
OS X custom login authentication


My Requirement
I need to authenticate users at login with my own logic, for example calling an external authentication server and falling back to OpenDirectory in case the server is not reachable.

What I know
I know that I need to create an authorization plugin like Apple's sample NullAuthPlugin and add an entry to the authorizationdb 'system.login.console' right to invoke my plugin to achieve this.

What I need
Can I achieve my requirement without replacing the loginwindow GUI, i.e. the mechanism <string>loginwindow:login</string>? In other words, can I keep the existing Mac login screen as it is and still obtain the credentials to perform my own authentication? If possible, where should I place my mechanism in 'system.login.console'?

My idea
I am thinking of replacing <string>builtin:authenticate,privileged</string> with my own plugin to achieve my requirement. Is it OK to replace the builtin login mechanism?

Is my approach correct? Can anyone help me clarify this?


Solution

  • From what I understood you can create an authorization plugin and put it after <string>loginwindow:login</string>.

    It will not replace the macOS auth but it will add a layer. I'm not sure what it will look like if you remove <string>builtin:authenticate,privileged</string>, but I think I remember that I tried something like that and it was crashing.

    Otherwise you can also write a PAM module; the PAM stack is invoked from <string>builtin:authenticate,privileged</string>. If you add a module with the sufficient control flag to the /etc/pam.d/authorization file it will do the job.
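As an added illustration (not part of the question or the answer above), the following Python script shows how the mechanism list of the `system.login.console` right can be edited so that a custom mechanism sits directly after `loginwindow:login` while `builtin:authenticate,privileged` is left in place. The plist is a constructed, abridged sample of what `security authorizationdb read system.login.console` prints, and `MyAuthPlugin:authenticate,privileged` is a hypothetical plugin name.

```python
import plistlib

# Constructed, abridged sample of the XML plist that
# `security authorizationdb read system.login.console` prints.
# A real right carries more mechanisms than listed here.
SAMPLE_RIGHT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>class</key>
    <string>evaluate-mechanisms</string>
    <key>mechanisms</key>
    <array>
        <string>builtin:policy-banner</string>
        <string>loginwindow:login</string>
        <string>builtin:login-begin</string>
        <string>builtin:authenticate,privileged</string>
        <string>loginwindow:success</string>
    </array>
</dict>
</plist>
"""


def mechanisms(plist_bytes):
    """Return the ordered mechanism list of a right in plist form."""
    return list(plistlib.loads(plist_bytes)["mechanisms"])


def insert_mechanism(plist_bytes, new_mech, after="loginwindow:login"):
    """Return a copy of the right with new_mech inserted right after `after`.

    Nothing is removed: the builtin authentication mechanism stays in the
    list, so the custom plugin adds a layer rather than replacing login.
    A missing anchor or a duplicate entry raises instead of silently
    writing a right that no longer collects credentials.
    """
    right = plistlib.loads(plist_bytes)
    mechs = list(right.get("mechanisms", []))
    if after not in mechs:
        raise ValueError(f"anchor mechanism {after!r} not found in right")
    if new_mech in mechs:
        raise ValueError(f"mechanism {new_mech!r} already present")
    idx = mechs.index(after) + 1
    right["mechanisms"] = mechs[:idx] + [new_mech] + mechs[idx:]
    return plistlib.dumps(right)


if __name__ == "__main__":
    # "MyAuthPlugin" is a hypothetical plugin bundle name.
    updated = insert_mechanism(SAMPLE_RIGHT, "MyAuthPlugin:authenticate,privileged")
    print("\n".join(mechanisms(updated)))
```

On a real machine the returned bytes would be fed to `security authorizationdb write system.login.console` only after the output of `read` has been saved as a backup, since a broken right locks everyone out of the console login.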