On 07/29/11 08:07, Ivar Janmaat wrote:
Hello Craig,
I did not know of this option. Looks interesting for large numbers of OVDC
clients when migrating to Sun Rays from PCs.
But I believe Paul only has one iPad so to write an executable for this might
be a bit too much to ask.
Yes, in that case simply using utuser to register the iPad is the simplest
approach.
I created the ATI interface for one specific (big!) customer way back when, and
I'd love to see it prove more widely useful. So in the interest of promoting
its use I've written this script for you. Attached.
I'd attach the script to my blog, along with the AMGH examples and How-To I'd
provided, but that was all lost in the move from Sun since I hadn't updated it
recently (so it was presumed inactive/unimportant :-( ).
This script does rely on an assumption that iPad OVDC always creates tokens of the form
"S1.*" and that no other OVDC clients do so. I don't know if this is true,
since I don't have an iPad. Nor do I know if it's expected to be true going into the
future - the token naming is not a documented/public interface so OVDC hasn't provided
any stability guarantee regarding it (AFAIK), and is therefore free to change the naming
convention in future. So caveat emptor and all that.
And of course it would not be difficult for somebody with some software chops
to hack the client or the platform to cause the OVDC token to be rewritten so
that it appears this way from non-iPad platforms, so as previously stated this
isn't a secure solution.
As Joerg and I pointed out, utpolicy is all about creating secure access
policies. If you're trying to prevent casual mis-use, but not protect against
determined abusers, then this might be an acceptable approach. I don't want to
see a front page NY Times story about this having been used to protect a bank's
infrastructure, OK? ;-)
-Bob
Isn't it possible to register a token for the OVDC session? I thought I read
something about people copying the smartcard token to the OVDC session so one
could even hotdesk to the OVDC.
I need to look into this further. Interesting stuff this OVDC on the iPad!
As for the network security. You would not want to have unknown laptops in your
network at all!
At best arrange for a separate wifi guest network access with no access to any
server infra.
Ivar
Craig Bender wrote:
Did anyone see the suggestion I posted? Registered mode for non-card use.
In fact, couldn't one use the Automated Token Import plugin and have it automatically
register all tokens that begin with "S1." and register them as an "OVDC User"?
http://wikis.sun.com/display/SRSS4dot2/Solaris+Sun+Ray+Interface+Plugins+-+man%283%29#SolarisSunRayInterfacePlugins-man%283%29-manutatiscriptinterface3
On 7/28/11 8:14 PM, Paul Whitener wrote:
Ivar you hit the nail on the head. I wanted to give access to an iPad
but require cards on the DTUs. The DTUs are in a clinic at a
university. So we want cards for the doctors and nurses so students can
not "play". Then iPads can be used to access in the office.
/paul
_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users
#!/bin/ksh -p
# Written by Bob Doolittle, Oracle Corporation, July 29, 2011
# Sun Ray ATI script to detect OVDC clients which generate tokens of
# the form "S1.*" (iPad?) and automatically register them, so a
# registered-pseudo-token policy can be used which allows access for
# such OVDC clients but no DTUs or other types of OVDC clients.
# Note this approach does not provide robust security, and cannot be
# used to differentiate such OVDC clients in a secure fashion.
while read -r INPUT; do
    # Input is read as key=value lines; only insert_token matters here.
    # Quoting keeps the test valid for empty lines and values with spaces.
    if [ "${INPUT%%=*}" = insert_token ]; then
        VAL=${INPUT#*=}
        # Token type is everything before the first "."
        TOK_TYPE=${VAL%%.*}
        if [ "$TOK_TYPE" = S1 ]; then
            # flush the rest of the input to avoid
            # something like SIGPIPE to caller
            while read -r INPUT; do
                :
            done
            print registered=1
            print name="OVDC iPad User"
            exit 0
        fi
    fi
done
# No S1 token seen: leave the token unregistered
print registered=0
exit 0