WWDC2004 Session 627
Transcript
Welcome to Inside Directory Services. Just as a summary, how many of you were here last year? How many of you had a seat last year? OK, far fewer; they gave us a bigger room. Thank you for attending last year. For those of you who were here last year, I promised the pool and open bar; they told me they couldn't install a pool on the second floor, and the Jamba Juice bar is apparently the closest I could get for an open bar, so please, please partake of that.

So we're going to be talking about directory services this year again. My name is Michael O'Rourke, I'm the engineering manager for Open Directory, and we have an exciting program and a lot of exciting developments, so why don't we get started? We have a lot of material to cover.

The overview of what we're going to cover today: Apple's Open Directory technology, what it is, for those of you who are not familiar with it; what is directory services; a review of what we've already accomplished in Panther; future plans for Tiger; and we hope to follow up with some interesting questions and answers.

So Open Directory is a technology name. It covers both how the clients access directories, and it also talks about how we integrate with industry standards. We also provide an Open Directory server, which is a combination of LDAP, the MIT KDC, the Password Server and the Samba PDC. Open Directory is built into Mac OS X client and server, it's been there since the original 10.0 release, and it's open sourced as part of Darwin. So we're not keeping anything secret here; if you want to see how Open Directory does its work, and maybe port it to Linux or something, you can go download it from the Darwin website and bring it to that platform.

This slide is a quick review of the technologies and the timeline of where we're going to be. So we started out with Mac OS X 10.0; we had it only on the server, we had LDAPv2. We then added it to the desktop for 10.1. Everything in blue is the new incremental change for that release.
So LDAPv3, the NIS and flat-file plug-in, AppleTalk, SLP, Rendezvous and SMB for 10.2, and in 10.3 we added Active Directory support as well as firming up the plug-ins that were there. And for Tiger we have a whole bunch of new exciting features that we're going to get into later in the presentation.

What is directory services? The first and most important part of directory services is that it's an abstraction API for allowing applications to write to one set of APIs and not have to care about the back-end storage. The typical information accessed through Open Directory is users, groups, mount records and other types of configuration data. It also contains the full authentication abstraction for conducting challenge-response protocols like APOP, NTLMv2 or CRAM-MD5. Apple layers all of their software on top of directory services. So we put all of our Mac OS X software on top of directory services: from loginwindow, all the server admin tools, even System Preferences, all use directory services to show you all of that configuration data. And on the back end of directory services we have various plug-ins for NetInfo, LDAP, BSD files and others, and we even have some third-party plug-ins, or third parties have extended Open Directory. Next slide. There we go.

So what does directory services in 10.3 include? It includes an LDAPv3 read and write plug-in, so that we can work with any LDAPv3 server. It includes a native Active Directory plug-in; that was new last year, and I believe there was some applause. So we have that. We have NIS, we have NetInfo, which is Apple's legacy directory server, and we have read-only support for NIS and BSD flat files. We also, as of Jaguar, started adding service discovery, so we have service discovery plug-ins for Rendezvous, SMB or Windows networks, AppleTalk and SLP. So /Network: how many of you browse /Network, ever? OK. Everything you've seen in /Network comes out of Open Directory. The LDAPv3 client also supports replication failover, so you can set up multiple LDAP servers; if one goes down, the LDAPv3 client will find another, and your users won't notice that your server crashed. Documented access APIs and plug-in API; there's an SDK, we have lots of sample code, and there are now command-line tools that we started including since, I believe, Tiger was the first command line... or Jaguar? Panther? What was the first command-line tool? And the most popular of these tools is dscl. I actually get a lot of questions about what that stands for. That stands for Directory Services Command Line, nothing more, nothing less. So we call it dscl, and it's our favorite tool, because it allows us to debug what's going wrong.

