Apple Macs continue to increase in popularity and make up an increasingly large percentage of enterprise desktops. In this session, we'll explore the various Novell products and technologies that can be used to integrate Macs into your environment. You'll leave with a clear understanding of the issues involved and the options available to support the Mac user community in a Novell environment. You'll also have a chance to discuss suggestions for improving on this support.

1. Integrating Apple Macs
Using Novell technologies ®
Taking it to the Macs!
Simon Flood
Systems & Networks Specialist
University of Cambridge
S.M.Flood@ucs.cam.ac.uk

2. Macs
• Should we care?
• Why integrate?
• Options?
• The administrative experience
• Other Novell products? ®
• Open discussion
2 © Novell, Inc. All rights reserved.

3. Should we care?
• Increasing Mac usage at work and home
• ITIC's 2009 Global IT and Technology Trends Survey
“... 68% [respondents] … likely to allow ... Macs as their
corporate ... desktops in the next 12 months”
“... 23% have a significant number of Macs … in their
organizations”
www.itic-corp.com/blog/2009/02/apple-gets-more-entrenched-in-the-
enterprise/
• Macs can (legally) triple-boot Mac OS X, Windows
and Linux!
3 © Novell, Inc. All rights reserved.

4. Why integrate?
• Unified experience
– Seamless access to same information, regardless
of platform
• Choice
– Best of breed
• Ease of administration
• Ease of use
• Making IT work as one!
4 © Novell, Inc. All rights reserved.

5. Options?

6. What options do Macs support?
• File services
– AFP
– SMB
– NFS
– WebDAV
• Directory services
– LDAPv3
> Open Directory
> RFC 2307-compliant system
– Active Directory
> Magic triangles
6 © Novell, Inc. All rights reserved.

7. What options does Novell offer? ®
• Novell Open Enterprise Server 2 SP2
– AFP (or CIFS/Samba) + Novell eDirectory (LDAP)
™
– Domain Services for Windows
• Microsoft Windows Server
– Dynamic File Services for Windows
• SUSE Linux Enterprise Server
®
• Novell Identity Manager
• Kanaka (Condrey Corporation)
7 © Novell, Inc. All rights reserved.

8. What is missing?
• NetWare Client for Mac OS X (Prosoft Engineering)
®
– Mac OS X 10.3.9 or 10.4.2 and later (including Snow Leopard)
– Novell NetWare 5 and 6
– No planned support for Novell Open Enterprise Server (Linux)
®
8 © Novell, Inc. All rights reserved.

9. Let's Take a Closer Look

10. Mac OS X Snow Leopard support
10 © Novell, Inc. All rights reserved.

11. Novell Open Enterprise Server 2 SP2
®
• Includes all you need to support Mac users
– AFP (or CIFS/Samba)
– Novell eDirectory ™
> LDAP
– iPrint
– Novell iFolder ®
– NetStorage
– Cluster Services
> All of the above components can be clustered
11 © Novell, Inc. All rights reserved.

12. File and print services
• AFP (and CIFS)
– Requires Universal Password
– Cross-protocol file locking between AFP, CIFS and NCP
– Does not support Dynamic Storage Technology
• Novell iFolder ®
– Client for Mac OS X available with Novell iFolder 3.7 and later
• NetStorage
– Safari is not a supported browser!
– WebDAV via Finder is broken
• iPrint
– Not suited to multi-user clients (stuck print jobs)
12 © Novell, Inc. All rights reserved.

13. Novell Open Enterprise Server 2 SP2
®

14. Before you start
• Ensure AFP is installed, configured and working
– Universal Password must be configured!
• Ensure Mac can resolve server's hostname
– With Leopard, simply adding entries to /etc/hosts will not work!
> # dscl localhost -create /Local/Default/Hosts/oeslinux.
example.com IPAddress 192.168.10.101
14 © Novell, Inc. All rights reserved.

15. Fix SSL certificates
• With Leopard OpenLDAP trusts no one!
(TLS_REQCERT demand)
– ldapsearch -b cn=admin,o=example -H ldaps://
oeslinux.example.com -v -x will error with 'certificate
verify failed'
• Grab and edit the certificate
– # echo | openssl s_client -connect oeslinux
example.com:636 -showcerts > /System/Library/
OpenSSL/certs/example.cert
– # vi /System/Library/OpenSSL/certs/example.
cert
> Delete everything except the second certificate (2x Organizational CA)
> So just left with section -----BEGIN CERTIFICATE-----
through to and including -----END CERTIFICATE-----
15 © Novell, Inc. All rights reserved.

