NDS and The Computing Infrastructure Division of Computing and Information Technology CLEMSON U N I V E R S I T Y January 22, 1998


Page 1

NDS and The Computing Infrastructure

Division of Computing and Information Technology

CLEMSON UNIVERSITY

January 22, 1998

Page 2

Agenda

• Background on Clemson IS
• Mission & Support Structure
• Userid Management
• Network Design
• Server & Network Access
• Public Access Labs
• Printing
• Electronic Mail
• Intranet
• Authentication Server
• Futures

Page 3

Background on Clemson Information Systems

Page 4

Background

• Large Systems Background
• Strong Development Shop
• Mainframe and Open Systems Expertise
• Departmental LANs ruled 90’s until NDS
• NDS populated in Summer 1995 (36,000)
• Departmental LANs gone. More centralized management of the network.
• NDS is centerpiece of security and authentication.

Page 5

Mission & Support Structure

Page 6

Mission

• Provide computing infrastructure.
• Empower Users and Departments.
• Provide guidance in selecting solutions based on industry standards.
• Deploy solutions to meet the needs of institutional computing.
• Provide user support and training.

Page 7

Defining Groups

Network Services - supports the physical network…routers, hubs, backbone

LAN Systems - supports application, group, and personal data servers.

Client Support Group (CSG) - supports faculty and staff via TSPs.

Systems Integration Group (SIG) - supports students and departmental labs.

Page 8

Defining (more) Groups

Computer Resources - assists with user account problems (DCIT sponsored).

College Consultants - DCIT sponsored person and college sponsored person(s) that help support the end users of the college.

Technology Support Provider (TSP) - supports faculty/staff end users

Help Desk - sponsored by DCIT to assist end users.

Page 9

Support Structure

Support is based on a four tier model.

[Diagram labels: Problems; Resources; Faculty/Staff; Students; tiers 1, 2, 3, 4; TSPs; Help Desk; College Consultant; Computer Resources; Client Support; Systems Integration; LAN Systems; Network Services]

Page 10

Server Strategy & Management

• Novell and NT servers maintained by Division of Computing & Info Tech (DCIT).
• DCIT provides hardware and Network Operating System (NOS).
• DCIT administers backups.
• DCIT performs user administration.
• Group maintains data and security with help of a Tech Support Provider (TSP).
• Virus Protection and Software Metering

Page 11

Userid Management

Page 12

Automatic Userid System (AUS)

[Diagram labels: Personnel; Admissions; Other; AUS; MVS; Unix; NDS; Other]

Page 13

Automating User Maintenance

[Diagram labels: MVS; Personnel; Admissions; Other; AUS; Present; Daily UIMPORT Run; Summer ‘97; USRMAINT.NLM; FTP; TCP/IP Real Time; NDS]

• Add Users
• Modify User Attributes
• Delete Users

Page 14

Network Design

Page 15

Physical Network Design

[Diagram labels: 100BT Switch; FDDI; Server (several); 100BT; T1]

Page 16

Tree Design

[Tree diagram labels: ClemsonU; Users; Organizations]

Page 17

Every Person Has a Place

[Tree diagram labels: ClemsonU; Employee; Students; Misc; Organizations; A to Z (three times)]

Page 18

Every Group Has a Place

[Tree diagram labels: ClemsonU; Users; Athletics; DCIT; CAFLS; CES; Forestry; Research; Deans Office]

Page 19

Partition Design

[Tree diagram labels: ClemsonU; Students; Employee; Athletics; DCIT; A, B, Z (twice); CSO; CSG; APS]

Page 20

Use Dedicated “ROOT” Servers for NDS Replicas

[Diagram labels: CU_ROOT_1; CU_ROOT_2; CU_ROOT_3; (ITC); Master for all; R/W for all; R/W for users “A” to “Z”; Group Server; R/W optional; 100BT Switch; FDDI]

Page 21

Distribute Network Management

Page 22

Login Script Design

• Based on Profile scripts and User scripts.
• No container scripts.
• Use base profiles: (EMPLOYEE, STUDENT)
• Base profile includes high level organizational scripts based on membership.
• Organizational scripts controlled by TSPs.
• Organization scripts may include departmental scripts managed by others.

Page 23

Script Design & Management

[Diagram labels: User Script; .EMPLOYEE.employee.clemsonu; .GROUPIFS.employee.clemsonu; .ENG.ces.clemsonu; .BioE.ces.; .AG.cafls.clemsonu; .Forestry.cafls.; .Civil.ces.; ISALAB]

Page 24

Server Time Sync Hierarchy

[Diagram labels: External Source; Server C (Ref); Server A (Prim); Server B (Prim); Server D (Secon); Server E (Secon)]

Page 25

Server and Network Resource Access

Page 26

Personal Storage (User Data Servers)

[Diagram labels: StudentD; EmployeD; Any Faculty or Staff Member; Any Student; Office, Lab, or DialUp; Dorm, Lab, or DialUp]

Page 27

Personal Data Server Configuration

              EmployeD        StudentD
Processor     Dual Pro-166    Dual Pro-200
Memory        512MB           768MB
Disk          50GB - RAID5    93GB - RAID5
Replicas      None            None
Homedirs      ~11,000         ~25,000
Base Quota    100MB           25MB

Page 28

Collaborative Storage - “Group Servers” (Faculty & Staff)

[Diagram labels: Group Server1; Group Server2; EmployeD]

Page 29

Collaborative Storage - “App Servers” (Students)

[Diagram labels: StudentD; Applications Server(N)]

Page 30

Group/App/Root Server Average Configuration

Group           App             Root
P200            P166            Pro-200
128MB           64MB            256MB
8GB             4GB             2GB
Possible R/W    None            All Replicas
25-250 Users    25-250 Users    250-800 Users
SYS,SHARE       SYS             SYS

Page 31

Collaborative Storage (Faculty and Students)

[Diagram labels: App Server; EmployeD; Group Server1; StudentD; N]

Page 32

Faculty/Student Collaboration

• Faculty member wants to put data on the network that his students can use.
• Student submission of work to faculty.
• Students collaborate on team projects with assistance from faculty member.
• Students and Faculty collaborate on projects or assignments.
• Publish web pages as a team or class.

Page 33

Faculty and TSP/Client Support Management

[Diagram labels: Group Server1; ReadOnly; CreateOnly; ReadWrite; Teams R/W with Tgroups]

Page 34

Collaborative Storage and Network Bandwidth

[Diagram label: Group Server1]

Page 35

Public Access Labs

Page 36

The Virtual PC

Page 37

Outline

• Environment for the Virtual PC (VPC)
• How the Current VPC Environment Evolved
• Mechanics of the VPC
• Setting up the Computer
• Boot time
• Login and Login Script
• Profiles
• Software Involved
• Future Directions

Page 38

Standard Lab

• Standard Set of Applications

• Standard Operating System(s)

• Contextless Login

• Standard Drive Mappings

• Identical Hard Drive Contents

Page 39

The Environment as Seen by the Machine

• Data Servers

• Application Servers

• Hard Drive Image

• Handling Locations and Hardware

Page 40

Personal Storage (User Data Servers)

[Diagram labels: StudentD; EmployeD; Any Faculty or Staff Member; Any Student; Office, Lab, or DialUp; Dorm, Lab, or DialUp]

Page 41

Collaborative Storage - “App Servers” (Students)

[Diagram labels: StudentD; Applications Server(N)]

Page 42

Goals of the Virtual PC Paradigm

• Easy Maintenance
• Provide Global Access to Password Protected Network Disk Space
• Allow User to Customize his Desktop
• Same Environment (“look and feel”) Regardless of Location, Hardware, or Facility Ownership

Page 43

Evolution

• Pre-Netware
• Windows 3.11 Under Netware
• Windows 95 Under Netware

Page 44

How it Happens to the User

Page 45

Constructing the Machine

• The Rebuild Disk
• REBUILD <location> <pctype> {options}
• Importance of VLM Client

Page 46

Boot Time Events

• Location, PCType, “ISALAB”, and Other Environment Variables

• Some Registry Updates to Ensure Default Desktop Appearance and Server Failover Keys

Page 47

Contextless Login

• Can’t Teach End Users What a Context is

• Using Commercial Product Because Netware SDK Lacks Information

Page 48

The Login Script

• Perform Some Basic Actions

• Perform Group-specific Actions

• Perform Lab Actions

• Load Profile

Page 49

Isitcool - Fail-over Applications Server Attachment

[Diagram labels: Workstation; Lab 1; Workstation Disk Image; Applications; Applications Server(1); Applications Server(2); Applications Server(n); ISITCOOL NLM (three times); Isitcool?; NO!; NO!; YES!]

1. Using IP, get info from primary app server ISITCOOL.
2. If attach failure or ISITCOOL reports no, try next server.
3. Attach to server using Netware client.

Page 50

Loading the Profile

• PCRDist is Called by the Login Script

• PCRDist Imports User Registry Keys from Directory Mapped to Drive U:

• First Time Lab Users Get Setup

• Printers

Page 51

Special Mappings and Events

• Mapping Shared Disk (most done by Login Scripts)
• NAL (will eventually be doing most special mappings)

Page 52

Collaborative Storage - “Group Servers” (Faculty & Staff)

[Diagram labels: Group Server1; Group Server2; EmployeD]

Page 53

Collaborative Storage (Faculty and Students)

[Diagram labels: App Server; EmployeD; Group Server1; StudentD]

Page 54

Logout

• Logout Only

• Export User Registry

• Logout and Shutdown

• Export User Registry

• Perform Maintenance

Page 55

Problems

• Present Implementation not Scalable
• DCIT Lab Support Must do All Software Installs
• DCIT Lab Support Must Handle All Initial Lab Setup Operations
• If Present Trends Continue, Labs of Computers will be Replaced by Labs of Network Jacks
• Image must live in the login directory (not protected)
• Metering

Page 56

Summary of Novell Components

• Netware Client32 (IntraNetware Client)
• NAL
• VLM Client

Page 57

Summary of Novell Products We Can Almost Use

• NAL
  – Requires execution of some app
  – Will not permit re-mapping
• SnapShot
  – We can’t distribute apps with NAL, so .AOT files are useless. This makes SnapShot useless
• Client32 (IntraNetware Client) Login
  – Need contextless login
• NRS: will not allow replication of directories on SYS (specifically, login)

Page 58

Summary of 3rd Party Products

• SoftTrack
• PC Rdist and TRAPSD
  – Need a Netware client with integrated profile handling and event hooks
• SFLogin
  – Need a contextless login with event hooks
• NWCopy
  – NRS needs to allow us to replicate specific SYS volume directories
• Pcounter
  – Need better auditing tools

Page 59

CU Products

• cumap

• isitcool

• datacool

• editreg/patch95

• editini

• difrator (in development)

• labstats (in re-development)

Page 60

Future Directions for Us

• Departmental Software (Hardware?) Installations
• Remote Control of Workstation
• Queuing Users Waiting for a Computer
• Move from Lab to Laptop

Page 61

Future Directions for Novell’s Products?

• Client integrate profload stuff
• Logout exits
• Client should allow us to customize machine as well as user. We can think of a dozen uses for the Computer object in NDS!
• Basically, Novell should handle the profiles (store the sludge in NDS?)
• Metering
• Improve Auditing Tools

Page 62

Printing

Page 63

Printing Strategy

All shared printers are network attach supporting only IPX protocol (HP-Jetdirect)

All printer access is controlled through NDS print queues.

Unix Print Services makes any print queue available to Unix/MVS/??? hosts using standard LPR/LPD protocols.

Unix Print Services also makes high speed institutional printers on MVS available to both Netware and Unix users/applications.

Page 64

Printing Strategy

[Diagram labels: OS/390; Unix; ???; Print Gateway; PC; PC; PC; Mac; Q (five times)]

Page 65

NDS Design for Printing

[Tree diagram labels: clemsonu; Employee; Students; PrtDev; CAFLS; CES; Civil; Mechanical; Printers (twice); A, B (twice); Poole; Library; ITC; ...]

Page 66

Electronic Mail

Page 67

Electronic Mail

• Server: Based on Sun Solaris.
• No user accounts required on Solaris.
• Server software developed at Clemson.
• Multiple recipients / one copy of message.
• Server based on POP/MIME Internet standard protocols. IMAP4 coming?
• Eudora site license purchased by DCIT.
• Listserver gaining wide spread acceptance and use.
• Class/section list automated.

Page 68

Mail Server

[Diagram labels: DOS, mainframe, Windows, Mac, UNIX, OS/2 and ? clients, each with POPc; popD; ListD; Mail Server]

Page 69

Mail Server: Statistics

Category                                    1995    1996    1997*
Daily Average POP Connections               14k     46k     85k
Daily Average Msgs Retrieved from Server    13k     36k     62k
Average Msgs Sent using Server per day      27k     48k     92k

*based on partial year statistics through May 26, 1997.

Page 70

Automated Distribution Lists

[Diagram labels: MVS OS/390; ListMGR; Class Roles; Departments; TCP/IP; popD; ListD; Mail Server]

Page 71

Automated NDS Group Membership

[Diagram labels: MVS OS/390; ListMGR; Class Roles; Departments; TCP/IP; popD; ListD; Mail Server; NDS; GroupMGR NLM; TCP/IP]

Page 72

Student Interface to Collaborative Storage

Use DMO’s along with a graphical tool to have users select and map network resources to make them available.

Page 73

Managing Distribution Lists with NDS

[Diagram labels: popD; ListD; Mail Server; GroupMGR.NLM; Monitor group membership modifications; RegisterForEvent(); TCP/IP; NDS; 1. Membership; 2. See Also]

Page 74

NDS Interface to the List Server

• Enabler for collaborative work between Faculty and Students.
• Uses data from employee system on MVS to keep department NDS groups correct.
• Lets users use NWAdmin to administer e-mail lists
• Eliminates need to make changes to NDS and the list server.
• Ensures that data is correct everywhere.

Page 75

Intranet

Page 76

WEB Serving

• Institutional Servers
• Department or Group Servers
• Organizational Page Servers
• Personal Page Servers
• Administrative and Student Application Page Servers

Page 77

NDS web Security via NT/Unix/?

Page 78

Authentication Server

Page 79

Authentication Server

• Too many userid/password combinations for each user to remember.
• Need central set of secure servers that all systems use for authentication.
• Clemson University Personal ID (CUPID).
• Based on Automatic Userid System (AUS).
• Idea born in interdepartmental task force.
• Production on July 1, 1996.

Page 80

Authentication Server

[Diagram labels: MAIL, WEB, mainframe, Unix, Netware, Sun, NT and Oracle, each with authC]

Page 81

[Diagram labels: NDS; IntranetWare Server A, IntranetWare Server B, IntranetWare Server C; AUTHSERV.NLM (three times); Mainframe (MVS): VTAM, RACF, AuthClient, Onlines; MAIL (solaris): AuthClient, POPd; NT Server (4.0): AuthClient, Website, Application; Linux: AuthClient, Apache, Application; User Workstation (‘95/Mac/NT Workstation): Eudora, TN3270, Netscape, Login.exe]

Page 82

Authentication Server

• NLM is multithreaded.
• Clients use common code base.
• Clients have builtin failover capability.
• Communication based on TCP/IP sockets.
• >90% successful password checks complete in less than 0.1 seconds.
• >2 million requests serviced by primary server over a 6 week period. 50,000/day

Page 83

(Back to) Intranet

Page 84

NDS Authentication through NT/Unix/other To the WEB?

Application: Employee Info System (EIS)
Type: WEB
Server OS: Windows NT 4.0
Server Enabling App: Website/Visual Basic

Page 85

Using NDS Security Across the Intranet

[Diagram labels: Authenticated Client; Server AuthClient; Authentication Server; NDS; Netscape; IIS 32bit DLL; AUTHSERV NLM; NT 4.0; Page request; CheckEquiv; Check Security Equivalence; Locate user object and run equivalence list.]

NT 4.0

Page 86

AUTHSERV Client Functions

• Password Check
• Password Change
• Resolve to Fully Distinguished Name
• Check Security Equivalence
• Return Group Membership
• Misc Administrative Functions

Page 87

Authentication Server as an NDS Data Gateway

Application: Call Tracking System
Type: WEB
Server OS: Windows NT 4.0
Server Enabling App: Website/Visual Basic

[Screenshot of the application: a userid selection list]

Page 88

Caldera OpenLinux and Apache

[Diagram labels: Caldera OpenLinux; AuthC; AuthServer; Browser (four times); File Server (five times)]

WEB gateway to Netware File System.

Page 89

Caldera OpenLinux and Apache

First attempt to provide web services via Novell made use of Novell’s IntranetWare Web Server 1.0 which simply was not reliable.

Caldera OpenLinux provided robust unix connectivity to NDS and supported the industry standard Apache web server.

Out of the box Caldera/Apache did not provide home directory redirection and/or authentication. It did however provide the source code needed to make these modifications.

Page 90

Caldera OpenLinux and Apache Modifications

Added a module that would link Apache’s UserDir directive to the user’s Novell home directory.

Making http://www.clemson.edu/~erich point to EMPLOYED/USR02:\USERS\U20\ERICH\PUBLIC.WWW

Since Caldera is NDS aware, this also allows us to serve group web sites via their own group servers.

Page 91

Web Interface to Home Directories via Authserv NDS Gateway

Application: Personal Pages
Type: WEB
Server OS: Linux
Server Enabling App: Apache/Caldera

http://www.clemson.edu/~acollin

Page 92

Web Interface to Department Pages

Application: Departmental Pages
Type: WEB
Server OS: Linux
Server Enabling App: Apache/Caldera

http://dcitnds.clemson.edu/CSO/depts/maint

Page 93

Caldera OpenLinux and Apache Modifications

Added another module using the previously mentioned Authentication Server routines to provide both user and group authentication.

Makes use of standard HTACCESS format with additional Novell Directives.

Page 94

Using NDS to Secure Web Pages

    NovellAuth on
    AuthName Novell Tree
    AuthType Basic
    <Limit GET POST>
    require user gmcochr
    require user kellen
    require group .resadmin.groups.employee.clemsonu
    </Limit>
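
How an access file like the one on this slide is evaluated, as an added example that is not part of the original slides or of Clemson's Apache module. It follows stock Apache rules (any matching require line grants access; directives inside <Limit> bind only the listed methods, with GET also covering HEAD) and shows the check a reviewer would run: which methods the require lines actually cover. The function names, the userid jdoe, case-insensitive name comparison, and the idea that the group list comes from the Authentication Server's group-membership function are assumptions.

```python
"""Evaluate the slide's access file under stock Apache rules (added example)."""

# The access file from the slide, one directive per line.
ACCESS_FILE = """\
NovellAuth on
AuthName Novell Tree
AuthType Basic
<Limit GET POST>
require user gmcochr
require user kellen
require group .resadmin.groups.employee.clemsonu
</Limit>
"""


def parse_access_file(text):
    """Return a list of (methods, kind, name) rules.

    methods is None for a require line outside any <Limit> block,
    otherwise the frozenset of HTTP methods the enclosing block names.
    """
    rules = []
    limit = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        lower = line.lower()
        if lower.startswith("<limit ") and line.endswith(">"):
            methods = {m.upper() for m in line[1:-1].split()[1:]}
            if "GET" in methods:
                methods.add("HEAD")  # Apache: limiting GET also limits HEAD
            limit = frozenset(methods)
        elif lower == "</limit>":
            limit = None
        elif lower.startswith("require "):
            parts = line.split()
            if len(parts) != 3 or parts[1].lower() not in ("user", "group"):
                raise ValueError("unsupported require line: " + line)
            # Assumption: names are compared case-insensitively.
            rules.append((limit, parts[1].lower(), parts[2].lower()))
    return rules


def decide(rules, method, user=None, groups=()):
    """Return 'unrestricted', 'allow' or 'deny' for one request.

    user is the authenticated userid (None if no credentials were sent);
    groups are the distinguished group names the directory returned for it.
    """
    method = method.upper()
    applicable = [r for r in rules if r[0] is None or method in r[0]]
    if not applicable:
        return "unrestricted"  # no require line covers this method
    if user is None:
        return "deny"  # the server would answer 401 and ask for credentials
    user = user.lower()
    member_of = {g.lower() for g in groups}
    for _, kind, name in applicable:
        if kind == "user" and name == user:
            return "allow"
        if kind == "group" and name in member_of:
            return "allow"
    return "deny"


def strip_limit(text):
    """Corrected variant: drop the <Limit> wrapper so every method is covered."""
    kept = [ln for ln in text.splitlines()
            if not ln.strip().lower().startswith(("<limit", "</limit"))]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    rules = parse_access_file(ACCESS_FILE)
    staff = [".resadmin.groups.employee.clemsonu"]
    print("GET  kellen        :", decide(rules, "GET", "kellen"))
    print("POST jdoe in group :", decide(rules, "POST", "jdoe", staff))
    print("GET  jdoe          :", decide(rules, "GET", "jdoe"))
    print("PUT  anonymous     :", decide(rules, "PUT"))
    fixed = parse_access_file(strip_limit(ACCESS_FILE))
    print("PUT  anonymous, no <Limit>:", decide(fixed, "PUT"))
```

With the <Limit GET POST> wrapper the require lines say nothing about other methods; without the wrapper they apply to every method.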

Page 95

WebAuth: Web Single Signon

[Diagram labels: Workstation; Web Browser 1; Web Browser 2; 3rd Party Web Server; WebAuth Client; DCIT Authentication Web Server; WebAuth Trusted Client; WebAuth NLM; AuthClient; AuthServ NLM; NDS; CHECK; STORE; Redirect]

Only trusted web servers prompt for userid password and set cookie in browser. Other web servers must use the cookie to determine the user.
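
The STORE and CHECK exchange named on this slide, as an added example that is not Clemson's WebAuth code: the trusted server stores a random, opaque token for the authenticated userid and sets it as the cookie, and any other web server hands the cookie to CHECK and gets back the userid or nothing. The class and function names, the cookie name webauth, the token length and the session lifetime are assumptions; the slides do not describe the token format.

```python
"""Opaque-token model of the WebAuth STORE/CHECK exchange (added example)."""
import hashlib
import secrets
import time


class WebAuthStore:
    """Stands in for the WebAuth NLM: maps cookie tokens to userids."""

    def __init__(self, lifetime_seconds=8 * 3600, clock=time.time):
        self._lifetime = lifetime_seconds  # assumed session lifetime
        self._clock = clock                # injectable so expiry can be tested
        self._sessions = {}                # sha256(token) -> (userid, expires)

    @staticmethod
    def _key(token):
        # Only a hash of the token is kept, so a copy of the session table
        # does not contain usable cookies.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def store(self, userid):
        """STORE: called only by the trusted server after a password check."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires = self._clock() + self._lifetime
        self._sessions[self._key(token)] = (userid, expires)
        return token

    def check(self, token):
        """CHECK: called by any web server; returns the userid or None."""
        if not isinstance(token, str) or not token:
            return None
        key = self._key(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        userid, expires = entry
        if self._clock() >= expires:
            del self._sessions[key]        # expired: forget it
            return None
        return userid

    def revoke(self, token):
        """Logout: the cookie stops working on every server at once."""
        return self._sessions.pop(self._key(token), None) is not None


def trusted_login(store, userid, password, password_check):
    """Trusted server: verify the password, then STORE and build the cookie.

    password_check stands in for the Authentication Server's password check.
    """
    if not password_check(userid, password):
        return None
    token = store.store(userid)
    # Secure and HttpOnly keep the token off plain HTTP and out of page scripts.
    return "webauth=%s; Path=/; Secure; HttpOnly" % token


def third_party_user(store, cookie_header):
    """Other web server: never sees a password, only asks CHECK about the cookie."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "webauth":
            return store.check(value)
    return None


if __name__ == "__main__":
    store = WebAuthStore()
    # Constructed credentials for the demonstration only.
    cookie = trusted_login(store, "kellen", "demo-pw", lambda u, p: p == "demo-pw")
    sent_back = cookie.split(";")[0]       # what the browser returns later
    print("valid cookie ->", third_party_user(store, sent_back))
    print("forged cookie ->", third_party_user(store, "webauth=forged"))
```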

Page 96

Auditing NDS Connections

• Have not had much luck with standard auditing in 4.x
• Hook login/logout in AUDITLGN.NLM
• Writes easy to manipulate log files
• Data logged includes fully distinguished object name, login time, logout time, and MAC address
• Monitor file server and print server as well as user connections.

Page 97

Dialin

• Mostly Rely on contract between users and ISPs for dialin access. Campus-MCI.
• Some PPP connectivity through Livingston server with Radius modified to use NDS via the Authentication Server.
• Attempting to get Netware/IP deployed this summer for file server connectivity via PPP.
• Starting to deploy DHCP for dialin and dorm usage only.

Page 98

Server Growth

• Split User Data Servers (ie: StudentD1 and StudentD2)
• Common access server for both Students and Faculty/Staff (scratch disk)
• Develop tools for user disk cleanup.
• Develop more tools to help end users get more out of NDS and the network in general.

Page 99

What We Need

• Web interface to unresolved as well as resolved issues at Novell.
• More out of SMP.
• NDS on NT (no replicas required).
• Help from Novell on resolving “NT Server” marketing-through-documentation issues.
• Code Exits in Novell Products such as client32, Radius, FTP server, Web server.
• Good performance monitoring (SMP) tools.

Page 100

That’s It!

(that’s enough..)