Enterprise IT • 55:43
Macs are good corporate network citizens. Learn techniques and real-world solutions for making them full clients on your Microsoft, Novell, IBM, and Sun networks. We'll cover file sharing, directory integration, Exchange integration, backup, collaboration, and productivity.
Speaker: Joel Rennich
Unlisted on Apple Developer site
Transcript
This transcript was generated using Whisper, it has known transcription errors. We are working on an improved version.
Thank you very much for coming. We're going to give you a little bit of time because it's early. It's late in the week and it's early. They seem to give me the big ones, the ones that encompass 1,500 different options they want to put into one session. So a lot of stuff. I'm very confident about the demos, that this all works. So we got some real-world experience that we'll be doing here. It has made me appreciate OS X more to do this. So integrating OS X into a heterogeneous environment.
I'm Joel Rennich, consulting engineer, Apple Enterprise Consulting Services. Introduction. Using OS X with other directory services. This is how to get people to play nice with each other. If you were here on Tuesday, we talked about Active Directory and how to integrate with Active Directory using the AD plugin. This time, we're going to concentrate more on the LDAP side of the house. Using the LDAP plugin, talk a little bit about Novell, talk about the different ways that you can do that.
I've had a number of people over the years ask me about integrating Linux into Open Directory. More and more, we have... I've seen places that want to use the flexibility, the administration tools of Open Directory to run everything. And so how do you get your Linux boxes, your Solaris boxes, and stuff like that integrated in so you can use a common user database? So we'll definitely talk about that. So we'll go both ways. OS X to Linux, Linux to Open Directory, back and forth.
Hopefully you'll pull out of this how to do this on your own, give you some tips and tricks. There's too many different variables for too many different situations to really give you much of a cookbook for this, but at least you'll get an idea of it. I was amazed at how easy and how simple this was the first time I went out with it.
So hopefully that's going to be your experience also when you do this. We'll also talk a little bit about different file sharing, how to integrate file sharing into the network. We'll hit a couple of brief discussion about some of that and also some backup solutions that you might want to take a look at.
So first off, we're going to start with the traditional Mac OS X island. You've got a grouping of machines, maybe a graphic design, maybe a specific department within the university, some other form of island of OS X. So you've got to integrate with other systems. You've got to play nice with others. Active Directory Plugin is one way to do it. The other way is to do some of the stuff that we're going to talk about today.
Just as a side note, it's been very interesting to me as we have progressed into being much more of a good citizen, much more corporate awareness, much more organizational awareness of what OS X can do and how it can interact with others. And when we were with OS 9, we'd almost refuse help. We'd almost refuse the attention of the IT departments because we wanted to stay hidden. We didn't want them to see us. They didn't want to see us. We didn't want to see them. So we stayed secluded away.
More and more, when we go in and I go into clients and I integrate OS X-- OS X into third party directory services, into AD, into LDAP, into Novell, you get pulled into the fold. And at first, the users are a little bit upset at suddenly having all this management, at suddenly being locked down and micromanaged with the MCX preferences and things like that.
But the end result usually is a really corporate organizational awakening that OS X is a valid citizen. OS X does have lots and lots of strengths. And so suddenly, I see IT staff being devoted to it. I see budget being devoted to it because you've suddenly appeared on the radar because you've integrated into the other directory services. Hopefully, something that's what you'll find also.
Key theme to OS X, we've talked about this before, but it plays well with others. We make it very, very easy for you to integrate with unknown third-party directory services. So we'll definitely hit a lot about that. Also with file sharing, we accept a lot of file sharing protocols, and then we have lots and lots of backup client software that we have out there now.
First and probably the most important, because it's maybe the most complex, is the directory services. And that's primarily getting identification and authentication to work from an OS X machine going back to another system. We have a couple of different options for this. Most of these are laid out in the directory access plugins. NIS, LDAP, Active Directory, things like that.
NIS. We only do NIS. We don't do NIS+. All right? And I would strongly urge you that if you're in a NIS environment, you're probably already interested in migrating off of it anyway, and that's going to be a better option for you for OS X. We'll play with it, but we don't do it as well as we do a lot of the other directory services. And I can't say that we're probably going to devote a lot of resources to that.
Active Directory. There's the AD plugin. Gets you up and running. Gets a lot of good features. Incredible new features in 10.4 that get you some new stuff with it. Also, there's Thursby ADmitMac. So if you want the DFS and the signing support and the other things, certainly take a look at their product. And then finally, we've, like I said, we covered this in other sessions, so we're not going to really touch on this much.
Which brings us to LDAP. Lightweight Directory Access Protocol. By far, this is closest to the universal directory service. Active Directory is a form of LDAP. Novell is a form of LDAP. iPlanet, Sun ONE, they are LDAP. OpenLDAP, it is LDAP. We have a common denominator between all of these modern directory services. And so we can use LDAP to interact with that. In a little bit, we've got a Red Hat box here running OpenLDAP, and we're going to integrate with that. Everything works like we think it should.
So LDAP should be your closest and your easiest way of integrating with these other services. And it's most likely your best chance for interoperability. So definitely take a look at this as you're going through here. A couple of different ways to integrate. One is you can actually use existing attributes.
You can go out, you can find the attributes that are there, you can use them. Two, you can kind of take over unused attributes. You can also go in, and I'll talk about static and variable assignment. Two incredibly powerful ways of extending your directory without actually touching the directory. And finally, extending the schema.
So if you want to use the existing data in schema, hopefully a top priority is to use attributes in the directory as intended. So if you have a UID value in there, go use that UID value. You don't want to go out of your way and use your own stuff.
That's just going to make things a lot harder. In many directory services, you're going to find the basic information that you need. In any directory service that's catering towards a Unix system, a Unix client, you're going to find username, short name, group ID, user ID, that kind of stuff.
And you'll be up and running immediately. I've got OpenLDAP here on a Red Hat box, completely Linux-based. So we're going to integrate with that. It's nothing specific for Apple. I'll show you how easy that is to work with that. So in many cases, a lot of the information that you need for basic integration is already there. You can go in later and backfill with some of the other stuff like network home directory, paths, and things like that.
When you get into LDAP, there's a big temptation to kind of recycle unused attributes. If you remember some of the documentation. There was a presentation that was out around 10.2 about how to integrate OS X into Active Directory with an LDAP client. We talked a lot about using the secondary fax number because precious few people had the primary fax number in their record, let alone a secondary fax number. So you could just go in there and you could put whatever information you wanted in there.
Perhaps a home folder location, maybe a home URL, something along those lines. It's a good idea for testing, but this really can come around and turn and bite you in the rear when you install a piece of software that expects the ability to overwrite that file or overwrite that attribute. So really caution people to stay away from this. If you're going to do this, do it right. Either extend the schema in the full way or do the static mapping on the client side to get that.
Static assignment. This is a really, really cool thing that we can do on OS X. And it allows us to create entries, to create changes on the OS X client side that reflect how we read or how we pull data out of the LDAP database. For example, perhaps you're integrating with a system that isn't very Unix aware. And you don't have a primary group ID specified with your user record.
If you look on your OS X server, you'll find that every single user on your OS X server has a primary group ID of 20 or the staff group. This is a static attribute that could be associated with every single user that you create. Instead of putting that information inside the LDAP directory, we can actually statically map that on the client side.
We go into directory access-- I'll show you a quick example of this-- and actually use a pound sign and put in that value. Now, directory services on the client machine will no longer go to the LDAP directory to look for that information. Instead, it'll go directly read its local pref file and always return, in this case, the value of 2004 for the primary group ID attribute. But what if that's not enough? What if you have variables that you need dynamic information? Well, that's why we have variable assignment here.
So now we can take a static assignment. We can take a static chunk of information-- and the best example of this is the bottom one on here, where we actually map over a home folder URL there. Notice that we've got a big chunk of static stuff, and there's a little thing in orange there. And that's $uid$. That's our variable.
We now read in the UID attribute, whatever that may be, out of the LDAP database, and we turn that into our string of information. So we look that up on the fly, and that allows us to do things like this home URL very easily. Because this home URL has to have your username in it, because you go directly into that folder.
So now we have a little bit of static assignment with a variable lookup, and we don't have to put that information into the LDAP directory. All right? All your clients have to be mapped the same way, and they have to have this config file, the LDAP P list in library preferences directory services. That's a good way of doing this. And again, makes it really easy for us to integrate. So let me show you a demo of this. I've got an OS X server.
Now I'm just going to cd into my own-- it's an Open Directory master. And you can see we've got a couple of users here in our LDAP database. And we've got a testbunny user. If I read that in, my user shell is /bin/bash. What if I wanted to override that? I can come into here.
If I remember the password. There we go. And I can edit my mappings. Right now we're using the default open directory server mappings, but I can go down here into users. I'm going to pretend this is a third-party directory server. Can I zoom in? That means I'm going to have to remember that key command. Command Option 8. See, always somebody yells it out when that happens.
Command Option 8 not doing anything for me. And now everybody's mumbling. Universal access, we'll do it the old-fashioned way. Seeing Zoom is on. Command. That's on. And zoom in. All right, so plus. There we go. How about that? That's going to make me sick up here. Thank you. Here all week.
So these are our attributes that we're going to be looking for when we go through the system. All right, so these are the attributes that we're associating with the user record. We've got a user shell attribute in here. Right now it's mapped to loginShell, but if I put #/bin/ksh, right, and hit OK, I've changed that mapping.
If I now go back, Command Option 8, boom, there we go. How about that? Quit out of dscl. Go back into dscl. cd LDAPv3. Users, read testbunny. Notice that my user shell is now /bin/ksh. All right, so that's a client-side change that I've made. And I didn't have to write that information back to the LDAP directory server.
This is killer when dealing with eDirectory. This is killer when dealing with Sun ONE. This is killer when dealing with a recalcitrant LDAP admin, right? If you can't get them to change the information, you can change your client machines, and you might be able to work around a lot of this stuff. If I go back into here, Command Option 8, zoom, go back to these mappings.
Let me back it out a little bit there. All right, how about that? Man, people ask for it and then they don't like it. User shell, and I can come into here, and I can map it over just to a value, so $uid$, for example, which means it's going to look up whatever the uid attribute is in this user's LDAP record, then going to swap it in here on the fly. Hit OK, hit OK, going to do that, back to here, quit, starting to get good at this. Users, read testbunny, and now my user shell is /bin/testbunny.
All right, if I read my diradmin, notice it's the same thing, well, with the variable involved at least. So definitely we're getting variable mappings here. We're pulling that information out, and we're changing it on the client side. When you're experimenting with this, it's always nice if you go back in and change it back to Open Directory Server there. All right, that helps us, the rest of the demos go better. Back to the slides, please.
Static and variable mappings. Very, very cool, very, very powerful stuff. Keep this in mind as you're working with the other LDAP directories as you go out there. If that's not enough, or if you really want to do this the right way, and by the right way I mean putting it all where it should be in a central place. Directory services is the whole idea that you don't have to micromanage things anymore. You don't have to do workarounds. You don't have to do hacks to get things to work.
This is a political issue, though. This means going into the LDAP database to add the attribute specific to Apple, specific to OS X. You can do this with AD. You can also do this with LDAP. It's a little easier when you're dealing with an LDAP directory service because most LDAP admins are interested in this kind of thing. They can roll it back.
They're aware of the schema files. That way you go in. You do it the way it was intended. You do it the way it's been QA'd for and everything else. You're going to get a much better experience. That's not to say that static mapping doesn't work. We have lots of places doing that because they have to. However, in a perfect world, you'd be putting it all in the directory service where it should live.
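The static and variable mapping rule from the demo above, shown as an added shell example that is not from the talk and not Apple's plug-in code. It follows the rule as the talk states it: a mapping that starts with # is a literal the client never reads from the server, $attr$ inside that literal is replaced with the record's value for attr, and any other mapping names an LDAP attribute to read directly. The record is a constructed ldapsearch-style snippet and the server name osxs.apple.lan is an assumption.

```shell
#!/bin/sh
# Added example (not from the talk): resolve an OS X LDAPv3 plug-in attribute
# mapping against one LDAP record, following the client-side rule:
#   "#literal"        -> literal value, never fetched from the server
#   "#...$attr$..."   -> literal with $attr$ replaced by the record's attr value
#   "loginShell"      -> read that attribute from the record
set -eu

# resolve_mapping MAPPING LDIF_FILE -> prints the resolved value
resolve_mapping() {
  mapping=$1
  ldif=$2
  case $mapping in
    '#'*)
      awk -v tmpl="${mapping#?}" '
        # remember the first value of each "attr: value" line
        /^[A-Za-z][A-Za-z0-9-]*: / {
          a = $1; sub(/:$/, "", a)
          v = $0; sub(/^[^:]*: /, "", v)
          if (!(a in rec)) rec[a] = v
        }
        END {
          # substitute left to right so a value containing "$" is never re-expanded;
          # an attribute missing from the record expands to the empty string
          rest = tmpl; out = ""
          while (match(rest, /\$[A-Za-z0-9-]+\$/)) {
            name = substr(rest, RSTART + 1, RLENGTH - 2)
            out = out substr(rest, 1, RSTART - 1) ((name in rec) ? rec[name] : "")
            rest = substr(rest, RSTART + RLENGTH)
          }
          print out rest
        }' "$ldif"
      ;;
    *)
      # plain mapping: look the named attribute up in the record
      awk -v a="$mapping" '
        $1 == (a ":") { v = $0; sub(/^[^:]*: /, "", v); print v; exit }
      ' "$ldif"
      ;;
  esac
}

# Constructed record for the testbunny user (assumed base dc=osxs,dc=apple,dc=lan)
make_sample_record() {
  cat > "$1" <<'EOF'
dn: uid=testbunny,cn=users,dc=osxs,dc=apple,dc=lan
uid: testbunny
uidNumber: 1025
gidNumber: 20
loginShell: /bin/bash
EOF
}

if [ "${1:-}" = demo ]; then
  rec=$(mktemp)
  make_sample_record "$rec"
  resolve_mapping 'loginShell' "$rec"                              # read from the record
  resolve_mapping '#/bin/ksh' "$rec"                               # static, client side only
  resolve_mapping '#/Network/Servers/osxs.apple.lan/Users/$uid$' "$rec"   # home path built from uid
  resolve_mapping '#20' "$rec"                                     # primary group with no server attribute
  rm -f "$rec"
fi
```

Run it with the argument demo to see the four resolutions. Everything this script returns for a "#" mapping is decided on the client, which is the point the demo makes: it works around a directory you cannot change, but every client must carry the same mapping file.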
[Transcript missing]
I have a lot of people that have good success with using LDAP, the LDAP plug-in to connect to Novell. Dan Sinema has done a great job of putting out some of this information on how to integrate. MacEnterprise.org has some of this information on there. Also, we have a third-party plug-in now from Condrey Consulting called Kanaka, which allows you.
It's an open directory plug-in that integrates with Novell. It makes it a little easier to mount the home folder, do some other things like that, and certainly makes it easier from an administration side. So if you're interested in integrating with Novell, please take a look at this, as it may be very interesting to you.
The thing I like most about OS X as a directory service is the ease of use we have in combining multiple directory services together. We can have an LDAP server hosted on an OS X server, use Open Directory to connect to that. We can have an OpenLDAP server, use LDAP to connect to that. We can throw in the AD plugin, connect to that. And if you really enjoy root canals without Novocaine, you could probably go further and throw in NIS and a few other things.
All of that will be useful. All of that will be usable users that we can authenticate from. All at the same time. Your authentication path and directory access determines how you're going to go through that. So it's a really, really cool way of going through combining the best parts.
If you've heard me talk before, you've probably heard me talk about the magic triangle, the reverse magic triangle, things like that. Because of our ability to work with multiple directory servers, we have that ability to combine the best parts of both to get what we need out of it. That and sell more Xserves. Very important.
Here's an example of using a secondary directory. You have to keep the records together. So, for example, if I have a user record in one, the entire user record has to be there. I'm not going to have lookups from one user record that refer to attributes over here in another LDAP database. Then you just add them both into the LDAP plugin, and then you go to your authentication path, and you'd add them both into there, too. So lots of different options, lots of different flexibilities.
Here's a quick little rundown of them. More information, man. You gotta look it on there. So use this for reference when you're going back through, but it's essentially the stuff that we talked about. NIS being NIS. Active Directory, use the AD plugin. There's a few outliers of why you might wanna use the LDAP plugin for Active Directory, but for the most part, you're gonna be happiest, you're gonna be easiest with the Active Directory plugin for that kind of integration.
LDAP, fully getting into LDAP, fully creating an LDAP server, putting all the information, extending the schema, is probably gonna be your best and your happiest, your most stable system. So I'd push you towards that if at all possible. Third-party plugins, hopefully we come out with more for Open Directory as we mature and grow. That's one of the reasons why I really like to see this one for Novell.
Not so much just because it's a one for Novell, but because it's also a third-party plugin, a third-party developer that's creating commercial software for the plugin like that. And then definitely keep in mind the idea that you can easily use a combination of all this. Alright, so now I want to do an OS X to Linux demo.
If we go back to the... The demo machine here. I've got redhatfedoracore.apple.lan. All right, so that's my LDAP server that I'm going to be connecting to. If I want to, I can do a quick ldapsearch and see if I see the information on it. 10.0.0.11, search base. Get an -x in there, search base. dc=redhatfedoracore. This is some information that I would have found out, either from my administrator.
Now I can see a bunch of responses back from there. So now I know I actually have an LDAP database out there. So I just did a quick LDAP search. It's common to maybe use an LDAP browser. There's a Java LDAP browser out there that a lot of people like.
LDAP Manager is a SourceForge project. It's a full-blown Cocoa browser. phpLDAPadmin is another product that I use quite a bit. Open source web-based LDAP browser. This would give you a good idea of what's in your directory and what you can connect to. We're going to go into Directory Access here.
Going to the LDAP, now I'm going to add a new one. I can actually use DNS. DNS works. redhatfedoracore.apple.lan. Go manual. Let's call it Red Hat. From server, we're not going to have the mappings on the server. So we're going to pull down and use the RFC mappings. dc=redhatfedoracore, dc=apple.
If you do any LDAP work, you're going to get really used to typing in dc= and commas. Hit OK. If I go to authentication, I'm going to add it in. So now I've got this Red Hat in here. Hit Apply. Immediately go down, go back up to dscl, the Directory Services command line.
cd LDAPv3. In here, I see both my local, my loopback directory server. That's my Open Directory server. I also see my Red Hat server. So I can cd into that. See we got some users here. Here's the moment of truth. We can do an ls. We listed that. We're getting user records in here. This is cool, right? That was three minutes, right? Shouldn't really congratulate me. You should congratulate the directory services team that have put all this together. But I'll take it anyway.
All right, so now I can do a read of a user. read elvis. Did I put Elvis in here? Typing skills help. So here's Elvis hanging out in the LDAP directory system. If I quit out of this, id elvis, boom. We've got id user resolution, UID 1000. We're actually going to go in here, and so we don't conflict. We're going to-- I'm going to take myself out of the equation. So I'm not authenticating to there. At which point I can su. I've got another user in here. If I remember the password.
Here we go. Who am I? I'm me. I can do an ID on myself. I'm pulling this out of the Linux LDAP system. All right. Done. Tea time, 3 o'clock. You'll be there. Some things that we're missing from a setup like this is we'd be missing the network home folders and things like that.
You would have to go in, extend the schema, or go in and do the static and the variable mappings to get that to go through the rest of the way. So keep that in mind. Another thing that I really want to point out, if you go back into LDAP here and we edit this system, notice in security everything's unchecked.
It's best if you go through and you start checking these boxes and make sure that you're using SSL for this kind of stuff. You want to make sure that you're using SSL so you don't leave clear text passwords going through. We do. Let me zoom in on this.
We do have the ability to disable clear text passwords, which means it won't ever try that. This is killer. This prevents us from ever sending that out. Use SSL anyway to make sure that even if you do send a clear text password, that you're going to have a little bit of security wrapped around that. Also, we can bind. We can bind as a user to that directory system. So we now have a machine account that we can create and go through there. So really, really cool stuff. Really, really easy to integrate all these pieces together. Back to the slides.
File sharing. I want to do just a quick rundown of a couple of different file sharing protocols that you might be able to use here and different things that you'll be able to do with them. Our big choices are AFP, SMB, NFS, FTP, WebDAV. I just kind of grabbed everything that Connect to Server can do.
[Transcript missing]
SMB. A very close second to AFP as far as home folders. We do support SMB home folders for users. So if you've got a big NetApp filer or something else like that and you want to do SMB connections to it, we'll be able to do that.
Windows servers we definitely work with. Make sure you disable the security policies so that you disable signing and encrypting, and we don't do DFS. He's always complaining about this up front, but the only one, all right, so that's a wonderful gentleman from the University of Michigan up here. So I'll point them out.
All right, so Samba servers we can also do this for, and NAS devices, right? If you have a NAS device, a filer of some sort, it's many times that you're using SMB to connect to that. Very common in university situations is NFS. Huge amounts of NFS to support the Unix systems that are already in there.
We can use that here. We can use that for home folders. A little bit of an advantage with fast user switching, because we don't have to disconnect and reconnect. So with an NFS home folder mount, you can do fast user switching with network users. We can also use it for serverized supports, fast user switching. Obviously, this is very popular with Linux and Unix environments, and also NAS devices, depending on whether you trust the SMB or the NFS coming out of your NAS device more. You might use one or the other.
FTP is not a home folder system. You're not going to use FTP for home folders. Great for file sharing, but right, FTP's got its own issues with security, or lack thereof. So definitely, and it's read-only in the Finder, so that would really be tough for a home folder to do anything with.
WebDAV, perhaps a nice way to do basic sharing, basic cross-platform sharing, perhaps over web connections with SSL, stuff like that. It's incredibly improved in Tiger. We've got Kerberos support for it. We support SSL for it. Two big things that we really needed, we got those in there. However, you're not going to use it for home directories, and in many times, if you've ever administered a WebDAV server, it's a little weird on the permissions. So depending on which one you use, if you're just using mod_dav on Apache. Definitely, it's probably not going to be a very enjoyable experience for complex permission schemes.
OS X comes a very, very long ways in terms of backup support from clients. Remember just a short time ago we had one? Now we have many. BRU from the Tolis Group, Retrospect, Atempo, Arkeia, Tivoli, Veritas, Breezehill, Legato, ArcServe, BakBone. When I did a quick little search and looked at some of our product marketing literature and stuff like that, I found that we have software clients of some sort for these systems, either 10.3 or 10.4. Definitely check with the vendor for what they support, with 10.4 being pretty new out here. So lots and lots of options. Some of these are downstairs in the data center. Take a look at them. See what you need. See what you can use.
So hopefully we can play well with a lot of other systems. Worst comes to worst, right? You go to my scripting session yesterday and you learn how to back it up yourself by sending it off to a file share or something else like that. So it's a lot easier to integrate with these things now.
That's cool, right? But that's last year. That's us integrating with somebody else. What happens if we want to be the top dog? What happens if we want to be the number one directory service and have others be subjugated to us? Part of plans of world domination, I'll admit to them right here. This was an interesting experience for me.
I've been wanting to do this for quite a while and actually sit down and document it. You should see some documentation coming out in a little bit about this. You read on the mailing list kind of whispers here and there of, oh, I integrated my Linux box to open directory and it was great and it all worked. But then they never tell you how. They never tell you the steps they went through.
Part of that's because every Linux distribution, certainly between Linux and Unix and Solaris, they're all different and they all interact with LDAP directory systems in different ways. So it may or may not be a simple experience for you. was a little more pain for me. Linux, though, was pretty easy. They have a lot of support for this. A lot of clients do this well. So I'll hopefully walk you through how to do this the hard way and the easy way.
When you're dealing with Open Directory, just like I like Open Directory because it plays well with other systems as a client, we also play fairly well with other systems as a server. We use OpenLDAP. We use Kerberos. All of these are standards. We use 100% the MIT Kerberos KDC. OpenLDAP, very, very much all OpenLDAP. So we're supplying this so we can easily integrate with other systems in this way.
In many cases, when you're dealing with LDAP integration, it's the Mac client that needs more information. In Open Directory, we put all the stuff in there, all the stuff that a Linux machine is going to use. So you're going to see how easy it is for us to connect up into that. So again, we play very well with others.
So as far as directory services go, first of all, we can talk about an NT PDC real quick. It's great that we have the PDC. We have a session here right after this one in this room about it. It's great in 10.4 that we now can act, our replicas can act as backup domain controllers, so it actually becomes very viable in an enterprise and institutional environment.
I wouldn't use it for more than 100 PCs, right? An NT domain is not even last year's technology. So it's going to be hard to convince people to do a lot with that. So if you're moving for more than 100 PCs, I usually suggest if you were in my AD session, we talked about the reverse magic triangle. We did the Kerberos Cross Realm Trust.
That's definitely a good solution for you to go if you've got more than 100 PCs or so. Definitely give it a go. Take a look at it. With the backup domain controller, it becomes a viable solution, especially if you only have a half dozen PCs or something else like that that you want to keep around in your network.
LDAP on Open Directory. Common directory service amongst non-Windows clients. So it's a common denominator for most everything else that's out there. Easy integration with most Linux distributions. This is Red Hat Fedora Core up here. If you've seen me carrying around this laptop for three days, it's really been kind of the bane of my existence. It's rather heavy. It's caused me rather late nights, and like I said, it made me appreciate OS X a lot more.
But I've gone through the pain, so you don't have to. I took that bullet for the team. Happy to do that. So we'll do that in a little bit as we go through there. Key note about group membership. Other systems won't support Tiger's nested groups, just like you can't do this out of Windows when you are an LDAP client. We can't resolve that back many times. Keep that in mind.
Keep your groups flat. That'll make it easier. I had a line up here that's not quite true that we now list group members by full DN. That's I hope we now list group members by full DN. We do it when we start off, but we don't actually keep it up. So if you have questions about that, talk to me afterwards. Couple of files that you need to worry about when you're configuring Linux for open directory.
All right. /etc/nsswitch.conf. This is kind of like the authentication path. This is all using the pam_ldap modules from PADL, I believe, that gets us. Well, the ldap.conf and the rest. nsswitch.conf is on most Linux and Unix systems. Allows you to pick where you're pulling your authentication and where you're pulling your users from. So I'll walk you through doing that real quick. /etc/ldap.conf. That sets up where your LDAP directory is, what you're going to be connecting into. /etc/pam.d/system-auth. This is your PAM modules.
We're going to tell you to use LDAP for authentication here. And then finally, if you want to support home folders, that kind of thing, you might want to go into /etc/fstab and set up an automount for NFS. And that way you can NFS them back from the OS X server as we go through there.
Kerberos. Many of the Linux and Unix distributions very much support Kerberos very well. So you can support single sign-on. We've got a standard MIT KDC setup, so we're going to walk through that real quick, show you how all that works. And there's one config file for that, which is /etc/krb5.conf in many cases. Solaris will keep this in slightly different places. Other Linux distributions may also. But that's kind of the file that you're looking for.
And you can copy that direct from /Library/Preferences/edu.mit.Kerberos on the OS X side. I don't like to type, so you're going to see me do that. kadmin you could use. You could actually create service principals for your Linux servers, for your web servers, for latest versions of Samba and stuff like that.
You could utilize that with our KDC and open directory. So a lot of possibilities for interoperability there. So back to the demos. I'm doing my own stunts on this one, so hopefully it works out okay. Clear this off. First thing that we're going to do, let's exit out back to myself. SSH into the Red Hat box, 10.0.0.11.
Don't do this at home, but we're going to go on his route, so I don't have to worry about that pesky little authentication thing. All right, so pass the hoop over the floating woman here, and you can see that definitely we're on a red hat box. 269 is the kernel. I believe this is Fedora Core 3 right off the distro installed on there.
All right, so all the fun stuff. First thing we do, if we go through the set, you know, we can try, can I find DuraAdmin? Well, that would have been great if it just worked. But no, you're going to have to do some configuration. First step, go through nswitch.conf.
And if we go into here, some danger text and stuff up at the top. You want to go down here, password, shadow, and group. Right now they're set to files. This means we're going to look in the local files, the Etsy password file, the Etsy group file, stuff like that, for our group and for our user membership. We want it to look into LDAP also. So all we have to do, add LDAP at the end.
ID Dura Admin, no such user. Got to do one more thing. We got to tell it where our LDAP server is. So that's etsyldap.conf. All right? Come down here. Now we can look at our host. Just put in an IP address for it or a DNS name. 10.0.0.10.
Then we got to put in our actual LDAP base, which if memory serves is this. All right, let me make sure I got that right. Let me pull off something here. Oh, OS XS. Lookup. Like I said, you're going to type OS XS a lot. Put all that through here.
That wasn't so hard, was it? There's our directory admin. And if I go over here to Workgroup Manager... and now we're going to get crazy. We'll create a new group. See, I've done so many demos, I've run out of the good, funny, witty names to put in here. So I have to think of something. I'll just call it test. That's boring. But we'll save it down. Pull over here. Pull diradmin into there. Pull testbunny into here. Hit Save. Now I can id diradmin again. And notice that now we have group membership for 1025.
The one thing we don't have yet, though, is authentication. We've got the identification half of this, but we don't have the authentication half. For that, we need to go into... let me clear this out... /etc/pam.d/system-auth. And you'll notice there's all kinds of PAM modules that we're going to use to maybe authenticate ourselves with. You would go in here, and you would add in an entry for pam_ldap.
That's the hard way of doing it. I kind of wanted to draw the demo out a little bit longer. We've still got a half hour. We've still got a lot of things to talk about. So that's doing it by hand. You'd add that in. Many Linux distributions actually have a little bit of a GUI. We'll use GUI in quotes here. It's authconfig, and go. There we go. Now, this isn't the Linux side. It looks better on the Red Hat box. The window size is off and curses and whatever. Yeah, I know.
We could use X11 to it or something like that. What I want to show you here, though, is you can go down and you can go, say, select LDAP, use LDAP authentication, then hit next. It's going to ask you real quick what your LDAP server is, and then it's going to ask you what your base DN is. This is just the information that we put in by hand in the config files.
We can do it here through this authconfig GUI. All right? When we're done, we'll hit return. Now again, id diradmin. Beautiful. We're going to su into something else that lives on this box. I think admin is on here. Okay. And then we can go su into diradmin. Prompt us for a password. There we are.
We've got authentication. We've got everything else. Problem is, we don't actually have a home folder. If I do a cd here, meh. Don't know what to find. OK? So to get around that... you can just do a mount. Now first, keep in mind the showmount command. That's going to show us the NFS exports that are exported off that server. I've gone in ahead of time and I've exported out /Users. All right. So now I can mount.
into /Users, only root, ah, sorry. All right. mount 10.0.0.10:/Users /Users. No news is good news, right? And if I su into, what's a secondary user? I think testbunny I put into there, right? testbunny. All right, cd. Ha-ha, look at that. /Users/testbunny. And now you can see that we've got that mount point there in the bottom line. This user's on .10. So now we've got full support for home directories. We've got full support for users. We've got full support for authentication.
Out of the box, this is pretty simplified LDAP. We're just doing simple binds. We're doing unencrypted connections there. So you'd want to beef that up. You'd want to use SSL. You'd want to go through some of those ldap.conf files and stuff like that. I apologize for the demo being entirely text-based. I was really trying hard to come up with good ways to get flashy graphics in here.
But directory services usually isn't flashy graphics. So anyway, so there we go with all that. But we're not done yet, right? Because the next thing you want is you want to be able to Kerberize all of this, right? So we're going to cheat real quick. I'm going to open up a new window.
And I'm just going to cat /Library/Preferences/edu.mit.Kerberos. Here's our file. We'll get rid of the warnings about Open Directory, since that's obviously not going to happen on the Linux box. So we're just copying directly from this file on the OS X server. Now I'm going to go in here, exit out of that, and we're going to edit /etc/krb5.conf. Here's some default stuff that's in here. This is just an example. Notice that it looks amazingly similar to what we have. So we're going to delete all those, put our new stuff in, make sure we actually get the whole bit. libdefaults, I believe.
All right, su back to this user. Do a kinit. We're thinking, we're thinking, we're thinking. Maybe I copied it wrong. It should have it by now. This is where the demos break. Preferences, MIT Kerberos. I was hoping so much. Let's try this again. kinit testbunny and domain realm osxs.apple.lan.
We'll figure this out. Usually, that's all you need to do. I'll check what we're missing on there. And then the kinit would allow you to go through and do that connection. I might have gotten... I got the right file. And I'll have to think about this a little bit.
What? You shouldn't have to restart the Kerberos server. Just adding in Kerberos clients, meaning restarting the server, that'd be bad. Not good at all. So anyway, this will work. The problem is, once you get this, you can do a kinit, you can do a klist, everything else is going to be groovy with that. However... You're going to run into an issue where you can't ssh over. Linux ships... hey! Came back with something.
[Transcript missing]
That's bad. So you either have to downgrade one, upgrade the other, and then you'll get the single sign-on. Otherwise, all your other stuff works. Your mod_spnego, if you can get all that going. Beautiful stuff with that. So go through some of the Kerberos documentation and get all those pieces together. Hoo-hoo-hoo. No news is good news. klist, hey, we've got tickets.
All right, so that's the final piece there doing this. You could then go through and actually use mod_kerberos instead of mod... instead of pam_ldap, excuse me, pam_krb5 instead of pam_ldap, which is going to increase your security for your authentication and things like that a little bit.
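The pieces of the demo above (nsswitch.conf, ldap.conf, the pam.d line, krb5.conf and the NFS mount) collected into one script. This is an added example, not code from the session or from Apple or PADL. It reuses the demo's addresses (OD server 10.0.0.10, realm osxs.apple.lan) but the search base dc=osxs,dc=apple,dc=lan and the CA file path are assumptions; every function takes the file to write as an argument so you can run it against a scratch directory and diff before touching /etc. It also adds the STARTTLS settings the talk says you would want instead of the demo's plain, unencrypted simple bind.

```shell
#!/bin/sh
# Added example (not from the talk, not an Apple or PADL tool): scripts the
# files the demo edits by hand, against whatever paths you pass in, so you
# can inspect the result before touching the real /etc.
OD_HOST=10.0.0.10                  # OS X server from the demo
BASE_DN="dc=osxs,dc=apple,dc=lan"  # ASSUMPTION: confirm with ldapsearch -x -s base -b "" namingContexts
REALM=OSXS.APPLE.LAN               # Kerberos realm; realms are upper case
CA_FILE=/etc/openldap/od-ca.pem    # ASSUMPTION: the OD server's CA cert, copied here

# Step 1, nsswitch.conf: add "ldap" after "files" for passwd, shadow and
# group. Safe to run twice: lines that already list ldap are left alone.
add_ldap_source() {
  f=$1
  for db in passwd shadow group; do
    sed "/^$db:/{
/ ldap/!s/[[:space:]]*\$/ ldap/
}" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
  done
}

# Returns 0 only when all three databases consult ldap, which is what
# "id diradmin" needs before it stops saying "no such user".
nsswitch_has_ldap() {
  for db in passwd shadow group; do
    grep -q "^$db:.* ldap" "$1" || return 1
  done
}

# Step 2, ldap.conf for PADL nss_ldap/pam_ldap. The demo used a plain
# simple bind on the wire; "ssl start_tls" plus peer checking is the
# hardening the talk says to add.
write_ldap_conf() {
  cat > "$1" <<EOF
host $OD_HOST
base $BASE_DN
ssl start_tls
tls_checkpeer yes
tls_cacertfile $CA_FILE
EOF
}

# Step 3, the pam.d/system-auth line the demo adds by hand (authconfig
# writes the equivalent); pam_has_ldap returns 0 if a file already has it.
pam_has_ldap() { grep -q 'pam_ldap\.so' "$1"; }
pam_ldap_line() { echo "auth        sufficient    pam_ldap.so use_first_pass"; }

# Step 4, krb5.conf: the content of the server's edu.mit.Kerberos file minus
# the Open Directory-only sections, generated from the two values above.
write_krb5_conf() {
  cat > "$1" <<EOF
[libdefaults]
	default_realm = $REALM

[realms]
	$REALM = {
		kdc = $OD_HOST:88
		admin_server = $OD_HOST:749
	}

[domain_realm]
	.osxs.apple.lan = $REALM
	osxs.apple.lan = $REALM
EOF
}

# Step 5, the /etc/fstab line that makes the demo's "showmount -e" / "mount"
# of the /Users export permanent.
fstab_line() { echo "$OD_HOST:/Users /Users nfs rw,hard,intr 0 0"; }

# Dry run against a scratch directory with a constructed nsswitch.conf.
scratch=$(mktemp -d)
printf 'passwd:     files\nshadow:     files\ngroup:      files\nhosts:      files dns\n' \
  > "$scratch/nsswitch.conf"
add_ldap_source "$scratch/nsswitch.conf"
write_ldap_conf "$scratch/ldap.conf"
write_krb5_conf "$scratch/krb5.conf"
if nsswitch_has_ldap "$scratch/nsswitch.conf"; then
  echo "nsswitch.conf now consults ldap:"; cat "$scratch/nsswitch.conf"
fi
rm -rf "$scratch"
```

Point the functions at /etc/nsswitch.conf, /etc/ldap.conf, /etc/pam.d/system-auth and /etc/krb5.conf once the scratch output looks right; the hosts line and anything else in nsswitch.conf is left untouched, and the ldap.conf it writes will refuse the server until the CA file named in tls_cacertfile really holds the server's certificate, which is the behaviour you want.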
It was like 15 minutes, right? It was not hard at all to do this. You just got to find these different little pieces. This is a Red Hat box. I kind of picked Red Hat because I thought it was the easiest. I've found out that's not the case.
Plugging in a thumb drive into this thing was amazing. We had four people over at Dave's last night, a large number of empty glasses, a pager, a cell phone, a hip-top mobile, and we were still unable to get the thumb drive to mount. So, I'm not switching anytime soon, but my Linux box at home now, I can use all the same users and passwords and all the other stuff. So, really, really cool stuff that we integrate this easily with it. All right, back to the slides.
Something that I got turned on to very recently by Michael Bartosz, who had done this out at Indiana University. That was easy, so I had to fill a little time here. So I wanted to throw in something that was a bit of a think piece. I was hoping to get a demo up. If I get some chance in the IT Enterprise Admin Lab or whatever over here on the second floor, I might try it a little bit too, get a couple of machines together.
In Open Directory, we're presenting you with a flat directory space. We're presenting you with just one container where all your users go into. It's got its benefits, because it's really simple. It's really easy. We don't have to worry about the complexities of where our users are, how to put them there, where places to put them, that kind of stuff. So for smaller and medium environments, it really has a lot of value. It's very simple now for an admin who's never dealt with LDAP before to use Workgroup Manager to be productive with it out of the box very quickly.
As OS X grows, as more people pick it up, we find more and more people using this for larger and larger and larger environments. And as they go into larger environments, we need more flexibility. So one of the things that I'd like all of us to start doing, because where we lead, a lot of times engineering and everything else follows.
So we can lead with this and start really getting into LDAP and using LDAP for the flexibility that it is. And one of the concepts that we have here is the idea of distributed authorization. So we can delegate administrative tasks to certain users. You've got machines in New York.
You've got machines in Chicago. You want admins in New York that can only administer those machines in New York. To do that, we've got to do a little bit of mapping and some other stuff. In Open Directory out of the box, you just have users that are admins.
Once they're an admin, they're an admin on all the machines. And we'd like to break that down a little bit and delegate administration privileges to other users. So we're doing this by a little bit of bait and switch under the covers. Allowing Open Directory to be flexible and to not just follow into the predefined stuff that Open Directory gives us, but to take our life in our own hands and to play around with this a little bit. So it's really cool what you can do with this. The idea is first that we can create actual OUs.
Little known fact, Open Directory fully supports OUs. All right, OpenLDAP supports OUs. So you can just create one and put it in there. You can either do this with an LDIF file or you can go into phpLDAPadmin. Go into that, run that as a web server, a web service, put that in there. It's a really nice tool for doing this kind of stuff. Once you have an OU in there, we can now put collections of groups, collections of machines in there. And the second big deal of this is actually putting an access control in there.
You can put an access control list directly into the OU. You can put an access control list directly into LDAP and we replicate that out. We're using OpenLDAP 2.2 now that supports this. This means that I can set up a group of users that aren't admins that can write to the records.
[Transcript missing]
That admin group does not necessarily have to be the admin group that exists where we would normally find it. All right, so we can do a little move around with that. This is kind of like, this is a think piece. And so hopefully, this will give you a little better idea. Wow, they made this look beautiful. I had big white boxes in OmniGraffle before this hit the graphics people here. So now they're beautiful colored and all the rest.
Idea here is, if you take just the users, the groups, the machines, and access controls up at the top, that's what we have in our normal Open Directory kind of flat directory space. All right? We can go in there, and I can add in OUs. We've got an orange New York and an orange Chicago in there.
All right? Within those OUs, I can put containers of machines, containers of groups. On my client machines in New York, I'm going to go into the Open Directory access, or Directory Access, and I'm going to map through the group and the machine mappings through OU=Chicago into CN=machines and into CN=groups. This allows my clients then to pull the groups and the machines out of that particular OU. I'll go into access controls. I'll create an access control that allows a group, not the admin group, but a group perhaps called Chicago admins.
A group called Chicago Admins to write to that OU. Now I can give a user in Chicago, put them into that group, put them into a group called Admin within CN=groups, OU=Chicago, DC=example, DC=com. That local client, when I'm running Workgroup Manager, will think they're an admin for all intents and purposes, will allow them to write back using our GUI tools, all right, to create group membership, to create machine accounts, to manage those machine accounts with MCX, to manage those groups with MCX. All right, again, all through the GUI tools. Put that back into those containers within that OU. That user picks up, hops on a plane, flies to New York. In New York, the accounts are mapped through to CN=groups, OU=New York, DC=example, DC=com. I'm not an admin anymore.
All right. I go back to the data center in Champaign, Illinois. I put my world headquarters data center in there. That was funny. This is where I'm from, and if you've been there, that would be a little funnier. But, okay. Nice place. Good to get out. Nice place.
So if you go to your world headquarters data center there, and you go in, and you log in, you're not an admin either, because you don't exist in the admin group in CN=users, or CN=groups, DC=example, DC=com. All right? So now I've subjugated you just to being an admin for the Chicago OU, and just that position within there. All right? This really opens up a lot of possibilities, a lot of things that we can do within Microsoft... Open Directory. It's not crazy voodoo stuff. This is LDAP stuff. This is what the big boys have been doing for a long time.
We're coming of age, we're moving into that space where we can finally be a true directory service for lots of different users, providing lots of different services, providing lots of different control for them. I need a cool name for this. We've got a reverse triangle. We've got a magic triangle. So I'm thinking maybe an inverted magic triangle.
I've got to work on that a little bit. Bermuda triangle, exactly. Things getting a little weirder with this. This is a big chunk to bite off, I understand that, especially coming from just using Workgroup Manager and stuff like that. But some very cool possibilities, some very cool opportunities that you can do with this.
And like I said, this is all just LDAP. All right? This is what LDAP can do. It's what LDAP was designed for, and it's what LDAP is very good at. So definitely take a look at this when you're planning out large deployments. And like I said, I hope to get it up in the enterprise IT lab in a little bit.
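The per-site OU layout and the access control described above, as an added example that is not from the session or from Apple. It generates the LDIF for one site (its OU, cn=groups, cn=machines and a site-local admin group) and the OpenLDAP 2.2 slapd.conf clause that lets only that group write inside the OU. dc=example,dc=com and the container names follow the talk; the group object class (a plain groupOfNames with member DNs, which is what OpenLDAP's group.exact ACL evaluates by default) and the organizationalRole containers are assumptions.

```shell
#!/bin/sh
# Added example (not from the talk or from Apple): the per-site skeleton and
# the OpenLDAP 2.2 ACL behind the "Chicago admins" idea.
# ASSUMPTIONS: the delegated admin group is a groupOfNames with member DNs;
# cn=groups and cn=machines are organizationalRole entries.
SUFFIX="dc=example,dc=com"

site_dn()        { echo "ou=$1,$SUFFIX"; }
groups_dn()      { echo "cn=groups,$(site_dn "$1")"; }
machines_dn()    { echo "cn=machines,$(site_dn "$1")"; }
# The delegated admins live inside the site's own cn=groups, not in the
# directory-wide cn=groups where the real admin group lives.
site_admins_dn() { echo "cn=$1 Admins,$(groups_dn "$1")"; }

# LDIF for one site. Loaded once, as the directory administrator, with
# ldapadd -x -D <admin DN> -W -f site.ldif; after that the site's own
# admins do everything else through Workgroup Manager.
site_ldif() {
  site=$1
  first_admin=$2   # DN of the user who will administer this site
  cat <<EOF
dn: $(site_dn "$site")
objectClass: organizationalUnit
ou: $site

dn: $(groups_dn "$site")
objectClass: organizationalRole
cn: groups

dn: $(machines_dn "$site")
objectClass: organizationalRole
cn: machines

dn: $(site_admins_dn "$site")
objectClass: groupOfNames
cn: $site Admins
member: $first_admin
EOF
}

# slapd.conf fragment. OpenLDAP uses the first "access to" clause whose
# target matches, so this must precede any catch-all "access to *".
# "by * read" keeps the site's groups and machines readable by clients that
# map their Groups/Computers record types here; only the site's admin group
# can write, and nothing in this clause reaches outside the OU.
site_acl() {
  cat <<EOF
access to dn.subtree="$(site_dn "$1")"
        by group.exact="$(site_admins_dn "$1")" write
        by * read
EOF
}

# The Directory Access mapping a client at that site would use
# (record type on the left, search base on the right).
client_mappings() {
  echo "Groups    -> $(groups_dn "$1")"
  echo "Computers -> $(machines_dn "$1")"
}

# Demo: build Chicago, with a constructed DN for its first admin.
site_ldif Chicago "uid=cadmin,cn=users,$SUFFIX"
site_acl Chicago
client_mappings Chicago
```

Two caveats follow from the talk itself: the rootdn bypasses OpenLDAP ACLs, so the directory administrator still sees and writes everything; and because Open Directory does not keep full-DN group membership up to date, the member attribute of the site admin group has to be maintained deliberately, since that DN list is exactly what the ACL checks.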
All right. I like directory services more than I like file sharing. File sharing is boring, right? It's been doing well for a while. There's nothing sexy about file sharing. Pulling users out of LDAP directories, though, that is. That's cool. So, but a little bit about file sharing and what we support. If you're running an OS X server and you want to provide services to non-Apple clients, AFP is probably not going to be a very good option for you. All right.
Very, very few AFP clients on other systems. So you can probably just leave this one alone and move on to the next one. SMB is great. We use Samba 3012. We've got support for single sign-on. We've pushed ACLs into this. So supporting Windows clients, supporting Unix clients, that kind of stuff. SMB sharing is probably a very, very good way to go for you with Tiger, all right, to provide home directories.
NFS, much improved in speed and flexibility within Tiger. This is also a very easy Linux/UNIX path. They're used to this. That's what I did here with this Red Hat box when I mapped over the /Users folder to that. So Linux/UNIX, I can do a lot of NFS work with. FTP, again, great for sharing files.
Not going to work for home folders, although I'm sure there's a project on SourceForge that does that for you, if not about five. So there's basic options with the built-in FTP server in OS X. Pure-FTPd, ProFTPD, other ones, all these other open source servers and commercial ones you can put in to get you more flexibility with.
Backup. It was really exciting last year or the year before to get all these new backup clients that we have so we can interact with others. It's really great now to have more than two backup servers that run natively on OS X server or OS X. These people are also downstairs in the data center. BRU and in no particular order here. Not even alphabetical order.
BRU, Retrospect, Atempo, Breezehill, Backbone. I believe Backbone announced some new products. Atempo also did this week if I remember correctly. So definitely take a look at those. You can back up all kinds of other clients using an OS X system as the backup server for that. Buy lots of Fibre Channel. Get lots of Fibre Channel drives. Get lots of Fibre Channel RAIDs. Put lots of Fibre Channel tape drives out there. Good stuff.