Why not use a proxy that authenticates to AD?

On 27/02/09 00:55, "Bob Doolittle" <[email protected]> wrote:

> CJ Keist wrote:
>> Bob,
>> Thanks for the reply. This is the situation that has come down the
>> pipes. We have Sun kiosk stations around campus set up as open with
>> just a web browser running. They now want to authenticate users
>> before giving them a kiosk session. This is to cut down the number of
>> non-student types camping out at the kiosk stations.
>> The problem I have is all central user accounts here are stored in
>> Windows AD. The central IT folks will not touch AD. So no NIS UNIX
>> extensions, and no third party app to sync AD with UNIX LDAP server.
>> So only option I have is a web auth tool the central IT folks have for
>> me to use. Hence why I was asking if AMGH could get password info.
>> Is there a way to evoke an AMGH style redirect to a DTU from say my
>> own little Java app that could be run in the kiosk session? My Java
>> app would prompt for the user name password and then I can use the web
>> auth tools to authenticate and then redirect to a kiosk server if
>> pass, or a more internet restricted kiosk server if not.
>
> There are a couple of ways you could go with this. I'd think that the
> best would be to call pam_authenticate from some JNI code inside of your
> Java app, *after* authenticating with AD. Create your own custom PAM
> stack/service in /etc/pam.conf (or pam.d if this is Linux) that simply
> has pam_sunray_amgh on the stack. I've never tried this, obviously, but
> I *think* it should work :). It'll probably have a side effect of
> blowing away the session running your Java app when done, but that may
> be what you want anyway. I'd love to hear if this works for you.
>
> The other course is to roll your own. It's not that hard to write your
> own code to look up the smartcard->user->host mappings and then just
> call utswitch.
>
> -Bob
>
>>
>> Bob Doolittle wrote:
>>> CJ Keist wrote:
>>>> Is it possible to get user password with AMGH? Right now it looks
>>>> like AMGH scripts get called when you have user name but no password
>>>> info. Is there a way to get user password info using AMGH?
>>>
>>> No. That seems like a very bad idea from a security POV. You might
>>> almost as well use Kiosk mode, or disable passwords.
>>>
>>> -Bob
>>>
>>> _______________________________________________
>>> SunRay-Users mailing list
>>> [email protected]
>>> http://www.filibeto.org/mailman/listinfo/sunray-users

--
Axio Systems NV       Tel.  : +32 (0)9 365 45 45
Wouter Coppens        Direct: +32 (0)9 365 45 44
Neerhonderd 15/1      Fax   : +32 (0)9 369 49 59
B-9230 Wetteren
Belgium
http://www.axio.be/   Mail: [email protected]
