WWDC2004 Session 627
Transcript
Kind: captions
Language: en
Welcome to Inside Directory Services. Just as a summary: how many of you were here last year? How many of you had a seat last year? OK, far fewer. They gave us a bigger room. Thank you for attending last year. For those of you who were here last year, I promised the pool and open bar; they told me they couldn't install a pool on the second floor, and the Jamba Juice bar is apparently the closest I could get to an open bar, so please, please partake of that.

So we're going to be talking about directory services this year again. My name is David Michael O'Rourke, I'm the engineering manager for Open Directory, and we have an exciting program and a lot of exciting developments, so why don't we get started? We have a lot of material to cover.

The overview of what we're going to cover today: Apple's Open Directory technology, what it is, for those of you who are not familiar with it; what directory services is; a review of what we've already accomplished in Panther; future plans for Tiger; and we hope to follow up with some interesting questions and answers.
Open Directory is a technology name. It covers both how the clients access directories, and it also talks about how we integrate with industry standards. We also provide an Open Directory server, which is a combination of LDAP, the MIT KDC, the Password Server, and the Samba PDC. Open Directory is built into Mac OS X client and server, and it's been there since the original 10.0 release, and it's open sourced as part of Darwin, so we're not keeping anything secret here. If you want to see how Open Directory does its work, and maybe port it to Linux or something, you can go download it from the Darwin website and bring it to that platform.

This slide is a quick review of the technologies and the timeline of where we're going to be. We started out with Mac OS X 10.0; we had it only on the server, and we had LDAPv2. We then added it to the desktop for 10.1. Everything in blue is the new incremental change for that release: so LDAPv3, the NIS and flat file plug-ins, AppleTalk, SLP, Rendezvous, and SMB for 10.2; and for 10.3 we added Active Directory support as well as firming up the plug-ins that were there. And for Tiger we have a whole bunch of new, exciting features that we're going to get into later in the presentation.

What is directory services? The first and most important part of directory services is that it's an abstraction API, allowing applications to write to one set of APIs and not have to care about the backend storage.
The typical information accessed through Open Directory is users, groups, mount records, and other types of configuration data. It also contains the full authentication abstraction for conducting challenge-response protocols like APOP, NTLMv2, or CRAM-MD5. Apple layers all of its software on top of directory services, so we put all of our Mac OS X software on top of directory services: from Login Window to all the server admin tools, even System Preferences, all use directory services to show you all of that configuration data. And on the back end of directory services we have various plug-ins for NetInfo, LDAP, BSD files, and others, and we even have some third-party plug-ins, where third parties have extended Open Directory.

Next slide. There we go. So what does directory services in 10.3 include? It includes an LDAPv3 read and write plug-in, so that we can work with any LDAPv3 server. It includes a native Active Directory plug-in; that was new last year, and I believe there was some applause, so we have that. We have NetInfo, which is Apple's legacy directory server. We have read-only support for NIS and BSD flat files. We also, as of Jaguar, started adding service discovery, so we have service discovery plug-ins for Rendezvous, SMB or Windows networks, AppleTalk, and SLP. So /Network: how many of you browse /Network, ever? OK, everything you've seen in /Network comes out of Open Directory. The LDAPv3 client also supports replication failover, so you can set up multiple LDAP servers; if one goes down, the LDAPv3 client will find another, and your users won't notice that your server crashed. Documented access APIs and plug-in APIs, there's an SDK, we have lots of sample code, and there are now command line tools that we started including since, I believe Tiger was the first with command line tools? Or Jaguar? Panther? Which was the first with command line tools? And the most popular of these tools is dscl. I actually get a lot of questions about what that stands for; that stands for directory services command line, nothing more, nothing less. So we call it dscl, and it's our favorite tool because it allows us to debug what's going wrong.
So 10.3 uses directory services in a number of manners. If any of you log on, you're using directory services. In fact, I told a story last year, which made it into a book, that my management keeps asking me to demo directory services. Well, so much plumbing is kind of hard to demonstrate, so the best demo I can give you of directory services is Login Window: if you type your name and password and it works, you've demoed directory services. It's also used by managed desktop; if you attended Michael's excellent presentation just before this one, all of managed desktop gets all of its management information out of Open Directory. All the Security framework authentication: when those dialogs come up and ask you to type your name and password, if you're not unlocking a keychain, if you're clicking the lock button in System Preferences and you type your username and password, that's all the Security framework calling through directory services to unlock. Legacy UNIX tools in the Jaguar time frame were modified to use PAM; that stands for Pluggable Authentication Modules. It was a Linux standard that we brought over to Mac OS X, and we have PAM modules on Mac OS X that call into directory services to do the password verification. So if you have an open source product that does password verification and you don't want to adopt the directory services API, you can PAM-enable your open source application, and when running on Mac OS X you'll get the benefits of directory services without recoding your application. Mac OS X Server processes and administration tools, those are kind of a gimme, because I work for the server team, so I get to go around and beat them over the head and say "adopt Open Directory." In 10.3.2, Finder network browsing was moved onto Open Directory, so this is a typical view of /Network that you see in the Finder. All of the data that's in the middle column there comes from Open Directory; the server list, the stuff on the right, comes from Open Directory. So Open Directory controls the vertical and the horizontal of what shows up under /Network. If you go to Directory Access and you turn off AppleTalk, all the AppleTalk zones will disappear from /Network; if you turn it back on, they'll all reappear. So you use Directory Access to control this, and so when you're browsing to connect to servers, you're using Open Directory.
This slide is an old slide. Have any of you seen this before? You'll recognize this, but apparently there are some new people in the audience, so we'll go over it. When we started doing Open Directory we had a problem: we didn't want to have to recode all of the open source POSIX or BSD code to use a new set of APIs, so we had to figure out how to get those tools to use Open Directory without having to recode them. Fortunately, the NeXT people had already solved that problem. NeXTSTEP had written a module called lookupd, and they'd already moved all the POSIX stuff onto lookupd, so the system had already abstracted where most of those tools get users and groups information. So we simply added a plug-in to lookupd to call into directory services, and voilà: any plug-ins you add to directory services benefit both native applications using directory services and legacy applications using lookupd, and the whole system gets a unified view of what its users, groups, and mount records are.

So Mac OS X 10.3 Server includes a complete directory server. It includes LDAPv3 based on OpenLDAP 2.1.x. Jason, what's the x right now? Oh, 2.1.22, thank you. We support Mac OS X 10.2 and 10.3 clients. We enhanced the Open Directory Password Server to support SASL-based authentication and replication. We added a fully integrated Kerberos server with the help of MIT, and we support Windows client integration via a PDC, so you can set up an Open Directory server, create users and groups, and use them both on Windows and on Macintosh, and if they change the password on Windows it reflects on the Macintosh and vice versa, so you can set up a fully integrated heterogeneous network. Replication support for LDAP and authentication was added. This is important so that you don't have a single point of failure on your network. Thank you.
So we did the server. You have Panther; let's talk about what's going on in Tiger. We are making changes to directory services for Tiger, which I believe is why everyone's in the audience. So what's new for Tiger? We have enhancements to the LDAPv3 plug-in, we have enhancements to the Active Directory plug-in, we have enhancements to the server suite, we have enhancements to the administration tools, believe it or not. How many of you attended the excellent access control presentation on Tuesday? Well, access controls don't come for free without affecting the directory server. If you want nested groups, you're going to have to have some way to store them in the directory, so directory services didn't get off scot-free in the access control model, and we have some changes that we're adopting to support another part of the product that's a big, big feature here in Tiger. We have enhancements to network browsing that we call managed network browsing; I have a feeling it's going to be very popular. And we have some further refinements to local and server authentication that we're going to go over.

So let's start with the LDAPv3 client enhancements. In 10.3 we already had a robust LDAPv3 client: it supports DHCP LDAP discovery; it supports server-based client-side mapping, so you don't have to visit each client to make changes to your mapping; we have integrated support for the Open Directory Password Server; we have client-side awareness of the LDAP replicas to support failover; and we have API transparency for failover, so if you're using the directory services APIs and there's a failover, you don't have to know as a programmer that that happened underneath you. Tiger will have a trusted directory binding option. This is a very, very important feature. Right now the clients authenticate to LDAP, but the clients don't authenticate that they're talking to the correct LDAP server, so under certain circumstances you might be open to man-in-the-middle attacks. So we now have the ability to mutually authenticate the client and the server, so that when you're roaming, or you're at Starbucks, and you're binding to a particular LDAP server, you can actually trust the LDAP server that you're talking to.
In order to implement this we have to provide each computer with an account in the LDAP server. Well, this also now provides the ability to lock down your LDAP server to only your trusted clients. So, coming in Tiger or shortly after, we'll have options to lock down the directory server so that only the people who have been bound to it are allowed to read the data, and this will be the beginning of a very long-term transition for Apple to be able to no longer have to have your directory system world-readable, which has been a historic requirement up until now. We also have command line tools to support mass deployment. We don't want you to have to visit 15,000 machines, go to Directory Access, and enter a computer name and ID, so we're providing a command line tool along the lines of the Active Directory config tool, dsconfigad; we're providing dsconfigldap, is that right? OK. So we're providing a config tool which will support mass deployment for you network administrators who want to build a system image.

Active Directory client changes: Active Directory is continuing to be developed; we're not done, and neither is Microsoft. We've got to keep up with any changes they add to Active Directory, so we're moving aggressively in that space and making sure that all the work we do is still relevant. Some AD enhancements have already shipped in 10.3 updates. We now support SMB network home directories; in the original release of Panther you couldn't do an SMB home directory. If you use the command line Active Directory configuration tool, you can enable SMB home directories. We've improved compatibility with a wider range of Active Directory configurations; some customers had configurations we didn't anticipate, they didn't work, we fixed it. And Tiger Server will have improved Active Directory integration: you will now be able to take a Tiger Server, point it to an Active Directory system, and use the Kerberos services of the Active Directory system natively.
In addition, the development team's been burning the midnight oil, and we figured out how to do it such that you don't even have to use the Active Directory administration tools to do it; you can do everything from within Server Admin. The AD plug-in will also fully support Active Directory groups for file system ACLs, so if you have an Active Directory system in your network, you can use Tiger's new file system access control support with Active Directory groups natively, including the nested groups. And of course we'll continue to work with Microsoft, and they will continue to send us bug reports, and we will address them, and we want to be cooperative with Microsoft, because Active Directory is here to stay, and we're going to make sure Mac OS X is a first-class citizen of those networks.

So let's talk about the Open Directory server suite. Open Directory consists of four servers cleverly hidden behind a single check box of "let's become an Open Directory master." It consists of OpenLDAP, the Password Server, the MIT KDC with some very minor tweaks, and the Samba PDC, and now, in Tiger, a backup domain controller. So when you say "I want to become an Open Directory master or replica," what's happening underneath the covers is we're running out and configuring four different services to all work in unison with each other to provide a single directory experience. The Tiger Open Directory server will migrate to the newest OpenLDAP server, which is currently 2.2.7. That will change, because we don't control the OpenLDAP development cycle; they'll no doubt be on a newer version, and if possible we'll ship the newest version. What's on the Tiger CD today is OpenLDAP 2.2.7; that's an upgrade from 2.1.22. We'll be adding some new features, which I'll be going over in another slide. We'll have some minor updates to the Password Server, we'll ship the latest MIT KDC, and the Samba PDC will be upgraded to offer backup domain controller functionality, so if your Open Directory master has to be taken offline for backups or some other reason, you can have a backup domain controller so your Windows users can still log on. Most of these changes will be transparent to the client; in fact, I think all of them, well, I just said most because you can never promise all, but 10.3 and 10.2 clients will continue to work, and there should be no noticeable difference on your client side.

So, Open Directory LDAP changes. It didn't come up; there we go.
We are investing in OpenLDAP. Up until now we've just been compiling and porting and integrating OpenLDAP, but we're beginning an effort of actually improving it; OpenLDAP has some deficiencies that we wish to address. All of the changes that we're going to make will be submitted back to the OpenLDAP team as well as being posted on the Darwin website, so none of these changes would be secret or proprietary. The biggest change we're doing: currently, right now, OpenLDAP keeps all of the schema in a config file. Well, the problem with that is, if you have a lot of replicas, you have to run around to each of the replicas and manually update the config file. We thought it would be kind of cool to use the replication technology to actually migrate or propagate the schema changes, so we're now offering an optional configuration where all of the LDAP schema is actually stored in the LDAP database, so replication and administrative changes are all propagated using your existing replication network. But we are also moving the LDAP access control model to be stored in the directory, so through Workgroup Manager's Inspector you'll be able to add new schema into the LDAP server, change the access control model, hit Save, and you don't have to visit each of the replicas and manually update the config file. We think this will be a huge feature and should really ease the administration load, and, as it says there, all the changes will be open source and given to the OpenLDAP project as well as posted on Darwin.

Open Directory will also expose support for LDAP organizational units. We've received a lot of requests to be able to set up folders in the LDAP server: "I want to set up a single LDAP server, have a group of users for marketing, a group of users for engineering, and a group of users for finance." We'll now offer direct support for structuring your LDAP server into subgroups through LDAP's existing, and excellent, support for the OU, or organizational unit, schema. This will allow a single LDAP server to host multiple groups of users or mount records or preference data or whatever is stored in Open Directory. We think this will be a wonderful feature; we're looking forward to it.
Unfortunately, nothing comes for free. Because of all the changes we're putting in LDAP, it's just impossible to mix older LDAP servers with newer LDAP servers, because the old LDAP servers don't know to look for the schema in the directory, and the old LDAP servers don't know that there are organizational units. Therefore it will not be possible to mix 10.3 servers for Open Directory with 10.4 servers, so your Open Directory system will either have to be content on Panther, or you'll have to move the entire system, with all of its replicas, up to Tiger. We tried; it's just not possible to mix, with all the changes we're putting in OpenLDAP. This should actually make the administration load easier, because any of the options we explored around mixing the two would have been an administrative nightmare. So we'll provide migration tools, or at least clear documentation; it should be pretty simple. There are not that many Open Directory masters and replicas on your networks; only those machines will need to be all the same version of the OS. I want to be clear: a Tiger client can use either; it's just the servers that you can't mix.

Mac OS X Server administration tools are also being enhanced. These are Workgroup Manager and Server Admin. The two major features in Workgroup Manager are ones that have been done as a direct result of customer feedback, therefore you can applaud if you want, but we already know you've been begging us for these for years, so we're finally going to address them. The first one is a GUI-based import tool. Currently, if you want to do an import, you have to specify this rather archaic first line in the import file, and people told us they don't like to do that; they're Macintosh users, they don't want to have to learn archaic first lines of import files. So we're doing a picker which lets you browse the import file and pick fields and say "this field is the UID field, this field is the record name field." It's not any different than what Excel or FileMaker does for an import.
The next feature is, in my mind, the most exciting feature: Search and Apply. Currently we have a relatively simplistic search function. But what if you have a directory with 500,000 users and you want to find all the third graders and move them from one file server to another? You can do that with batch edit if you Command-click each of the individual entries, but that gets kind of laborious; I tried doing it for 50 and I just couldn't get the 50th click right. So we've added Search and Apply. This is the ability to specify arbitrary queries and then also make changes; it's akin to find and replace in a developer tool. So what you can do with Search and Apply is say: "find me all the user records that have a keyword of third grade, and for every record that meets that criteria, make this change." And it will run in the background and generate a report when it's done, telling you what it did to your directory system. So Search and Apply is a new change, and it should greatly simplify the management of large-scale directories.

We also have a new command line tool for creating group records in the new schema. We are changing the group schema: the group schema will be GUID-based instead of short-name-based. It also has nested groups, which UNIX has not had. Since it's GUIDs, how many of you can type a 128-bit GUID off the top of your head? I didn't think so. So we will have a new command line tool, which is in Tiger today with a man page, called dseditgroup. dseditgroup is a command line tool which lets you compose the new group schema. It's very simple: you specify a group name, you specify a user name, and it will add and remove users to the groups and compose them correctly. I encourage you to check it out. Workgroup Manager has already been updated to compose groups, and so a hidden feature in Workgroup Manager is, if you take the Tiger version that you have in your goodie bags, you can take a group and drag it in using Workgroup Manager today. The operating system doesn't yet have the kernel changes for recognizing that, but you can go ahead and compose the group schema using the administration tools. And the Open Directory administration will offer one-click backup and restore. What we will do in Server Admin: there will be a Backup button; it will back up your Kerberos data, your Password Server data, your PDC data, your Open Directory data, and dump it all into an encrypted disk image on the server. You can then move that disk image wherever you want, and you'll be able to restore the data with another single click. Right, Steve?
OK. So there's been lots of talk this week about Apple's file system access control implementation. This impacts directory services: you don't get nested groups without impacting the directory service, and you don't get 128-bit GUIDs without impacting the directory service. So we've added 128-bit GUIDs, and the file access controls are based on 128-bit GUIDs. This means if you have an external hard drive with file access controls on it, you can take that hard drive from one machine to another and you won't accidentally map your access controls onto a user that just happens to have the same UID on the local system. So we moved to 128-bit GUIDs because we feel they're more portable. And if you actually look in the Inspector in Tiger, or in Panther, in 10.3, you already see a field called GeneratedUID; we were already populating the directory schema last year with the 128-bit GUIDs in anticipation of what we'd need to do with the file system ACLs. So all users and groups will have an assigned 128-bit GUID. That's actually an understatement: I'm moving the directory services schema so that every directory object has a 128-bit GUID, because in the future there might be more expressive and more, not more realistic, but more interesting access control models that wouldn't be based on users and groups. To do that, we'd need to express them in the group structure. So actually a secret of WWDC is: the group schema for UNIX is not being upgraded just to handle nested groups; it's being upgraded to be able to describe arbitrary relationships of directory objects through the inclusion of GUIDs. Look forward to next year for us to talk about how we're going to use that functionality. The new schema will be part of Tiger Server; all the administration tools are being updated to support the new schema, and again there's the new command line tool, dseditgroup, to create and edit the new group schema.

So what I'd like to do at this time is invite Jason Townsend up on stage so that he can show you some of the cool directory services tools that we're shipping as part of Tiger.
Thanks. All right, can we go over to demo one? Thank you. So I want to show you a few things with the directory services tools. Some of you might already be familiar with dscl, but go ahead and look at that. One change that we made in Tiger is that you can start dscl without giving it any parameters, and that just puts it in our interactive mode, so it's just as if you typed... actually, well, it's, yeah. For some reason that's not coming up. It's the same as doing this, dscl localhost, but yeah. OK, so that would be... what? OK, well, hold on a second, let me see. Yeah, OK, so give me a moment here. Right. OK. OK, can we... let's see, I'm just going to go ahead and reboot.

Yeah, so apparently directory services is stuck at the moment. I just want to mention that everything went just fine when I ran through this about 20 minutes ago, so I don't know what happened between then and now, but anyway, what I was going to show you, and I will show you in just a moment: dscl has an interactive mode where you can explore your directory hierarchy, so you can do basically anything you could do through the directory services API at the command line, and it's a good way of seeing what's going on at the lowest level, or testing out, for example, to get your node info you can do a read command and see all the attributes on a particular node. So if you're developing a directory services plug-in, it's very useful to be able to do things at a low level. (Accidentally booted it off the wrong partition.) So anyway, the other thing: you can actually use dscl to make modifications, so you can edit any attribute, you can create records and delete records, basically anything you would want to do. There's also a one-shot mode there which allows you to create scripts. So, for example, a lot of people may have used nicl in the past, or niutil, to create scripts to create records or, you know, set up something in the directory. You can do all the same stuff that you used to do with those tools using dscl, and it's possible to use that against LDAP or Active Directory or whatever directory service plug-in is available; it's not limited to just NetInfo.
Oh. Oh, just do everything? OK, we'll have a combined demo. Yes, Jason will finish rebooting the machine and we'll do the combined demo. There's another demo. The other thing that I'm going to show you is a little bit about the managed network browsing, which I think is going to be really beneficial, just to give you some control over what shows up under /Network. Let's see what else... yeah, basically, if you've used /Network on a big, big corporate network, you end up with hundreds of items in there and it's just really confusing, so we want to give you a way to avoid that. OK, can we go back to the demo machine, please?
OK, I'm just logging in right now. All right, so let's start with dscl. OK, so dscl: I can just type dscl and go straight into interactive mode. Just to tell you, because of all the changes we've been doing, we've run into some problems like this, but this is the sort of thing that's not going to be in the shipping version of Tiger; this is just a transitional kind of problem. But we debug things like that all the time; with all the different threads going on in directory services, it's possible to get deadlocks. So I can go into NetInfo, and like I was saying, I can see all the attributes on the node just by doing a read command at that level. I can see all the authentication methods and the record types, the read/write node; there's all kinds of information there. I could go into groups, and I can actually even do tab completion of what I'm changing to, at different levels in the hierarchy, which is pretty convenient if you're used to using nicl; that's sort of a new feature in dscl over nicl. And I have a group here called engineering. Actually, I'm going to see all my groups. I've got a group called engineering, and you see in this group that there are, in addition to the normal list of short names there that you're used to, these group member GUIDs, the globally unique identifiers. And so if I decided, well, actually there's a new guy who just started named Mike, and we want to put Mike into this group, I don't know if I can do that properly with dscl, you know, I'm not really confident in doing that. So actually what I could do is I could just go to Workgroup Manager, bring that up, and then maybe do it from Workgroup Manager. There we go. Once I log in, I can go look at the groups and I see all the members there; I could just drag Mike in. But actually, I wanted to do it from the command line, so let's go back to the command line, since you can see how that would work in Workgroup Manager pretty obviously. So I can use dseditgroup, which is this new tool we added in Tiger, and I'm going to use the user admin, I'm going to do an edit operation, and then just add mike to engineering, and then it prompts me for my password, and at this point it should be done. So go ahead and refresh that, and there's Mike in the group. OK, so you can do all kinds of things with this tool. I'm not going to go through all of them, but you can remove users, you can read the group, and you can create groups, change the GID, all kinds of things like that. It's all in the man page if you want to look at it, and we're hoping that that will make scripting of setting up these new groups really easy for you guys.

And the other thing I wanted to show you, this was actually there in Tiger, or, I mean, in Panther already, is the Inspector, so you can see all the same stuff that you see in dscl right there in Workgroup Manager. And if you don't see the Inspector tab and you don't see this little target icon, you can go into the preferences and just turn on "Show All Records tab and Inspector" to get that feature, and you can edit things in a raw mode if you know exactly what you want to change.

All right, so for part two of the demo, since we're doing the extended demo, we'll go look at /Network. So let's take a look at what that looks like right now. So /Network... we've got... the Finder will react here. Oh, that's interesting. OK, there. OK, a little Finder bug there. So in /Network we've got over a hundred of these groups here, and it's really confusing. I don't know what I really want here; probably most of this stuff doesn't apply to me, but I see it all, so it's not really that useful once you try to scale it up like that. So what we can do in Workgroup Manager is, actually, there's this new icon in the toolbar called Network; you may have noticed if you've been playing with the seed. So I go there, I can go ahead and create a default view, and then I can add whatever I want to that view. For example, I could add a neighborhood, so let's say I wanted to put a Core Server Engineering on there, maybe I'll put the Core OS Engineering... actually, I think I wanted those in the other order, but OK, there we go; it's going alphabetical. So I can go ahead and, inside Core Server Engineering, I wanted to put some computers. I've got some computers over here, which I can bring up actually with the Show or Hide Computers command there; I can just take those and drag them into a neighborhood, and then it's a normal tree view like you're used to, but with computers in there. I could also put another neighborhood inside of a neighborhood, like say Core Server Members, for example. And another thing that I think really makes this very useful is the fact that you're not limited to just manually putting all these computers into the neighborhoods and doing everything by hand; you can actually say that you want to add a directory service node path in there, so anything that was already showing up in /Network before, I could go ahead and put in wherever in the hierarchy I want it to go. So, for example, let's say these two are zones that I know apply to me, or neighborhoods that apply to me, nodes that apply to me, I should say; I'll just add those in there. Oh, and one other thing: I can actually add a computer right on the spot if I wanted to, just type in what the computer is and give it some kind of URL to go with it, and then that'll just drop it right in there, and maybe I'll put that up here. OK, so that looks pretty good. Actually, I'm going to take a look at the settings as well. So right now you can see it's set to add it to the network view. You can also replace; that's really what I want. I want to see just what I have set up and not see all the dynamic stuff, so I get a very simplified view. And you can see in the Finder there it is now; under /Network I just have only those two neighborhoods, so that's quite a bit easier for me to deal with. I can see only the stuff that I wanted, and actually here in the Core Server Members neighborhood, here's all the computers in those two directory service nodes that I added. So it's quite a bit less noise for me to deal with, and if I'm already binding to an LDAP server, all this can be in the LDAP server, so I just pick it up based on what the network administrator wanted me to get. And the other thing, of course, in the settings you could actually add it, so if I wanted to merge the two I could get all the dynamic stuff plus some managed stuff up at the top there, so I can kind of see the stuff I'm more likely to want, but all the other stuff is still available, and that's up to the network administrator, how they want to set it up. All right, go back to the slides now.
Big round of applause. We've all dealt with pre-release software; Jason did very well. Thank you.

So Jason previewed the next topic for Tiger, which is service discovery. Tiger already supports Rendezvous, Windows, AppleTalk and SLP. You all know that; you use it in Panther today. We're giving our yearly warning that SLP may be retired in a future release, or at least made an optional install, so you really should be moving your applications off of SLP and on to Rendezvous. There are many sessions about how to do that, there's lots of sample code; it's really a better way to go.

New features: so we have a new feature, which Jason just demoed, called managed network browsing. This allows you to completely customize the browsing of your network, and it allows mixing of static and dynamic data. So you can take two AppleTalk zones and present them as a single folder called "the Pubs group" rather than as their geographic names, which they might be in the AppleTalk routers. So this is a very powerful feature. Basically, customers have been requesting this feature for years, and so, you know, we always receive reports: "How do I control what shows up under /Network?" And up until now it's been some very archaic mount records; there's never been a way to directly create a structure, "Well, I want a folder structure that looks like this." So we've now given you complete and total control over what shows up under /Network. Tiger offers that, and Workgroup Manager, through the administration tools.

The feature implementation consists of three changes: a new schema in the Open Directory server to store the view data, changes to the Mac OS X Server admin tools to create the view data, and changes in the Mac OS X client to use the view data should it be present, because if the data is there and the client didn't pay attention to it, it wouldn't do it any good.

So what can you do with this? To summarize: administrators can control the structure of an arbitrary hierarchy and name, so you can name them anything you want, you can put them in any order you want. You can add static entries for servers on your networks or your partner's network. This is a very, very interesting feature in my opinion; we have it running at home, and all my engineers have their home servers entered into Apple's /Network view even though they're not part of Apple's network. So by creating a static entry you could point to a customer who you're working with and have their file servers show up in your /Network view; this has not been possible up until now. You can merge and rename dynamic service discovery, so you can effectively rename your SLP scopes, your Windows neighborhoods or your AppleTalk zones through managed network browsing. So you can create a new folder and add as many static servers as you want and automatically also include all the servers found in a particular SLP scope or in your local Rendezvous zone. You can control whether clients see the raw network, the managed network, or both. So I can, for some clients, turn off the raw network view and only show them a customized view with three folders of the servers that they want to work with; for power users on my network I can leave the structured view present and also still let them see the raw view. And all view and browsing data is stored in the Open Directory server, so this all replicates out to all of your replicas, so you make the change in one place and all of your machines that are bound to Open Directory immediately see the change. Replication and global access is the other feature.

So we're now going to do the managed network browsing demo. Okay, we're done, we'll move on. So, the managed network browsing summary: it's new Open Directory schema, those client changes, and there's administration tool changes, the ability for network administrators to tailor the network for their view, and it's a powerful new tool included in Tiger client and server. The one thing I do want to go over that's not clear is you can have different views in the directory. So I can target a view at a machine's particular MAC address and have a general view for everybody else, so I can have multiple views in Open Directory and completely customize it: the CEO's machine sees a simpler view than the IT administrator's.
So, authentication changes. Tiger Server has some changes to authentication; they're not major. Tiger Server now supports NTLMv2, so you can play better with Windows networks. The Tiger SMB server can now support Kerberos authentication, with the better Active Directory support, and that extends to all the Kerberized services on Mac OS X. And the password server and MIT KDC will offer tighter password policy integration. For example, the KDC has no notion of the last successful authentication, so we're adding some code so that the last successful authentication gets synchronized with the password server's notion of that, and some other minor changes.

The Tiger client will also offer better support for Kerberos-only environments. Some customers have really liked the integration we've done, but they have an existing Kerberos infrastructure on their network, and what they wanted to do was be able to hit login window and log in with just Kerberos. There are some bugs in that; we're going to fix that for client for Tiger, so that you can have a pure Kerberos environment with no password server if you want. Password server will no longer be running by default on all Tiger servers. This is if you want to harden the server and not have any ports open that you don't need. It will be running on an Open Directory master, but it will not be running on servers that are not hosting Open Directory, so you can bring the server up and there are no extra network ports open. Password server is no longer required in standalone mode, so that's an excellent feature.

The password server authentication methods in Tiger remain largely the same, with the addition of the one on the bottom: for SMB file sharing we support NTLMv2. So other than that, I'll give you time to look over this, but these are the authentication methods that the password server currently supports, and you can see for Tiger we're just simply adding the SMB file sharing one.

So, local authentication requirements. For the developers in the audience, I want to remind you that crypt is still dead. Default local authentication is now stored in a shadow hash. You probably have already found out if your application relied on crypt, because we broke you. In Panther, crypt still works, but none of the system administration tools will create a crypt user. If you know what you're doing with dscl or nicl you can still create a crypt user, but we don't recommend it; there are security problems with it. Just don't do it. So your application, if it hasn't already been broken (I don't know how, but if it's not), you should be moving on to either PAM, Security framework, or Directory Services, or an authentication abstraction. Again, I want to emphasize this was not a bug in Panther; this was a design decision. It was a necessary migration for security.

So if you have a network application, though, we want you to adopt Kerberos and attend the authentication session after lunch. For those of you who don't know from last year's session, we're investing heavily in Kerberos. We're aggressively migrating all of our networking products to use Kerberos, and Apple has already shipped the MIT KDC with Mac OS X 10.3, and we already ship a Kerberos client and have since Jaguar. "All Kerberos, all the time" is an Apple future, and yours, so you guys can make your planning today, because eventually we hope to do away with any challenge-response based password authentication methods. So if you're interested in authentication, there's a session following lunch, with no demos, that will talk to you about everything you need to know about network authentication: session 640.

In closing, there's a lot of reference documentation on Open Directory. We have Mac OS X Server resources, we have the OpenLDAP configuration files. Everyone always asks me, "Where do we document the LDAP schemas?" We don't keep them secret; they're in the OpenLDAP config files for anybody to inspect, since the LDAP server has to be told what they are. But we are providing documentation, the written, in-print documentation as well, but sometimes the print documentation goes to press before we finish the final schema changes. The actual config files for OpenLDAP are the most authoritative reference, because the LDAP server has to implement the schema, so those are always correct. And the Mac OS X Security APIs are also there. There's this little window here at the bottom: there's a lot of very good technical briefs if you need to educate your co-workers at your site or something like that, "What is Open Directory? Why is it..." Apple's done some wonderful work on setting up some technical briefs and some white papers. Those are on the Mac OS X Server website; I recommend you read them. We use a lot of open source, so these are some of the open source sites so you can get more information. We have the OpenLDAP site, we use SASL in the password server, we use PAM for all of our command line tools, and we use Kerberos.

So as a wrap-up: Open Directory is Apple's integration solution for directory systems. It's a robust client; there are many, many directory systems you can work with: NIS, BSD files, Active Directory, LDAP, iPlanet, Novell through LDAP integration. We can interconnect with virtually anything that's a major deployed directory system. Open Directory on Mac OS X Server offers a complete directory server for those of you who haven't already deployed a directory system; it's easy, it's three or four clicks and you can have a world-class, scalable directory server up running Kerberos in less than two minutes. Tiger has many exciting enhancements, at least we think so. Managed network browsing is perhaps one of the most exciting features, and it offers you as an administrator unprecedented control over your network browsing experience, and the Open Directory administration tools are being enhanced to make your lives easier on a daily basis.
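As an added illustration of the "crypt is still dead" point made in the session (this is example code written for this page, not code from the talk or from Apple): on Mac OS X 10.3 and later each user record carries an AuthenticationAuthority attribute whose values name how the password is stored, for example ;ShadowHash; for a local shadow hash, ;ApplePasswordServer; for the password server, ;Kerberosv5; for a KDC principal, and ;basic; for the legacy crypt(3) hash kept in the Password attribute. The script below parses constructed, dscl(1)-style record dumps for four made-up accounts and flags the ones an administrator should migrate off crypt. The record text is invented for the example, and treating a record with no AuthenticationAuthority at all as a crypt account is an assumption of this script.

```python
"""Audit Open Directory user records for legacy crypt(3) passwords.

Example code added for illustration; not from the WWDC session or Apple.
The input is constructed text in the shape of `dscl . -read /Users/<name>`
output; only the AuthenticationAuthority attribute matters for the check.
"""
import re
from typing import Dict, List

# Constructed sample input (made up for this example). dscl prints single
# values after "Key:" on one line and values containing spaces on their own
# lines, each prefixed by a single space.
SAMPLE_RECORDS = """\
RecordName: alice
AuthenticationAuthority: ;ShadowHash;
UniqueID: 501

RecordName: bob
AuthenticationAuthority:
 ;ApplePasswordServer;0x3f2a9c1e,1024 35 12345 bob@od.example.com:10.0.0.5
 ;Kerberosv5;;bob@OD.EXAMPLE.COM;OD.EXAMPLE.COM;
UniqueID: 502

RecordName: legacy
AuthenticationAuthority: ;basic;
Password: aB3dEfGhIjKlM
UniqueID: 503

RecordName: ancient
Password: zY9xWvUtSrQpO
UniqueID: 504
"""

# An authority value looks like ";Tag;payload"; the tag between the first
# two semicolons identifies the authentication mechanism.
AUTHORITY_TAG = re.compile(r"^;([^;]+);")


def parse_dscl_records(text: str) -> List[Dict[str, List[str]]]:
    """Split dscl-style text into records: blank lines separate records,
    "Key: v1 v2" lines give space-free values, and lines starting with a
    space continue the previous attribute with one value per line."""
    records: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_key = None
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
            current, last_key = {}, None
            continue
        if line.startswith(" ") and last_key is not None:
            current[last_key].append(line.strip())
            continue
        key, _, rest = line.partition(":")
        key = key.strip()
        current[key] = rest.split()
        last_key = key
    if current:
        records.append(current)
    return records


def auth_methods(record: Dict[str, List[str]]) -> List[str]:
    """Return the mechanism tags named in AuthenticationAuthority, in order."""
    tags = []
    for value in record.get("AuthenticationAuthority", []):
        match = AUTHORITY_TAG.match(value)
        if match:
            tags.append(match.group(1))
    return tags


def uses_crypt(record: Dict[str, List[str]]) -> bool:
    """True when the account still relies on a crypt(3) hash: either the
    ;basic; authority is present or (assumption of this script) the record
    carries no AuthenticationAuthority at all."""
    tags = {tag.lower() for tag in auth_methods(record)}
    return "basic" in tags or not tags


def crypt_users(text: str) -> List[str]:
    """Sorted RecordNames of accounts that should be migrated off crypt."""
    return sorted(
        record["RecordName"][0]
        for record in parse_dscl_records(text)
        if uses_crypt(record)
    )


if __name__ == "__main__":
    for record in parse_dscl_records(SAMPLE_RECORDS):
        name = record["RecordName"][0]
        methods = ", ".join(auth_methods(record)) or "(none)"
        flag = "  <-- crypt, migrate" if uses_crypt(record) else ""
        print(f"{name:10s} {methods}{flag}")
```

On a real system the same parser can be fed the output of `dscl . -read /Users/<name>` for each local user; any account flagged here is one that still depends on the crypt password that the system administration tools no longer create.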