On Sep 29, 2009, at 4:42 PM, Michele (Mike) Hjorleifsson wrote:
Anyone integrated Smart Card Service logon with Open Directory? Been looking for some how-tos but no luck so far. I imagine it would be a matter of modifying the LDAP Authorization attributes, unless password server supports this, which I don't think it does.

Mike,

There are two methods available today that were documented in an old Apple KBase article (which needs to be updated), but a third one is what most folks are looking for and it is coming in the future....

Available Today

Method 1: PubKeyHash
Designates Identity to be used for Challenge
- Adds a ;pubkeyhash; value to AuthenticationAuthority attribute

Method 2: Attribute Matching
Designates Attributes to be used for Lookup in DS for Match prior to Challenge
- Defined within the cacloginconfig.plist file for defined matching

Coming in the future from Apple but available from third-party products today

Method 3: PKINIT
Which gives you SSO to your DS from your Smart Card (X.509 Cert)

3rd-Party Products
"ADmitMac for CAC" Thursby Software Systems
"DirectControl" Centrify

__________________________________________________
Shawn Geddis geddis@mac.com
Security Consulting Engineer
MacOSForge Project Lead: Smart Card Services
Web: http://smartcardservices.macosforge.org/
Lists: http://lists.macosforge.org/mailman/listinfo
__________________________________________________