On Wed, Nov 30, 2016 at 06:46:38PM +0000, Daly, John L CIV NAVAIR, 4G0000D wrote:
> Hi Sumit.
>
> Here's an example of a user that works with smartcard authentication to an
> Open Directory server.
> The key is the ;pubkeyhash; in authentication authority. In 10.12 it's the
> ;tokenidentity; that does it.

Thank you for the details but I think I was looking in the wrong direction.
You want to allow clients to authenticate with a certificate against the
FreeIPA LDAP server. There was a thread "user certificate ldap EXTERNAL
authentication" on this list earlier this year
https://www.redhat.com/archives/freeipa-users/2016-March/msg00024.html
which resulted in a howto page
http://www.freeipa.org/page/Howto/Client_Certificate_Authentication_with_LDAP.
The page also contains links to the official 389ds/Directory Server
documentation which should explain even more details.

I hope this will help you to get started with MacOS clients and Smartcard
authentication against FreeIPA.

bye,
Sumit

>
> Thank you,
> John
> __________________________
> dsAttrTypeNative:objectClass: inetOrgPerson posixAccount shadowAccount
> apple-user extensibleObject organizationalPerson top person
> AltSecurityIdentities: Kerberos:u...@server.domain.name
> AppleMetaNodeLocation: /LDAPv3/server.domain.name
> AppleMetaRecordName: uid=user,cn=users,dc=server,dc=domain,dc=name
> AuthenticationAuthority:
> ;ApplePasswordServer;0x5230e3e66bef0ef40000007f00000070,1024 35
> 137153981046475199943945843867332692680750197424744096859870797093676645749027380403427308966078902581285961066749586341210370640493694174807003238022253128816071402321107596780023824943279942604404381371976466757866276940266744128110435619726808591040123586775364081346530916319469827937868172697966549077993
> r...@server.domain.name:192.168.0.1
> ;pubkeyhash;CFF322DE5D9F21E1FEF8957548EF94D846E6B43C
> ;pubkeyhash;A89153274F7EF7132FAAF4507078064AA522E78D
> ;tokenidentity;44AFDECA841C27354223BFVE1F3A91VEDC48C65A
> Comment:
> sysadmin extraordinaire.. sort of
> EMailAddress: user@server.domain
> GeneratedUID: FDCEB042-BD89-11D9-BFEE-0003939529C2
> LastName: 99
> MCXFlags:
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
> "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
> <plist version="1.0">
> <dict>
> <key>simultaneous_login_enabled</key>
> <true/>
> </dict>
> </plist>
>
> NFSHomeDirectory:
> /Network/Servers/server.domain.name/Volumes/shares/netusers/user
> Password: ********
> PrimaryGroupID: 80
> RealName:
> User Name
> RecordName: user
> RecordType: dsRecTypeStandard:Users
> ServicesLocator:
> 793D4083-126E-44A7-A3FF-85251F39556D:E245FF24-D266-4F7E-BCF4-709611F539A6:calendar
> (null):(null):calendar
> UniqueID: 1025
> UserShell: /bin/bash
>
> Message: 5
> Date: Wed, 30 Nov 2016 09:46:42 +0100
> From: Sumit Bose <sb...@redhat.com>
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Mac OS X 10.12 Smart card authentication
> to FreeIPA server.
> Message-ID:
> <20161130084642.GD21759@p.Speedport_W_724V_Typ_A_05011603_00_009>
> Content-Type: text/plain; charset=us-ascii
> ______________________________________
>
>
> On Tue, Nov 29, 2016 at 06:21:11PM +0000, Daly, John L CIV NAVAIR, 4G0000D
> wrote:
> > Greetings,
> > I thumbed through the archive, but didn't find an answer. If I missed it,
> > perhaps someone will be kind enough to point me in the right direction.
> >
> > I'm testing replacing our OpenDirectory server with a FreeIPA server for
> > authenticating our Mac systems. So far, I have the server and client
> > running in a virtual machine (FreeIPA running on CentOS 7, Mac is MacOS
> > 10.12.1), and, following a number of instructions found on the web, they
> > are talking to each other and I can log in from the Mac client to the
> > FreeIPA server with a user account on the FreeIPA server.
> >
> > The final step in this is that I need to use smart card authentication
> > instead of username/password. I have managed to get the smart card's
> > certificate added to the user account on the FreeIPA server, but that's as
> > far as I've managed.
> >
> > In MacOS 10.7-10.11, the method of getting smart card authorization to work
> > is to get the hash of the certificate on the smart card and then add that
> > to AuthenticationAuthority in Directory Utility as ;pubkeyhash;<Certificate
> > hash>
> > In 10.12, it will actually ask you if you want to pair the smart card with
> > the account, and if so, in the background it adds the hash as
> > ;tokenIdentity;<Certificate hash> to AuthenticationAuthority (but it only
> > does that to local accounts. To do it in Open Directory, you have to add
> > it manually still.)
> >
> > In my ignorance, I'm guessing that I just somehow need to map the
> > certificate that's been added to the user account in FreeIPA to
> > AuthenticationAuthority in DirectoryUtility. Right now the only thing
> > mapped in the bind for AuthenticationAuthority is uid.
>
> Can you send me an example of a user object from OpenDirectory which
> has all the needed attributes to make Smartcard authentication work?
>
> bye,
> Sumit
>
> >
> > Could someone tell me what map I would need to make when setting up the
> > bind to make this work? Or if I'm totally heading in the wrong direction,
> > could someone send me in the right direction?
> >
> > Nathan Kinder's blog was very helpful, but he mentions telling how to
> > actually set up login on the next installment, and that was over a year ago
> > and there's no next installment. Most of what I've been able to find
> > covers how to use sssd to get a Linux machine to authenticate with the
> > smartcard to FreeIPA, but I haven't been able to translate that to getting
> > the Mac to authenticate.
> >
> > Thank you,
> > John
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
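Added example, not code from this thread nor from FreeIPA, 389ds or Apple: a small Python helper for the AuthenticationAuthority values of the kind shown in John's Open Directory record. It splits each value into its fields, accepts only well-formed ;pubkeyhash; and ;tokenidentity; entries, answers whether a given card hash is paired with the account, and builds a new value from a hash. Assumptions, also marked in the code: the value layout is version;tag;data with the version normally empty (so values start with ';'); the 40-hex-digit hashes are SHA-1 digests, inferred from their length only; and since the thread does not say which key encoding macOS hashes, the hash is an input here and is never computed from a certificate. The sample record is constructed.

```python
"""Parse and validate macOS AuthenticationAuthority values for smart card login.

Added example for the thread above; not Apple, FreeIPA or 389ds code.
Assumptions: each value is ``version;tag;data`` with ``version`` normally
empty (values start with ';'); the 40-hex-digit hashes carried by
``;pubkeyhash;`` / ``;tokenidentity;`` are SHA-1 digests (inferred from
length). The thread does not state which key encoding macOS hashes, so the
hash is always an input here and is never derived from a certificate.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

# Tags that pair a smart card with the account: pubkeyhash (10.7-10.11) and
# tokenidentity (10.12), matched case-insensitively.
SMARTCARD_TAGS = ("pubkeyhash", "tokenidentity")
SHA1_HEX = re.compile(r"^[0-9A-F]{40}$")


class Authority(NamedTuple):
    version: str
    tag: str
    data: str


def parse_authority(value: str) -> Authority:
    """Split one AuthenticationAuthority value into (version, tag, data).

    Only the first two ';' delimit fields; the data part keeps any further
    ';' (e.g. ';Kerberosv5;;user@REALM;REALM;' has data ';user@REALM;REALM;').
    """
    parts = value.split(";", 2)
    if len(parts) != 3:
        raise ValueError(f"not a version;tag;data value: {value!r}")
    return Authority(*parts)


def normalize_hash(hexdigest: str) -> str:
    """Upper-case and drop ':' and whitespace so 'cf:f3:..' equals 'CFF3..'."""
    return re.sub(r"[\s:]", "", hexdigest).upper()


def smartcard_hashes(values: List[str]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return ({tag: [hash, ...]}, [rejected values]) for the smart card tags.

    A hash is accepted only if it is exactly 40 hex digits. A truncated or
    non-hex value is reported instead of silently ignored: such an entry looks
    like a working pairing in the directory but never matches at login.
    """
    accepted: Dict[str, List[str]] = {tag: [] for tag in SMARTCARD_TAGS}
    rejected: List[str] = []
    for value in values:
        try:
            auth = parse_authority(value)
        except ValueError:
            rejected.append(value)
            continue
        tag = auth.tag.lower()  # ';tokenIdentity;' and ';tokenidentity;' are one tag
        if tag not in SMARTCARD_TAGS:
            continue  # password server, Kerberos etc. are not card pairings
        digest = normalize_hash(auth.data)
        if SHA1_HEX.match(digest):
            accepted[tag].append(digest)
        else:
            rejected.append(value)
    return accepted, rejected


def is_card_authorized(values: List[str], card_hash: str) -> bool:
    """True if the card's hash is paired with the account under either tag."""
    accepted, _ = smartcard_hashes(values)
    wanted = normalize_hash(card_hash)
    return any(wanted in hashes for hashes in accepted.values())


def make_authority(tag: str, card_hash: str) -> str:
    """Build the ';pubkeyhash;HASH' or ';tokenidentity;HASH' value for a record."""
    tag = tag.lower()
    if tag not in SMARTCARD_TAGS:
        raise ValueError(f"unsupported tag {tag!r}")
    digest = normalize_hash(card_hash)
    if not SHA1_HEX.match(digest):
        raise ValueError(f"hash must be 40 hex digits, got {card_hash!r}")
    return f";{tag};{digest}"


# Constructed sample, modelled on the quoted record; hashes and server data
# are made up (hypothetical realm, host and address).
SAMPLE_AUTHORITY = [
    ";ApplePasswordServer;0x0000000000000000000000000000000a,1024 35 12345 admin@ds.example.test:192.0.2.10",
    ";Kerberosv5;;user@EXAMPLE.TEST;EXAMPLE.TEST;",
    ";pubkeyhash;0123456789ABCDEF0123456789ABCDEF01234567",
    ";pubkeyhash;89ABCDEF0123456789ABCDEF0123456789ABCDEF",
    ";tokenIdentity;FEDCBA9876543210FEDCBA9876543210FEDCBA98",
    ";pubkeyhash;0123456789ABCDEF0123456789ABCDEF0123456G",  # 'G' is not hex: rejected
    ";tokenidentity;FEDCBA98765432",                         # truncated: rejected
]

if __name__ == "__main__":
    accepted, rejected = smartcard_hashes(SAMPLE_AUTHORITY)
    print("paired hashes:", accepted)
    print("rejected values:", rejected)
    print(make_authority("pubkeyhash", "01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67"))
```

Run stand-alone it lists which entries of the constructed record would be honoured and which would not; the rejected list is the part worth keeping strict, because an entry with a stray character is indistinguishable from a good one in Directory Utility and only shows up as a failed login.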