client's built in) and it's built into Mac OS X Server. If you buy Mac OS X Server and turn on a directory server, you get Open Directory. It's been there since 10.0, and the good news is everything we do is open source as part of Darwin, so no secrets. You can review our implementation, see if it meets your needs, see if we're sometimes passing a password on the wire in the clear, but we try to fix bugs like that, and you can see it in our source code.

The directory services history: we started out with Mac OS X 10.0 having NetInfo and LDAPv2 with the client. With 10.1 we introduced desktop server with LDAPv2 support, and in 10.2 we introduced NetInfo, LDAPv2, LDAPv3; we added NIS flat file support, or Yellow Pages (I asked the proper name these days; or is it Yellow Pages? Thank you). We also introduced service discovery based on directory services, so we have an AppleTalk plugin for browsing AppleTalk networks, we have an SLP plugin, we have a Rendezvous plugin and we have a plugin for browsing Windows networks. So if you see a Windows server when you go to Connect to Server in Jaguar, or /Network on Panther, you're using directory services. Panther's even better: it has all the features of 10.2, and we're going to go over some of the new and exciting features right now.

First I want to talk about what directory services is. This is the client access portion of the product. It's a standard box diagram; engineers like to draw boxes, I'm an engineer, so I drew some boxes. We've got Mac OS X software running on top of an abstraction API, we've got the abstraction API there in the middle in the blue box (is it blue on your screen? yes it is), and at the bottom layer we have plugins. We have a plugin for NetInfo, we have a plugin for LDAP, we now have a plugin for Active Directory, we have a plugin for BSD files, and you as the third party can develop your own plugin. I believe we're still working with somebody to develop an Oracle plugin so that their directory system could be an Oracle database.

Directory services in 10.2 included an LDAPv3 read/write plugin and an LDAPv2 read-only plugin; it included NetInfo, it includes NIS, BSD flat /etc files, and it includes service discovery. The APIs are documented and the plugin APIs are documented. We have an SDK that includes sample code; we have sample plugins; we have a stub plugin that you could adopt and put your code in, or you could start with our own productized LDAPv3 plugin and gut it and use it for your own purposes. And the directory services headers are installed in /System/Library/Frameworks/DirectoryService.framework.
How does Mac OS X use directory services? This is a question. We're kind of plumbing; if we're doing our job right you don't even notice that directory services is working. My management keeps asking me to demo it, and I say, did you get past the login window? And they say yes. I said, that's the demo. It's a really boring demo, but you know, if we're doing our jobs right you don't really see directory services, because we're just feeding config information to the system behind the scenes. But Managed Desktop: how many of you use Managed Desktop? Managed Desktop sources all of its information out of directory services, so that's one key consumer of the data. All the Security framework authentication: whenever that dialog comes up and asks you to type a password, they ultimately call directory services to verify that password. And all the legacy tools have been migrated to PAM, so if you have passwd or some password-authenticating tool that's running on the command line, it calls the PAM module, and that PAM module calls either the Security framework or directory services, and that authenticates your legacy UNIX tool. And all the Mac OS X Server processes and administration tools use directory services.

Connect to Server: Command-K in the Finder brings up Connect to Server. Everything on the left, all those zones and everything, those are all coming from either an AppleTalk, SLP or Rendezvous plugin when you click on the zones. So all the service discovery in Mac OS X. /Network: how many of you played with the new /Network feature in Panther? It allows you to browse. That's now all sourcing the same information that what we call NSL, or Connect to Server, was sourcing in 10.2. And you can use Directory Access as a system administrator to turn off the browsing of certain protocols. So if you don't want your customers ever connecting to your Apple servers over AppleTalk, you can turn off their browsing by going to Directory Access and turning off the AppleTalk browsing plugin, and then AppleTalk zones will no longer show up in Connect to Server. That does not turn off the AppleTalk protocol; it just turns off the browsing portion.

Another way Mac OS X uses directory services: this is an architecture diagram. NeXT came to us with NeXTSTEP, and they had already cooked a lot of the BSD routines to abstract their directory access through a process called lookupd. And so the system is a bit schizophrenic: there's the legacy APIs that access directory data and there's new APIs that access directory data. The way we make both systems, regardless of which API, get the same data is: anything that calls lookupd, we have a plugin in lookupd that shunts the requests over to directory services. Anybody that's calling directory services, they of course get what directory services is configured with. So this means when you configure Directory Access and add an LDAP plugin to your search node, you're also configuring what the entire system feeds on the command line side: how it resolves users, how it resolves groups. So this is the real power of the system: even though there's two different APIs, they always return the same set of data, because they're linked.

Mac OS X 10.2 Server includes two choices. This is Jaguar Server; I want to emphasize that we're going over history, so not the future. 10.2 Server included two choices for a directory server. You could deploy NetInfo, which was always supported; that supports Mac OS X 10.1 and 10.2. We added for the first time an LDAPv3 plugin, but it uses the NetInfo database for its backend, so when you create a record through NetInfo it also showed up on the LDAP side. Luke Howard did that work for us from PADL; he's in the audience today, and I'd like to thank him for that. It's really kind of cool because you can source your data from one database and serve it up over the NetInfo protocol, serve it up over LDAP. It supports the Mac OS X 10.2 clients. And we introduced the Open Directory Password Server, which is the SASL-based network authentication for legacy authentication protocols. I highly recommend that you go back in time and go to yesterday's auth session, because we talked in detail about the password server. Actually, you can go back in time: I believe we have these sessions available on DVD later, is that correct? Can anyone confirm that? So if you didn't catch the auth session and want more details, work with Apple Developer Relations to get this year's presentation.

So in 10.2 we made a lot of progress in the directory space. We added an LDAPv3 server, we added service discovery, and we introduced new authentication methods with the password server and the authentication authority. And that's all the product that we're all using today. What I want to talk about now is what we're planning to do for directory services this year.
And so we're going to move in two directions. Directory services for Panther: the first thing we're doing is we're substantially enhancing the LDAPv3 plugin; I'll get into the details of that. We're substantially enhancing the Open Directory Password Server. We're combining the NIS and flat file plugins: in Jaguar they were two separate plugins, and what we've done in Panther is combine them in the same source base and taught them to share information. We're getting rid of the LDAPv2 plugin, we're enhancing support for Active Directory, and we're making changes to local authentication. In addition we're enhancing the SMB Windows network plugin; we can now browse off of the local subnet. /Network is now based on NSL, which was the Mac OS 9 Network Service Location protocol. Directory services: we've added man pages for directory services, and we're going to be demoing some new command line tools later in this presentation. And we've made some minor changes for plugin developers, so if you're developing a plugin there's some, you know, gotchas and some heads up that we need to keep you informed of.

LDAPv3 client enhancements: this is the meat of the work we're doing for Panther. In 10.2 LDAPv3 was already very robust and could talk to a lot of different LDAP servers. We support DHCP LDAP discovery through option 95. We supported storing our configurations, or our mappings, on the LDAP server itself, so you didn't have to visit each machine to reconfigure it. We integrated support for the Open Directory Password Server so that LDAP would use the password server when the authentication authority in the user record told us to.

So what we're doing for v3 in Panther is adding replication support, so you can deploy multiple LDAP servers and our v3 plugin will fail over. There will be client-side awareness of LDAP replicas, and if you're using the DS APIs the failover is completely transparent to you, so you don't have to do anything. You just call Open Directory's dsOpenDirNode, "I want to talk to an LDAP server"; that LDAP server goes away, we have to find a replica, your code keeps churning along; it doesn't even know that we switched network connections.

Now, the v3 client replica picking is quite thorough. We'll automatically detect and use LDAP replicas. We will use any or all of three replica discovery mechanisms. An existing standard for LDAP called altServer, which is stored in the root of the LDAP server: if we find that information, we will use the LDAP replicas that are stored in that information. We are adding a new record to the LDAP system that we call a configuration record. That configuration record is no harder than a list of IP addresses; it has to be well named, there will be documentation in Server Admin, but if that configuration is found and lists IP addresses for us to contact, we will use that record. So you can actually put the replication table in the LDAP server and we'll use it. And there is an LDAP replication scheme for DNS service records, so if you've configured DNS to list multiple LDAP servers, we'll use DNS service records. All of these methods require LDAP server connectivity at least once. We can't come up, and if you tell us an IP address is the LDAP server that you want us to talk to and that isn't even reachable, we can't discover the replicas. So we require connectivity to the LDAP server at least once to harvest all of these sources of information, but after that you can roam, you can move the LDAP servers around willy-nilly, and as long as one is still up and running we'll contact it and learn about the new information. We put the failover support in the client because now Mac OS X Server LDAP supports replication, and clearly we're going to work with that very well. So now that we have a replicated LDAP server we needed a replication-aware client, and we've done that in Panther.

Replica failover resolution is done in parallel. We will not serially try 20 LDAP servers at two minutes a shot and make the user wait 40 minutes to find the replica; we try to do the discovery in parallel. We also try to do it in such a manner that we don't spam the network on every single open attempt. We try to gradually build: we get more and more aggressive over time when the LDAP servers are non-responsive, so we won't bring up unnecessary network connections if the LDAP server is just a little slow to respond. But if it's too slow to respond, we'll start looking for replicas, and that will cause more network traffic.

We've also enhanced the password server: new authentication methods. We have some authentication methods to support the new VPN server, and we support PDC authentication. The PDC needs certain authentication methods to be able to authenticate Windows clients, so we had to add authentication methods to the password server to support that.
We've added new password policies. We have global and per-user policies; I went over these in detail in the authentication session. And we have secure replication. We have true multi-master replication: every single password server replica can accept a password change. We have client-side failover, so if one password server stops responding we use other password servers. There are more details in session 607, which was yesterday's session, but it is secure and it is multi-master replication.

Here's a screenshot of the global policies. This is a new HI for Panther, so we support a number of policies. I won't go into them in detail right now, but I'll leave it up there just for a bit so you can look for your favorite feature. Dictionaries are not here, though; everybody wants dictionaries and we're going to look into that.

The authentication methods that the password server supports are MD5 digest, which is used by default if you don't specify an authentication method. This is what loginwindow uses, and if any DS API client requests clear-text authentication we actually turn around and do an MD5 authentication behind the scenes. CRAM-MD5 is typically used by IMAP and SMTP. We have NT LAN Manager; that's used by SMB file sharing. We support APOP, which is used by the POP email protocol. We support WebDAV digest for WebDAV Apache modules. The new authentication method we've added is MS-CHAPv2, and that supports the VPN technologies. We are retiring Two-Way Random in the Panther time frame. Jaguar supports this; Panther won't. Not a lot of AFP clients are still using it. If you are still running AFP clients that require Two-Way Random: I think we have AFP clients that are qualified all the way back to 8.1, and the 8.1 ones do DHX, which is the last authentication method that we support. So all the way back to Mac OS 8 you have an AFP client that doesn't need Two-Way Random, so we're getting rid of that.

The authentication authority matrix. The authentication authority was introduced in Jaguar. It's an attribute in the user record that indicates to Jaguar how the user record should be authenticated when authentication is attempted. We had several values. We had basic last year, and basic indicates the user is crypt based. We introduced the Apple Password Server authentication authority; this indicates that the user is password server based, and in that authority is all the information we need to know to contact the password server and verify that user. This year we're introducing shadow hash. Local users no longer have a readable crypt password on Panther. For those of you who go rummaging around with nidump on your Panther machine looking for your crypt password: it isn't there anymore. So shadow hash indicates that this user record is shadow hash based instead of local crypt based. And we're introducing the Kerberos auth authority. How many people haven't heard we're making a big push around Kerberos? Okay. So we're going to indicate that users are Kerberos based by actually putting a Kerberos authentication authority in the user record, and that helps us know that we should attempt to do Kerberos authentication. So local
authentication changes: crypt is dead. The default local authentication is stored in a shadow file for all local users. Crypt is still supported, but none of the Mac OS X tools will create a crypt user. If you want to do it yourself through DS APIs or legacy tools it still works; it will still function, the OS will still verify the user's password, but none of our administration tools will create a crypt user. Your application should not be relying on crypt passwords. Panther will break any application that has not adopted the Security framework, directory services, PAM, or some other password verification abstraction API. This is not a bug in the operating system; in order to make the OS more secure and move forward, we have to break this. So if you have an application that is doing authentication and you're calling getpwnam or some other API that returns a crypt password, and you're relying on that to behave in Panther, it will break, and we're not going to fix it because it's a security problem. So we need you to adopt a password verification abstraction. There are three major abstractions you can adopt. You can adopt PAM, which is a cross-platform pluggable authentication method for Linux. You can adopt the Security framework to do your password verification in your application; if you need to do authentication you should probably be seriously looking at the Authorization framework, because that's probably the more appropriate way for a GUI application to go forward. Or you can use the down-and-dirty directory service APIs and do the authentication yourself. I want to emphasize: if your application's not using one of these APIs it will break when running on Panther; you will not be able to authenticate your user records. This is if you're a server, a client process, whatever. And just for emphasis, and with color: so we've gotten rid of crypt. Sorry about breaking your app, but it's a necessary evil.

So here's a quick timeline of password server history and future. We had crypt in 10.0. We supported crypt and LDAP bind in 10.1. We support crypt, LDAP bind, Kerberos, the DS APIs, password server, PAM and Security framework in 10.2. We've gotten rid of crypt support in Panther; we now support LDAP bind, Kerberos, DS APIs, password server, PAM and Security framework. And moving out into the future, Kerberos's spot is going to get bigger and it's going to get a more impressive color. So authentication long term: Apple's investing heavily in Kerberos. This means if we're investing heavily in Kerberos, so should you, either as a customer or as a developer. We are aggressively, aggressively migrating all of our networking products to be Kerberos based. If there's a favorite protocol of yours that does authentication and we ship a client and we ship a server, we're probably going to Kerberize it. We will ship the MIT KDC; we already ship the MIT Kerberos client. And sessions 607 and 108 are must-attend for any network service people. 108 is the Kerberos session done by Marshall Vale and his team. All Kerberos all the time is in Apple's future and yours, so get used to it; plan for next year's presentation.

We combined the NIS
and flat file plugins. Mac OS X 10.2 added an NIS plugin; Mac OS X 10.2 supports /etc config files. Panther's implementation combines the NIS and flat file support into a single code base, and now there's a unified configuration HI, so it's really easy to configure this. This is the configuration HI. The BSD local doesn't require any configuration because we know where all the local files are, so that's just kind of there for documentation, and then the lower half of the configuration sheet is the domain name of your NIS server or a list of alternative NIS servers. If you go to Directory Access and click on the NIS plugin, this is the configuration HI you're going to see.

LDAPv2 is being retired. The LDAPv3 plugin has all the LDAPv2 features; LDAPv3 is more robust and has more features. LDAPv2 configurations will automatically be migrated when you upgrade to Panther for the first time, so we're going to make that transition seamless, but there's no reason for customers to continue to use v2. So you could move to LDAPv3 today on Jaguar; you don't need to continue using v2. So you can move ahead of us, or you can wait for Panther to migrate your configuration file for you, but either way the LDAPv2 plugin's going away.

We are providing an Active Directory plugin. This plugin is a native client of LDAP and Kerberos. We're holding Microsoft to their word that Active Directory is nothing more than an LDAP and Kerberos server, so we're holding them to that, and we use nothing but OpenLDAP and the Kerberos APIs to interact with Active Directory. We don't use any proprietary RPCs. No schema modifications are required to use this plugin. The plugin generates any missing Mac OS X attributes: we generate UIDs, we generate home_locs, we generate all the missing Mac OS X attributes. We can't generate Managed Desktop data; I can't fabricate Dock preferences out of thin air. So really this is a baseline level of compatibility with Active Directory. If you just want users to be able to log on, get their name and passwords and stuff like that, the AD plugin's an excellent thing. If you want to actually use some of the unique features of Mac OS X, you have to modify the AD schema and add the information we need, but that's above and beyond the baseline feature set. So the Active Directory plugin supports all the AD features, supports the baseline AD schema, and still supports our extensions if they're present, so that we can get additional feature set out of the AD plugin. It supports domain controllers, authentication policies, replication; all the features are there. Erik Clements has done the AD plugin, of course; he's done a fantastic job, and we look forward to your feedback on the product. If the Mac OS X data schema is present, this AD plugin will work with it as well. So this is the configuration. I
don't think we could have made it much simpler. You don't need the Advanced Options most of the time. You enter the forest, the domain, you enter a computer ID, you hit Bind, we create a computer record in the AD system, and we use that computer record to bind to the Active Directory system. You then go to Directory Access and add the AD plugin to the search policy, you log out to loginwindow, and you can log on as an AD user. That's it. We do automatic multi-domain authentication. You can force it to use a particular server. You can force us to use a unique ID attribute that's present. You can cache the last user login for network disconnect, so when your users go home and they aren't connected to an AD system they can still log on to their PowerBook with the same name and password they use for their network account. This feature will be covered more at the mobile Managed Desktop session later today, and it's for any directory services plugin, so if you have an LDAP user, if you have a crypt user or you have an NIS user, we now support offline caching of network user records. And you can set up a number of groups for the AD plugin to administrate which AD users should be considered local administrators on this system.

So we have service discovery in Panther. We still have AppleTalk, we still have SLP, we still have Rendezvous and we still have SMB. We have rewritten the SMB plugin from scratch. It has the same functionality, basically, as Jaguar, but we can now browse off of subnets; that's the major feature. We still have Rendezvous, AppleTalk and SLP. SLP will be retired in a future OS release; I don't know when, maybe next year, maybe the year after. It will at least be made an optional install in a future OS, so if you have any applications that are relying on SLP I highly encourage you to move on to Rendezvous, because Apple is going to start deprecating this service over the next few years.

We have some command line tools and man pages. We now have man pages for directory services. We have a suite of tools for directory services: we have dscl, which stands for directory services command line; we have the pwpolicy tool, which lets you from the command line set password policies on the password server; passwd now uses directory services; we have dsperfmonitor; and we add dserr, which will convert the numeric error codes to a display string. We have API profiling; we're going to demo that later. And we have server tools: Workgroup Manager now includes a new feature called the Inspector. How many of you used ResEdit? Remember ResEdit from the Mac OS 9 days? Inspector is ResEdit for directory services. It's a raw editor; you can really shoot yourself in the foot. If you want to have a really good time, I really recommend you go into the Inspector, you mess with your home_loc, you change the user's auth authority and paste a random string into the crypt password; again, you'll just have a great time with that. So the Inspector is a new feature and we think it's quite useful; we already use it internally to debug our bugs.

So what I'd like to do with this time is invite my coworker Jason Townsend up on stage, and he's going to give you some really cool demos. Thanks.

[Applause]
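The replica discovery and staged parallel failover Dave describes for the Panther LDAPv3 client (harvest candidates from altServer, from the configuration record and from DNS SRV records, then probe in parallel without spamming the network on every open attempt) can be modelled in a few dozen lines. The following is an added example written for this transcript; it is not Apple's code or anything shown in the session. The candidate ordering, the wave sizes, the `host:port` normalisation and the injectable `probe` callable are my own assumptions, and every hostname below is constructed.

```python
"""
Replica-aware LDAP server selection (added example, not Apple's code).

Two steps, matching the talk: merge_candidates() harvests replica lists
from the three discovery sources into one ordered, de-duplicated list;
select_replica() then probes candidates in parallel waves whose size grows,
so a merely slow primary is retried alone before the client fans out to
every replica it knows about.  The probe is injected so the logic can run
offline; in production it would be a bounded-timeout LDAP connect.
"""
from concurrent.futures import ThreadPoolExecutor, as_completed
from typing import Callable, Iterable, List, Optional, Sequence, Tuple

DEFAULT_PORT = 389  # assumption: plain LDAP unless the record says otherwise


def normalize(server: str) -> str:
    """Reduce 'ldap://host:port/' or bare 'host' to 'host:port' so the same
    replica named by two sources is recognised as one candidate."""
    for scheme in ("ldap://", "ldaps://"):
        if server.startswith(scheme):
            server = server[len(scheme):]
    server = server.rstrip("/")
    if ":" not in server:
        server = f"{server}:{DEFAULT_PORT}"
    return server


def merge_candidates(
    configured: Sequence[str],
    alt_server: Iterable[str] = (),
    config_record: Iterable[str] = (),
    dns_srv: Iterable[Tuple[int, int, str, int]] = (),
) -> List[str]:
    """Ordered candidate list: the configured server first, then altServer
    values, then the configuration record, then SRV records ordered by
    priority ascending and weight descending.  Duplicates are dropped."""
    srv_sorted = sorted(dns_srv, key=lambda rec: (rec[0], -rec[1]))
    srv_hosts = [f"{target}:{port}" for _prio, _weight, target, port in srv_sorted]
    seen, merged = set(), []
    for server in [*configured, *alt_server, *config_record, *srv_hosts]:
        host = normalize(server)
        if host not in seen:
            seen.add(host)
            merged.append(host)
    return merged


def select_replica(
    candidates: Sequence[str],
    probe: Callable[[str], bool],
    waves: Sequence[int] = (1, 2, 4),
) -> Tuple[Optional[str], int]:
    """Return (winner, probes_made).  Each wave is probed in parallel; the
    wave size grows from 1 so the full fan-out only happens after earlier,
    cheaper waves have all failed.  A probe that raises counts as a miss."""
    remaining, probes, wave_no = list(candidates), 0, 0
    while remaining:
        size = waves[min(wave_no, len(waves) - 1)]
        wave, remaining = remaining[:size], remaining[size:]
        winner = None
        with ThreadPoolExecutor(max_workers=len(wave)) as pool:
            futures = {pool.submit(probe, host): host for host in wave}
            for done in as_completed(futures):
                probes += 1
                try:
                    alive = bool(done.result())
                except OSError:
                    alive = False
                if winner is None and alive:
                    winner = futures[done]
        if winner is not None:
            return winner, probes
        wave_no += 1
    return None, probes


def demo() -> Tuple[Optional[str], int]:
    """Constructed scenario: the configured server and the first replica are
    down, the second replica answers.  Expect it chosen after 3 probes."""
    candidates = merge_candidates(
        ["ldap.example.com"],
        alt_server=["ldap://ldap.example.com:389/", "ldap://ldap2.example.com/"],
        config_record=["10.0.0.5"],
        dns_srv=[(10, 50, "ldap3.example.com", 389), (0, 0, "ldap.example.com", 389)],
    )
    alive = {"10.0.0.5:389"}  # constructed: only the config-record host is up
    return select_replica(candidates, lambda host: host in alive)


if __name__ == "__main__":
    print(demo())
```

The point of the wave schedule is the one Dave makes: a slow-but-healthy primary gets a single probe before the client opens connections to every replica, and only a primary that stays unresponsive triggers the wider, noisier search. A real probe would bind with a short timeout and should treat a connection that succeeds but refuses the expected bind as a miss, not a hit.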
Thanks, Dave. So I'd like to go over to demo machine number two and show you some of the stuff that we've added in Panther. Should we switch the demo? All right. And I'm going to be looking at what we've done from the command line side. So you heard Dave mention that we've added some new command line tools. One of those is called dscl, and if any of you are familiar with NetInfo you may have used nicl before. dscl is kind of like nicl except that it uses directory services. So I can just say dscl localhost and I have an interactive prompt that I can use to do a wide variety of directory service operations. So at the top level I can see all the plugins that I have. For example, I can go to NetInfo, for the local domain, and I can see the various record types that are there. Let's take a look at my users. Another thing is we have tab completion in here, which nicl doesn't have, so any of you who use this will appreciate that. And I'll go ahead and look at the user I'm logged in as. I can just read that record, and you'll notice where the password attribute used to be there's just eight stars, and we have the ShadowHash auth authority, so there is no readable crypt password. All right. So in addition to reading data with dscl I can also make changes. So for example I could change my authentication hint; I could say change that to "the usual". And, oh, okay, I forgot to authenticate first. So you can also authenticate as your administrator, and then I have history as well, so I can replay those commands, and now if I reread that record you can see that I've changed the authentication hint.

So we've also got a man page for dscl; it talks about all the things you can do, and there's a lot of stuff there. We've also added the man page for DirectoryService, so we should have, you know, any of the command line tools that we've got there are going to have man pages you can look at on the system to figure out what you can do with them.

Another feature I'd like to show you is called DS API logging. This is something that we had in Mac OS X 10.2, but we've made it a little bit better in Panther, and if you haven't used it before and you're doing any work with directory services, either developing a plugin or writing an app that's using directory services, you're definitely going to want to check this out. So as root I can do a killall -USR2 DirectoryService, and that's just going to send a USR2 signal that will turn on the API logging. And then, for example, I could go ahead and bring up Directory Access; that will cause some directory service calls to happen, and if I go look in Console (I've got my system log up here) I can see a whole bunch of calls coming through from Directory Access. There's actually a really cool feature in Console, if you haven't seen this, this is really awesome: you can filter based on any string and it'll show you only the lines that match that. So I can't take credit for that, but I use that thing every day. So you can filter to just the app, and we're showing also the app name here. If you've used this feature before, we used to show the PID, which we still show, but now you can get an idea of which client is coming in talking to DirectoryService without having to go look at top or figure those things out on your own. So that's API logging.

Another thing that we've added in Panther is called dsperfmonitor, and what that does is it allows you to collect data on how long the various API calls are taking, how many calls are happening, and put that into a table form that you could bring into Excel, for example. So the way that I would do that is, I'll go ahead and do a killall -USR2 again; that will turn off the API logging, or if you wait five minutes it turns off on its own. And if I do dsperfmonitor -a, that starts dsperfmonitor, so it's gathering statistics now, and I could go ahead and do something else with dscl, for example. Actually, another thing: any of you who like to write command line scripts, if you know nicl you know how nicl has the one-shot mode where you can do a single command. You can do the exact same thing with dscl. So I'll go ahead and do a dscl command there; that'll just run one command and then complete. And that actually is doing a getDirNodeInfo on my local domain and showing me the auth methods, and that it's read/write, and that sort of thing. So now if I go back and do dsperfmonitor -d, then it will dump the API statistics into /var/log/system.log, and let's see, I can go ahead and turn off my filter here, and you'll see a bunch of tab-delimited data here at the bottom that we could go ahead and bring into Excel or whatever spreadsheet you want to put it into and take a look at it. All right, so I'd like to go back to the slides now.
Okay, so there's some other changes I want to tell you about if you're doing any plugin development or if you're using the Directory Service API. There's lazy plugin loading, we've added some new standard record and attribute types you want to take a look at, there's also support for plugins in Directory Access, and I'll get into that a little later, and I'll also tell you an update about our open source code.

Lazy plugin loading: this is a feature that we've added in Panther, and the main goal here is to improve the boot time and reduce the memory footprint of Directory Service, and the way we do this is we only load the plugins that we need. So for backward compatibility this is an opt-in system, so you have to make a change to your plugin to be lazily loaded, but if your plugin is installed and the user isn't using it, this is going to help them out, because then it's not going to impact the performance of the system. It's very simple to do this, and if you are working on a plugin please let us know, we'd love to work with you. So there's two keys you'll want to add to your plugin's Info.plist. The first one is DSOKToLoadLazily, and that's going to tell us yes, this plugin wants to opt in for lazy loading. The other one is an optional one which is called DSNodesToRegister, and that allows you to specify a list of nodes that Directory Service will register for you without you actually even running. So I have an example of that on the next slide here. This is from the combined BSD flat file and NIS plugin; it registers /BSD/local, you can see there, so that's this array of dictionaries going on there, and the DSOKToLoadLazily is at the bottom.

So there's some API additions. The first one hopefully you'll be excited about is we have an umbrella header, so anyone who's ever programmed with Directory Service before, you had to include probably four different files to do anything, and it was a little confusing and the names were hard to remember. So now you just include DirectoryService/DirectoryService.h and everything works if you're developing on Panther. We've added some new standard record and attribute types; there's a few examples there, there's a lot more, but you can check out the header files on your Panther developer tools. For example we have People, which is for contact information; this is if you want to have that contact information but not attach it to a user record. We also have a record for the AutoServerSetup; maybe you've seen the demos of automatic server setup on Mac OS X Server, we store those in AutoServerSetup records. We've also added Keywords, and XMLPlist is one we use in the auto server setup. We've added one new API call, which is dsDoDirNodeAuthOnRecordType. This is pretty much the same thing as dsDoDirNodeAuth except you specify which record type, so that lets you work with records other than users, and the main thing we do this with now is the computer records; when you have a PDC setup, that uses this API.

So, Directory Access plugins. We actually had support for Directory Access plugins beginning in 10.2, and for those of you that aren't familiar, Directory Access is the tool that you use to configure Open Directory, which is in Applications/Utilities. This allows you to provide a custom interface when someone clicks on the Configure button for your Open Directory plugin, and we actually use the system for all of the UI that you see in Directory Access: for LDAPv3, NIS, Active Directory, all those have plugins in Directory Access. We're going to be documenting that in an update to our developer documentation, and if you want to do this, essentially what you need to do is factor your configuration so that all of the UI is going to be in your Directory Access plugin and the back end of it will be in your Directory Services plugin, so you'll use the Directory Services API to actually make your configuration changes. Normally this is done by plugin custom calls and packing up your configuration in the DS buffer as an XML plist or something like that.

So why do we suggest that you do that? It's because Directory Access is a remote tool; it can actually be used, for example, to connect from a PowerBook to a headless Xserve over the DS proxy. So if you go to the Server menu in Directory Access, you can connect to whatever server machine you want and configure it, so the only way for you to get from the machine running Directory Access to the appropriate place to put those config files is using the API, because we have a reference for you that allows you to use that remote connection. You need to keep in mind, because of this, that there may be different versions on both sides of that connection, and we actually support Panther connecting to Jaguar, so we actually keep around some of our old plugins, for example LDAPv2: even though the Directory Service plugin is gone, there's still a Directory Access plugin for that so you can continue to configure that. If you want to work on a Directory Access plugin or Directory Service plugin, let us know; it should be pretty easy to do. The stuff in Directory Access is all using Objective-C and there's only a few methods you need to implement.
So, open source update. Actually we had some new source code posted on Monday, and for those of you that have been following this for a while, there are a few changes as to how the projects are laid out. So we have taken the LDAPv3 plugin and merged that into the main DirectoryService project, and we have the DSNIS plugin available. Some of the other projects we used to have are now obsolete, which is the BSD flat file plugin, which has been merged into the same project as the NIS plugin, and then the LDAPv2 project, because that's no longer in Panther, and LDAPv3 is in DirectoryService. We're also going to be open sourcing DSTools, which includes dscl and some of our other command line tools, later in the Panther timeframe. At this point I'd like to hand it back to Dave for a wrap-up.

So we've done a lot for Panther. We've enhanced the LDAPv3 plugin, we've enhanced Password Server support with auth methods and replication support, we have a combined NIS and flat file plugin for those of you with legacy UNIX configuration information, LDAPv2 is being retired, we have a brand new plugin for supporting Active Directory that doesn't require any schema changes, and we've made changes to local authentication: Kerberos is dead and curb our crypt is dead and Kerberos is coming. We've enhanced the SMB Windows network plugin, /Network is now based on Directory Services, Directory Services has man pages, it has a command line tool suite, and there are some very, very minor changes if you're developing a plugin, but there's only a handful of people developing a plugin, so this doesn't affect a lot of people.

Here's a road map of some interesting sessions: we have the security session, Kerberos on Mac OS X Server overview, server in-depth authentication, desktop technologies, and network security best practices on Friday. I'll be here all week, I'll be at that presentation. You can contact myself or Skip Levens or Jason Townsend if you want; our email addresses are up there.

And for more information there's a lot of documentation. We have the Directory Services API documentation posted online, so I've heard... I heard we renamed all these URLs and I didn't get them updated, so go to the developer website and we're under Networking, wherever they've moved that to. We have the Darwin Open Directory, we have the Open Directory SDK, the server documentation surprisingly is very good, and in particular the Open Directory technical brief now is a fantastic tutorial on directories just in general, conceptual high level stuff; I really recommend anyone doing directory work read that. The Mac OS X LDAP schema: everyone last year said "where do you document the LDAP schema?" It's all in the OpenLDAP config file; we aren't keeping secrets, but we're going to pull that out into one of the new twelve manuals for this release of 10 Server, but you can always go to the OpenLDAP configuration and see what our schema is. Mac OS X Security APIs are another excellent reference, and then there's the OpenLDAP project, the SASL project, the PAM project, and Kerberos are also related technologies that are available to you.