23.4. Configuring a User Name Hint Policy for Smart-card Authentication
As an Identity Management administrator, you can configure a user name hint policy for smart cards linked with multiple accounts.
23.4.1. User Name Hints in Identity Management
The user name hint policy configures Identity Management to prompt smart card users for their user name. When a user tries to authenticate with a smart card certificate that matches multiple user accounts in Identity Management, one of the following occurs:
- If the user name hint policy is enabled, the user is prompted for a user name and then can proceed with authentication.
- If the user name hint policy is disabled, the authentication fails without prompting.
Identity Management adds the user name hint to applications that would by default prompt for a smart card PIN without asking for a user name. On Red Hat Enterprise Linux, this is currently only the Gnome Desktop Manager (GDM) login.
Figure 23.14. User name hint in the Gnome Desktop Manager
Identity Management does not add the user name hint to applications that ask for a user name by default, for example:
- The Identity Management web UI authentication, because the GUI always displays the
sshuses the current user’s login name or the name provided with the
-loption or in the
- Console authentication, where the login name is always supplied
In these situations, authentication with a certificate that matches multiple users is always allowed.
23.4.2. Enabling User Name Hints in Identity Management
The Identity Management administrator sets the user name hint policy centrally. The policy applies to all hosts enrolled into the Identity Management domain.
Perform these steps on any Identity Management system.
Command Line: Enabling User Name Hints in Identity Management
- Log in as the Identity Management administrator:
$ kinit admin Password for admin@IDM.EXAMPLE.COM:
- Enable user name hints by using the ipa certmapconfig-mod command with the
$ ipa certmapconfig-mod --promptusername=TRUE Prompt for the username: TRUETo disable user name hints, use the
Web UI: Enabling User Name Hints in Identity Management
- Click Authentication → Certificate Identity Mapping Rules → Certificate Identity Mapping Global Configuration.
- Select Prompt for the username, and click Save.
Figure 23.15. Enabling user name hints in the web UI
- For details on the ipa certmapconfig-mod command, execute it with the