The University of Vermont

Projects Under Development



File systems:

OpenAFS (Andrew File System)

Originally developed at Carnegie-Mellon, purchased by IBM/Transarc, and now released to the open-source community! The Andrew File System (AFS) is a multi-platform distributed file system which utilizes Kerberos for authentication. Although lacking some of the advanced features of its big brother DFS, AFS has a long history of stability and high performance. Free ports of AFS are available for all major UNIX flavors (AIX, Solaris, HP-UX, IRIX, Linux), Windows 95/98, Windows NT/2000, and Macintosh OSX. OpenAFS Windows clients approach native SMB file access in speed.

See www.openafs.org for details on the OpenAFS project. Transarc (a division of IBM) still maintains the commercial version of this product. See www.transarc.com for commercial AFS servers and clients.

CODA

Coda is a distributed network file system developed at Carnegie-Mellon University. Coda was inspired by the AFS file system, but shares no code with it. Coda extends AFS by offering offline caching for disconnected work (in other words, a system running Coda will continue to operate even after it has been forcibly disconnected from the network).

Although Coda can be installed on many different UNIX platforms, there has yet to be a good port to Windows. The CMU Coda folks are promising to put the largest development effort into Coda for Windows in the future. When they do, Coda may become the perfect cross-platform network file system. This would provide a network file system with a common name space and security model for all network clients. Under UVM's current model, DFS, Windows clients do not have direct access to the DCE/DFS security infrastructure. Under Coda they would. This, presumably, would simplify file system security management. See www.coda.cs.CMU.edu/ for details. Coda is not really ready for full-production use, and development has slowed of late. Unfortunately, this may soon become a dead project.

SAMBA

Enough information is available about this elsewhere. SAMBA is a UNIX implementation of the proprietary CIFS network file system used by Windows PCs. See www.samba.org for authoritative documentation and binary downloads.


Desktop Environments:

GNOME

The "GNU Network Object Model Environment". GNOME is a beautiful desktop operating environment. It is not a file manager, desktop explorer, application suite, or programming interface, but rather a combination of all of those things. The GNOME project is enormous in scope and significance. Why? Because all of the programs in the GNOME project share the following characteristics: they use a common "widget set" (GTK+) for a consistent look-and-feel, share common libraries for commonly-accessed routines (this makes programming easier), are provided with source code (thus allowing modifications and quality inspection), and are distributed under the GNU public license (in other words, IT'S ALL FREE!).

Some of the highlights of GNOME are the Sawfish window manager, GNOME Midnight Commander (a file system manager), Gnumeric spreadsheet, Abiword word processor, GNUCash financial management, GAIM Instant Messenger, and the incomparable GIMP (GNU Image Manipulation Program).

The "authoritative" distribution of GNOME comes from Ximian (formerly Helix Code). Most aspects of GNOME are under active and rapid development. Check Ximian for frequent updates.

GNOME was ported to Windows recently. In the near future, we may be able to run some of these excellent programs on the Windows platform with only a minimal struggle. This would allow users to have more applications common to UNIX and Windows platforms. See www.ximian.com for the Ximian GNOME distribution and www.gnome.org for more general information on the GNOME project and associated applications.

KDE

KDE (K Desktop Environment) is another X-Windows based operating environment. KDE is based on the Trolltech Qt libraries. KDE is perhaps more stable than GNOME, and provides a number of excellent integrated productivity applications.

See www.kde.org for news and download information. See www.koffice.org for information on KDE's integrated office application suite. See dot.kde.org (or "the dot") for KDE news.


Office Tools:

OpenOffice

OpenOffice is the successor of StarDivision's "StarOffice" (later bought by Sun). It is a full office suite with word processor, spreadsheet, presentation software, database, mail client, and web browser. OpenOffice will import and export many popular document formats, including MS Office documents. Best of all, OpenOffice is free! That's right, not $400 for a personal copy, $200 for an academic version, but free for everyone. OpenOffice is in beta development at the present time, but it still works pretty well.

