Enterprise IT • 55:43
Macs are good corporate network citizens. Learn techniques and real-world solutions for making them full clients on your Microsoft, Novell, IBM, and Sun networks. We'll cover file sharing, directory integration, Exchange integration, backup, collaboration, and productivity.
Speaker: Joel Rennich
Unlisted on Apple Developer site
Transcript
This transcript was generated using Whisper, it may have transcription errors.
Thank you very much for coming. We're going to give you a little bit of time because it's early. It's late in the week and it's early. They seem to give me the big ones, the ones that encompass 1,500 different options they want to put into one session. So a lot of stuff. I'm very confident about the demos, that this all works. So we got some real world experience that we'll be doing here. It has made me appreciate OS X more to do this. So integrating OS X into heterogeneous environments.
I should, I'm Joel Rennich, consulting engineer, Apple Enterprise Consulting Services. So, introduction. Using OS X with other directory services. This is how to get people to play nice with each other. If you were here on Tuesday, we talked about Active Directory and how to integrate with Active Directory using the AD plugin. This time, we're going to concentrate more on the LDAP side of the house. Using the LDAP plugin, talk a little bit about Novell, talk about the different ways that you can do that. I've had a number of people over the years ask me about integrating Linux into Open Directory. More and more, I've seen places that want to use the flexibility, the administration tools of Open Directory to run everything. And so how do you get your Linux boxes, your Solaris boxes, and stuff like that integrated in so you can use a common user database? So we'll definitely talk about that. So we'll go both ways. OS X to Linux, Linux to Open Directory, back and forth.
Hopefully you'll pull out of this how to do this on your own, give you some tips and tricks. There's too many different variables for too many different situations to really give you much of a cookbook for this, but at least you'll get an idea of it. I was amazed at how easy and how simple this was the first time I went out with it. So hopefully that's going to be your experience also when you do this. We'll also talk a little bit about different file sharing, how to integrate file sharing into the network. We'll hit a couple of brief discussion about some of that and also some backup solutions that you might want to take a look at.
So first off, we're going to start with the traditional Mac OS X island. You've got a grouping of machines, maybe a graphic design, maybe a specific department within the university, some other form of island of OS X. So you've got to integrate with other systems. You've got to play nice with others.
Active Directory plugin is one way to do it. The other way is to do some of the stuff that we're going to talk about today. Just as a side note, it's been very interesting to me as we have progressed into being much more of a good citizen, much more corporate awareness, much more organizational awareness of what OS X can do and how it can interact with others. And when we were with OS 9, we'd actually, we'd almost refuse help. We'd almost refuse the attention of the IT departments because we wanted to stay hidden. We didn't want them to see us. They didn't want to see us. We didn't want to see them. So we stayed secluded away. More and more, when we go in and I go into clients and I integrate OS X into third-party directory services, into AD, into LDAP, into Novell, you get pulled into the fold. And at first, the users are a little bit upset at suddenly having all this management, at suddenly being locked down and micromanaged with the MCX preferences and things like that. But the end result usually is a really corporate organizational awakening that OS X is a valid citizen. OS X does have lots and lots of strengths. And so suddenly I see IT staff being devoted to it. I see budget being devoted to it because you've suddenly appeared on the radar because you've integrated into the other directory services. Hopefully something that's what you'll find also.
Key theme to OS X, we've talked about this before, but it plays well with others. We make it very, very easy for you to integrate with unknown third party directory services. So we'll definitely hit a lot about that. Also with file sharing, we accept a lot of file sharing protocols, and then we have lots and lots of backup client software that we have out there now.
First and probably the most important, because it's maybe the most complex, is the directory services. And that's primarily getting identification and authentication to work from an OS X machine going back to another system. I have a couple of different options for this. Most of these are laid out in the directory access plugins. NIS, LDAP, Active Directory, things like that.
NIS. We only do NIS. We don't do NIS+. All right? And I would strongly urge you that if you're in a NIS environment, you're probably already interested in migrating off of it anyway, and that's going to be a better option for you for OS X. We'll play with it, but we don't do it as well as we do a lot of the other directory services. And I can't say that we're probably going to devote a lot of resources to that.
Active Directory, there's the AD plugin, gets you up and running, gets a lot of good features. There are incredible new features in OS X 10.4 that get you some new stuff with it. Also, there's Thursby ADmitMac. All right, so if you want the DFS and the signing support and the other things, certainly take a look at their product. And then finally, we've, like I said, we covered this in other sessions, so we're not going to really touch on this much. Which brings us to LDAP, Lightweight Directory Access Protocol. By far, this is closest to the universal directory service. All right? Active Directory is a form of LDAP. Novell is a form of LDAP. iPlanet, Sun ONE, they are LDAP. OpenLDAP, it is LDAP. All right? We have a common denominator between all of these modern directory services, and so we can use LDAP to interact with that. In a little bit, we've got a Red Hat box here running OpenLDAP, and we're going to integrate with that and make sure everything works like we think it should.
So LDAP should be your closest and your easiest way of integrating with these other services. And it's most likely your best chance for interoperability. So definitely take a look at this as you're going through here. Couple of different ways to integrate. One is you can actually use existing attributes.
You can go out, you can find the attributes that are there, you can use them. Two, you can kind of take over unused attributes. You can also go in and we'll talk about static and variable assignment. Two incredibly powerful ways of extending your directory actually touching the directory, and finally, extending the schema.
So if you want to use the existing data in schema, hopefully a top priority is to use attributes in the directory as intended. So if you have a UID value in there, go use that UID value. You don't want to go out of your way and use your own stuff. That's just going to make things a lot harder. In many directory services, you're going to find the basic information that you need. In any directory service that's catering towards a Unix system, a Unix client, you're going to find username, short name, group ID, user ID, that kind of stuff. and you'll be up and running immediately. I've got OpenLDAP here on a Red Hat box, completely Linux-based. All right, so we're gonna integrate with that. It's nothing specific for Apple. I'll show you how easy that is to work with that. So in many cases, a lot of the information that you need for basic integration is already there. You can go in later and backfill with some of the other stuff like network home directory, PaaS, and things like that. When you get into LDAP, there's a big temptation to kind of recycle unused attributes. If you remember some of the documentation that was out around 10.2 about how to integrate OS X into Active Directory with an LDAP client, we talked a lot about using the secondary fax number because precious few people had the primary fax number in their record, let alone a secondary fax number.
So you could just go in there and you could put whatever information you wanted in there, perhaps a home folder location, maybe a home URL, something along those lines. It's a good idea for testing, but this really can come around and turn and bite you in the when you install a piece of software that expects the ability to overwrite that file, or overwrite that attribute. So, I really caution people to stay away from this. If you're going to do this, do it right. Either extend the schema in the full way, or do the static mapping on the client side to get that.
Static assignment. This is a really, really cool thing that we can do on OS X. And it allows us to create entries, to create changes on the OS X client side that reflect how we read or how we pull data out of the LDAP database. For example, perhaps you're integrating with a system that isn't very Unix aware. And you don't have a primary group ID specified with your user record.
If you look on your OS X server, you'll find that every single user on your OS X server has a primary group ID of 20 or the staff group. This is a static attribute that could be associated with every single user that you create. Instead of putting that information inside the LDAP directory, we can actually statically map that on the client side. We go into Directory Access-- I'll show you a quick example of this-- and actually use a pound sign and put in that value. Now directory services on the client machine will no longer go to the LDAP directory to look for that information. Instead, it'll go directly, read its local preference file, and always return, in this case, the value of 2004 for the primary group ID attribute. But what if that's not enough? What if you have variables that you need dynamic information for? Well, that's why we have variable assignment here. So now we can take a static assignment. We can take a static chunk of information. And the best example of this is the bottom one on here, where we actually map over a home folder URL there.
Notice that we've got a big chunk of static stuff, and there's a little thing in orange there, and that's string UID string. That's our variable. We now read in the UID attribute, whatever that may be, out of the LDAP database, and we turn that into our string of information. So we look that up on the fly, and that allows us to do things like this home URL very easily, 'cause this home URL has to have your username in it, 'cause you go directly into that folder.
So now we have a little bit of static assignment with a variable lookup, and we don't have to put that information into the LDAP directory. All your clients have to be mapped the same way, and they have to have this config file, the LDAP plist in /Library/Preferences/DirectoryService. But it's a good way of doing this. And again, it makes it really easy for us to integrate. So let me show you a demo of this. I've got an OS X server.
Now I'm just going to cd into my own-- it's an Open Directory master. And you can see we've got a couple of users here in our LDAP database. And we've got a testbunny user. And if I read that in, my user shell is /bin/bash. What if I wanted to override that? I can come into here. If I remember the password. There we go. And I can edit my mappings. Right now we're using the default Open Directory Server mappings, but I can go down here into Users. I'm going to pretend this is a third-party directory server and shell.
Can I zoom in? That means I'm going to have to remember that key command. Command option 8. See, always somebody yells it out when that happens. Command option 8 not doing anything for me. And now everybody's mumbling. Universal access, we'll do it the old-fashioned way. Seeing Zoom is on. Command... that's on and zoom in. All right, it's a plus. There we go, how about that? That's gonna make me sick up here. Thank you. Here all week.
So these are our attributes that we're going to be looking for when we go through the system. All right, so these are the attributes that we're associating with the user record. We've got a UserShell attribute in here. Right now it's mapped to loginShell, but if I put #/bin/ksh, right, and hit OK, I've changed that mapping. If I now go back, command option eight, boom, there we go.
How about that? Quit out of dscl, go back into dscl, cd LDAP, Users, read testbunny. Notice that my user shell is now ksh. So that's a client side change that I've made. And I didn't have to write that information back to the LDAP directory server. This is killer when dealing with eDirectory. This is killer when dealing with Sun ONE. This is killer when dealing with a recalcitrant LDAP admin. If you can't get them to change the information, you can change your client machines, and you might be able to work around a lot of this stuff. If I go back into here, command option eight, zoom, go back to these mappings, let me back it out a little bit there. All right, how about that? Man, people ask for it and then they don't like it.
UserShell, and I can come into here, and I can map it over just to a value, so string UID, for example, which means it's going to look up whatever the UID attribute is in this user's LDAP record, then it's going to swap it in here on the fly. Hit OK, hit OK. Going to do that. Back to here, quit. Starting to get good at this. Users, read testbunny, and now my user shell is /bin/testbunny. All right? If I read my diradmin, notice it's the same thing, well, with the variable involved at least. So definitely we're getting variable mappings here. We're pulling that information out, and we're changing it on the client side. When you're experimenting with this, it's always nice if you go back in and change it back to Open Directory Server there. All right. That helps us-- the rest of the demos go better. Back to the slides, please.
Static and variable mappings. Very, very cool, very, very powerful stuff. Keep this in mind as you're working with the other LDAP directories as you go out there. If that's not enough, or if you really want to do this the right way, and by the right way I mean putting it all where it should be in a central place. Directory services is the whole idea that you don't have to micromanage things anymore. You don't have to do workarounds. You don't have to do hacks to get things to work. This is a political issue, though.
This means going into the LDAP database to add the attribute specific to Apple, specific to OS X. You can do this with AD. You can also do this with LDAP. It's a little easier when you're dealing with an LDAP directory service, because most LDAP admins are interested in this kind of thing. They can roll it back. They're aware of the schema files. That way you go in, you do it the way it was intended, you do it the way it's been QA'd for and everything else, you're going to get a much better experience. That's not to say that static mapping doesn't work. We have lots of places doing that because they have to. However, in a perfect world, you'd be putting it all in the directory service where it should live.
A little bit about Novell. There is a-- I have a lot of people that have good success with using LDAP, the LDAP plug-in, to connect to Novell. Dan Sinema has done a great job of putting out some of this information on how to integrate. MacEnterprise.org has some of this information on there. Also, we have a third-party plug-in now from Condrey Consulting called Kanaka, which allows you-- it's an Open Directory plug-in that integrates with Novell. It makes it a little easier to mount the home folder, do some other things like that, and certainly makes it easier from an administration side. So if you're interested in integrating with Novell, please take a look at this, as it may be very interesting to you.
The thing I like most about OS X as a directory service is the ease of use we have in combining multiple directory services together. We can have an LDAP server hosted on an OS X server, use Open Directory to connect to that. We can have an OpenLDAP server, use LDAP to connect to that. We can throw in the AD plug-in, connect to that. And if you really enjoy root canals without Novocaine, you could probably go further and throw in this and a few other things. All of that will be usable, all of that will be usable users that we can authenticate from, all at the same time. Your authentication path in Directory Access determines how you're going to go through that.
So it's a really, really cool way of going through, combining the best parts. If you've heard me talk before, you've probably heard me talk about the magic triangle, the reverse magic triangle, things like that. Because of our ability to work with multiple directory servers, we have that ability to combine the best parts of both to get what we need out of it. That and sell more Xserves. Very important. Here's an example of using a secondary directory.
You have to keep the records together. So for example, if I have a user record in one, the entire user record has to be there. I'm not gonna have lookups from one user record that refer to attributes over here in another LDAP database. Then you just add 'em both into the LDAP plugin, and then you go to your authentication path, and you'd add 'em both into there too. So lots of different options, lots of different flexibilities.
Here's a quick little rundown of them. More information, man. You got to look it up on there. So use this for reference when you're going back through, but it's essentially the stuff that we talked about. NIS being NIS. Active Directory, use the AD plugin. There's a few outliers of why you might want to use the LDAP plugin for Active Directory. But for the most part, you're going to be happiest. You're going to be easiest with the Active Directory plugin for that kind of integration. LDAP, fully getting into LDAP, fully creating an LDAP server, putting all the information in, extending the schema, is probably going to be your best and your happiest, your most stable system. So I'd push you towards that if at all possible. Third party plugins, hopefully we come out with more for Open Directory as we mature and grow.
That's one of the reasons why I really like to see this one for Novell. Not so much just because it's a one for Novell, but because it's also a third party plugin, a third party developer that's creating commercial software to plug in like that. And then definitely keep in mind the idea that you can easily use a combination of all this.
All right, so now I want to do an OS X to Linux demo. If we go back to the-- the demo machine here. I've got redhatfedoracore.apple.lan. All right, so that's my LDAP server that I'm gonna be connecting to. If I want to, I can do a quick ldapsearch and see if I see the information on it. 10.0.0.11, search base, get a -x in there, search base dc=redhatfedoracore. This is some information that I would have found out either from my administrator. Now I can see a bunch of responses back from there. So now I know I actually have an LDAP database out there. So I just did a quick ldapsearch.
It's common to maybe use an LDAP browser. There's a Java LDAP browser out there that a lot of people like. LDAP Manager is a SourceForge project. It's a full-blown Cocoa browser. phpLDAPadmin is another product that I use quite a bit. Open source web-based LDAP browser. This would give you a good idea of what's in your directory and what you can connect to. We're gonna go into Directory Access here.
Go into the LDAP, now I'm going to add a new one. I can actually use DNS, DNS works. redhatfedoracore.apple.lan. Go manual. Let's call it Red Hat. From server, we're not gonna have the mappings on the server, so we're gonna pull down and use the RFC mappings. dc=redhatfedoracore, dc=apple, If you do any LDAP work, you're going to get really used to typing in dc and commas.
Hit OK. If I go to authentication, I'm going to add it in. So now I've got this Red Hat in here. Hit Apply. Immediately go down, go back up to dscl, the Directory Services command line. cd LDAP. In here, I see both my local, my loopback directory server. That's my Open Directory server. I also see my Red Hat server. So I can cd into that. See we got some users here. Here's the moment of truth. All right? We can do an ls. We listed that. We're getting user records in here. This is cool, right? I mean, that was three minutes, right?
Shouldn't really congratulate me. You should congratulate the directory services team that have put all this together. But I'll take it anyway. All right, so now I can do a read of a user. read elvis. Did I put elvis in here? Typing skills help. So here's Elvis hanging out in the LDAP directory system. If I quit out of this, id on elvis, boom. We've got id user resolution, UID 1000. We're actually going to go in here, and so we don't conflict. We're going to-- I'm going to take myself out of the equation. So I'm not authenticating to there. At which point I can su. I've got another user in here. If I remember the password.
Here we go. whoami? I'm me. I can do an id on myself. I'm pulling this out of the Linux LDAP system. All right? Done. Tea time, 3:00. You'll be there. Some things that we're missing from a setup like this is we'd be missing the network home folders and things like that. You would have to go in, extend the schema, or go in and do the static and the variable mappings to get that to go through the rest of the way. So keep that in mind. Another thing that I really want to point out, if you go back into LDAP here and we edit this system, notice in Security everything's unchecked. All right? It's best if you go through and you start checking these boxes and make sure that you're using SSL for this kind of stuff. You want to make sure that you're using SSL so you don't leave clear text passwords going through. We do. Let me zoom in on this. Thank you.
We do have the ability to disable clear text passwords, which means it won't ever try that. This is killer. This prevents us from ever sending that out. Use SSL anyway to make sure that even if you do send a clear text password, that you're going to have a little bit of security wrapped around that. Also, we can bind. We can bind as a user to that directory system. So we now have a machine account that we can create and go through there. So really, really cool stuff. Really, really easy to integrate all these pieces together. Back to the slides. Thank you.
File sharing. I want to do just a quick rundown of a couple of different file sharing protocols that you might be able to use here and different things that you'll be able to do with them. Our big choices are AFP, SMB, NFS, FTP, WebDAV, right? I just kind of grabbed everything that Connect To Server can do.
Apple Filing Protocol, by far the most preferred. If you can get AFP working, please try to get AFP working. It's the most tested. It's the most used for Apple environments. So you're going to get the most QA. You're going to get the most interaction. You're going to get the most feedback on it. So it's going to hopefully be the most robust environment for you. That's not to say that the others won't work and the others won't work well. Just to say that if you have a choice, I would go with AFP first. Now, AFP does not mean Services for Macintosh. Services for Macintosh, it's a little long in the tooth. Please don't use that. SMB is better. So that's on your Windows boxes. If you want to serve from Windows boxes, go use ExtremeZ-IP. Their products, really great AFP servers. Netatalk on the Linux and the Unix side. Novell, Native File Access on Novell is really, really nice. Allows you to easily integrate into your Novell servers in that way. Cool thing, and we don't talk about this much here.
I've just started playing around with it. In Tiger, we also do transparent failover support. I believe this requires a 10.4 server, but if you have a 10.4 client and your AFP connection is broken because that server goes down, the connection goes down, we should transparently reconnect for you, which means your users aren't going to be presented with a spinning beach ball.
They're not going to be presented with a reconnect dialog box, or since it's their home folder, most likely, they're not going to come knocking on your door. All right, so very cool stuff there that we're starting to work with some server load balancers and some clustered file systems to really do some cool work with.
SMB. A very close second to AFP as far as home folders. All right? We do support SMB home folders for users. So if you've got a big NetApp filer or something else like that and you want to do SMB connections to it, we'll be able to do that. Windows servers we definitely work with. Make sure you disable the security policies so that you disable signing and encrypting, and we don't do DFS. He's always complaining about this up front, but the only one, all right? So that's a wonderful gentleman from the University of Michigan up here. So I'll point them out.
All right, so Samba servers we can also do this for, and NAS devices, right? If you have a NAS device, a filer of some sort, it's many times that you're using SMB to connect to that. Very common in university situations is NFS. Huge amounts of NFS to support the Unix systems that are already in there. We can use that here. We can use that for home folders. A little bit of an advantage with fast user switching because we don't have to disconnect and reconnect. So with an NFS home folder mount, you can do fast user switching with network users. Kerberize supports fast user switching. Obviously, this is very popular with Linux and Unix environments. And also NAS devices, depending on whether you trust the SMB or the NFS coming out of your NAS device more, you might use one or the other.
FTP is not a home folder system. You're not going to use FTP for home folders. Great for file sharing, but right, FTP's got its own issues with security or lack thereof. So definitely, and it's read-only in the Finder, so that would really be tough for a home folder to do anything with. WebDAV, perhaps a nice way to do basic sharing, basic cross-platform sharing, perhaps over web connections with SSL, stuff like that. It's incredibly improved in Tiger. We've got Kerberos support for it. We support SSL for it. All right, two big things that we really needed. We got those in there. However, you're not going to use it for home directories. And many times, if you've ever administered a WebDAV server, it's a little weird on the permissions, all right? So depending on which one you use, if you're just using mod_dav on Apache, definitely it's probably not going to be a very enjoyable experience for complex permission schemes.
Because what's the point of having a system if you don't have a backup, right? OS X has come a very, very long way in terms of backup support from clients. Remember just a short time ago we had one? Now we have many. BRU from the TOLIS Group, Retrospect, Atempo, Arkeia, Tivoli, Veritas, Breeze Hill, Legato, ArcServe, BakBone. When I did a quick little search and looked at some of our product marketing literature and stuff like that, I found that we have clients, software clients of some sort for these systems, either 10.3 or 10.4. Definitely check with the vendor for what they support, with 10.4 being pretty new out here. So lots and lots of options. Some of these are downstairs in the data center. Take a look at them, see what you need, see what you can use. So hopefully we can play well with a lot of other systems. Worst comes to worst, right? You go to my scripting session yesterday, and you learn how to back it up yourself by sending it off to a file share or something else like that. So it's a lot easier to integrate with these things now.
That's cool, right? But that's last year. That's us integrating with somebody else. What happens if we want to be the top dog? What happens if we want to be the number one directory service and have others be subjugated to us? All right. Part of plans of world domination, I'll admit to them right here, This was an interesting experience for me. I've been wanting to do this for quite a while and actually sit down and document it, and you should see some documentation coming out in a little bit about this. You read on the mailing list kind of whispers here and there of, oh, I integrated my Linux box to Open Directory, and it was great, and it all worked, but then they never tell you how. They never tell you the steps they went through. Part of that's because every Linux distribution, certainly between Linux and Unix and Solaris, they're all different, and they all interact with LDAP directory systems in different ways. So it may or may not be a simple experience for you. Solaris... It was a little more pain for me. Linux, though, was pretty easy. They have a lot of support for this. A lot of clients do this well. So I'll hopefully walk you through how to do this the hard way and the easy way.
When you're dealing with Open Directory, just like I like Open Directory because it plays well with other systems as a client, we also play fairly well with other systems as a server. We use OpenLDAP. We use Kerberos. All of these are standards. We use 100% the MIT Kerberos KDC. OpenLDAP, very, very much all OpenLDAP. So we're supplying this so we can easily integrate with other systems in this way.
In many cases, when you're dealing with LDAP integration, it's the Mac client that needs more information. All right, in Open Directory, we put all the stuff in there, all the stuff that a Linux machine is gonna use. So you're gonna see how easy it is for us to connect up into that. All right, so again, we play very well with others.
So as far as directory services go, first of all, we can talk about an NT PDC real quick. It's great that we have the PDC. We have a session here right after this one in this room about it. It's great in 10.4 that we now can act-- our replicas can act as backup domain controllers. So it actually becomes very viable in an enterprise and institutional environment.
I wouldn't use it for more than 100 PCs, right? An NT domain is not even last year's technology. So it's going to be hard to convince people to do a lot with that. So if you're moving for more than 100 PCs, I usually suggest if you were in my AD session, we talked about the reverse magic triangle we did at Kerberos Cross Realm Trust. That's definitely a good solution for you to go if you've got more than 100 PCs or so. Definitely give it a go, take a look at it. With the backup domain controller, it becomes a viable solution, especially if you only have a half dozen PCs or something else like that that you want to keep around in your network.
LDAP on open directory. Common directory service amongst non-Windows clients. So it's a common denominator for most everything else that's out there. Easy integration with most Linux distributions. This is Red Hat Fedora Core up here. If you've seen me carrying around this laptop for three days, it's really been kind of the bane of my existence. It's rather heavy.
It's caused me rather late nights, and like I said, it made me appreciate OS X a lot more. But I've gone through the pain, so you don't have to. I took that bullet for the team. Happy to do that. So we'll do that in a little bit as we go through there.

Key note about group membership. Other systems won't support Tiger's nested groups, just like you can't do this out of Windows when you are an LDAP client. We can't resolve that back many times. Keep that in mind. Keep your groups flat. All right? That'll make it easier. I had a line up here that's not quite true, that we now list group members by full DN. That's, I hope we now list group members by full DN. We do it when we start off, but we don't actually keep it up. So if you have questions about that, talk to me afterwards.

Couple of files that you need to worry about when you're configuring Linux for Open Directory. All right, /etc/nsswitch.conf. This is kind of like the authentication path. This is all using the PAM LDAP modules from PADL, I believe that gets us, well, the ldap.conf and the rest. nsswitch.conf is on most Linux and Unix systems, allows you to pick where you're pulling your authentication and where you're pulling your users from. So I'll walk you through doing that real quick. ldap.conf, that sets up where your LDAP directory is, what you're gonna be connecting into. /etc/pam.d/system-auth, this is your PAM modules. We're gonna tell you to use LDAP for authentication here. And then finally, if you wanna support home folders, that kind of thing, you might wanna go into /etc/fstab and set up an automount for NFS. And that way you can NFS them back from the OS X server as we go through them.
Kerberos, many of the Linux and Unix distributions very much support Kerberos very well. So you can support single sign-on. We've got a standard MIT KDC setup, so we're going to walk through that real quick, show you how all that works. And there's one config file for that, which is /etc/krb5.conf in many cases. Solaris will keep this in slightly different places.
Other Linux distributions may also. But that's kind of the file that you're looking for. And you can copy that direct from /Library/Preferences/edu.mit.Kerberos on the OS X side. I don't like to type, so you're going to see me do that. kadmin you could use. You could actually create service principals for your Linux servers, for your web servers, for latest versions of Samba and stuff like that. You could utilize that with our KDC and Open Directory. So a lot of possibilities for interoperability there. So back to the demos. I'm doing my own stunts on this one, so hopefully it works out okay. Clear this off. First thing that we're gonna do, let's exit out back to myself. SSH into the Red Hat box, 10.0.0.11.
Don't do this at home, but we're going to go in as root, so I don't have to worry about that pesky little authentication thing. All right, so pass the hoop over the floating woman here, and you can see that definitely we're on a Red Hat box. 2.6.9 is the kernel. I believe this is Fedora Core 3 right off the distro installed on there. So all the fun stuff. First thing we do, if we go through the set, we can try-- can I find diradmin? Ha. Well, that would have been great if it just worked. But no, you're going to have to do some configuration. First step, go through nsswitch.conf.
And if we go into here, some danger text and stuff up at the top, you want to go down here, passwd, shadow, and group. Right now they're set to files. This means we're going to look in the local files, the /etc/passwd file, the /etc/group file, stuff like that, for our group and for our user membership. We want it to look into LDAP also. So all we have to do, add ldap at the end. id diradmin: no such user. Got to do one more thing. We got to tell it where our LDAP server is. So that's /etc/ldap.conf.
Come down here. Now we can look at our host. Just put in an IP address for it or a DNS name. 10.0.0.10. And then we gotta put in our actual LDAP base, which if memory serves is this. All right, now. All right, let me make sure I got that right. Let me pull off something here. Oh, osxs, look up. Like I said, you're gonna type osxs a lot. Put all that through here.
That wasn't so hard, was it? There's our directory admin. And if I go over here to Workgroup Manager, and now we're going to get crazy. We'll create a new group. See, I've done so many demos, I've run out of the good, funny, witty names to put in here. So I have to think of something. I'll just call it test. That's boring. But we'll save it down. Pull over here. Pull diradmin into there. Pull testbunny into here. Hit Save. Now I can id diradmin again. And notice that now we have group membership for 1025.
The one thing we don't have yet, though, is authentication. We've got the identification half of this, but we don't have the authentication half. For that, we need to go into, let me clear this out, /etc/pam.d/system-auth. And you'll notice there's all kinds of PAM modules that we're gonna use to maybe authenticate ourselves with. You would go in here and you would add in an entry for pam_ldap.
That's the hard way of doing it. I kind of wanted to draw the demo out a little bit longer. We've still got a half hour. Still got a lot of things to talk about. So that's doing it by hand. You'd add that in. Many Linux distributions actually have a little bit of a GUI. We'll use GUI in quotes here. It's authconfig, and go. There we go. Ha-ha. Now, this isn't the Linux side. It looks better on the Red Hat box. The window size is off and curses and, you know, whatever. So, yeah, I know. We could use X11 to it or something like that.
What I want to show you here, though, is you can go down. You can go, say, select LDAP, use LDAP authentication, then hit next. It's going to ask you real quick what your LDAP server is, and then it's going to ask you what your base DN is. This is just the information that we put in by hand in the config files.
We can do it here through this authconfig GUI. When we're done we'll hit return. Now again, id diradmin, beautiful. We're going to su into something else that lives on this box. I think admin is on here. Okay. And then we can go su into diradmin, prompt us for a password. There we are.
We've got authentication. We've got everything else. Problem is, we don't actually have a home folder. If I do a cd here, meh. Don't know what to find. OK? So to get around that-- You can just do a mount. Now first, keep in mind the showmount command. That's going to show us the NFS exports that are exported off that server. I've gone in ahead of time and I've exported out /Users. So now I can mount.
Into /Users, only root, ah sorry. All right, mount 10.0.0.10:/Users /Users. No news is good news, right? And if I su into-- what's a secondary user? I think testbunny I put into there, right? testbunny. All right, cd. Ha ha, look at that. /Users/testbunny. And now you can see that we've got that mount point there in the bottom line to /Users on .10. So now we've got full support for home directories. We've got full support for users. We've got full support for authentication. Out of the box, this is pretty simplified LDAP. We're just doing simple binds.
We're doing unencrypted connections there. So you'd want to beef that up. You'd want to use SSL. You'd want to go through some of those ldap.conf files and stuff like that. I apologize for the demo being entirely text-based. I was really trying hard to come up with good ways to get flashy graphics in here, but directory services usually isn't flashy graphics. So anyway, so there we go with all that. But we're not done yet, right? Because the next thing you want is you want to be able to Kerberize all of this, right? So we're going to cheat real quick. I'm going to open up a new window.
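The three client-side files the demo just edited by hand (nsswitch.conf, ldap.conf, pam.d/system-auth) can be audited in one pass, including the speaker's caveat that the first working state binds in the clear. This is an added example, not code from the session or from Apple; the file names follow the PADL nss_ldap/pam_ldap layout used above, and the sample tree, server address and base DN are constructed for the demo.

```shell
#!/bin/sh
# Audit an nss_ldap/pam_ldap client bound to Open Directory, as walked
# through in the talk. Added example; file layout assumed to be
# /etc/nsswitch.conf, /etc/ldap.conf and /etc/pam.d/system-auth.

# audit_od_client ROOT: checks the files under ROOT/etc (use / on a live
# host). Prints one line per finding; returns 0 only when all checks pass
# and the LDAP bind is protected by TLS.
audit_od_client() {
    root="$1"; rc=0
    nss="$root/etc/nsswitch.conf"
    ldap="$root/etc/ldap.conf"
    pam="$root/etc/pam.d/system-auth"

    # 1. Identification half: passwd, shadow and group fall through to ldap
    for db in passwd shadow group; do
        if grep -Eq "^$db:[[:space:]]*files[[:space:]]+ldap" "$nss"; then
            echo "ok   nsswitch $db -> files ldap"
        else
            echo "FAIL nsswitch $db does not consult ldap"; rc=1
        fi
    done

    # 2. Where the directory lives and what the search base is
    if grep -Eq '^(host|uri)[[:space:]]' "$ldap" && grep -Eq '^base[[:space:]]' "$ldap"; then
        echo "ok   ldap.conf has host/uri and base"
    else
        echo "FAIL ldap.conf missing host/uri or base"; rc=1
    fi

    # 3. The talk's caveat: simple binds over a plain connection expose
    #    the password; require start_tls or an ldaps:// URI
    if grep -Eq '^ssl[[:space:]]+start_tls' "$ldap" || grep -Eq '^uri[[:space:]]+ldaps://' "$ldap"; then
        echo "ok   ldap.conf bind is encrypted"
    else
        echo "WARN ldap.conf binds unencrypted; add 'ssl start_tls' and a CA cert"; rc=1
    fi

    # 4. Authentication half: pam_ldap must sit in the auth and account stacks
    for stack in auth account; do
        if grep -Eq "^$stack[[:space:]].*pam_ldap\.so" "$pam"; then
            echo "ok   pam $stack stack uses pam_ldap"
        else
            echo "FAIL pam $stack stack has no pam_ldap.so"; rc=1
        fi
    done
    return $rc
}

# make_sample: constructed tree mirroring the demo's first, unencrypted
# state (server 10.0.0.10 from the talk; base DN is a made-up value).
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/pam.d"
    printf 'passwd: files ldap\nshadow: files ldap\ngroup:  files ldap\n' > "$d/etc/nsswitch.conf"
    printf 'host 10.0.0.10\nbase dc=osxs,dc=apple,dc=lan\n' > "$d/etc/ldap.conf"
    printf 'auth sufficient pam_ldap.so use_first_pass\naccount [default=bad success=ok user_unknown=ignore] pam_ldap.so\n' > "$d/etc/pam.d/system-auth"
    echo "$d"
}

sample=$(make_sample)
audit_od_client "$sample" || echo "audit found problems under $sample"
```

On a real client run `audit_od_client /`; the script only reads the files, it changes nothing.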
And I'm just going to cat /Library/Preferences/edu.mit.Kerberos. Here's our file. We'll get rid of the warnings about Open Directory, since that's obviously not going to happen in the Linux box. So we're just copying directly from this file on the OS X server. Now I'm going to go in here, exit out of that, and we're going to edit /etc/krb5.conf. Here's some default stuff that are in here. This is just an example. Notice that it looks amazingly similar to what we have. So we're going to delete all those, put our new stuff in, make sure we actually get the whole bit. libdefaults, I believe.
All right, su back to this user, do a kinit. We're thinking, we're thinking, we're thinking. Maybe I copied it wrong. It should have it by now. This is where the demos break. /Library/Preferences/edu.mit.Kerberos. I was hoping so much. Let's try this again. kinit testbunny at domain realm osxs.apple.lan.
We'll figure this out. Usually that's all you need to do. I'll check what we're missing on there. And then the kinit would allow you to go through and do that connection. All right, I might've gotten, I got the right file. And I'll have to think about this a little bit.
What, you shouldn't have to restart the Kerberos server just adding in Kerberos clients. Meaning restarting the server, that'd be bad. Um, not good at all. So anyway, this will work. The problem is, once you get this, you can do a kinit, you can do a klist, everything else is going to be groovy with that. However, you're going to run into an issue where you can't SSH over. Linux ships-- hey! Came back with something.
Thinking, thinking, thinking, thinking. If I had to guess, I'd say this was DNS. If I had to guess, but I could be wrong. The problem is after you get tickets, if we get tickets, I hope we get tickets, you won't be able to SSH over. Issue is Linux uses OpenSSH 3.8 for the most case. We on OS X use OpenSSH 3.6 with the security patches and we can't negotiate Kerberos that way.
That's bad. So you either have to downgrade one, upgrade the other, and then you'll get the single sign-on. Otherwise, all your other stuff works. Your mod_spnego, if you can get all that going. Beautiful stuff with that. So go through some of the Kerberos documentation and get all those pieces together. Hoo-hoo-hoo. No news is good news. klist, hey, we've got tickets. Thank you.
All right, so that's the final piece there doing this. You could then go through and actually use mod Kerberos instead of mod-- instead of the PAM LDAP-- excuse me, PAM Kerberos instead of PAM LDAP, which is gonna increase your security for your authentication and things like that a little bit. It was like 15 minutes, right?
It was not hard at all to do this, right? You just got to find these different little pieces. This is a Red Hat box. I kind of picked Red Hat because I thought it was the easiest. I've found out that's not the case, all right? I had some, man, plugging in a thumb drive into this thing was amazing. We had four people over at Dave's last night, a large number of empty glasses, a pager, a cell phone, a Hiptop mobile, and we were still unable to get the thumb drive to mount. So, I'm not switching anytime soon, but my Linux box at home, now I can use all the same users and passwords and all the other stuff. So really, really cool stuff that we integrate this easily with it. All right, back to the slides.
Something that I got turned on to very recently by Michael Bartosh, who had done this out at Indiana University. That was easy, so I had to fill a little time here. So I wanted to throw in something that was a bit of a think piece. I was hoping to get a demo up, if I get some chance in the IT Enterprise Admin Lab or whatever over here on the second floor, I might try it a little bit too, get a couple of machines together. In Open Directory, we're presenting you with a flat directory space. We're presenting you with just one container where all your users go into. It's got its benefits, because it's really simple. It's really easy. We don't have to worry about the complexities of where our users are, how to put them there, where places to put them, that kind of stuff. So for smaller and medium environments, it really has a lot of value. It's very simple now for an admin who's never dealt with LDAP before to use Workgroup Manager to be productive with it out of the box very quickly.
As OS X grows, as more people pick it up, we find more and more people using this for larger and larger and larger environments. And as they go into larger environments, we need more flexibility. So one of the things that I'd like all of us to start doing, because where we lead, a lot of times engineering and everything else follows.
So we can lead with this and start really getting into LDAP and using LDAP for the flexibility that it is. And one of the concepts that we have here is the idea of distributed authorization. So we can delegate administrative tasks to certain users. You've got machines in New York. You've got machines in Chicago. You want admins in New York that can only administer those machines in New York. To do that, we've got to do a little bit of mapping and some other stuff. In Open Directory out of the box, you just have users that are admins. Once they're an admin, they're an admin on all the machines. And we'd like to break that down a little bit and delegate administration privileges to other users. So we're doing this by a little bit of bait and switch under the covers. Allowing Open Directory to be flexible and to not just follow into the predefined stuff that Open Directory gives us, but to take our life in our own hands and to play around with this a little bit. So it's really cool what you can do with this. The idea is first that we can create actual OUs. Little-known fact: Open Directory fully supports OUs, all right? OpenLDAP supports OUs. So you can just create one and put it in there. You can either do this with an LDIF file, or you can go into phpLDAPadmin, go into that, run that as a web server, a web service, put that in there. It's a really nice tool for doing this kind of stuff. Once you have an OU in there, we can now put collections of groups, collections of machines in there. And the second big deal of this is actually putting an access control in there. You can put an access control list directly into LDAP, and we replicate that out. We're using OpenLDAP 2.2 now that supports this.
This means that I can set up a group of users that aren't admins that can write to the records, all right, that can write to the records within an OU, can manage machines, can manage groups within that. All right, here's an example of an access control list. It's really, really long. Hopefully find some documentation on this before I get into this. So to be able to enable this, it's going to involve a little bit of custom mappings. Obviously we can't do this right out of the box. You can push those custom mappings back into OpenLDAP, and so we can actually pull from Open Directory like the, like the Directory Access client is very good about doing. Key thing to keep in mind-- so Workgroup Manager, when you click that lock in the upper right hand corner, it's really not authenticating you back to the directory service. Workgroup Manager is checking that you entered in the correct password and you actually exist in a group called admin.
That admin group does not necessarily have to be the admin group that exists where we would normally find it. All right? So we can do a little moving around with that. This is kind of like a think piece. And so hopefully this will give you a little better idea. Wow, they made this look beautiful. I had big white boxes in OmniGraffle before this hit the graphics people here. So now they're beautiful colored and all the rest. Idea here is, if you take just the users, the groups, the machines, and access controls up at the top, that's what we have in our normal Open Directory kind of flat directory space. All right?
We can go in there, and I can add in OUs. We've got an orange New York and an orange Chicago in there. All right? Within those OUs, I can put containers of machines, containers of groups. On my client machines in New York, I'm going to go into Directory Access, and I'm going to map through the group and the machine mappings through ou=Chicago into cn=machines and into cn=groups. This allows my clients then to pull the groups and the machines out of that particular OU. I'll go into access controls. I'll create an access control that allows a group, not the admin group, but a group perhaps called Chicago Admins.
A group called Chicago Admins to write to that OU. Now I can give a user in Chicago, put them into that group, put them into a group called admin within cn=groups,ou=Chicago,dc=example,dc=com. That local client, when I'm running Workgroup Manager, will think they're an admin for all intents and purposes, will allow them to write back using our GUI tools to create group membership, to create machine accounts, to manage those machine accounts with MCX, to manage those groups with MCX. Again, all through the GUI tools. Put that back into those containers within that OU. That user picks up, hops on a plane, flies to New York. In New York, the accounts are mapped through to cn=groups,ou=New York,dc=example,dc=com. I'm not an admin anymore.
All right? I go back to the data center in Champaign, Illinois. I put my world headquarters data center in there. That was funny. This is where I'm from, and if you've been there, that would be a little funnier. Okay. Nice place. Good to get out. Nice place. So if you go to your world headquarters data center there and you go in and you log in, you're not an admin either. Because you don't exist in the admin group in cn=users or cn=groups,dc=example,dc=com. All right?
So now I've subjugated you just to being an admin for the Chicago OU and just that position within there. All right? This really opens up a lot of possibilities, a lot of things that we can do within Open Directory. It's not crazy voodoo stuff. This is LDAP stuff. This is what the big boys have been doing for a long time. We're coming of age. We're moving into that space where we can finally be a true directory service for lots of different users, providing lots of different services, providing lots of different control for that. I need a cool name for this. We've got a reverse triangle. We've got a magic triangle. So I'm thinking maybe an inverted magic triangle. I've got to work on that a little bit. Bermuda triangle, exactly. Things are getting a little weirder with this. This is a big chunk to bite off. I understand that, especially coming from just using Workgroup Manager and stuff like that. But some very cool possibilities, some very cool opportunities that you can do with this. And like I said, this is all just LDAP. This is what LDAP can do. It's what LDAP was designed for, and it's what LDAP is very good at. So definitely take a look at this when you're planning out large deployments. Like I said, I hope to get it up in the Enterprise IT Lab in a little bit. Thank you.
All right. I like directory services more than I like file sharing. And file sharing is boring, right? It's been doing well for a while. There's nothing sexy about file sharing. Pulling users out of LDAP directories, though, that is. That's cool. So but a little bit about file sharing and what we support.
If you're running an OS X server and you want to provide services to non-Apple clients, AFP is probably not going to be a very good option for you. Very, very few AFP clients on other systems. So you can probably just leave this one alone and move on to the next one. SMB is great. We use Samba 3.0.12. We've got support for single sign-on. We've pushed ACLs into this. So supporting Windows clients, supporting Unix clients, that kind of stuff. SMB sharing is probably a very, very good way to go for you with Tiger, all right, to provide home directories.
NFS, much improved in speed and flexibility within Tiger. This is also a very easy Linux Unix path. They're used to this. That's what I did here with this Red Hat box when I mapped over the Users folder to that. So Linux Unix, I can do a lot of NFS work with. FTP, again, great for sharing files. Not going to work for home folders, although I'm sure there's a project on SourceForge that does that for you, if not about five. So there's basic options with the built-in FTP server in OS X. Pure-FTPd, ProFTPD, other ones, all these other open source servers and commercial ones you can put in to get you more flexibility with.
Backup. It was really exciting last year or the year before to get all these new backup clients that we have so we can interact with others. It's really great now to have more than two backup servers that run natively on OS X Server or OS X. These people are also downstairs in the data center. BRU in no particular order here, not even alphabetical order. BRU, Retrospect, Atempo, Breeze Hill, BakBone. I believe BakBone announced some new products. Atempo also did this week, if I remember correctly. So definitely take a look at those. You can back up all kinds of other clients using an OS X system as the backup server for that. Buy lots of Fibre Channel, get lots of Fibre Channel drives, get lots of Fibre Channel RAIDs, put lots of Fibre Channel tape drives out there. Good stuff.