
Introduction to NDS for Developers


CHRIS ANDREW
RAD/Scripting/Solutions Manager
Java Technology Group

ED SHROPSHIRE
NDS Developer Program Manager
Developer Services

01 May 1999

This article is an excerpt from Novell's NDS Developer's Guide published by Novell Press in 1999. It presents some reasons you might not have thought of for using NDS and the high-level tools available for development. It discusses why a directory is necessary, what the components of a directory are, which Novell applications use NDS, and why it is important for you to enable your applications with NDS.

Introduction

The following article is an excerpt from Novell's NDS Developer's Guide published by Novell Press in 1999. The authors of this book are a select group of Novell internal engineers chosen for their expertise and experience. Each is directly involved in development of the specific technologies covered in this book:

  • Chris Andrew, RAD/Scripting/Solutions Manager, Java Technology Group

  • Bill G. Bodine, Senior Software Consultant, Novell Consulting Services

  • Kent Boogert, Senior Software Engineer, Java Technology Group

  • Brian G. Brown, Senior Software Engineer, Java Technology Group

  • Karl Bunnell, Senior Software Engineer, Novell Consulting Services

  • David Fox, Software Engineer Consultant, Java Technology Group

  • Michael G. Hiatt, Senior SDK Writer, Java Technology Group

  • David Shelley, Software Engineer, Java Technology Group

  • Ed Shropshire, NDS Developer Program Manager, Developer Services

  • Jim Thatcher, Senior Software Engineer, Advanced Development

  • David Ward, Software Engineer, Java Technology Group

  • Daniel Wilson, Senior Software Engineer, ConsoleOne Development

The purpose of this book is to provide a guide for all programmers regardless of the language and interface they are using. It shows why NDS is so valuable and easy for you to use. Chapters 1 through 6 look more at high-level development, whereas Chapters 7 through 13 look at low-level interfaces.

Also included with this book is exclusive Novell software included on CD-ROM which includes sample code, developer kits, program information, and support material that will speed your study and implementation of the programming concepts presented. For ordering information see the Novell Press Web site at http://www.novell.com/books.

Until recently, many people have thought of directory services such as Novell Directory Services (NDS) as a great way to manage network users and resources. Now, developers are starting to realize the advantages of using a directory.

As Dr. Eric Schmidt, President and CEO of Novell, Inc. recently said, "The directory is as important as SQL was to databases 15 years ago." Dr. Schmidt also stated, "Without a directory you can't do much of anything in a networked world."

Developing directory-enabled applications allows developers to build more powerful applications faster, and with a lower Total Cost of Ownership (TCO). This article helps you to understand how developers can really benefit from using a directory.

Directory and Directory Service Basics

A directory is more essential today than ever before, because location-independence is the force defining networking in the 1990s. The line between the Internet, intranets, and corporate networks is blurring, because digital information is flying everywhere, and end-users usually don't know where the information originates and don't care as long as they can access it. Like information, people too are mobile as never before. Fewer end-users and administrators are tied to single desktops and specific geographical work locations. Workgroups are fluid. And wherever people are located, they require access to digital information.

The typical business network is becoming location-independent. The directory provides information, applications, and communications to people wherever they might be, inside and outside the organization, often from servers scattered around the globe. Because of this trend, directory services, which organize network resources and make them readily accessible, are hot technologies.

A directory service is a database of objects, users, applications, network devices, and other resources that you might find on a network. A directory service, at least in part, is an object-oriented database representing network users and resources. It helps to manage relationships between people and networks, network devices, network applications, and information on the network.

A directory service provides administrators with a single, logical, and concise view of all network resources and services. It offers access through a secure login and organizes network resources (users, printers, workgroups, applications, volumes, file servers, database servers, objects, and so on) hierarchically in a directory tree. A directory service provides security by controlling access and supplying some degree of fault tolerance.

Two ways that a directory manages relationships are through authentication and authorization. For authentication to take place, both the user and the network components need to identify themselves to each other, to ensure that both are who they say they are and to prevent anyone from getting in between to steal information. Authorization occurs once a user is authenticated. The network allows authenticated users to manage or use network resources for which they have rights. Rights are distributed globally, organizationally, or across workgroups and then managed by exception at the individual user levels.

Until recently, the value of a directory service was linked almost exclusively to centralized file and print service management. But developers and other IT professionals are discovering the power of directory services for user access, system management, and application development.

A directory-enabled application uses and/or stores information in a directory. Applications that are not directory-enabled may soon be isolated islands. Their value will be compromised, because network users and administrators will be unable to find them on the network. NDS, a true directory services product, provides secure, location-independent access to the widely dispersed Internet/intranet/network resources that today's increasingly mobile end-users need.

Just as individuals have identities within an organization based on their individual needs, departmental needs, and organizational needs, identities are created in NDS to provide users with access to the resources they need to successfully complete their assignments. For example, all employees in an organization are given an office, desk, and telephone just because they are employed. The network should do exactly the same. Every individual in an organization should have access to specific resources, such as the employee benefits and telephone databases. Beyond this, individuals within a particular division or group should automatically be given access to network resources associated with their division or group. This access should be effective when the user account is created or dynamically applied to existing users.

Dynamic inheritance within NDS makes this concept of a digital persona possible. Users may have requirements that are specific to their individual and organizational needs. For example, a user may be given access to specific network resources associated with the user's employment in the Accounting department. Additional network access may be granted because the user is also a member of a task force that is investigating a specific issue. Additional privileges may be granted based upon location. And, certain privileges may be granted to all members of the organization. The dynamic inheritance of NDS creates the effective rights of the user by combining all of these access privileges.

NDS provides the framework to build these hierarchical relationships into the network. NDS then grants access to network resources, based both on the privileges that are given specifically to the individual and on the privileges that the individual inherits due to group memberships and location within NDS. This ability to grant network access to individuals and have the individual inherit additional access privileges creates each individual's unique digital persona.

By building applications that consume the functionality provided by NDS, you create software with features that are far more flexible and robust than they would be without NDS. Moreover, you don't have to build and promote your own access and administration methods. As a result, you can speed up your product cycle and concentrate on your own areas of development and marketing expertise and let Novell build and market the directory component of your application. No reason exists to do it all from scratch when an outstanding, cost-saving solution is ready-made and accessible today.

NDS: A True Directory Service

Unlike products with limited functionality that are called "directories" or "directory services," NDS is a true directory service, because it is a database that lists and provides access to every resource on your network. This database helps you to manage relationships between people and networks, network devices, network applications, and information on the network.

NDS provides administrators with a single, logical, and concise view of all network resources and services. It offers single sign-on access through a secure login and organizes network resources (users, printers, workgroups, applications, volumes, file servers, database servers, routers, objects, and so on) hierarchically. And, of course, it provides security by keeping the criminals and the curious from logging on. The bottom line is that NDS simplifies, automates, and protects information and information technology.

NDS provides maximum flexibility and control in building and deploying applications. Simply, applications that you build that are directory-enabled are aware of the network. Enabled applications can query and log in to network services, discover new services, and register application-specific information that can then be administered, managed, and secured across the network, rather than on individual client or server machines.

NDS adds tremendous functionality to your application, with minimal investment of your time or money. Beyond global directory lookups, NDS not only provides the better-known benefits of a single sign-on and a single point of administration, NDS also gives you a powerful network database and the potential for new levels of automation and interactivity for your application.

For example, with the extensibility of NDS, you can modify the directory schema to add application-specific attributes or information that automates how applications and users interact. Just as users and resources are managed across the network from the directory, your application can also benefit from the anytime, anywhere access control, management, and security attributes of a global directory. So, instead of requiring your application to perform its own login and password security access, it can leverage NDS for this information.

NDS provides the ability to automate how an application can log in to the network and gain access to services, thus lowering your application's TCO by providing a single point of administration, management, and distribution. NDS can serve as the universal link between disparate (and distant) workstations, servers, hubs, routers, databases, operating systems, network environments, individual users, workgroups, organizations, and your application.

NDS acts as a repository of information. It enables you to keep tabs on every resource on the entire network and increase the availability and security of business-critical resources. For example, NDS is distributed, fully replicated, and fault-tolerant. Because of replication, users can log in once and access services from any server on the network. In the event of a server failure, NDS automatically reroutes user requests to the closest replicated server, without users taking any action.

NDS organizes network resources (called objects) in a hierarchical tree structure, called the directory tree. A company or organization can arrange objects in the directory tree according to its organizational structure (like an org chart), which usually represents how people access and use company resources.

An NDS object is contained in an Organizational Unit (OU), which in turn can be contained in another OU. Granting resource access to a single user is possible, as is granting resource access to an OU, in which case all objects (such as users) inherit the access granted to the OU they are in. OUs are discussed in more detail in Chapter 2.

For example, users Joe and Mary on the Marketing team at Oracle have login names: Joe.mktg.oracle and Mary.mktg.oracle, respectively. The Marketing team requires access to a printer in another group called ColorPrinter.sales.oracle. The administrator can either grant Joe and Mary access to this printer separately (two steps) or grant the entire Marketing OU (mktg.oracle) access to this printer (one step).

Granting access to the OU simplifies administration, because adding a third member to the Marketing team and giving that person access to this printer simply involves adding the new member into the Marketing OU. The new person automatically inherits the access rights of the Marketing OU. Inheritance is an example of rule-based administration and is what differentiates NDS (a hierarchical directory tree) from its competitors, which offer only a flat file-name service.
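The one-step versus two-step administration described above comes down to how effective rights are computed: a trustee assignment made on a resource for a container applies to every object inside that container. The following Python model is an added example, not code from the book or from NDS itself; it uses the dotted names from the text (Joe.mktg.oracle, Mary.mktg.oracle, ColorPrinter.sales.oracle) and constructed names for a third marketing user and a sales user. The right name "Browse" is borrowed from NDS object rights purely as a label; the trustee and resource model is a simplification for illustration.

```python
"""Effective-rights model for a hierarchical directory (constructed example).

A trustee assignment is stored per resource as {trustee: set(rights)}.  A user's
effective rights on a resource are the union of the rights granted to the user
itself and to every container the user sits in (its context chain).
"""
from dataclasses import dataclass, field


def ancestors_or_self(name: str) -> list[str]:
    """Return a dotted name followed by each containing context, leaf first.

    'Joe.mktg.oracle' -> ['Joe.mktg.oracle', 'mktg.oracle', 'oracle']
    """
    parts = name.split(".")
    return [".".join(parts[i:]) for i in range(len(parts))]


@dataclass
class Directory:
    objects: set = field(default_factory=set)
    # resource name -> {trustee name: set of rights}
    acl: dict = field(default_factory=dict)

    def add_object(self, name: str) -> None:
        self.objects.add(name)

    def grant(self, resource: str, trustee: str, rights: set[str]) -> None:
        """Make `trustee` (a user or a container such as 'mktg.oracle') a trustee of `resource`."""
        self.acl.setdefault(resource, {}).setdefault(trustee, set()).update(rights)

    def effective_rights(self, resource: str, user: str) -> set[str]:
        """Union of rights granted directly to the user and inherited from its containers."""
        if user not in self.objects:
            raise KeyError(f"unknown object {user!r}")
        entries = self.acl.get(resource, {})
        rights: set[str] = set()
        for trustee in ancestors_or_self(user):
            rights |= entries.get(trustee, set())
        return rights


def build_example() -> Directory:
    """Constructed tree: the Marketing OU is granted access to a printer in Sales."""
    d = Directory()
    printer = "ColorPrinter.sales.oracle"
    for name in ("Joe.mktg.oracle", "Mary.mktg.oracle", "Sam.sales.oracle", printer):
        d.add_object(name)
    # One step: every object in mktg.oracle inherits Browse on the printer.
    d.grant(printer, "mktg.oracle", {"Browse"})
    # Management by exception: Sam in Sales is granted access individually.
    d.grant(printer, "Sam.sales.oracle", {"Browse"})
    return d


def demo() -> dict[str, set[str]]:
    d = build_example()
    printer = "ColorPrinter.sales.oracle"
    # Adding a third marketing member requires no new trustee assignment.
    d.add_object("Ann.mktg.oracle")
    return {
        user: d.effective_rights(printer, user)
        for user in ("Joe.mktg.oracle", "Mary.mktg.oracle", "Ann.mktg.oracle",
                     "Sam.sales.oracle")
    }


if __name__ == "__main__":
    for user, rights in demo().items():
        print(f"{user:22} {sorted(rights)}")
```

Running the module shows Joe, Mary and the newly added Ann all holding Browse on the printer through the single OU assignment, while Sam holds it only because of the explicit per-user exception; a user in another OU with no assignment gets an empty set, which is the default-deny behaviour you want from a directory.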

NDS and X.500

NDS is a fully functional directory service that is based on the X.500 international standard. The International Standards Organization (ISO) and Consultative Committee for International Telegraphy and Telephony (CCITT) created X.500 to provide standards to enable the creation of a truly interoperable, distributed, worldwide directory service.

In fact, Sara Radicati, founder of the Radicati Group, a directory services consultancy, states in her book, X.500 Directory Services Technology and Deployment, that NDS "uses the exact X.500 design specification for the naming model, directory database, and the server to server operations. Yes, all of the features and functions described in the X.500 standard are implemented in NDS. NDS, however, provides significant functionality beyond the X.500 specification, providing a complete networking infrastructure that links users to network services, applications and data."

Although NDS is very closely aligned with X.500, some differences exist between the two, specifically in the protocols used in NDS, not in the architecture. Novell chose to implement lighter-weight protocols over the heavyweight Open System Interconnection (OSI) defined by X.500. Because the differences are in the protocols only, you can easily provide interoperability solutions to enable NDS and X.500 to interoperate fully.

Also worth noting is that NDS and the Lightweight Directory Access Protocol (LDAP) form a great synergistic fit because of their common lineage: NDS is based on X.500, and LDAP is based on the X.500 directory access protocol (DAP).

NDS Features and Benefits

Aside from being rock-solid and making it easy to discover and access applications on the network, NDS adds value to your applications in other ways. Some of the features that make NDS so beneficial include the following:

  • Single point of administration

  • Single sign-on

  • Security

  • Fault tolerance and accessibility

  • Scalability

  • Adaptability

  • Shared Object Store database

  • Service location

By enabling and leveraging these features in your applications, you will simplify the network administrator's workload, gain the approval of end-users, and save money. Any product that can do all that will certainly get a second look from IT decision-makers as they watch their bottom line. The next several sections look closer at each of these features.

Single Point of Administration

In Fortune 1000 companies today, a user is likely to be registered in as many as 14 different proprietary directories. So, not surprisingly, according to a recent Gartner Group study, approximately 73 percent of the total cost of owning a network is incurred in administration costs alone.

NDS lowers TCO and dramatically reduces grunt work for administrators by storing and replicating information across servers. NDS is accessible at a single point anywhere on the map, and personal user information can be updated across applications with a single entry. In addition, with NDS, network administrators no longer have to spend hours visiting each user's workstation to install or upgrade applications.

Single Sign-on

NDS enables users to access applications through a single sign-on, which means that one-password access to any authorized resource on the network is possible. Your application can verify that a user object has been authenticated to NDS and leverage this authentication. For example, a user can log on to the network with a single password and user ID and then access an Oracle database securely, without having to go through a different login/authentication process all over again.

Logging in to the directory tree is done through an authentication service that is based on RSA public-key/private-key encryption technology. This authentication mechanism (discussed in more detail in the next section) guarantees secure and controlled access to services, applications, and data with a single sign-on and authentication.

Security

Network security is an issue of critical importance these days. By developing your application to integrate with NDS, you can leverage the integrity and security of the directory itself. Instead of having the user profile information located on the client machine, it can be stored in NDS. That way, the profile information is centrally located for fault-tolerance and management, and access is tightly controlled.

As previously stated, to give users access to network services, NDS uses an authentication service that is based on the RSA public-key/private-key encryption/decryption algorithms. This authentication mechanism uses a private key attribute and a digital signature to verify a user's identity. Authentication is session-oriented, and the client's signature is valid only for the duration of the current session. However, the client doesn't have to be reauthenticated every time that the user asks for additional services or applications, because reauthentication takes place automatically in the background. Thus, the integrity of directory-enabled applications is protected and secure, and the user can access resources globally and easily.

NDS provides powerful access control that enables developers to ensure that only the data that they want to expose ever reaches the light of day. For example, your product might require that a Social Security attribute be added to the user object. NDS, through its access control lists (ACLs), provides the capacity to restrict access to an individual attribute, so that only authorized personnel in Human Resources can read this or any other kind of confidential information.
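The attribute-level restriction described above is worth seeing as a filter applied on every read and write: an object carries an ACL per attribute, and a requester receives only the attributes on which it holds Read. The Python below is an added example, not code from the book or from NDS; it uses the Social Security attribute from the text under the constructed name socialSecurityNumber, the constructed contexts hr.oracle and mktg.oracle, and a constructed placeholder value for the confidential data. Right names Read and Write are used as labels only.

```python
"""Attribute-level access control on a directory object (constructed example).

Each attribute has its own trustee list.  A requester's rights on an attribute
are the union of rights granted to the requester and to the containers it sits
in.  Reads return only the attributes the requester may see (default deny).
"""


def ancestors_or_self(name: str) -> list[str]:
    """'Pat.hr.oracle' -> ['Pat.hr.oracle', 'hr.oracle', 'oracle']"""
    parts = name.split(".")
    return [".".join(parts[i:]) for i in range(len(parts))]


class DirectoryObject:
    def __init__(self, name: str, attributes: dict[str, str]) -> None:
        self.name = name
        self.attributes = dict(attributes)
        # attribute name -> {trustee name: set of rights}
        self.attribute_acl: dict[str, dict[str, set[str]]] = {}

    def grant(self, attribute: str, trustee: str, rights: set[str]) -> None:
        self.attribute_acl.setdefault(attribute, {}).setdefault(trustee, set()).update(rights)

    def rights_on(self, attribute: str, requester: str) -> set[str]:
        entries = self.attribute_acl.get(attribute, {})
        rights: set[str] = set()
        for trustee in ancestors_or_self(requester):
            rights |= entries.get(trustee, set())
        return rights

    def read(self, requester: str) -> dict[str, str]:
        """Return only the attributes on which the requester holds Read."""
        return {
            attr: value
            for attr, value in self.attributes.items()
            if "Read" in self.rights_on(attr, requester)
        }

    def write(self, requester: str, attribute: str, value: str) -> None:
        """Reject the update unless the requester holds Write on that attribute."""
        if "Write" not in self.rights_on(attribute, requester):
            raise PermissionError(f"{requester} may not write {attribute} on {self.name}")
        self.attributes[attribute] = value


def build_user() -> DirectoryObject:
    """Constructed user object with one confidential attribute."""
    joe = DirectoryObject("Joe.mktg.oracle", {
        "CN": "Joe",
        "Telephone Number": "555-0100",           # constructed value
        "socialSecurityNumber": "000-00-0000",    # constructed placeholder
    })
    # Everyone in the organization may read the public attributes.
    joe.grant("CN", "oracle", {"Read"})
    joe.grant("Telephone Number", "oracle", {"Read"})
    # Only the HR container may read or change the confidential attribute.
    joe.grant("socialSecurityNumber", "hr.oracle", {"Read", "Write"})
    # The user may update their own telephone number.
    joe.grant("Telephone Number", "Joe.mktg.oracle", {"Write"})
    return joe


def demo() -> dict[str, dict[str, str]]:
    joe = build_user()
    return {
        "Mary.mktg.oracle": joe.read("Mary.mktg.oracle"),
        "Pat.hr.oracle": joe.read("Pat.hr.oracle"),
    }


if __name__ == "__main__":
    for requester, visible in demo().items():
        print(f"{requester:18} sees {sorted(visible)}")
```

A colleague in Marketing sees the name and telephone number but never learns that a socialSecurityNumber attribute exists, while a reader in hr.oracle sees all three; a write to the confidential attribute from outside HR raises PermissionError rather than silently succeeding.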

NDS is virtually impossible to crack from the outside. Authentication to NDS enables the network to verify who's gaining access and which resources are located where, and the administrator is the only person who can alter the configuration of the network and directory.

And, as NDS continues to gain momentum toward becoming the universal, cross-platform, Internet/intranet directory, its security will continue to stand out. NDS, as a fully authenticated global directory with built-in RSA encryption and C2-level certification, safeguards data within any directory-enabled, internetworking application or service, another strong incentive to NDS-enable your products.

Fault Tolerance and Accessibility

NDS is a fully distributed and replicated database. But why should that matter to you? Because fault tolerance is achieved by segmenting the NDS database into manageable pieces (partitioning) and distributing it across the network (replicating). In addition, NDS data can be placed close to your users who need it, thereby providing optimal performance when you access the network.

NDS partitions are copied or replicated across the entire network as many times as necessary. If a primary or master partition is lost, the network begins using other copies of the partition. This dynamic directory increases your network's reliability and enables you to construct a system in which server failure, maintenance of a server, or temporary loss of a communications link does not affect your users. The benefits of maintaining a constant network, as well as being able to recover from a disaster, can be immeasurable in today's networks.

Scalability

Because your application is designed to work in a variety of settings, you expect a company's network to be equally dynamic. NDS is scalable to any size and type of network. Because of its flexible partitioning and replication, NDS makes all the parts fit, from the OU down to individual applications, objects, and nodes on the network. NDS's schema is extensible and customizable; for example, a user object can be extended to include a social security number, an emergency contact number, and shoe size. Application objects can also be extended to include any number of attributes. And, whether a company is growing, merging, or downsizing, the people in the company will always be able to access your directory-enabled software. NDS is designed to accommodate growth, and new resources can be added to the network with a simple point and click of the mouse. NDS is also perfectly appropriate for small networks, the kind of single-server installations with fewer than 25 users that use intraNetWare for Small Business. For such networks, NDS helps to organize the operation internally, while establishing links to the Internet and to other network platforms used by suppliers and customers.

Adaptability

The structure of a directory tree is regulated by the directory schema, a rules system that defines how the directory tree is structured, including what objects can be defined, what attributes can be associated with objects, what properties objects inherit, and what positions objects occupy in the directory tree. For example, a user object can be extended to include a social security number and an emergency contact name and telephone number. You can also add third-party services to the network; for example, you can add fax-server functionality by adding a fax server object and application to the directory tree.

Shared Object Store Database

With your expertise in software development and Novell's know-how in directory services, you can focus on creating a killer application while leaving the creation of an object store database up to Novell. Object store databases have become extremely important with the growing popularity of objects and components in the developer environment and across the Internet and intranets. By leveraging NDS, you simplify your workload while enabling your application to take advantage of object- and component-based computing. And that's smart work.

Service Location

The traditional way of making a service viable on a network is to use a Service Advertising Protocol (SAP) to announce its existence. Generally, the SAP is broadcast every 60 seconds, by default, either through every segment of the network or to specific network segments using a NetBIOS name server. NDS is essentially a tool for locating and using network resources and by making services objects on the directory, NDS obviates the need for SAPs, thus reducing network traffic and making the developer's job a lot easier.

On the client side, the end-user or network administrator can browse the directory and determine whether a particular kind of service object is available that suits them. Moreover, it will be a secure object, one that has been registered and authenticated to the network.

Novell Products and NDS

Novell's CEO, Dr. Eric Schmidt, lauds many of Novell's products that "tap the power of NDS." As he has said, "NDS is the best directory for ... enabling applications to become distributed network services." This section explains how Novell is using the power of NDS in the following products:

  • Z.E.N.works

  • BorderManager

  • NDS for NT

  • GroupWise

  • Novell Distributed Print Services (NDPS)

This discussion should provide you with a better idea of some of the ways that you can use NDS to improve your products.

Z.E.N.works

The cost of managing the workstations that are attached to the network is the single largest cost of owning and maintaining any network. IT organizations are focused on the TCO. Users often wait days or even weeks to have a desktop issue resolved. Novell's Z.E.N.works (Zero Effort Networking) provides directory-enabled software management and distribution, as well as desktop management, to reduce the complexity of workstation management and lower the TCO.

By keeping the power of the PC with the user, Z.E.N.works removes barriers to user productivity and allows the experts (network administrators) to leverage NDS for greater productivity.

NDS stores a digital identity for every employee in an organization. Z.E.N.works establishes, manages, and maintains this digital persona.

Enhancing Information Stored Within NDS

Z.E.N.works stores the following types of information in NDS:

  • Which applications an individual is able to access

  • Which printers the individual requires access to

  • Where the individual should go for help when a problem occurs

  • How the PC should look and feel (its background, screen saver, and so forth)

  • Who, if anyone, is able to remotely access the individual's PC

This configuration information is then automatically delivered to any PC anywhere in the organization. The configuration information enables network users to always get a familiar interface and to access network resources that have been assigned to their digital persona, regardless of the PC that is used. This is possible because the dependencies that have historically been stored at the local PC are transferred to NDS.

Application Distribution

Access to the latest applications is key to user productivity. Yet, getting software and upgrades to desktops can be a costly and never-ending chore. Network administrators need an efficient solution to give users throughout the company, regardless of location, easy and consistent access to the latest applications.

The application-management solution in Z.E.N.works leverages NDS to reduce the cost and complexities of distributing and managing applications. The same tools that are used to manage the entire network (users, groups, printers, and so forth) can now be used to manage the applications that are used throughout the network. These applications can be installed and executed on the network or on each individual's PC.

Desktop Maintenance

Through Z.E.N.works, network administrators can create an NDS help desk policy that contains information such as the E-mail addresses and phone numbers of the help desk. Users have access to this data through the Z.E.N.works Help Request application.

With a few mouse clicks, network administrators can use Z.E.N.works to distribute the Help Request application to all users in an organization. Thereafter, when a user needs help, the user simply clicks the Help Request icon, which gives the user the choice of sending E-mail or calling for help. If the user clicks mail, the message is routed to the appropriate help desk staff, as defined in the HelpRequest policy. Then, Z.E.N.works automatically adds information to the E-mail, such as the user's NDS context (location in the tree) and the NDS context of the workstation that the user currently is using. This E-mail can be sent by using GroupWise or any MAPI interface.

BorderManager

BorderManager provides directory-enabled centralized management for maximum flexibility with maximum benefit. In many companies, more than two-thirds of a typical IS budget is allocated for administration and troubleshooting. BorderManager is integrated with Novell NetWare and NDS to provide an integrated, enterprise-wide user database and configuration database, to save time and money.

BorderManager's centralized administration reduces the personnel requirements, cost, and configuration errors that can occur with a distributed administration scheme. Some border-management solutions take a server-based approach to management. However, in a large enterprise, the need to manage the intranet on a server-by-server basis places enormous demands on the system-management team. In addition to having to manage each server independently, the server-based approach requires the management team to make sure that business and access rules are accurately maintained at each Web server in the enterprise, as well as on each internal LAN network.

Integration with NDS assures simple, central management and user-level granularity. BorderManager's network-centric border-management system eliminates the administrative bottleneck that often occurs when providing users access to the services they need. BorderManager provides a single point of administration across all network borders, including the Internet, corporate intranet, E-mail accounts, and the corporate network. NDS applies access rules, defined in BorderManager, seamlessly throughout the enterprise and reduces chances of error.

BorderManager's integration with NDS also enables administrators to manage people, not just IP addresses. This unique feature of NDS allows BorderManager to apply security policies uniformly from wherever the user logs in: an assigned workstation, a mobile laptop, or a business associate's computer. Border products oriented to IP addresses track machines, not people, and lead to unnecessary complexity in implementing and managing security rules.

System managers take advantage of the centrally administered NDS user database to define security and service rules at whatever level of granularity is required. Simple point-and-click controls allow administrators to specify access rules at any level, for maximum flexibility, including the user, group, IP device, server, global, application, or time level. Even URL content can be defined as a parameter through Microsystems CyberPatrol Internet content filter.

Administrators can control access to Internet/intranet content in the following ways:

  • User: Any specific user can be allowed or denied access wherever a user authenticates to the network, not just from the user's primary access node.

  • Group access: Specific user groups can be allowed or denied access.

  • IP device: Specific IP devices or IP networks can be allowed or denied access to all or part of the Internet/intranet.

  • DNS host name: Specific DNS hosts can be allowed or denied access to all or part of the Internet/intranet.

  • Server: Gateway access and some network controls can be set at the host server level.

  • Global: Global rules can be set to deliver a uniform security policy for a company's entire network.

  • Application: Access can be set to authorize or disallow the Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Real Audio, Real Video, and other application-level protocols.

In addition, with Novell BorderManager and using the power of NDS, enterprises can enhance back-end security in the following ways:

  • Control outbound access from intranets to the Internet

  • Control worldwide inbound access from the Internet to intranets, such as access to internal Web servers, with appropriate security controls in place

Through the power of NDS, Novell BorderManager enables organizations to connect their intranets to the Internet in an integrated, flexible, and secure manner, while boosting performance. BorderManager also enables organizations to take advantage of the broad reach and low cost of the Internet to link sites through worldwide Virtual Private Networks (VPNs). VPNs combine sites into subnetworks that run on top of their existing enterprise networks. In turn, VPNs combine the intranet and the Internet and allow organizations to serve multiple constituencies (internal workers, customers, vendors, and so on) over the same network. Each constituency sees only the VPN that it is authorized to use, and NDS makes it all possible. As workgroups and enterprises continue the trend toward geographically dispersed, global IS infrastructures, VPNs and other Internet-based solutions will become commonplace, as will the need for NDS.

NDS for NT

Novell is in the network services business. More than ever, NT provides the opportunity to integrate the entire network and lower the cost and complexity for your intranet and Internet. To have services that work across the network, you have to have a directory service that spans the network. But talking about directory services is like talking about how the television picture gets into your home. Frankly, users probably don't care, just as long as it works and they don't have to call an expert every time they want to tune in a new channel.

So, the fact that NDS is being delivered for NT shouldn't make a big difference to you, and you'll probably realize that you have more network resources without having to log in several times or call your IS person. NDS for NT is simple yet powerful and does the following for your network:

  • Gives you a single login

  • Provides a single point of administration for your entire network

  • Dramatically cuts your total cost of owning a network

  • Makes your network more reliable, scalable, and secure

  • Makes your network available every hour of every day, anywhere in the world

In addition to the previous NDS benefits, NDS for NT enhances domains in the following ways:

  • Reduces the complexity and cost of managing domains

  • Simplifies the deployment of NT applications

GroupWise

GroupWise uses Novell Directory Services to lower the cost of network ownership. NDS helps to reduce administrative time and effort.

Directory Replication and Synchronization

The GroupWise directory is synchronized with NDS. GroupWise replicates the address book information from NDS into the GroupWise directory. GroupWise is able to obtain user information from NDS without requiring that it be reentered just for GroupWise. The GroupWise directory is built on top of an indexed database. This fully replicated database provides very fast lookups for the GroupWise address book.

Management and Administration

GroupWise uses NetWare Administrator (NWAdmin) for application and user management, which provides several benefits for systems administrators. One benefit is that administrators don't need to learn how to use a new tool to administer GroupWise. The second benefit is that administrative information is stored in NDS. Because the information comes from NDS, the information needs to be entered only once. For example, the same phone information entered for a NetWare user account is used in GroupWise, too.

NWAdmin is written to enable applications to "snap in" and to extend the NWAdmin User Interface to support extensions to NDS. GroupWise's NWAdmin Snapin provides the ability to edit GroupWise-specific objects and attributes in NDS. In addition, the GroupWise NWAdmin Snapin adds interfaces for all the GroupWise object classes previously described, and allows all GroupWise utilities to be accessed from the tools menu in NWAdmin.

User Authentication (Single Sign-on)

Starting with the release of GroupWise 5.5, NDS authentication is used to provide users with single sign-on. This helps both users and administrators: users have one less password to remember, and administrators don't have to take the time to help users who forget their passwords.

Novell Distributed Print Services

Novell Distributed Print Services (NDPS) is designed to take full advantage of Novell Directory Services. Users receive all the benefits of NDS security and the easy management provided by an advanced and robust directory service. For example, administrators can group and manage all of their printers by department, by workgroup, or by location. Users can search for printers with specific capabilities, because those capabilities are properties of the NDPS printer object.

NDPS Is Backward-Compatible

NDPS is fully backward-compatible, which makes NDPS well-suited for heterogeneous networks. In addition, NDPS is fully compatible with all types of printers, regardless of whether they have been configured to take advantage of the advanced features that NDPS offers. NDPS can be configured to work with NPRINTER and queue-based technology, in conjunction with NetWare 4.11. The backward-compatibility and cross-platform support offered by NDPS ensure that any current printers that are configured with NPRINTER and QMS will work just as they always have, even if you don't convert them to NDPS status when you initially install NDPS on your system.

Reduced Network Traffic

Currently, when new printers are added to a network, they immediately begin advertising their availability, which results in increased network traffic. This advertising continues as long as the printer is active. Under NDPS, however, when printers are added to the network, they are registered with the NDPS Service Registry, a single registration agent that takes over responsibility for notifying clients of each printer's availability. Printers will no longer slow down a network due to SAP traffic.

How Novell Partners and Customers Use NDS in Their Applications

This section is about how Oracle, a major Novell partner, enhances its applications by using NDS, and how Clemson University is using NDS to simplify and enhance its network. In addition, hundreds of other companies are using NDS to enhance their products.

Oracle

Oracle integrates its database software with NDS to provide single sign-on and native naming capabilities to its users. The single sign-on feature automatically authenticates users to an Oracle database, based on their operating system (NDS) login. No Oracle username and password are needed, and the login is secure. The native naming feature enables users to connect to an Oracle database by specifying the database object name in the directory tree, instead of specifying an Oracle service name. These powerful capabilities ease administration in a multiserver, multidatabase network.

Integrating with NDS enables Oracle to exploit the power of NDS. The cost of administration is reduced, because much of the user account configuration needs to be done only at the operating system level. Oracle's integration with NDS is independent of the networking protocol being used to connect to the Oracle7 Server. As long as the client workstation has an NDS login, the user can use TCP/IP to connect to Oracle and still take full advantage of all the features of Oracle's integration with NDS. The following are the standard Oracle operating system security features that have been enhanced by integrating Oracle with NDS:

  • User Authentication (Single Sign-on)

  • Administrator Authentication

  • Role Identification

  • User Mappings

  • Native Naming

User Authentication (Single Sign-on)

Oracle authenticates users who are connecting to Oracle from a secure operating system connection. Users are created with the same name as the user's operating system name plus an optional prefix. With NDS, administrators can build a flexible mapping of NDS users to Oracle users. For example, an NDS user connects as an Oracle user, a group of NDS users connects as one Oracle user, or all NDS users in an OU connect as one Oracle user. This last example is a powerful feature, because it enables an administrator to give database access to a new user in an organization simply by creating the user in the appropriate location in the directory tree.

Administrator Authentication

Oracle uses an operating system (OS) group to authenticate users who are connecting as SYSDBA or SYSOPER. Members who are authenticated to connect to Oracle as SYSDBA or SYSOPER have the right to start or stop the Oracle server. With NDS, administrators can assign these privileges to an NDS user or group of users through Novell's NWADMIN utility (NetWare Administrator, a utility that is used to manage the entire network from a single location).

Role Identification

Oracle enables roles when a user connects based on the user's OS group membership. OS groups must be named in a specific way for Oracle to recognize and grant the roles. With NDS, administrators can build a flexible mapping of NDS groups to Oracle roles.

The preceding features have been greatly enhanced by taking advantage of NDS. Oracle has extended the NDS schema to include an Oracle Instance class. The Oracle Instance object is a regular NDS object that has an administration interface based on the NetWare Administrator interface. The Oracle Instance object behaves as a native NDS object, and is administered from the NetWare Administrator in exactly the same way as any other NDS object. Access to the Oracle Instance object is completely controlled by the usual access rights, as defined in the NetWare Administrator for other NDS objects. In addition, attributes have been added to the User, Group, and OU objects to support the services previously explained. Furthermore, Oracle uses the NWADMIN to completely administer all Oracle user functionality.

The Oracle Instance object acts as a mediator between the Oracle and NDS security domains. This object is an object-oriented abstraction of the Oracle Instance in the directory tree. All configuration of OS-authenticated users and OS role identification is performed through this object. In fact, for administrator convenience, all possible Oracle user configuration operations can be achieved directly from this object.

User Mappings

User Mappings enables users to create free-form mappings between NDS users and Oracle users, for the purpose of operating system authentication (single sign-on). The User Mappings screen enables users to connect to Oracle directly, so that "live" mappings can be made between NDS users and Oracle users. While connected, new Oracle users can be created directly. All Oracle user administration can be achieved directly from within this interface: assign default and temporary tablespaces, set tablespace quotas, assign a profile, and grant system privileges and roles.

The User Mappings screen supports a free-form mapping between any NDS user, Group, or OU to any Oracle external user. No limit exists on the naming conventions for Oracle users. The mapping of Groups or OUs allows an unlimited number of people to share the same Oracle user account. This practice is common for applications that are built using Oracle, because it makes administration of the application schema easier.

NDS provides global naming for NetWare services, and the same is true for Oracle's use of NDS. The NDS user who logs in to the Oracle7 Server doesn't need to be created on, or logged in to, the NetWare server on which Oracle is running. As long as the user and the server are defined in the same NDS tree, authentication works transparently and securely.
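The User Authentication and User Mappings sections above describe three ways an NDS identity can be mapped to an Oracle account (a single user, a Group, or everyone in an OU), plus the default of using the OS user name with an optional prefix, and Role Identification describes mapping NDS groups to Oracle roles. As an added worked example (code written for this article, not Oracle's or Novell's integration code), the resolver below applies those mappings to a user's distinguished name. The dotted typeful DN layout, the precedence (explicit user mapping, then group, then nearest containing OU, then the prefixed OS name), the "OPS$" prefix and the sample mapping tables are assumptions.

```python
"""Resolve which Oracle account an NDS identity connects as, and which roles it
receives, from user / group / OU mappings of the kind described above.
Illustrative code for this article; not Oracle's or Novell's code.
Assumed: DN format, precedence order, default prefix, sample mapping tables."""
from dataclasses import dataclass, field


@dataclass
class NdsIdentity:
    dn: str                 # e.g. "CN=alice.OU=Eng.OU=HQ.O=Acme" (assumed layout)
    groups: tuple = ()      # DNs of the Group objects the user belongs to


def normalize(dn: str) -> str:
    """Case-insensitive comparison of DNs (assumption for this example)."""
    return dn.strip().upper()


@dataclass
class OracleInstanceMappings:
    """Mapping tables that the text says live on the Oracle Instance object."""
    user_map: dict = field(default_factory=dict)   # user DN  -> Oracle user
    group_map: dict = field(default_factory=dict)  # group DN -> Oracle user
    ou_map: dict = field(default_factory=dict)     # OU DN    -> Oracle user
    role_map: dict = field(default_factory=dict)   # group DN -> set of Oracle roles
    os_prefix: str = "OPS$"                        # optional prefix for OS-named users

    def __post_init__(self):
        self.user_map = {normalize(k): v for k, v in self.user_map.items()}
        self.group_map = {normalize(k): v for k, v in self.group_map.items()}
        self.ou_map = {normalize(k): v for k, v in self.ou_map.items()}
        self.role_map = {normalize(k): set(v) for k, v in self.role_map.items()}


def containing_ous(dn: str):
    """Yield the DN of every container above the object, nearest container first."""
    parts = dn.split(".")
    for i in range(1, len(parts)):
        yield ".".join(parts[i:])


def resolve_oracle_user(ident: NdsIdentity, maps: OracleInstanceMappings):
    """Return (oracle_user, reason). Precedence: user > group > nearest OU > default."""
    dn = normalize(ident.dn)
    if dn in maps.user_map:
        return maps.user_map[dn], "user mapping"
    for g in map(normalize, ident.groups):
        if g in maps.group_map:
            return maps.group_map[g], f"group mapping via {g}"
    for ou in containing_ous(dn):
        if ou in maps.ou_map:
            return maps.ou_map[ou], f"OU mapping via {ou}"
    # Default rule from the text: same name as the OS user plus an optional prefix.
    cn = dn.split(".")[0].split("=", 1)[-1]
    return maps.os_prefix + cn, "default OS-name rule"


def resolve_roles(ident: NdsIdentity, maps: OracleInstanceMappings) -> set:
    """Union of the Oracle roles granted to each NDS group the user belongs to."""
    roles = set()
    for g in map(normalize, ident.groups):
        roles |= maps.role_map.get(g, set())
    return roles


# Constructed sample mappings (not from the article).
SAMPLE = OracleInstanceMappings(
    user_map={"CN=dba1.OU=Eng.OU=HQ.O=Acme": "DBA1"},
    group_map={"CN=Payroll.OU=HQ.O=Acme": "PAYROLL_APP"},
    ou_map={"OU=Eng.OU=HQ.O=Acme": "ENG_SHARED"},
    role_map={"CN=Payroll.OU=HQ.O=Acme": {"PAYROLL_CLERK"},
              "CN=Reporting.OU=HQ.O=Acme": {"READ_ONLY"}},
)


if __name__ == "__main__":
    for ident in [NdsIdentity("CN=dba1.OU=Eng.OU=HQ.O=Acme"),
                  NdsIdentity("CN=alice.OU=Eng.OU=HQ.O=Acme"),
                  NdsIdentity("CN=bob.OU=Sales.OU=HQ.O=Acme", ("CN=Payroll.OU=HQ.O=Acme",)),
                  NdsIdentity("CN=carol.OU=Sales.OU=HQ.O=Acme")]:
        user, why = resolve_oracle_user(ident, SAMPLE)
        print(f"{ident.dn:40} -> {user:12} ({why}; roles={sorted(resolve_roles(ident, SAMPLE))})")
```

The OU mapping is what lets an administrator grant database access simply by creating a user in the right container, as the text notes; the nearest-container-first walk means a mapping on a sub-OU overrides one on its parent.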

Native Naming

The directory is the repository for all services on the network, and access to any network service should use the directory to find the service. In previous releases of NetWare, services would advertise themselves via SAP and then would be recorded in binderies on NetWare servers across the network. NDS replaces the need for advertising via SAP, because services can be found by querying the directory. Oracle has taken advantage of this feature directly.

The Oracle integration with NDS represents the most flexible security integration with any operating system currently available for Oracle. This enables an Oracle database administrator to delegate security administration completely to a network administrator, who may have little knowledge of Oracle, but will still be able to set up or update an Oracle user's security access through NDS. In addition, because the Oracle Instance object is just another object in the directory tree, even the right to browse this object can be denied, and hence make the Oracle Instance object invisible to selected users.

The combination of Oracle and NDS makes a flexible, powerful, and manageable solution for security management and provides a maintenance-free client configuration environment.

Clemson University

Clemson's vision for integrating its computing infrastructure with NDS was aggressive. The mission: provide over 30,000 users (students, faculty, and campus employees) with easy access to personal storage space and collaborative work space. Clemson's LAN Systems team envisioned everyone (students, employees, and even friends of Clemson) connected easily through a vast network in which even printers could be defined in labs, lecture halls, offices, dormitories, and remote locations. The university faced an ever-increasing state of distributed computing, with various flavors of UNIX (including a mail server based on Sun Microsystems' Solaris OS and an IBM MVS mainframe system) as well as departmental and workgroup Windows NT servers in the mix. Lastly, Clemson needed a way to protect Web pages, and the information behind them, when being accessed by various Web-serving software.

Integrating NDS campus-wide in 1995 solved some big problems for Clemson's user base and IT administration; however, bringing NDS into full production introduced another not-unexpected hurdle. Everyone was using NDS authentication and a single password to log in to various systems on campus, but users still had to log in to the campus mainframe with a separate password. This meant that over 30,000 people still had to log in separately to the mainframe for housing and course-registration access, a source of confusion for students, faculty, and others, as well as a support bottleneck for administrators.

Clemson has always been a strong development shop, so it set about designing a system to meet its needs. Its first efforts to synchronize the passwords proved to be quite challenging, because NDS's strong security makes trapping a password change in NDS and forwarding it on to other systems nearly impossible. Also, Clemson discovered from working with NDS that data synchronization is tricky without reliable time synchronization between systems as a basis. Clemson's team of developers decided that, instead of trying to synchronize passwords with other systems, other systems would simply use NDS to authenticate in real time.

Clemson's authentication server project, referred to as CUPID, pushed the development of NDS APIs by developing tools to manage numerous user IDs, home directories, and collaborative storage spaces. Clemson's development team added a variety of functions that push NDS security out onto its network, to embrace all the heterogeneous systems on the campus network. For example, Clemson's implementation of NDS can authenticate a user and verify whether that user has permission to access data on a specific system to which the user wants to log in. To accomplish this, Clemson's developers wrote a set of NetWare Loadable Modules (NLMs) to accept requests from other systems, and created hooks on the other systems to redirect both local user authentication and password change requests to the NLM. The team spent two months prototyping and four months more developing and testing the production version of the code.

As a result of integrating these various systems through NDS, the Clemson network administrators now keep the entire system, including the campus mainframe, secure and organized, offering users trouble-free login access. All userid operations are automated. As students register for the first time and later graduate, userids are generated and deleted automatically. Similarly, employee accounts are automated as people are hired and leave the university. In addition to providing users with single-password logon to access information resources, another important benefit of Clemson's NDS integration is the location-independent access to information enjoyed by everyone, whether on or off campus. Clemson University's campus-wide NDS integration illustrates the functional and market advantages of NDS for building high-performing directory-based solutions that operate seamlessly in mixed environments. Clemson's implementation of NDS as a cornerstone of its technology infrastructure is clearly a winning application.

Novell's DeveloperNet Program

Before you write your first NDS application, you should go to the Novell developer Web site and join Novell's developer program, DeveloperNet. Entry-level membership is free and gives you access to all development tools, products, information, and technical support that you need to build and deliver NDS-enabled applications and leverage Novell's many other network services.

Aside from a multitude of development options and myriad new services to come, Novell is supporting developers in every way possible, with the goal of providing a straight and simple path to a common services engine for all major operating systems. By leveraging NDS, developers, administrators, and end-users alike can take advantage of whatever services they want, with technology enabling instead of impeding the process. Novell has a long tradition of integrating systems and products from multiple vendors. No company has as much experience as Novell at melding diverse technologies and existing IT infrastructures into cohesive, manageable networks, which is a big reason why more than 60 million users connect to Novell servers and networks every day.

* Originally published in Novell AppNotes


Disclaimer

The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.

© Copyright Micro Focus or one of its affiliates