So 10.3 uses directory services in a number of manners. If any of you log on, you're using directory services. In fact, I told a story last year, which made it into a book, that my management keeps asking me to demo directory services. Well, so much plumbing is kind of hard to demonstrate, so the best demo I can give you of directory services is loginwindow: if you type your name and password and it works, you've demoed directory services. It also uses managed desktop; if you attended Michael's excellent presentation just before this one, all of managed desktop gets all of the management information out of Open Directory. All the Security framework authentication: so when those dialogs come up and ask you to type your name and password, if you're not unlocking a keychain, if you're clicking the lock button in System Preferences and you type your username and password, that's all the Security framework calling through directory services to unlock. Legacy UNIX tools in the Jaguar time frame were modified to use PAM; that stands for Pluggable Authentication Module. It was a Linux standard that we brought over to Mac OS X, and we have PAM modules on Mac OS X that call into directory services to do the password verification. So if you have an open source product that does password verification and you don't want to adopt the Directory Services API, you can PAM-enable your open source application, and when running on Mac OS X you'll get the benefits of directory services without recoding your application. Mac OS X Server processes and administration tools: those are kind of a gimme, because I work for the server team, so I get to go around and beat them over the head and say "adopt Open Directory." In 10.3.2, Finder network browsing was moved onto Open Directory. So this is a typical view of /Network that you see in the Finder. All of the data that's in the middle column there comes from Open Directory; the server list, the stuff on the right, all of it comes from Open Directory. So Open Directory controls the vertical and the horizontal of what shows up under /Network. So if you go to Directory Access and you turn off AppleTalk, all the AppleTalk zones will disappear from /Network; if you turn it back on, they'll all reappear. So you use Directory Access to control this, and so when you're browsing to connect to servers, you're using Open Directory.

This slide is an old slide. Have any of you seen this before? Now I recognize this, but apparently there are some new people in the audience, so we'll go over it. So when we started doing Open Directory we had a problem: we didn't want to have to recode all of the open source POSIX or BSD code to use a new set of APIs, so we had to figure out how to get those tools to use Open Directory without having to recode them. Fortunately, the NeXT people had already solved that problem. NeXTSTEP had written a module called lookupd, and they'd already moved all the POSIX stuff onto lookupd, so the system had already abstracted where most of those tools get users and groups information. So we simply added a plug-in to lookupd to call into directory services, and voilà, any plug-ins you add to directory services benefit both native applications using directory services and legacy applications using lookupd, and the whole system
has a unified view of what its users, groups and mount records are.

So Mac OS X 10.3 Server includes a complete directory server. It includes LDAPv3 based on OpenLDAP 2.1.x. Jason, what's the x right now? Oh, 2.1.22, thank you. We support Mac OS X 10.2 and 10.3 clients. We enhanced the Open Directory Password Server to support SASL-based authentication and replication. We added a fully integrated Kerberos server with the help of MIT, and we support Windows client integration via a PDC, so you can set up an Open Directory server, create users and groups, and use them both on Windows and on Macintosh; and if they change the password on Windows, it's reflected on the Macintosh, and vice versa. So you can set up a fully integrated heterogeneous network. Replication support for LDAP and authentication was added; this is important so that you don't have a single point of failure on your network. Thank you.

So we did the server; you have Panther. Let's talk about what's going on in Tiger. So we are making changes to directory services for Tiger, which I believe is why everyone's in the audience. So what's new for Tiger: we have enhancements to the LDAPv3 plug-in, we have enhancements to the Active Directory plug-in, we have enhancements to the server suite, we have enhancements to the administration tools. Believe it or not, how many of you attended the excellent access control presentation on Tuesday? Well, access controls don't come for free without affecting the directory server. If you want nested groups, you're going to have to have some way to store them in the directory, so directory services didn't get off scot-free in the access control model, and we have some changes that we're adopting to support another part of the product that's a big, big feature here at Tiger. We have enhancements to network browsing that we call managed network browsing; I have a feeling it's going to be very popular. And we have some further refinements to local and server authentication that we're going to go over.

So let's start with the LDAPv3 client enhancements. In 10.3 we already had a robust LDAPv3 client. It supports DHCP LDAP discovery. It supports server-based client-side mapping, so you don't have to visit each client to make changes to your mapping. We have integrated support for the Open Directory Password Server. We have client-side awareness of the LDAP replicas to support failover, and we have API transparency for failover, so if you're using the Directory Services APIs and there's a failover, you don't have to know, as a programmer, that that happened underneath you.

