Welcome to Inside Directory Services. Just as a summary, how many of you were here last year? How many of you had a seat last year? OK, far fewer. They gave us a bigger room. Thank you for attending last year. For those of you who were here last year, I promised a pool, an open bar. They told me they couldn't install a pool on the second floor. And the Jamba Juice bar is apparently the closest I could get for an open bar. So please, please partake of that.

So we're going to be talking about Directory Services this year. Again, my name is David Michael O'Rourke. I'm the engineering manager for Open Directory. And we have an exciting program and a lot of exciting developments. So why don't we get started? I have a lot of material to cover.

So the overview of what we're going to cover today is Apple's Open Directory technology. What is it for those of you who are not familiar with it? What is Directory Services? A review of what we've already accomplished in Panther, future plans for Tiger, and we hope to follow up with some interesting questions and answers.

So Open Directory is a technology name. It covers both how the clients access directories, and it also talks about how we integrate with industry standards. We also provide an Open Directory server, which is a combination of LDAP and MIT KDC, the password server, and the Samba PDC. Open Directory is built into Mac OS X client and server, and it's been there since the original 10.0 release, and it's open sourced as part of Darwin. So we're not keeping anything secret here.

If you want to see how Open Directory does its work and maybe port it to Linux or something, you can go download it from the Darwin website and bring it to that platform. This slide is a quick review of the technologies and the timeline of where we're going to be. So we started out with Mac OS 10.0. We had it only on the server. We had LDAP v2. We then added to 10.0.

We then added to the desktop for 10.1. Everything in blue is the new incremental change for that release. So LDAP v3, the NIS and flat file plugin, Apple Talk, SLP, Rendezvous, and SMB for 10.2. In 10.3, we added Active Directory support as well as firming up the plugins that were there. And for Tiger, we have a whole bunch of new exciting features that we're going to get into later in the presentation.

What is Directory Services? The first and most important part of Directory Services is it's an abstraction API for allowing applications to write to one set of APIs and not have to care about the back-end storage. And the typical information access to an Open Directory is users, groups, mount records, and other types of configuration data. It also contains a full authentication abstraction to conducting challenge response protocols like APOP, NTLMv2, or CRAMv5.

Apple layers all of their software on top of Directory Services. So we put all of our Mac OS X software on top of Directory Services from login window, all the server admin tools, even system preferences, all use Directory Services to show you all of that configuration data. And on the back-end of Directory Services, we have various plug-ins for NetInfo, LDAP, BSD files, and others. And we even have some third-party plug-ins where third parties have extended Open Directory.

What does Directory Services in 10.3 include? It includes an LDAPv3 read and write plugin so that we can work with any LDAPv3 server. It includes a native Active Directory plugin that was new last year and I believe there was some applause. We have NetInfo, which is Apple's legacy directory server, and we have read-only support for NIS and BSD/SE files. We also, as of Jaguar, started adding service discovery. So we have service discovery plugins for Rendezvous, SMB or Windows networks, AppleTalk, and SLP. So, /network, how many of you browse /network ever? Okay. Everything you see in /network comes out of Open Directory.

The LDAPv3 client also supports replication failover, so you can set up multiple LDAP servers. If one goes down, the LDAPv3 client will find another and your users won't notice that your server crashed. Documented access APIs and plugin APIs, there's an SDK, we have lots of sample code, and there are now command line tools that we started including since, I believe Tiger was the first command line, or Jaguar, Panther was the first command line tool.

And the most popular of these tools is DSCL. I actually get a lot of questions what that stands for. That stands for Directory Services Command Line. Nothing more, nothing less. So we call it DSCL and it's our favorite tool because it allows us to debug what's going wrong. wrong.

In 10.3, the Finder network browsing was moved on to Open Directory, so this is a typical view of Slash Network that you see on the Finder. All of the data that's in the middle column there comes from Open Directory. The server list, the stuff on the right, also comes from Open Directory. So Open Directory controls the vertical and the horizontal of what shows up under Slash Network.

So if you go to Directory Access and you turn off Apple Talk, all the Apple Talk zones will disappear from Slash Network. If you turn it back on, they'll all reappear. So you use Directory Access to control this, and so when you're browsing to connect to servers, you're using Open Directory.

