| Previous Contents Index Next |
| iPlanet Directory Server Access Management Edition Administration Guide |
Chapter 8 Certificate Authentication Attributes
The Certificate Authentication attributes are organization attributes. The values applied to them under Service Management become the default values for the Certificate Authentication template. A template is created for each organization when the organization registers for a service. The default values can be changed after registration by the organization's administrator. Organization attributes are not inherited by entries in the subtrees of the organization. The Certificate Authentication attributes are:
Match Certificate in LDAP
Attribute In Cert To Use To Search LDAP
Attribute In Cert To Use To Search CRL
LDAP Access Authentication Type
LDAP Server Principal Password
Field in Cert to Use to Access User Profile
Match Certificate in LDAP
This option specifies whether to check if the user certificate presented at login is stored in the LDAP Server. If no match is found, the user is denied access. If a match is found and no other validation is required, the user is granted access. The default is that the Certificate Authentication service does not check for the user certificate.
Note A certificate stored in the Directory Server is not necessarily valid; it may be on the certificate revocation list. See "Match Certificate to CRL".
Attribute In Cert To Use To Search LDAP
This field specifies the attribute of the certificate's SubjectDN value that will be used to search LDAP for certificates. The actual value will be used for the search. The default is CN.
Match Certificate to CRL
This option specifies whether to compare the user certificate against the Certificate Revocation List (CRL) in the LDAP Server. This check is performed against a user certificate after a matching user profile is found (see "Match Certificate in LDAP"). If the certificate is on the CRL, the user is denied access; if not, the user is allowed to proceed. This attribute is, by default, not enabled.
Attribute In Cert To Use To Search CRL
This field specifies the attribute of the received certificate's subjectDN value that will be used to search LDAP for revoked certificates. The actual value will be used for the search. The default is CN.
LDAP Server and Port
This field specifies the name and port number of the LDAP server where the certificates are stored. The default value is the host name and port specified when DSAME was installed. The host name and port of any LDAP Server where the certificates are stored can be used. The format is host_name:port.
LDAP Start Search DN
This field specifies the DN of the node where the search for the user's certificate should start. There is no default value. The field will recognize any valid DN.
LDAP Access Authentication Type
This menu specifies whether the name and password of the principal user are required for LDAP access and whether those values are sent as plain or encrypted text. The user ID of the principal user is specified in the LDAP Server Principal User field. The default value is none. The valid values are:
none — Access to LDAP does not require the name or password of the principal user.
simple — Access to LDAP requires a user name and password. These values are sent to LDAP in plain text.
CRAM-MD5 — Access to LDAP requires a user name and password. These values are sent to LDAP in encrypted text.
LDAP Server Principal User
This field accepts the DN of the principal user (usually Directory Manager) for the LDAP server where the certificates are stored. There is no default value for this field which will recognize any valid DN. The principal user must be authorized to read, and search certificate information stored in the Directory Server.
LDAP Server Principal Password
This field carries the LDAP password associated with the user specified in the LDAP Server Principal User field. There is no default value for this field which will recognize the valid LDAP password for the specified principal user.
Note This value is stored as readable text in the directory.
LDAP Attribute for Profile ID
This field specifies the attribute in the Directory Server entry that matches the certificate whose value should be used to identify the correct user profile. There is no default value for this field which will recognize any valid attribute in a user entry (cn, sn, and so on) that can be used as the user ID.
SSL On For LDAP Access
This option specifies whether to use SSL to access the LDAP server. The default is that the Certificate Authentication service does not use SSL for LDAP access.
Field in Cert to Use to Access User Profile
This menu specifies which field in the certificate should be used to search for a matching user profile. For example, if you choose email address, the certificate authentication service will search for the user profile that matches the attribute emailAddr in the user certificate. The user logging in then uses the matched profile. The default field is subject CN. The list contains:
email address
Alternate Attribute Name To Use To Access User Profile
If the value of the Field in Cert to Use to Access User Profile attribute is set to other, then this field specifies the attribute that will be selected from the received certificate's subjectDN value. The authentication service will then search the user profile that matches the value of that attribute.
Authentication Level
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. (The value in this attribute is not specifically used by DSAME but by any external application that may chose to use it.) If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0, the lowest authentication level.
Note If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Auth Level. See "Default Auth Level" for details.
Previous Contents Index Next
Copyright © 2002 Sun Microsystems, Inc. All rights reserved.
Last Updated May 09, 2002