[UniMacTech] AD authentication and restricting logins

Ben W Young ben.w.young at det.nsw.edu.au
Mon Apr 6 09:23:42 EST 2009


Do you name your computers to the physical location? If so you could build
on the below by using the computer name in a script.


Ben W Young
Technology Services Administrator




On 6/04/09 7:48 AM, "Matiu Carr" <m.carr at auckland.ac.nz> wrote:

> Yes, RADIUS via Microsoft IAS.
> 
> Access could be controlled at the network layer via group policy if you have
> devices that can do the gating (eg. Airport Extreme).
> 
> Another way of achieving what you want is to use some kind of loginhook to
> test group membership of the connecting person.
> 
> If you use the active directory plugin then users arrive on the box with all
> their group information in the user record. For instance on the student file
> server (OS X.5 in AD)
> 
>> fileserver:~ mylogin$ id
>> uid=1836357057(mylogin) gid=1522854277(EC\domain users)
>> groups=1522854277(EC\domain users)
>> 1194167463(EC\tamakilabs.fos)
>> 1534136336(EC\dialin.itss)
>> 1486277511(EC\student.psrwi)
>> .
>> .
>> .
>> 760710041(EC\wifiaccess)
>> 1474264128(EC\statlabs.fos)
>> 304261082(EC\ecwiki)
> 
> Note, I have tidied up the output a bit, the groups come as a comma separated
> list. It would not be too difficult to look for a particular group membership
> in the list and act on the presence or lack of such memberships. eg:
> 
>> #!/bin/tcsh -f
>> 
>> # assumes that this is being run as part of the log in process
>> # and the user has been authenticated, and we have access to
>> # group data via LDAP, AD etc. $1 should contain the login
>> # name -what you would expect in a login hook
>> 
>> set MUSTBEAMEMBER = DOMAIN\\canlogon # check this carefully
>> set ALLOWLOGIN = no
>> 
>> # note: `id -nG` separates names with spaces, so a group name that
>> # itself contains a space (eg. "domain users") is split into pieces here
>> foreach thegroup (`id -nG $1`)
>>     # tcsh string comparison is ==; a single = is a syntax error in an if
>>     if ("$thegroup" == "$MUSTBEAMEMBER") then
>>         set ALLOWLOGIN = yes
>>     endif
>> end
>> 
>> if ("$ALLOWLOGIN" == no) then
>>     # logout only works in a login shell, not in a script; the exit 1
>>     # is what carries the refusal back to the login process
>>     logout
>>     exit 1
>> endif
>> 
>> # do login stuff...
>> 
>> exit 0
> 
> 
> Then you can manage access via groups on the AD.
> 
> There may be a way of doing this with PAM
> 
> 
> Mat
> --
> Matiu Carr  <m.carr at auckland.ac.nz>
> 
> IT Manager
> National Institute of Creative Arts and Industries
> 
> +64 9 3737 599 x86511
> http://www.people.auckland.ac.nz/Mat/
> 
> 
> _______________________________________________
> unimactech mailing list
> unimactech at auc.edu.au
> http://www.auc.edu.au/mailman/listinfo/unimactech
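An added example, not code from either post: a POSIX sh version of the same login-hook check that parses the comma-separated group list `id` prints (so a group name with a space, such as "EC\domain users", is matched whole rather than split) and picks the group a user must hold from the computer name, as Ben suggests. The lab-<name>-<nn> naming convention, the EC\canlogon group and the sample `id` line are assumptions made up for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): a login-hook style check built on the
# `id` output format shown in the quoted listing, plus the computer-name idea.
# Assumes `id <user>` prints "groups=GID(NAME),GID(NAME),..."; the host naming
# convention and the EC\canlogon group below are invented for the demo.

# user_in_group ID_OUTPUT GROUP: exit 0 if GROUP appears in the groups= list.
# Splits on commas, not whitespace, so "EC\domain users" is matched whole.
user_in_group() {
    printf '%s\n' "$1" \
      | sed -n 's/.*groups=//p' \
      | tr ',' '\n' \
      | sed 's/^[0-9]*(\(.*\))$/\1/' \
      | grep -Fxq -- "$2"
}

# required_group_for_host HOSTNAME: which group a user must hold on this host.
# Constructed convention: lab-<labname>-<nn> requires EC\<labname>;
# any other machine requires EC\canlogon.
required_group_for_host() {
    case $1 in
        lab-*-[0-9][0-9])
            lab=${1#lab-}; lab=${lab%-*}
            printf 'EC\\%s\n' "$lab" ;;
        *)  printf 'EC\\canlogon\n' ;;
    esac
}

# login_allowed ID_OUTPUT HOSTNAME: 0 to permit the login, 1 to refuse it.
login_allowed() {
    user_in_group "$1" "$(required_group_for_host "$2")"
}

# Constructed sample in the format of the quoted listing, on one line;
# the EC\canlogon entry and its gid are made up.
SAMPLE_ID='uid=1836357057(mylogin) gid=1522854277(EC\domain users) groups=1522854277(EC\domain users),1194167463(EC\tamakilabs.fos),304261082(EC\ecwiki),999999999(EC\canlogon)'

# When run as a login hook, $1 is the login name (as in the quoted script);
# a non-zero exit refuses the login.
if [ $# -ge 1 ]; then
    login_allowed "$(id "$1")" "$(hostname -s)" || exit 1
fi
```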