OpenOffice runs on Windows, Linux, and Solaris. Beta binaries can be downloaded from www.openoffice.org, but do not expect much. The software is bugware at this time.

StarOffice

StarOffice 5.2 is available for free personal use at the Sun web site. StarOffice is not a beta or "bugware" product. It is a fully featured office suite ready for production use. Like OpenOffice, StarOffice contains word processor, spreadsheet, presentation software, database, mail client, and web browser components. You must register with Sun to complete the download. See www.sun.com/staroffice for details.


Directory/Meta Directory Services:

Novell Account Management/Novell Directory Services (NDS)

In the mid 1990s, Novell released a new version of their flagship product, NetWare, with a new directory called "NDS". NDS provided a visual database of all resources on the NetWare network. It brought directory partitioning and replication to the network, thus allowing users to log in from any networked workstation with a single user ID and password. Over the past few years, Novell spun off NDS as a separate project. It now can be integrated into Windows NT and 2000 servers, as well as Linux and Solaris devices. With the advent of the latest incarnation of NDS, Novell Account Management, no NetWare server is required at all! Users now can access resources on NT, 2000, NetWare, and Solaris servers using a single username and password. Additionally, Novell offers SmartCard authentication mechanisms. Authentication modules are available for an even greater diversity of platforms, including AIX, HP-UX, and Tru64 UNIX. A new offering from Novell titled "DirXML" makes it possible to synchronize many types of database information with NDS account data using an XML intermediary. DirXML ships with Lotus Notes and Microsoft Exchange connectors, but other connectors should be available soon. In the meantime, platform integrators will have to develop their own connectors from the DirXML toolkit.

As usual, all Novell products are commercial only, and no source code is available. However, Novell has gotten better about providing standard APIs for software developers. Any PAM-based applications which run on supported platforms can call on Novell for authentication.

Novell maintains an excellent web site with a very useful searchable knowledge base, fully indexed product manuals, and white papers. Visit www.novell.com for more information.

IBM/Tivoli SecureWay

An interesting suite of products, similar in many ways to Novell NDS, but using different back-end technologies and a different platform base. SecureWay offers user account management tools for OS/390 and OS/400 mainframes, 3270 applications, AIX, Solaris, OS/2 Warp, and NT servers, Novell NetWare systems, DCE applications, and numerous databases. Additionally, SecureWay includes a public key infrastructure with LDAP and DB2 backend technologies.

SecureWay is not really a directory service by itself, but rather a meta-directory which pulls in and manages accounts from diverse application and OS directories. This approach differs somewhat from the NDS approach, which attempts to replace local directory services. The SecureWay approach offers better cross-platform compatibility, but has more potential for mismanagement.

IBM and Tivoli provide a fair amount of loose documentation on these products as well as some free downloads. You can get started at www.tivoli.com/products/solutions/security/. Information specific to the IBM SecureWay directory product can be found in the IBM web maze at www-4.ibm.com/software/network/directory/.

iPlanet Meta Directory

iPlanet is similar in many regards to Tivoli SecureWay and NDS. The iPlanet suite developers place greater emphasis on "iPlanet applications" (programs written specifically to use the iPlanet directory service) than do Tivoli. Novell attempted a similar feat some years back with "GroupWise", an NDS-enabled groupware product. But unlike Novell, iPlanet also attempts to provide a meta-directory service to manage directories on platforms not written to iPlanet specs. iPlanet currently provides account management and authentication services for NT Domains, Solaris, AIX, HP-UX, Linux, Oracle, SQL, Sybase, Lotus Notes, and MS Exchange. iPlanet-enabled applications include messaging, calendar, and e-commerce transaction services.

iPlanet is undergoing rapid development and expansion. As this is a new project, its success will depend greatly on early acceptance by developers. Working on its side is the adoption of iPlanet technologies for the eduPerson cross-university meta-directory project. iPlanet uses several open standards including LDAP, Perl, PKI, SSL and X.509 to enable easy development and cross-platform deployment.

