Here's an example of a user that works with smartcard authentication to an Open
The key is the ;pubkeyhash; in AuthenticationAuthority. In 10.12 it's the
;tokenIdentity; that does it.
dsAttrTypeNative:objectClass: inetOrgPerson posixAccount shadowAccount
apple-user extensibleObject organizationalPerson top person
sysadmin extraordinaire.. sort of
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
Date: Wed, 30 Nov 2016 09:46:42 +0100
From: Sumit Bose <sb...@redhat.com>
Subject: Re: [Freeipa-users] Mac OS X 10.12 Smart card authentication to FreeIPA server.
Content-Type: text/plain; charset=us-ascii
On Tue, Nov 29, 2016 at 06:21:11PM +0000, Daly, John L CIV NAVAIR, 4G0000D
> I thumbed through the archive, but didn't find an answer. If I missed it,
> perhaps someone will be kind enough to point me in the right direction.
> I'm testing replacing our OpenDirectory server with a FreeIPA server for
> authenticating our Mac systems. So far, I have the server and client running
> in a virtual machine (FreeIPA running on CentOS 7, Mac is MacOS 10.12.1),
> and, following a number of instructions found on the web, they are talking to
> each other and I can log in from the Mac client to the FreeIPA server with a
> user account on the FreeIPA server.
> The final step in this is that I need to use smart card authentication
> instead of username/password. I have managed to get the smart card's
> certificate added to the user account on the FreeIPA server, but that's as
> far as I've managed.
> In MacOS 10.7-10.11, the method of getting smart card authorization to work
> is to get the hash of the certificate on the smart card and then add that to
> AuthenticationAuthority in Directory Utility as ;pubkeyhash;<Certificate hash>
> In 10.12, it will actually ask you if you want to pair the smart card with
> the account, and if so, in the background it adds the hash as
> ;tokenIdentity;<Certificate hash> to AuthenticationAuthority (but it only
> does that to local accounts. To do it in Open Directory, you have to add it
> manually still.)
> In my ignorance, I'm guessing that I just somehow need to map the certificate
> that's been added to the user account in FreeIPA to AuthenticationAuthority
> in DirectoryUtility. Right now the only thing mapped in the bind for
> AuthenticationAuthority is uid.
Can you send me an example of a user object from OpenDirectory which
has all the needed attributes to make Smartcard authentication work?
> Could someone tell me what map I would need to make when setting up the bind
> to make this work? Or if I'm totally heading in the wrong direction, could
> someone send me in the right direction?
> Nathan Kinder's blog was very helpful, but he mentions telling how to
> actually set up login on the next installment, and that was over a year ago
> and there's no next installment. Most of what I've been able to find covers
> how to use sssd to get a linux machine to authenticate with the smartcard to
> FreeIPA, but I haven't been able to translate that to getting the Mac to
> Thank you,
> Manage your subscription for the Freeipa-users mailing list:
> Go to http://freeipa.org for more info on the project
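The thread turns on one attribute: a macOS account is bound to a smart card when its AuthenticationAuthority carries a `;pubkeyhash;<hash>` value (10.7 to 10.11) or a `;tokenIdentity;<hash>` value (10.12). Whatever directory backs the Mac, an administrator wants to be able to see which records actually carry such a binding and which are still password-only. The script below is an added example, not code from the thread or from the FreeIPA or Apple projects. It parses a `dscl`-style "key: values" dump of user records (the sample records are constructed) and classifies each AuthenticationAuthority entry. It assumes the hash payload is a 40-hex-character SHA-1 string (the length `sc_auth hash` prints); the thread itself only calls it "the certificate hash", so treat that length check as an assumption.

```python
"""Audit which directory user records carry a macOS smart-card binding.

Added example, not from the mailing-list thread. Parses a dscl-style
"key: value value" record dump and reports, per user, whether an
AuthenticationAuthority entry binds the account to a smart card.

Assumption: the payload of ;pubkeyhash;<hash> / ;tokenIdentity;<hash> is a
40-character hex SHA-1 (what `sc_auth hash` prints). Other lengths are
flagged as malformed rather than silently accepted.
"""
import re
from typing import Dict, List, Tuple

# Assumed hash shape (see module docstring).
HASH_RE = re.compile(r"^[0-9a-fA-F]{40}$")

# Tags the thread names for smart-card bindings, by macOS generation.
SMARTCARD_TAGS = {"pubkeyhash": "10.7-10.11", "tokenIdentity": "10.12"}

# dscl prints "Key: v1 v2" on one line, or continuation values on lines
# that start with whitespace. Keys may themselves contain ':' (e.g.
# "dsAttrTypeNative:objectClass:"), so match greedily up to the last ':'
# that is followed by whitespace or end of line.
_LINE_RE = re.compile(r"^(\S+):\s*(.*)$")


def parse_record(dump: str) -> Dict[str, List[str]]:
    """Turn a dscl-style record dump into {attribute: [values]}."""
    attrs: Dict[str, List[str]] = {}
    key = None
    for raw in dump.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and key is not None:
            attrs[key].append(raw.strip())  # continuation value
            continue
        m = _LINE_RE.match(raw)
        if not m:
            continue  # not a "key: value" line; ignore
        key, rest = m.group(1), m.group(2)
        attrs.setdefault(key, [])
        if rest:
            attrs[key].extend(rest.split())
    return attrs


def smartcard_bindings(attrs: Dict[str, List[str]]) -> List[Tuple[str, str, bool]]:
    """Return (tag, hash, well_formed) for each smart-card AuthenticationAuthority entry.

    Entries look like ";tag;payload[;...]", so splitting on ';' gives
    ['', tag, payload, ...]. Non-smart-card tags (ShadowHash, Kerberosv5,
    ...) are skipped.
    """
    found = []
    for value in attrs.get("AuthenticationAuthority", []):
        parts = value.split(";")
        if len(parts) < 3:
            continue
        tag, payload = parts[1], parts[2]
        if tag in SMARTCARD_TAGS:
            found.append((tag, payload, bool(HASH_RE.match(payload))))
    return found


def audit(records: Dict[str, str]) -> Dict[str, str]:
    """Classify each user as smartcard, smartcard-malformed or password-only."""
    result = {}
    for user, dump in records.items():
        bindings = smartcard_bindings(parse_record(dump))
        if any(ok for _, _, ok in bindings):
            result[user] = "smartcard"
        elif bindings:
            result[user] = "smartcard-malformed"
        else:
            result[user] = "password-only"
    return result


# Constructed sample records in dscl output style (hashes are placeholders).
SAMPLE_RECORDS = {
    "jdaly": (
        "RecordName: jdaly\n"
        "dsAttrTypeNative:objectClass: inetOrgPerson posixAccount shadowAccount apple-user\n"
        "AuthenticationAuthority: ;pubkeyhash;0123456789abcdef0123456789abcdef01234567"
        " ;Kerberosv5;;jdaly@EXAMPLE.TEST;EXAMPLE.TEST;\n"
        "UniqueID: 1001\n"
    ),
    "svc-backup": (
        "RecordName: svc-backup\n"
        "AuthenticationAuthority:\n"
        " ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>\n"
        "UniqueID: 1002\n"
    ),
    "mjones": (
        "RecordName: mjones\n"
        "AuthenticationAuthority: ;tokenIdentity;deadbeef\n"  # too short to be SHA-1
        "UniqueID: 1003\n"
    ),
}

if __name__ == "__main__":
    for user, status in sorted(audit(SAMPLE_RECORDS).items()):
        print(f"{user:12s} {status}")
```

Run against a real export (for example the output of `dscl` reads saved to a file per user), the `smartcard-malformed` bucket is the one to look at first: an entry with the right tag but a payload of the wrong shape will not let the card log in, and on 10.12 it is easy to end up with a hand-typed `;tokenIdentity;` value when the pairing dialogue only writes to local accounts.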