Integrating Apple Macs Using Novell Technologies
Apple Macs continue to increase in popularity and make up an increasingly large percentage of enterprise desktops. In this session, we'll explore the various Novell products and technologies that can be used to integrate Macs into your environment. You'll leave with a clear understanding of the issues involved and the options available to support the Mac user community in a Novell environment. You'll also have a chance to discuss suggestions for improving on this support.

Presentation Transcript

  • Integrating Apple Macs Using Novell Technologies
    Taking it to the Macs!
    Simon Flood, Systems & Networks Specialist, University of Cambridge, S.M.Flood@ucs.cam.ac.uk
  • Macs
    • Should we care?
    • Why integrate?
    • Options?
    • The administrative experience
    • Other Novell products?
    • Open discussion
    2 © Novell, Inc. All rights reserved.
  • Should we care?
    • Increasing Mac usage at work and home
    • ITIC's 2009 Global IT and Technology Trends Survey
      – “... 68% [respondents] … likely to allow ... Macs as their corporate ... desktops in the next 12 months”
      – “... 23% have a significant number of Macs … in their organizations”
      – www.itic-corp.com/blog/2009/02/apple-gets-more-entrenched-in-the-enterprise/
    • Macs can (legally) triple-boot Mac OS X, Windows and Linux!
  • Why integrate?
    • Unified experience
      – Seamless access to the same information, regardless of platform
    • Choice
      – Best of breed
    • Ease of administration
    • Ease of use
    • Making IT work as one!
  • Options?
  • What options do Macs support?
    • File services
      – AFP
      – SMB
      – NFS
      – WebDAV
    • Directory services
      – LDAPv3
        > Open Directory
        > RFC 2307-compliant system
      – Active Directory
        > Magic triangles
  • What options does Novell offer?
    • Novell Open Enterprise Server 2 SP2
      – AFP (or CIFS/Samba) + Novell eDirectory (LDAP)
      – Domain Services for Windows
    • Microsoft Windows Server
      – Dynamic File Services for Windows
    • SUSE Linux Enterprise Server
    • Novell Identity Manager
    • Kanaka (Condrey Corporation)
  • What is missing?
    • NetWare Client for Mac OS X (Prosoft Engineering)
      – Mac OS X 10.3.9 or 10.4.2 and later (including Snow Leopard)
      – Novell NetWare 5 and 6
      – No planned support for Novell Open Enterprise Server (Linux)
  • Let's Take a Closer Look
  • Mac OS X Snow Leopard support
  • Novell Open Enterprise Server 2 SP2
    • Includes all you need to support Mac users
      – AFP (or CIFS/Samba)
      – Novell eDirectory
        > LDAP
      – iPrint
      – Novell iFolder
      – NetStorage
      – Cluster Services
        > All of the above components can be clustered
  • File and print services
    • AFP (and CIFS)
      – Requires Universal Password
      – Cross-protocol file locking between AFP, CIFS and NCP
      – Does not support Dynamic Storage Technology
    • Novell iFolder
      – Client for Mac OS X available with Novell iFolder 3.7 and later
    • NetStorage
      – Safari is not a supported browser!
      – WebDAV via Finder is broken
    • iPrint
      – Not suited to multi-user clients (stuck print jobs)
  • Novell Open Enterprise Server 2 SP2
  • Before you start
    • Ensure AFP is installed, configured and working
      – Universal Password must be configured!
    • Ensure the Mac can resolve the server's hostname
      – With Leopard, simply adding entries to /etc/hosts will not work!
        > # dscl localhost -create /Local/Default/Hosts/oeslinux.example.com IPAddress 192.168.10.101
  • Fix SSL certificates
    • With Leopard OpenLDAP trusts no one! (TLS_REQCERT demand)
      – ldapsearch -b cn=admin,o=example -H ldaps://oeslinux.example.com -v -x will error with 'certificate verify failed'
    • Grab and edit the certificate
      – # echo | openssl s_client -connect oeslinux.example.com:636 -showcerts > /System/Library/OpenSSL/certs/example.cert
      – # vi /System/Library/OpenSSL/certs/example.cert
        > Delete everything except the second certificate (2x Organizational CA)
        > So you are left with just the section from -----BEGIN CERTIFICATE----- through to and including -----END CERTIFICATE-----
  • Fix SSL certificates (continued)
    • If only ever one tree
      – # vi /etc/openldap/ldap.conf
        > Add TLS_CACERT /System/Library/OpenSSL/certs/example.cert
    • If multiple trees
      – # vi /etc/openldap/ldap.conf
        > Add TLS_CACERTDIR /System/Library/OpenSSL/certs
      – For each tree
        > # openssl x509 -noout -in example.cert -hash
          » This will return a hexadecimal hash value
        > # ln -s example.cert <hash value>.0
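The two certificate slides above, as an added example that is not from the presentation: it captures the chain the OES server presents on port 636, keeps only the second certificate (the Organizational CA), checks that this CA really does sign the server certificate before trusting it, and installs it under the subject-hash name that TLS_CACERTDIR lookups expect. The function names, the `SAMPLE_CHAIN` text and the default certificate directory are assumptions; the openssl invocations are the ones on the slides.

```python
import os
import re
import subprocess
import tempfile

# One PEM certificate block. `openssl s_client -showcerts` prints the server
# certificate first, followed by the certificate(s) that issued it.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Constructed sample of the shape s_client prints (not real certificates).
SAMPLE_CHAIN = ("-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
                " 1 s:/O=EXAMPLE/OU=Organizational CA\n"
                "-----BEGIN CERTIFICATE-----\nBBBB\nCCCC\n-----END CERTIFICATE-----\n")


def pem_blocks(text):
    """Return every PEM certificate block in text, in the order presented."""
    return PEM_BLOCK.findall(text)


def fetch_chain(host, port=636):
    """Capture the chain presented on the LDAPS port, as 'echo | openssl s_client' does."""
    out = subprocess.run(["openssl", "s_client", "-connect", f"{host}:{port}", "-showcerts"],
                         input="", capture_output=True, text=True, check=False).stdout
    return pem_blocks(out)


def ca_verifies_server(ca_pem, server_pem):
    """True only if the candidate CA certificate actually signs the server certificate."""
    with tempfile.TemporaryDirectory() as d:
        ca, srv = os.path.join(d, "ca.pem"), os.path.join(d, "server.pem")
        for path, pem in ((ca, ca_pem), (srv, server_pem)):
            with open(path, "w") as f:
                f.write(pem + "\n")
        r = subprocess.run(["openssl", "verify", "-CAfile", ca, srv], capture_output=True, text=True)
        return r.returncode == 0


def install_ca_cert(host, tree, cacertdir="/System/Library/OpenSSL/certs"):
    """Save the tree's Organizational CA as <tree>.cert and add the <hash>.0 link TLS_CACERTDIR needs."""
    chain = fetch_chain(host)
    if len(chain) < 2:
        raise RuntimeError(f"{host} presented {len(chain)} certificate(s); expected server cert plus CA")
    server_pem, ca_pem = chain[0], chain[1]   # slide: keep only the second certificate
    if not ca_verifies_server(ca_pem, server_pem):
        raise RuntimeError("second certificate does not verify the server certificate; inspect the chain")
    cert_path = os.path.join(cacertdir, f"{tree}.cert")
    with open(cert_path, "w") as f:
        f.write(ca_pem + "\n")
    # Same value OpenLDAP looks up in TLS_CACERTDIR: openssl x509 -noout -in <tree>.cert -hash
    h = subprocess.run(["openssl", "x509", "-noout", "-in", cert_path, "-hash"],
                       capture_output=True, text=True, check=True).stdout.strip()
    link = os.path.join(cacertdir, f"{h}.0")
    if os.path.lexists(link):
        os.remove(link)
    os.symlink(f"{tree}.cert", link)   # relative target, as on the slide: ln -s example.cert <hash>.0
    return cert_path, link
```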
  • Extend the Novell eDirectory Schema
    • LDIF for Mac OS X 10.3 is available from MacEnterprise.org
      – LDIFs for 10.5 & 10.6 will be available via Cool Solutions
      – Macs include schema files in /etc/openldap/schema
        > … and iManager can apparently handle .schema files
      – Make sure macAddress attribute type is pre-defined
        > ( 1.3.6.1.1.1.1.22 NAME 'macAddress' DESC 'MAC address' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
  • Extend the Novell eDirectory Schema (continued)
    • Extend schema
      – Can use iManager
        > Schema | Extend Schema | Add schema from a file
      – Or ConsoleOne
        > Wizards | NDS Import/Export... | Import LDIF file
      – But quicker via LDAP!
        > ldapmodify -D cn=admin,o=example -f applev2.ldf -h oeslinux.example.com -v -W -x -Z
    • Check schema
      – ldapsearch -b cn=schema -D cn=admin,o=example -h oeslinux.example.com -s base -W -x -Z objectClass=*
  • Extend user objects
    • Can use iManager (make sure you Apply before Edit)
      – Schema | Object Extensions | select user object(s) | [Add] | select apple-user | [OK] | [Close]
    • Or ConsoleOne
      – Right-click on user and choose 'Extensions of this object...'
      – Click 'Add Extension...', select 'apple-user' and click [OK]
    • Or LDAP (LDIF file) – assumes LUM-enabled
      – objectClass: apple-user
      – apple-user-homeDirectory: /Network/Servers/oeslinux.example.com/oeslinux.USER/Users/user1
      – apple-user-homeurl: <home_dir><url>afp://oeslinux.example.com/oeslinux.USER</url><path>Users/user1</path></home_dir>
  • Extend user objects (continued)
    • If users are not LUM-enabled
      – objectClass: posixAccount
      – uidNumber: <integer>
      – gidNumber: <integer>
      – homeDirectory: /home/user1
      – loginShell: /bin/bash
        > unless you don't want users to be able to access Terminal!
  • Create mount objects
    • Create container to store them
    • Mount object per server/volume – name is unimportant
    • Using iManager (similar for ConsoleOne)
      – Directory Administration | Create Object | Show all object classes | select 'mount'
    • Using LDAP (LDIF file)
      – objectClass: mount
      – apple-mountDirectory: /Network/Servers
      – apple-mountOption: net
      – apple-mountOption: url==afp://;AUTH=NO%20USER%20AUTHENT@oeslinux.example.com/oeslinux.USER
      – apple-mountType: url
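The three LDIF slides above (apple-user extension, the non-LUM posixAccount variant, and the mount object), as an added example that is not from the presentation. It writes the records ready for the `ldapmodify` invocation shown earlier, and applies the RFC 2849 rule that a value starting with a space, ':' or '<' has to be base64-encoded: the `apple-user-homeurl` value starts with '<', so a strict LDIF parser needs the `::` form. Function names, the `dn` values and the `afp_volume` parameter (the server.VOLUME name, e.g. `oeslinux.USER`) are assumptions.

```python
import base64
import re

# RFC 2849 SAFE-STRING: ASCII without NUL, CR or LF, and not starting with a
# space, ':' or '<'. Anything else must be written base64 ("attr:: ...").
_SAFE_STRING = re.compile(r"^[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f]"
                          r"[\x01-\x09\x0b\x0c\x0e-\x7f]*$")


def ldif_attr(name, value):
    """One attrval-spec line, base64-encoded when the raw value is not LDIF-safe."""
    if value == "" or _SAFE_STRING.match(value):
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def _modify_add(attr, *values):
    """One 'add:' change inside a 'changetype: modify' record."""
    return [f"add: {attr}", *(ldif_attr(attr, v) for v in values), "-"]


def apple_user_ldif(dn, server, afp_volume, user, lum_enabled=True, uid=None, gid=None):
    """LDIF that adds the apple-user class and AFP home settings to an existing user."""
    home_url = (f"<home_dir><url>afp://{server}/{afp_volume}</url>"
                f"<path>Users/{user}</path></home_dir>")
    lines = [f"dn: {dn}", "changetype: modify",
             *_modify_add("objectClass", "apple-user"),
             *_modify_add("apple-user-homeDirectory",
                          f"/Network/Servers/{server}/{afp_volume}/Users/{user}"),
             *_modify_add("apple-user-homeurl", home_url)]
    if not lum_enabled:  # without LUM the Mac still needs the RFC 2307 attributes
        lines += [*_modify_add("objectClass", "posixAccount"),
                  *_modify_add("uidNumber", str(uid)),
                  *_modify_add("gidNumber", str(gid)),
                  *_modify_add("homeDirectory", f"/home/{user}"),
                  *_modify_add("loginShell", "/bin/bash")]
    return "\n".join(lines) + "\n"


def mount_ldif(dn, server, afp_volume):
    """LDIF that creates the 'mount' record the Mac uses to automount the AFP volume."""
    cn = dn.split(",", 1)[0].split("=", 1)[1]   # naming attribute; the name itself is unimportant
    return "\n".join([f"dn: {dn}", "changetype: add", "objectClass: mount", f"cn: {cn}",
                      "apple-mountDirectory: /Network/Servers",
                      "apple-mountOption: net",
                      f"apple-mountOption: url==afp://;AUTH=NO%20USER%20AUTHENT@{server}/{afp_volume}",
                      "apple-mountType: url"]) + "\n"
```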
  • Connect Mac to Novell eDirectory
    • Launch Directory Utility and click Services
      – Leopard and earlier: /Applications/Utilities
      – Snow Leopard: /System/Library/CoreServices
    • Configure the LDAPv3 plug-in
      – Create and edit a new LDAP connection (Manual)
      – Set up Search & Mappings
        > Mappings equate to LDAP queries – default is to match all (AND)
        > Start with Open Directory Server
        > Delete shadowAccount from Users and extensibleObject from Users, Groups, ComputerGroups and People
        > Change User NFSHomeDirectory to map to apple-homeDirectory
        > Prefix Mount mappings with apple- (so mountDirectory becomes apple-mountDirectory)
        > Check search bases for Users, Groups, Computers and Computer Groups (or Lists)
  • Connect Mac to Novell eDirectory (continued)
    • Add LDAPv3 to Search Policy
    • Prefix with # to use a local static mapping
    • Use $variable$ to use a local variable mapping
    • Can also use dsconfigldap and dscl to set up
    • Use dscl to test
      – dscl /LDAPv3/oeslinux.example.com read Users/user1
  • Extend or create other objects
    • Groups (Workgroups)
      – objectClass: apple-group
    • Computers
      – objectClass: apple-computer
      – macAddress: 01:23:45:67:89:ab
    • Computer Groups
      – Introduced in Leopard
        > objectClass: apple-group
      – Previously Computer Lists
        > objectClass: apple-computer-list
  • Managing preferences
    • Can be applied to Users, Computers, Computer Groups and Workgroups
    • Extend relevant objects – can't currently use iManager
      – apple-mcxflags: <leave blank>
      – apple-mcxsettings: <leave blank>
      – apple-mcxsettings2: <leave blank>
        > Optional – continuation of apple-mcxsettings
    • Use Workgroup Manager
      – Command+D to skip initial authentication dialog
      – Enable the Inspector to allow you to see raw directory data
        > Workgroup Manager | Preferences... | Show “All records” tab and inspector
  • Demonstration
  • Issues
    • For Administrators
      – Fiddly to set up
      – Tricky to manage, especially from a Mac
    • For Users
      – Finder does not understand NSS rights
        > “iManager is the recommended method for managing rights”!
          » Novell AFP for Linux Administration Guide (section 9.2.4)
      – Changing password via System Preferences has not always worked
        > Can also change password via Finder
        > Or create custom script to change password via LDAP
  • Suggestions
    • Rename your AFP volumes to remove the server element
      – So server.VOLUME becomes VOLUME
      – Normally suggested for cluster environments
      – Will then match the CIFS experience – easier for users
    • Create a LoginHook that runs a script to set up a user's home directory when they log in
      – The ? icon in the Dock might alarm some users
      – When a user logs in for the first time, Desktop, Downloads and Library folders are created in the home directory
        > Documents, Music and Pictures folders are initially missing and are created as necessary
      – /System/Library/User Template/<Language>.lproj/ is not used
  • Other Options?
  • Domain Services for Windows
    • Directory Utility includes an Active Directory plug-in
    • No need to make schema changes to the AD domain to get basic user account information
    • Samba access to NSS volumes
    • Configure Macs using Directory Utility or dsconfigad
      – Change Mappings under Advanced Settings and Options
        > UID: uidNumber
        > user GID: gidNumber
        > group GID: groupMembership?
    • Time is important (as always!)
      – Beware: the Mac helpfully rewrites server lines in /etc/ntp.conf
  • Kanaka (Condrey Corporation)
    • Current version requires a Novell NetWare server
      – Version 2 will not
    • Supports AFP and CIFS (SMB)
    • Simple or Universal Password
    • Windows-based install of server component ...
    • Web interface via Novell Remote Manager (port 8009)
      – As per DocXchanger
    • Minimal additions to Novell eDirectory schema
    • Mac clients can receive MCX Settings from Kanaka
      – Or from Mac OS X Server
  • Dynamic File Services for Windows
    • Perhaps you're already running Microsoft Windows Servers … ?
    • We already know Macs like Windows Servers
    • Connect to network shares (SMB)
    • Use a third-party AFP product?
  • SUSE Linux Enterprise Server
    • Netatalk (or Samba)
      – Spotlight can index volumes
      – Can use volume as Backup Disk for Time Machine
        > Version 2.0.5
      – Question about scalability
    • OpenLDAP
      – Extend schema by copying files to /etc/openldap/schema
      – Create objects as per Novell Open Enterprise Server process
  • Novell Identity Manager
    • Can be used to provision users in Novell eDirectory
      – or Active Directory (free Novell Identity Manager Bundle Edition)
      – or Open Directory
        > Scripting Driver is supported on Mac OS X (Intel)
    • Can be used to extend user and other objects
  • The Administrative Experience
  • iManager for Mac OS X … !
  • Administration
    • iManager
      – Safari is not a supported web browser!
      – No version of iManager Workstation for Mac OS X
    • ConsoleOne
      – Unsupported except for Novell GroupWise 8 and ZENworks 7
      – No version for Mac OS X
    • LDAP
      – Use LDIF files
    • Apple Workgroup Manager
      – Included with Server Admin Tools, available for free from Apple
      – Use for managing MCX settings
  • Administration (continued)
    • Novell Identity Manager
      – Designer can be made to run on Mac OS X
        > Limited functionality (missing JClient, so no NCP access)
        > www.novell.com/communities/node/9637/idm-designer-your-macintosh
    • Novell Support Advisor
      – Linux install can be copied to Mac OS X and run
        > Limited functionality
        > Plans to produce Mac installable version
    • Apache Directory Studio
      – Use to test LDAP and create LDIF files
      – directory.apache.org
  • What else can you do?
    • NetBoot Server (bootp/dhcp, tftp and nfs/http)
      – Apple's use of dhcp does not quite observe RFC 2131!
    • Bonjour
      – Avahi added in Novell Open Enterprise Server 2 SP2
      – … but January 2010 Scheduled Maintenance 20100130 patch breaks AFP on 32-bit servers
        > See TID 7005351
      – By default only Apple File Sharing, Workgroup Manager and SSH services advertised
        > Can easily advertise additional services (e.g. for iPrint)
  • Other Novell Products?
  • Other Novell products?
    • Access Manager (BorderManager replacement?)
      – Includes SSL VPN client for Mac (PowerPC 10.4, Intel 10.5)
    • GroupWise
      – Includes client for Mac (but Snow Leopard not officially supported until Novell GroupWise 8.0 Support Pack 2)
      – Safari is a supported web browser for WebAccess client
    • Teaming
      – Safari is a supported web browser
    • ZENworks
      – Asset Management can inventory Mac OS X clients (10.2.4+)
      – Patch Management supports Mac OS X clients and servers (10.2.8 - 10.4.7)
  • Other Apple devices?
    • Specifically iPad, iPhone and iPod Touch
    • ITIC's 2009 Global IT and Technology Trends Survey
      – “... 50% [respondents] ... plan to increase integration with ... products such as the iPhone to allow users to access corporate Email and other applications”
    • ActiveSync Connector (Datasync)
    • MonoTouch
      – Allows developers to create C# and .NET based applications
      – Requires an Intel-based Mac, Apple's iPhone SDK and membership of Apple's iPhone Developer Program
  • Discussion
  • Some ideas
    • Novell Client for Mac?
    • Directory Services for Mac?
      – Since we have Domain Services for Windows ...
    • ZENworks Configuration Management
      – Allow us to manage Mac OS X clients (MCX?)
    • Novell GroupWise vs. Exchange
      – Snow Leopard has built-in support for Microsoft Exchange Server 2007 ...
    • Novell Open Enterprise Server
      – Add support for Dynamic Storage Technology, Spotlight and Time Machine to AFP
    • Support Safari!
  • Mac community support from Novell: Good? Bad? Ugly?
  • Log enhancement requests: www.novell.com/rms
  • Other Sessions
    • CL115 Novell Open Enterprise Server: Roadmap and Futures
    • CL116 File Access in Novell Open Enterprise Server 2 SP2
  • Resources
    • MacEnterprise.org
    • AFP548.com
    • www.novell.com/communities/coolsolutions/ (smflood)
    • forums.novell.com – Native File Access
    • www.apple.com/business/resources/
    • support.apple.com/kb/HT3186 – Enabling Directory Service debug logging in Mac OS X 10.5+
  • And finally ... Apple once urged us to think different. Simon says think Novell!
  • Unpublished Work of Novell, Inc. All Rights Reserved.
    This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
    General Disclaimer
    This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.