[Newsletter] WWDC Session, Automounts and VPN, WWDC Keynote Commentary, Apple Global Training

Paul Suh paul.suh at ps-enable.com
Mon Jun 11 18:55:38 EDT 2007


Folks,

I've been pretty quiet on the newsletter for a while, for a reason.  
I'm presenting at a session on Friday at WWDC -- Session 542,  
Managing and Deploying Open Directory, 9:00 AM Pacific time.

I'll be posting my slides and demos a little bit later, but my part  
is a case study of a client where we're doing an Open Directory  
integration. In most of the case studies of directory services  
integration, people are taking Macs and tying them into some other  
directory services network -- generally Active Directory.

In this case, the company is using Open Directory as a central  
identity store, tying in other systems. Open Directory's standards-based  
design makes it easy to tie in other systems.

Automounts and VPN

I've discovered a royal pain in the neck resulting from VPN with  
automounted share points.

In my network at home I have automounts for /Network/Applications,  
/Network/Library, and a home directory automount at  
/Network/Servers/crocus.goodeast.com/Volumes/raid/Users. This works fine for machines  
that are on the local network, but it turns into a problem for  
machines that connect via VPN.

Here's what happens: As long as I'm on the road with my laptop, it  
doesn't connect to the LDAP server so there's no automounts. However,  
when I connect via VPN the laptop gets an address on the local  
network and it loads the automounts -- and then the automounts  
happen. The problem comes when I disconnect from the VPN. The  
automounts are still connected, but the server is no longer  
accessible. The result is long-running beach balls and hung apps.  
Also, the portable home directory mount runs into problems since  
it will also be triggered and then gets cut off when I disconnect.

To work around this, I changed the way that DNS was resolved for VPN,  
using BIND 9 views. (You can also do this by running a different DNS  
server for the VPN clients.) It helped that I configured my VPN so  
that it was in a neatly separable network range: 192.168.1.64-79. In  
CIDR notation this is 192.168.1.64/28. Since all of the automounts  
come from my file server, crocus.goodeast.com, whose IP address is  
192.168.1.129, I set up a view that gave a different result for DNS  
clients in the VPN range. Instead of returning 192.168.1.129, the  
view returns 192.168.1.131 (an OpenBSD server that does not serve  
AFP). There is also a separate entry to allow for manual connections  
(where I want to retrieve a file by hand from the Finder, and I will  
do a manual disconnect.)
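As an added illustration (not configuration from the post), here is how the BIND 9 view arrangement described above could look in named.conf, followed by the zone file that only VPN clients see. The addresses come from the text; the ACL name, zone file names, the ns/hostmaster names and SOA values, and the crocus-manual hostname are assumptions for the example.

```conf
// Added example: BIND 9 split-horizon views for the VPN address range.
// Addresses are from the post; ACL and file names, the ns.goodeast.com
// nameserver and the crocus-manual hostname are assumed for illustration.
acl "vpn-clients" { 192.168.1.64/28; };   // VPN pool 192.168.1.64-79

// Views are tried in order, so the VPN view must precede the catch-all.
view "vpn" {
    match-clients { "vpn-clients"; };
    recursion yes;
    zone "goodeast.com" {
        type master;
        file "goodeast.com.vpn";    // crocus resolves to the non-AFP host
    };
};

view "lan" {
    match-clients { any; };         // everyone else: the normal LAN answers
    recursion yes;
    zone "goodeast.com" {
        type master;
        file "goodeast.com.lan";    // crocus resolves to 192.168.1.129
    };
};

// ---- goodeast.com.vpn: zone file served only to the "vpn" view ----
$TTL 3600
@              IN SOA  ns.goodeast.com. hostmaster.goodeast.com. (
                       2007061101 3600 900 604800 3600 )
@              IN NS   ns.goodeast.com.
crocus         IN A    192.168.1.131   ; OpenBSD host with no AFP: automounts
                                       ; never bind to the real share
crocus-manual  IN A    192.168.1.129   ; real server, for hand-mounted shares
                                       ; that are disconnected manually
```

This only helps automount entries that reference the server by name, and it requires the VPN clients to actually use this resolver rather than one pushed by another network.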

WWDC Keynote Commentary

There is a lot of neat stuff from the keynote that we can discuss  
publicly. For me, the big pieces from Leopard are:

iChat Theater
Time Machine
Cross-client search
Quicklook

iChat theater is a radical improvement to remote collaboration.

Time Machine will transform the way we do backups.

Cross-client search will make it easy to find stuff. But the problem  
will be security and privacy in a networked environment. Who can get  
access to certain files across the network as a result of searches  
will be a serious issue.

Quicklook is neat, but I am seriously concerned in terms of security.  
Lots of Outlook worms on Windows work because of holes in the IE  
engine that allowed a malicious message to execute arbitrary code by  
just looking at it. A badly written Quicklook plugin could lead to a  
buffer overflow and arbitrary code execution.

iPhone application development is Web 2.0/AJAX. This is really neat  
from a variety of angles. For an enterprise, it means that almost all  
of your existing apps just work with the iPhone if they work with  
Safari. The downside is that if you don't have cell coverage, none of  
your applications work. I'd like to see what I can find out as far as  
allowing Safari to access iPhone services. I wonder if I can somehow  
set up inbound access to the iPhone.

I won't be able to say much about the rest of the week, since we're  
under a non-disclosure agreement here.

Apple Global Training

The WorldWide Training and Certification department was merged with  
the Sales Training department, all of the training rooms in the Apple  
Market Centers will be closed, the course development will be  
outsourced, and Training Units will no longer be sold (although  
existing ones will be honored). A lot of details are still to be  
decided, and there's a meeting for us trainers tomorrow morning where  
we'll get more information.


--Paul


Paul Suh                                                          
http://www.ps-enable.com/
paul.suh at ps-enable.com                           (240) 672-4212


