Red Hat Training

A Red Hat training course is available for Red Hat Linux

23.4. Configuring a User Name Hint Policy for Smart-card Authentication

As an Identity Management administrator, you can configure a user name hint policy for smart cards linked with multiple accounts.

23.4.1. User Name Hints in Identity Management

The user name hint policy configures Identity Management to prompt smart card users for their user name. When a user tries to authenticate with a smart card certificate that matches multiple user accounts in Identity Management, one of the following occurs:
  • If the user name hint policy is enabled, the user is prompted for a user name and then can proceed with authentication.
  • If the user name hint policy is disabled, the authentication fails without prompting.
Identity Management adds the user name hint to applications that would by default prompt for a smart card PIN without asking for a user name. On Red Hat Enterprise Linux, this is currently only the Gnome Desktop Manager (GDM) login.
User name hint in the Gnome Desktop Manager

Figure 23.4. User name hint in the Gnome Desktop Manager

Identity Management does not add the user name hint to applications that ask for a user name by default, for example:
  • The Identity Management web UI authentication, because the GUI always displays the Username field
  • ssh authentication, because ssh uses the current user’s login name or the name provided with the -l option or in the username@host format
  • Console authentication, where the login name is always supplied
In these situations, authentication with a certificate that matches multiple users is always allowed.

23.4.2. Enabling User Name Hints in Identity Management

The Identity Management administrator sets the user name hint policy centrally. The policy applies to all hosts enrolled into the Identity Management domain.
Perform these steps on any Identity Management system.

Command Line: Enabling User Name Hints in Identity Management

  1. Log in as the Identity Management administrator:
    $ kinit admin
    Password for admin@IDM.EXAMPLE.COM:
  2. Enable user name hints by using the ipa certmapconfig-mod command with the --promptusername=True option.
    $ ipa certmapconfig-mod --promptusername=TRUE
    Prompt for the username: TRUE
    To disable user name hints, use the --promptusername=False option.

Web UI: Enabling User Name Hints in Identity Management

  1. Click AuthenticationCertificate Identity Mapping RulesCertificate Identity Mapping Global Configuration.
  2. Select Prompt for the username, and click Save.
    Enabling user name hints in the web UI

    Figure 23.5. Enabling user name hints in the web UI

Additional Resources

  • For details on the ipa certmapconfig-mod command, execute it with the --help option.