On Wed, Nov 30, 2016 at 06:46:38PM +0000, Daly, John L CIV NAVAIR, 4G0000D
> Hi Sumit.
> Here's an example of a user that works with smartcard authentication to an
> Open Directory server.
> the key is the ;pubkeyhash; in authentication authority. in 10.12 it's the
> ;tokenidenity; that does it.
Thank you for the details but I think I was looking in the wrong
direction. You want to allow clients to authenticate with a certificate
against the FreeIPA LDAP server.
There was a thread "user certificate ldap EXTERNAL authentication" on
this list earlier this year
which resulted in a howto page
The page also contains links to the official 389ds/Directory Server
documentation which should explain even more details.
I hope this will help you to get started with MacOS clients and
Smartcard authentication against FreeIPA.
> Thank you,
> dsAttrTypeNative:objectClass: inetOrgPerson posixAccount shadowAccount
> apple-user extensibleObject organizationalPerson top person
> AltSecurityIdentities: Kerberos:u...@server.domain.name
> AppleMetaNodeLocation: /LDAPv3/server.domain.name
> AppleMetaRecordName: uid=user,cn=users,dc=server,dc=domain,dc=name
> ;ApplePasswordServer;0x5230e3e66bef0ef40000007f00000070,1024 35
> sysadmin extraordinaire.. sort of
> EMailAddress: email@example.com
> GeneratedUID: FDCEB042-BD89-11D9-BFEE-0003939529C2
> LastName: 99
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
> <plist version="1.0">
> Password: ********
> PrimaryGroupID: 80
> User Name
> RecordName: user
> RecordType: dsRecTypeStandard:Users
> UniqueID: 1025
> UserShell: /bin/bash
> Message: 5
> Date: Wed, 30 Nov 2016 09:46:42 +0100
> From: Sumit Bose <sb...@redhat.com>
> To: firstname.lastname@example.org
> Subject: Re: [Freeipa-users] Mac OS X 10.12 Smart card authentication
> to FreeIPA server.
> Content-Type: text/plain; charset=us-ascii
> On Tue, Nov 29, 2016 at 06:21:11PM +0000, Daly, John L CIV NAVAIR, 4G0000D
> > Greetings,
> > I thumbed through the archive, but didn't find an answer. If I missed it,
> > perhaps someone will be kind enough to point me in the right direction.
> > I'm testing replacing our OpenDirectory server with a FreeIPA server for
> > authenticating our Mac systems. So far, I have the server and client
> > running in a virtual machine (FreeIPA running on CentOS 7, Mac is MacOS
> > 10.12.1), and, following a number of instructions found on the web, they
> > are talking to each other and I can log in from the Mac client to the
> > FreeIPA server with a user account on the FreeIPA server.
> > The final step in this is that I need to use smart card authentication
> > instead of username/password. I have managed to get the smart card's
> > certificate added to the user account on the FreeIPA server, but that's as
> > far as I've managed.
> > In MacOS 10.7-10.11, the method of getting smart card authorization to work
> > is to get the hash of the certificate on the smart card and then add that
> > to AuthenticationAuthority in Directory Utility as ;pubkeyhash;<Certificate
> > hash>
> > In 10.12, it will actually ask you if you want to pair the smart card with
> > the account, and if so, in the background it adds the hash as
> > ;tokenIdentity;<Certificate hash> to AuthenticationAuthority (but it only
> > does that to local accounts. to do it in Open Directory, you have to add
> > it manually still)
> > In my ignorance, I'm guessing that I just somehow need to map the
> > certificate that's been added to the user account in FreeIPA to
> > AuthenticationAuthority in DirectoryUtility. Right now the only thing
> > mapped in the bind for AuthenticationAuthority is uid.
> Can you send me an example of an user object from OpenDirectory which
> has all the needed attributes to make Smartcard authentication work?
> > Could someone tell me what map I would need to make when setting up the
> > bind to make this work? Or if I'm totally heading in the wrong direction,
> > could someone send me in the right direction?
> > Nathan Kinder's blog was very helpful, but he mentions telling how to
> > actually set up login on the next installment, and that was over a year ago
> > and there's no next installment. Most of what I've been able to find
> > covers how to use sssd to get a linux machine to authenticate with the
> > smartcard to FreeIPA, but I haven't been able to translate that to getting
> > the Mac to authenticate.
> > Thank you,
> > John
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
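The thread above describes the macOS side of the mapping: a hash of the smart card certificate placed in the AuthenticationAuthority attribute as `;pubkeyhash;<hash>` (10.7 to 10.11) or `;tokenIdentity;<hash>` (10.12). As an added example, not code from the thread or from the FreeIPA or 389ds projects, the script below takes a DER certificate as it would sit in a FreeIPA `userCertificate` attribute (base64 in LDIF), extracts the SubjectPublicKeyInfo with a minimal DER walker, and emits the AuthenticationAuthority value; it then checks whether a directory record already carries a matching entry. It assumes that the hash is the SHA-1 of the DER-encoded SubjectPublicKeyInfo, as `sc_auth hash` on macOS produces it, and that comparison is case-insensitive; both are assumptions, not stated in the thread. The certificate and the record values used at the bottom are constructed toys so the script runs offline.

```python
import base64
import hashlib


def _tlv(tag, content):
    """Encode one DER TLV (used only to build the constructed toy certificate)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def _read_tlv(buf, pos):
    """Parse the DER TLV at buf[pos]; return (tag, content_start, content_end)."""
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:                     # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, content_start, content_end, element_start) for each TLV in a constructed element."""
    pos = start
    while pos < end:
        tag, cs, ce = _read_tlv(buf, pos)
        yield tag, cs, ce, pos
        pos = ce


def spki_from_cert(der):
    """Return the raw SubjectPublicKeyInfo TLV from a DER X.509 certificate."""
    tag, cs, ce = _read_tlv(der, 0)                       # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs_cs, tbs_ce, _ = next(_children(der, cs, ce))   # tbsCertificate
    fields = list(_children(der, tbs_cs, tbs_ce))
    if fields and fields[0][0] == 0xA0:                   # optional [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, _, spki_end, spki_start = fields[5]
    return der[spki_start:spki_end]


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest().upper()


def pubkeyhash(der):
    """ASSUMPTION: pubkeyhash = SHA-1 over the DER SubjectPublicKeyInfo, upper-case hex."""
    return sha1_hex(spki_from_cert(der))


def pubkeyhash_from_base64(b64):
    """Accept the base64 form found in an LDIF userCertificate;binary:: line."""
    return pubkeyhash(base64.b64decode(b64))


def authentication_authority_value(der):
    """The value to add to AuthenticationAuthority for the 10.7-10.11 scheme from the thread."""
    return ";pubkeyhash;" + pubkeyhash(der)


def record_has_pubkeyhash(auth_authority_values, der):
    """True if any ;pubkeyhash; or ;tokenidentity; entry matches this certificate's hash."""
    wanted = pubkeyhash(der)
    for value in auth_authority_values:
        parts = value.split(";")          # ";pubkeyhash;ABCD" -> ["", "pubkeyhash", "ABCD"]
        if (len(parts) >= 3
                and parts[1].lower() in ("pubkeyhash", "tokenidentity")
                and parts[2].strip().upper() == wanted):
            return True
    return False


# Constructed toy certificate: structurally valid DER, but a nonsense key and no real signature.
_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"
_SHA256_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"
_SIG_ALG = _tlv(0x30, _tlv(0x06, _SHA256_RSA_OID) + _tlv(0x05, b""))
TOY_SPKI = _tlv(0x30, _tlv(0x30, _tlv(0x06, _RSA_OID) + _tlv(0x05, b""))
                + _tlv(0x03, b"\x00" + b"\x30\x06\x02\x01\x03\x02\x01\x03"))
_TBS = _tlv(0x30,
            _tlv(0xA0, _tlv(0x02, b"\x02"))                     # version v3
            + _tlv(0x02, b"\x01")                                # serialNumber
            + _SIG_ALG
            + _tlv(0x30, b"")                                    # issuer (empty Name, toy)
            + _tlv(0x30, _tlv(0x17, b"161130000000Z") + _tlv(0x17, b"171130000000Z"))
            + _tlv(0x30, b"")                                    # subject (empty Name, toy)
            + TOY_SPKI)
TOY_CERT = _tlv(0x30, _TBS + _SIG_ALG + _tlv(0x03, b"\x00\x00"))
TOY_CERT_B64 = base64.b64encode(TOY_CERT).decode()

# Constructed AuthenticationAuthority values for a record that has no smart card entry yet.
CONSTRUCTED_RECORD = [";Kerberosv5;;user@EXAMPLE.TEST;EXAMPLE.TEST;"]

if __name__ == "__main__":
    print("value to add:", authentication_authority_value(TOY_CERT))
    print("record already mapped:", record_has_pubkeyhash(CONSTRUCTED_RECORD, TOY_CERT))
```

For a real record, feed the base64 from `ldapsearch ... userCertificate` into `pubkeyhash_from_base64` and compare the result with what `sc_auth hash` prints on the Mac for the same card before trusting the mapping.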