I need to authenticate users at Mac login with my own logic, e.g. by calling an external authentication server.
I know that I need to create an authorization plugin like Apple's sample code (NullAuthPlugin, NameAndPassword) and add an entry in authorizationdb at the 'system.login.console' right to invoke my plugin to achieve this (SFAuthorizationPluginView).
But I need to invoke my plugin after the Mac's default logon screen (second-factor authentication).
My plugin name is CustomLogin and its function name is invoke so I am using
In the plist file, where should I place CustomLogin:invoke to make sure the plugin gets invoked after the normal Mac AD authentication screen?
Do I have to do something else apart from this? Please suggest a solution.
Normally the macOS auth happens in the rule
<string>builtin:authenticate,privileged</string>, so if you want your mechanism to be executed after it, you have to place it after that. It will be without modification of the UI; the success or failure will be silent. If you want to change an element of the UI to inform the user of the failure, I think that you will have to do an SFAuthorizationPluginView and add a test before the original login.
Otherwise you can also write a PAM module; it is often simpler, but the login UI of macOS does not handle the PAM conversation function right, from what I can see, so it is only suitable for a module without UI. The PAM stack is just invoked on it:
<string>builtin:authenticate,privileged</string>.
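
The placement described in the answer above, as an added example that is not part of the original posts: it inserts CustomLogin:invoke directly after builtin:authenticate,privileged in the mechanisms array of a system.login.console right. The sample plist is constructed and shortened; on a real machine the input comes from `security authorizationdb read system.login.console`, and the function names are hypothetical.

```python
import plistlib

ANCHOR = "builtin:authenticate,privileged"   # mechanism named in the answer
CUSTOM = "CustomLogin:invoke"                # plugin:mechanism from the question

# Constructed, shortened sample of a system.login.console right.
SAMPLE_RIGHT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>class</key>
    <string>evaluate-mechanisms</string>
    <key>mechanisms</key>
    <array>
        <string>loginwindow:login</string>
        <string>builtin:login-begin</string>
        <string>builtin:authenticate,privileged</string>
        <string>builtin:login-success</string>
        <string>loginwindow:success</string>
        <string>loginwindow:done</string>
    </array>
</dict>
</plist>
"""

def insert_after(right: dict, anchor: str = ANCHOR, custom: str = CUSTOM) -> dict:
    """Return a copy of the right with `custom` placed directly after `anchor`."""
    # Drop any earlier copy first so re-running the script is idempotent.
    mechs = [m for m in right.get("mechanisms", []) if m != custom]
    if anchor not in mechs:
        # Refuse to guess a position: a mechanism placed earlier in the list
        # would run before the password check instead of after it.
        raise ValueError(f"{anchor!r} not found in mechanisms")
    pos = mechs.index(anchor) + 1
    updated = dict(right)
    updated["mechanisms"] = mechs[:pos] + [custom] + mechs[pos:]
    return updated

def patch_plist(data: bytes) -> bytes:
    """Parse a right's plist, insert the mechanism, and serialize it again."""
    return plistlib.dumps(insert_after(plistlib.loads(data)))

if __name__ == "__main__":
    # Review the output, then feed it on stdin to
    # `security authorizationdb write system.login.console`.
    print(patch_plist(SAMPLE_RIGHT).decode())
```

Keep a copy of the unmodified right before writing the patched one back, so the original mechanism order can be restored if the plugin fails at the login window.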