Tiger will have a trusted directory binding option. This is a very, very important feature. Right now the clients authenticate to LDAP, but the clients don't authenticate that they're talking to the correct LDAP server, so under certain circumstances you might be open to man-in-the-middle attacks. So we now have the ability to mutually authenticate the client and the server, so that when you're roaming, or you're at Starbucks, and you're binding to a particular LDAP server, you can actually trust the LDAP server that you're talking to. In order to implement this we have to provide each computer with an account in the LDAP server. Well, this also now provides the ability to lock down your LDAP server to only your trusted clients. So coming in Tiger, or shortly after, we'll have options to lock down the directory server so that only the people who have been bound to it are allowed to read the data, and this will be the beginning of a very long-term transition for Apple to no longer have to have your directory system world-readable, which has been a historic requirement up until now. We also have command-line tools to support mass deployment. We don't want you to have to visit 15,000 machines, go to Directory Access and enter a computer name and ID, so we're providing a command-line tool along the lines of the Active Directory configuration tool, dsconfigad; we're providing dsconfigldap. Is that what it's called? OK. So we're providing a config tool which will support mass deployment, for you net administrators who want to build a system image.

Active Directory client changes: Active Directory is continuing to be developed; we're not done, neither is Microsoft. We've got to keep up with any changes they add to Active Directory, so we're moving aggressively in that space and making sure that all the work we do is still relevant. Some AD enhancements have already shipped in 10.3 updates. We now support SMB network home directories; in the original release of Panther you couldn't do an SMB home directory. If you use the command-line Active Directory configuration tool, you can enable SMB home directories. We've improved compatibility with a wider range of Active Directory configurations; some customers had configurations we didn't anticipate, they didn't work, we fixed it. And Tiger Server will have improved Active Directory integration: you will now be able to take a Tiger server, point it to an Active Directory system, and use the Kerberos services of the Active Directory system natively. In addition, the development team's been burning the midnight oil, and we figured out how to do it such that you don't even have to use the Active Directory administration tools to do it; you can do everything from within Server Admin. The AD plug-in will also fully support Active Directory groups for file system ACLs, so if you have an Active Directory system in your network, you can use Tiger's new file system access control support with Active Directory groups natively, including the nested groups. And of course we'll continue to work with Microsoft, and they will continue to send us bug reports, and we will address them, and we want to be cooperative with Microsoft, because Active Directory is here to stay, and we're going to make sure Mac OS X is a first-class citizen of those networks.

So let's talk about the Open Directory server suite. Open Directory consists of four servers cleverly hidden behind a single check
box, "become an Open Directory master." It consists of OpenLDAP, the Password Server, the MIT KDC with some very minor tweaks, and the Samba PDC, and now in Tiger a backup domain controller. So when you say "I want to become an Open Directory master" or "a replica," what's happening underneath the covers is we're running out and configuring four different services to all work in unison with each other to provide a single directory experience. The Tiger Open Directory server will migrate to the newest OpenLDAP server, which is currently 2.2.7. That will change, because we don't control the OpenLDAP development cycle; if they're on a newer version, if possible we'll ship the newest version. What's on the Tiger CD today is OpenLDAP 2.2.7; that's an upgrade from 2.1.22. We'll be adding some new features, which I'll be going over in another slide. We'll have some minor updates to the Password Server. We'll ship the latest MIT KDC, and the Samba PDC will be upgraded to offer backup domain controller functionality, so if your Open Directory master has to be taken offline for backups or some other reason, you can have a backup domain controller so your Windows users can still log on. Most of these changes will be transparent to the client; in fact I think all of them. Well, I just said "most" because you can never promise all, but 10.3 and 10.2 clients will continue to work, and there should be no noticeable difference on your client side.

