WWDC Session, Automounts and VPN, WWDC Keynote Commentary, Apple Global Training
Folks,
I've been pretty quiet on the newsletter for a while, for a reason. I'm presenting at a session on Friday at WWDC — Session 542, Managing and Deploying Open Directory, 9:00 AM Pacific time.
I'll be posting my slides and demos a little bit later, but my part is a case study of a client where we're doing an Open Directory integration. In most of the case studies of directory services integration, people are taking Macs and tying them into some other directory services network -- generally Active Directory.
In this case, the company is using Open Directory as its central identity store and tying other systems into it. Open Directory's standards-based design makes that straightforward.
Automounts and VPN
I've discovered a royal pain in the neck resulting from VPN with automounted share points.
In my network at home I have automounts for /Network/Applications, /Network/Library, and a home directory automount at /Network/Servers/crocus.goodeast.com/Volumes/raid/Users. This works fine for machines that are on the local network, but it turns into a problem for machines that connect via VPN.
Here's what happens: as long as I'm on the road with my laptop, it can't reach the LDAP server, so there are no automounts. When I connect via VPN, the laptop gets an address on the local network, loads the automount records, and the automounts go through. The problem comes when I disconnect from the VPN: the automounts are still mounted, but the server is no longer reachable. The result is long-running beach balls and hung apps. The portable home directory mount runs into the same problem, since it too gets triggered and is then cut off when I disconnect.
To work around this, I changed the way DNS is resolved for VPN clients, using BIND 9 views. (You can also do this by running a separate DNS server for the VPN clients.) It helped that I had configured my VPN to hand out addresses from a neatly separable range, 192.168.1.64-79, which in CIDR notation is 192.168.1.64/28. Since all of the automounts come from my file server, crocus.goodeast.com, whose IP address is 192.168.1.129, I set up a view that gives a different answer to DNS clients in the VPN range. Instead of returning 192.168.1.129, the view returns 192.168.1.131 (an OpenBSD server that does not serve AFP), so the automounts can't connect in the first place. There is also a separate entry for manual connections, where I want to retrieve a file by hand from the Finder and will disconnect manually.
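Here is what that split-horizon setup looks like in BIND 9, as an added example and not Paul's actual named.conf or zone files. The ACL, view names, zone file names, SOA/NS values and the "crocus-direct" hostname for manual connections are all assumptions; only the 192.168.1.64/28 VPN pool and the two addresses 192.168.1.129 and 192.168.1.131 come from the text.

```conf
// named.conf (added example; all names and file paths are assumptions)

// The VPN pool 192.168.1.64-79, written as a /28. Views match on the
// client's source address, so this only works because the pool does not
// overlap any LAN address range.
acl "vpn-clients" { 192.168.1.64/28; };

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 192.168.1.0/24; 127.0.0.1; };
};

// Views are tried top to bottom and the first match wins, so the VPN view
// must come before the catch-all LAN view. Once any view is defined, every
// zone has to live inside a view.
view "vpn" {
    match-clients { "vpn-clients"; };
    zone "goodeast.com" {
        type master;
        file "goodeast.com.vpn";   // crocus points at the non-AFP host
    };
};

view "lan" {
    match-clients { any; };
    zone "goodeast.com" {
        type master;
        file "goodeast.com.lan";   // crocus points at the real file server
    };
};

// ---- /var/named/goodeast.com.lan (constructed; SOA/NS are placeholders) ----
// $TTL 3600
// @        IN SOA crocus.goodeast.com. hostmaster.goodeast.com. (
//                 2007061101 3600 900 604800 3600 )
//          IN NS  crocus.goodeast.com.
// crocus   IN A   192.168.1.129        ; the AFP file server

// ---- /var/named/goodeast.com.vpn (constructed; SOA/NS are placeholders) ----
// Short TTL: a laptop that caches the VPN answer and then joins the LAN
// directly would otherwise keep talking to the wrong host for an hour.
// $TTL 60
// @              IN SOA crocus.goodeast.com. hostmaster.goodeast.com. (
//                       2007061101 3600 900 604800 60 )
//                IN NS  crocus.goodeast.com.
// crocus         IN A   192.168.1.131  ; OpenBSD box, no AFP: automounts fail fast
// crocus-direct  IN A   192.168.1.129  ; assumed name for manual Finder connections
```

After editing, run `named-checkconf` and `named-checkzone goodeast.com /var/named/goodeast.com.vpn` before reloading, then confirm the split from both sides with `dig @<dns-server> crocus.goodeast.com` once from a LAN address and once from a VPN address; the answers should be 192.168.1.129 and 192.168.1.131 respectively. Because the match is purely by source address, the scheme depends on VPN clients never reaching the DNS server with a LAN address, which is exactly why the separable /28 pool matters.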
WWDC Keynote Commentary
There is a lot of neat stuff from the keynote that we can discuss publicly. For me, the big pieces from Leopard are:
iChat Theater
Time Machine
Cross-client search
Quicklook
iChat theater is a radical improvement to remote collaboration.
Time Machine will transform the way we do backups.
Cross-client search will make it easy to find stuff. But the problem will be security and privacy in a networked environment. Who can get access to certain files across the network as a result of searches will be a serious issue.
Quicklook is neat, but I have serious security concerns about it. Lots of Outlook worms on Windows worked because of holes in the IE rendering engine that let a malicious message execute arbitrary code just by being viewed. A badly written Quicklook plugin could likewise lead to a buffer overflow and arbitrary code execution.
iPhone application development is Web 2.0/AJAX. This is really neat from a variety of angles. For an enterprise, it means that almost all of your existing apps just work with the iPhone if they work with Safari. The downside is that if you don't have cell coverage, none of your applications work. I'd like to see what I can find out as far as allowing Safari to access iPhone services. I wonder if I can somehow set up inbound access to the iPhone.
I won't be able to say much about the rest of the week, since we're under a non-disclosure agreement here.
Apple Global Training
The WorldWide Training and Certification department was merged with the Sales Training department, all of the training rooms in the Apple Market Centers will be closed, the course development will be outsourced, and Training Units will no longer be sold (although existing ones will be honored). A lot of details are still to be decided, and there's a meeting for us trainers tomorrow morning where we'll get more information.
--Paul