16. Fix SSL certificates (continued)
• If only ever one tree
– # vi /etc/openldap/ldap.conf
> Add TLS_CACERT /System/Library/OpenSSL/certs/example.cert
• If multiple trees
– # vi /etc/openldap/ldap.conf
> Add TLS_CACERTDIR /System/Library/OpenSSL/certs
– For each tree
> # openssl x509 -noout -in example.cert -hash
» This will return a hexadecimal hash value
> # ln -s example.cert <hash value>.0
16 © Novell, Inc. All rights reserved.

17. Extend the Novell eDirectory Schema ®
™
• LDIF for Mac OS X 10.3 is available from
MacEnterprise.org
– LDIFs for 10.5 & 10.6 will be available via Cool Solutions
– Macs include schema files in /etc/openldap/schema
> … and iManager can apparently handle .schema files
– Make sure macAddress attribute type is pre-defined
> ( 1.3.6.1.1.1.1.22 NAME 'macAddress' DESC 'MAC address'
EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.
115.121.1.26{128} )
17 © Novell, Inc. All rights reserved.

18. Extend the Novell eDirectory Schema .
™
(continued)
• Extend schema
– Can use iManager
> Schema | Extend Schema | Add schema from a file
– Or ConsoleOne ®
> Wizards | NDS Import/Export... |  Import LDIF file
– But quicker via LDAP!
> ldapmodify -D cn=admin,o=example -f applev2.ldf -h
oeslinux.example.com -v -W -x -Z
• Check schema
– ldapsearch -b cn=schema -D cn=admin,o=example
-h oeslinux.example.com -s base -W -x -Z
objectClass=*
18 © Novell, Inc. All rights reserved.

19. Extend user objects
• Can use iManager (make sure you Apply before Edit)
– Schema | Object Extensions | select user object(s) | [Add] |
select apple-user | [OK] | [Close]
• Or ConsoleOne ®
– Right-click on user and choose 'Extensions of this object...'
– Click 'Add Extension...', select 'apple-user' and click [OK]
• Or LDAP (LDIF file) – assumes LUM-enabled
– objectClass: apple-user
– apple-user-homeDirectory: /Network/Servers/
oeslinux.example.com/oeslinux.USER/Users/user1
– apple-user-homeurl: <home_dir><url>afp://
oeslinux.example.com/oeslinux.USER</url><path>
Users/user1</path></home_dir>
19 © Novell, Inc. All rights reserved.

20. Extend user objects (continued)
• If users are not LUM-enabled
– objectClass: posixAccount
– uidNumber: <integer>
– gidNumber: <integer>
– homeDirectory: /home/user1
– loginShell: /bin/bash
> unless you don't want users to be able to access Terminal!
20 © Novell, Inc. All rights reserved.

21. Create mount objects
• Create container to store them
• Mount object per server/volume – name is unimportant
• Using iManager (similar for ConsoleOne ) ®
– Directory Administration | Create Object |  Show all object
classes | select 'mount'
• Using LDAP (LDIF file)
– objectClass: mount
– apple-mountDirectory: /Network/Servers
– apple-mountOption: net
– apple-mountOption: url==afp://;AUTH=NO%20USER
%20AUTHENT@oeslinux.example.com/oeslinux.USER
– apple-mountType: url
21 © Novell, Inc. All rights reserved.

22. Connect Mac to Novell eDirectory ®
™
• Launch Directory Utility and click Services
– Leopard and earlier - /Applications/Utilities
– Snow Leopard – /System/Library/Core Services
• Configure the LDAPv3 plug-in
– Create and edit a new LDAP connection (Manual)
– Set up Search & Mappings
> Mappings equate to LDAP queries – default is to match all (AND)
> Start with Open Directory Server
> Delete shadowAccount from Users and extensibleObject from Users, Groups,
ComputerGroups and People
> Change User NFSHomeDirectory to map to apple-homeDirectory
> Prefix Mount mappings with apple- (so mountDirectory becomes apple-mountDirectory)
> Check search bases for Users, Groups, Computers and Computer Groups (or Lists)
22 © Novell, Inc. All rights reserved.