Lengthy marketese-laden product information and FAQs can be found at the iPlanet web site: www.iplanet.com.

Kerberos

I do not know if you can really call Kerberos a "Directory Service"; it is really more of an authentication protocol. Kerberos was developed at MIT and other academic institutions in order to provide secure authentication to information systems applications. Kerberos uses strong, two-way encryption to protect passwords and other data traveling on the network. Many UNIX-based services can be made to authenticate against Kerberos (email, web, telnet, ssh... pretty much everything), but more sophisticated establishment of credentials is not possible with Kerberos. Personal computer desktop authentication is one stumbling block with Kerberos.

See http://web.mit.edu/kerberos/www/ for authoritative information, source code, and binary downloads of Kerberos.

Note that DCE is a Kerberos-5 based system.


Authentication Tools:

PAM (Pluggable Authentication Modules)

PAM is a technology developed at Sun Microsystems, but now fully ported to Linux. PAM provides a standard authentication mechanism for applications developed on PAM-enabled platforms. When an application (such as logon, xserver, telnet, SSH, and FTP) requires user authentication, it makes a call to the PAM subsystem. PAM queries its installed authentication modules using parameters defined for each service. PAM can query many sources for credentials, but ultimately sends a simple accepted/denied response to the application.

PAM modules have been written to query a myriad of security resources. These sources include DCE, NDS, NT Directory Services, Kerberos 4+5, LDAP, and the UNIX password db.

For more information on PAM for Linux, see www.kernel.org/pub/linux/libs/pam/. More general documentation developed by Sun Microsystems can be found at www.sun.com/solaris/pam/.

NSS (Name Service Switch)

A mainstay of directory service authentication, NSS provides username, password, group, mail alias, hostname, and other types of user/system information resolution to many UNIX platforms. NSS modules, when integrated with PAM, provide almost seamless redirection of authentication requests to an external directory service from Linux, Solaris, and other UNIX servers.

I can find no really good sources of information on NSS. Good luck.

Interfaces to above:

Various PAM and NSS (Name Service Switch) tools have been developed to aid in the integration of different platforms into a common authentication directory. Perhaps most promising among these are the "Padl" LDAP tools. Padl provides NSS modules for LDAP (nss_ldap), PAM modules for LDAP (pam_ldap), an API for Kerberos authentication within LDAP (GSSSASL), and various other LDAP import and migration tools.

In the Kerberos world, there are many PAM modules available. Perhaps the most commonly used "pam_krb5" module is developed by Nalin Dahyabhai, now on behalf of Red Hat Linux. Nalin has a bare-bones home page with links to more current information.

There are many, many more NSS and PAM modules connecting UNIX platforms everywhere to NT Domains, SQL databases, Novell NDS, Radius, and a few other common directory sources.

There was a fairly exciting (but now dead) effort to port PAM to Windows NT 4 called "NI_PAM". Although the project reached production-quality code, workstation authentication never seemed to make it out to the general internet user community. No Windows 2000 port has emerged, and no one has picked up the project from the original developer.

This NI_PAM distribution came with Kerberos 4/5 and NetWare modules, a GINA replacement (the Graphical Identification aNd Authentication interface for NT), and the PAM DLLs. NI_PAM was developed at the University of Michigan with information available from the developer's home page at: http://www-personal.engin.umich.edu/~itoi/. Do not expect this page to stay up forever.

DCE/DFS

Once the great hope of systems integration, DCE (Distributed Computing Environment) was a multi-platform Kerberos 5-based authentication system with an integrated Distributed File System (DFS). Unfortunately, multi-platform development for DCE/DFS has died off, and DCE-aware application development never took off at all.

With the advent of MS Active Directory, the term "DFS" is almost always associated with Microsoft. Microsoft also stole the DFS ACL field to hold Microsoft access tokens, thus ensuring the incompatibility of Active Directory and DCE/DFS.

