Login hook question

Similar Messages

• Portable Home Directories and Login Hooks

  We recently switched from Network Home Directories to Portable Home Directories. We used to use login hooks to do all kinds of nifty things to a user's home folder at login, but now it's complicated. I can't figure out at what point in the login+sync process the login hook executes.
  If the login hook executes before syncing, then I need to modify the network copy of the home folder, i.e. Network/Servers/servername/.../username. If the login hook executes after syncing, then I need to modify the local copy of the home folder, i.e. /Users/username. Unless I'm mistaken, you can't just use the tilde (~) in the script to denote the path the home folder, so you have to list the path explicitly.
  My testing seemed to result in inconsistent behavior. Can anyone give me some guidance?
  (Keywords: Loginhook Logouthook Login Script Logout Script Mobility Mobile PHD)

  Thank you for the advice, Syth, but I'm already aware of the basics of writing and implementing login and logout hooks. I wrote a lot of them when we were using Network Home Directories. The root of my question has to do with Portable Home Directories and login hooks.
  This is a computer lab environment where every user has their own account, network home folder, and "Mobility" preferences set in Workgroup Manager. When a user logs into a lab computer, syncing kicks in and they work from a local copy of their home folder which then syncs to the server at login and logout.
  So the core question is: Do login and logout hooks execute before or after login/logout home syncing occurs?
  For example, if a user with a brand new network account, i.e. who doesn't even have a network home yet, logs into a computer, what's the order of events? I would hope it would be:
  1) server creates network home
  2) computer creates local home, i.e. syncs
  3) login hook executes
  But my testing has been inconsistent. Anyone have any experience or insights to share?

• Debugging a non-working login hook

  I'm setting up labs in a school, some have 2008 iMacs, 2007 iMacs, 2007 Macbooks and powerbook g4's. I have a new 2008 iMac as my master image and I've set-up a LoginHook in com.apple.loginwindow.plist that runs a script that works just great. It does what I expect it too. I need this LoginHook to work on all the platforms. So far, when I migrate accounts from the iMac 2008 to a Macbook or Powerbook, that LoginHook no longer works. Period.
  The com.apple.loginhook.plist copies over, the filesize, permissions and ownerships are the same, the script copies over, permissions and ownerships are the same. I can manually sudo the script and it works. I've added echo statements to an output file in the script, but no output is created.
  And I see in the system.log file, in the system where this works, entries for my echo statements like:
  Aug 4 10:54:32 "hostname" com.apple.loginwindow[389]: this user is student
  which lets me see the script is running.
  I don't see mny messages like this on the system that doesn't work.
  I've also tried migrating accounts from a machines of the same type (ex: macbook > macbook), but the LoginHook doesn't work.
  What is in charge of launching the com.apple.loginwindow.plist? launchd?
  Any ideas on why the LoginHook would just conk out like this?

  did you make your login hook following these instructions? remember that the loginwindow plist that is used is the one in roots home directory not in /Library/Preferences. That said, I had some problems with login hooks too and never could figure out why mine didn't run so I created a separate launch daemon to run the script i wanted. you can put it in /Library/launchAgents and it will execute whenever anyone logs in. that worked for me.

• Yosemite profile manager login hook

  Hi.  We have recently purchased a Mini running Yosemite server.  The server is running profile manager and an open directory server, it is bound to active directory.  This is all working, however I would like to roll out a login script for users.  I have created this script and it works when run manually, however is there a way to specify this to run via Profile Manager?  If the script is located on a server, how can I have a client run this script remotely?  I want to push this out automatically so I don't need to go to all the laptops throughout the company.  Thanks

  If the Login Hook works on your machine, maybe the best way to share the script is using Apple Remote Desktop. But your machines have to be prepared for the remote maintenance.

• Login Hook

  Does anyone have any experience creating Apple MAC OS X 10.5.6 Login Hook scripts?
  I need to create one that maps a users network folder (stored on an Apple Xserve) to the desktop when they log onto a MAC. The Login Hook needs to work for roaming user accounts so that the network folder loads no matter what MAC the user logs onto...

