Enterprise Mac Test Plan

1. Introduction
The purpose of this effort is to evaluate each of the pre-selected options for integrating Mac desktops into the greater campus directory and authentication infrastructure.

2. Requirements
These are the functional requirements developed by canvassing the campus Mac user community to determine the minimum set of functionality required to give end users the most positive experience while keeping the management process as maintainable as possible.
2.1. Central Account Management
The ability to access a central repository of user accounts instead of maintaining accounts locally on each Mac.
2.2. Kerberos Single Sign-on (SSO)
The ability to authenticate once at console login and then have full access to Kerberos/network services system-wide without further prompts.
2.3. Mobile Accounts
The ability of the system to cache user account information for use when the system is off the network and/or no longer in touch with campus infrastructure resources.
2.4. Access Controls
The ability to control system access locally at the console and remotely via network protocols.
2.5. Group Policies
The ability to apply policies and/or customizations to all Mac users or to a subset of users.

3. Evaluation Criteria
3.1. Cost
The cost associated with implementing the option. This includes one-time costs, hardware/software lifecycle costs and ongoing staff resources.
3.2. Future-proofing
How resilient is the option to future changes by one or more vendors?
3.3. Security
3.3.1. Operating System Security
Control and secure the underlying operating system that hosts the infrastructure services.
3.3.2. Data Security
Control access to the account and directory database.
3.3.3. Authorization Security
Control access to the authorization database.
3.3.4. Physical Security
Control physical access to the server hardware.
3.4. Client Support
for Jason to fill in…
3.5. Scalability
How well does the option scale relative to the number of total users and concurrent users?
3.6. Maintainability
What is the level of effort required to maintain the option?
3.7. Integration
How well does the option integrate with the rest of the campus infrastructure?

4. Test Configuration(s)
4.1. Option 1: Native Apple Open Directory
4.1.1. Hardware: Xserve
4.1.2. Software: OSX Server ver. 10.5.5
4.1.3. Connections: None
4.1.4. Modifications: None
4.2. Option 2b: Augmented Open Directory (magic triangle) with MIT K5 Authorization
4.2.1. Hardware: Xserve
4.2.2. Software: OSX Server ver. 10.5.5
4.2.3. Connections: None
4.2.4. Modifications: None
4.3. Option 3a: Active Directory Modified with Mac-specific Schema Attributes
4.3.1. Hardware: Xserve
4.3.2. Software: OSX Server ver. 10.5.5
4.3.3. Connections: None
4.3.4. Modifications: None
4.4. Option 4: OpenLDAP Modified with Mac-specific Schema Attributes
4.4.1. Hardware: Xserve
4.4.2. Software: OSX Server ver. 10.5.5
4.4.3. Connections: None
4.4.4. Modifications: None

5. Test Procedures
5.1. Option 1: Native Apple Open Directory
5.1.1. Configure the server as an Open Directory Master.
5.1.2. Configure a client Mac to bind to this Open Directory Master.
5.1.3. Log on to the client using the network account. (Rqmt 2.1)
5.1.4. Open OSX WGM and create a group containing the test user.
5.1.5. Create a group directory on the server and set access for Kerberos only.
5.1.6. From the client, access the group folder, ensuring no additional authentication is required. (Rqmt 2.2)
5.1.7. From the client, log out and remove network connectivity (unplug the client from the wall jack).
5.1.8. At the client, log in using the network account. (Rqmt 2.3)
5.1.9. Open OSX WGM and remove local login except for the test account and the local admin account.
5.1.10. Attempt to log in using a network login that is NOT the test user with access. (Rqmt 2.4)
5.1.11. Log in with the authorized account to ensure access is correctly set. (Rqmt 2.4)
5.1.12. Open OSX WGM and apply customization to the test account: modify the user's dock and limit the times the user is allowed to log in.
5.1.13. At the client, log in with the test account and validate that the policies have been applied correctly. (Rqmt 2.5)
5.1.14. Open Address Book and search for _______. Verify access to Stanford-only attributes. Verify no access to private attributes.
5.1.15. Login infrastructure binding.
5.1.16. Registry Groups. SUPrivGrp.
5.1.17. Account deactivation.
5.1.18. Password change propagation.
5.2. Option 2b: Augmented Open Directory (magic triangle) with MIT K5 Authorization
5.2.1. Bind the Mac server to OpenLDAP using the Directory Utility.
5.2.2. Configure the Mac server as an Open Directory Master.
5.2.3. Bind a client Mac to OpenLDAP using the Directory Utility.
5.2.4. Configure the client Mac to bind to the Open Directory Master.
5.2.5. Log on to the client using the network account. (Rqmt 2.1)
5.2.6. Open OSX Workgroup Manager and create a group containing the test user.
5.2.7. Create a group directory on the server and set access for Kerberos only.
5.2.8. From the client, access the group folder, ensuring no additional authentication is required. (Rqmt 2.2)
5.2.9. From the client, log out and remove network connectivity (unplug the client from the wall jack and turn off wireless).
5.2.10. At the client, log in using the network account. (Rqmt 2.3)
5.2.11. Open OSX WGM and remove local login except for the test account and the local admin account.
5.2.12. Attempt to log in using a network login that is NOT the test user with access. (Rqmt 2.4)
5.2.13. Log in with the authorized account to ensure access remains correctly set. (Rqmt 2.4)
5.2.14. Open OSX WGM and apply customization to the test account: modify the user's dock and limit the times the user is allowed to log in.
5.2.15. At the client, log in with the test account and validate that the policies have been applied correctly. (Rqmt 2.5)
5.2.16. Open Address Book and search for _______. Verify access to Stanford-only attributes. Verify no access to private attributes.
5.2.17. Login infrastructure binding.
5.2.18. Registry Groups. SUPrivGrp.
5.2.19. Account deactivation.
5.2.20. Password change propagation.
5.3. Option 3a: Active Directory Modified with Mac-specific Schema Attributes
5.3.1. Configure a client Mac to bind to Active Directory.
5.3.2. Log on to the client using the network account. (Rqmt 2.1)
5.3.3. Open OSX WGM and create a group containing the test user.
5.3.4. Create a group directory on the server and set access for Kerberos only.
5.3.5. From the client, access the group folder, ensuring no additional authentication is required. (Rqmt 2.2)
5.3.6. From the client, log out and remove network connectivity (unplug the client from the wall jack).
5.3.7. At the client, log in using the network account. (Rqmt 2.3)
5.3.8. Open OSX WGM and remove local login except for the test account and the local admin account.
5.3.9. Attempt to log in using a network login that is NOT the test user with access. (Rqmt 2.4)
5.3.10. Log in with the authorized account to ensure access is correctly set. (Rqmt 2.4)
5.3.11. Open OSX WGM and apply customization to the test account: modify the user's dock and limit the times the user is allowed to log in.
5.3.12. At the client, log in with the test account and validate that the policies have been applied correctly. (Rqmt 2.5)
5.3.13. Open Address Book and search for _______. Verify access to Stanford-only attributes. Verify no access to private attributes.
5.3.14. Login infrastructure binding.
5.3.15. Registry Groups. SUPrivGrp.
5.3.16. Account deactivation.
5.3.17. Password change propagation.
5.4. Option 4: OpenLDAP Modified with Mac-specific Schema Attributes
5.4.1. Configure a client Mac to bind to the OpenLDAP server.
5.4.2. Log on to the client using the network account. (Rqmt 2.1)
5.4.3. Open OSX WGM and create a group containing the test user.
5.4.4. Create a group directory on the server and set access for Kerberos only.
5.4.5. From the client, access the group folder, ensuring no additional authentication is required. (Rqmt 2.2)
5.4.6. From the client, log out and remove network connectivity (unplug the client from the wall jack).
5.4.7. At the client, log in using the network account. (Rqmt 2.3)
5.4.8. Open OSX WGM and remove local login except for the test account and the local admin account.
5.4.9. Attempt to log in using a network login that is NOT the test user with access. (Rqmt 2.4)
5.4.10. Log in with the authorized account to ensure access is correctly set. (Rqmt 2.4)
5.4.11. Open OSX WGM and apply customization to the test account: modify the user's dock and limit the times the user is allowed to log in.
5.4.12. At the client, log in with the test account and validate that the policies have been applied correctly. (Rqmt 2.5)
5.4.13. Open Address Book and search for _______. Verify access to Stanford-only attributes. Verify no access to private attributes.
5.4.14. Login infrastructure binding.
5.4.15. Registry Groups. SUPrivGrp.
5.4.16. Account deactivation.
5.4.17. Password change propagation.

Schedule
TBD

Resources
TBD

Evaluation Matrix
TBD

Summary
TBD
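The requirement-tagged steps in section 5 (Rqmt 2.1 through 2.4) are repeated for every option and are verified by eye at the login window. The script below is an added example, not part of this test plan, that turns those four checks into something the tester can run on the client after each step. Each check takes the text output of a standard macOS directory tool (dscl, klist) as an argument, so it runs offline against the constructed sample output embedded here and can be fed live output on a bound client. The host names, realm, user names and the login-allowed group name are placeholders, not values from the plan.

```shell
#!/bin/sh
# Added example (not part of the test plan): parse-only checks for the
# requirement-tagged steps in section 5. Each check reads the text output of a
# macOS directory tool from its first argument; on a bound client feed it live
# output, for example:
#   check_directory_bound "$(dscl /Search -read / CSPSearchPath)"
#   check_kerberos_tgt    "$(klist)"
#   check_mobile_account  "$(dscl . -read /Users/testuser AuthenticationAuthority)"
#   check_group_member    "$(dscl . -read /Groups/maclogin GroupMembership)" testuser
# Sample outputs below are constructed; the host names, realm, user and group
# names are placeholders.

# Rqmt 2.1: a network directory node (LDAPv3 or Active Directory) must appear
# on the client's search path, not only /Local/Default.
check_directory_bound() {
    printf '%s\n' "$1" | grep -Eq '^ */(LDAPv3|Active Directory)/'
}

# Rqmt 2.2: after console login the credential cache must hold a
# ticket-granting ticket (krbtgt/REALM); without it each Kerberos service
# would prompt again, which is exactly what step x.x.6/8 must not see.
check_kerberos_tgt() {
    printf '%s\n' "$1" | grep -q 'krbtgt/'
}

# Rqmt 2.3: a mobile account is marked by the LocalCachedUser authority on the
# cached local user record; if it is missing, offline login cannot succeed.
check_mobile_account() {
    printf '%s\n' "$1" | grep -q ';LocalCachedUser;'
}

# Rqmt 2.4: console access is limited to a login-allowed group; $2 is the
# short name that must (or must not) appear in the group's membership line.
check_group_member() {
    printf '%s\n' "$1" | grep -Eq "^GroupMembership:( [^ ]+)* $2( |$)"
}

# Constructed sample output, shaped like what the tools print on a correctly
# configured client.
SAMPLE_SEARCH_PATH='CSPSearchPath:
 /Local/Default
 /LDAPv3/od.example.edu'

SAMPLE_KLIST='Credentials cache: API:00000000-0000-0000-0000-000000000001
        Principal: testuser@EXAMPLE.EDU

  Issued                Expires               Principal
Jan  1 09:00:00 2009  Jan  1 19:00:00 2009  krbtgt/EXAMPLE.EDU@EXAMPLE.EDU'

SAMPLE_AUTHORITY='AuthenticationAuthority: ;Kerberosv5;;testuser@EXAMPLE.EDU;EXAMPLE.EDU; ;LocalCachedUser;/LDAPv3/od.example.edu:testuser:00000000-0000-0000-0000-000000000002'

SAMPLE_GROUP='GroupMembership: localadmin testuser'

# Run every check against the samples. Returns 0 only if all pass, including
# the negative case: a user outside the login-allowed group must be rejected.
run_sample_checks() {
    check_directory_bound "$SAMPLE_SEARCH_PATH" || return 1
    check_kerberos_tgt "$SAMPLE_KLIST" || return 1
    check_mobile_account "$SAMPLE_AUTHORITY" || return 1
    check_group_member "$SAMPLE_GROUP" testuser || return 1
    if check_group_member "$SAMPLE_GROUP" otheruser; then return 1; fi
    return 0
}

if run_sample_checks; then
    echo "sample checks: PASS"
else
    echo "sample checks: FAIL"
fi
```

The checks are deliberately parse-only so the same script can be committed with the captured output from each option's run, giving the evaluation matrix a reproducible record rather than a screenshot of the login window.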