[Macpartners] authentication->loginhook->authorization

Kerem B Limon k_limon at MIT.EDU
Fri Jun 10 14:24:58 EDT 2005


Hmm...I don't have exact solutions, but I'll comment a bit on what we've played
with at CSAIL, adding more questions.

You obviously are aware of the verified and non-verified /etc/authorization
methods of authenticating users using an external MIT KDC. There is also the
post-login authentication (simply put, just runs kinit after login, passing on
local username and password--not elegant).

With the former, we can hook up to Active Directory or LDAP, but things break
for us since the Mac OS X AD plug-in in Panther (and Tiger, we tried) doesn't
support cross-realm authentication. Thursby's ADmitMac claims to be able to do
so, and we're looking to play with that next.

Another alternative is to create /etc/passwd files or use a similar mechanism to
populate the local NetInfo database. Since authentication is handled via
Kerberos, the local accounts would either not be necessary or have a random
strong password (a lot like what win.mit.edu does with Windows).

Nice thing about using LDAP/AD is that you can push a variety of things like
home directory, matching UIDs, etc. all from the directory store. Of course you
could put that into the NetInfo db or the password file.

I don't believe Athena makes their user directory info (easily) publicly
available (I don't know). If so, with a bit of finagling you could make that into
an /etc/passwd file and script it (cron, launchd) to run periodically to get
the latest info. Then, you won't need any interim login hooks.

-Kerem


Quoting Duncan Kincaid <dsk at MIT.EDU>:

> a (silly?) question:
> has anyone succeeded in having a loginhook script run BEFORE a 
> directory services lookup is executed during login sequence?
> 
> thanks
> dk
> 
> reason for question below (if interested):
> 
> objective: have any athena user login to our 'macathenised' macs 
> without our having to provide LDAP directory services. (there is no OS 
> X Directory Access plug-in for moira... yet... ever?)
> 
> plan: user authenticates against KDC, then loginhook shell script runs 
> which creates user's netinfo record on the fly, then login continues by 
> accessing the just created local netinfo record and completes.
> 
> thought this might work given loginwindow documentation. but doesn't 
> seem to.
> in particular, it appears loginhook simply does not run unless the mac 
> can find a netinfo (or LDAP, i.e. Directory Services) entry for the 
> user logging in. in other words, contrary to my understanding, 
> loginwindow executes a directory services lookup immediately following 
> authentication THEN runs loginhook if user record found. i suppose this is 
> perfectly reasonable, but no less disappointing.
> 
> any ideas as to how i might get a script running AFTER user 
> authenticates, but BEFORE loginwindow's directory services lookup would 
> be most welcome.
> 
> [the aforementioned loginhook shell script grabs the username, gets the 
> user's uid with a 'pts examine', and calculates the athena home 
> directory.
> then builds a local netinfo record for user (if one doesn't already 
> exist) using niutil]
> 
> OS X 10.3.9
> 
> _______________________________________________
> Macpartners mailing list
> Macpartners at mit.edu
> http://mailman.mit.edu/mailman/listinfo/macpartners
> 


Kerem B. Limon
kerem.limon at mit.edu /e-mail
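Kerem's periodic-sync suggestion above, as an added shell example that is not part of the thread: it turns a directory dump into /etc/passwd-style records for Kerberos-authenticated users, skipping accounts that already exist locally so it can run from cron or launchd. The `username:uid:homedir` input format, the sample data and the group id 20 are assumptions; the password field is locked with `*` instead of a random password, which gives the same effect (no usable local credential) without having to generate and hash one.

```shell
#!/bin/sh
# Added example, not code from the Macpartners thread.
# Build passwd records for users who authenticate via Kerberos only.
# Input format (assumed): one "username:uid:homedir" line per user.

# Constructed sample of what a periodic directory pull might return.
SAMPLE_DIRECTORY='dsk:12345:/afs/athena.mit.edu/user/d/s/dsk
k_limon:23456:/afs/athena.mit.edu/user/k/_/k_limon
bad name:1:/tmp
root:0:/var/root'

# Constructed list of accounts already present locally; a real run would
# read /etc/passwd or the NetInfo users directory instead.
EXISTING_USERS='root
k_limon'

# make_passwd_records DIRECTORY_DUMP EXISTING_NAMES
# Prints one passwd line per new, well-formed user. The password field is
# "*": the local record only supplies uid/home/shell, Kerberos does the
# authentication, so no usable local password is ever created.
make_passwd_records() {
    dump=$1
    existing=$2
    printf '%s\n' "$dump" | while IFS=: read -r name uid home; do
        # Accept only plain login names and numeric uids, and refuse uids in
        # the system range (below 500 on Mac OS X) so a bad dump cannot
        # produce a record that shadows root or another system account.
        case $name in
            ''|*[!A-Za-z0-9_.-]*) continue ;;
        esac
        case $uid in
            ''|*[!0-9]*) continue ;;
        esac
        [ "$uid" -ge 500 ] || continue
        # Skip users that already have a local record (idempotent re-runs).
        if printf '%s\n' "$existing" | grep -qxF -- "$name"; then
            continue
        fi
        # name:passwd:uid:gid:gecos:home:shell (gid 20 = staff, assumed)
        printf '%s:*:%s:20:%s:%s:/bin/bash\n' "$name" "$uid" "$name" "$home"
    done
}

make_passwd_records "$SAMPLE_DIRECTORY" "$EXISTING_USERS"
```

On the sample data only `dsk` is emitted: `k_limon` already exists, `bad name` fails the name check and `root` is in the system uid range.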


