[UniMacTech] AD authentication and restricting logins

Matiu Carr m.carr at auckland.ac.nz
Mon Apr 6 06:48:45 EST 2009


Yes, RADIUS via Microsoft IAS.

Access could be controlled at the network layer via group policy if  
you have devices that can do the gating (e.g. Airport Extreme).

Another way of achieving what you want is to use some kind of  
loginhook to test group membership of the connecting person.

If you use the active directory plugin then users arrive on the box  
with all their group information in the user record. For instance, on  
the student file server (OS X.5 in AD):

fileserver:~ mylogin$ id
uid=1836357057(mylogin) gid=1522854277(EC\domain users)  
groups=1522854277(EC\domain users)
1194167463(EC\tamakilabs.fos)
1534136336(EC\dialin.itss)
1486277511(EC\student.psrwi)
.
.
.
760710041(EC\wifiaccess)
1474264128(EC\statlabs.fos)
304261082(EC\ecwiki)

Note: I have tidied up the output a bit; the groups come as a comma-  
separated list. It would not be too difficult to look for a particular  
group membership in the list and act on the presence or lack of such  
memberships, e.g.:

#!/bin/tcsh -f

#	assumes that this is being run as part of the log in process
#	and the user has been authenticated, and we have access to
#	group data via LDAP, AD etc. $1 should contain the login
#	name - what you would expect in a login hook

set MUSTBEAMEMBER = DOMAIN\\canlogon	# check this carefully
set ALLOWLOGIN = no

#	note: `id -nG` separates group names with spaces, so a group
#	whose own name contains a space (e.g. "domain users") is split
#	into two words here; the gating group must not contain spaces
foreach thegroup (`id -nG $1`)
	#	== is the tcsh string comparison; a single = is a syntax error
	if ("$thegroup" == "$MUSTBEAMEMBER") then
		set ALLOWLOGIN = yes
	endif
end

if ($ALLOWLOGIN == no) then
	#	`logout` only works in a login shell; a non-zero exit is how
	#	a hook script signals failure
	exit 1
endif


# do login stuff...

exit 0


Then you can manage access via groups on the AD.

There may be a way of doing this with PAM.




Mat
--
Matiu Carr  <m.carr at auckland.ac.nz>

IT Manager
National Institute of Creative Arts and Industries

+64 9 3737 599 x86511
http://www.people.auckland.ac.nz/Mat/
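The same membership check as the tcsh loop above, written as an added example (not code from the original post) in POSIX sh so it runs under any login hook, and parsing the comma-separated `groups=` list that `id` prints rather than splitting `id -nG` on whitespace, so a group name containing a space (such as `EC\domain users`) survives intact. The gating group name and the `id` output below are constructed sample values.

```sh
#!/bin/sh
# Added example: gate a login on AD group membership as reported by `id`.
# REQUIRED_GROUP and SAMPLE_ID_OUTPUT are constructed for illustration.

REQUIRED_GROUP='EC\wifiaccess'    # assumed gating group; use your own

# Constructed `id` output in the format the original post shows. Group
# names may contain spaces, so whitespace splitting would break them.
SAMPLE_ID_OUTPUT='uid=1836357057(mylogin) gid=1522854277(EC\domain users) groups=1522854277(EC\domain users),1194167463(EC\tamakilabs.fos),760710041(EC\wifiaccess)'

# Print the group names from one line of `id` output, one per line.
# Splits on commas, then strips the numeric gid and parentheses, so
# names with embedded spaces come through whole.
group_names() {
    printf '%s\n' "$1" \
        | sed -n 's/.*groups=//p' \
        | tr ',' '\n' \
        | sed 's/^[0-9]*(//; s/)$//'
}

# Return 0 when the user described by `id` output ($1) is a member of
# group ($2). -F treats the backslash literally; -x requires a whole-line
# match so "EC\domain" does not match "EC\domain users".
user_in_group() {
    group_names "$1" | grep -Fqx -- "$2"
}

# Login-hook style decision: print allow/deny and return accordingly.
decide_login() {
    if user_in_group "$1" "$2"; then
        echo allow
        return 0
    fi
    echo deny
    return 1
}

# In a real hook $1 is the login name; you would run:
#   decide_login "$(id "$1")" "$REQUIRED_GROUP" || exit 1
decide_login "$SAMPLE_ID_OUTPUT" "$REQUIRED_GROUP"
```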


