Integrating Yubikey Token details within LDAP with FreeIPA and Red Hat Enterprise Linux 6

Adding YubiKey IDs to a FreeIPA user.

Step 4. Adding users
As this is not a built-in feature of FreeIPA, there is no dedicated "ipa" command for adding a token ID to your FreeIPA users.
That said, because FreeIPA is LDAP based, you can add the key details from any system that can run "ldapmodify" (or, as shown below, with "ipa user-mod --addattr").

I have created myself a FreeIPA user. See below.

[root@ds01 ~]# ipa user-add
First name: Dale
Last name: Macartney
User login [dmacartney]: 
-----------------
Added user "dmacartney"
-----------------
  User login: dmacartney
  First name: Dale
  Last name: Macartney
  Full name: Dale Macartney
  Display name: Dale Macartney
  Initials: DM
  Home directory: /home/dmacartney
  GECOS field: Dale Macartney
  Login shell: /bin/sh
  Kerberos principal: dmacartney@EXAMPLE.COM
  Email address: dmacartney@example.com
  UID: 1167000003
  GID: 1167000003
  Password: False
  Kerberos keys available: False
[root@ds01 ~]#

Step 5. Import Token IDs.

To add a YubiKey ID with the ipa command, run the following.

[root@ds01 ~]# ipa user-mod --addattr="objectClass=yubiKeyUser" --addattr="yubiKeyID=ccccc1234567" dmacartney

Obviously this is adding the key ccccc1234567 to the user dmacartney.

Step 6. Verify token information

To verify using the ipa command, run the following.

[root@ds01 ~]# ipa user-show --all --raw dmacartney
  dn: uid=dmacartney,cn=users,cn=accounts,dc=example,dc=com
  uid: dmacartney
  givenname: Dale
  sn: Macartney
  cn: Dale Macartney
  displayname: Dale Macartney
  initials: DM
  homedirectory: /home/dbmacartney
  gecos: Dale Macartney
  loginshell: /bin/sh
  krbprincipalname: dmacartney@EXAMPLE.COM
  mail: dmacartney@example.com
  uidnumber: 409400001
  gidnumber: 409400001
  nsaccountlock: False
  has_password: True
  has_keytab: True
  ipauniqueid: 5ff2c402-4941-11e2-8e9e-001a4a000000
  krbextradata: AAL97tBQa2FkbWluZEBFWEFNUExFLkNPTQA=
  krblastpwdchange: 20121218223229Z
  krblastsuccessfulauth: 20121218224850Z
  krbloginfailedcount: 0
  krbpasswordexpiration: 20130318223229Z
  krbpwdpolicyreference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
  krbticketflags: 128
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
  mepmanagedentry: cn=dbmacartney,cn=groups,cn=accounts,dc=example,dc=com
  objectclass: top
  objectclass: person
  objectclass: organizationalperson
  objectclass: inetorgperson
  objectclass: inetuser
  objectclass: posixaccount
  objectclass: krbprincipalaux
  objectclass: krbticketpolicyaux
  objectclass: ipaobject
  objectclass: ipasshuser
  objectclass: ipaSshGroupOfPubKeys
  objectclass: mepOriginEntry
  objectclass: yubiKeyUser
  yubikeyid: ccccc1234567
[root@ds01 ~]#
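
The steps 5 and 6 above done programmatically, as an added example that is not part of the original post: it derives the yubiKeyID value from an OTP, builds the LDIF an "ldapmodify" run would take, and checks the "ipa user-show --all --raw" output for the result. It assumes the yubiKeyUser/yubiKeyID schema names shown above and uses constructed sample values (real YubiKey public IDs are 12 modhex characters, so the placeholder ccccc1234567 from the post is rejected by the validator).

```python
import re

MODHEX = "cbdefghijklnrtuv"   # YubiKey modhex alphabet (hex 0-f -> c b d e f g h i j k l n r t u v)
PUBLIC_ID_LEN = 12            # static public ID prefix of every OTP from a token
OTP_BODY_LEN = 32             # AES-encrypted, single-use part of the OTP

def is_public_id(value):
    """A well-formed yubiKeyID value: exactly 12 modhex characters."""
    return len(value) == PUBLIC_ID_LEN and all(c in MODHEX for c in value)

def public_id_from_otp(otp):
    """Derive the yubiKeyID value from one OTP pressed out of the token."""
    otp = otp.strip()
    if len(otp) != PUBLIC_ID_LEN + OTP_BODY_LEN or not all(c in MODHEX for c in otp):
        raise ValueError("not a YubiKey OTP: %r" % otp)
    return otp[:PUBLIC_ID_LEN]

def build_ldif(user_dn, key_id, add_objectclass=True):
    """LDIF for ldapmodify, same change as the ipa user-mod above. Pass
    add_objectclass=False if the entry already has yubiKeyUser (re-adding it fails)."""
    if not is_public_id(key_id):
        raise ValueError("bad YubiKey public ID: %r" % key_id)
    lines = ["dn: " + user_dn, "changetype: modify"]
    if add_objectclass:
        lines += ["add: objectClass", "objectClass: yubiKeyUser", "-"]
    lines += ["add: yubiKeyID", "yubiKeyID: " + key_id]
    return "\n".join(lines) + "\n"

def parse_raw_entry(text):
    """Parse 'ipa user-show --all --raw' output into attr -> [values]."""
    entry = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_]+):\s*(.*)$", line)
        if m:
            entry.setdefault(m.group(1).lower(), []).append(m.group(2))
    return entry

def token_registered(text, key_id):
    """Step 6 check: both the objectClass and the key ID must be present."""
    entry = parse_raw_entry(text)
    classes = [v.lower() for v in entry.get("objectclass", [])]
    return "yubikeyuser" in classes and key_id in entry.get("yubikeyid", [])

# Constructed sample of what the step 6 output looks like after the change.
SAMPLE_RAW = """  dn: uid=dmacartney,cn=users,cn=accounts,dc=example,dc=com
  objectclass: top
  objectclass: yubiKeyUser
  yubikeyid: ccccccbhvgcd
"""
```

Pipe the output of build_ldif into "ldapmodify -x -D <bind dn> -W" on a host that can reach the directory, then feed the user-show output to token_registered.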