This slide is an old slide. Any of you who have seen this before now recognize this, but apparently there's some new people in the audience that will go over it. So when we started doing Open Directory, we had a problem. We didn't want to have to recode all of the open source POSIX or BSD code to use a new set of APIs. So we had to figure out how to get those tools to use Open Directory without having to recode them.

So fortunately, the Next people had already solved that problem on Next Step, and they had written in a module called LookUpD. And they had already moved all the POSIX stuff onto LookUpD. So the system already had abstracted where most of those tools get users and groups information. So we simply added a plugin to LookUpD to call into Directory Services, and voila, any plugins you add to Directory Services, you benefit both native applications using Directory Services and legacy applications using LookUpD. And the whole system then gets a unified view of what its users, groups, and mount records are.

So Mac OS X 3 server includes a complete directory server. It includes LDAP v3 based on OpenLDAP 2.1.x. Jason, what's the x right now? Point two? 22, thank you. We support Mac OS 10.2 and 10.3 clients. We enhanced the Open Directory password server to support SASL-based authentication and replication. We added a fully integrated Kerberos server with the help of MIT, and we support Windows client integration by PDC. So you can set up an Open Directory server, create users and groups, and use them both on Windows and on Macintosh, and if they change their password on Windows, it reflects on the Macintosh and vice versa. So you can set up a fully integrated heterogeneous network.

Replication support for LDAP and authentication was added. This is important so that you don't have a single point of failure on your network. Thank you. So we did the server. You have Panther. Let's talk about what's going on in Tiger. So we are making changes to Directory Services for Tiger, which I believe is why everyone's in the audience.

So what's new for Tiger? We have enhancements to the LDAPv3 plugin. We have enhancements to the Active Directory plugin. We have enhancements to the server suite. We have enhancements to the administration tools. Believe it or not, how many of you attended the excellent Access Control presentation on Tuesday?

Well, Access Controls don't come for free without affecting the Directory Server. If you want nested groups, you're going to have to have some way to store them in the Directory. So Directory Services didn't get off scot-free in the Access Control model, and we have some changes that we're adopting to support another part of the product that's a big feature here at Tiger. We have enhancements to network browsing that we call Managed Network Browsing. I have a feeling that's going to be very popular. And we have some further refinements to local and server authentication that we're going to go over.

In order to implement this, we have to provide each computer with an account in the LDAP server. Well, this also now provides the ability to lock down your LDAP server to only your trusted clients. So, coming in Tiger or shortly after, we'll have options to lock down the directory server so that only the people who have been bound to it are allowed to read the data. And this will be the beginning of a very long transition for Apple to be able to no longer have to have your directory system world readable, which has been a historic requirement up until now.

We also have command line tools to support mass deployment. So, if you want to, we don't want you to have to visit 15,000 machines, go to directory access, and enter a computer name and ID. We're providing a command line tool along the lines of DS Active Directory Config or DSAD Config. We're providing DS LDAP Config. Is that where we're? Okay. So, we're providing a config tool which will support mass deployment for you net administrators who want to build a system image.

Active Directory client changes. Active Directory is continuing to be developed. We're not done. Neither is Microsoft. We've got to keep up with any changes they add to Active Directory. So we're moving aggressively in that space and making sure that all the work we do is still relevant. Some AD enhancements have already shipped in 10.3 updates. We now support SMB network home directories. In the original release of Panther, you couldn't do SMB home directories. If you use the command line Active Directory Configuration tool, you can enable SMB home directories.

We've improved compatibility with a wider range of Active Directory configurations. Some customers had configurations we didn't anticipate. They didn't work. We fixed it. and Tiger Server will have improved Active Directory integration. You will now be able to take a Tiger Server, point it to an Active Directory system, and use the Kerberos services of the Active Directory system natively.

In addition, the development team has been burning the midnight oil, and we figured out how to do it such that you don't even have to use the Active Directory administration tools to do it. You can do everything from within server administration. The AD plugin will also fully support Active Directory groups for file system ACLs. So if you have an Active Directory system in your network, you can use Tiger's new file system access control support with Active Directory groups natively, including the nested groups.

