Hi Sumit.

Here's an example of a user that works with smartcard authentication to an Open 
Directory server.
the key is the ;pubkeyhash;  in authentication authority.  in 10.12 it's the 
;tokenidenity; that does it.

Thank you,
dsAttrTypeNative:objectClass: inetOrgPerson posixAccount shadowAccount 
apple-user extensibleObject organizationalPerson top person
AltSecurityIdentities: Kerberos:u...@server.domain.name
AppleMetaNodeLocation: /LDAPv3/server.domain.name
AppleMetaRecordName: uid=user,cn=users,dc=server,dc=domain,dc=name
 ;ApplePasswordServer;0x5230e3e66bef0ef40000007f00000070,1024 35 
 sysadmin extraordinaire.. sort of
EMailAddress: user@server.domain
GeneratedUID: FDCEB042-BD89-11D9-BFEE-0003939529C2
LastName: 99
 <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" 
<plist version="1.0">

Password: ********
PrimaryGroupID: 80
 User Name
RecordName: user
RecordType: dsRecTypeStandard:Users
UniqueID: 1025
UserShell: /bin/bash

Message: 5
Date: Wed, 30 Nov 2016 09:46:42 +0100
From: Sumit Bose <sb...@redhat.com>
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Mac OS X 10.12 Smart card authentication
        to FreeIPA server.
Content-Type: text/plain; charset=us-ascii

On Tue, Nov 29, 2016 at 06:21:11PM +0000, Daly, John L CIV NAVAIR, 4G0000D 
> Greetings,
> I thumbed through the archive, but didn't find an answer.  If I missed it, 
> perhaps someone will be kind enough to point me in the right direction.
> I'm testing replacing our OpenDirectory server with a FreeIPA server for 
> authenticating our Mac systems.  So far, I have the server and client running 
> in a virtual machine (FreeIPA running on CentOS 7, Mac is MacOS 10.12.1), 
> and, following a number of instructions found on the web, they are talking to 
> each other and I can log in from the Mac client to the FreeIPA server with a 
> user account on the FreeIPA server.
> The final step in this is that I need to use smart card authentication 
> instead of username/password.  I have managed to get the smart card's 
> certificate added to the user account on the FreeIPA server, but that's as 
> far as I've managed.
> In MacOS 10.7-10.11, the method of getting smart card authorization to work 
> is to get the hash of the certificate on the smart card and then add that to 
> AuthenticationAuthority in Directory Utility as ;pubkeyhash;<Certificate hash>
> In 10.12, it will actually ask you if you want to pair the smart card with 
> the account, and if so, in the background it adds the hash as 
> ;tokenIdentity;<Certificate hash> to AuthenticationAuthority (but it only 
> does that to local accounts.  to do it in Open Directory, you have to add it 
> manually still)
> In my ignorance, I'm guessing that I just somehow need to map the certificate 
> that's been added to the user account in FreeIPA to AuthenticationAuthority 
> in DirectoryUtility.  Right now the only thing mapped in the bind for 
> AuthenticationAuthority is uid.

Can you send me an example of an user object from OpenDirectory which
has all the needed attributes to make Smartcard authentication work?


> Could someone tell me what map I would need to make when setting up the bind 
> to make this work? Or if I'm totally heading in the wrong direction, could 
> someone send me in the right direction?
> Nathan Kinder's blog was very helpful, but he mentions telling how to 
> actually set up login on the next installment, and that was over a year ago 
> and there's no next installment.  Most of what I've been able to find covers 
> how to use sssd to get a linux machine to authenticate with the smartcard to 
> FreeIPA, but I haven't been able to translate that to getting the Mac to 
> authenticate.
> Thank you,
> John
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to