  ..."unzip com.prefs.zip […]
  the original owner is "user:staf" but change to "root:admin""...
  Login window hooks run as "root" so when unzipping, the newly expanded files, which by default take the owner of the user performing the unzip, will be owned by "root". Perhaps try 'unzip -X' as one possible option if the original zip was created from files with the intended "user" and "group".
  Another possibility is to run '/usr/bin/sudo -u username /usr/bin/unzip'... so that "unzip" is run as the user (and don't forget the $1 option to run as whatever user is logging in, although that fails in some network settings, or at least it did in earlier versions).
  Depending on the situation, using a launch agent to run the script might be more appropriate...

• Automatic "j_security_check" form login submission question

  I've been using J2EE 1.4 declarative security with no problems.
  It works great. I define the security constraints to the server and
  when the relevant pages are hit the login.jsp page gets invoked
  where users can login. I happen to be using Tomcat 5 right now, but again it all works fine.
  But now I have to receive http User Login requests from a non-java server and automatically log the user in if they were logged in on the prior server since I support the same User-Ids/Passwords.
  My question is simple and may only be an HTML trick. On the login page code specifically for users where I already have their User-Id and Password how do I auto-submit the form without requiring user's to press the "submit" button? For this type of user where I know the UserID and Password I will not have any displayed HTML since the user does not have to do anything. For traditional manual login, I always used the following format with the submit button, but again, now I want to bypass the JSP/JSTL/HTML display and submit automatically (using code) instead of requiring the user to press the submit button.
  <form method="POST" action="j_security_check" >
  <input type="text" name="j_username" size="8" maxlength="8" />
  <input type="password" name="j_password" value="FMTPPSWD" size="8" maxlength="8" />
  <input type="submit" value=" Login " />
  </form>
  Help!
  I've already orchestrated the solution in my login.jsp configuration to separate between the JSP Display page supporting manual login (using jsp:forward) and non-display auto-login. So my question is only how do I submit a form programatically without using the submit button?
  Thanks.

  For the benefit of others here is the JSP/JSTL & javascript solution.
  This allowed me to create an automated login and use declarative security ...
  The following code requires param.UserID and param.PassWord to be set before it is executed...
  <form name="AutoLogin" method="POST" action="j_security_check" >     
  <input type="hidden" name="j_username" value="<%= request.getParameter("UserID") %>" size="8" maxlength="8" />
  <input type="hidden" name="j_password" value="<%= request.getParameter("PassWord") %>" size="8" maxlength="8" />
  </form>
  <script type="text/javascript" language="JavaScript">
  document.AutoLogin.submit();
  </script>

• Secure Mail Login (Lame question) Is there a secure IMAP login without SSL?

  We want to protect our external users' passwords from easy sniffing on the wire in the wild Internet (since users are in LDAP, these passwords may also be used for interactive logins to the servers, so keeping them in the open is not a good idea). As you may infer from my questions, I'm not too strong in this area yet.
  I understand that we can set up SSL/TLS wrappers or use native support for SMTPS, POP3S and IMAPS, or even set up a VPN server; however there are a number of clients (i.e. certain PDA's and cell phones) which don't suggest even tweaking the server port number, and only work over standard SMTP/IMAP/POP3.
  As much as I understand, this security stuff has long ago been such a problem that SMTP evolved several different ways of secure authentication. One is STARTTLS where a supporting SMTP server/relay and client can use enhanced commands on a normal SMTP port (tcp/25) to switch from plaintext to TLS-protected dialog on-the-fly (and use authentication after this step).
  I believe (but may be wrong doing so) there may also be a way when the user password submission for SMTP authentication is cryptographically protected, but the rest of the dialog is in plaintext. (Basically, IIRC, one or a few lines are protected by sending a hash of the password instead of the plain or BASE64 password string).
  I wonder if similar standard mechanisms exist for POP3 and IMAP at all, and if they are implemented in Sun Messaging Server in particular.
  And where should I best read up on these subjects? :)

