[Freeipa-users] Mac OS X 10.12 Smart card authentication to FreeIPA server.

Sumit Bose sbose at redhat.com
Thu Dec 1 10:35:28 UTC 2016


On Wed, Nov 30, 2016 at 06:46:38PM +0000, Daly, John L CIV NAVAIR, 4G0000D wrote:
> Hi Sumit.
> 
> Here's an example of a user that works with smartcard authentication to an Open Directory server.
> The key is the ;pubkeyhash; in authentication authority. In 10.12 it's the ;tokenidentity; that does it.

Thank you for the details, but I think I was looking in the wrong
direction. You want to allow clients to authenticate with a certificate
against the FreeIPA LDAP server.

There was a thread "user certificate ldap EXTERNAL authentication" on
this list earlier this year
https://www.redhat.com/archives/freeipa-users/2016-March/msg00024.html
which resulted in a howto page
http://www.freeipa.org/page/Howto/Client_Certificate_Authentication_with_LDAP.
The page also contains links to the official 389ds/Directory Server
documentation which should explain even more details.

I hope this will help you to get started with MacOS clients and
Smartcard authentication against FreeIPA.

bye,
Sumit

> 
> Thank you,
> John
> __________________________
> dsAttrTypeNative:objectClass: inetOrgPerson posixAccount shadowAccount apple-user extensibleObject organizationalPerson top person
> AltSecurityIdentities: Kerberos:user at SERVER.DOMAIN.NAME
> AppleMetaNodeLocation: /LDAPv3/server.domain.name
> AppleMetaRecordName: uid=user,cn=users,dc=server,dc=domain,dc=name
> AuthenticationAuthority:
>  ;ApplePasswordServer;0x5230e3e66bef0ef40000007f00000070,1024 35 137153981046475199943945843867332692680750197424744096859870797093676645749027380403427308966078902581285961066749586341210370640493694174807003238022253128816071402321107596780023824943279942604404381371976466757866276940266744128110435619726808591040123586775364081346530916319469827937868172697966549077993 root at server.domain.name:192.168.0.1
>  ;pubkeyhash;CFF322DE5D9F21E1FEF8957548EF94D846E6B43C
>  ;pubkeyhash;A89153274F7EF7132FAAF4507078064AA522E78D
>  ;tokenidentity;44AFDECA841C27354223BFVE1F3A91VEDC48C65A
> Comment:
>  sysadmin extraordinaire.. sort of
> EMailAddress: user at server.domain
> GeneratedUID: FDCEB042-BD89-11D9-BFEE-0003939529C2
> LastName: 99
> MCXFlags:
>  <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
> <plist version="1.0">
> <dict>
> 	<key>simultaneous_login_enabled</key>
> 	<true/>
> </dict>
> </plist>
> 
> NFSHomeDirectory: /Network/Servers/server.domain.name/Volumes/shares/netusers/user
> Password: ********
> PrimaryGroupID: 80
> RealName:
>  User Name
> RecordName: user
> RecordType: dsRecTypeStandard:Users
> ServicesLocator: 793D4083-126E-44A7-A3FF-85251F39556D:E245FF24-D266-4F7E-BCF4-709611F539A6:calendar (null):(null):calendar
> UniqueID: 1025
> UserShell: /bin/bash
> 
> Message: 5
> Date: Wed, 30 Nov 2016 09:46:42 +0100
> From: Sumit Bose <sbose at redhat.com>
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Mac OS X 10.12 Smart card authentication
>         to FreeIPA server.
> Message-ID:
>         <20161130084642.GD21759 at p.Speedport_W_724V_Typ_A_05011603_00_009>
> Content-Type: text/plain; charset=us-ascii
> ______________________________________
> 
> 
> On Tue, Nov 29, 2016 at 06:21:11PM +0000, Daly, John L CIV NAVAIR, 4G0000D wrote:
> > Greetings,
> > I thumbed through the archive, but didn't find an answer.  If I missed it, perhaps someone will be kind enough to point me in the right direction.
> > 
> > I'm testing replacing our OpenDirectory server with a FreeIPA server for authenticating our Mac systems.  So far, I have the server and client running in a virtual machine (FreeIPA running on CentOS 7, Mac is MacOS 10.12.1), and, following a number of instructions found on the web, they are talking to each other and I can log in from the Mac client to the FreeIPA server with a user account on the FreeIPA server.
> > 
> > The final step in this is that I need to use smart card authentication instead of username/password.  I have managed to get the smart card's certificate added to the user account on the FreeIPA server, but that's as far as I've managed.
> > 
> > In MacOS 10.7-10.11, the method of getting smart card authorization to work is to get the hash of the certificate on the smart card and then add that to AuthenticationAuthority in Directory Utility as ;pubkeyhash;<Certificate hash>
> > In 10.12, it will actually ask you if you want to pair the smart card with the account, and if so, in the background it adds the hash as ;tokenIdentity;<Certificate hash> to AuthenticationAuthority (but it only does that to local accounts. To do it in Open Directory, you have to add it manually still).
> > 
> > In my ignorance, I'm guessing that I just somehow need to map the certificate that's been added to the user account in FreeIPA to AuthenticationAuthority in DirectoryUtility.  Right now the only thing mapped in the bind for AuthenticationAuthority is uid.
> 
> Can you send me an example of a user object from OpenDirectory which
> has all the needed attributes to make Smartcard authentication work?
> 
> bye,
> Sumit
> 
> > 
> > Could someone tell me what map I would need to make when setting up the bind to make this work? Or if I'm totally heading in the wrong direction, could someone send me in the right direction?
> > 
> > Nathan Kinder's blog was very helpful, but he mentions telling how to actually set up login on the next installment, and that was over a year ago and there's no next installment.  Most of what I've been able to find covers how to use sssd to get a linux machine to authenticate with the smartcard to FreeIPA, but I haven't been able to translate that to getting the Mac to authenticate.
> > 
> > Thank you,
> > John
> > 
> > -- 
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
> 
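The record dump John posted shows the attribute that actually drives smart card logon on the Mac side: each AuthenticationAuthority value is a ";tag;data" string, and the pubkeyhash / tokenidentity entries carry the 40-hex-digit certificate hash of a paired card. Whoever maps that attribute from FreeIPA will want to audit what ends up in it, since every well-formed card entry is another credential the account accepts. The script below is an added example written for this page, not code from the thread or from FreeIPA/Apple: it parses a dscl-style dump (it assumes multi-valued attributes continue on whitespace-indented lines, as in the dump above), splits the authority values, lists the card hashes the record trusts, and flags any card entry that is not valid hex. The sample record is constructed from the quoted dump; the third hash is copied as quoted and is not valid hex, so the audit flags it.

```python
"""Audit the AuthenticationAuthority values of a macOS directory user record.

Added example (not code from the thread): parses a dscl-style record dump,
splits each AuthenticationAuthority value into its ';tag;data' form, and
flags pubkeyhash/tokenidentity entries that are not 40-hex-digit hashes.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample modelled on the record quoted in the thread. The modulus
# of the ApplePasswordServer entry is replaced by a placeholder; the three
# card hashes are copied from the dump (the tokenidentity one is not hex).
SAMPLE_RECORD = """\
dsAttrTypeNative:objectClass: inetOrgPerson posixAccount apple-user
RecordName: user
AuthenticationAuthority:
 ;ApplePasswordServer;0x5230e3e66bef0ef40000007f00000070,1024 35 <modulus-omitted> root@server.domain.name:192.168.0.1
 ;pubkeyhash;CFF322DE5D9F21E1FEF8957548EF94D846E6B43C
 ;pubkeyhash;A89153274F7EF7132FAAF4507078064AA522E78D
 ;tokenidentity;44AFDECA841C27354223BFVE1F3A91VEDC48C65A
Comment:
 sysadmin extraordinaire.. sort of
UniqueID: 1025
"""

ATTR_LINE_RE = re.compile(r"^([^\s].*?):(?: (.*))?$")  # "Name: value" or "Name:"
AUTHORITY_RE = re.compile(r"^;([^;]+);(.*)$")           # ";tag;data"
HEX40_RE = re.compile(r"^[0-9A-Fa-f]{40}$")             # SHA-1 sized hex digest
CARD_TAGS = {"pubkeyhash", "tokenidentity"}             # compared case-insensitively


def parse_record(text: str) -> Dict[str, List[str]]:
    """Parse a dscl-style dump into {attribute: [values]}.

    "Name: value" is a single-valued attribute; "Name:" followed by
    whitespace-indented lines is multi-valued, one value per line.
    """
    record: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any attribute name")
            record[current].append(line.strip())
            continue
        m = ATTR_LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        current = m.group(1)
        values = record.setdefault(current, [])
        if m.group(2):
            values.append(m.group(2).strip())
    return record


@dataclass(frozen=True)
class AuthorityEntry:
    tag: str
    data: str


def parse_authority(values: List[str]) -> List[AuthorityEntry]:
    """Split each ';tag;data' value; anything not in that shape is rejected."""
    entries = []
    for value in values:
        m = AUTHORITY_RE.match(value)
        if not m:
            raise ValueError(f"malformed AuthenticationAuthority value: {value!r}")
        entries.append(AuthorityEntry(tag=m.group(1), data=m.group(2)))
    return entries


def audit_card_entries(entries: List[AuthorityEntry]) -> List[Tuple[str, str, str]]:
    """Return (tag, data, problem) for card entries whose data is not a
    40-hex-digit hash. Tags are compared case-insensitively because the
    thread shows both 'tokenidentity' and 'tokenIdentity'."""
    findings = []
    for e in entries:
        if e.tag.lower() not in CARD_TAGS:
            continue
        if not HEX40_RE.match(e.data):
            findings.append((e.tag, e.data, "not a 40-hex-digit hash"))
    return findings


def paired_card_hashes(entries: List[AuthorityEntry]) -> List[str]:
    """Upper-cased hashes of well-formed card entries: one per trusted card."""
    return sorted({e.data.upper() for e in entries
                   if e.tag.lower() in CARD_TAGS and HEX40_RE.match(e.data)})


def audit_record(text: str) -> Tuple[List[str], List[Tuple[str, str, str]]]:
    """Parse a dump and return (trusted card hashes, malformed card entries)."""
    record = parse_record(text)
    entries = parse_authority(record.get("AuthenticationAuthority", []))
    return paired_card_hashes(entries), audit_card_entries(entries)


if __name__ == "__main__":
    hashes, findings = audit_record(SAMPLE_RECORD)
    print("trusted card hashes:", hashes)
    for tag, data, problem in findings:
        print(f"flagged ;{tag};{data}: {problem}")
```

Run against a real `dscl . -read /Users/<name>` dump, the output tells you how many card hashes an account accepts (two pubkeyhash values mean two cards can log on) and which entries are garbage that the Mac will never match.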
