[UniMacTech] AD authentication and restricting logins

Darryl Rosin d.rosin at griffith.edu.au
Tue Apr 7 10:13:29 EST 2009


Thanks, everyone, for the thought.

Terry's answer looks like it'll do the trick and I very much like the look 
of Matiu's login hook suggestion. (Login hooks - I never think of them at 
the right time...) RADIUS, however, remains a mystery to me. 

d



Darryl Rosin

Server Administrator, Digital Arts Project
Griffith University AUC Developer Fund Coordinator

Research Computing Services
Division of Information Services
South Bank Campus
Griffith University 4111 Australia

d.rosin at griffith.edu.au
t: 04 1876 0956




From: Matiu Carr <m.carr at auckland.ac.nz>
To: University Macintosh Technical Mailing List <unimactech at auc.edu.au>
Date: 06/04/09 06:49 AM
Subject: Re: [UniMacTech] AD authentication and restricting logins



Yes, RADIUS via Microsoft IAS.

Access could be controlled at the network layer via group policy if you 
have devices that can do the gating (e.g. AirPort Extreme).

Another way of achieving what you want is to use some kind of loginhook to 
test group membership of the connecting person.

If you use the active directory plugin then users arrive on the box with 
all their group information in the user record. For instance on the 
student file server (OS X.5 in AD)

fileserver:~ mylogin$ id 
uid=1836357057(mylogin) gid=1522854277(EC\domain users) 
groups=1522854277(EC\domain users)
1194167463(EC\tamakilabs.fos)
1534136336(EC\dialin.itss)
1486277511(EC\student.psrwi)
.
.
.
760710041(EC\wifiaccess)
1474264128(EC\statlabs.fos)
304261082(EC\ecwiki)

Note that I have tidied up the output a bit; the groups come as a comma-
separated list. It would not be too difficult to look for a particular 
group membership in the list and act on the presence or lack of such 
memberships, e.g.:

#!/bin/tcsh -f

# assumes that this is being run as part of the log in process
# and the user has been authenticated, and we have access to
# group data via LDAP, AD etc. $1 should contain the login
# name - what you would expect in a login hook

set MUSTBEAMEMBER = DOMAIN\\canlogon # check this carefully
set ALLOWLOGIN = no

# id -nG prints the names of every group the user belongs to;
# the list is split on whitespace, so a name such as
# "DOMAIN\domain users" arrives as two words
foreach thegroup (`id -nG $1`)
    # tcsh string comparison is ==; a single = is a syntax error
    if ("$thegroup" == "$MUSTBEAMEMBER") then
        set ALLOWLOGIN = yes
    endif
end

if ($ALLOWLOGIN == no) then
    # not a member of the required group: stop here
    exit 1
endif


# do login stuff...

exit 0


Then you can manage access via groups on the AD.

There may be a way of doing this with PAM.




Mat
--
Matiu Carr  <m.carr at auckland.ac.nz>

IT Manager
National Institute of Creative Arts and Industries

+64 9 3737 599 x86511
http://www.people.auckland.ac.nz/Mat/

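A POSIX sh version of the same group gate, added here as an example and not part of Mat's post: it parses the comma-separated groups= field of the id output shown above instead of splitting on whitespace, so names with spaces such as EC\domain users survive, and it compares whole names so a prefix cannot match. The required group EC\canlogon and the sample id output are constructed.

```shell
#!/bin/sh
# Added example, not from the list post. Assumes the macOS login-hook
# convention of the thread: $1 is the short name of the user logging in.
# Group names below are constructed for illustration.

REQUIRED_GROUP='EC\canlogon'   # assumed name; use the AD group you gate on

# Constructed `id` output in the shape shown in the thread (one line).
SAMPLE_ID_OUTPUT='uid=1836357057(mylogin) gid=1522854277(EC\domain users) groups=1522854277(EC\domain users),1194167463(EC\tamakilabs.fos),760710041(EC\wifiaccess),304261082(EC\ecwiki)'

# in_group_list ID_OUTPUT GROUP: succeed (0) if GROUP appears in the
# groups= field of ID_OUTPUT. Splits on commas, not whitespace, so a
# name such as "EC\domain users" stays intact, and compares the whole
# name so EC\wifi does not match EC\wifiaccess.
in_group_list() {
    list=$1
    want=$2
    grouplist=${list#*groups=}
    [ "$grouplist" = "$list" ] && return 1   # no groups= field at all
    oldifs=$IFS
    IFS=','
    set -f                                   # no globbing while splitting
    for entry in $grouplist; do
        name=${entry#*\(}                    # strip "gid("
        name=${name%\)}                      # strip trailing ")"
        if [ "$name" = "$want" ]; then
            set +f; IFS=$oldifs
            return 0
        fi
    done
    set +f; IFS=$oldifs
    return 1
}

# login_allowed USER: look the user up with id(1) and apply the gate.
# An unknown user yields empty output and is therefore denied.
login_allowed() {
    in_group_list "$(id "$1" 2>/dev/null)" "$REQUIRED_GROUP"
}

# Login-hook entry point: only runs when a user name was passed in.
if [ $# -gt 0 ]; then
    if login_allowed "$1"; then
        printf 'login permitted for %s\n' "$1"
    else
        printf 'login denied for %s: not in %s\n' "$1" "$REQUIRED_GROUP" >&2
        exit 1
    fi
fi
```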



