On Tue, Nov 29, 2016 at 06:21:11PM +0000, Daly, John L CIV NAVAIR, 4G0000D wrote:
> Greetings,
> I thumbed through the archive, but didn't find an answer. If I missed it,
> perhaps someone will be kind enough to point me in the right direction.
>
> I'm testing replacing our OpenDirectory server with a FreeIPA server for
> authenticating our Mac systems. So far, I have the server and client running
> in a virtual machine (FreeIPA running on CentOS 7, Mac is MacOS 10.12.1),
> and, following a number of instructions found on the web, they are talking to
> each other and I can log in from the Mac client to the FreeIPA server with a
> user account on the FreeIPA server.
>
> The final step in this is that I need to use smart card authentication
> instead of username/password. I have managed to get the smart card's
> certificate added to the user account on the FreeIPA server, but that's as
> far as I've managed.
>
> In MacOS 10.7-10.11, the method of getting smart card authorization to work
> is to get the hash of the certificate on the smart card and then add that to
> AuthenticationAuthority in Directory Utility as ;pubkeyhash;<Certificate hash>
> In 10.12, it will actually ask you if you want to pair the smart card with
> the account, and if so, in the background it adds the hash as
> ;tokenIdentity;<Certificate hash> to AuthenticationAuthority (but it only
> does that to local accounts; to do it in Open Directory, you have to add it
> manually still).
>
> In my ignorance, I'm guessing that I just somehow need to map the certificate
> that's been added to the user account in FreeIPA to AuthenticationAuthority
> in DirectoryUtility. Right now the only thing mapped in the bind for
> AuthenticationAuthority is uid.

Can you send me an example of a user object from OpenDirectory which has all the needed attributes to make Smartcard authentication work?

bye,
Sumit

>
> Could someone tell me what map I would need to make when setting up the bind
> to make this work? Or if I'm totally heading in the wrong direction, could
> someone send me in the right direction?
>
> Nathan Kinder's blog was very helpful, but he mentions telling how to
> actually set up login on the next installment, and that was over a year ago
> and there's no next installment. Most of what I've been able to find covers
> how to use sssd to get a linux machine to authenticate with the smartcard to
> FreeIPA, but I haven't been able to translate that to getting the Mac to
> authenticate.
>
> Thank you,
> John
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
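An added example (not from either poster, and not FreeIPA or Apple code) of the server-side half of the mapping John describes: given a user's DER certificate as FreeIPA stores it in the usercertificate attribute, extract the SubjectPublicKeyInfo and build the `;pubkeyhash;<hash>` AuthenticationAuthority value. It assumes pubkeyhash is the lowercase hex SHA-1 of the DER-encoded SubjectPublicKeyInfo; the thread does not state that, so check the result against what `sc_auth hash` prints for a real card before relying on it. The sample certificate at the bottom is constructed here to exercise the parser and is not a real, signed certificate.

```python
import hashlib

def der(tag, content):
    """Encode one DER TLV; used below only to build the constructed sample."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def read_tlv(buf, pos=0):
    """Decode the DER TLV at pos: (tag, raw_element, value, next_pos)."""
    tag, length, start = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    end = start + length
    return tag, buf[pos:end], buf[start:end], end

def children(seq_value):
    """Split a SEQUENCE body into its (tag, raw_element, value) elements."""
    out, pos = [], 0
    while pos < len(seq_value):
        tag, raw, val, pos = read_tlv(seq_value, pos)
        out.append((tag, raw, val))
    return out

def subject_public_key_info(cert_der):
    """Return the raw DER SubjectPublicKeyInfo element of an X.509 cert."""
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    _, _, cert_body, _ = read_tlv(cert_der)
    _, _, tbs, _ = read_tlv(cert_body)
    fields = children(tbs)
    # TBSCertificate: [0] version (optional), serialNumber, signature, issuer,
    # validity, subject, subjectPublicKeyInfo, ...  Skip the explicit [0] tag.
    if fields and fields[0][0] == 0xA0:
        fields = fields[1:]
    return fields[5][1]

def pubkeyhash_authority(cert_der):
    """Assumed pubkeyhash form: ;pubkeyhash;<hex SHA-1 of the DER SPKI>."""
    return ";pubkeyhash;" + hashlib.sha1(subject_public_key_info(cert_der)).hexdigest()

# Constructed sample: skeletal v3 certificate, empty name/validity fields,
# dummy RSA SPKI (rsaEncryption OID + filler BIT STRING); not a real cert.
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")
                            + der(0x05, b"")) + der(0x03, b"\x00" + b"\xab" * 130))
SAMPLE_CERT = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
                            + der(0x30, b"") * 4 + SAMPLE_SPKI)
                  + der(0x30, b"") + der(0x03, b"\x00"))
```

On a FreeIPA host the DER input would come from the user's usercertificate attribute; on the Mac side the resulting string is what goes into AuthenticationAuthority for that user.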