And of course, we'll continue to work with Microsoft, and they will continue to send us bug reports, and we will address them. And we want to be cooperative with Microsoft because Active Directory is here to stay, and we're going to make sure Mac OS X is a first-class citizen of those networks.

So let's talk about the Open Directory Server Suite. Open Directory consists of four servers cleverly hidden behind a single checkbox of let's become an Open Directory master. It consists of OpenLDAP, the password server, the MIT KDC with some very minor tweaks, and the Samba PDC, and now with Tiger, a backup domain controller. So when you say I want to become an Open Directory master or replica, what's happening underneath the covers is we're running out and configuring four different services to all work in unison with each other to provide a single directory experience.

The Tiger Open Directory Server will migrate to the newest OpenLDAP server, which is currently 2.2.7. That will change because we don't control the OpenLDAP development cycle. They'll be on a newer version. If possible, we'll ship the newest version. What's in the Tiger CD today is OpenLDAP 2.2.7. That's an upgrade from 2.1.22. We'll be adding some new features, which I'll be going over in another slide. We'll have some minor updates to the password server. We'll ship the latest MIT KDC.

Samba PDC will be upgraded to offer backup domain controller functionality. If your Open Directory master has to be taken offline for backups or some other reason, you can have a backup domain controller so your Windows users can still log on. Most of these changes will be transparent to the client. In fact, I think all of them will. I just did most because you can never promise all. But 10.3 and 10.2 clients will continue to work, and there should be no noticeable difference on your client side.

So for Open Directory LDAP changes, we are investing in Open LDAP. Up until now, we've just been compiling, importing, and integrating Open LDAP, but we're beginning an effort of actually improving it. Open LDAP has some deficiencies that we wish to address. All of the changes that we're going to make will be submitted back to the Open LDAP team as well as being posted on the Darwin website, so none of these changes will be secret or proprietary.

The biggest changes we're doing is currently right now, Open LDAP keeps all of the schema in a config file. Well, the problem with that is if you have a lot of replicas, you have to run around each of the replicas and manually update the config file. We thought it would be kind of cool to use the replication technology to actually migrate or propagate the schema changes, so we're now offering an optional configuration where all of the LDAP schema is actually stored in the LDAP database. So replication and administrative changes are all propagated.

We're also moving the LDAP access control model to be stored in the directory. So through Workgroup Manager and Spectre, you'll be able to add new schema to the LDAP server, change the access control model, hit save, and you don't have to visit each of the replicas and manually update the config file. We think this will be a huge feature and should really ease the administration load. And as it says there, all the changes will be open source and given to the Open LDAP project as well as posted on Darwin.

Open Directory will also expose support for LDAP's organizational units. We've received a lot of requests to be able to set up folders in the LDAP server. I want to set up a single LDAP server, have a group of users for marketing, a group of users for engineering, and a group of users for finance.

We'll now offer direct support for structuring your LDAP server into subgroups through LDAP's existing and excellent support for the OU, or Organizational Unit, scheme. This will allow a single LDAP server to host multiple groups of users or mount records or preference data or whatever is stored in Open Directory. We think this will be a wonderful feature and we're looking forward to it.

Unfortunately, nothing comes for free. Because of all the changes we're putting in LDAP, it's just impossible to mix older LDAP servers with newer LDAP servers, because the old LDAP servers don't know to look for the schema in the directory. The old LDAP servers don't know that there's organizational units.

Therefore, it will not be possible to mix 10.3 servers for Open Directory with 10.4 servers. So your Open Directory system will either have to be based on Panther, or you'll have to move the entire system with all of its replicas up to Tiger. We tried, it's just not possible to mix with all the changes we're putting in Open LDAP. So this should make it easier for an administration load, because any of the options we explored around mixing the two would be an administrative nightmare. So we'll provide migration tools.

There will be clear documentation. It should be pretty simple. There's not that many Open Directory masters and replicas on your networks. Only those machines will need to be all the same version of the OS. I want to be clear, Tiger Client can use either. It's just the servers that you can't mix.