So, Open Directory LDAP changes. So it didn't come up... there we go. We are investing in OpenLDAP. Up until now we've just been compiling and porting and integrating OpenLDAP, but we're beginning an effort of actually improving it; OpenLDAP has some deficiencies that we wish to address. All of the changes that we're going to make will be submitted back to the OpenLDAP team as well as being posted on the Darwin website, so none of these changes will be secret or proprietary. The biggest change we're doing: currently, right now, OpenLDAP keeps all of the schema in a config file. Well, the problem with that is, if you have a lot of replicas, you have to run around to each of the replicas and manually update the config file. We thought it would be kind of cool to use the replication technology to actually migrate or propagate the schema changes, so we're now offering an optional configuration where all of the LDAP schema is actually stored in the LDAP database, so replication and administrative changes are all propagated using your existing replication network. We are also moving the LDAP access control model to be stored in the directory, so through the Workgroup Manager Inspector you'll be able to add new schema into the LDAP server, change the access control model, hit Save, and you don't have to visit each of the replicas and manually update the config file. We think this will be a huge feature and should really ease the administration load, and, as it says there, all the changes will be open source and given to the OpenLDAP project as well as posted on Darwin.

Open Directory will also expose support for LDAP organizational units. We've received a lot of requests to be able to set up folders in the LDAP server: "I want to set up a single LDAP server, have a group of users from marketing, a group of users for engineering and a group of users for finance." We'll now offer direct support for structuring your LDAP server into subgroups through LDAP's existing and excellent support for the OU, or organizational unit, schema. This will allow a single LDAP server to host multiple groups of users or mount records or preference data or whatever is stored in Open Directory. We think this will be a wonderful feature; we're looking forward to it. Unfortunately, nothing comes for free. Because of all the changes we're putting in LDAP, it's just impossible to mix older LDAP servers with newer LDAP servers, because the old LDAP servers don't know to look for the schema in the directory, and the old LDAP servers don't know that there are organizational units. Therefore it will not be possible to mix 10.3 servers for Open Directory with 10.4 servers. So your Open Directory system will either have to be content on Panther, or you'll have to move the entire system with all of its replicas up to Tiger. We tried; it's just not possible to mix with all the changes we're putting in OpenLDAP. So this should make it easier for the administration load, because any of the options we explored around mixing the two would be an administrative nightmare. So we'll provide migration tools, or the clear documentation; it should be pretty simple. There are not that many Open Directory masters and replicas on your networks; only those machines will need to be all the same version of the OS. I want to be clear: a Tiger client can use either; it's just the servers that you can't mix.

Mac OS X Server administration tools are also being enhanced. These are Workgroup Manager and Server Admin. The two major features in Workgroup Manager are ones that have been done as a direct result of customer feedback, therefore you can applaud if you want, but we already know you've been begging us for these for years, so we're finally going to address them. The first one is a GUI-based import tool. Currently, if you want to do an import, you have to specify this rather archaic first line in the import file, and people told us they don't like to do that; they're Macintosh users, they don't want to have to learn archaic first lines of import files. So we're doing a picker which lets you browse the import file and pick fields and say "this field is the UID field, this field is the record name field." It's not any different than what Excel or FileMaker does for an import. The next feature is, in my mind, the most exciting feature: search and apply. Currently we have a relatively simplistic search function, but what if you have a directory with 500,000 users and you want to find all the third graders and move them from one file server to another? You can do that with batch edit if you command-click
each of the individual entries, but that gets kind of laborious; I tried doing it for 50 and I just couldn't get the 50th click right. So we've added search and apply. This is the ability to specify arbitrary queries, and then we can also make changes; it's akin to find and replace in a developer tool. So what you can do with search and apply is "find me all the user records that have a keyword of 'third grade', and for every record that meets that criteria, make this change," and it will run in the background and generate a report when it's done telling you what it did to your directory system. So search and apply is a new change, and it should greatly simplify the management of large-scale directories.

We also have a new command-line tool for creating group records in the new schema. We are changing the group schema. The group schema will be GUID-based instead of short-name-based. It also has nested groups, which UNIX has none of. Since it's GUIDs... I don't think... how many of you can type a 128-bit GUID off the top of your head? I didn't think so. So we will have a new command-line tool, which is in Tiger today with a man page, called dseditgroup. dseditgroup is a command-line tool which lets you compose the new group schema. It's very simple: you specify a group name, you specify a user name, and it will add and remove users to the groups and compose them correctly. I encourage you to check it out. Workgroup Manager has already been updated to compose groups, and so a hidden feature in Workgroup Manager is, if you take the Tiger version that you have in your goodie bags, you can take a group and drag it in, using Workgroup Manager today. The operating system doesn't yet have the kernel changes for recognizing that, but you can go ahead and compose the group schema using the administration tools.

