[Freeipa-users] Mac OS X 10.12 Smart card authentication to FreeIPA server.

Daly, John L CIV NAVAIR, 4G0000D john.l.daly at navy.mil
Wed Nov 30 18:46:38 UTC 2016


Hi Sumit.

Here's an example of a user that works with smartcard authentication to an Open Directory server.
The key is the ;pubkeyhash; in AuthenticationAuthority. In 10.12 it's the ;tokenidentity; that does it.

Thank you,
John
__________________________
dsAttrTypeNative:objectClass: inetOrgPerson posixAccount shadowAccount apple-user extensibleObject organizationalPerson top person
AltSecurityIdentities: Kerberos:user at SERVER.DOMAIN.NAME
AppleMetaNodeLocation: /LDAPv3/server.domain.name
AppleMetaRecordName: uid=user,cn=users,dc=server,dc=domain,dc=name
AuthenticationAuthority:
 ;ApplePasswordServer;0x5230e3e66bef0ef40000007f00000070,1024 35 137153981046475199943945843867332692680750197424744096859870797093676645749027380403427308966078902581285961066749586341210370640493694174807003238022253128816071402321107596780023824943279942604404381371976466757866276940266744128110435619726808591040123586775364081346530916319469827937868172697966549077993 root at server.domain.name:192.168.0.1
 ;pubkeyhash;CFF322DE5D9F21E1FEF8957548EF94D846E6B43C
 ;pubkeyhash;A89153274F7EF7132FAAF4507078064AA522E78D
 ;tokenidentity;44AFDECA841C27354223BFVE1F3A91VEDC48C65A
Comment:
 sysadmin extraordinaire.. sort of
EMailAddress: user at server.domain
GeneratedUID: FDCEB042-BD89-11D9-BFEE-0003939529C2
LastName: 99
MCXFlags:
 <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>simultaneous_login_enabled</key>
	<true/>
</dict>
</plist>

NFSHomeDirectory: /Network/Servers/server.domain.name/Volumes/shares/netusers/user
Password: ********
PrimaryGroupID: 80
RealName:
 User Name
RecordName: user
RecordType: dsRecTypeStandard:Users
ServicesLocator: 793D4083-126E-44A7-A3FF-85251F39556D:E245FF24-D266-4F7E-BCF4-709611F539A6:calendar (null):(null):calendar
UniqueID: 1025
UserShell: /bin/bash
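As an added example (not part of John's message or of Open Directory's own tooling), here is a small Python parser for the attribute dump format shown above. It pulls the ;pubkeyhash; and ;tokenidentity; entries out of AuthenticationAuthority and checks that each value is a 40-character hex SHA-1 hash, which is a useful sanity check before copying a hash into another directory; the sample record and all hash values in it are constructed, and the tag comparison is case-insensitive because 10.12 writes ;tokenIdentity;.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the dump format from the thread. Hash values are made
# up; the last one contains non-hex characters on purpose to exercise the check.
SAMPLE_RECORD = """\
RecordName: user
AuthenticationAuthority:
 ;ApplePasswordServer;0x00000000000000000000000000000001,1024 35 7 root at od.example.test:192.0.2.1
 ;pubkeyhash;0123456789ABCDEF0123456789ABCDEF01234567
 ;tokenIdentity;FEDCBA9876543210FEDCBA9876543210FEDCBA98
 ;tokenidentity;ZZFDECA841C27354223BF0E1F3A910EDC48C65AQ
UserShell: /bin/bash
"""

HASH_RE = re.compile(r"[0-9A-Fa-f]{40}")  # SHA-1 as 40 hex digits
CARD_TAGS = {"pubkeyhash", "tokenidentity"}


def parse_record(text: str) -> Dict[str, List[str]]:
    """Parse 'Attr: value' lines; indented lines continue the previous attribute."""
    record: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and current is not None:
            record[current].append(line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            current = name.strip()
            record.setdefault(current, [])
            if value.strip():
                record[current].append(value.strip())
    return record


def split_authority(entry: str) -> Tuple[str, str]:
    """';tag;rest' -> ('tag', 'rest'); tag lower-cased so tokenIdentity matches."""
    _, tag, rest = entry.split(";", 2)
    return tag.lower(), rest


def card_entries(text: str) -> List[Tuple[str, str, bool]]:
    """Return (tag, value, looks_like_sha1) for each smart card entry in a record."""
    auth = parse_record(text).get("AuthenticationAuthority", [])
    out = []
    for entry in auth:
        tag, rest = split_authority(entry)
        if tag in CARD_TAGS:
            out.append((tag, rest, HASH_RE.fullmatch(rest) is not None))
    return out
```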

Date: Wed, 30 Nov 2016 09:46:42 +0100
From: Sumit Bose <sbose at redhat.com>
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Mac OS X 10.12 Smart card authentication to FreeIPA server.
Message-ID: <20161130084642.GD21759 at p.Speedport_W_724V_Typ_A_05011603_00_009>
Content-Type: text/plain; charset=us-ascii
______________________________________


On Tue, Nov 29, 2016 at 06:21:11PM +0000, Daly, John L CIV NAVAIR, 4G0000D wrote:
> Greetings,
> I thumbed through the archive, but didn't find an answer.  If I missed it, perhaps someone will be kind enough to point me in the right direction.
> 
> I'm testing replacing our OpenDirectory server with a FreeIPA server for authenticating our Mac systems.  So far, I have the server and client running in a virtual machine (FreeIPA running on CentOS 7, Mac is MacOS 10.12.1), and, following a number of instructions found on the web, they are talking to each other and I can log in from the Mac client to the FreeIPA server with a user account on the FreeIPA server.
> 
> The final step in this is that I need to use smart card authentication instead of username/password.  I have managed to get the smart card's certificate added to the user account on the FreeIPA server, but that's as far as I've managed.
> 
> In MacOS 10.7-10.11, the method of getting smart card authorization to work is to get the hash of the certificate on the smart card and then add that to AuthenticationAuthority in Directory Utility as ;pubkeyhash;<Certificate hash>
> In 10.12, it will actually ask you if you want to pair the smart card with the account, and if so, in the background it adds the hash as ;tokenIdentity;<Certificate hash> to AuthenticationAuthority (but it only does that to local accounts.  to do it in Open Directory, you have to add it manually still)
> 
> In my ignorance, I'm guessing that I just somehow need to map the certificate that's been added to the user account in FreeIPA to AuthenticationAuthority in DirectoryUtility.  Right now the only thing mapped in the bind for AuthenticationAuthority is uid.

Can you send me an example of an user object from OpenDirectory which
has all the needed attributes to make Smartcard authentication work?

bye,
Sumit

> 
> Could someone tell me what map I would need to make when setting up the bind to make this work? Or if I'm totally heading in the wrong direction, could someone send me in the right direction?
> 
> Nathan Kinder's blog was very helpful, but he mentions telling how to actually set up login on the next installment, and that was over a year ago and there's no next installment.  Most of what I've been able to find covers how to use sssd to get a linux machine to authenticate with the smartcard to FreeIPA, but I haven't been able to translate that to getting the Mac to authenticate.
> 
> Thank you,
> John
> 