
Using the attribute lookup method – Apple Mac OS X v10.4 User Manual


Chapter 2  Setting Up Your Smart Card

5 You bind the card to the user's local directory domain with the sc_auth accept command. Although the guide calls the value the card's "identity private key", what you pass is the hash of the public key belonging to the card's identity key pair; the private key itself never leaves the card. In Terminal, enter the following command, substituting the account's short user name for <user> and the hash from the previous example for <# Identity Private Key>:

sudo sc_auth accept -u <user> -h <# Identity Private Key>

Using the hash from the previous example, the command looks like this:

sudo sc_auth accept -u myuser -h 01C2E294XP77B57B63B0A15B8F204C1

The sc_auth command adds an entry to the authentication_authority property of the user's record. You can display the property with the nidump command (the trailing period names the local NetInfo domain). In the following example, the hash passed to sc_auth accept appears as a pubkeyhash entry next to the account's existing ;ShadowHash; entry, so the account now accepts either the card or its password:

nidump -r /users/myuser .
...
"authentication_authority" = ( ";ShadowHash;", ";pubkeyhash 01C2E294XP77B57B63B0A15B8F204C1" );
...

In the previous example, which listed three hashes, any one of them could have been used to bind the card to the account. More than one smart card can be bound to a single user account by running the sc_auth accept command again with the hash of each additional card.

Note: Multiple cards can be bound to a single account, but a single card cannot be
bound to multiple accounts accessible from a single system.

Using the Attribute Lookup Method

If your network doesn't use NetInfo with Open Directory, use the attribute lookup method to bind the user account to the smart card. This method looks up the user by values drawn from the email signing certificate on the card. Attribute lookup works with user accounts from an existing directory service such as LDAP, NetInfo, NIS, or Active Directory. You configure the smart card authorization plug-in to map an attribute from a certificate on the smart card to a field in the directory.

Attribute lookup is mainly used with Common Access Card (CAC) smart cards, although it also works with other similarly designed smart cards. Attribute lookup is required for all U.S. Federal Government smart cards.

The examples show commonly used attribute lookups. However, you need to be
familiar with the attributes and directory fields required by your particular directory
service. Check with your network administrator for configuration information specific to
your directory service.