  JimKlimov wrote:
  As much as I understand, this security stuff has long ago been such a problem that SMTP evolved several different ways of secure authentication. One is STARTTLS where a supporting SMTP server/relay and client can use enhanced commands on a normal SMTP port (tcp/25) to switch from plaintext to TLS-protected dialog on-the-fly (and use authentication after this step). Messaging server supports providing a SSL encrypted port (465) and also providing STARTTLS on a plain-text port (e.g. 25).
  The quickest way to enable this is to run:
  ./msgcert generate-certDB
  ./imsimta cnbuild;./imsimta restartThis will generate a self-signed certificate (not appropriate for production usage but fine for testing). To verify that it is working perform the following steps:
  telnet <mail-server> 25
  ehlo blah.comYou should see a line that says "250-STARTTLS".
  If you want to enable the SSL port (465), uncomment the following line in the dispatcher.cnf file:
  TLS_PORT=465You will need to run ./imsimta cnbuild;./imsimta restart for the change to become active.
  I believe (but may be wrong doing so) there may also be a way when the user password submission for SMTP authentication is cryptographically protected, but the rest of the dialog is in plaintext. (Basically, IIRC, one or a few lines are protected by sending a hash of the password instead of the plain or BASE64 password string).The mechanisms you refer to are all discussed here:
  http://docs.sun.com/app/docs/doc/819-4428/bgbau?a=view
  Note however that "To work, the CRAM-MD5, DIGEST-MD5, or APOP SASL authentication methods require access to the users’ plaintext passwords. ".
  I wonder if similar standard mechanisms exist for POP3 and IMAP at all, and if they are implemented in Sun Messaging Server in particular.
  And where should I best read up on these subjects? :)Refer to manual page listed earlier and the following manual page:
  http://docs.sun.com/app/docs/doc/819-4428/bgbba?a=view
  Regards,
  Shane.

• 1.4 Logging (shutdown hook question really)

  If I have a handler configured and log a record inside a thread running as a shutdown hook, more times than not I get nothing in the log file (or console, or wherever) and have to resort to System.err.println().
  Now, from studying the code for LogManager this turns out to be the result of the inner Cleaner thread (which is the log managers shutdown hook) calling reset() on the manager.
  So, this question morphs itself into how to get my shutdown hook to run before the one that resets the log manager.
  Any ideas or adjsting the priority (order of execution) of shutdown hooks?

  Guys (silkm, trejkaz and the good doctor),
  That's for the input. Appreciate it.
  On shutdown hooks being bad design - interesting. In the case I'm thinking of, the entry point class for a distributed task manager (see http://forum.java.sun.com/thread.jsp?forum=4&thread=335843&tstart=0&trange=30) is "embedded" in consumer code and does indead have a clean shutdown method that we hope the consumer code will invoke before shutting itself down. But in the same was as the logging subsystem can not rely on it's consumer code to "do the right thing", we can't rely on our consumer code to behave itself. In addition, we do want to catch the case where an operator re-starts the consumer system (internal procedure demands unix processes are sent an interrupt rather than a kill). The code invoked by the clean shutdown and the caught shutdown persists (as XML) the state of the task manager which is read on re-start to perform recovery operations. Now, before you all dive in and say "save the state every time it changes" let me say that the state changes very rapidly and the I/O overhead of saving it is considerable. Also, having a background thread that persists state on a regular basis was considered, but it introduces the problem that it becomes different to gaurantee the validity of the persisted state.
  On setting the thread priority - that had occured to me and I shall be using this as one of my test cases to see what happens. As mentioned, the effects this has will vary by platform and VM. However, as the component in question will be running in a controlled environment we should be able to pick a configuration that works.
  On Linux threads and processes - Good point. But do unstarted threads have a process? This is significant to us as the target platforms for the task manager are Solaris and Linux.
  On java.lang.Runtime's implementation of shutdown hooks - I tend to agree that it's a bit simplistic. Maybe we should raise a change request to allow greater control over how hooks are executed.
  Thanks again and please chip in if you have any other ideas.