And the Open Directory administration will offer one-click backup and restore. What we will do in Server Admin: there will be a Backup button. It will back up your Kerberos data, your Password Server data, your PDC data, your Open Directory data, and dump it all into an encrypted disk image on the server. You can then move that disk image wherever you want, and you'll be able to restore the data with another single click. Right, Steve? OK.

So there's been lots of talk this week about Apple's file system access control implementation. This impacts directory services. You don't get nested groups without impacting the directory service; you don't get 128-bit GUIDs without impacting the directory service. So we've added 128-bit GUIDs, and the file access controls are based on 128-bit GUIDs. This means if you have an external hard drive with file access controls on it, you can take that hard drive from one machine to another, and you won't accidentally map your access controls onto a user that just happens to have the same UID on the local system. So we moved to 128-bit GUIDs because we feel they're more portable. And if you actually look in the Inspector in Tiger, or in Panther, in 10.3, you already see a field called GeneratedUID; we'd already been populating the directory schema last year with the 128-bit GUIDs in anticipation of what we'd need to do with the file system ACLs. So all users and groups will have an assigned 128-bit GUID. That's actually an understatement: I'm moving the directory services schema so that every directory object has a 128-bit GUID, because in the future there might be more expressive, and more... not more realistic, but more interesting, access control models that wouldn't be based on users and groups. To do that we'd need to express them in the group structure. So actually a secret of WWDC is that the group schema for UNIX is not being upgraded just to handle nested groups; it's being upgraded to be able to describe arbitrary relationships of directory objects through the inclusion of GUIDs. Look forward to next year for us to talk about how we're going to use that
functionality.

The new schema will be part of Tiger Server. All the administration tools are being updated to support the new schema, and again there's the new command-line tool, dseditgroup, to create and edit the new group schema. So what I'd like to do at this time is invite Jason Townsend up on stage so that he can show you some of the cool directory services tools that we're shipping as part of Tiger.

Thanks. All right, can we go over to demo one? Thank you. So I want to show you a few things with the directory services tools. Some of you might be already familiar with dscl, but go ahead and look at that. One change that we made in Tiger is that you can start dscl without giving it any parameters, and that just puts it in interactive mode, so it's just as if you typed... actually, well, it's... yeah. So for some reason that's not coming up. It's the same as doing dscl localhost, but, yeah. OK, so that would be... what? OK, well, hold on a second, let me see. Yeah, OK. So give me a moment here. Right. OK. OK, can we... let's see. I'm just going to go ahead and reboot, yeah. So apparently directory services is stuck at the moment. I just want to mention everything went just fine when I ran through this about 20 minutes ago, so I don't know what happened between then and now. But anyway, what I was going to show you, and I will show you in just a moment: dscl has an interactive mode where you can explore your directory hierarchy, so you can do basically anything you could do through the Directory Services API at the command line, and it's a good way of seeing what's going on at the lowest level, or testing out, for example... like, to get your node info, you can do a read command and see all the attributes on a particular node. So if you're developing a directory services plug-in, it's very useful to be able to do things at a low level. Accidentally booted it off the wrong partition. So anyway, the other thing: you can actually use dscl to make modifications. So you can edit any attribute, you can create records and delete records, basically anything you would want to do. There's also a one-shot mode there which allows you to create scripts. So for example, a lot of people may have used nicl in the past, or niutil, to create scripts to create records or, you know, set up something in the directory. You can do all the same stuff that you used to do with those tools using dscl, and it's possible to use that against LDAP or Active Directory or whatever directory services plug-in is available; it's not limited to just NetInfo. Oh, oh, just do everything? OK, we'll have a combined demo. Yes, Jason will finish rebooting the machine and we'll do the combined demo; there's another demo. The other thing that I'm going to show you is a little bit about the managed network browsing, which I think is going to be really beneficial, just to give you some control over what shows up under /Network. Let's see what else... yeah, basically if you've used /Network on a big, big corporate network, you end up with hundreds of items in there, and it's just really confusing, so we want to give you a way to avoid that.