For integration into existing DCE environments, Entegrity Solutions (www.entegrity.com) sells and supports a DCE client for Microsoft Windows NT and 2000. Not the best product, but it helps.

 


Host Terminal Access:

VNC and Citrix

VNC stands for "Virtual Network Computing" (depending who you ask). It is a free, open-source utility for desktop remote-control. When a system runs a VNC server, its desktop can be accessed with a small "viewer" application from anyplace in the world with internet access. A standard web browser can be used in place of the viewer. The function is similar to that of the "PC Anywhere" application, but with additional capabilities similar to "Citrix". VNC will run on all Windows 32-bit operating systems, most flavors of UNIX, and Macintosh. When run on a UNIX system, VNC Server can deliver multiple X sessions, thus allowing the system to function as a terminal server. This is an improvement over regular X-forwarding as it works well over low-speed dial-up connections. When used in conjunction with SSH, VNC offers a secure method for accessing remote applications and desktops. VNC is very well documented. You can read more about it at www.uk.research.att.com/vnc/.

A branch of AT&T's VNC product is TridiaVNC. Tridia offers several enhancements over the original VNC including improved compression algorithms. Source and binaries for many platforms are available from www.tridiavnc.com.

Citrix is the leading commercial thin-client applications and terminal server. It is available for Windows NT, 2000, Solaris, AIX, and HP-UX servers, and clients are available for almost any platform. Citrix offers better performance, easy configuration, and better cross-platform integration than VNC. Citrix is an elegant product, but in this case, elegance will cost you a fair amount. Much more information is available at the company web site www.citrix.com.

SSH2 and OpenSSH

SSH stands for "Secure Shell". It is a client/server suite for allowing encrypted character-mode access to remote hosts. The SSH suite also provides secure port forwarding, secure X-forwarding, and SCP (or secure file copy). The commercial SSH2 extends OpenSSH with SFTP (or Secure File Transfer Protocol), and simplified public key/private key authentication. There are many uses for SSH, the main one being a secure replacement for telnet and FTP. SSH uses open cryptography mechanisms for securing any type of data transmission. These mechanisms have been subjected to extensive public scrutiny and are very well respected.

Both SSH1 and SSH2 servers are available for all UNIX platforms, and there have been some commercial and free ports of the SSH server to Windows servers as well. SSH clients are available for Windows, UNIX, and Macintosh, though SSH2 is available in commercial packages only. Educational and non-commercial users can get SSH2 clients for Windows and UNIX at no charge, but SSH2 Macintosh clients are available only for a fee.

Check out www.openssh.com for more information on the rapidly developing OpenSSH project. Many good OpenSSH resource links can be found at www.freessh.org. SSH Secure Communications provides the licensed Windows SSH client in use at UVM. Their web site is www.ssh.com. Data Fellows corporation makes the only SSH2 client currently available for the Macintosh computer. They can be found at http://www.datafellows.com/products/ssh/client/.

Another excellent option is the MindTerm pure-Java SSH client. This client will run on any platform with a recent Java runtime. It supports SSH1 and SSH2 protocols, tunneling, and command-line SFTP. MindTerm 1.2 is available under the GPL (GNU Public License). MindTerm 2.0 will not be released under the GPL, but will be available free-of-charge for non-commercial and educational institutions. See www.mindbright.se for details.


Miscellaneous:

U/Win and Cygwin

U/Win is a clever set of libraries which allow the compilation and execution of UNIX code on Win32 systems. U/Win is under collaborative development by several tech companies. The AT&T research distribution is free for non-commercial and educational use. A version of GNOME was compiled for Windows using U/Win. See www.research.att.com/sw/tools/uwin/ for details.

A closely related project, Cygwin, is distributed under the GNU public license. Cygwin was in development limbo for a while, but the project is under active development once again. See www.cygwin.com.

Last modified September 17 2001 12:21 PM
