Adding YubiKey IDs to a FreeIPA user.
Step 4. Adding users
As this is not a built-in feature of FreeIPA, there is no dedicated "ipa" subcommand for adding a token ID to a FreeIPA user.
That said, because FreeIPA is LDAP based, the key details can be added from any system that can run "ldapmodify" against the directory (or, as shown below, with the generic attribute options of "ipa user-mod").
I have created myself a FreeIPA user. See below.
[root@ds01 ~]# ipa user-add
First name: Dale
Last name: Macartney
User login [dmacartney]:
-----------------
Added user "dmacartney"
-----------------
  User login: dmacartney
  First name: Dale
  Last name: Macartney
  Full name: Dale Macartney
  Display name: Dale Macartney
  Initials: DM
  Home directory: /home/dmacartney
  GECOS field: Dale Macartney
  Login shell: /bin/sh
  Kerberos principal: dmacartney@EXAMPLE.COM
  Email address: dmacartney@example.com
  UID: 1167000003
  GID: 1167000003
  Password: False
  Kerberos keys available: False
[root@ds01 ~]#
Step 5. Import token IDs.
To add a YubiKey ID with the ipa command, run the following.
[root@ds01 ~]# ipa user-mod --addattr="objectClass=yubiKeyUser" --addattr="yubiKeyID=ccccc1234567" dmacartney
This adds the key ccccc1234567 to the user dmacartney. The first --addattr is required: the yubiKeyID attribute is only permitted on entries that carry the yubiKeyUser object class, so the class has to be added to the user entry in the same operation (or before it).
Step 6. Verify token information
To verify using the ipa command, run the following. The key should appear as the yubikeyid attribute, and yubiKeyUser should be listed among the entry's object classes.
[root@ds01 ~]# ipa user-show --all --raw dmacartney
  dn: uid=dmacartney,cn=users,cn=accounts,dc=example,dc=com
  uid: dmacartney
  givenname: Dale
  sn: Macartney
  cn: Dale Macartney
  displayname: Dale Macartney
  initials: DM
  homedirectory: /home/dbmacartney
  gecos: Dale Macartney
  loginshell: /bin/sh
  krbprincipalname: dmacartney@EXAMPLE.COM
  mail: dmacartney@example.com
  uidnumber: 409400001
  gidnumber: 409400001
  nsaccountlock: False
  has_password: True
  has_keytab: True
  ipauniqueid: 5ff2c402-4941-11e2-8e9e-001a4a000000
  krbextradata: AAL97tBQa2FkbWluZEBFWEFNUExFLkNPTQA=
  krblastpwdchange: 20121218223229Z
  krblastsuccessfulauth: 20121218224850Z
  krbloginfailedcount: 0
  krbpasswordexpiration: 20130318223229Z
  krbpwdpolicyreference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
  krbticketflags: 128
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
  mepmanagedentry: cn=dbmacartney,cn=groups,cn=accounts,dc=example,dc=com
  objectclass: top
  objectclass: person
  objectclass: organizationalperson
  objectclass: inetorgperson
  objectclass: inetuser
  objectclass: posixaccount
  objectclass: krbprincipalaux
  objectclass: krbticketpolicyaux
  objectclass: ipaobject
  objectclass: ipasshuser
  objectclass: ipaSshGroupOfPubKeys
  objectclass: mepOriginEntry
  objectclass: yubiKeyUser
  yubikeyid: ccccc1234567
[root@ds01 ~]#
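The following is an added example covering Steps 5 and 6 together; it is not part of the original post. It wraps the enrolment and the check in small POSIX sh functions: one derives the 12-character public ID from a full YubiKey OTP (the public ID is the only part that belongs in LDAP; the remaining 32 characters change on every press), one emits the LDIF that ldapmodify would need to make the same change as the ipa user-mod line above, and one scans "ipa user-show --all --raw" output for the expected yubikeyid line. The base DN, the user name and the OTP are assumptions taken from, or constructed to match, the post's listing.

```shell
#!/bin/sh
# Added example, not the post's own code. Assumes the schema used in the post
# (object class yubiKeyUser, attribute yubiKeyID) and its base DN.
BASE_DN="cn=users,cn=accounts,dc=example,dc=com"   # assumption: matches the post

# Public ID of a YubiKey OTP: the first 12 characters. Real keys use the modhex
# alphabet, but the post's sample ID (ccccc1234567) is a placeholder, so only
# lowercase alphanumerics and a minimum length are enforced here.
yubikey_public_id() {
    otp="$1"
    case "$otp" in
        ""|*[!a-z0-9]*) return 1 ;;
    esac
    [ "${#otp}" -ge 12 ] || return 1
    printf '%s\n' "$otp" | cut -c1-12
}

# LDIF equivalent of:
#   ipa user-mod --addattr="objectClass=yubiKeyUser" --addattr="yubiKeyID=<id>" <user>
# The object class is added first because yubiKeyID is only allowed on entries
# that carry yubiKeyUser. Feed the output to "ldapmodify" on a host with a
# Kerberos ticket, e.g.:  yubikey_ldif dmacartney "$id" | ldapmodify -Y GSSAPI
yubikey_ldif() {
    user="$1"; keyid="$2"
    [ "${#keyid}" -eq 12 ] || return 1
    printf 'dn: uid=%s,%s\nchangetype: modify\nadd: objectClass\nobjectClass: yubiKeyUser\n-\nadd: yubiKeyID\nyubiKeyID: %s\n-\n' \
        "$user" "$BASE_DN" "$keyid"
}

# Read "ipa user-show --all --raw <user>" output on stdin and return 0 when the
# given key ID is enrolled. Raw output lowercases attribute names and indents
# them, as in the post's listing, so match on an optionally indented line.
yubikey_is_enrolled() {
    keyid="$1"
    grep -qE "^[[:space:]]*yubikeyid: ${keyid}[[:space:]]*$"
}

# Demonstration with the post's user and a constructed 44-character OTP whose
# first 12 characters are the post's sample ID.
demo_otp="ccccc1234567bcdefghijklnrtuvbcdefghijklnrtuv"   # constructed
demo_id="$(yubikey_public_id "$demo_otp")"
yubikey_ldif dmacartney "$demo_id"
```

Running the file prints the LDIF for dmacartney; in practice you would pipe yubikey_ldif into ldapmodify instead of printing it, and pipe the real ipa user-show output into yubikey_is_enrolled as a post-enrolment check.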