23. Connect Mac to Novell eDirectory ®
™
(continued)
• Add LDAPv3 to Search Policy
• Prefix with # to use a local static mapping
• Use $variable$ to use a local variable mapping
• Can also use dsconfigldap and dscl to set up
• Use dscl to test
– dscl /LDAPv3/oeslinux.example.com read
Users/user1
23 © Novell, Inc. All rights reserved.

24. Extend or create other objects
• Groups (Workgroups)
– objectClass: apple-group
• Computers
– objectClass: apple-computer
– macAddress: 01:23:45:67:89:ab
• Computer Groups
– Introduced in Leopard
> objectClass: apple-group
– Previously Computer Lists
> objectClass: apple-computer-list
24 © Novell, Inc. All rights reserved.

25. Managing preferences
• Can be applied to Users, Computers, Computer
Groups and Workgroups
• Extend relevant objects - can't currently use iManager
– apple-mcxflags: <leave blank>
– apple-mcxsettings: <leave blank>
– apple-mcxsettings2: <leave blank>
> Optional – continuation of apple-mcxsettings
• Use Workgroup Manager
– Command+D to skip initial authentication dialog
– Enable the Inspector to allow you to see raw directory data
> Workgroup Manager | Preferences... |  Show “All records” tab and inspector
25 © Novell, Inc. All rights reserved.

26. Demonstration

27. Issues
• For Administrators
– Fiddly to set up
– Tricky to manage, especially from a Mac
• For Users
– Finder does not understand NSS rights
> “iManager is the recommended method for managing rights” !
» Novell AFP for Linux Administration Guide (section 9.2.4)
®
– Changing password via System Preferences has not
always worked
> Can also change password via Finder
> Or create custom script to change password via LDAP
27 © Novell, Inc. All rights reserved.

28. Suggestions
• Rename your AFP volumes to remove server element
– So server.VOLUME becomes VOLUME
– Normally suggested for cluster environments
– Will then match CIFS experience – easier for users
• Create a LoginHook that runs a script to set up a user's
home directory when they log in
– The ? icon in Dock might alarm some users
– When user logs in for the first time Desktop, Downloads and
Library folders are created in home directory
> Documents, Music and Pictures folders are initially missing and are created
as necessary
– /System/Library/User Template/<Language>.lproj/ is not used
28 © Novell, Inc. All rights reserved.

29. Other Options?

30. Domain Services for Windows
• Directory Utility includes an Active Directory plug-in
• No need to make schema changes to the AD domain
to get basic user account information
• Samba access to NSS volumes
• Configure Macs using Directory Utility or dsconfigad
– Change Mappings under Advanced Settings and Options
> UID: uidNumber
> user GID: gidNumber
> group GID: groupMembership?
• Time is important (as always!)
– Beware Mac helpfully rewrites server lines in /etc/ntp.conf
30 © Novell, Inc. All rights reserved.

31. Kanaka (Condrey Corporation)
• Current version requires a Novell NetWare server
® ®
– Version 2 will not
• Supports AFP and CIFS (SMB)
• Simple or Universal Password
• Windows-based install of server component ...
• Web interface via Novell Remote Manager (port 8009)
– As per DocXchanger
• Minimal additions to Novell eDirectory schema
™
• Mac clients can receive MCX Settings from Kanaka
– Or from Mac OS X Server
31 © Novell, Inc. All rights reserved.

32. Dynamic File Services for Windows
• Perhaps you're already running Microsoft Windows
Servers … ?
• We already know Macs like Windows Servers
• Connect to network shares (SMB)
• Use a third-party AFP product?
32 © Novell, Inc. All rights reserved.

33. SUSE Linux Enterprise Server
®
• Netatalk (or Samba)
– Spotlight can index volumes
– Can use volume as Backup Disk for Time Machine
> Version 2.0.5
– Question about scalability
• OpenLDAP
– Extend schema by copying files to /etc/openldap/schema
– Create objects as per Novell Open Enterprise Server process
®
33 © Novell, Inc. All rights reserved.

34. Novell Identity Manager ®
• Can be used to provision users in Novell eDirectory ™
– or Active Directory (free Novell Identity Manager Bundle Edition)
– or Open Directory
> Scripting Driver is supported on Mac OS X (Intel)
• Can be used to extend user and other objects
34 © Novell, Inc. All rights reserved.

35. The Administrative Experience

36. iManager for Mac OS X … !
36 © Novell, Inc. All rights reserved.