OK, can we go back to the demo machine, please? OK, I'm just logging in right now. All right, so let's start with dscl. OK, so dscl: so I can just type dscl and go straight into interactive mode. So, just to tell you, because of all the changes we've been doing, we've run into some problems like this, but this is the sort of thing that's not going to be in the shipping version of Tiger; this is just a transitional kind of problem. But we debug things like that all the time; with all the different threads going on in directory services it's possible to get deadlocks. So I can go into NetInfo, and like I was saying, I can see all the attributes on the node just by doing a read command at that level. I can see all the authentication methods and the record types, the read/write node; there's all kinds of information there. I could go into groups, and I can actually even do tab completion of what I'm changing to, to different levels in the hierarchy, which is pretty convenient if you're used to using nicl; that's sort of a new feature in dscl over nicl. And I have a group here called engineering. Actually, going to see all my groups: I've got a group called engineering, and you see in this group that there are, in addition to the normal list of short names there that you're used to, there are these GroupMembers GUIDs, the globally unique identifiers. And so if I decided, well, actually there's a new guy just started named Mike, and we want to put Mike into this group, I don't know if I can do that properly with dscl, you know; I'm not really confident in doing that. So actually what I could do is I could just go to Workgroup Manager, bringing that up, and then maybe do it from Workgroup Manager. There we go. Once I log in, I can go look at the groups and I see all the members there. I could just drag Mike in, but actually I wanted to do it from the command line, so let's go back to the command line, since you can see how that would work in Workgroup Manager pretty obviously. So I can use dseditgroup, which is this new tool we added in Tiger, and I'm going to use the user admin, I'm going to do an edit operation, and then just add mike to engineering, and then it prompts me for my password, and at this point it should be done. So go ahead and refresh that, and there's Mike in the group. OK, so you can do all kinds of things with this tool. I'm not going to go through all of them, but you can remove users, you can read the group, and you can create groups, change the GID, all kinds of things like that. It's all in the man page if you want to look at it. And so we're hoping that that will make scripting of setting up these new groups really easy for you guys. And the other thing I wanted to show you, this was actually there in Tiger, or, I mean,
in Panther already, is the Inspector. So you can see all the same stuff that you see in dscl right there in Workgroup Manager, and if you don't see the Inspector tab and you don't see this little target icon, you can go into the preferences and just turn on "Show 'All Records' tab and inspector" to get that feature, and you can edit things in a raw mode if you know exactly what you want to change.

All right, so for part two of the demo, since we're doing the extended demo, we'll go look at /Network. So let's take a look at what that looks like right now. So /Network: we've got... the Finder will react here... oh, that's interesting. OK. There. OK, little Finder bug there. So in /Network we've got over a hundred of these groups here, and it's really confusing. I don't know what I really want here; probably most of this stuff doesn't apply to me, but I see it all, so it's not really that useful once you try to scale it up like that. So what we can do in Workgroup Manager is... actually, there's this new icon in the toolbar called Network; you may have noticed if you've been playing with the seed. So I go there, I can go ahead and create a default view, and then I can add whatever I want to that view. For example, I could add a neighborhood. So let's say I wanted to put a Core Server Engineering on there; maybe I'll put the Core Server Engineering... actually I think I want those in the other order, but OK, there we go, it's going alphabetical. So I can go ahead and put, inside Core Server Engineering, I wanted to put some computers. I've got some computers over here which I can bring up, actually, with the Show or Hide Computers command there. I can just take those and drag them into a neighborhood, and then it's a normal tree view like you're used to, but with computers in there. I could also put another neighborhood inside of a neighborhood, like, say, Core Server Members, for example. And another thing that really, I think, makes this very useful is the fact that you're not limited to just manually putting all these computers into the neighborhoods and doing everything by hand. You can actually say that you want to add a directory services node path in there, so anything that was already showing up in /Network before, I could go ahead and put in wherever in the hierarchy I want it to go. So for example, let's say these two are zones that I know apply to me, or neighborhoods that apply to me, nodes that apply to me, I should say; I'll just add those in there. Oh, and one other thing: I can actually add a computer right on the spot if I wanted to. Put in just, type in what the computer is and give it some kind of URL to go with it, and then that'll just drop it right in there, and maybe I'll put that up here. OK, so that looks pretty good. Actually, I'm going to take a look at the settings as well. So right now you can see it's set to add it to the network view. You can also replace; that's really what I want: I want to see just what I have set up and not see all the dynamic stuff, so I get a very simplified view. And you can see in the Finder, there it is now, under /Network I just have only those two neighborhoods, so that's quite a bit easier for me to deal with. I can see only the stuff that I wanted, and actually here in the Core Server Members neighborhood, here's all the computers in those two directory services nodes that I added. So it's quite a bit less noise for me to deal with, and if I'm already binding to an LDAP server, all this can be in the LDAP server, so I just pick it up based on what the network administrator wanted me to get. And the other thing, of course, in the settings you could actually add it, so if I wanted to merge the two, I could get all the dynamic stuff plus some managed stuff up at the top there, so I can kind of see the stuff I'm more likely to want, but all the other stuff is still available. And that's up to the network administrator, how they want to set it up. All right, go back to the slides now.