Mac OS X Server Administration tools are also being enhanced. These are Workgroup Manager, Server Admin. The two major features in Workgroup Manager are ones that have been done as a direct result of customer feedback. Therefore, you can applaud if you want, but we already know you've been begging us for these for years, so we're finally going to address them. The first one is a GUI-based import tool. Currently, if you want to do import, you have to specify this rather archaic first line in the import file, and people have told us they don't like to do that.

They're Macintosh users. They don't want to have to learn archaic first lines of import files. So we're doing a picker, which lets you browse the import file and pick fields and say this field is the UID field, this field is the record name field. It's not any different than what Excel or FileMaker does for an import. This will be a huge feature.

The next feature is, in my mind, the most exciting feature, Search and Apply. Currently, we have a relatively simplistic search function. But what if you have a directory with 500,000 users, and you want to find all the third graders and move them from one file server to another? You can do that with Batch Edit if you command-click each of the individual entries, but that gets kind of laborious. I tried doing it for 50, and I just couldn't get the 50th click right.

So we've added Search and Apply. This is the ability to specify arbitrary queries, and then we can also make changes. It's akin to Find and Replace in a developer tool. So what you can do with Search and Apply is say, find me all the user records who have a keyword of third grade, and for every record that meets that criteria, make this change.

And it will run in the background and generate a report when it's done, telling you what it did to your directory system. So Search and Apply is a new change, and it should greatly support the new directory system. We also have a new command line tool for creating group records in the new schema. We are changing the group schema.

The group schema will be GUID-based instead of short-name-based. It also has nested groups, which Unix has no. Since it's GUIDs, I don't think, how many of you can type 128-bit UID off the top of your head? I didn't think so. So we will have a new command line tool, which is in Tiger today, with a man page called DSEditGroup. DSEditGroup is a command line tool which lets you compose the new directory. It's very simple.

You specify a group name, you specify a user name, and it will add and remove users to the groups and compose them correctly. I encourage you to check it out. Workgroup Manager has already been updated to compose groups. So a hidden feature in Workgroup Manager is if you take the Tiger version that you have in your goodie bags, you can take a group and drag it in using Workgroup Manager today. The operating system doesn't yet have the kernel changes for recognizing that, but you can go ahead and compose the group schema using the administration tools.

And the Open Directory administration will offer one-click backup and restore. What we will do in Server Admin, there will be a backup button. It will backup your Kerberos data, your password server data, your PDC data, your Open Directory data, and dump it all into an encrypted disk image on the server. You can then move that disk image wherever you want.

And you'll be able to restore the data with another single click, right Steve?

So what I'd like to do at this time is invite Jason Townsen up on stage so that he can show you some of the cool directory services tools that we're shipping as part of Tiger. Thanks, Steve.

All right, can we go over to demo one? Thank you. So I want to show you-- A few things with the Directory Service tools. Some of you might be already familiar with DSCL, but go ahead and look at that. One change that we made in Tiger is that you can start DSCL without giving it any parameters, and that just puts it in interactive mode. So it's just as if you typed... Well, it's, yeah, so for some reason that's not coming up. It's the same as if doing this, DSCO local host.

and David O'Rourke, Jason Townsend,

Okay, can we... Let's see.

I'm just going to go ahead and reboot.

I just want to mention everything went just fine when I ran through this about 20 minutes ago, so I don't know what happened between then and now. But anyway, what I was going to show you, and I will show you in just a moment, DSCL has an interactive mode where you can explore your directory hierarchy.

So you can do basically anything you could do through the Directory Services API at the command line, and it's a good way of seeing what's going on at the lowest level or testing out, for example, Like the get-dir-node-info, you can do a read command and see all the attributes on a particular node. So if you're developing a directory service plugin, it's very useful to be able to do things at a low level. I accidentally booted off the wrong partition.

Anyway, so the other thing, you can actually use DSCL to make modifications. So you can edit any attribute. You can create records and delete records. Basically anything you would want to do. There's also a one-shot mode there, which allows you to create scripts. So for example, a lot of people may have used Nickel in the past or NIUtil to create scripts, to create records or, you know, set up something in the directory. You can do all the same stuff that you used to do with those tools using DSCL. And it's possible to use that against LDAP or Active Directory or whatever directory service plugin is available. It's not limited to just NetInfo.

