On 07/29/11 08:07, Ivar Janmaat wrote:
Hello Craig,

I did not know of this option. Looks interesting for large numbers of OVDC 
clients when migrating to Sun Rays from PCs.
But I believe Paul only has one iPad, so to write an executable for this might 
be a bit too much to ask.

Yes, in that case simply using utuser to register the iPad is the simplest 
approach.

I created the ATI interface for one specific (big!) customer way back when, and 
I'd love to see it prove more widely useful. So in the interest of promoting 
its use I've written this script for you. Attached.

I'd attach the script to my blog, along with the AMGH examples and How-To I'd 
provided, but that was all lost in the move from Sun since I hadn't updated it 
recently (so it was presumed inactive/unimportant :-( ).

This script does rely on an assumption that iPad OVDC always creates tokens of the form 
"S1.*" and that no other OVDC clients do so. I don't know if this is true, 
since I don't have an iPad. Nor do I know if it's expected to be true going into the 
future - the token naming is not a documented/public interface so OVDC hasn't provided 
any stability guarantee regarding it (AFAIK), and is therefore free to change the naming 
convention in future. So caveat emptor and all that.

And of course it would not be difficult for somebody with some software chops 
to hack the client or the platform to cause the OVDC token to be rewritten so 
that it appears this way from non-iPad platforms, so as previously stated this 
isn't a secure solution.

As Joerg and I pointed out, utpolicy is all about creating secure access 
policies. If you're trying to prevent casual mis-use, but not protect against 
determined abusers, then this might be an acceptable approach. I don't want to 
see a front page NY Times story about this having been used to protect a bank's 
infrastructure, OK? ;-)

-Bob

Isn't it possible to register a token for the OVDC session? I thought I read 
something about people copying the smartcard token to the OVDC session so one 
could even hotdesk to the OVDC.

I need to look into this further. Interesting stuff this OVDC on the iPad!

As for the network security. You would not want to have unknown laptops in your 
network at all!
At best arrange for a separate wifi guest network access with no access to any 
server infra.

Ivar

Craig Bender wrote:
Did anyone see the suggestion I posted?  Registered mode for non-card use.

In fact, couldn't one use the Automated Token Import plugin and have it automatically 
register all tokens that begin with "S1." and register them as an "OVDC User"?

http://wikis.sun.com/display/SRSS4dot2/Solaris+Sun+Ray+Interface+Plugins+-+man%283%29#SolarisSunRayInterfacePlugins-man%283%29-manutatiscriptinterface3



On 7/28/11 8:14 PM, Paul Whitener wrote:
Ivar you hit the nail on the head.  I wanted to give access to an iPad
but require cards on the DTUs.  The DTUs are in a clinic at a
university.  So we want cards for the doctors and nurses so students can
not "play".  Then iPads can be used to access in the office.

/paul


_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users

#!/bin/ksh -p

# Written by Bob Doolittle, Oracle Corporation, July 29, 2011

# Sun Ray ATI script to detect OVDC clients which generate tokens of
# the form "S1.*" (iPad?) and automatically register them, so a
# registered-pseudo-token policy can be used which allows access for
# such OVDC clients but no DTUs or other types of OVDC clients.

# Note this approach does not provide robust security, and cannot be
# used to differentiate such OVDC clients in a secure fashion.

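while read INPUT; do
        # expansions are quoted so that a blank input line or a value
        # containing spaces cannot break the test
        if [ "${INPUT%%=*}" = insert_token ]; then
                VAL=${INPUT#*=}
                TOK_TYPE=${VAL%%.*}
                if [ "$TOK_TYPE" = S1 ]; then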
                        # flush the rest of the input to avoid
                        # something like SIGPIPE to caller
                        while read INPUT; do
                                :
                        done
                        
                        print registered=1
                        print name="OVDC iPad User"
                        exit 0
                fi
        fi
done

print registered=0
exit 0
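
A dry run of the script's matching rule over constructed tokens, added here as an example (it is not part of the attachment above or of Sun Ray Software): it shows which token strings the "S1" prefix test would register, including any client that presents that prefix. It assumes only what the script shows, namely that ATI input is key=value lines with the token in insert_token; the function names and all sample tokens are made up for illustration.

```shell
#!/bin/sh
# Added example: audit what the "S1" prefix rule would register.
# Assumption: input is key=value lines, token in insert_token=<type>.<id>,
# as in the attached script. Nothing here talks to a Sun Ray server.

# ati_decide: read ATI-style input on stdin and print the decision the
# prefix rule would reach: "registered=1" or "registered=0".
ati_decide() {
    decision="registered=0"
    while IFS= read -r line; do
        # Skip blank lines and keys other than insert_token.
        [ "${line%%=*}" = insert_token ] || continue
        val=${line#*=}
        # Same test as the attachment: text before the first dot is "S1".
        if [ "${val%%.*}" = S1 ]; then
            decision="registered=1"
        fi
    done
    printf '%s\n' "$decision"
}

# audit_tokens: print "<token> <decision>" for each token argument.
audit_tokens() {
    for tok in "$@"; do
        result=$(printf 'insert_token=%s\n' "$tok" | ati_decide)
        printf '%s %s\n' "$tok" "$result"
    done
}

# Constructed sample tokens (not from a real deployment).
#   S1.*    what the thread assumes an iPad OVDC client presents
#   S10.*   near miss: the type is compared whole, so it is rejected
#   pseudo  DTU without a card; Payflex  smart card
#   last    any other client presenting the S1 prefix: accepted, which
#           is why the rule cannot serve as a security boundary
audit_tokens \
    "S1.0123456789abcdef" \
    "S10.0123456789abcdef" \
    "pseudo.080020aabbcc" \
    "Payflex.500943c400130100" \
    "S1.constructed-non-ipad-client"
```

Running it before enabling the policy gives a quick list of which existing token names in a deployment would be auto-registered by the prefix rule.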