• Newbie trying to setup schoolwide login hook

  I don't know if this is the proper setting to ask this question, but here goes...I knew nothing about UNIX until about 2 weeks ago when I was asked by my school district's IT admin to develop a login script to reset each student's dock when they login to a standard setting. He'd finally found a way to use the district's LDAP/eDirectory logins for the Macs through software called Kanaka. I came up with the following script (based on a template off Bombich's site) but it's not working. Does anyone have any hints? Thanks for any possible help! Without this, our admin is threatening to take all Macs off the high school's network...
  #!/bin/sh -f
  set localAdmin = admin
  ### Script action ###
  # If this is not the admin user...
  if ( $1 != $localAdmin ) then
  # Replace old Dock with required default Dock
  sudo cp -f /Users/Shared/com.apple.dock.plist ~/Library/Preferences/
  # Restart the Dock
  killall Dock
  endif
  ### Always exit with 0 status
  exit 0

  All the computers are up to 10.4 (I was surprised!). There are various versions of 10.4 though. The machine I'm developing/debugging on is a G5 dual core with 10.4.5. I don't know if I should try reinstalling the BSD subsystem to make sure the available shells have everything they require--like I said, I'm new at this. I didn't set up the machine I'm working on, but I thought BSD was installed by default, or has to be installed for OS X to work, but I'm not sure. I'm going to try the script at home this weekend on my iMac which has the developer tools, etc., installed to see if that makes any difference.
  It appears the script is running because of the short bit of additional time required to login, but nothing in the docks for any of the accounts changes upon successful login.
  Also, Bombich's original script had csh at the end of the first intro line to the script instead of just sh for the bash shell. I don't know if this would make any difference in the final outcome.
  Again, thanks for all of your help thusfar...I think I even understand almost everything in the script you sent me! Although I can say that high school French seems like it was a lot easier to learn; but then again, that wasn't a timed trial by fire like my intro to UNIX has been!
  Damian

• HT204088 Please help login security questiona

  Hi I have an security question which I have not done before so that I could not download my iTunes download

  First I followed the instruction from the following website to setup the driver. http://www.deitel.com/books/simplyJava1/simplyjava1_AccessDatabaseInstructions.pdf
  Then I added the following REALM to my App2.xml
     <Realm  className="org.apache.catalina.realm.JDBCRealm"
            driverName="sun.jdbc.odbc.JdbcOdbcDriver"
         connectionURL="jdbc:odbc:DATABASE"
             userTable="user" userNameCol="usr" userCredCol="pswrd"
         userRoleTable="role" roleNameCol="role" />Here is what i have in my web.xml
      <security-constraint>
        <display-name>Security Constraint</display-name>
        <web-resource-collection>
           <web-resource-name>Protected</web-resource-name>
           <url-pattern>/*</url-pattern>
           <http-method>GET</http-method>
           <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
           <!-- Anyone with one of the listed roles may access this area -->
           <role-name>Manager</role-name>
        </auth-constraint>
      </security-constraint>
      <!-- Default login configuration uses form-based authentication -->
      <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>Form-Based Authentication</realm-name>
        <form-login-config>
          <form-login-page>/login.jsp</form-login-page>
          <form-error-page>/error.jsp</form-error-page>
        </form-login-config>
      </login-config>
      <!-- Security roles referenced by this web application -->
      <security-role>
         <role-name>Manager</role-name>
      </security-role>

• Creating a login hook?

  I am looking to create a script that runs each time when i log in to my mac.
  Although I am stuck at what to write in the script?
  I am looking for the script to open 'Safari' (2 tabs if possible) and 'Microsoft Messenger for Mac' at log in.
  Any help would be appreciated.
  Thanks in advance.

  Hello, I can get you 2/3's the way there. Open System Preferences>Accounts then make sure your account is highlighted. Then, above your pic, click on "login Items".
  These are the items that will automatically start when you boot. To add Safari and Messenger, click on the "+" in the lower left. Navigate to the Applications folder and choose the apps.
  I will have to look at opening two tabs but that will get you started.
  Cheers,
  Glynn

• Another Login Channel Question?

