    # This is a comment.
    certmap default default
    [default:property1 [value1]]
    [default:property2 [value2]]
    [...]
    [certmap name issuerDN
    [name:property1 [value1]]
    [name:property2 [value2]]
    ...]
The certmap.conf file defines how Directory Server maps certificates to directory entries.
Comment lines are those starting with #.
    certmap default default
Each subsequent certificate map starts with a line identifying the name of the map and the certificate authority issuer DN of the certificates to which the map applies.
The issuerDN string specified in the certificate map must correspond exactly to the issuer DN shown in the certificates. In particular, whitespace in the issuer DN is significant.
A certificate map also optionally specifies values for the following properties.
DNComps
Specifies a comma separated list of relative distinguished name components of the base DN for an LDAP search to find the user entry matching the certificate. The components are taken from the subject DN of the certificate.
When the value of this property is left empty, the base DN is the null suffix. In this particular case, searching against the null suffix in Directory Server searches every suffix in the directory. Thus leaving DNComps empty can have a negative impact on performance.
The default behavior, when this property is commented out or not specified, is to take as the base DN the subject DN of the certificate.
FilterComps
Specifies a comma separated list of LDAP attributes to form a filter for an LDAP search to find the user entry matching the certificate. The values for the filter are taken from the certificate, which can hold the following attributes.
    e       email address
    mail    email address
    uid     UNIX user ID
For example, consider a certificate map named example containing the following FilterComps specification.
    example:FilterComps mail,uid
Then searches for the user entry matching the certificate use the filter "(&(mail=email-addr-from-cert)(uid=uid-from-cert))".
The default behavior, when this property is commented out or not specified, is to use the filter "(objectclass=*)".
verifycert
Specifies whether the client application certificate is checked to make sure it is valid and not revoked.
This property can be usefully set to on if the directory stores client application certificates.
The default behavior is the same as off, meaning client certificates are not checked to be valid and not revoked.
CmapLdapAttr
Specifies the name of the LDAP attribute in the directory containing the subject DN of the certificate.
The implied default value is certSubjectDN, which is not a standard LDAP attribute.
If the LDAP attribute used is not of syntax DN, its value must match the subject DN provided exactly, as the LDAP server does not normalize DN values that are not stored in attributes with DN syntax.
library
Specifies a shared plug-in library or DLL containing custom certificate mapping code.
There is no default.
InitFn
Specifies the initialization function for the custom certificate mapping code in the library referenced by the value of the library property.
There is no default.
The following certmap.conf file specifies both a default certificate map, and an additional certificate map for certificates from the US subsidiary of Example.com.
    # Example certmap.conf
    certmap default default
    certmap examplecerts ou=Example.com, o=examplecerts, c=US
    examplecerts:DNComps ou,o,c
    examplecerts:FilterComps e
    examplecerts:verifycert on
When the server gets a certificate issued by any certificate authority other than the US subsidiary of Example.com, it uses the default mapping. If the certificate however has been issued by the US subsidiary of Example.com, the server looks for entries under the branch for the organizational unit and searches for entries using the client email address. It also verifies that such certificates are valid and that they are not revoked.
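The following Python is an added illustration, not Directory Server's own mapping code: it parses a constructed certmap.conf modelled on the example above, selects the map by exact issuer DN match (whitespace included), and derives the base DN, search filter and verifycert setting according to the DNComps and FilterComps rules described on this page. It assumes that a FilterComps component name is used directly as the LDAP attribute name in the filter.

```python
CERTMAP_CONF = """\
# Constructed certmap.conf, modelled on the page's example
certmap default default
certmap examplecerts ou=Example.com, o=examplecerts, c=US
examplecerts:DNComps ou,o,c
examplecerts:FilterComps e
examplecerts:verifycert on
"""

def parse_certmap(text):
    """Return {map name: {"issuer": issuerDN, "props": {property: value}}}."""
    maps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):        # comment lines start with #
            continue
        if line.startswith("certmap "):
            _, name, issuer = line.split(None, 2)    # issuer DN kept verbatim, whitespace included
            maps[name] = {"issuer": issuer, "props": {}}
        else:
            key, _, value = line.partition(" ")      # "name:property [value]"; value may be empty
            name, _, prop = key.partition(":")
            maps[name]["props"][prop.lower()] = value.strip()
    return maps

def select_map(maps, issuer_dn):
    """Exact string match on the issuer DN (whitespace is significant), else the default map."""
    for name, cmap in maps.items():
        if name != "default" and cmap["issuer"] == issuer_dn:
            return cmap
    return maps["default"]

def search_spec(cmap, subject_rdns, cert_attrs):
    """Derive (base DN, filter, verifycert) from the ordered subject DN [(type, value)] and the
    certificate's e/mail/uid values (assumption: component name doubles as LDAP attribute)."""
    props = cmap["props"]
    if "dncomps" not in props:                      # not specified: subject DN is the base DN
        base = ",".join(f"{t}={v}" for t, v in subject_rdns)
    elif props["dncomps"] == "":                    # empty: null suffix, every suffix is searched
        base = ""
    else:
        wanted = [c.strip().lower() for c in props["dncomps"].split(",")]
        base = ",".join(f"{t}={v}" for t, v in subject_rdns if t.lower() in wanted)
    if "filtercomps" not in props:                  # not specified: match any entry under the base
        filt = "(objectclass=*)"
    else:
        comps = [c.strip() for c in props["filtercomps"].split(",")]
        terms = "".join(f"({c}={cert_attrs[c]})" for c in comps)
        filt = f"(&{terms})" if len(comps) > 1 else terms
    return base, filt, props.get("verifycert", "off").lower() == "on"
```

Note that the issuer DN written without the spaces after the commas falls through to the default map, which is the whitespace sensitivity described above.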
See attributes(5) for descriptions of the following attributes: