The University of Vermont

Common Authentication and Network Services –

Generation 2:

The CAN-2 Services Project

A Common LAN Service deployed and managed by Alex Scortzaru, Lynne Meeks, Philip Phourde, and Geoff Duke has brought reliable, highly available file and print services to the UVM community.  This service shifted the challenges of server management from individual departments to CIT.  With few exceptions, this has been a very well received project.

But now, three years later, the servers and software used in the development of CLS are becoming antiquated and unstable.  Whither Common LAN?  We in Client Services believe that an upgrade and extension of Common LAN (leveraging our existing investment in NetWare NDS technology) could have substantial benefits to the University computing community.

This new project will embrace our existing file and print services, add desperately needed workstation management tools, and extend our authentication services to a variety of new platforms.  Thus, Common LAN Services (CLS) will become Common Authentication and Network Services, Generation 2 (CAN2 Services).

Why now?  What is the hurry?  Below are outlined several reasons why this project must begin immediately:

1. Security

The currently used incarnation of NetWare (4.11) does not support strong encryption.  No additional security patches or encryption patches will be forthcoming.

2. Hardware Age

The current Pandora and Calypso file server hardware is reaching the end of its warranty period.  Other systems of the same age on campus have started to fail (these were admittedly in harsher climates than the machine room).  We will have to upgrade hardware soon or face substantial downtime.

3. Hardware Limits

In the near-term, our servers are low on physical memory and storage space.  Use of the new SAN would be a great benefit, but this would be more easily accomplished with a more current NetWare version.

These systems also take up a huge amount of rack space.  Newer systems would require less space and power.

4. Software obsolescence:

NetWare 4.11 (our current platform) will cease to be supported this year.  At that time, we will no longer be able to obtain additional connection licenses, Novell support services, or any additional service and security updates.  Considering the longstanding issues with traditional (queue-based) Novell print services, IPX connectivity, and FTP services (all of which were fixed with the release of NetWare 5), this discontinuation of support will leave Common LAN in an unfortunate position.  We will be unable to fix or stabilize known issues.

We are really starting to feel the pain of maintaining an outdated OS:  IPX services are being pushed beyond their design limits and taxing Network Services, traditional NetWare storage volumes take excessive amounts of time to reinitialize after server failure and have very constraining “directory entry” limits, our FTP services are unstable, and our print services balk at large (<100 page) print jobs.

5. Departmental Server Absorption Opportunities:

With the imminent demise of "PhiloUVM", "UVMBWell", the recent attacks on "Career", and backup issues with "Cosmos", we have an excellent opportunity to retire several departmental servers and migrate their users to central services.  This would reduce the number of distributed server support calls fielded by Client Services and improve and stabilize services for all involved parties.

Over the past few years, the argument has been made that we should move from the NetWare platform to a different file sharing protocol.  There have been several reasons given for this proposal:  NetWare is a dying platform, the NetWare client is unstable, the world is moving toward Microsoft-based services, Samba is cheaper, NetWare does not use “Zoo authentication”.  Let’s look at these arguments.

1. NetWare is dead:

It is true that over the past few years, NetWare has lost a great deal of the file and print server market.  At one time, NetWare accounted for about 75% of all file and print servers.  By 2004, many experts predict that NetWare will have a mere 10% of the market. 

But does this mean that NetWare is dead?  No.  10% is a huge market.  Compare this to Solaris (~1%) and AIX (<.5%) and the picture becomes more clear.

2. The world is moving towards Microsoft:

True.  Does this mean that everyone will use MS services in the future?  Perhaps.  Within the next 10 years?  Probably not.  MS still has terrible cross-platform integration services.  Too many people need to ride out the service lives of their existing solutions before migrating fully to Microsoft services.  Until MS makes this easier to do, the world will not fully embrace Microsoft’s service offerings.

3. The NetWare client is unstable:

This really is not as true as it once was.  Since the release of NetWare Client 32 v3.2 and NetWare NT client 4.7 (over a year ago), the product has been rock-solid.  However, new NetWare services (Native File Access server, iFolder, Web Access Portal) reduce our dependency on the NetWare client.  If a system does not need advanced NetWare features (Novell Directed Print Services, Workstation Management, Remote Control), then the client does not need to be installed.

