[SmartcardServices-Users] OpenDirectory

Shawn A. Geddis geddis at apple.com
Tue Sep 29 13:54:06 PDT 2009


On Sep 29, 2009, at 4:42 PM, Michele (Mike) Hjorleifsson wrote:
> Anyone integrated Smart Card Service logon with Open Directory?
> Been looking for some how-tos but no luck so far.
> I imagine it would be a matter of modifying the LDAP Authorization
> attributes, unless password server supports this, which I don't think
> it does.


Mike,

There are two methods available today that were documented in an old
Apple KBase article (which needs to be updated), but a third one is
what most folks are looking for and it is coming in the future....

Available Today
Method 1:	PubKeyHash		Designates Identity to be used for Challenge
	- Adds a ;pubkeyhash; value to AuthenticationAuthority attribute
Method 2:	Attribute Matching	Designates Attributes to be used for Lookup in DS for Match prior to Challenge
	- Defined within the cacloginconfig.plist file for defined matching


Coming in the future from Apple but available from third-party products today
Method 3:	PKINIT
	Which gives you SSO to your DS from your Smart Card (X.509 Cert)

	3rd-Party Products
	"ADmitMac for CAC"		Thursby Software Systems
	"DirectControl"			Centrify

__________________________________________________
Shawn Geddis				  			   geddis at mac.com
Security Consulting Engineer

MacOSForge Project Lead:                           Smart Card Services
	Web:	http://smartcardservices.macosforge.org/
	Lists:	http://lists.macosforge.org/mailman/listinfo
__________________________________________________