Big round of applause; we've all dealt with pre-release software. Jason, that did very well, thank you.

So Jason previewed the next topic of Tiger, which is service discovery in Tiger. Tiger already supports Rendezvous, Windows, AppleTalk and SLP; you all know that, you use it in Panther today. We're giving our yearly warning that SLP may be retired in a future release, or at least made an optional install, so you really should be moving your applications off of SLP and onto Rendezvous. There are many sessions about how to do that, there's lots of sample code; it's really a better way to go. New features: so we have a new feature, which Jason has demoed, called managed network browsing. This allows you to completely customize the browsing of your network, and it allows mixing of static and dynamic data, so you can take two AppleTalk zones and present them as a single folder called "the pubs group" rather than as their geographic names, which they might be in the AppleTalk routers. And so this is a very powerful feature; basically customers have been requesting this feature for years, and so, you know, we always receive reports: "how do I control what shows up under /Network?" And up until now it's been some very archaic mount records; there's never been a way to create directly a structure: "I want a folder structure that looks like this." And so we've now given you complete and total control over what shows up under /Network. Tiger offers that, and Workgroup Manager, through the administration tools. And the feature implementation consists of three changes: a new schema in the Open Directory server to store the view data, changes to the Mac OS X Server admin tools to create the view data, and changes in the Mac OS X client to use the view data should it be present, because if the data is there and the client didn't pay attention to it, it wouldn't do it any good. So what can you do with this? To summarize, administrators can control the structure of an
arbitrary hierarchy and name so you can name them anything you want you can put them in any order you want you can add static entries for servers on your networks or your partner's Network this is a very very interesting feature in my opinion we have it running at home and all my engineers have their home servers entered into apple / network view even though they're not part of apple's network so by creating a static entry you could point to a customer who you're working with and have their file servers show up in your / network view this is not been possible up until now you can manage or you can merge and rename dynamic service discovery so you can effectively rename your SLP scopes your windows neighborhoods or your Apple talk zones through managed network browsing so you can create a new folder and add as many static servers as you want and automatically also include all the servers found in a particular SLP scope or in your local rendezvous zone you can control it clients see the raw Network the managed network or both so I can for some clients turn off the raw Network view and only show them a customized view with three folders of the servers that they want to work with for power users on my network I can leave the structured view present and also still let them see the raw of you and all view and browsing data is stored in the open directory server so this all replicates out to all of your replica so you make the change in one place all of your machines that are bound to open directory immediately see the change replication and global access is the other feature so we're now going to do the managed network browsing demo okay we're done we'll move on so the managed network browsing summary it's new open directory schema those client changes and there's administration tool changes the ability for network administrators to tailor the network for their for their view and it's a powerful new tool included a tiger client and server the one thing I do want to go 
over that's not clear is you can have different views in the directory so I can target a view at a machine's particular MAC address and have a general view for everybody else so I can have multiple views in open directory and completely customize it to the CEOs machines he's a simpler view than the IT administrators so authentication changes tiger server has some changes to authentication they're not major the tiger server now supports ntlm v2 so you can play better with windows network the tiger SMB server can now support Kerberos authentication with the better Active Directory support but that extends to all the curb right services on Mac OS 10 and the password server and MIT KDC will offer tighter password policy integration for example the KDC has no notion of the last successful authentication so we're adding some codes so that the last successful authentication get synchronized with the password servers notion of that and some other minor changes the tiger client will also offer better support for kerberos only environments some customers