WWDC2003 Session 610
Transcript
Kind: captions. Language: en.

My name is David O'Rourke; I'm the engineering manager of Open Directory. I have to get my little cue-er here. How many people were at last year's presentation? Could you raise your hand? How many people actually had a seat at last year's presentation? Very cute. So they moved it to a bigger room, so I want to thank you all for overflowing last year's presentation. Next year I'm going to go for the pool and the open bar; how does that sound? Whatever. Okay. Also, I'd like you all to go out in the hallway and get a friend; I'd like to pack this room so we're getting the big one upstairs. No, okay, I think I'd actually be scared of that many people.

My name's Dave O'Rourke. We're here to talk about Open Directory: what it is, what directory services is. We're going to review directory services for 10.2 for those of you who are new this year, we're going to talk about our future plans for Panther, and then we're going to go into Q&A. So I guess now's as good a time as any to get into it.

First of all, Open Directory. Last year we introduced the Open Directory technology name. What Open Directory is is the technology umbrella, kind of like QuickTime: it covers a lot of different technologies. In our case that covers the client access technology and also covers any servers that we deliver as part of the Panther Server product. Apple's strategy in the Open Directory space is to adopt and promote industry-standard technology such as LDAP, Kerberos, SASL, whatever directory-related technology fits our purpose; we're going to adopt it, embrace it and promote it on our platform. So Open Directory is built into both Mac OS X desktops (the client is built in) and it's built into Mac OS X Server. If you buy Mac OS X Server and turn on a directory server you get Open Directory. It's been there since 10.0, and the good news is everything we do is open source as part of Darwin, so no secrets: you can review our implementation, see if it meets your needs, see if we're sometimes passing a password on the wire in the clear (but we try to fix bugs like that), and you can see it in our source code.

Directory service history: we started out with Mac OS X 10.0 having NetInfo and LDAP v2 in the client. In 10.1 we introduced 10.1 Server with LDAP v2 support, and in 10.2 we introduced NetInfo, LDAP v2, LDAP v3; we added NIS and flat file support, or Yellow Pages. Is NIS the proper name these days, or is it Yellow Pages? NIS, thank you. We also introduced service discovery based on directory services, so we have an AppleTalk plug-in for browsing AppleTalk networks, we have an SLP plug-in, we have a Rendezvous plug-in, and we have a plug-in for browsing Windows networks. So if you see a Windows server when you go to Connect to Server in Jaguar, or /Network on Panther, you're using directory services. Panther's even better: it has all the features of 10.2, and we're going to go over some of the new and exciting features right now.

First I want to talk about what directory services is. This is the client access portion of the product. It's a standard box diagram; engineers like to draw boxes, I'm an engineer, so I drew some boxes. We've got Mac OS X software running on top of an abstraction API; we've got the abstraction API there in the middle, the blue box (is it blue on your screen? yes it is), and at the bottom layer we have plug-ins. We have a plug-in for NetInfo, we have a plug-in for LDAP, we now have a plug-in for Active Directory, we have a plug-in for BSD files, and you as the third party can develop your own plug-in. I believe we're still working with somebody to develop an Oracle plug-in so that their directory system could be an Oracle database.

Directory services in 10.2 included an LDAP v3 read/write plug-in and an LDAP v2 read-only plug-in. It included NetInfo, it includes NIS, BSD flat /etc files, and it includes service discovery. The APIs are documented and the plug-in APIs are documented. We have an SDK that includes sample code; we have sample plug-ins; we have a stub plug-in that you could adopt and put your code in, or you could start with our own productized LDAP v3 plug-in and gut it and use it for your own purposes. The directory services headers are installed in /System/Library/Frameworks/DirectoryService.framework.

How does Mac OS X use directory services? This is a question we get; we're kind of plumbing. If we're doing our job right you don't even notice that directory services is working. My management keeps asking me to demo it, and I say, did you make it past login window? They say yes; I say, that's the demo. It's a really boring demo, but if we're doing our jobs right you don't really see directory services, because we're just feeding config information to the system behind the scenes. But managed desktop, how many of you use managed desktop? Managed desktop sources all of its information out of directory services, so that's one key consumer of the data. All the Security framework authentication: whenever that dialog comes up and asks you to type a password, they ultimately call directory services to verify that password. And all the legacy tools have been migrated to PAM, so if you have passwd or some password-authenticating tool that's running on the command line, it calls the PAM module, and that PAM module calls either the Security framework or directory services, and that authenticates your legacy UNIX tool. All the Mac OS X Server processes and administration tools use directory services. Connect to Server (Command-K in the Finder brings up Connect to Server): everything on the left, all those zones and everything, those are all coming from either an AppleTalk, SLP or Rendezvous plug-in when you click on the zones. So all the service discovery in Mac OS X, /Network (how many of you played with the new /Network feature in Panther? It allows you to browse) is now all sourcing the same information that what we called NSL, or Connect to Server, was sourcing in 10.2. And you can use Directory Access as a system administrator to turn off the browsing of certain protocols. So if you don't want your customers ever connecting to your Apple servers over AppleTalk, you can turn off their browsing by going to Directory Access and turning off the AppleTalk browsing plug-in, and then AppleTalk zones will no longer show up in Connect to Server. That does not turn off the AppleTalk protocol; it just turns off the browsing portion.

Another way Mac OS X uses directory services: this is an architecture diagram. NeXT came to us with NeXTSTEP, and they had already hooked a lot of the BSD routines to abstract directory access through a process called lookupd. So the system's a bit schizophrenic: there's the legacy API set that accesses directory data and there's the new API set that accesses directory data. The way we make both systems get the same data, regardless of which API, is that anything that calls lookupd, we have a plug-in in lookupd that shunts the requests over to directory services; anybody that's calling directory services of course gets what directory services is configured for. So this means when you configure Directory Access and add an LDAP plug-in to your search policy, you're also configuring what the entire system sees on the command-line side: how it resolves users, how it resolves groups. This is the real power of the system: even though there are two different API sets, they always return the same set of data because they're linked.

Mac OS X 10.2 Server includes two choices. This is Jaguar Server; I want to emphasize that we're going over history, not the future. 10.2 Server included two choices for a directory server. You could deploy NetInfo, which was always supported and supports Mac OS X 10.1 and 10.2. We added for the first time an LDAP v3 server, but it uses the NetInfo database for its back end, so when you create a record through NetInfo it also shows up on the LDAP side. Luke Howard from PADL did that work for us; he's in the audience today. I'd like to thank him for that. It's really kind of cool because you can source your data from one database and serve it up over the NetInfo protocol and serve it up over LDAP. It supports the Mac OS X 10.2 clients. And we introduced the Open Directory Password Server, which is the SASL-based network authentication for legacy authentication protocols. I highly recommend that you go back in time and go to yesterday's auth session, because we talked in detail about the Password Server. Actually, you can go back in time: I believe we have these sessions available on DVD later, is that correct? Can anyone confirm that? So if you didn't catch the auth session and want more details, work with Apple Developer Relations to get this year's presentation. So in 10.2 we made a lot of progress in the directory space: we added an LDAP v3 server, we added service discovery, and we introduced new authentication methods with the Password Server and the authentication authority. That's all the product that we're all using today.

What I want to talk about now is what we're planning to do for directory services this year. The first thing we're doing is substantially enhancing the LDAP v3 plug-in; I'll get into the details of that. We're substantially enhancing the Open Directory Password Server. We're combining the NIS and flat file plug-ins: in Jaguar they were two separate plug-ins; what we've done in Panther is combine them into the same source base and taught them to share information. We're getting rid of the LDAP v2 plug-in. We're enhancing support for Active Directory, and we're making changes to local authentication. In addition we're enhancing the SMB Windows network plug-in: we can now browse off of the local subnet. Next, /Network, which was based on NSL, the Mac OS 9 Network Service Location protocol, is now based on directory services. We have man pages for directory services, and we're going to be demoing some new command-line tools later in this presentation. And we've made some minor changes for plug-in developers, so if you're developing a plug-in there are some gotchas and some heads-ups that we need to keep you informed of.

LDAP v3 client enhancements: this is the meat of the work we're doing for Panther. In 10.2, LDAP v3 was already very robust and could talk to a lot of different LDAP servers. We supported DHCP LDAP discovery through option 95. We supported storing our configurations, or our mappings, on the LDAP server itself, so you didn't have to visit each machine to reconfigure it. We integrated support for the Open Directory Password Server, so that LDAP would use the Password Server when the authentication authority in the user record told us to. So what we're doing for v3 in Panther is adding replication support, so you can deploy multiple LDAP servers and our v3 plug-in will fail over. There will be client-side awareness of LDAP replicas, and if you're using the DS APIs the failover is completely transparent to you, so you don't have to do anything. You just call dsOpenDirNode (I want to talk to an LDAP server); that LDAP server goes away; we have to find a replica; your code keeps churning along, it doesn't even know that we switched network connections.

LDAP v3 client replica picking is quite thorough: it will automatically detect and use LDAP replicas. We will use any or all of three replica discovery mechanisms. There's an existing standard for LDAP called altServer, which is stored in the root of the LDAP server; if we find that information, we will use the LDAP replicas that are stored in that information. We are adding a new record to the LDAP system that we call a configuration record; that configuration record is nothing more than a list of IP addresses. It has to be well named, and there will be documentation in Server Admin, but if that configuration record is found and lists IP addresses for us to contact, we will use that record.
So you can actually put the replication table in the LDAP server and we'll use it. And there is an LDAP replication scheme for DNS service records, so if you've configured DNS to list multiple LDAP servers, we'll use DNS service records. All of these methods require LDAP server connectivity at least once. If you tell us an IP address is the LDAP server that you want us to talk to and that isn't even reachable, we can't discover the replicas. So we require connectivity to the LDAP server at least once to harvest all of these sources of information, but after that you can roam, you can move the LDAP servers around willy-nilly, and as long as one is still up and running we'll contact it and learn about the new information. We put the failover support in the client because now Mac OS X Server LDAP supports replication, and clearly we're going to work with that very well; so now that we have a replicated LDAP server, we needed a replication-aware client, and we've done that in Panther. Replica failover resolution is done in parallel: we will not serially try 20 LDAP servers at two minutes a shot and make the user wait 40 minutes to find the replica. We try to do the discovery in parallel. We also try to do it in such a manner that we don't spam the network on every single open attempt; we try to gradually build, we get more and more aggressive over time when the LDAP servers are non-responsive. So we won't bring up unnecessary network connections if the LDAP server is just a little slow to respond, but if it's too slow to respond we'll start looking for replicas, and that will cause more network traffic.

We've also enhanced the Password Server: new authentication methods. We have some authentication methods to support the new VPN server, and we support PDC authentication; the PDC needs certain authentication methods to be able to authenticate Windows clients, so we had to add authentication methods to the Password Server to support that. We've added new password policies; we have global and per-user policies. I went over these in detail in the authentication session. And we have secure replication: we have true multi-master replication, every single Password Server replica can accept a password change, and we have client-side failover, so if one Password Server stops responding we use other Password Servers. There are more details in session 607, which was yesterday's session, but it is secure and it is multi-master replication. Here's a screenshot of the global policies; this is a new HI for Panther. So we support a number of policies. I won't go into them in detail right now, but I'll leave it up there just for a bit so you can look for your favorite feature. I hear "dictionaries"; not here, though. So everybody wants dictionary, and we're going to look into that.

The authentication methods that the Password Server supports are: DIGEST-MD5, which is used by default if you don't specify an authentication method; this is what login window uses, and if any DS API client requests clear text authentication we actually turn around and do an MD5 authentication behind the scenes. CRAM-MD5 is typically used by IMAP and SMTP. We have NT LAN Manager; that's used by SMB file sharing. We support APOP, which is used by the POP email protocol. We support WebDAV-Digest for the WebDAV Apache modules. The new authentication method we've added is MS-CHAPv2, and that supports the VPN technologies. We are retiring 2-Way Random in the Panther time frame: Jaguar supports this, Panther won't. Not a lot of AFP clients are still using it; if you are still running an AFP client that requires 2-Way Random... I think we have AFP clients that are qualified all the way back to 8.1, and the 8.1 clients do DHX, which is the last authentication method that we support. So all the way back to Mac OS 8 you have an AFP client that doesn't need 2-Way Random, so we're getting rid of that.

The authentication authority matrix. The authentication authority was introduced in Jaguar; it's an attribute in the user record that indicates to Jaguar how the user record should be authenticated when an authentication is attempted. We had several values. We had basic last year, and basic indicates the user is crypt based. We introduced the ApplePasswordServer authentication authority; this indicates that the user is Password Server based, and in that authority is all the information we need to know to contact the Password Server and verify that user. This year we're introducing ShadowHash: local users no longer have a readable crypt password on Panther. For those of you who go rummaging around with nidump on your Panther machine looking for your crypt password: it isn't there anymore. So ShadowHash indicates that this user record is shadow hash based instead of local crypt based. And we're introducing the Kerberos auth authority. How many people haven't heard we're making a big push around Kerberos? Okay. So we're going to indicate that users are Kerberos based by actually putting a Kerberos authentication authority in the user record, and that helps us know that we should attempt to do Kerberos authentication.

So, local authentication changes: crypt is dead. The default local authentication is stored in a shadow file for all local users. Crypt is still supported, but none of the Mac OS X tools will create a crypt user. If you want to do it yourself through the DS APIs or legacy tools it still works, it will still function, the OS will still verify the user's password, but none of our administration tools will create a crypt user. Your application should not be relying on crypt passwords. Panther will break any application that has not adopted the Security framework, directory services, or PAM, or some other password verification abstraction API. This is not a bug in the operating system; in order to make the OS more secure and move forward we have to break this. So if you have an application that is doing authentication and you're calling getpwnam or some other API that returns a crypt password, and you're relying on that to behave in Panther, it will break and we're not going to fix it because it's a security problem.

So we need you to adopt a password verification abstraction. There are three major abstractions you can adopt. You can adopt PAM, which is a cross-platform pluggable authentication method from Linux. You can adopt the Security framework to do your password verification in your application; if you need to do authentication you should probably be seriously looking at the Authorization framework, because that's probably the more appropriate way for a GUI application to go forward. Or you can use the down-and-dirty directory service APIs and do the authentication yourself. I want to emphasize: if your application is not using one of these APIs it will break when running on Panther; you will not be able to authenticate your user records. This is whether you're a server, a client process, whatever. And just for emphasis, and with color: we've gotten rid of crypt. Sorry about breaking your app, but it's a necessary evil.

Here's a quick timeline of password server history and future. In 10.0 we supported crypt and LDAP bind. In 10.1 we supported crypt, LDAP bind, Kerberos and the DS APIs; Password Server, PAM and the Security framework in 10.2. We've gotten rid of crypt support in Panther; we now support LDAP bind, Kerberos, the DS API, Password Server, PAM and the Security framework. And moving out into the future, Kerberos's spot is going to get bigger and it's going to get a more impressive color. So authentication long-term: Apple is investing heavily in Kerberos. This means if we're investing heavily in Kerberos, so should you, either as a customer or as a developer. We are aggressively migrating all of our networking products to be Kerberos based. If there's a favorite protocol of yours that does authentication and we ship a client and we ship a server, we're probably going to Kerberize it.
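To make the authentication authority matrix and the "crypt is dead" point concrete, here is an added Python example (not Apple's code and not part of the session) that interprets the authority values the speaker names (basic, ApplePasswordServer, ShadowHash, Kerberos) and shows why a getpwnam-style comparison against the password field stops working for Panther local users. The record shapes, the attribute names `Password` and `AuthenticationAuthority`, the `;Tag;data` split, and the field layout assumed for the Kerberos authority's data are all constructed for this example; the data after each tag is otherwise treated as opaque.

```python
"""Interpreting AuthenticationAuthority values and choosing a verifier.
Added example, not Apple's DirectoryService code; records and attribute
names are constructed for illustration."""

# Tag -> the verifier a consumer should hand the password to.  "basic" is the
# legacy crypt case that the session says administration tools no longer create.
VERIFIERS = {
    "basic": "local-crypt",
    "shadowhash": "local-shadow-file",
    "applepasswordserver": "password-server",
    "kerberosv5": "kerberos",
}

# What the password field reads for a shadow-hash user in the dscl demo.
PLACEHOLDER = "********"

# Constructed sample records (the crypt hash and Password Server data are made up).
SAMPLE_RECORDS = {
    "jaguar_crypt": {"Password": "abJnggxhB/yWI", "AuthenticationAuthority": [";basic;"]},
    "panther_local": {"Password": PLACEHOLDER, "AuthenticationAuthority": [";ShadowHash;"]},
    "network": {"Password": PLACEHOLDER, "AuthenticationAuthority": [
        ";ApplePasswordServer;0x00000000000000000000000000000000,1024 35 CONSTRUCTED-KEY root@10.0.0.5:10.0.0.5",
        ";Kerberosv5;;jdoe@EXAMPLE.INTERNAL;EXAMPLE.INTERNAL;"]},
    "legacy_no_authority": {"Password": "abJnggxhB/yWI"},
}


def parse_authority(value):
    """Split ';Tag;data' into (tag, data); tags are compared case-insensitively."""
    if not value.startswith(";"):
        raise ValueError("authority must start with ';': %r" % value)
    parts = value.split(";", 2)          # ['', tag, data]
    tag = parts[1]
    if not tag:
        raise ValueError("empty authority tag: %r" % value)
    return tag, parts[2] if len(parts) > 2 else ""


def verifiers_for(record):
    """Ordered, de-duplicated verifiers implied by a record.  A record with no
    AuthenticationAuthority is the pre-Jaguar shape and falls back to crypt."""
    authorities = record.get("AuthenticationAuthority", [])
    if not authorities:
        return ["local-crypt"]
    out = []
    for value in authorities:
        tag, _data = parse_authority(value)
        verifier = VERIFIERS.get(tag.lower())
        if verifier is None:
            continue                      # unknown authority type: skip, don't guess
        if verifier not in out:
            out.append(verifier)
    return out


def kerberos_realm(record):
    """Realm named by a Kerberosv5 authority, or None.  Assumed data layout:
    ';Kerberosv5;;principal@REALM;REALM;...' (an assumption of this example)."""
    for value in record.get("AuthenticationAuthority", []):
        tag, data = parse_authority(value)
        if tag.lower() == "kerberosv5":
            fields = data.split(";")     # ['', principal, realm, ...]
            if len(fields) > 1 and "@" in fields[1]:
                return fields[1].split("@", 1)[1]
    return None


def crypt_field_usable(record):
    """True only when the record still carries a crypt hash that a getpwnam-
    style compare could use.  Shadow-hash and network users expose only the
    placeholder, so any code comparing against that field fails closed."""
    pw = record.get("Password", "")
    return bool(pw) and pw != PLACEHOLDER and "local-crypt" in verifiers_for(record)


if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        print(name, verifiers_for(rec), kerberos_realm(rec), crypt_field_usable(rec))
```

The point of `crypt_field_usable` is the failure mode the speaker warns about: code that authenticates by comparing against the crypt field gets `********` for every Panther local user and can never succeed, so the only workable path is to hand the candidate password to one of the verifiers `verifiers_for` returns (PAM, the Security framework, or the DS authentication calls).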
We will ship the MIT KDC; we already ship the MIT Kerberos client. Sessions 607 and 108 are must-attends for any network service people; 108 is the Kerberos session done by Marshall Vale and his team. All Kerberos all the time is in Apple's future and yours, so get used to it, and plan for next year's presentation.

We combined the NIS and flat file plug-ins. Mac OS X 10.2 added an NIS plug-in; Mac OS X 10.2 supports /etc config files. Panther's implementation combines the NIS and flat file support into a single code base, and now there's a unified configuration HI, so it's really easy to configure. This is the configuration HI. The BSD local doesn't require any configuration because we know where all the local files are, so that's just kind of there for documentation, and then the lower half of the configuration sheet is the domain name of your NIS server, or a list of alternative NIS servers. If you go to Directory Access and click on the NIS plug-in, this is the configuration HI you're going to see.

LDAP v2 is being retired. The LDAP v3 plug-in has all the LDAP v2 features; LDAP v3 is more robust and has more features. LDAP v2 configurations will automatically be migrated when you upgrade to Panther for the first time, so we're going to make that transition seamless, but there's no reason for customers to continue to use v2. So you could move to LDAP v3 today on Jaguar; you don't need to continue using v2. You can move ahead of us, or you can wait for Panther to migrate your configuration file for you, but either way the LDAP v2 plug-in is going away.

We are providing an Active Directory plug-in. This plug-in is a native client of LDAP and Kerberos. We're holding Microsoft to their word that Active Directory is nothing more than an LDAP and Kerberos server, so we're holding them to that, and we use nothing but OpenLDAP and the Kerberos APIs to interact with Active Directory. We don't use any proprietary RPCs; no schema modifications are required to use this plug-in. The plug-in generates any missing Mac OS X attributes: we generate UIDs, we generate home locs, we generate all the missing Mac OS X attributes. We can't generate managed desktop data; I can't fabricate Dock preferences out of thin air. So really this is a baseline level of compatibility with Active Directory. If you just want users to be able to log on, get their name and passwords and stuff like that, the AD plug-in is an excellent thing. If you want to actually use some of the unique features of Mac OS X, you have to modify the AD schema and add the information we need, but that's above and beyond the baseline feature set. So the Active Directory plug-in supports all the AD features, supports the baseline AD schema, and still supports our extensions if they're present, so that we can get the additional feature set out of the AD plug-in. It supports domain controllers, authentication policies, replication; all the features are there. Erik Clements has done the AD plug-in, of course; he's done a fantastic job, and we look forward to your feedback on the product. If Mac OS X data schema is present, this AD plug-in will work with it as well.

So this is the configuration. I don't think we could have made it much simpler. You don't need the advanced options most of the time: you enter the forest, the domain, you enter a computer ID, you hit Bind. We create a computer record in the AD system; we use that computer record to bind to the Active Directory system. You then go to Directory Access and add the AD plug-in to the search policy, you log out to login window, and you can log on as an AD user. That's it. We do automatic multi-domain authentication. You can force it to use a particular server, you can force us to use a unique ID attribute that's present, and you can cache the last user login for network disconnect, so when your users go home and they aren't connected to an AD system they can still log on to their PowerBook with the same name and password they use for their network account. This feature will be covered more at the mobile managed desktop session later today, and it's for any directory services plug-in. So if you have an LDAP user, if you have a crypt user, or you have an NIS user, we now support offline caching of network user records. And you can set up a number of groups for the AD plug-in to administrate which AD users should be considered local administrators on this system.

So we have service discovery in Panther: we still have AppleTalk, we still have SLP, we still have Rendezvous, and we still have SMB. We have rewritten the SMB plug-in from scratch. It has the same functionality as Jaguar, but we can now browse off of subnets; that's the major feature. We still have Rendezvous, AppleTalk and SLP. SLP will be retired in a future OS release; I don't know when, maybe next year, maybe the year after. It will at least be made an optional install in a future OS, so if you have any applications that are relying on SLP, I highly encourage you to move on to Rendezvous, because Apple is going to start deprecating this service over the next few years.

We have some command-line tools and man pages. We now have man pages for directory services. We have a suite of tools for directory services: we have dscl, which stands for directory services command line; we have the pwpolicy tool, which lets you set password policies on the Password Server from the command line; passwd now uses directory services; we have dsperfmonitor; and we have dserr, which will convert the numeric error codes to a display string. We have API profiling; we're going to demo that later. And we have server tools: Workgroup Manager now includes a new feature called the Inspector. How many of you used ResEdit, remember ResEdit from the Mac OS 9 days? The Inspector is ResEdit for directory services. It's a raw editor; you can really shoot yourself in the foot. If you want to have a really good time, I really recommend you go into the Inspector, you mess with your home loc, you change the user's authentication authority and paste a random string into the crypt password; you'll have a great time with that. So the Inspector is a new feature and we think it's quite useful; we already use it internally to debug our bugs. So what I'd like to do with this time is invite my coworker Jason Townsend on stage, and he's going to give you some really cool demos. Thank you.

[Applause]

Thanks, Dave. So I'd like to go over to demo machine number two and show you some of the stuff that we've added in Panther. Should we switch to demo two? All right. I'm going to be looking at what we've done from the command-line side. So you heard Dave mention that we've added some new command-line tools. One of those is called dscl, and if any of you are familiar with NetInfo you may have used nicl before. dscl is kind of like nicl except that it uses directory services. So I can just say dscl localhost and I have an interactive prompt that I can use to do a wide variety of directory service operations. At the top level I can see all the plug-ins that I have; for example, I can go to NetInfo for the local domain and I can see the various record types that are there. Let's take a look at my users. Another thing is we have tab completion in here, which nicl doesn't have, so any of you who use this will appreciate that. I'll go ahead and look at the user I'm logged in as; I can just read that record, and you'll notice where the password attribute used to be there's just eight stars, and we have the ShadowHash auth authority, so there is no readable crypt password. All right. In addition to reading data with dscl, I can also make changes. So for example I could change my authentication hint; I could say, change that to "the usual". Oh, okay, I forgot to authenticate first. So you can also authenticate as your administrator, and then I have history as well, so I can replay those commands. And now if I reread that record you can see that I've changed the authentication hint.

We've also got a man page for dscl that talks about all the things you can do, and there's a lot of stuff there. We've also added the man page for DirectoryService, so any of the command-line tools that we've got there are going to have man pages you can look at on the system to figure out what you can do with them.

Another feature I'd like to show you is called DS API logging. This is something that we had in Mac OS X 10.2, but we've made it a little bit better in Panther, and if you haven't used it before and you're doing any work with directory services, either developing a plug-in or writing an app that's using directory services, you're definitely going to want to check this out. So as root I can do a killall -USR2 on DirectoryService; we're just going to send a USR2 signal that will turn on the API logging. Then, for example, I could go ahead and bring up Directory Access; that will cause some directory service calls to happen, and if I go look in Console, I've got my system log up here, I can see a whole bunch of calls coming through from Directory Access. There's actually a really cool feature in Console, if you haven't seen this, this is really awesome: you can filter based on any string and it'll show you only the lines that match that. I can't take credit for that, but I use that thing every day. So you can filter to just the app, and we're also showing the app name here. If you've used this feature before, we used to show the PID, which we still show, but now you can get an idea of which client is coming in talking to DirectoryService without having to go look at top or figure those things out on your own. So that's API logging.

Another thing that we've added in Panther is called dsperfmonitor, and what that does is it allows you to collect data on how long the various API calls are taking, how many calls are happening, and put that into a table form that you could bring into Excel, for example. So the way that I would do that is: I'll go ahead and do a killall -USR2 again; that will turn off the API logging, or if you wait five minutes it turns off on its own. And if I do dsperfmonitor -a, that starts dsperfmonitor, so it's gathering statistics now, and I could go ahead and do something else with dscl, for example. Actually, another thing for any of you who like to write command-line scripts: if you know nicl, you know how nicl has the one-shot mode where you can do a single command. You can do the exact same thing with dscl. So I'll go ahead and do a dscl command there; that'll just run one command and then complete. That actually is doing a dsGetDirNodeInfo on my local domain and showing me the auth methods and that it's read/write and that sort of thing. So now if I go back and do dsperfmonitor -d, then it will dump the API statistics into /var/log/system.log, and let's see, I can go ahead and turn off my filter here, and you'll see a bunch of tab-delimited data here at the bottom that we could go ahead and bring into Excel or whatever spreadsheet you want to put it into and take a look at it. All right, so I'd like to go back to the slides now.

Okay, so there are some other changes I want to tell you about if you're doing any plug-in development or if you're using the directory service API: there's lazy plug-in loading; we've added some new standard record and attribute types you want to take a look at; there's also support for plug-ins in Directory Access, and I'll get into that a little later; and I'll also tell you an update about our open source code.

So, lazy plug-in loading. This is a feature that we've added in Panther, and the main goal here is to improve the boot time and reduce the memory footprint of DirectoryService. The way we do this is we only load the plug-ins that we need. For backward compatibility this is an opt-in system, so you have to make a change to your plug-in to be lazily loaded, but if your plug-in is installed and the user isn't using it, this is going to help them out because then it's not going to impact the performance of the system. It's very simple to do this, and if you are working on a plug-in please let us know; we'd love to work with you. There are two keys you'll want to add to your plug-in's Info.plist. The first one is DSOKToLoadLazily, and that's going to tell us, yes, this plug-in wants to opt in for lazy loading. The other one is optional, which is called DSNodesToRegister, and that allows you to specify a list of nodes that DirectoryService will register for you without you actually even running. I have an example of that on the next slide here; this is from the combined BSD flat file and NIS plug-in. It registers /BSD/local, you can see there; that's this array of dictionaries going on there, and the DSOKToLoadLazily is at the bottom.

So there are some API additions. The first one, which hopefully you'll be excited about, is we have an umbrella header. Anyone who's ever programmed with DirectoryService before, you had to include probably four different files to do anything, and it was a little confusing and the names were hard to remember. So now you just include DirectoryService/DirectoryService.h and everything works, if you're developing on Panther. We've added some new standard record and attribute types; there are a few examples there, there are a lot more, but you can check out the header files in your Panther developer tools. For example, we have People, which is for contact information; this is if you want to have that contact information but not attach it to a user record. We also have a record for the auto server setup; maybe you've seen the demos of automatic server setup on Mac OS X Server; we store those in AutoServerSetup records. We've also added Keywords, and XMLPlist is one we use in the auto server setup. We've added one new API call, which is dsDoDirNodeAuthOnRecordType. This is pretty much the same thing as dsDoDirNodeAuth except you specify which record type, so that lets you work with records other than users. The main thing we do this with now is the computer records; when you have a PDC set up, that uses this API.

So, Directory Access plug-ins. We actually had support for Directory Access plug-ins beginning in 10.2, and for those of you that aren't familiar, Directory Access is the tool that you use to configure Open Directory, which is in /Applications/Utilities. This allows you to provide a custom interface when someone clicks on the Configure button for your Open Directory plug-in, and we actually use the system for all of the UI that you see in Directory Access: for LDAP v3, NIS, Active Directory, all those have plug-ins in Directory Access. We're going to be documenting that in an update to our developer documentation. If you want to do this, essentially what you need to do is factor your configuration so that all of the UI is going to be in your Directory Access plug-in and the back end of it will be in your directory services plug-in. So you'll use the directory services API to actually make your configuration changes; normally this is done by plug-in custom calls and packing up your configuration in the DS buffer as an XML plist or something like that. So why do we suggest that you do that? It's because Directory Access is a remote tool: it can actually be used, for example, to connect from a PowerBook to a headless Xserve over the DS proxy. If you go to the Server menu in Directory Access you can connect to whatever server machine you want and configure it. So the only way for you to get from the machine running Directory Access to the appropriate place to put those config files is using the API, because we have a reference for you that allows you to use that remote connection. You need to keep in mind, because of this, that there may be different versions on both sides of that connection, and we actually support Panther connecting to Jaguar, so we actually keep around some of our old plug-ins. For example, LDAP v2: even though the directory service plug-in is gone, there's still a Directory Access plug-in for that, so you can continue to configure that. If you want to work on a Directory Access plug-in or a directory service plug-in, let us know. It should be pretty easy to do the stuff in Directory Access; it's all using Objective-C and there are only a few methods you need to implement.

So, open source update. Actually we had some new source code posted on Monday, and for those of you that have been following this for a while, there are a few changes as to how the projects are laid out. We have taken the LDAP v3 plug-in and merged that into the main DirectoryService project, and we have the DSNIS plug-in available. Some of the other projects we used to have are now obsolete: the BSD plug-in, that's the flat file, which has been merged into the same project as the NIS plug-in, and then the LDAP v2 project, because that's no longer in Panther, and LDAP v3 is in DirectoryService. We're also going to be open sourcing DSTools, which includes dscl and some of our other command-line tools, later in the Panther time frame. At this point I'd like to hand it back to Dave for a wrap-up.

So we've done a lot for Panther. We've enhanced the LDAP v3 plug-in. We've enhanced Password Server support with auth methods and replication support. We have a combined NIS and flat file plug-in for those of you with legacy UNIX configuration information. LDAP v2 is being retired. We have a brand new plug-in for supporting Active Directory that doesn't require any schema changes. And we've made changes to local authentication: Kerberos is dead and... crypt is dead and Kerberos is coming. We've enhanced the SMB Windows network plug-in. /Network is now based on directory services. Directory services has man pages, it has a command-line tool suite, and there are some very, very minor changes if you're developing a
plugin but there's only a handful of people developing a plugin so this doesn't affect a lot of people here's a road map of some interesting sessions we have the security session Kerberos necklace conserve our review server in-depth authentication desktop technologies and network security best practices on Friday I'll be here all week I'll be at that presentation you can contact myself or skip Levin's or Jason Townsend if you want but our email addresses are up there and for more information there's a lot of documentation we have the directory services API documentation posted to decile so I've heard these I heard we renamed all these URLs and I didn't get them updated so go to the developer website and we're under networking wherever they've moved that too we have a darwin open directory we have the open directory sdk the server documentation surprisingly is very good and in particular the open directory technical brief now it's a fantastic tutorial on directories just in general conceptually high level stuff i really recommend anyone doing directory work read that the Mac os10 ldap gamma everyone last year said where do you document the ldap scam I will attend the openldap config file we aren't keeping secrets but we're going to pull that out into one of the new 12 manuals for this release of 10 server but you can always go to the openldap configuration and see what our skin is Mac os10 security AP is or another excellent reference and then there's the openldap project the sasal project the fam project and kerberos are also related technologies that are available to you you