NDS and The Computing Infrastructure
Division of Computing and Information Technology
Clemson University
January 22, 1998
Agenda
• Background on Clemson IS
• Mission & Support Structure
• Userid Management
• Network Design
• Server & Network Access
• Public Access Labs
• Printing
• Electronic Mail
• Intranet
• Authentication Server
• Futures
Background on Clemson Information Systems
Background
• Large systems background
• Strong development shop
• Mainframe and open systems expertise
• Departmental LANs ruled the 90's until NDS
• NDS populated in Summer 1995 (36,000)
• Departmental LANs gone. More centralized management of the network.
• NDS is the centerpiece of security and authentication.
Mission & Support Structure
Mission
• Provide computing infrastructure.
• Empower users and departments.
• Provide guidance in selecting solutions based on industry standards.
• Deploy solutions to meet the needs of institutional computing.
• Provide user support and training.
Defining Groups
Network Services - supports the physical network…routers, hubs, backbone
LAN Systems - supports application, group, and personal data servers.
Client Support Group (CSG) - supports faculty and staff via TSPs.
Systems Integration Group (SIG) - supports students and departmental labs.
Defining (more) Groups
Computer Resources - assists with user account problems (DCIT sponsored).
College Consultants - DCIT sponsored person and college sponsored person(s) that help support the end users of the college.
Technology Support Provider (TSP) - supports faculty/staff end users
Help Desk - sponsored by DCIT to assist end users.
Support Structure
Support is based on a four tier model.
[Diagram: problems from faculty, staff and students are routed through tiers 1 to 4 of the support structure: TSPs, Help Desk, College Consultants, Computer Resources, Client Support, Systems Integration, LAN Systems and Network Services.]
Server Strategy & Management
• Novell and NT servers maintained by the Division of Computing & Info Tech (DCIT).
• DCIT provides hardware and the Network Operating System (NOS).
• DCIT administers backups.
• DCIT performs user administration.
• The group maintains data and security with the help of a Tech Support Provider (TSP).
• Virus protection and software metering
Userid Management
Automatic Userid System (AUS)
[Diagram: Personnel, Admissions and other source systems feed AUS on MVS, which creates userids on Unix, NDS and other systems.]
Automating User Maintenance
[Diagram: Personnel, Admissions and other sources on MVS feed AUS. Present: a daily UIMPORT run, with data moved by FTP. Summer '97: USRMAINT.NLM updates NDS in real time over TCP/IP.]
• Add Users
• Modify User Attributes
• Delete Users
Network Design
Physical Network Design
[Diagram: servers attached to a 100BT switch on an FDDI backbone, with 100BT and T1 links out to the rest of the network.]
Tree Design
Every Person Has a Place
[Diagram: the ClemsonU tree has Users and Organizations subtrees; Users holds Students, Misc and Employee containers, each subdivided A to Z.]
Every Group Has a Place
[Diagram: the ClemsonU tree has Users and Organizations subtrees; Organizations holds Athletics, DCIT, Forestry, Research, Deans Office, CAFLS and CES.]
Partition Design
[Diagram: the Students and Employee containers are partitioned A, B ... Z; Athletics, CSO, CSG, APS and DCIT are separate partitions under ClemsonU.]
Use Dedicated “ROOT” Servers for NDS Replicas
[Diagram: CU_ROOT_1, CU_ROOT_2 and CU_ROOT_3 (at ITC) on the 100BT switch and FDDI backbone hold the NDS replicas: the Master for all partitions, R/W for all, and R/W for the user partitions "A" to "Z"; a Group Server holds an optional R/W replica.]
Distribute Network Management
Login Script Design
• Based on Profile scripts and User scripts. No container scripts.
• Use base profiles: (EMPLOYEE, STUDENT)
• Base profile includes high level organizational scripts based on membership.
• Organizational scripts controlled by TSPs.
• Organization scripts may include departmental scripts managed by others.
Script Design & Management
[Diagram: the User Script calls the base profile .EMPLOYEE.employee.clemsonu, which includes .GROUPIFS.employee.clemsonu and the organizational scripts .ENG.ces.clemsonu and .AG.cafls.clemsonu; those include departmental scripts such as .BioE.ces., .Civil.ces. and .Forestry.cafls.; ISALAB is also shown.]
Server Time Sync Hierarchy
[Diagram: ServerC is the Reference time server, synchronized to an External Source; ServerA and ServerB are Primary; ServerD and ServerE are Secondary.]
Server and Network Resource Access
Personal Storage (User Data Servers)
[Diagram: StudentD serves any student from dorm, lab or dialup; EmployeD serves any faculty or staff member from office, lab or dialup.]
Personal Data Server Configuration
                EmployeD        StudentD
Processor       Dual Pro-166    Dual Pro-200
Memory          512MB           768MB
Disk            50GB - RAID5    93GB - RAID5
Replicas        None            None
Homedirs        ~11,000         ~25,000
Base Quota      100MB           25MB
Collaborative Storage - “Group Servers” (Faculty & Staff)
[Diagram: EmployeD users also use Group Server1 and Group Server2.]
Collaborative Storage - “App Servers” (Students)
[Diagram: StudentD users also use Applications Server(N).]
Group/App/Root Server Average Configuration

                Group           App             Root
Processor       P200            P166            Pro-200
Memory          128MB           64MB            256MB
Disk            8GB             4GB             2GB
Replicas        Possible R/W    None            All Replicas
Users           25-250          25-250          250-800
Volumes         SYS,SHARE       SYS             SYS
Collaborative Storage (Faculty and Students)
[Diagram: EmployeD and StudentD users share Group Server1 and an App Server.]
Faculty/Student Collaboration
• Faculty member wants to put data on the network that his students can use.
• Student submission of work to faculty.
• Students collaborate on team projects with assistance from faculty member.
• Students and faculty collaborate on projects or assignments.
• Publish web pages as a team or class.
Faculty and TSP/Client Support Management
[Diagram: areas on Group Server1 with ReadOnly, CreateOnly and ReadWrite access, and Teams with R/W access via Tgroups.]
Collaborative Storage and Network Bandwidth
[Diagram: Group Server1.]
Public Access Labs
The Virtual PC
Outline
• Environment for the Virtual PC (VPC)
• How the Current VPC Environment Evolved
• Mechanics of the VPC
  • Setting up the Computer
  • Boot time
  • Login and Login Script
  • Profiles
• Software Involved
• Future Directions
Standard Lab
• Standard Set of Applications
• Standard Operating System(s)
• Contextless Login
• Standard Drive Mappings
• Identical Hard Drive Contents
The Environment as Seen by the Machine
• Data Servers
• Application Servers
• Hard Drive Image
• Handling Locations and Hardware
Personal Storage (User Data Servers)
[Diagram: as above; StudentD serves any student from dorm, lab or dialup, EmployeD serves any faculty or staff member from office, lab or dialup.]
Collaborative Storage - “App Servers” (Students)
[Diagram: as above; StudentD users also use Applications Server(N).]
Goals of the Virtual PC Paradigm
• Easy Maintenance
• Provide Global Access to Password Protected Network Disk Space
• Allow User to Customize his Desktop
• Same Environment (“look and feel”) Regardless of Location, Hardware, or Facility Ownership
Evolution
Pre-Netware -> Windows 3.11 under Netware -> Windows 95 under Netware
How it Happens to the User
Constructing the Machine
• The Rebuild Disk
• REBUILD <location> <pctype> {options}
• Importance of VLM Client
Boot Time Events
• Location, PCType, “ISALAB”, and Other Environment Variables
• Some Registry Updates to Ensure Default Desktop Appearance and Server Failover Keys
Contextless Login
• Can’t Teach End Users What a Context is
• Using Commercial Product Because Netware SDK Lacks Information
The Login Script
• Perform Some Basic Actions
• Perform Group-specific Actions
• Perform Lab Actions
• Load Profile
Isitcool - Fail-over Applications Server Attachment
[Diagram: a Lab 1 workstation with its disk image and applications queries the ISITCOOL NLM on Applications Server(1), (2) ... (n) in turn; each answers YES! or NO!.]
1. Using IP, get info from primary app server ISITCOOL.
2. If attach failure or ISITCOOL reports no, try next server.
3. Attach to server using Netware client.
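The three steps above as a runnable procedure (an added example, not Clemson's ISITCOOL code): the probe and attach callbacks and the server names APPS1 to APPS3 are assumptions standing in for the ISITCOOL query over IP and the NetWare client attach.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Probe answers modelled on the ISITCOOL query over IP: "yes" (attach),
# "no" (server declines lab clients) or "unreachable" (no answer at all).
Probe = Callable[[str], str]
Attach = Callable[[str], bool]


def select_app_server(servers: List[str], probe: Probe,
                      attach: Attach) -> Tuple[Optional[str], List[str]]:
    """Walk the application servers in priority order and return
    (server attached to, or None, trace of what happened at each step)."""
    trace: List[str] = []
    for server in servers:
        answer = probe(server)                    # step 1: ask ISITCOOL over IP
        if answer != "yes":                       # step 2: a NO or a dead server
            trace.append(f"{server}: isitcool={answer}, trying next")
            continue
        if not attach(server):                    # step 3: NetWare client attach
            trace.append(f"{server}: attach failed, trying next")
            continue
        trace.append(f"{server}: attached")
        return server, trace
    trace.append("no application server available")
    return None, trace


# Constructed lab state (assumption): primary says NO, second is down, third is fine.
SAMPLE_STATE: Dict[str, str] = {"APPS1": "no", "APPS2": "unreachable", "APPS3": "yes"}


def sample_probe(server: str) -> str:
    return SAMPLE_STATE.get(server, "unreachable")


def sample_attach(server: str) -> bool:
    # The attach only succeeds where the server is actually up.
    return SAMPLE_STATE.get(server) == "yes"


if __name__ == "__main__":
    chosen, trace = select_app_server(["APPS1", "APPS2", "APPS3"],
                                      sample_probe, sample_attach)
    print("\n".join(trace), "\nattached to:", chosen)
```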
Loading the Profile
• PCRDist is Called by the Login Script
• PCRDist Imports User Registry Keys from Directory Mapped to Drive U:
• First Time Lab Users Get Setup
• Printers
Special Mappings and Events
• Mapping Shared Disk (most done by Login Scripts)
• NAL (will eventually be doing most special mappings)
Collaborative Storage - “Group Servers” (Faculty & Staff)
[Diagram: EmployeD with Group Server1 and Group Server2, as above.]
Collaborative Storage (Faculty and Students)
[Diagram: EmployeD, StudentD, Group Server1 and App Server, as above.]
Logout
• Logout Only
  • Export User Registry
• Logout and Shutdown
  • Export User Registry
  • Perform Maintenance
Problems
• Present Implementation not Scalable
• DCIT Lab Support Must do All Software Installs
• DCIT Lab Support Must Handle All Initial Lab Setup Operations
• If Present Trends Continue, Labs of Computers will be Replaced by Labs of Network Jacks
• Image must live in the login directory (not protected)
• Metering
Summary of Novell Components
• Netware Client32 (IntraNetware Client)
• NAL
• VLM Client
Summary of Novell Products We Can Almost Use
• NAL
  – Requires execution of some app
  – Will not permit re-mapping
• SnapShot
  – We can't distribute apps with NAL, so .AOT files are useless. This makes SnapShot useless
• Client32 (IntraNetware Client) Login
  – Need contextless login
• NRS: will not allow replication of directories on SYS (specifically, login)
Summary of 3rd Party Products
• SoftTrack
• PC Rdist and TRAPSD
  – Need a Netware client with integrated profile handling and event hooks
• SFLogin
  – Need a contextless login with event hooks
• NWCopy
  – NRS needs to allow us to replicate specific SYS volume directories
• Pcounter
  – Need better auditing tools
CU Products
• cumap
• isitcool
• datacool
• editreg/patch95
• editini
• difrator (in development)
• labstats (in re-development)
Future Directions for Us
• Departmental Software (Hardware?) Installations
• Remote Control of Workstation
• Queuing Users Waiting for a Computer
• Move from Lab to Laptop
Future Directions for Novell's Products?
• Client integrate profload stuff
• Logout exits
• Client should allow us to customize the machine as well as the user. We can think of a dozen uses for the Computer object in NDS!
• Basically, Novell should handle the profiles (store the sludge in NDS?)
• Metering
• Improve Auditing Tools
Printing
Printing Strategy
• All shared printers are network attached, supporting only the IPX protocol (HP JetDirect).
• All printer access is controlled through NDS print queues.
• Unix Print Services makes any print queue available to Unix/MVS/??? hosts using the standard LPR/LPD protocols.
• Unix Print Services also makes the high speed institutional printers on MVS available to both Netware and Unix users/applications.
Printing Strategy
[Diagram: OS/390, Unix and other hosts reach the NDS print queues (Q) through the Print Gateway; PCs and Macs print to the same queues.]
NDS Design for Printing
[Diagram: the clemsonu tree holds Printers containers under Employee (A, B, ...) and Students, printer containers named by location (Poole, Library, ITC, ...), and PrtDev containers under CAFLS and CES (Civil, Mechanical).]
Electronic Mail
Electronic Mail Server:
• Based on Sun Solaris.
• No user accounts required on Solaris.
• Server software developed at Clemson.
• Multiple recipients / one copy of message.
• Server based on POP/MIME Internet standard protocols.
• IMAP4 coming?
• Eudora site license purchased by DCIT.
• Listserver gaining widespread acceptance and use.
• Class/section list automated.
Mail Server
[Diagram: POP clients (POPc) on DOS, mainframe, Windows, Mac, UNIX, OS/2 and other platforms talk to popD and ListD on the MailServer.]
Mail Server: Statistics
Category                                   1995   1996   1997*
Daily Average POP Connections               14k    46k    85k
Daily Average Msgs Retrieved from Server    13k    36k    62k
Average Msgs Sent using Server per day      27k    48k    92k
*based on partial year statistics through May 26, 1997.
Automated Distribution Lists
[Diagram: ListMGR on MVS OS/390 sends Class, Roles and Departments data over TCP/IP to ListD on the MailServer.]
Automated NDS Group Membership
[Diagram: ListMGR on MVS OS/390 sends Class, Roles and Departments data over TCP/IP both to ListD on the MailServer and to the NDSGroupMGR NLM.]
Student Interface to Collaborative Storage
• Use DMOs along with a graphical tool to have users select and map network resources to make them available.
Managing Distribution Lists with NDS
[Diagram: GroupMGR.NLM registers with NDS via RegisterForEvent() to monitor group membership modifications (1. Membership, 2. See Also) and updates ListD on the MailServer over TCP/IP.]
NDS Interface to the List Server
• Enabler for collaborative work between faculty and students.
• Uses data from the employee system on MVS to keep department NDS groups correct.
• Lets users use NWAdmin to administer e-mail lists.
• Eliminates the need to make changes to both NDS and the list server.
• Ensures that data is correct everywhere.
Intranet
WEB Serving
• Institutional Servers
• Department or Group Servers
• Organizational Page Servers
• Personal Page Servers
• Administrative and Student Application Page Servers
• NDS web Security via NT/Unix/?
Authentication Server
Authentication Server
• Too many userid/password combinations for each user to remember.
• Need a central set of secure servers that all systems use for authentication.
• Clemson University Personal ID (CUPID). Based on the Automatic Userid System (AUS). Idea born in an interdepartmental task force. Production on July 1, 1996.
Authentication Server
[Diagram: authC clients on MAIL, WEB, mainframe, Unix, Netware, Sun, NT and Oracle systems query AUTHSERV.NLM running on IntranetWare Servers A, B and C, which consult NDS. Shown: Mainframe (MVS) with VTAM, RACF, AuthClient and Onlines; MAIL (Solaris) with AuthClient and POPd; NT Server (4.0) with AuthClient, Website and Application; Linux with AuthClient, Apache and Application; User Workstation ('95/Mac/NT Workstation) running Eudora, TN3270, Netscape and Login.exe.]
Authentication Server
• NLM is multithreaded.
• Clients use a common code base.
• Clients have builtin failover capability.
• Communication based on TCP/IP sockets.
• >90% of successful password checks complete in less than 0.1 seconds.
• >2 million requests serviced by the primary server over a 6 week period. 50,000/day
(Back to) Intranet
NDS Authentication through NT/Unix/other to the WEB?
Application: Employee Info System (EIS)
Type: WEB
Server OS: Windows NT 4.0
Server Enabling App: Website/Visual Basic
Using NDS Security Across the Intranet
[Diagram: an authenticated client (Netscape) sends a page request to IIS on NT 4.0; a 32-bit DLL AuthClient issues CheckEquiv to the AUTHSERV NLM, which runs Check Security Equivalence against NDS: locate the user object and run the equivalence list.]
AUTHSERV Client Functions
• Password Check
• Password Change
• Resolve to Fully Distinguished Name
• Check Security Equivalence
• Return Group Membership
• Misc Administrative Functions
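How the Resolve to Fully Distinguished Name and Check Security Equivalence functions can be modelled, as an added example rather than the AUTHSERV NLM's own code: the in-memory DIRECTORY, the users jdoe and asmith and the webadmins group are constructed, while the resadmin group name is the one the htaccess example on this page requires.

```python
from typing import Dict, List, Optional

# Constructed directory (assumption): FDN -> attributes. "Security Equal To"
# holds the objects a user inherits rights from; NDS adds a group there when
# the user is made a member.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    ".jdoe.a.employee.clemsonu": {
        "Security Equal To": [".resadmin.groups.employee.clemsonu"],
        "Group Membership": [".resadmin.groups.employee.clemsonu"],
    },
    ".resadmin.groups.employee.clemsonu": {
        "Security Equal To": [".webadmins.groups.employee.clemsonu"],
    },
    ".webadmins.groups.employee.clemsonu": {},
    ".asmith.b.students.clemsonu": {},
}


def resolve_fdn(login_name: str) -> Optional[str]:
    """Contextless login: map a bare userid to its FDN, None if ambiguous or unknown."""
    hits = [fdn for fdn in DIRECTORY if fdn.split(".")[1] == login_name.lower()]
    return hits[0] if len(hits) == 1 else None


def containers_of(fdn: str) -> List[str]:
    """Parent containers, to which every object is implicitly security equivalent."""
    parts = fdn.strip(".").split(".")
    return ["." + ".".join(parts[i:]) for i in range(1, len(parts))]


def check_equiv(fdn: str, target: str) -> bool:
    """Check Security Equivalence: locate the user object and run its list.
    The list is the object itself, [Public], its parent containers and the
    explicit Security Equal To entries. NDS equivalence is not transitive, so
    the equivalences of a group on that list are deliberately not followed."""
    if fdn not in DIRECTORY:
        return False                                # unknown object: deny
    equiv = {fdn, "[Public]", *containers_of(fdn),
             *DIRECTORY[fdn].get("Security Equal To", [])}
    return target in equiv


def can_view_page(login_name: str, required_group: str) -> bool:
    """The web gateway's decision for a page guarded by a 'require group' line."""
    fdn = resolve_fdn(login_name)
    return fdn is not None and check_equiv(fdn, required_group)
```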
Authentication Server as an NDS Data Gateway
Application:Call Tracking System
Type:WEB
Server OS:Windows NT 4.0
Server Enabling App:Website/Visual Basic
[Screenshot: the call tracking assignee drop-down, populated with userids taken from NDS.]
Caldera OpenLinux and Apache
[Diagram: browsers reach Caldera OpenLinux running AuthC, which talks to the AuthServer and to the Netware file servers.]
WEB gateway to Netware File System.
Caldera OpenLinux and Apache
• The first attempt to provide web services via Novell made use of Novell's IntranetWare Web Server 1.0, which simply was not reliable.
• Caldera OpenLinux provided robust Unix connectivity to NDS and supported the industry standard Apache web server.
• Out of the box, Caldera/Apache did not provide home directory redirection and/or authentication. It did however provide the source code needed to make these modifications.
Caldera OpenLinux and Apache Modifications
• Added a module that links Apache's UserDir directive to the user's Novell home directory, making http://www.clemson.edu/~erich point to EMPLOYED/USR02:\USERS\U20\ERICH\PUBLIC.WWW
• Since Caldera is NDS aware, this also allows us to serve group web sites via their own group servers.
Web Interface to Home Directories via Authserv NDS Gateway
Application: Personal Pages
Type: WEB
Server OS: Linux
Server Enabling App: Apache/Caldera
http://www.clemson.edu/~acollin
Web Interface to Department Pages
Application: Departmental Pages
Type: WEB
Server OS: Linux
Server Enabling App: Apache/Caldera
http://dcitnds.clemson.edu/CSO/depts/maint
Caldera OpenLinux and Apache Modifications
• Added another module using the previously mentioned Authentication Server routines to provide both user and group authentication.
• Makes use of the standard HTACCESS format with additional Novell directives.
Using NDS to Secure Web Pages
    NovellAuth on
    AuthName "Novell Tree"
    AuthType Basic
    <Limit GET POST>
    require user gmcochr
    require user kellen
    require group .resadmin.groups.employee.clemsonu
    </Limit>
WebAuth: Web Single Signon
[Diagram: a workstation browser, a 3rd-party web server with a WebAuthClient, and the DCIT authentication web server with a WebAuth trusted client. The trusted client STOREs the authenticated session through the WebAuth NLM, AuthClient and AuthServ NLM against NDS; the other server CHECKs the browser's cookie with the WebAuth NLM, with a redirect between the two.]
Only trusted web servers prompt for userid/password and set a cookie in the browser. Other web servers must use the cookie to determine the user.
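A model of the STORE and CHECK sides of the flow above, written as an added example rather than the WebAuth NLM's code; the cookie token format, the eight-hour lifetime, the host names, the userid jdoe and the password store are all assumptions.

```python
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed stand-ins (assumptions): the AUTHSERV password store, the
# WebAuth session store, and the set of web servers trusted to prompt.
PASSWORDS: Dict[str, str] = {"jdoe": "constructed-pw"}
SESSIONS: Dict[str, Tuple[str, float]] = {}      # cookie value -> (userid, expiry)
TRUSTED_HOSTS = {"auth.dcit.example"}
LIFETIME = 8 * 3600                               # seconds a cookie stays valid
LOGIN_URL = "https://auth.dcit.example/login"


def password_check(userid: str, password: str) -> bool:
    """Stands in for the AUTHSERV Password Check client function."""
    return secrets.compare_digest(PASSWORDS.get(userid, ""), password)


def store(host: str, userid: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """STORE, done only by a trusted server: verify the password and mint the
    cookie value. The value is random, so the cookie carries no identity itself."""
    if host not in TRUSTED_HOSTS:
        raise PermissionError("only trusted web servers prompt for a password")
    if not password_check(userid, password):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = (userid, (time.time() if now is None else now) + LIFETIME)
    return token


def check(token: str, now: Optional[float] = None) -> Optional[str]:
    """CHECK, done by any other server: map the cookie back to a userid,
    or None when it is unknown or expired (expired entries are dropped)."""
    entry = SESSIONS.get(token)
    if entry is None:
        return None
    userid, expiry = entry
    if (time.time() if now is None else now) >= expiry:
        SESSIONS.pop(token, None)
        return None
    return userid


def handle_request(token: str, now: Optional[float] = None) -> Tuple[str, str]:
    """A non-trusted server's decision for a page request: serve the page for
    the cookie's user, or redirect the browser to the DCIT login page."""
    userid = check(token, now)
    return ("serve", userid) if userid else ("redirect", LOGIN_URL)
```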
Auditing NDS Connections
• Have not had much luck with standard auditing in 4.x
• Hook login/logout in AUDITLGN.NLM
• Writes easy to manipulate log files
• Data logged includes fully distinguished object name, login time, logout time, and MAC address
• Monitor file server and print server as well as user connections.
Dialin
• Mostly rely on a contract between users and ISPs for dialin access. Campus-MCI.
• Some PPP connectivity through a Livingston server with Radius modified to use NDS via the Authentication Server.
• Attempting to get Netware/IP deployed this summer for file server connectivity via PPP.
• Starting to deploy DHCP for dialin and dorm usage only.
Server Growth
• Split User Data Servers (ie: StudentD1 and StudentD2)
• Common access server for both Students and Faculty/Staff (scratch disk)
• Develop tools for user disk cleanup.
• Develop more tools to help end users get more out of NDS and the network in general.
What We Need
• Web interface to unresolved as well as resolved issues at Novell.
• More out of SMP.
• NDS on NT (no replicas required).
• Help from Novell on resolving “NT Server” marketing-through-documentation issues.
• Code exits in Novell products such as client32, Radius, FTP server, Web server.
• Good performance monitoring (SMP) tools.
That’s It!
(that’s enough..)