<HTML>
<HEAD>
<TITLE>Re: [UniMacTech] AD authentication and restricting logins</TITLE>
</HEAD>
<BODY>
<FONT FACE="Tahoma, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:10pt'>Do you name your computers to the physical location? If so you could build on the below by using the computer name in a script.<BR>
<BR>
<BR>
</SPAN></FONT><FONT SIZE="4"><FONT FACE="Century Gothic"><SPAN STYLE='font-size:12pt'>Ben W Young<BR>
</SPAN></FONT></FONT><FONT FACE="Century Gothic"><FONT SIZE="2"><SPAN STYLE='font-size:9pt'>Technology Services Administrator<BR>
</SPAN></FONT><SPAN STYLE='font-size:10pt'><B><BR>
</B></SPAN></FONT><SPAN STYLE='font-size:10pt'><FONT FACE="Tahoma, Verdana, Helvetica, Arial"><BR>
<BR>
<BR>
On 6/04/09 7:48 AM, "Matiu Carr" <<a href="m.carr@auckland.ac.nz">m.carr@auckland.ac.nz</a>> wrote:<BR>
<BR>
</FONT></SPAN><BLOCKQUOTE><SPAN STYLE='font-size:10pt'><FONT FACE="Tahoma, Verdana, Helvetica, Arial">Yes, RADIUS via Microsoft IAS.<BR>
<BR>
Access could be controlled at the network layer via group policy if you have devices that can do the gating (eg. Airport Extreme).<BR>
<BR>
Another way of achieving what you want is to use some kind of loginhook to test group membership of the connecting person.<BR>
<BR>
If you use the active directory plugin then users arrive on the box with all their group information in the user record. For instance on the student file server (OS X.5 in AD)<BR>
<BR>
</FONT></SPAN><BLOCKQUOTE><SPAN STYLE='font-size:10pt'><FONT FACE="Tahoma, Verdana, Helvetica, Arial">fileserver:~ mylogin$ id <BR>
uid=1836357057(mylogin) gid=1522854277(EC\domain users) groups=1522854277(EC\domain users)<BR>
1194167463(EC\tamakilabs.fos)<BR>
1534136336(EC\dialin.itss)<BR>
1486277511(EC\student.psrwi)<BR>
.<BR>
.<BR>
.<BR>
760710041(EC\wifiaccess)<BR>
1474264128(EC\statlabs.fos)<BR>
304261082(EC\ecwiki)<BR>
</FONT></SPAN></BLOCKQUOTE><SPAN STYLE='font-size:10pt'><FONT FACE="Tahoma, Verdana, Helvetica, Arial"><BR>
Note, I have tidied up the output a bit, the groups come as a comma separated list. It would not be too difficult to look for a particular group membership in the list and act on the presence or lack of such memberships. eg:<BR>
<BR>
</FONT></SPAN><BLOCKQUOTE><SPAN STYLE='font-size:10pt'><FONT FACE="Tahoma, Verdana, Helvetica, Arial">#!/bin/tcsh -f<BR>
<BR>
# assumes that this is being run as part of the log in process<BR>
# and the user has been authenticated, and we have access to<BR>
# group data via LDAP, AD etc. $1 should contain the login<BR>
# name -what you would expect in a login hook<BR>
<BR>
set MUSTBEAMEMBER = DOMAIN\\canlogon # check this carefully<BR>
set ALLOWLOGIN = no<BR>
<BR>
foreach thegroup (`id -nG $1`)<BR>
if ($thegroup = $MUSTBEAMEMBER) then<BR>
set ALLOWLOGIN = yes<BR>
endif<BR>
end<BR>
<BR>
if ($ALLOWLOGIN = no) then<BR>
logout<BR>
exit 1<BR>
endif<BR>
<BR>
<BR>
# do login stuff...<BR>
<BR>
exit 0<BR>
</FONT></SPAN></BLOCKQUOTE><SPAN STYLE='font-size:10pt'><FONT FACE="Tahoma, Verdana, Helvetica, Arial"><BR>
<BR>
Then you can manage access via groups on the AD.<BR>
<BR>
There may be a way of doing this with PAM<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
</FONT></SPAN><FONT SIZE="2"><FONT FACE="Monaco, Courier New"><SPAN STYLE='font-size:7.5pt'>Mat<BR>
--<BR>
Matiu Carr <<a href="m.carr@auckland.ac.nz">m.carr@auckland.ac.nz</a>><BR>
<BR>
IT Manager<BR>
National Institute of Creative Arts and Industries<BR>
<BR>
+64 9 3737 599 x86511<BR>
<a href="http://www.people.auckland.ac.nz/Mat/">http://www.people.auckland.ac.nz/Mat/</a><BR>
</SPAN></FONT><FONT FACE="Helvetica, Verdana, Arial"><SPAN STYLE='font-size:9pt'><BR>
</SPAN></FONT><FONT FACE="Monaco, Courier New"><SPAN STYLE='font-size:7.5pt'><BR>
</SPAN></FONT></FONT><FONT FACE="Tahoma, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:10pt'> <BR>
<BR>
<BR>
<HR ALIGN=CENTER SIZE="3" WIDTH="95%">_______________________________________________<BR>
unimactech mailing list<BR>
<a href="unimactech@auc.edu.au">unimactech@auc.edu.au</a><BR>
<a href="http://www.auc.edu.au/mailman/listinfo/unimactech">http://www.auc.edu.au/mailman/listinfo/unimactech</a><BR>
</SPAN></FONT></BLOCKQUOTE>
<FONT face="Courier New" size=2>
<P><BR>**********************************************************************<BR>This
message is intended for the addressee named and may contain <BR>privileged
information or confidential information or both. If you <BR>are not the intended
recipient please delete it and notify the
sender.<BR>**********************************************************************
</FONT></P>
</BODY>
</HTML>