Mapping Client Certificates to LDAP

This section describes the process the Proxy Server uses to map a client certificate to an entry in an LDAP directory.

When the server receives a request from a client, it asks for the client’s certificate before proceeding. Some clients send the client certificate to the server along with the request.

Before mapping client certificates to LDAP, you must also configure the required ACLs. For more information, see Chapter 8, Controlling Access to Your Server.

The server tries to match the CA to the list of trusted CAs in the Administration Server. If there is no match, Proxy Server ends the connection. If there is a match, the server continues processing the request.

After verifying the certificate is from a trusted CA, the server maps the certificate to an LDAP entry by doing the following:

• Mapping the issuer and subject DN from the client certificate to a branch point in the LDAP directory.

• Searching the LDAP directory for an entry that matches the information about the subject (end user) of the client certificate.

• (Optional) Verifying the client certificate with one in the LDAP entry that corresponds to the DN.

The server uses a certificate mapping file called certmap.conf to determine how the LDAP search is performed. The mapping file tells the server what values to take from the client certificate (such as the end user’s name, e-mail address, and so on). The server uses these values to search for a user entry in the LDAP directory, but first the server must determine where in the LDAP directory to start the search. The certificate mapping file also tells the server where to start.

Once the server knows where to start the search and what to search for (first point, above), it performs the search in the LDAP directory (second point). If it finds no matching entry or more than one matching entry, and the mapping is not set to verify the certificate, the search fails.

The following table lists the expected search result behavior. Note that you can specify the expected behavior in the ACL. For example, you can specify that the Proxy Server accepts only you if the certificate match fails. For more information about how to set the ACL preferences, see Using Access Control Files.

After the server finds a matching entry and certificate in the LDAP directory, it can use that information to process the transaction. For example, some servers use certificate-to-LDAP mapping to determine access to a server.