have really liked the integration we've done that they have an existing Kerberos infrastructure on their network and what they wanted to do was be able to hit login window and log on with just Kerberos there's some bugs in that we're going to fix that for client for tiger so that you can have a pure Kerberos environment with no password server if you want password server will no longer be running by default on all tiger servers this is if you want to harden the server and not have any ports open that you don't need it will be running on an open directory master but it will not be running on servers that are not hosting open directory so you can bring the server up and there's no extra network ports open password server is no longer required in standalone mode so that's an excellent feature the password server authentication methods and tiger they remain largely the same with the addition of the one on the bottom for SMB 
file-sharing we support in teal and v2 so other than that'll give you time to look over this but these are the authentication methods that the bastards River currently supports and you can see for tiger we're just simply adding the smc file sharing so local authentication requirements for the developers in the audience I want to remind you the crypt is still dead default default local identification is now stored in a shadow hash you probably have already found out if your application relied on crypt because we broke you and in Panther crip still works but none of the system administration tools will create a crypt user if you know what you're doing with the fcl or nickel you can still create a crypt user but we don't recommend it there's security problems with it just don't do it so your application if it hasn't already been broken I don't know how but if it's not you should be moving on to either Pam security framework or directory services or an authentication abstraction again I want to emphasize this was not a bug in Panther this was a design decision it was a necessary migration for security so if your network application though we want you to adopt Kerberos and attend the authentication sessions after lunch for those of you who don't know from last year's session we're investing heavily in Kerberos we're aggressively migrating all of our networking products to use kerberos and apples already shipped the MIT KDC with mac OS 10 3 and we already ship a Kerberos client and have since Jaguar all Kerberos all the time is an apple future in yours so you guys can make your planning today because eventually we hope to do away with any challenge response based password authentication methods so if you're interested in authentication there's a session following lunch with no demos that will talk to you about everything you need to know about network authentication a session 640 in closing there's a lot of reference documentation on open directory we have Mac liftin 
server resources we have openldap configuration files everyone always asked me where do we document the ldap schemas we don't keep them secret in the openldap config files for anybody to inspect the ldap server has to be told what they are but we are providing documentation the written in print documentation as well but sometimes the print documentation goes to press before we finish the final schema changes the actual config files for openldap are the most authoritative reference because the ldap server has to implement the schema so those are always correct and the macros 10 security AP is also there's this little window here at the bottom there's a lot of very good technical briefs if you need to educate your co-workers at your site or something like that what is open directory why is it Apple's done some wonderful work on setting up some technical briefs and some white papers those are on the mac OS x server website i recommend you read them we use a lot of open source so these are some of the open source lights so you can get more information we have the openldap site we use vaseline the password server we use pam for all of our command line tools and we use kerberos so as a wrap-up open directory is Apple's integration solution for directory systems it's a robust client as many many directory systems you can work with n is SD files Active Directory ldap I planet Novell through ldap integration we can interconnect with virtually anything that's a major deployed directory system open directory mac OS x server offers a complete directory server for those of you who haven't already deployed a directory system it's easy it's three or four clicks and you can have a a world-class scalable directory server up running Kerberos in less than two minutes Tiger has many exciting enhancements at least we think so manage network browsing is perhaps one of the one of the most exciting forts and it offers you as an administrator unprecedented control over your network 
browsing experience and the open directory administration tools are being enhanced to make your lives easier on a daily basis