[Freeipa-users] Mac OS X 10.12 Smart card authentication to FreeIPA server.

Daly, John L CIV NAVAIR, 4G0000D john.l.daly at navy.mil
Tue Nov 29 18:21:11 UTC 2016


Greetings,
I thumbed through the archive, but didn't find an answer.  If I missed it, perhaps someone will be kind enough to point me in the right direction.

I'm testing replacing our OpenDirectory server with a FreeIPA server for authenticating our Mac systems.  So far, I have the server and client running in a virtual machine (FreeIPA running on CentOS 7, Mac is MacOS 10.12.1), and, following a number of instructions found on the web, they are talking to each other and I can log in from the Mac client to the FreeIPA server with a user account on the FreeIPA server.

The final step in this is that I need to use smart card authentication instead of username/password.  I have managed to get the smart card's certificate added to the user account on the FreeIPA server, but that's as far as I've managed.

In MacOS 10.7-10.11, the method of getting smart card authorization to work is to get the hash of the certificate on the smart card and then add that to AuthenticationAuthority in Directory Utility as ;pubkeyhash;<Certificate hash>.
In 10.12, it will actually ask you if you want to pair the smart card with the account, and if so, in the background it adds the hash as ;tokenIdentity;<Certificate hash> to AuthenticationAuthority (but it only does that for local accounts. To do it in Open Directory, you still have to add it manually).

In my ignorance, I'm guessing that I just somehow need to map the certificate that's been added to the user account in FreeIPA to AuthenticationAuthority in Directory Utility.  Right now the only thing mapped in the bind for AuthenticationAuthority is uid.

Could someone tell me what map I would need to make when setting up the bind to make this work? Or if I'm totally heading in the wrong direction, could someone send me in the right direction?

Nathan Kinder's blog was very helpful, but he mentions telling how to actually set up login on the next installment, and that was over a year ago and there's no next installment.  Most of what I've been able to find covers how to use sssd to get a linux machine to authenticate with the smartcard to FreeIPA, but I haven't been able to translate that to getting the Mac to authenticate.

Thank you,
John