4. Samba is cheaper:

Although Samba is a “free” service, it is not without substantial implementation costs.  We in CIT still do not have encrypted Samba authentication or full NT Domain emulation active in our Samba implementation.  Samba has less robust login scripting, more antiquated print services, poorer group management, and merely adequate Windows 2000 integration.  We have not even begun to weigh the true migration and training costs of switching our users to Samba.

5. NetWare does not use “Zoo authentication”:

True.  This is not to say that it can’t in the future.  NetWare 5 is fully LDAP (X.509v3) compliant, and it supports various bulk account import features.  We could configure a new Common LAN Service to create accounts from CSO or CatCard office extracts.  Of course, we would need to make sure that these data feeds could be kept current and accurate:  Will all “Department of Nero-Psycho-Xeno-Biology” employees be entered as such?  When an employee shifts departments, will their entry be updated?  When their phone and email addresses are changed, will this be reflected in their entry?

Alternatively, the NDS has authentication plug-ins for AIX, Solaris, NT, Win 2000, and Linux.  These servers could reference NDS directly.  Using Novell's new NDS services across platforms, we may even be able to integrate the current Zoo-based home directories with NetWare based shared directories.  A preliminary look at these services for UNIX does not look overly promising, but in the interest of developing a unified "university directory", we should investigate these possibilities.

Of course, upgrading our current NetWare servers will not be without migration costs, either.  Why not move to a new platform while we are at it?  What makes a Windows, AFS, or Samba migration a particularly difficult proposal?  What is so great about NetWare 5 and 6 that we should spend money on it?

1. Dependent processes

Many administrative departments make heavy use of Novell shared directories with advanced permissions management.  Although many/most of these tasks could be accomplished with OpenAFS or Microsoft Win2k/Active Directory, migration will be expensive/time consuming.

Some departments with heavy CLS dependency:

a. Executive Offices

b. Human Resources

c. Financial Records

d. Risk Management

2. Workstation software management:

A common barrier to the implementation of projects on campus is the inability of CIT staff to roll out client software to our users.  Novell has long offered workstation management and application installation services.  An upgrade to NetWare 5/6 would allow us to use these services to ease deployment and upgrade of applications to users’ desktops.

3. Workstation remote control

The campus layout makes frequent visits to client desktops a great time consumer.  Also, the inability of helpline staff to “see” the client problem exactly as it appears hampers the easy resolution of technical support calls.  Remote desktop viewing and control software would ease these problems.  Unfortunately, the Open Source community offers few remote control solutions, and those that exist are problematic from a security perspective.  The use of Novell ZenWorks remote control would fill the need for desktop remote control without compromising security.

4. Directory Services

Novell currently offers an LDAP v3 compliant X.509 Directory Service with partitioning, cross-platform support (Solaris, Linux, NT, 2000, NetWare) and authentication plug-ins for many additional platforms (including AIX 4.3).  Novell NDS would increase the availability of a central, CIT-supported directory to servers and applications throughout the campus.

5. Native File Access:

For users who wish to avoid the NetWare client, or who use unsupported platforms, NetWare now offers SMB and AppleShare/IP file access services.  No client necessary, just authenticate and share.

6. Web Access:

NetWare 5 and later includes a NetWare port of Netscape Enterprise Server.  NES has an implementation of WebDAV that mimics Microsoft “Web Folders”.  This allows MS Office applications to access web directories as though they are mapped drives.  It is another “client-free” file access method.  Additionally, NES has a browser interface that allows users to upload and download files over SSL.  It is a simple way to gain file access over the Internet from anywhere in the world, with or without a NetWare client.

7. iFolder:

Beyond Native File Access, NetWare now offers iFolder:  a WebDAV-based file storage service which offers “anywhere access” to your files.  Using either a Windows-native iFolder client or a Web browser, users can connect to and update their files on the server.  iFolder supports “offline caching” of files.  Files appear to be stored locally and can be accessed when disconnected from the server.  When the client is reconnected, cached files are uploaded and synchronized with the server.

In conclusion, Common LAN has provided an excellent platform for file and print services at UVM for many years.  Unfortunately, our ability to expand this service has reached a bottleneck.  Lacking better solutions at this time, we propose the upgrade of Common LAN to the current NetWare offering from Novell.  We may also want to investigate the additional authentication services offered by Novell as part of this project.

Last modified September 20 2001 04:05 PM

© 2009 The University of Vermont - Burlington, VT 05405 - (802) 656-3131