I thumbed through the archive, but didn't find an answer.  If I missed it, 
perhaps someone will be kind enough to point me in the right direction.

I'm testing replacing our OpenDirectory server with a FreeIPA server for 
authenticating our Mac systems.  So far, I have the server and client running 
in a virtual machine (FreeIPA running on CentOS 7, the Mac is macOS 10.12.1), and, 
following a number of instructions found on the web, they are talking to each 
other and I can log in from the Mac client to the FreeIPA server with a user 
account on the FreeIPA server.

The final step in this is that I need to use smart card authentication instead 
of username/password.  I have managed to get the smart card's certificate added 
to the user account on the FreeIPA server, but that's as far as I've managed.

In macOS 10.7-10.11, the method of getting smart card authorization to work is 
to get the hash of the certificate on the smart card and then add that to 
AuthenticationAuthority in Directory Utility as ;pubkeyhash;<Certificate hash>. 
In 10.12, it will actually ask you if you want to pair the smart card with the 
account, and if so, in the background it adds the hash as 
;tokenIdentity;<Certificate hash> to AuthenticationAuthority (but it only does 
that for local accounts. To do it in Open Directory, you still have to add it 
manually).

In my ignorance, I'm guessing that I just somehow need to map the certificate 
that's been added to the user account in FreeIPA to AuthenticationAuthority in 
Directory Utility.  Right now the only thing mapped in the bind for 
AuthenticationAuthority is uid.

Could someone tell me what map I would need to make when setting up the bind to 
make this work? Or if I'm totally heading in the wrong direction, could someone 
send me in the right direction?

Nathan Kinder's blog was very helpful, but he mentions that he will explain how to 
actually set up login in the next installment, and that was over a year ago and 
there's no next installment.  Most of what I've been able to find covers how to 
use sssd to get a Linux machine to authenticate with the smart card to FreeIPA, 
but I haven't been able to translate that to getting the Mac to authenticate.

Thank you,