  I want to use the Login Channel such that my user is presented with static content and along with Login Channel. When the user enters Login & Password he/she is taken to the domain they belong to. And, when they do Login I also want to capture their username & password to access use in channels that allow the user to log into another application (database, CRM, etc).
  I guess I want to do some custom authentication, but how at login can I direct the user to the appropriate domain? And, what type of Authentication is used by the Default Channel I haven't found any source for the Default Login Channel, if I want to customize the Authentication associated with it where/how would I start?

  You are directed to a domain even before login, you login based on the authentication configuration for that domain.
  For e.g.if you are using portal, the way you authenticate is
  http://portalserver:8080/login/domain_name_1 and ofcourse you can appropriately configure the domain also to be mapped to any url like
  http://myportal.mydomain.com for domain_name_1
  What the login channel does is load the authentication screen based on the appropriate display.html present in
  /etc/opt/SUNWips/desktop/default/iwtLoginProvider
  What you can do is write a custom auth provider that takes the password token string and help you handle your backend authentication you need to do with your backend server . You can then configure iwtLoginProvider to use your authentication module instead of the default Membership login ..
  Details of how to configure the Login Provider for any authentication is given in sp3a release notes, look for the topic Modifying the Login Channel ..
  To write your own authentication module, there are samples provided and the membership auth module code is also distributed through support based on request ..
  HTH ...

• Login Scripts question

  I have cobbled together a script which display a users quota information when logging in. The script works fine and I can get it to run from the login script managed preference set in workgroup manager. The problem I have is that the script is reporting the user as root rather than the login user. My understanding is that login scripts (not loginhooks) run as the login user rather than the root account or is this incorrect? Trust level is set to anonymous at the moment.
  Here is the script so its more clear what im doing:
  #!/bin/sh
  # quotas - displays usage levels on server.
  # get user's short name.
  thisUser=`whoami`
  # get quota from LDAP
  maxSpace=`ldapsearch -h myserver.com -b "dc=myserver,dc=com" -x -LLL uid=$thisUser apple-user-homequota|grep apple|awk {'print $2'}`
  # convert to MB
  maxMegs=`expr $maxSpace / 1024 / 1024`
  maxGigs=`expr $maxSpace / 1024 / 1024 / 1024`
  # Returns user's home directory disk usage in 1024 KB blocks.
  currentSpace=`du -sk ~ | awk '{print $1}'`
  # convert to MB
  currentMegs=`expr $currentSpace / 1024`
  # floating point math for percentage used
  spaceUsed=`echo "scale=2; $currentMegs / $maxMegs" | bc`
  percentUsed=`echo "scale=0; $spaceUsed * 100" | bc | sed -e "s/.00//g"`
  /usr/bin/osascript <<-EOF
  tell application "System Events"
  activate
  display dialog "Disk Usage for user: $thisUser used: $currentMegs Mb max: $maxGigs Gb percent: $percentUsed %"
  end tell
  EOF
  exit

  In the future, please post your Code Snippits between
  ... your code here ...
  That will preserve all your formatting and prevent the forum formatting code from stealing some of your characters.
  And it will make it easy for people to see what you really wrote as your script.
  PS. Why not just use the quota command?
  Message was edited by: BobHarris

• Login keychain question

  I've forgotten the password to my login keychain. Various functions want to use the login keychain.
  Would it be possible to delete (or alternately rename) the login keychain?
  Then, I would make a new keychain named "login" to which I would know the password.
  Any thoughts on the above?
  By the way, I've created a new keychain, where I've been storing login information.

  Thanks for the response. Now I've really hosed things up.
  My current keychain is named new-system.keychain. It had about 95 entries, and I use unique passwords per site.
  This is what I thought I did:
  1. renamed login.keychain to save it
  2. renamed new-system.keychain to login.keychain
  except there are two problems:
  1. The renaming of login.keychain does not appear to have happened
  2. I can't find new-system.keychain
  I used TimeMachine, but it's nowhere to be found.
  Thoughts please.

• Shutdown hook question.

  I want to add a shutdown hook to my program printing the last exception being thrown in my program, printing information similiar to exception.printStackTrace. In other words, i want to see the exception that caused my program to halt abnormally.

  A shutdown hook isn't going to be of much help since you'll have to record that last exception somewhere for the shutdown hook to process, and you might as well have printed it then.