Just to give you some control over what shows up under /network. Let's see, what else? Yeah, basically, if you've used /Network on a big corporate network, you end up with hundreds of items in there, and it's just really confusing. So we want to give you a way to avoid that. Okay, can we go back to the demo machine, please?

Okay, I'm just logging in right now. All right, so let's start with DSCL. So, DSCL. So I can just type DSCL, go straight into interactive mode. So just to tell you, because of all the changes we've been doing, we've run into some problems like this, but this is the sort of thing that's not going to be in the shipping version of Tiger.

This is just a transitional kind of problem. But we debug things like that all the time. With all the different threads going on in Directory Service, it's possible to get deadlocks. So I can go into NetInfo, and like I was saying, I can see all the attributes on the node just by doing a read command at that level. I can see all the authentication methods and the record types. It's a read-write node. There's all kinds of information there.

I could go into groups, and I can actually even do tab completion when I'm changing to different levels in the hierarchy, which is pretty convenient. If you're used to using Nickel, that's sort of a new feature in DSCL over Nickel. And I have a group here called Engineering, actually. So I can see all my groups. I've got a group called Engineering.

And you see in this group that there are, in addition to the normal list of short names there that you're used to, there are these group members, GUIDs, the Global Unique Identifiers. And so if I decided, well, actually, there's a new guy just started. - I'm not really confident in doing that, so actually what I could do is I could just go to Workgroup Manager and bring that up, and then, you know, I could just go to Workgroup Manager and say, "Hey, I'm going to do this."

I'm going to go ahead and do a quick test. I'm going to go ahead and do a quick test. Maybe do it from Workgroup Manager. There we go. Once I log in, I can go look at the groups. And I see all the members there. I can just drag Mike in. But actually I wanted to do it from the command line. So let's go back to the command line. You can see how that would work in Workgroup Manager pretty obviously.

Which is this new tool we added in Tiger. And I'm gonna use the user admin. I'm gonna do an edit operation and then just add Mike to engineering. And then it prompts me for my password. And at this point, it should be done. So go ahead and refresh that.

And there's Mike in the group. Okay. So you can do all kinds of things with this tool. I'm not going to go through all of them, but you can remove users, you can read the group, and you can create groups, change the GID, all kinds of things like that. It's all in the man page if you want to look at it. And so we're hoping that that will make scripting of setting up these new groups really easy for you guys.

And the other thing I wanted to show you, this was actually there in Tiger, or in Panther already, is the inspector. So you can see all the same stuff that you see in DSCL right there in Workgroup Manager. And if you don't see the inspector tab and you don't see this little target, you're going to have to go back and look at it. And if you don't see the target icon, you can go into the preferences and just turn on show all records tab and inspector to get that feature.

And you can edit things in a raw mode if you know exactly what you want to change. All right, so for part two of the demo, since we're doing the extended demo, we'll go to look at /network. So let's take a look at what that looks like right now.

So network, we've got--

There's this new icon in the toolbar called Network. You may have noticed if you've been playing with the seed. So I go there. I can go ahead and create a default view. And then--

CoreOS Engineering. Actually, I think I wanted those in the other order, but okay, there we go. It's going alphabetical. So I can go ahead and put inside Core Server Engineering, I wanted to put some computers.

I've got some computers over here, which I can bring up actually with the show or hide computers command there. I can just take those and drag them in to a neighborhood, and then it's a normal tree view like you're used to, put computers in there. I could also put another neighborhood inside of a neighborhood. So I could say Core Server members, for example.

Another thing that really, I think, makes this very useful is the fact that you're not limited to just manually putting all these computers in to the neighborhoods and doing everything by hand. You can actually say that you want to add a Directory Service node path in there. So anything that was already showing up in slash network before, I could go ahead and put in wherever in the hierarchy I want it to go. So for example, let's say these two are zones that I know apply to me, or neighborhoods that apply to me, nodes that apply to me, I should say. I'll just add those in.

And then that'll just drop it right in there. And maybe I'll put that up here. Okay, so that looks pretty good. Actually, I'm gonna take a look at the settings as well. So right now you can see it's set to add it to the network view. You can also replace, that's really what I want. I wanna see just what I have set up and not all the dynamic stuff.

