Integrating Cendio ThinLinc in a Novell Environment
Whitepaper for ThinLinc version 3.1.2
2. Integrating with Existing Directory Services – eDirectory
- 2.1 Initial Configuration
- 2.2 Adapting Existing User and Group Objects
- 2.3 Using User and Group Objects with ThinLinc
- 2.4 Supporting Forced Password Changes
1 Preface
This whitepaper contains guidelines for technically oriented personnel.
Many Cendio ThinLinc sites have an environment that is based on software from Novell. File services are provided by Novell Netware or Novell Open Enterprise Server (OES), and directory services are provided by Novell eDirectory.
In this whitepaper we will show how ThinLinc tools are used to provide a good integration with the existing environment, to allow a ThinLinc installation to use existing file server and directory resources, and to allow existing users to access their data via the ThinLinc installation.
Illustration 1: ThinLinc in a Novell Environment
2 Integrating with Existing Directory Services – eDirectory
Novell eDirectory is an enterprise-class directory solution, able to store data about all objects that matter in a computer network. Data about computers, users, groups, storage, permissions etc. can be stored. The data can be accessed using several different protocols, and the administration interfaces for managing the data are very good.
For a ThinLinc installation, there are several types of data available in an eDirectory installation that are of interest. Information about existing users, groups and where the home directories of each user reside are used to create a seamless installation, where existing users log in using the same user name and password they are used to, accessing the same data from the same file servers that they accessed in their previous environment. This enables a smooth transition from a system with fat workstations to a thin client environment based on ThinLinc.
A ThinLinc installation uses eDirectory's ability to speak LDAP (Lightweight Directory Access Protocol) to access the information needed.
2.1 Initial Configuration
When a ThinLinc system is installed into an existing eDirectory environment, some customization of the eDirectory servers is needed. Two user objects need to be created and given permissions to read and modify some of the attributes on user and group objects, the index configuration needs to be adapted to give proper performance, and on some versions of eDirectory, the attribute map configuration needs to be adapted for correct operation.
To aid in this process, ThinLinc provides a tool called the ThinLinc Novell Configurator (TLNC). This is a web-based tool which takes care of all the tasks needed at installation time. It can also be run later to make sure newly added eDirectory servers are properly configured.
More information on this tool is available in the ThinLinc Administrator's Guide.
2.2 Adapting Existing User and Group Objects
On a site where the standard administration tools provided by Novell, such as ConsoleOne, iManager and in some cases NWADMIN, or by batch tools such as Novell Identity Manager (previously known as DirXML), have been used to create and manage eDirectory user and group objects, the objects lack values needed for them to be usable in a ThinLinc environment. Technically speaking, they lack values defined by the posixAccount and posixGroup object classes, which means for example a numeric user ID (uidNumber), information about which UNIX shell to use (loginShell), the location of the UNIX home directory, etc.
Adding these values by hand to each user object would be an administrative nightmare, especially at large installations with thousands of user and group objects. Not only would it be a very time-consuming task, it is also vitally important that, for example, the uidNumber is assigned a value that is unique on the system. Trying to guarantee this in a scenario where the objects are manually modified would be close to impossible.
ThinLinc provides two tools to solve this problem: tl-nds-posixuser, used to adapt user objects, and tl-nds-posixgroup, used to adapt group objects. Both tools operate by searching eDirectory via LDAP. They search for objects that need to be modified, and then modify them to suit the needs of the ThinLinc installation.
In a typical scenario, tl-nds-posixuser and tl-nds-posixgroup are run manually at installation to adapt the existing user and group objects, and are then configured to run automatically at an appropriate interval to make sure newly added users and groups are modified when they appear.
Neither tool adds any heavy load to eDirectory, as the LDAP search queries performed are adapted to use available indices. Further information on this functionality can be found in the ThinLinc Administrator's Guide.
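The core guarantee described above, that every adapted user object receives a uidNumber that is unique across the directory, is modelled in the following added example. It is not tl-nds-posixuser's own code: the LDAP search result is replaced by a constructed in-memory list, the DNs, shell and home base are assumptions, and the output is LDIF modify records of the kind an ldapmodify-style client could apply.

```python
"""Assign posixAccount values to eDirectory user entries that lack them.

Constructed sample data stands in for an LDAP search result; the
allocation logic is the part worth studying: every uidNumber already in
the directory is collected first, so a newly assigned number can never
collide with an existing one, even when assignment runs repeatedly.
"""

# Constructed sample search result: two users already adapted, two not.
SAMPLE_USERS = [
    {"dn": "cn=alice,ou=users,o=example", "uid": "alice", "uidNumber": "10001"},
    {"dn": "cn=bob,ou=users,o=example", "uid": "bob"},
    {"dn": "cn=carol,ou=users,o=example", "uid": "carol", "uidNumber": "10003"},
    {"dn": "cn=dave,ou=users,o=example", "uid": "dave"},
]


def allocate_posix_accounts(users, first_uid=10000, gid=100,
                            shell="/bin/bash", home_base="/home"):
    """Return {dn: attributes-to-add} for every user without a uidNumber.

    The lowest free number at or above first_uid is handed out, skipping
    any value already present in the directory (gid, shell and home_base
    are assumed site defaults for this example).
    """
    used = {int(u["uidNumber"]) for u in users if "uidNumber" in u}
    next_uid = first_uid
    changes = {}
    for u in users:
        if "uidNumber" in u:
            continue  # already adapted on an earlier run
        while next_uid in used:
            next_uid += 1
        used.add(next_uid)
        changes[u["dn"]] = {
            "objectClass": "posixAccount",
            "uidNumber": str(next_uid),
            "gidNumber": str(gid),
            "loginShell": shell,
            "homeDirectory": f"{home_base}/{u['uid']}",
        }
    return changes


def to_ldif(changes):
    """Render the planned changes as LDIF modify records, one per user."""
    records = []
    for dn, attrs in changes.items():
        lines = [f"dn: {dn}", "changetype: modify"]
        for attr, value in attrs.items():
            lines += [f"add: {attr}", f"{attr}: {value}", "-"]
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"
```

Running the allocation a second time over the modified entries yields no changes, which is the property that makes a scheduled run safe.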
2.3 Using User and Group Objects with ThinLinc
When the user and group objects have been adapted by tl-nds-posixuser and tl-nds-posixgroup, they are made available in the operating system on the ThinLinc host using the third-party software pam_ldap and nss_ldap. All users and groups from eDirectory can then be used in ThinLinc. Existing users can log in, and groups defined in eDirectory can be used for different purposes, for example for assigning applications to different user groups.
2.4 Supporting Forced Password Changes
At some sites, a password change policy based on functionality in eDirectory is used to enhance overall security. ThinLinc contains software that can be used to warn a user that their password is about to expire, informing them of the time or number of login attempts left before their account is closed. This tool also allows the user to change the password. This means that sites with this kind of configuration can continue using the same kind of security measure with ThinLinc.
Further information on this feature is available in the ThinLinc Administrator's Guide.
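The decision behind the warning described above, as an added example that is not ThinLinc's own code: it assumes the two eDirectory LDAP attributes passwordExpirationTime (an LDAP GeneralizedTime such as 20250310080000Z) and loginGraceRemaining (grace logins left once the password has expired), and the attribute values below are constructed.

```python
"""Classify an eDirectory account's password expiry state for a login warning.

States: 'ok' (nothing to do), 'warn' (expires within warn_days), 'expired'
(past expiry but grace logins remain, so the user can still change it) and
'locked' (expired with no grace logins left, i.e. the account is closed).
"""
from datetime import datetime, timezone


def parse_generalized_time(value):
    """Parse the YYYYMMDDHHMMSSZ form of LDAP GeneralizedTime as UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def expiry_status(attrs, now, warn_days=7):
    """Return (state, message) for the given attribute map at time `now`."""
    raw = attrs.get("passwordExpirationTime")
    if raw is None:
        return ("ok", "no password expiration set")
    expires = parse_generalized_time(raw)
    grace = int(attrs.get("loginGraceRemaining", 0))
    if now >= expires:
        if grace > 0:
            return ("expired",
                    f"password expired; {grace} grace login(s) left, change it now")
        return ("locked", "password expired and no grace logins remain")
    days_left = (expires - now).days
    if days_left < warn_days:
        return ("warn", f"password expires in {days_left} day(s)")
    return ("ok", f"password valid for {days_left} more day(s)")


# Constructed attribute values as they might be read for one user.
SAMPLE_ATTRS = {"passwordExpirationTime": "20250310080000Z",
                "loginGraceRemaining": "2"}
```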
3 Integrating with Existing File Services
For a successful ThinLinc installation, it is crucial that the users of the system can continue to use their existing data. ThinLinc contains several components that help with the integration of ThinLinc with existing Novell-based file services.
ThinLinc servers can access File Servers running Novell Netware or Novell OES using two different protocols. Either NCP (Netware Core Protocol) or NFS (Network File System) can be used.
The environment and demands of each site are used to determine which of the two protocols to use. More information on this can be found in the ThinLinc Administrator's Guide.
3.1 Accessing Novell File Servers via NCP
ThinLinc provides two different ways to connect to Novell File Servers via NCP – via the kernel module ncpfs, or via Novell's Native Linux client. Which variant to use depends on site parameters such as which Linux distribution is being used for the ThinLinc servers.
Using ncpfs
When connecting to Novell File Servers using the kernel module ncpfs, ThinLinc provides a tool named tl-mount-ncp which adds functionality to the underlying commandline tools. It has support for supplying the user's password to the file server via the ThinLinc Single Sign-On mechanism, and it can automatically find the home directory of each user by making an LDAP query, which makes it easy to mount the existing Novell home directory. Other file resources such as shared directories can also be mounted, with the Novell permissions system in place.
Due to limitations in the NCP file sharing protocol, it is currently not recommended to mount NCP file resources as /home/<username> using ncpfs. Instead, we recommend that NCP file resources are mounted in a directory below the Linux home directory. ThinLinc contains software (homecreatefilter) that can be used to prevent users from saving files in other locations than the directories mounted from the NCP file server.
Using Novell's Native Linux Client
When connecting to Novell File Servers using Novell's Native Linux Client, ThinLinc provides two wrapper scripts, tl-nwlogin and tl-nwlogout, that extend the functionality of the commandline tools shipped as part of the client. The wrapper scripts can supply the user's password via the ThinLinc Single Sign-On functionality, and also automatically find out and add the required commandline parameters for tree and context.
The Native Linux Client is able to run login scripts just as other Novell Clients. Similar to the ncpfs solution above, it is not able to mount NCP file resources as /home/<username>, but instead mounts in subdirectories of the Linux home directory.
Further documentation on using NCP to access Novell file servers can be found in the ThinLinc Administrator's Guide.
3.2 Accessing Novell File Servers via NFS
When using NFS to access Novell File Servers, a tool named tl-nds-mountpath which ships with ThinLinc can be used together with the automounter in Linux to automatically mount the home directory of each user from the correct mount path on each Novell file server. This tool queries eDirectory via LDAP to find the correct mount path on the Novell file servers, and automatically detects when the path to the home directory as returned by the LDAP query is incorrect with respect to case.
Also, the tl-nds-posixuser tool can be used to assign uidNumber and gidNumber values to the directories exported from Novell file servers via NFS, which is needed for proper permissions.
Further documentation on using NFS to access Novell file servers can be found in the ThinLinc Administrator's Guide.
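The case correction mentioned above, where the home directory path returned by LDAP differs only in case from what the Novell file server actually exports, is modelled in the following added example. It is not tl-nds-mountpath's own code: the export tree and the LDAP-supplied path are constructed in a temporary directory, and the resolver also refuses path components that would escape the export root, since the path comes from directory data rather than from the mounting host.

```python
"""Resolve an LDAP-supplied home directory path against an NFS export tree,
matching each path component case-insensitively when no exact match exists.
"""
import os
import tempfile


def resolve_case_insensitive(root, relpath):
    """Return the real path under `root` for `relpath`, or None.

    Each component is matched against the directory listing: an exact name
    wins, otherwise exactly one case-insensitive match is accepted (two
    entries differing only in case are ambiguous and rejected). Components
    such as '..' are refused so a bad attribute value cannot leave `root`.
    """
    current = root
    for part in relpath.strip("/").split("/"):
        if part in ("", ".", ".."):
            return None
        entries = os.listdir(current)
        if part in entries:
            current = os.path.join(current, part)
            continue
        candidates = [e for e in entries if e.lower() == part.lower()]
        if len(candidates) != 1:
            return None
        current = os.path.join(current, candidates[0])
    return current if os.path.isdir(current) else None


def demo():
    """Build a constructed export tree and resolve a wrongly-cased path."""
    root = tempfile.mkdtemp(prefix="nfsexport-")
    os.makedirs(os.path.join(root, "VOL1", "USERS", "Alice"))
    os.makedirs(os.path.join(root, "VOL1", "USERS", "Bob"))
    ldap_path = "vol1/users/alice"  # constructed value "returned" by LDAP
    resolved = resolve_case_insensitive(root, ldap_path)
    relative = os.path.relpath(resolved, root) if resolved else None
    escaped = resolve_case_insensitive(root, "vol1/../../etc")
    return relative, escaped
```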
4 References
NetWare and Open Enterprise Server are registered trademarks of Novell, Inc.
