Hi Sumit.

Here's an example of a user that works with smartcard authentication to an Open 
Directory server.
The key is the ;pubkeyhash; in authentication authority. In 10.12 it's the 
;tokenidentity; that does it.

Thank you,
John
__________________________
dsAttrTypeNative:objectClass: inetOrgPerson posixAccount shadowAccount 
apple-user extensibleObject organizationalPerson top person
AltSecurityIdentities: Kerberos:u...@server.domain.name
AppleMetaNodeLocation: /LDAPv3/server.domain.name
AppleMetaRecordName: uid=user,cn=users,dc=server,dc=domain,dc=name
AuthenticationAuthority:
 ;ApplePasswordServer;0x5230e3e66bef0ef40000007f00000070,1024 35 
137153981046475199943945843867332692680750197424744096859870797093676645749027380403427308966078902581285961066749586341210370640493694174807003238022253128816071402321107596780023824943279942604404381371976466757866276940266744128110435619726808591040123586775364081346530916319469827937868172697966549077993
 r...@server.domain.name:192.168.0.1
 ;pubkeyhash;CFF322DE5D9F21E1FEF8957548EF94D846E6B43C
 ;pubkeyhash;A89153274F7EF7132FAAF4507078064AA522E78D
 ;tokenidentity;44AFDECA841C27354223BFVE1F3A91VEDC48C65A
Comment:
 sysadmin extraordinaire.. sort of
EMailAddress: user@server.domain
GeneratedUID: FDCEB042-BD89-11D9-BFEE-0003939529C2
LastName: 99
MCXFlags:
 <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>simultaneous_login_enabled</key>
        <true/>
</dict>
</plist>

NFSHomeDirectory: 
/Network/Servers/server.domain.name/Volumes/shares/netusers/user
Password: ********
PrimaryGroupID: 80
RealName:
 User Name
RecordName: user
RecordType: dsRecTypeStandard:Users
ServicesLocator: 
793D4083-126E-44A7-A3FF-85251F39556D:E245FF24-D266-4F7E-BCF4-709611F539A6:calendar
 (null):(null):calendar
UniqueID: 1025
UserShell: /bin/bash
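As an added check (not code from John's or Sumit's mail), the script below parses the AuthenticationAuthority values from the record above and reports whether a well-formed entry of the tag each macOS release reads (;pubkeyhash; on 10.7-10.11, ;tokenidentity; on 10.12) is present. It assumes the hash values are 40 hex characters, the SHA-1 digest length that the posted ;pubkeyhash; values have, and treats releases after 10.12 like 10.12; the long ApplePasswordServer key is abbreviated in the constructed sample.

```python
import re
from typing import List, Tuple

# Constructed sample: the AuthenticationAuthority values from the posted dscl
# record, with the long ApplePasswordServer public key abbreviated.
SAMPLE_AUTHORITIES = [
    ";ApplePasswordServer;0x5230e3e66bef0ef40000007f00000070,1024 35 1371539...77993 "
    "r...@server.domain.name:192.168.0.1",
    ";pubkeyhash;CFF322DE5D9F21E1FEF8957548EF94D846E6B43C",
    ";pubkeyhash;A89153274F7EF7132FAAF4507078064AA522E78D",
    ";tokenidentity;44AFDECA841C27354223BFVE1F3A91VEDC48C65A",
]

# Assumption: smart card hashes are 40 hex characters (SHA-1 digest length).
SHA1_HEX = re.compile(r"^[0-9A-Fa-f]{40}$")


def parse_authority(value: str) -> Tuple[str, str]:
    """Split one ';tag;data' value into (tag, data). The tag is lower-cased because
    the thread spells the 10.12 tag both ;tokenidentity; and ;tokenIdentity;."""
    if not value.startswith(";"):
        raise ValueError(f"not an AuthenticationAuthority value: {value!r}")
    _, tag, data = value.split(";", 2)
    return tag.lower(), data


def smartcard_tag_for(macos_version: str) -> str:
    """Tag the thread says each release reads: ;pubkeyhash; on 10.7-10.11,
    ;tokenidentity; on 10.12 (assumed to also hold for later releases)."""
    major, minor = (int(x) for x in macos_version.split(".")[:2])
    return "tokenidentity" if (major, minor) >= (10, 12) else "pubkeyhash"


def check_smartcard_authorities(values: List[str], macos_version: str) -> List[str]:
    """Return a list of problems; an empty list means every smart card entry is
    well-formed and at least one carries the tag this macOS version expects."""
    problems = []
    wanted = smartcard_tag_for(macos_version)
    found = 0
    for v in values:
        tag, data = parse_authority(v)
        if tag not in ("pubkeyhash", "tokenidentity"):
            continue  # ApplePasswordServer, Kerberos, etc. are not smart card entries
        if not SHA1_HEX.match(data):
            problems.append(f";{tag}; value is not 40 hex characters: {data}")
        elif tag == wanted:
            found += 1
    if found == 0:
        problems.append(f"no well-formed ;{wanted}; entry for macOS {macos_version}")
    return problems
```

Run against the posted record, the check passes for a 10.11 client but flags the ;tokenidentity; value, which contains non-hex characters as posted, so a 10.12 client finds no usable entry.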

Message: 5
Date: Wed, 30 Nov 2016 09:46:42 +0100
From: Sumit Bose <sb...@redhat.com>
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Mac OS X 10.12 Smart card authentication
        to FreeIPA server.
Message-ID:
        <20161130084642.GD21759@p.Speedport_W_724V_Typ_A_05011603_00_009>
Content-Type: text/plain; charset=us-ascii
______________________________________


On Tue, Nov 29, 2016 at 06:21:11PM +0000, Daly, John L CIV NAVAIR, 4G0000D 
wrote:
> Greetings,
> I thumbed through the archive, but didn't find an answer.  If I missed it, 
> perhaps someone will be kind enough to point me in the right direction.
> 
> I'm testing replacing our OpenDirectory server with a FreeIPA server for 
> authenticating our Mac systems.  So far, I have the server and client running 
> in a virtual machine (FreeIPA running on CentOS 7, Mac is MacOS 10.12.1), 
> and, following a number of instructions found on the web, they are talking to 
> each other and I can log in from the Mac client to the FreeIPA server with a 
> user account on the FreeIPA server.
> 
> The final step in this is that I need to use smart card authentication 
> instead of username/password.  I have managed to get the smart card's 
> certificate added to the user account on the FreeIPA server, but that's as 
> far as I've managed.
> 
> In MacOS 10.7-10.11, the method of getting smart card authorization to work 
> is to get the hash of the certificate on the smart card and then add that to 
> AuthenticationAuthority in Directory Utility as ;pubkeyhash;<Certificate hash>
> In 10.12, it will actually ask you if you want to pair the smart card with 
> the account, and if so, in the background it adds the hash as 
> ;tokenIdentity;<Certificate hash> to AuthenticationAuthority (but it only 
> does that to local accounts. To do it in Open Directory, you have to add it 
> manually still).
> 
> In my ignorance, I'm guessing that I just somehow need to map the certificate 
> that's been added to the user account in FreeIPA to AuthenticationAuthority 
> in DirectoryUtility.  Right now the only thing mapped in the bind for 
> AuthenticationAuthority is uid.

Can you send me an example of a user object from OpenDirectory which
has all the needed attributes to make Smartcard authentication work?

bye,
Sumit

> 
> Could someone tell me what map I would need to make when setting up the bind 
> to make this work? Or if I'm totally heading in the wrong direction, could 
> someone send me in the right direction?
> 
> Nathan Kinder's blog was very helpful, but he mentions telling how to 
> actually set up login on the next installment, and that was over a year ago 
> and there's no next installment.  Most of what I've been able to find covers 
> how to use sssd to get a linux machine to authenticate with the smartcard to 
> FreeIPA, but I haven't been able to translate that to getting the Mac to 
> authenticate.
> 
> Thank you,
> John
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
