Mapping Client Certificates to LDAP
This section describes the process followed by the Sun Java System Web Server to map a client certificate to an entry in an LDAP directory.
When the server gets a request from a client, it asks for the client’s certificate before proceeding. Some clients send the client certificate to the server along with the request.
Note –
Before mapping client certificates to LDAP, you need to set up the required ACLs. For more information, see Chapter 10, Controlling Access to Your Server.
The server tries to match the CA to the list of trusted CAs in the Administration Server. If there is no match, the Sun Java System Web Server terminates the connection. If a match occurs, the server continues processing the request.
After verifying that the certificate is from a trusted CA, the server maps the certificate to an LDAP entry using the following methods:
-
Mapping the issuer and subject DN from the client certificate to a branch point in the LDAP directory.
-
Searching the LDAP directory for an entry that matches the information about the subject (end-user) of the client certificate.
-
(Optional) Verifying the client certificate with another certificate in the LDAP entry that corresponds to the DN.
The server uses a certificate mapping file called the certmap.conffile to determine how to do conduct LDAP search. The mapping file provides the server with values to get from the client certificate (such as the end-user’s name and email address). The server uses these values to search for a user entry in the LDAP directory. First the server needs to determine where in the LDAP directory it needs to start its search. The certificate mapping file also tells the server where to start.
Once the server knows where to start its search and what it needs to search for (step 1), it performs the search in the LDAP directory (step 2). If it finds no matching entry or more than one matching entry, and the mapping is not set to verify the certificate, the search fails. For a complete list of the expected search result behavior, see the following Table 6-1. Note that you can specify the expected behavior in an ACL. For example, you can specify that Sun Java System Web Server accepts only you if the certificate match fails. For more information regarding how to set ACL preferences, see Using Access Control Files.
Table 6–1 LDAP Search Results|
LDAP Search Result |
Certificate Verification ON |
Certificate Verification OFF |
|---|---|---|
|
No entry found |
Authentication fails |
Authentication fails |
|
Exactly one entry found |
Authentication fails |
Authentication succeeds |
|
More than one entry found |
Authentication fails |
Authorization fails |
After the server finds a matching entry and certificate in the LDAP directory, it can use that information to process the transaction. For example, some servers use certificate-to-LDAP mapping to determine access to another server.
- © 2010, Oracle Corporation and/or its affiliates