OS X custom login authentication

Hi, I need to authenticate users at login with my own logic, for example calling an external authentication server and using OpenDirectory in case the server is not reachable.


I know that I need to create an authorization plugin like Apple's sample code (NullAuthPlugin, NameAndPassword) and add an entry in the authorizationdb at the 'system.login.console' right to invoke my plugin to achieve this. The NameAndPassword sample suggests using a different UI (using SFAuthorizationPluginView) instead of "loginwindow:login" to customize the login. Can I achieve my requirement without replacing the loginwindow GUI, i.e. the mechanism "loginwindow:login"? That is, can I keep the Mac's existing login screen as it is and obtain the credentials to perform my own authentication? If possible, where should I place my mechanism in 'system.login.console'?


I think of replacing the

<string>builtin:authenticate,privileged</string>
with my own plugin to achieve my requirement? Is it OK to replace the builtin login mechanism?

Is my approach correct? Can anyone help me clarify this?

Replies

I need to authenticate users at login with my own logic … calling an external authentication server and using OpenDirectory in case the server is not reachable.

I think of replacing the

<string>builtin:authenticate,privileged</string>
with my own plugin to achieve my requirement?

There are lots of different ways to get involved in the login process (authorisation plug-ins, SFAuthorizationPluginView, OD modules, and so on) but, given your requirements, I think this approach is probably the best.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
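
The mechanism swap discussed in this thread, sketched as an added example (not code from the original posts or from Apple): it edits a constructed copy of the 'system.login.console' right and refuses to proceed unless the stock login UI still precedes the authentication step. The plugin name MyAuthPlugin and the shortened mechanism list are assumptions.

```python
import plistlib

BUILTIN = "builtin:authenticate,privileged"
CUSTOM = "MyAuthPlugin:authenticate,privileged"  # hypothetical plugin:mechanism name

# Constructed sample, shaped like `security authorizationdb read system.login.console`
# output; a real right lists more mechanisms than this.
SAMPLE_RIGHT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>class</key>
    <string>evaluate-mechanisms</string>
    <key>mechanisms</key>
    <array>
        <string>loginwindow:login</string>
        <string>builtin:login-begin</string>
        <string>builtin:authenticate,privileged</string>
        <string>loginwindow:done</string>
    </array>
</dict>
</plist>
"""

def swap_mechanism(right_xml, old=BUILTIN, new=CUSTOM):
    """Return (new_plist_bytes, mechanisms) with `old` replaced by `new` in place."""
    right = plistlib.loads(right_xml)
    mechs = right.get("mechanisms")
    if right.get("class") != "evaluate-mechanisms" or not isinstance(mechs, list):
        raise ValueError("right is not an evaluate-mechanisms rule")
    if mechs.count(old) != 1:
        raise ValueError(f"expected exactly one {old!r}, found {mechs.count(old)}")
    if new in mechs:
        raise ValueError(f"{new!r} is already installed")
    if "loginwindow:login" not in mechs[:mechs.index(old)]:
        # Assumption: the stock UI must run first so the credentials are
        # already collected when the custom mechanism is invoked.
        raise ValueError("loginwindow:login does not precede the authenticate step")
    mechs[mechs.index(old)] = new
    return plistlib.dumps(right), mechs

if __name__ == "__main__":
    patched, mechs = swap_mechanism(SAMPLE_RIGHT)
    print("\n".join(mechs))
    # Keep the original XML as a rollback copy, then apply with:
    #   security authorizationdb write system.login.console < patched.plist
```

Keeping the untouched output of `security authorizationdb read system.login.console` gives a known-good copy to write back if the custom mechanism blocks login.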

So, you are saying that it is okay to replace the default built-in authentication mechanism? If so, won't it affect other authentication modes and operations written in OS X's login PAM module?

So, you are saying that it is okay to replace the default built-in authentication mechanism?

That’s what I was saying, and I actually think it’ll work, but on further consideration I’m not prepared to commit to that without a much deeper investigation. My recommendation is that you open a DTS tech support incident and we can discuss this there.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
  • Hi,

    I am working on a similar feature, and need to use a custom login screen. Any news or new insights regarding the issue?

    Will replacing the login screen with a custom one affect the other authentication modes and operations written in OS X's login PAM module?

    cheers


I am working on a similar feature, and need to use a custom login screen

Oh wow, it’s authorisation plug-in day today here on DevForums. I’m going to give you the same advice I gave Anwesh_M.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
