certmap.conf(4) (Sun Directory Server Enterprise Edition 7.0 Man Page Reference)

Sun Directory Server Enterprise Edition 7.0 Man Page Reference

certmap.conf(4)

Name

certmap.conf– Map certificates to directory entries

Synopsis

Location: instance-path/alias/certmap.conf

# This is a comment.
certmap default default
[default:property1 [value1]]
[default:property2 [value2]]
[…]

[certmap name issuerDN
[name:property1 [value1]]
[name:property2 [value2]]
…
]

Description

The certmap.conf file defines how Directory Server maps certificates to directory entries.

Comment lines are those starting with #.

CERTIFICATE MAPPINGS

The certmap.conf file consists of a series of certificate maps. It begins with a default certificate map, starting with the line:

certmap default default

Each subsequent certificate map starts with a line identifying the name of the map and the certificate authority issuer DN of the certificates to which the map applies.

The issuerDN string specified in the certificate map must correspond exactly to the issuer DN shown in the certificates. In particular, whitespace in the issuer DN is significant.

PROPERTIES AND VALUES

A certificate map also optionally specifies values for the following properties.

DNComps

Specifies a comma separated list of relative distinguished name components of the base DN for an LDAP search to find the user entry matching the certificate. The components are taken from the subject DN of the certificate.

When the value of this property value is left empty, the base DN is the null suffix. In this particular case, searching against the null suffix in Directory Server searches every suffix in the directory. Thus leaving DNComps empty can have negative impact on performance.

The default behavior, when this property is commented out or not specified, is to take as the base DN the subject DN of the certificate.

FilterComps

Specifies a comma separated list of LDAP attributes to form a filter for an LDAP search to find the user entry matching the certificate. The values for the filter are taken from the certificate, which can hold the following attributes.

c: Country
cn: Common name
e mail: Email address
l: Location
o: Organization
ou: Organizational unit
st: State
uid: UNIX user ID

For example, consider a certificate map named example containing the following FilterComps specification.

example:FilterComps e,uid

Then searches for the user entry matching the certificate use the filter "(&(mail=email-addr-from-cert)(uid-from-cert))".

The default behavior, when this property is commented out or not specified, is to use the filter "(objectclass=*)".

verifycert

Specifies whether the client application certificate is checked to make sure it is valid and not revoked.

This property can be usefully set to on if the directory stores client application certificates.

The default behavior is the same as off, meaning client certificates are not checked to be valid and not revoked.

CmapLdapAttr

Specifies the name of the LDAP attribute in the directory containing the subject DN of the certificate.

The implied default value is certSubjectDN, not a standard LDAP attribute.

Note –

If the LDAP attribute used is not of syntax DN, its value must match the subject DN provided exactly as the LDAP server does normalize DN values that are not stored in attributes with DN syntax.

library

Specifies a shared plug-in library or DLL containing custom certificate mapping code.

There is no default.

InitFn

Specifies the initialization function for the custom certificate mapping code in the library referenced by the value of the library property.

There is no default.

Examples

The following certmap.conf file specifies both a default certificate map, and an additional certificate map for certificates from the US subsidiary of Example.com.

# Example certmap.conf
certmap default default

certmap examplecerts ou=Example.com, o=examplecerts, c=US
examplecerts:DNComps ou,o,c
examplecerts:FilterComps e
examplecerts:verifycert on

When the server gets a certificate issued by any certificate authority other than the US subsidiary of Example.com, it uses the default mapping. If the certificate however has been issued by the US subsidiary of Example.com, the server looks for entries under the branch for the organizational unit and searches for entries using the client email address. It also verifies that such certificates are valid and that they are not revoked.

Attributes

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE	ATTRIBUTE VALUE
Availability	SUNWdsee7
Stability Level	Evolving