Presentation transcript: "automated single login access to Novell storage resources"
Slide 1: Kanaka for Mac 2.1

Providing Mac OS X automated single login access to Novell storage resources

Doug Ouzts, Technical Trainer
Slide 2: Agenda

- Current Novell and Mac Integration Challenges
- Kanaka for Mac 2.1 Overview
- Kanaka for Mac 2.1 Technical Architecture
- Kanaka for Mac 2.1 Requirements
- Interactive Training
Slide 3: Integration Challenges Between Apple and Novell

- Developing software for Mac environments has not been a priority with Novell
- Client software is either nonexistent or out of date
- Integration tends to be workarounds rather than solutions

The problem is actually integrating Macs in Novell networks. Developing software for Mac environments has not been a priority with Novell, and client software is either nonexistent or out of date. So customers are having to come up with workaround integration scenarios that are extremely complex to learn and configure. I will go over examples of these in the next few slides.
Slide 4: Complex to Configure Manually

1. Configure for simple or universal password in the eDirectory tree
2. Ensure AFP or CIFS is installed and configured
3. Ensure that each Mac can resolve the server's host name
4. Edit the SSL certificate on each Mac
5. Extend the eDirectory schema
6. Verify the extended schema

eDirectory first has to be configured for simple or universal password. Then you need to make sure that either the Apple Filing Protocol or CIFS is installed and configured on the network. It's at Step 3 where everything starts getting hard. To ensure that each Mac can resolve the server's host name, you need to go to each Mac and create a local host line in /etc/hosts. You then need to edit the SSL certificate on each Mac. This is a lengthy process of entering new lines and deleting existing lines in each Mac's certificate. Steps 3 and 4 can be made simpler if there is a methodology in place for imaging Mac OS X. To extend the schema, you can use iManager or ConsoleOne, but this is slower, so the instructor recommended using LDAP command-line tools. You then check the schema through iManager, ConsoleOne or LDAP.
Slide 5: Complex to Configure Manually (cont.)

7. Extend user objects
8. Create mount volumes for each volume you want to access
9. Configure each Mac to authenticate to eDirectory
10. Set additional preferences in eDirectory

User objects are extended in ConsoleOne, iManager, or LDAP through a complex command line. Mount volume objects involve first creating a container to store them, then using ConsoleOne, iManager, or LDAP to create mount objects for each server volume. You then need to go back to each Mac and, based on which Mac OS version is running, dig around and configure the LDAPv3 plug-in, manually create and edit a new LDAP connection, set up search and mappings, add LDAP v3 to the search policy, and test it. You then need to extend or create other objects as needed (such as Groups). Then you need to set additional preferences in eDirectory where needed. The disclaimer at the bottom is somewhat true because when the instructor demonstrated this, it failed to work. Provided you put in all of the time to learn to understand and perform each step, this approach might work.
Slide 6: Manual Configuration Requires On-going Configuration

- As users are added, moved, renamed, or removed, the extended user object needs to be reconfigured
- When a new Mac is added, one half of these steps must be repeated
- If a home directory path is moved, the mount objects need to be updated

Now, assuming this does work, this configuration must be maintained and partially re-configured when users are added, moved, renamed or removed. By just adding a new Mac, you need to do many of the previous steps. And if you move a home directory, which is very common, you need to modify the mount objects.
Slide 7: What about the "Magic Triangle Configuration"?

- Capability of integrating a Mac client system and two differing directories to provide the information for both login and management
- Tips for doing so are scattered among Mac "Tips & Tricks" documents, forum discussions, and the Apple Open Directory Admin Guide
- Significant investment in time to learn and then implement

The term "Magic Triangle" comes up a lot when talking about manual configuration between Mac OS X, Apple Open Directory, and another directory such as Novell eDirectory or Microsoft Active Directory. Again, this is a very complex process that, frankly, involves more time to learn and deploy than the previous 10-step outline I just went over.
Slide 8: Why Make Things More Complex than They Have to Be?

The way we look at it, why make things more complex than you have to? The simple solution for integrating your Macs in Novell networks is already out there, and it will save you hours of configuration and ongoing management time.
Slide 9: Simplified Integration with Kanaka

1. Configure simple or universal password in the eDirectory tree
2. Ensure AFP or CIFS is installed and configured
3. Install the Kanaka Engine
4. Run the Setup Wizard
5. Install Kanaka on workstations
6. Log in and access storage resources

Kanaka for Mac reduces the complexity by automating many of the configuration steps I covered earlier. Once you configure for simple or universal password in eDirectory and ensure that AFP or CIFS is installed and configured, you install the Kanaka Engine on a host server, run the Setup Wizard and configure storage resources and access policies. Next you install the Kanaka client or plug-in on the Mac workstations, and then log in as a Novell eDirectory user and access your storage resources.
Slide 10: Developed with Apple Directory Services Engineering Group

- Onsite cooperative engineering effort in 2005
- Close developer association with Apple
- Apple Developer Connection member since 2005
- Kanaka is recommended by Apple as a preferred solution for integrating Macs and Novell networks

Kanaka was developed with the cooperative assistance of the Apple Directory Services Engineering Group. Condrey Corporation maintains a strong relationship with this group, and the group is so pleased with the result that they tend to recommend Kanaka to their customers that need integration with Novell networks.
Slide 11: How Kanaka Works

Authentication and storage access through Kanaka is quite simple because Kanaka is an identity-based product. Users authenticate to eDirectory through either the Kanaka Plug-in or the Kanaka Desktop Client. The Plug-in has no interface: the user just enters his or her username and password in the Mac OS X login window, and Kanaka, through eDirectory and the attributes stored for that user, determines the user and collaborative storage resources to mount. For example, if the user has a home directory and is a member of groups with storage on multiple volumes, Kanaka finds these and mounts them for access from the Mac desktop. The process is the same for the Kanaka Desktop Client, except that the user authenticates through the Desktop Client's own login window.
Slide 12: Single Password Login Options

- Kanaka Plug-in:
  - Simultaneous authentication to eDirectory during Mac login
  - Mounts all user and group storage
- Kanaka Desktop Client:
  - Client login authentication to eDirectory

Both of these authentication and access methods are single password, contextless login methods, and both auto-mount all user and group storage.
Slide 13: Kanaka Plug-in Authentication

1. Single Novell Simple or Universal password login.
2. Home directory and collaborative storage attributes retrieved.
3. Converts attributes into URL format for OS X to mount storage. URL can be AFP or CIFS.
4. Checks to see if eDirectory authentication is required to gain access to the desktop.

Here is the process for authenticating through the Kanaka Plug-in. Item 4 is an item that you can enable or disable based on the needs of your users.
Slide 14: Kanaka Desktop Client Authentication

1. Single Novell Simple or Universal password login.
2. Home directory and collaborative storage attributes retrieved.
3. Converts attributes into URL format for OS X to mount storage. URL can be AFP or CIFS.

The authentication process for the Kanaka Desktop Client is even simpler.
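Step 3 of both flows (slides 13 and 14) turns the attributes retrieved at step 2 into afp:// or smb:// URLs that OS X can mount. The following is an added example modelling that conversion; it is not Kanaka's or Condrey's code, and the attribute names, value layout, host names and paths are constructed for the example. It also shows why the 2.1 extended-character support matters: each path segment is percent-encoded, and server values that are not plain host names are rejected before anything is handed to the mounter.

```python
import re
from urllib.parse import quote

# Constructed sample of the storage attributes retrieved for one user after
# login (step 2). The attribute names and value layout are assumptions made
# for this example, not eDirectory's or Kanaka's real schema.
SAMPLE_USER = {
    "cn": "dougo",
    "homeDirectory": {"server": "fs1.example.com", "volume": "USERS", "path": "dougo"},
    "groupStorage": [
        {"server": "fs1.example.com", "volume": "DATA", "path": "Training/Curricula"},
        {"server": "fs2.example.com", "volume": "DATA", "path": "Projets/Équipe Mac"},
        {"server": "fs1.example.com", "volume": "DATA", "path": "Training/Curricula"},
    ],
}

# Server values must be plain DNS host names: the URL is handed to the OS
# mounter, so a value containing '/', '@' or spaces must never reach it.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$")


def storage_url(entry, protocol="afp"):
    """Step 3: convert one storage attribute into a URL OS X can mount.

    protocol is "afp" or "cifs"; CIFS mounts use the smb:// scheme on OS X.
    Every path segment is percent-encoded so spaces and extended characters
    survive the trip through the URL (e.g. "Équipe Mac" -> "%C3%89quipe%20Mac").
    """
    scheme = {"afp": "afp", "cifs": "smb"}.get(protocol)
    if scheme is None:
        raise ValueError(f"unsupported protocol: {protocol!r}")
    if not HOSTNAME_RE.match(entry["server"]):
        raise ValueError(f"invalid server host name: {entry['server']!r}")
    segments = [entry["volume"]] + [s for s in entry["path"].split("/") if s]
    if any(s in (".", "..") for s in segments):
        raise ValueError(f"path escapes the volume: {entry['path']!r}")
    return f"{scheme}://{entry['server']}/" + "/".join(quote(s, safe="") for s in segments)


def mount_urls(user, protocol="afp"):
    """Home directory first, then each group storage area, without duplicates."""
    urls = []
    for entry in [user["homeDirectory"]] + user["groupStorage"]:
        url = storage_url(entry, protocol)
        if url not in urls:  # two groups may share one storage area
            urls.append(url)
    return urls


if __name__ == "__main__":
    for url in mount_urls(SAMPLE_USER, "afp"):
        print(url)
```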
Slide 15: Why Two Authentication Methods?

- Kanaka Plug-in
  - Users in a computer lab setting
  - Mac OS X 10.4 users
- Kanaka Desktop Client
  - Users with assigned workstations and local accounts
  - Users who do not want to go through the Login Window to access network storage resources
  - Users who do not want to lose their workstation settings when accessing network storage resources
  - Mobile users who frequently work at home and connect through VPN

Prior to Kanaka for Mac 2.0, the only authentication and access method we offered was the Kanaka Plug-in. This method was great for Mac users in computer labs, or for people that kept their Macs in the office and always wanted to mount their Novell storage whenever they logged in. But many of our users were workstation users who didn't want to lose their workstation settings when accessing Novell storage areas, or were laptop users on the road who wanted the ability to mount Novell storage through VPN and only when needed. For these users, the Kanaka Desktop Client is probably a better option for single password authentication and access.
Slide 16: Identity Determines User and Collaborative Storage Resources

- Home directory and collaborative storage links built dynamically at login
- Group membership automatically mounts associated group storage
- No machine dependency for accessing storage
- No need to remember the location of storage
- No need to traverse from the root of a volume down to a user's storage
- No need to visit each machine to manually mount volumes

Like all Condrey Corporation developed products, Kanaka leverages the power of identity built into directory services, in this case Novell eDirectory. Identity, not login scripts, is the means of determining what storage a user has rights to and what to mount for the user once authenticated. Identity means that there is no machine dependency for accessing storage, no need to remember the location of storage to mount, no need to traverse down a file path to mount storage, and no need to configure this mounting on a workstation basis.
Slide 17: The Players

- eDirectory: Following context-less, single login, used by Kanaka to determine user and collaborative storage resources.
- Mac OS X: Initiates the login process. Causes the Kanaka Plug-in to authenticate to eDirectory and retrieve the necessary user information.
- Apple Filing Protocol: After Kanaka determines home and collaborative storage attributes, AFP can be used to mount volumes.
- Novell Native File Access: Receives control structures from OS X. Eliminates the need to log in to multiple servers.
- CIFS/SMB: After Kanaka determines home and collaborative storage attributes, CIFS/SMB can be used to mount volumes.
- Apple Open Directory: Kanaka integrates with Apple Open Directory to extend management of Mac OS X via Workgroup Manager.

Kanaka utilizes a lot of players to make single password authentication and simplified access to Novell storage resources possible. I've mentioned eDirectory's identity attributes already. AFP and CIFS/SMB are the standard protocol types that Kanaka converts home and collaborative storage attributes to so that they can be used for mounting via NFAP protocols. Kanaka utilizes some of the client capabilities built into Mac OS X for authentication. Novell Native File Access enables single password login and mounting of volumes via supported protocols. Apple Open Directory via Workgroup Manager provides added Mac OS X management features.
Slide 18: Mounting Home and Group Storage

- Network resources are displayed on the desktop.
- Home directory and group storage mounts on the Dock or in the Mac Finder.

Once authenticated, storage is mounted and can be configured to be accessed right from the Mac Dock. Here you see network resources, along with home and group storage directories, mounted.
Slide 19: Kanaka Mobility

- Leverages Apple's Mobile Account feature
- Provides Mac network and local login
- Flexibility to configure mirroring so that the network home directory and local home directory always contain the same data
- Capable of reducing network traffic and network home directory quotas

By supporting Mac OS X Mobile Accounts, the Kanaka Plug-in allows you to set up an environment that reduces the amount of traffic on your network compared to that of Network Accounts. In lab environments, mobility provides the capability to log in to Mac OS X even if there is a network interruption.
Slide 20: Kanaka Plug-in Console

- Allows the user to manage his or her eDirectory password.

The Kanaka Plug-in Console is available only when using the Kanaka Plug-in. One of the capabilities it provides to end users is the ability to change their eDirectory passwords.
Slide 21: Kanaka Plug-in Console (cont.)

- Displays identity information from Novell eDirectory.

It also provides the ability for the user to view some of the identity information stored about the user in eDirectory. Here you can even see information on when the eDirectory password is going to expire.
Slide 22: Kanaka Plug-in Console (cont.)

- Indicates storage capacity and usage.

The Kanaka Plug-in Console can also display storage capacity and usage data for a home directory or a group storage area.
Slide 23: Enhancements to Kanaka 2.1

- No NetWare dependencies
- Kanaka Engine can be hosted on either a
  - Novell Open Enterprise Server 2
  - Microsoft Windows Server 2008 or Windows 7
- Improved management capabilities
- Improved support for extended characters and object names

The most notable enhancement to Kanaka 2.1 is the elimination of NetWare as the host for the Kanaka Engine. The Kanaka Engine now runs on either a Novell Open Enterprise Server 2 or a Microsoft Windows Server 2008 or Windows 7 host. There are some improvements in the management capabilities, including an updated management interface. Managing license consumption no longer requires stopping and restarting the Kanaka Engine. Instead, you can pick and choose which workstations consume a license. And there is improved support for extended characters and object names.
Slide 24: Kanaka for Mac 2.1 Technical Architecture and Requirements
Slide 25: Architecture

Architecture diagram (only the labels survive): a Mac OS X client running the Kanaka Client or Kanaka Plug-In, connected over <HTTPS> to the Kanaka Engine hosted on Windows / OES 2; the Engine applies Policy against eDirectory (User, Group) for Context-less Authentication, Auto-mount Storage Resources, MCX Directives, Password Change and Disk Quota; storage on OES 2 / NetWare is reached over <AFP/CIFS/SMB>; MCX is managed through Open Directory and Workgroup Manager.
Slide 26: Kanaka Requirements

Engine:
- Linux: Open Enterprise Server 2 (OES 2) SP2 or later
- Windows: OS requirement: Windows Server 2008 or later, or Windows 7 or later; Novell Client 2 SP1 IR4 or later

Desktop Client / Plug-In:
- Desktop Client: Mac OS X 10.5 or later
- Plug-In: Mac OS X 10.4 or later
- Plug-In Console
Slide 27: Kanaka 2.1 Prerequisites

Kanaka clients leverage eDirectory and Native File Access (NFA) technologies from Novell; therefore, the configuration of these components is a prerequisite to the installation and configuration of the Kanaka client software on Mac OS X. Please reference the Kanaka Admin Guide for more information on configuring NFA and Password Management.