On Sep 29, 2009, at 4:42 PM, Michele (Mike) Hjorleifsson wrote:
Anyone integrated Smart Card Service logon with Open Directory? Been looking for some how-tos but no luck so far.
I imagine it would be a matter of modifying the LDAP Authorization attributes, unless password server supports this, which I don't think it does.

Mike,

There are two methods available today that were documented in an old Apple KBase article (which needs to be updated), but a third one is what most folks are looking for and it is coming in the future...

Available Today
Method 1: PubKeyHash Designates Identity to be used for Challenge
- Adds a ;pubkeyhash; value to AuthenticationAuthority attribute
Method 2: Attribute Matching Designates Attributes to be used for Lookup in DS for Match prior to Challenge
- Defined within the cacloginconfig.plist file for defined matching


Coming in the future from Apple but available from third-party products today
Method 3: PKINIT
Which gives you SSO to your DS from your Smart Card (X.509 Cert)

3rd-Party Products
"ADmitMac for CAC" Thursby Software Systems
"DirectControl" Centrify

__________________________________________________
Shawn Geddis       geddis@mac.com
Security Consulting Engineer

MacOSForge Project Lead: Smart Card Services
__________________________________________________
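As an added example (not part of either message above, and not Apple's code), here is a small audit helper for Method 1: it parses the multi-valued AuthenticationAuthority attribute as read from a directory record, splits each value into its leading tag and data, and reports whether the record carries a ;pubkeyhash; binding with a well-formed SHA-1 hex hash. The sample record values, including the hash, are constructed for illustration.

```python
import re
from typing import List, Tuple

# One AuthenticationAuthority value looks like ";<tag>;<data>", e.g.
#   ;ShadowHash;HASHLIST:<...>
#   ;pubkeyhash;<40 hex chars, SHA-1 of the smart card public key>
SHA1_HEX = re.compile(r"^[0-9A-Fa-f]{40}$")


def parse_authority_values(values: List[str]) -> List[Tuple[str, str]]:
    """Split each attribute value into (tag, data), ignoring empty values."""
    parsed = []
    for raw in values:
        value = raw.strip()
        if not value.startswith(";"):
            continue  # malformed: every value must begin with ';'
        tag, _, data = value[1:].partition(";")
        parsed.append((tag.lower(), data))
    return parsed


def pubkeyhash_bindings(values: List[str]) -> List[str]:
    """Return the hash portion of every ;pubkeyhash; value present."""
    return [data.rstrip(";") for tag, data in parse_authority_values(values)
            if tag == "pubkeyhash"]


def has_valid_smartcard_binding(values: List[str]) -> bool:
    """True when at least one ;pubkeyhash; entry carries a 40-hex-char hash."""
    return any(SHA1_HEX.match(h) for h in pubkeyhash_bindings(values))


# Constructed sample record: password hash, LKDC Kerberos principal, and a
# smart card binding. The hash below is a made-up placeholder, not a real key.
SAMPLE_RECORD = [
    ";ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>",
    ";Kerberosv5;;mike@LKDC:SHA1.0123;LKDC:SHA1.0123;",
    ";pubkeyhash;0123456789ABCDEF0123456789ABCDEF01234567",
]

# Same record without any smart card identity bound to it.
PASSWORD_ONLY_RECORD = SAMPLE_RECORD[:2]

if __name__ == "__main__":
    for name, rec in (("sample", SAMPLE_RECORD), ("pw-only", PASSWORD_ONLY_RECORD)):
        print(name, "smart card bound:", has_valid_smartcard_binding(rec))
```

Feeding the output of a directory query for a user's AuthenticationAuthority into this check gives a quick inventory of which accounts are actually bound to a card under Method 1 and which still rely on passwords alone.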