I thumbed through the archive, but didn't find an answer. If I missed it,
perhaps someone will be kind enough to point me in the right direction.
I'm testing replacing our OpenDirectory server with a FreeIPA server for
authenticating our Mac systems. So far, I have the server and client running
in a virtual machine (FreeIPA running on CentOS 7, Mac is MacOS 10.12.1), and,
following a number of instructions found on the web, they are talking to each
other and I can log in from the Mac client to the FreeIPA server with a user
account on the FreeIPA server.
The final step in this is that I need to use smart card authentication instead
of username/password. I have managed to get the smart card's certificate added
to the user account on the FreeIPA server, but that's as far as I've managed.
In MacOS 10.7-10.11, the method of getting smart card authorization to work is
to get the hash of the certificate on the smart card and then add that to
AuthenticationAuthority in Directory Utility as ;pubkeyhash;<Certificate hash>.
In 10.12, it will actually ask you if you want to pair the smart card with the
account, and if so, in the background it adds the hash as
;tokenIdentity;<Certificate hash> to AuthenticationAuthority (but it only does
that for local accounts. To do it in Open Directory, you have to add it
In my ignorance, I'm guessing that I just somehow need to map the certificate
that's been added to the user account in FreeIPA to AuthenticationAuthority in
DirectoryUtility. Right now the only thing mapped in the bind for
AuthenticationAuthority is uid.
Could someone tell me what map I would need to make when setting up the bind to
make this work? Or if I'm totally heading in the wrong direction, could someone
send me in the right direction?
Nathan Kinder's blog was very helpful, but he mentions telling how to actually
set up login on the next installment, and that was over a year ago and there's
no next installment. Most of what I've been able to find covers how to use
sssd to get a linux machine to authenticate with the smartcard to FreeIPA, but
I haven't been able to translate that to getting the Mac to authenticate.
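As an added example (not part of the original post, and not code from the FreeIPA project), here is a small parser for the `;tag;data` AuthenticationAuthority entries described above, so an admin can check from a directory read-out whether an account carries the pre-10.12 `;pubkeyhash;` binding, the 10.12 `;tokenIdentity;` binding, or neither. The sample values are constructed placeholders, and the assumption that the certificate hash is a 40-hex-digit SHA-1 is mine, not stated in the post.

```python
import re

# Constructed sample of what `dscl . -read /Users/<user> AuthenticationAuthority`
# might return for an account; the hash and realm values are placeholders.
SAMPLE_AUTHORITIES = [
    ";ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>",
    ";Kerberosv5;;jdoe@EXAMPLE.TEST;EXAMPLE.TEST;",
    ";tokenIdentity;0123456789abcdef0123456789abcdef01234567",
]

# Tags the post describes for smart-card bindings, keyed by the macOS range
# that uses them.
SMART_CARD_TAGS = {"pubkeyhash": "10.7-10.11", "tokenIdentity": "10.12"}

# Assumption: the certificate hash is a SHA-1 digest written as 40 hex digits.
HEX_SHA1 = re.compile(r"^[0-9a-fA-F]{40}$")


def parse_authority(value):
    """Split one ';tag;data' entry into (tag, data); data keeps any further ';'."""
    if not value.startswith(";"):
        raise ValueError("AuthenticationAuthority entries start with ';': %r" % value)
    _, tag, data = value.split(";", 2)
    if not tag:
        raise ValueError("empty tag in %r" % value)
    return tag, data


def smart_card_bindings(values):
    """Return [(tag, hash)] for every smart-card entry, rejecting malformed hashes."""
    found = []
    for value in values:
        tag, data = parse_authority(value)
        if tag not in SMART_CARD_TAGS:
            continue
        if not HEX_SHA1.match(data):
            raise ValueError("%s entry does not carry a 40-hex SHA-1: %r" % (tag, data))
        found.append((tag, data.lower()))
    return found


def make_binding(tag, hex_hash):
    """Build the entry an admin would add for a given style, validating first."""
    if tag not in SMART_CARD_TAGS or not HEX_SHA1.match(hex_hash):
        raise ValueError("unsupported tag or malformed hash")
    return ";%s;%s" % (tag, hex_hash.upper())


if __name__ == "__main__":
    for tag, digest in smart_card_bindings(SAMPLE_AUTHORITIES):
        print("%s binding (%s style): %s" % (tag, SMART_CARD_TAGS[tag], digest))
```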