So I get a very simplified view. And you can see in the finder, there it is. Now under /network, I just have only those two neighborhoods. So that's quite a bit easier for me to deal with. I can see only the stuff that I wanted. And actually, here in the core server members neighborhood, here's all the computers in those two directory service nodes that I added. But it's quite a bit less noise for me to deal with. And if I'm already binding to an LDAP server, all this can be in the LDAP server. So I just pick it up based on what the network administrator wanted me to get.

And the other thing, of course, in the settings, you could actually add it. So if I wanted to merge the two, I could get all the dynamic stuff plus some managed stuff up at the top there. So I can kind of see the stuff I'm more likely to want, but all the other stuff is still available. And that's up to the network administrator of how they want to set it up. All right. We can go back to the slides now. Thank you.

Big round of applause. We've all dealt with pre-release software. Jason, I thought, did very well. Thank you. So Jason previewed the next topics of Tiger, which is Service Discovery in Tiger. Tiger already supports Rendezvous, Windows, AppleTalk, and SLP. You all know that. You use it in Panther today.

We're giving our yearly warning that SLP may be retired in a future OS release, or at least made an optional install. So you really should be moving your applications off of SLP and onto Rendezvous. There's many sessions about how to do that. There's lots of sample code. It's really a better way to go.

New features, and so we have a new feature which Jason just demoed called Managed Network Browsing. This allows you to completely customize the browsing of your network, and it allows mixing of static and dynamic data so you can take two Apple Talk zones and present them as a single folder called the pubs group rather than as their geographic names, which they might be in the Apple Talk routers. So this is a very powerful feature.

Basically, customers have been requesting this feature for years, and so how do I -- we always receive reports, how do I control what shows up under /network? And up until now, it's been some very archaic mount records. There's never a way to create directly a structure. Well, I want a folder structure that looks like this. And so we've now given you complete and total control over what shows up under /network. Tiger offers that in Workgroup Manager through the administration tools.

And the feature implementation consists of three changes. A new schema in the Open Directory server to store the Vue data, changes to Mac OS X server admin tools to create the Vue data, and changes in the Mac OS X client to use the Vue data should it be present. Because if the data's there and the client didn't pay attention to it, it wouldn't do it any good.

So what can you do with this? To summarize, administrators can control the structure of an arbitrary hierarchy and name. So you can name them anything you want. You can put them in any order you want. You can add static entries for servers on your networks or your partner's network.

This is a very, very interesting feature in my opinion. We have it running at home, and all my engineers have their home servers entered into Apple's slash network Vue, even though they're not part of Apple's network. So by creating a static entry, you could point to a customer who you're working with.

You can have their file servers show up in your slash network Vue. This has not been possible up until now. You can manage, or you can merge and rename dynamic service discovery. So you can effectively rename your SLP scopes, your Windows neighborhoods, or your Apple Talk zones through managed network browsing.

So you can create a new folder and add as many static servers as you want, and automatically also include all the servers found in a particular SLP scope or in your local rendezvous zone. You can control if clients see the raw data, and if they see the data that's not there, you can control the data. The data is either the raw network, the managed network, or both.

So I can, for some clients, turn off the raw network Vue and only show them a customized Vue with three folders of the servers that they want to work with. For power users on my network, I can leave the structured Vue present and also still let them see the raw Vue.

and all view and browsing data stored in the Open Directory server. So this all replicates out all of your replicas. So you make the change in one place, all of your machines that are bound to Open Directory immediately see the change. Replication and Global Access is the other feature.

So we're now going to do the Managed Network Browsing demo. Okay, we're done. We'll move on. So the Managed Network Browsing summary, it's new Open Directory schema. There's client changes and there's administration tool changes. The ability for network administrators to tailor the network for their view. And it's a powerful new tool included with Tiger Client and Server.

The one thing I do want to go over that's not clear is you can have different views in the directory. So I can target a view at a machine's particular MAC address and have a general view for everybody else. So I can have multiple views in Open Directory and completely customize it to the CEO's machine sees a simpler view than the IT administrator's.

So authentication changes. Tiger Server has some changes to authentication. They're not major. The Tiger Server now supports NTL and V2, so you can play better with Windows networks. The Tiger S&B server can now support Kerberized authentication with the better Active Directory support, but that extends to all the Kerberized services on Mac OS X. And the password server in MIT KDC will offer tighter password policy integration.

