The Subject Attribute to User Attribute certificate mapper attempts to map a client certificate to a user entry based on a set of attributes that they have in common. In particular, it takes the values of a specified set of attributes from the certificate subject and attempts to locate user entries that contain those same values in a corresponding set of attributes.
Use dsconfig to set the properties of this certificate mapper:
subject-attribute-mapping. Specifies a multivalued property that is used to map attributes from the certificate subject to attributes in user entries. Values for this attribute consist of the name of the attribute in the certificate subject followed by a colon and the name of the corresponding attribute in the user's entry. For example, the value e:mail maps the e attribute from the certificate subject to the mail attribute in user entries. At least one attribute mapping must be defined.
user-base-dn. Specifies a multivalued property that is used to specify the set of base DNs below which the server is to look for matching entries. If this is not present, then the server searches below all public naming contexts.
The following example uses dsconfig to configure the Subject Attribute to User Attribute certificate mapper:
$ dsconfig -D "cn=directory manager" -w password -n set-certificate-mapper-prop \
    --mapper-name "Subject Attribute to User Attribute" --advanced
If multiple attribute mappings are defined, then the server combines them with an AND search. For example, if two mappings are defined, cn:cn and e:mail, and the server is presented with a certificate having a subject of E=email@example.com,CN=John Doe,O=Example Corp,C=US, then it generates a search filter of (&(cn=John Doe)(mail=email@example.com)). Any attribute for which a mapping is defined but that is not contained in the certificate subject is not included in the generated search filter. All attributes that can be used in generated search filters should have corresponding indexes in all back-end databases that can be searched by this certificate mapper.
For the mapping to be successful, the generated search filter must match exactly one user in the directory (within the scope of the base DNs for the mapper). If no users match the generated criteria or if multiple users match, then the mapping fails.
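The filter construction and the exactly-one-match rule described above, as an added worked example that is not the server's own code. It assumes mappings in the same certAttr:userAttr form as subject-attribute-mapping, escapes subject values per RFC 4515 before placing them in the filter, and uses a constructed in-memory dictionary of entries (SAMPLE_ENTRIES) in place of a search below user-base-dn.

```python
import re

# RFC 4515 escaping for values placed in a search filter: a subject value such as
# "Doe)(objectClass=*" must not be able to rewrite the generated filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def parse_subject(subject):
    # 'E=a@b,CN=John Doe,O=Example Corp,C=US' -> {'e': ['a@b'], 'cn': ['John Doe'], ...}
    attrs = {}
    for rdn in re.split(r"(?<!\\),", subject):
        name, _, value = rdn.partition("=")
        attrs.setdefault(name.strip().lower(), []).append(value.strip().replace("\\,", ","))
    return attrs

def mapped_pairs(subject, mappings):
    # Apply 'certAttr:userAttr' mappings; a mapped attribute missing from the subject yields nothing.
    subject_attrs = parse_subject(subject)
    for mapping in mappings:
        cert_attr, user_attr = mapping.split(":", 1)
        for value in subject_attrs.get(cert_attr.lower(), []):
            yield user_attr, value

def build_filter(subject, mappings):
    # The search filter the mapper would issue, or None when no mapped attribute is present.
    clauses = ["(%s=%s)" % (a, escape_filter_value(v)) for a, v in mapped_pairs(subject, mappings)]
    if not clauses:
        return None
    return clauses[0] if len(clauses) == 1 else "(&" + "".join(clauses) + ")"

# Constructed sample entries standing in for a backend below ou=People,dc=example,dc=com.
SAMPLE_ENTRIES = {
    "uid=jdoe,ou=People,dc=example,dc=com": {"cn": "John Doe", "mail": "email@example.com"},
    "uid=jdoe2,ou=People,dc=example,dc=com": {"cn": "John Doe", "mail": "john2@example.com"},
}

def map_certificate(subject, mappings, entries):
    # Exactly one entry must satisfy every clause (case-insensitive equality, as cn and mail
    # match in LDAP); zero or several matches is a failed mapping and returns None.
    wanted = {a.lower(): v.lower() for a, v in mapped_pairs(subject, mappings)}
    if not wanted:
        return None
    matches = [dn for dn, attrs in entries.items()
               if all(attrs.get(a, "").lower() == v for a, v in wanted.items())]
    return matches[0] if len(matches) == 1 else None
```

With only cn:cn mapped, the two sample entries that share cn=John Doe make the mapping ambiguous and it fails; adding e:mail narrows the AND filter to a single entry.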