automated single login access to Novell storage resources


Kanaka for Mac 2.1: Providing Mac OS X automated single login access to Novell storage resources. Doug Ouzts, Technical Trainer, douzts@condreycorp.com

Agenda Current Novell and Mac Integration Challenges Kanaka for Mac 2.1 Overview Kanaka for Mac 2.1 Technical Architecture Kanaka for Mac 2.1 Requirements Interactive Training

Integration Challenges Between Apple and Novell: Developing software for Mac environments has not been a priority with Novell. Client software is either nonexistent or out of date. Integration tends to be workarounds rather than solutions. The problem is actually integrating Macs in Novell networks. Developing software for Mac environments has not been a priority with Novell, and client software is either nonexistent or out of date, so customers are having to come up with workaround integration scenarios that are extremely complex to learn and configure. I will go over examples of these in the next few slides.

Complex to Configure Manually: 1. Configure for simple or universal password in the eDirectory tree. 2. Ensure AFP or CIFS is installed and configured. 3. Ensure that each Mac can resolve the server’s host name. 4. Edit the SSL certificate on each Mac. 5. Extend the eDirectory schema. 6. Verify the extended schema. eDirectory first has to be configured for simple or universal password. Then you need to make sure that either the Apple Filing Protocol or CIFS is installed and configured on the network. It’s at Step 3 where everything starts getting hard. To ensure that each Mac can resolve the server’s host name, you need to go to each Mac and create a local host line in /etc/hosts. You then need to edit the SSL certificate on each Mac. This is a lengthy process of entering new lines and deleting existing lines in each Mac’s certificate. Steps 3 and 4 can be made simpler if there is a methodology in place for imaging Mac OS X. To extend the schema, you can use iManager or ConsoleOne, but this is slower, so the instructor recommended using LDAP command-line tools. You then check the schema through iManager, ConsoleOne, or LDAP.

Complex to Configure Manually (cont.): 7. Extend user objects. 8. Create mount volumes for each volume you want to access. 9. Configure each Mac to authenticate to eDirectory. 10. Set additional preferences in eDirectory. User objects are extended in ConsoleOne, iManager, or LDAP through a complex command line. Mount volume objects involve first creating a container to store them, then using ConsoleOne, iManager, or LDAP to create mount objects for each server volume. You then need to go back to each Mac and, based on which Mac OS version is running, dig around and configure the LDAPv3 plug-in, manually create and edit a new LDAP connection, set up search and mappings, add LDAPv3 to the search policy, and test it. You then need to extend or create other objects as needed (such as Groups). Then you need to set additional preferences in eDirectory where needed. The disclaimer at the bottom is somewhat true because when the instructor demonstrated this, it failed to work. Provided you put in all of the time to learn to understand and perform each step, this approach might work.

Manual Configuration Requires Ongoing Configuration: As users are added, moved, renamed, or removed, the extended user object needs to be reconfigured. When a new Mac is added, one half of these steps must be repeated. If a home directory path is moved, the mount objects need to be updated. Now, assuming this does work, this configuration must be maintained and partially reconfigured when users are added, moved, renamed, or removed. By just adding a new Mac, you need to do many of the previous steps. And if you move a home directory, which is very common, you need to modify the mount objects.

What about the “Magic Triangle Configuration”? Capability of integrating a Mac client system and two differing directories to provide the information for both login and management. Tips for doing so are scattered among Mac “Tips & Tricks” documents, forum discussions, and the Apple Open Directory Admin Guide. Significant investment in time to learn and then implement. The term “Magic Triangle” comes up a lot when talking about manual configuration between Mac OS X, Apple Open Directory, and another directory such as Novell eDirectory or Microsoft Active Directory. Again, this is a very complex process that, frankly, involves more time to learn and deploy than the previous 10-step outline I just went over.

Why Make Things More Complex than They Have to Be? The way we look at it, why make things more complex than you have to? The simple solution for integrating your Macs in Novell networks is already out there, and it will save you hours of configuration and ongoing management time.

Simplified Integration with Kanaka: Configure simple or universal password in the eDirectory tree. Ensure AFP or CIFS is installed and configured. Install the Kanaka Engine. Run the Setup Wizard. Install Kanaka on workstations. Log in and access storage resources. Kanaka for Mac reduces the complexity by automating many of the configuration steps I covered earlier. Once you configure for simple or universal password in eDirectory and ensure that AFP or CIFS is installed and configured, you install the Kanaka Engine on a host server, run the Setup Wizard, and configure storage resources and access policies. Next you install the Kanaka client or plug-in on the Mac workstations, and then log in as a Novell eDirectory user and access your storage resources.

Developed with Apple Directory Services Engineering Group Onsite cooperative engineering effort in 2005 Close developer association with Apple Apple Developer Connection member since 2005 Kanaka is recommended by Apple as a preferred solution for integrating Macs and Novell networks Kanaka was developed with the cooperative assistance from the Apple Directory Services Engineering Group. Condrey Corporation maintains a strong relationship with this group, and the group is so pleased with the result that they tend to recommend Kanaka to their customers that need integration with Novell networks.

How Kanaka Works: Authentication and storage access through Kanaka is quite simple because Kanaka is an identity-based product. Users authenticate to eDirectory through either the Kanaka Plug-in or the Kanaka Desktop Client. The Plug-in has no interface. The user just enters his or her username and password in the Mac OS X login window, and Kanaka, through eDirectory and the attributes stored for that user, determines the user and collaborative storage resources to mount. For example, if the user has a home directory and is a member of groups with storage on multiple volumes, Kanaka finds these and mounts them for access from the Mac desktop. The process is the same for the Kanaka Desktop Client, except the user authenticates through the specific Desktop Client login window.

Single Password Login Options: Kanaka Plug-in: Simultaneous authentication to eDirectory during Mac login. Mounts all user and group storage. Kanaka Desktop Client: Client login authentication to eDirectory. Both of these authentication and access methods are single password, contextless login methods, and both auto-mount all user and group storage.

Kanaka Plug-in Authentication: 1. Single Novell Simple or Universal password login. 2. Home directory and collaborative storage attributes retrieved. 3. Converts attributes into URL format for OS X to mount storage. URL can be AFP or CIFS. 4. Checks to see if eDirectory authentication is required to gain access to the desktop. Here is the process for authenticating through the Kanaka Plug-in. Item 4 is an item that you can enable or disable based on the needs of your users.

Kanaka Desktop Client Authentication Single Novell Simple or Universal password login. Home directory and collaborative storage attributes retrieved. Converts attributes into URL format for OS X to mount storage. URL can be AFP or CIFS. The authentication process for the Kanaka Desktop Client is even simpler.
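
The attribute-to-URL step in the two authentication flows above, as an added Python example (not Condrey's code and not part of the presentation). It assumes the home directory attribute arrives in a `volumeDN#namespace#path` form and that each volume DN has already been resolved to a host and volume name; the DNs, host names and function names are constructed for illustration.

```python
from urllib.parse import quote

# Constructed lookup: volume object DN (lower-cased) -> (server host, volume name).
# Assumption: a real deployment would resolve this from the directory.
VOLUMES = {
    "cn=fs1_data,ou=servers,o=example": ("fs1.example.com", "DATA"),
}
ALLOWED_SCHEMES = ("afp", "smb")  # the page names AFP and CIFS (smb:// on OS X)


class MountUrlError(ValueError):
    """Raised when a directory value cannot be turned into a safe mount URL."""


def parse_home_directory(value):
    """Split an assumed 'volumeDN#namespace#path' value into (volume_dn, segments)."""
    parts = value.split("#", 2)
    if len(parts) != 3 or not parts[0].strip():
        raise MountUrlError("expected volumeDN#namespace#path")
    volume_dn, _namespace, path = parts
    # NetWare-style paths use backslashes; normalise and drop empty segments.
    segments = [s for s in path.replace("\\", "/").split("/") if s]
    for seg in segments:
        # Directory data is input: refuse traversal and control characters.
        if seg in (".", "..") or any(ord(c) < 0x20 for c in seg):
            raise MountUrlError("unsafe path segment: %r" % seg)
    return volume_dn.strip().lower(), segments


def build_mount_url(value, scheme="afp", volumes=VOLUMES):
    """Return scheme://host/volume/path with every segment percent-encoded."""
    if scheme not in ALLOWED_SCHEMES:
        raise MountUrlError("unsupported scheme: %r" % scheme)
    volume_dn, segments = parse_home_directory(value)
    if volume_dn not in volumes:
        raise MountUrlError("unknown volume: %r" % volume_dn)
    host, volume = volumes[volume_dn]
    # safe="" also encodes '@', ':' and '/', so an attribute value cannot
    # change the host or smuggle credentials into the URL.
    path = "/".join(quote(s, safe="") for s in [volume] + segments)
    return "%s://%s/%s" % (scheme, host, path)


def is_rejected(value):
    """True if the value is refused rather than converted."""
    try:
        build_mount_url(value)
    except MountUrlError:
        return True
    return False


if __name__ == "__main__":
    home = "cn=FS1_DATA,ou=servers,o=example#0#users\\jdoe"  # constructed sample
    print(build_mount_url(home))
    print(build_mount_url(home, scheme="smb"))
```

The URL carries no user name or password, and names with extended characters are encoded as UTF-8 percent-escapes rather than passed through raw.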

Why Two Authentication Methods? Kanaka Plug-in Users in a computer lab setting Mac OS X 10.4 users Kanaka Desktop Client Users with assigned workstations and local accounts Users who do not want to go through the Login Window to access network storage resources Users who do not want to lose their workstation settings when accessing network storage resources Mobile users who frequently work at home and connect through VPN Prior to Kanaka for Mac 2.0, the only authentication and access method we offered was the Kanaka Plug-in. This method was great for Mac users in computer labs, or for people that kept their Macs in the office and always wanted to mount their Novell storage whenever they logged in. But many of our users were workstation users who didn’t want to lose their workstation settings when accessing Novell storage areas, or were laptop users on the road who wanted the ability to mount Novell storage through VPN and only when needed. For these users, the Kanaka Desktop Client is probably a better option for single password authentication and access.

Identity Determines User and Collaborative Storage Resources Home directory and collaborative storage links built dynamically at login Group membership automatically mounts associated group storage No machine dependency for accessing storage No need to remember location of storage No need to traverse from root of a volume down to a user’s storage No need to visit each machine to manually mount volumes Like all of Condrey Corporation developed products, Kanaka leverages the power of identity built into directory services—in this case, Novell eDirectory. Identity, not login scripts, is the means of determining what storage a user has rights to and what to mount for the user once authenticated. Identity means that there is no machine dependency for accessing storage, no need to remember the location of storage to mount, no need to traverse down a file path to mount storage, and no need to configure this mounting on a workstation basis.

The Players: eDirectory: Following context-less, single login, used by Kanaka to determine user and collaborative storage resources. Mac OS X: Initiates login process. Causes Kanaka Plug-in to authenticate to eDirectory and retrieve necessary user information. Apple Filing Protocol: After Kanaka determines home and collaborative storage attributes, AFP can be used to mount volumes. Novell Native File Access: Receives control structures from OS X. Eliminates need to log in to multiple servers. CIFS/SMB: After Kanaka determines home and collaborative storage attributes, CIFS/SMB can be used to mount volumes. Apple Open Directory: Kanaka integrates with Apple Open Directory to extend management of Mac OS X via Workgroup Manager. Kanaka utilizes a lot of players to make single password authentication and simplified access to Novell storage resources possible. I’ve mentioned eDirectory’s identity attributes already. AFP and CIFS/SMB are the standard protocol types that Kanaka converts home and collaborative storage attributes to so that they can be used for mounting via NFAP protocols. Kanaka utilizes some of the client capabilities built into Mac OS X for authentication. Novell Native File Access enables single password login and mounting of volumes via supported protocols. Apple Open Directory via Workgroup Manager provides added Mac OS X management features.

Mounting Home and Group Storage: Network resources are displayed on the desktop. Home directory and group storage mounts on the Dock or in the Mac Finder. Once authenticated, storage is mounted and can be configured to be accessed right from the Mac Dock. Here you see network resources, along with home and group storage directories mounted.

Kanaka Mobility: Leverages Apple’s Mobile Account feature. Provides Mac network and local login. Flexibility to configure mirroring so that network home directory and local home directory always contain the same data. Capable of reducing network traffic and network home directory quotas. By supporting Mac OS X Mobile Accounts, the Kanaka Plug-in allows you to set up an environment that reduces the amount of traffic on your network compared to that of Network Accounts. In lab environments, mobility provides the capability to log in to Mac OS X even if there is a network interruption.

Kanaka Plug-in Console Allows for the user to manage his or her eDirectory password. The Kanaka Plug-in Console is available only when using the Kanaka Plug-in. One of the capabilities it provides to end users is the ability to change their eDirectory passwords.

Kanaka Plug-in Console (cont.) Displays identity information from Novell eDirectory. It also provides the ability for the user to view some of the identity information stored about the user in eDirectory. Here you can even see information on when the eDirectory password is going to expire.

Kanaka Plug-in Console (cont.) Indicates storage capacity and usage. The Kanaka Plug-in Console can also display storage capacity and usage data for a home directory or a group storage area.

Enhancements to Kanaka 2.1: No NetWare dependencies. Kanaka Engine can be hosted on either Novell Open Enterprise Server 2, or Microsoft Windows Server 2008 or Windows 7. Improved management capabilities. Improved support for extended characters and object names. The most notable enhancement to Kanaka 2.1 is the elimination of NetWare as the host for the Kanaka Engine. The Kanaka Engine now runs on either a Novell Open Enterprise Server 2 or a Microsoft Windows Server 2008 or Windows 7 host. There are some improvements in the management capabilities, including an updated management interface. Managing license consumption no longer requires stopping and restarting the Kanaka Engine. Instead, you can pick and choose which workstations consume a license. And there is improved support for extended characters and object names.

Kanaka for Mac 2.1 Technical Architecture and Requirements

Architecture [diagram; labels: Mac OS X, Kanaka Client, Kanaka Plug-In, Kanaka Engine (Windows / OES 2), eDirectory (User, Group), <HTTPS>, <AFP/CIFS/SMB>, OES 2, NetWare, Context-less Authentication, Auto-mount Storage Resources, Policy, MCX Directives, Password Change, Disk Quota, MCX, Open Directory, Workgroup Manager]

Kanaka Requirements. Engine, Linux: Open Enterprise Server 2 (OES 2) SP2 or later. Engine, Windows (Windows OS Requirement): Windows Server 2008 or later; Windows 7 or later; Novell Client 2 SP1 IR4 or later. Desktop Client / Plug-In: Desktop Client: Mac OS X 10.5 or later. Plug-In: Mac OS X 10.4 or later. Plug-In Console

Kanaka 2.1 Prerequisites: Kanaka clients leverage eDirectory and Native File Access (NFA) technologies from Novell. Therefore, the configuration of these components is a prerequisite to the installation and configuration of the Kanaka client software on Mac OS X. Please reference the Kanaka Admin guide for more information on configuring NFA and Password Management.

Product Web Page http://www.condreycorp.com

Interactive Training Exercises

Questions and Answers Q & A