Integrating Yubikey Token details within LDAP with FreeIPA and Red Hat Enterprise Linux 6

Modify Yubikey client systems

Once you have verified your import, it is time to deprecate the old “authfile” option on all of your client workstations and servers and point them at an LDAP lookup instead of a text file.

Chances are, your client systems are configured in PAM with a line like the following.
I use the line below in my /etc/pam.d/system-auth file.

auth        required    pam_yubico.so id=1 authfile=/etc/sysconfig/yubikey

All you need to do to point your systems at LDAP is change the above line to look like the one below.
Don’t forget to change “ldaps://ds01.example.com” to the FQDN of your own FreeIPA server.

auth required pam_yubico.so id=1 ldap_uri=ldaps://ds01.example.com ldapdn=cn=users,cn=accounts,dc=example,dc=com user_attr=uid yubi_attr=yubiKeyId
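Before rolling the new line out to every workstation, it helps to audit the PAM files for entries that still use the flat authfile, or that point at LDAP without TLS. The script below is an added example written for this post, not code from the post or from pam_yubico itself: it parses a system-auth style file, picks out the pam_yubico.so entries, and reports any that still carry authfile=, use a non-ldaps:// ldap_uri, or lack one of the ldapdn/user_attr/yubi_attr options the line above relies on. The sample configuration embedded in it is constructed for illustration; the option names are the ones used on this page.

```python
import sys
import shlex
from urllib.parse import urlparse

# Constructed sample of /etc/pam.d/system-auth lines (not taken from a real host).
# It mixes an old authfile entry, a plaintext ldap:// entry and the corrected ldaps:// entry.
SAMPLE_PAM_CONFIG = """\
#%PAM-1.0
auth        required      pam_env.so
auth        required      pam_yubico.so id=1 authfile=/etc/sysconfig/yubikey
auth        required      pam_yubico.so id=1 ldap_uri=ldap://ds01.example.com ldapdn=cn=users,cn=accounts,dc=example,dc=com user_attr=uid yubi_attr=yubiKeyId
auth        required      pam_yubico.so id=1 ldap_uri=ldaps://ds01.example.com ldapdn=cn=users,cn=accounts,dc=example,dc=com user_attr=uid yubi_attr=yubiKeyId
auth        sufficient    pam_unix.so nullok try_first_pass
"""

# Options the LDAP-backed pam_yubico line on this page needs in order to map a user to a token.
REQUIRED_LDAP_OPTIONS = ("ldap_uri", "ldapdn", "user_attr", "yubi_attr")


def parse_pam_line(line):
    """Return (type, control, module, {option: value}) for one PAM line, or None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = shlex.split(line)
    if len(fields) < 3:
        return None
    pam_type, control, module = fields[0], fields[1], fields[2]
    options = {}
    for arg in fields[3:]:
        # Split on the first '=' only: ldapdn=cn=users,... keeps its inner '=' signs.
        key, sep, value = arg.partition("=")
        options[key] = value if sep else True
    return pam_type, control, module, options


def audit_yubico_entries(config_text):
    """Check every pam_yubico.so entry; return a list of (line_no, [findings]) in file order."""
    report = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        parsed = parse_pam_line(raw)
        if parsed is None:
            continue
        _, _, module, options = parsed
        if not module.endswith("pam_yubico.so"):
            continue
        findings = []
        if "authfile" in options:
            findings.append("uses flat authfile mapping instead of LDAP lookup")
        if "ldap_uri" in options:
            scheme = urlparse(options["ldap_uri"]).scheme
            if scheme != "ldaps":
                findings.append(f"ldap_uri scheme is '{scheme}', expected ldaps (TLS)")
            missing = [opt for opt in REQUIRED_LDAP_OPTIONS if opt not in options]
            if missing:
                findings.append("missing LDAP options: " + ", ".join(missing))
        elif "authfile" not in options:
            findings.append("neither authfile nor ldap_uri is set; token mapping is undefined")
        report.append((line_no, findings))
    return report


if __name__ == "__main__":
    # Audit a real file if a path is given, otherwise the constructed sample above.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PAM_CONFIG
    for line_no, findings in audit_yubico_entries(text):
        status = "OK" if not findings else "; ".join(findings)
        print(f"line {line_no}: {status}")
```

Run it as `python3 audit_pam_yubico.py /etc/pam.d/system-auth` on each client; an empty findings list for the pam_yubico.so entry means the host is already on the LDAP lookup over TLS, while an authfile finding marks a host that still has the old line.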


That’s it for the integration process. All in all, it shouldn’t take longer than 15-20 minutes to get up and running. Below are a few screenshots of Fedora 18 using FreeIPA logins with Yubikey authentication as well. Enjoy!

[Screenshot: Fedora 18 - User Login]

[Screenshot: Fedora 18 - Yubikey OTP]

[Screenshot: Fedora 18 - FreeIPA Password]