For example, the KDC has no notion of the last successful authentication, so we're adding some codes so that the last successful authentication gets synchronized with the password server's notion of that, and some other minor changes. The Tiger client will also offer better support for Kerberos-only environments. Some customers have really liked the integration we've done, but they have an existing Kerberos infrastructure on their network. And what they wanted to do was be able to hit login window and log on with just Kerberos. There's some bugs in that. We're going to fix that for client for Tiger so that you can have a pure Kerberos environment with no password server if you want.

Password server will no longer be running by default on all Tiger servers. This is if you want to harden a server and not have any ports open that you don't need. It will be running on an Open Directory master, but it will not be running on servers that are not hosting Open Directory. So you can bring the server up and there's no extra network ports open. Password server is no longer required in a standalone mode, so that's an excellent feature.

Password Server Authentication Methods in Tiger, they remain largely the same with the addition of the one on the bottom for SMB file sharing we support in TLMv2. So other than that, I'll give you time to look over this. But these are the authentication methods that the password server currently supports. And you can see for Tiger, we're just simply adding the SMB file sharing.

So, local authentication requirements. For the developers in the audience, I want to remind you that Crypt is still dead. Default local authentication is now stored in a shadow hash. You probably have already found out if your application relied on Crypt because we broke you in Panther. Crypt still works, but none of the system administration tools will create a Crypt user. If you know what you're doing with DSCL or Nickel, you can still create a Crypt user, but we don't recommend it. There are security problems with it. Just don't do it.

So, your application, if it hasn't already been broken, I don't know how, but if it's not, you should be moving on to either PAM, Security Framework or Directory Services, or an authentication abstraction. Again, I want to emphasize this was not a bug in Panther. This was a design decision. It was a necessary migration for security. So, if you're a network application, though, we want you to adopt Kerberos.

and attend the authentication session after lunch. For those of you who don't know from last year's session, we're investing heavily in Kerberos. We're aggressively migrating all of our networking products to use Kerberos, and Apple has already shipped the MIT KDC with Mac OS 10.3, and we already ship a Kerberos client and have since Jaguar.

All Kerberos all the time is in Apple's future and yours. So you guys can make your planning today because eventually we hope to do away with any challenge response based password authentication methods. So if you're interested in authentication, there's a session following lunch with no demos that will talk to you about everything you need to know about network authentication, session 640.

In closing, there's a lot of reference documentation on Open Directory. We have Mac OS X server resources. We have Open LDAP configuration files. Everyone always asks me, where do we document the LDAP schemas? We don't keep them secret in the Open LDAP config files for anybody to inspect. The LDAP server has to be told what they are.

But we are providing documentation, the written and print documentation as well. But sometimes the print documentation goes to press before we finish the final schema changes. The actual config files for Open LDAP are the most authoritative reference because the LDAP server has to implement the schema. So those are always correct.

And the Mac OS X security APIs. Also, there's this little window here at the bottom. There's a lot of very good technical briefs. If you need to educate your coworkers at your site or something like that, what is Open Directory, why is it? Apple's done some wonderful work on setting up some technical briefs and some white papers. Those are on the Mac OS X server website. I recommend you read them.

We use a lot of open source, so these are some of the open source sites that you can get more information. We have the OpenLDAP site, we use SASL and the password server, we use PAM for all of our command line tools, and we use Kerberos. So as a wrap-up, Open Directory is Apple's integration solution for directory systems. It's a robust client of many, many directory systems. You can work with NIS, Etsy files, Active Directory, LDAP, iPlanet, Novell through LDAP integration. We can interconnect with virtually anything that's a major deployed directory system.

Open Directory and Mac OS X Server offers a complete directory server for those of you who haven't already deployed a directory system. It's easy. It's three or four clicks, and you can have a world-class, scalable directory server up running Kerberos in less than two minutes. Tiger has many exciting enhancements, at least we think so. Managed network browsing is perhaps one of the most exciting for us, and it offers you as an administrator unprecedented control over your network browsing experience. And the Open Directory administration tools are being enhanced to make your lives easier on a daily basis.