TJU/H Mission • Patient care • Education • Research
TJU/H Demographics • 9,000 faculty/staff • 3,500 students
TJU/H IT Infrastructure • ATM network • 5,000 PCs, Macs • IBM mainframe • Tandem mainframe • Unix/Linux servers • NT servers • NetWare servers
Application Infrastructure • Mail*Hub mail switch/X.500 directory • Authentication • Role data • HP OpenMail (4,500 faculty/staff) • CS&T OpenTime (2,100 clients) • PeopleSoft • IDX/Last Word
The Problem • Migration from NetWare to NT • NT admin tool issues • NT security model issues • Support staff training issues • Competing business models • Generalized fear and loathing
NT Admin Tool Issues • GUI Interface not ideal for batch updates • Command line control limited • Batch file scripting limited • Scripting host proprietary • Platform-limited remote control capabilities
NT Security Model Issues • Not very granular (as exposed by the GUI tools) • Not hierarchical (like NetWare 4.XX) • No obvious link to our X.500 directory • Didn’t fit our IT support roles
Support Staff Training Issues • GUI tools unfocused • Command line approach not user friendly
Competing Business Models • Microsoft’s take on security different than ours • Monolithic technology vs. diverse technologies • Proprietary vs. open solutions • Commercial vs. non-profit environments
Fear and Loathing • Microsoft replaces our favorite technologies • Microsoft replaces us • ‘The Dark Side’ Syndrome
General Problem • Vendor's Reality vs. Our Reality
General Solution • Vendor's Reality → Filter → Our Reality • The filter is Perl
The Solution - Perl • Powerful • Cross platform • Easy entrée to NT internals • Roll our own admin tools • Make them networkable • Tie in our legacy systems
Phase 1 - Local Administration • Standardize on Perl • Start by ‘back-ticking’ various command line functions • Replace with Perl/NT admin API packages as they become available
Useful NT Admin Packages • Win32::NetAdmin.pm • Win32API::Net.pm • Win32::AdminMisc.pm • Win32::DomainAdmin.pm • Win32::FileSecurity.pm
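Phase 1 in working code, as an added example (my code, not the TJU/H tools): a get_user_list that starts life as a back-ticked `net user` and switches to Win32::NetAdmin::GetUsers once that package is installed, keeping the same calling convention so nothing above it changes. The sample `net user` output is constructed so the parser can be exercised on any platform; the back-tick command strings are literals, so caller-supplied data never reaches cmd.exe.

```perl
#!/usr/bin/perl
# Added example, not code from the deck.  Shows the Phase 1 pattern:
# shell out first, replace with the admin API later, same interface.
use strict;
use warnings;

# Constructed sample of NT 4 `net user` output for off-line testing.
my $SAMPLE_NET_USER = <<'END';

User accounts for \\PDC

-------------------------------------------------------------------------------
Administrator            Guest                    jsmith
mjones                   svc_backup
The command completed successfully.

END

# Parse `net user` output: names sit between the dashed rule and the status
# line, several per row, separated by runs of two or more spaces (a single
# space can be part of an NT account name, so do not split on one space).
sub parse_net_user {
    my ($text) = @_;
    my (@users, $in_list);
    for my $line (split /\r?\n/, $text) {
        if ($line =~ /^-{10,}/) { $in_list = 1; next }
        next unless $in_list;
        last if $line =~ /^The command completed/;
        push @users, grep { length } split /\s{2,}/, $line;
    }
    return @users;
}

# Phase 1: back-tick the command.  Both command strings are literals; never
# interpolate caller data into a back-ticked command.  This form cannot target
# an arbitrary server (only local or /domain), one reason to move to the API.
sub get_user_list_backtick {
    my %p = @_;
    my $out = $p{domain} ? `net user /domain` : `net user`;
    die "net user failed, exit " . ($? >> 8) . "\n" if $?;
    return parse_net_user($out);
}

# Later: same interface, Win32::NetAdmin underneath (the deck's list also
# names Win32::AdminMisc::GetUsers as an alternative).
sub get_user_list_api {
    my %p = @_;
    require Win32::NetAdmin;
    my @users;
    Win32::NetAdmin::GetUsers(
        defined $p{server} ? $p{server} : '',
        Win32::NetAdmin::FILTER_NORMAL_ACCOUNT(),
        \@users,
    ) or die "GetUsers failed: $^E\n";
    return @users;
}

# Front door used by the rest of the tooling: picks the API when present.
sub get_user_list {
    my %p = @_;
    die "only meaningful on NT\n" unless $^O eq 'MSWin32';
    my $have_api = eval { require Win32::NetAdmin; 1 };
    return $have_api ? get_user_list_api(%p) : get_user_list_backtick(%p);
}

if (!caller) {
    print join(', ', parse_net_user($SAMPLE_NET_USER)), "\n";
    print join(', ', get_user_list(server => '')), "\n" if $^O eq 'MSWin32';
}
```

Running the file on its own prints the five constructed names; on an NT box it then lists the real accounts. The point of the indirection is that the Phase 2 request server below only ever calls get_user_list, so the back-tick version can be retired without touching the remote side.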
Phase 2 - Remote Administration • IO::Socket-based client • inetd from Pragma Systems • Useful companion for pre-fork NT Perl • Also provides telnet daemon • Perl-based request server called by inetd • Server interfaces with modular “methods” package • System can work with command line or web delivery mechanisms
Web Admin Overview • User Interface → CGI Processing → Authentication (against the X.500 Directory) → Client Process → Server Process → Perl NT Methods → NT Environment
Platform Overview • X.500 Directory on HP/UX • User Interface, CGI Processing, Authentication and Client Process on Linux/Apache • Server Process, Perl NT Methods and NT Environment on NT
NT Admin Walkthru • Authentication
NT Admin Walkthru • X.500 Name/Password
NT Admin Walkthru • Main Menu
NT Admin Walkthru • Create Client Object
use K_Client;
my $client = K_Client->new(
    host     => 'pdc.jeff.com',
    port     => 2000,
    sender   => $param{'sender'},
    pwd      => $param{'pwd'},
    key_file => '/usr/local/keys/nt.txt',
);
NT Admin Walkthru • Send Request
$client->build_request(
    method => 'get_user_list',
    server => '',
);
my $ok    = $client->send_receive();
my $err   = $client->get_errorcode(0);
my @users = $client->get_result(0);
my $msg   = $client->get_msg(0);
return ($ok, $err, $msg, \@users);
NT Admin Walkthru • Server Object
use K_Server;
use K_Methods::NT_Admin;
use X500_Auth;
my $hosts   = { 'www.jeff.edu' => 1, 'pdc.jeff.edu' => 1 };
my $methods = K_Methods::NT_Admin->new();
my $server  = K_Server->new(
    methods_obj => $methods,
    auth_sub    => \&X500_Auth::auth_client,
    work_dir    => 'd:/ntadmsrv',
    server_name => 'K_Server',
    log_file    => 'd:/logs/k_admin.log',
    key_file    => 'd:/keys/nt.txt',
    event_log   => 1,
    ok_hosts    => $hosts,
);
$server->handle_request();
NT Admin Walkthru • Methods data structure
$self->{'methods'} = {
    get_user_list => {
        method    => sub { $self->get_user_list(@_) },
        params    => [ 'server' ],
        role      => $ops,
        event_id  => 15,
        false_msg => sub { my %p = @_; return "Failed to get user list." },
        true_msg  => sub { my %p = @_; return "Got user list." },
    },
    . . .
NT Admin Walkthru • Methods role attribute
$self->{'roles'} = {
    super_acct => 3,
    acct       => 2,
    ops        => 1,
    all        => 0,
};
NT Admin Walkthru • Core subroutine
# generate list of users
sub get_user_list {
    my $self   = shift;
    my %params = @_;
    my @users;
    Win32::AdminMisc::GetUsers($params{'server'}, '', \@users);
    return \@users;
}
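What the server has to check before it calls a core subroutine, as an added example (my code, not the K_Server or K_Methods::NT_Admin from the deck). It uses the deck's role table and method-table shape; the directory, the peer address and the method bodies are constructed stand-ins so the dispatcher runs anywhere, and the abort flag is my reading of the create_user/set_user_pwd pair shown later: a failed request carrying abort => 1 stops the rest of the batch.

```perl
#!/usr/bin/perl
# Added example, not the deck's K_Server.  Peer allow-list, one directory
# authentication per batch, per-method role check, declared params only.
use strict;
use warnings;

# Role levels, as in the deck's roles table.
my %ROLES = (super_acct => 3, acct => 2, ops => 1, all => 0);

# Peer allow-list in the shape of ok_hosts (constructed address, and an
# address rather than a name so a spoofed reverse lookup cannot pass it).
my %OK_HOSTS = ('192.0.2.10' => 1);

# Stand-in for X500_Auth::auth_client over a constructed directory: returns
# the caller's role level, or undef when the name/password pair is wrong.
my %DIRECTORY = (
    jsmith  => { pwd => 'pw-1', role => $ROLES{acct} },
    opsuser => { pwd => 'pw-2', role => $ROLES{ops}  },
);
sub auth_client {
    my ($sender, $pwd) = @_;
    my $entry = $DIRECTORY{$sender} or return;
    return $entry->{pwd} eq $pwd ? $entry->{role} : undef;
}

# Method table in the deck's shape; bodies log the call instead of touching NT.
my @calls;
my %METHODS = (
    get_user_list => {
        method => sub { push @calls, 'get_user_list'; return ['Administrator', 'jsmith'] },
        params => ['server'],
        role   => $ROLES{ops},
    },
    create_user => {
        method => sub { my %p = @_; push @calls, "create_user $p{user}"; return 1 },
        params => ['server', 'user', 'type'],
        role   => $ROLES{acct},
    },
    set_user_pwd => {
        method => sub { my %p = @_; push @calls, "set_user_pwd $p{user}"; return 1 },
        params => ['server', 'user', 'pwd'],
        role   => $ROLES{acct},
    },
);

# Run one request for an already-authenticated role.  Returns ($result, $err).
sub dispatch_one {
    my ($req, $role) = @_;
    my $name = defined $req->{method} ? $req->{method} : '';
    my $m = $METHODS{$name} or return (undef, "unknown method '$name'");
    return (undef, "role $role may not call $name (needs $m->{role})")
        if $role < $m->{role};
    # Only the parameters the table declares reach the method; extras are dropped.
    my %args = map { $_ => (defined $req->{$_} ? $req->{$_} : '') } @{ $m->{params} };
    my $res = eval { $m->{method}->(%args) };
    return (undef, "$name failed: " . ($@ || 'method returned false')) unless $res;
    return ($res, undef);
}

# Handle a batch (peer, sender, pwd, requests => [ {...}, ... ]).
# Returns ($ok, \@msgs, \@results), one message and one result per request run.
sub handle_requests {
    my %batch = @_;
    return (0, ["peer $batch{peer} not in ok_hosts"], []) unless $OK_HOSTS{ $batch{peer} };
    my $role = auth_client($batch{sender}, $batch{pwd});
    return (0, ["authentication failed for $batch{sender}"], []) unless defined $role;

    my ($ok, @msgs, @results) = (1);
    for my $req (@{ $batch{requests} }) {
        my ($res, $err) = dispatch_one($req, $role);
        push @results, $res;
        if (defined $err) {
            $ok = 0;
            push @msgs, $err;
            last if $req->{abort};   # do not run the rest of the batch
        } else {
            push @msgs, "$req->{method} ok";
        }
    }
    return ($ok, \@msgs, \@results);
}

if (!caller) {
    # An ops-level caller tries the deck's create-account batch.
    my ($ok, $msgs) = handle_requests(
        peer => '192.0.2.10', sender => 'opsuser', pwd => 'pw-2',
        requests => [
            { method => 'create_user',  server => '', user => 'newguy', type => 'user', abort => 1 },
            { method => 'set_user_pwd', server => '', user => 'newguy', pwd  => 'tmp_pass' },
        ],
    );
    print "ok=$ok\n", map { "  $_\n" } @$msgs;
    print "methods actually run: ", (@calls ? "@calls" : 'none'), "\n";
}
```

The ops-level caller is refused create_user, and because that request carries abort the set_user_pwd behind it never runs, so no account ends up with the temporary password but without its creator's checks. Under inetd the batch arrives on STDIN rather than as a Perl list, but the checks are the same. Two caveats the deck does not settle: it does not say what key_file is used for, and the sender's X.500 password travels inside every request, so the channel between the Linux client and the NT server needs protecting in its own right.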
NT Admin Walkthru • Create Account
NT Admin Walkthru • Create Account
$client->build_request(
    method => 'create_user',
    server => '',
    user   => $param{'user'},
    type   => 'user',
    abort  => 1,
);
$client->build_request(
    method => 'set_user_pwd',
    server => '',
    user   => $param{'user'},
    pwd    => 'tmp_pass',
);
$ok   = $client->send_receive();
@msgs = $client->get_msgs();
return ($ok, \@msgs);
NT Admin Walkthru • Create Account
NT Admin Walkthru • Main Menu
NT Admin Walkthru • Change Account
NT Admin Walkthru • Get Account Info
$client->build_request(
    method => 'get_user_attrs',
    server => $param{'server'},
    user   => $param{'user'},
);
$client->build_request(
    method => 'get_user_global_groups',
    server => $param{'server'},
    user   => $param{'user'},
);
$client->build_request(
    method => 'get_global_groups',
    server => $param{'server'},
);
$ok        = $client->send_receive();
@msgs      = $client->get_msgs();
%attrs     = $client->get_result(0);
@user_grps = $client->get_result(1);
@grps      = $client->get_result(2);
return ($ok, \@msgs, \%attrs, \@user_grps, \@grps);
NT Admin Walkthru • Account Info
NT Admin Walkthru • Back end logging
Project Results • Our security policies enforced • NT becomes part of larger IT infrastructure • IT staff supports NT with minimal training • Change effectively managed (Win2K) • Innovation modulated by our business realities
NT Admin Futures • Replace inetd with Perl fork • Recode admin methods to support LDAP/Active Directory • Spend more time on web client interface