37. Administration
• iManager
– Safari is not a supported web browser!
– No version of iManager Workstation for Mac OS X
• ConsoleOne ®
– Unsupported except for Novell GroupWise 8 and ZENworks 7
® ®
– No version for Mac OS X
• LDAP
– Use LDIF files
• Apple Workgroup Manager
– Included with Server Admin Tools available for free from Apple
– Use for managing MCX settings
37 © Novell, Inc. All rights reserved.

38. Administration (continued)
• Novell Identity Manager
®
– Designer can be made to run on Mac OS X
> Limited functionality (missing JClient so no NCP access)
> www.novell.com/communities/node/9637/idm-designer-your-macintosh
• Novell Support Advisor
– Linux install can be copied to Mac OS X and run
> Limited functionality
> Plans to produce Mac installable version
• Apache Directory Studio
– Use to test LDAP and create LDIF files
– directory.apache.org
38 © Novell, Inc. All rights reserved.

39. What else can you do?
• NetBoot Server (bootp/dhcp, tftp and nfs/http)
– Apple's use of dhcp does not quite observe RFC 2131!
• Bonjour
– Avahi added in Novell Open Enterprise Server 2 SP2
®
– … but January 2010 Scheduled Maintenance 20100130 patch
breaks AFP on 32-bit servers
> See TID 7005351
– By default only Apple File Sharing, Workgroup Manager and
SSH services advertised
> Can easily advertise additional services (e.g. for iPrint)
39 © Novell, Inc. All rights reserved.

40. Other Novell Products?
®

41. Other Novell products? ®
• Access Manager (BorderManager replacement?)
®
– Includes SSL VPN client for Mac (PowerPC 10.4, Intel 10.5)
• GroupWise ®
– Includes client for Mac (but Snow Leopard not officially
supported until Novell GroupWise 8.0 Support Pack 2)
– Safari is a supported web browser for WebAccess client
• Teaming
– Safari is a supported web browser
• ZENworks ®
– Asset Management can inventory Mac OS X clients (10.2.4 +)
– Patch Management supports Mac OS X clients and servers
(10.2.8 - 10.4.7)
41 © Novell, Inc. All rights reserved.

42. Other Apple devices?
• Specifically iPad, iPhone and iPod Touch
• ITIC's 2009 Global IT and Technology Trends Survey
– “... 50% [respondents] ... plan to increase integration with ...
products such as the iPhone to allow users to access corporate
Email and other applications”
• ActiveSync Connector (Datasync)
• MonoTouch
– Allows developers to create C# and .NET based applications
– Requires an Intel-based Mac, Apple's iPhone SDK and
membership of Apple's iPhone Developer Program
42 © Novell, Inc. All rights reserved.

43. Discussion

44. Some ideas
• Novell Client for Mac? ™
• Directory Services for Mac?
– Since we have Domain Services for Windows ...
• ZENworks Configuration Management
®
– Allow us to manage Mac OS X clients (MCX?)
• Novell GroupWise vs. Exchange
® ®
– Snow Leopard has built-in support for Microsoft Exchange
Server 2007 ...
• Novell Open Enterprise Server
– Add support for Dynamic Storage Technology, Spotlight and
Time Machine to AFP
• Support Safari!
44 © Novell, Inc. All rights reserved.

45. Mac community support from Novell ®
Good?
Bad?
Ugly?
45 © Novell, Inc. All rights reserved.

46. Log enhancement requests
www.novell.com/rms
46 © Novell, Inc. All rights reserved.

47. Other Sessions
• CL115 Novell Open Enterprise Server:
®
Roadmap and Futures
• CL116 File Access in Novell Open Enterprise
Server 2 SP2
47 © Novell, Inc. All rights reserved.

48. Resources
• MacEnterprise.org
• AFP548.com
• www.novell.com/communities/coolsolutions/ (smflood)
• forums.novell.com
– Native File Access
• www.apple.com/business/resources/
• support.apple.com/kb/HT3186
– Enabling Directory Service debug logging in Mac OS X 10.5+
48 © Novell, Inc. All rights reserved.

49. And finally ...
Apple once urged us to think different
Simon says think Novell !
®
49 © Novell, Inc. All rights reserved.

51. Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc.
Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope
of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified,
translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc.
Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a
product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in
making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents
of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any
particular purpose. The development, release, and timing of features or functionality described for Novell products
remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to
make changes to its content, at any time, without obligation to notify any person or entity of such revisions or
changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc.
in the United States and other countries. All third-party trademarks are the property of their respective owners.