iPlanet Certificate Management System Plug-ins Guide: Chapter 5 Mapper Plug-in Modules

Previous Contents Index Next

iPlanet Certificate Management System Plug-ins Guide

Chapter 5 Mapper Plug-in Modules

You can configure a Certificate Manager to publish certificates to an LDAP directory or flat file, and to publish CRLs to a directory, online validation authority, or flat file. If you configure the Certificate Manager to publish to any of these repositories, when the Certificate Manager is requested to issue a certificate or to update certificate information, it automatically updates the corresponding entry in the configured repository with relevant information. Similarly, when a certificate is revoked, the Certificate Manager automatically updates the configured repositoty with relevant CRL information. To locate the correct entry in the repository, the Certificate Manager relies on object-mapping rules and to update the located entry with relevant information, the Certificate Manager relies on object-publishing rules.
To enable you to construct object-mapping rules, the Certificate Manager provides a set of mapper plug-in modules. These modules are implemented as Java classes and are registered with the Certificate Manager's publishing framework.
This chapter explains the mapper modules that are installed with a Certificate Manager—it lists and briefly describes the modules and then explains each one in detail.
The chapter has the following sections:

Overview of Mapper Modules

LdapCaSimpleMap Plug-in Module

LdapDNCompsMap Plug-in Module

LdapDNExactMap Plug-in Module

LdapSimpleMap Plug-in Module

LdapSubjAttrMap Plug-in Module

Overview of Mapper Modules

If you configure a Certificate Manager to publish to a directory, whenever the server issues a certificate or updates a certificate or CRL, it needs to locate the entry in the directory in order to update it. For example, to find the correct directory entry to update, the Certificate Manager needs to present Directory Server with search criteria (so that it can initiate an LDAP search operation); the Certificate Manager considers the search successful only if Directory Server returns a single LDAP entry that exactly matches the search criteria.
The Certificate Manager uses object-mapping rules to find the directory entry that needs to be updated. When configuring a Certificate Manager for publishing certificates and CRLs, you define mapping rules that help the server to construct appropriate search criteria that find the entry that needs to be updated.
Mapper modules help you configure the Certificate Manager to use specific rules to map or locate a specific entry, such as a CA's entry or an end-entity's entry, in a specified directory; once the correct entry is located, the server publishes the certificate or CRL to the correct attribute in the entry using a publisher rule, as explained in Chapter 6 "Publisher Plug-in Modules".
By default, the Certificate Manager provides a set of mapper plug-in modules for mapping the CA certificate, end-entity certificates, and CRLs to the appropriate entries in an LDAP directory; because it's not required to map entries in a flat file and online validation authority, no mapper modules are provided for mapping objects in a flat file or an online validation authority.
Plug-in modules are implemented as Java classes and are registered in the CMS publishing framework. The Mapper Plugin Registration tab of the CMS window (Figure 5-1) lists all the modules and the corresponding classes that are registered by default with a Certificate Manager.
Note that the name of the Java class for a mapper plug-in module is in this format:
com.netscape.certsrv.ldap.<plugin_name>
where <plugin_name> is the name of a plug-in module. For example, the Java class for the LdapCaSimpleMap module would be:
com.netscape.certsrv.ldap.LdapCaSimpleMap
Figure 5-1    Default mapper modules registered with a Certificate Manager

Table 5-1 lists the mapper modules provided for the Certificate Manager.

Table 5-1    Default mapper plug-in modules for mapping certificates and CRLs

Plug-in module name

Function

LdapCaSimpleMap

Maps the CA certificate to the CA's directory entry by formulating the entry's DN from components specified in the certificate's issuer name and attribute variable assertion (AVA) constants. Optionally, the plugin can also create an entry for the CA in the directory. For details, see "LdapCaSimpleMap Plug-in Module".

LdapDNCompsMap

Maps a certificate to a directory entry by formulating the entry's DN from components (such as CN, OU, O, and C) in the certificate's subject name and using it as the search DN to locate the entry in the directory. For details, see "LdapDNCompsMap Plug-in Module".

LdapDNExactMap

Maps a certificate to a directory entry by searching for the entry whose DN exactly matches the certificate subject name. For details, see "LdapDNExactMap Plug-in Module".

LdapSimpleMap

Maps a certificate to a directory entry by formulating the entry's DN from components specified in the certificate's subject name and attribute variable assertion (AVA) constants. For details, see "LdapSimpleMap Plug-in Module".

LdapSubjAttrMap

Maps a certificate to a directory entry by searching for the entry that contains the LDAP attribute named certSubjNameAttr whose value exactly matches the certificate subject name. For details, see "LdapSubjAttrMap Plug-in Module".

After you take a look at the default mapper modules, if you determine that they do not meet your requirements entirely, you can develop a custom mapper module by implementing the following Java interface:
com.netscape.certsrv.ldappublish.ILdapMapper
For more information about this interface, check the CMS software development kit (SDK) installed at this location:
<server_root>/cms_sdk/cms_jdk
Be sure to take a look at the samples available at this location:
<server_root>/cms_sdk/cms_jdk/samples/mappers
When developing a custom mapper module, you may want to intercept LDAP error 52 and reword it so that the correct error message gets logged. To give you an example, if the publishing directory has been stopped, the server logs the following message in its error and system logs:
Error publishing CRL MasterCRL: Cannot find a match in the LDAP server for certificate. netscape.ldap.LDAPException: unable to establish connection (52); DSA is unavailable.
Notice that the error message incorrectly says DSA is unavailable instead of Directory Server is unavailable.
For instructions on how to configure a Certificate Manager to use a mapper module, see section "Configuring a Certificate Manager to Publish Certificates and CRLs" in Chapter 19, "Setting Up LDAP Publishing" of CMS Installation and Setup Guide.

LdapCaSimpleMap Plug-in Module

The LdapCaSimpleMap plug-in module implements the CA certificate mapper. This mapper enables you to configure a Certificate Manager to automatically create an entry for the CA in an LDAP directory and then map the CA's certificate to the directory entry by formulating the entry's DN from components specified in the certificate request, certificate subject name, certificate extension, and attribute variable assertion (AVA) constants. For more information on AVAs, check the directory documentation.
The CA certificate mapper allows you to specify whether to create an entry for the CA or to just map the certificate to an existing entry, or to do both. For example, you can choose to manually create an entry for the CA in the directory and then configure the CA certificate mapper to just locate the entry by using attributes from the issuer name in the CA's signing certificate and AVA constants.
Note that if you already have one CA entry created in the publishing directory and if you change the value assigned to the dnPattern parameter of this mapper to something different, but with the same UID and O attributes, the mapper will fail to create the second CA entry. For example, if the directory already has a CA entry with UID=CA,OU=Marketing,O=Siroe.com and if you configure the mapper to create another CA entry with UID=CA,OU=Engineering,O=Siroe.com, the operation will fail.
The reason for the failure may be because you are using a directory (for example, the configuration directory) that has the uid uniqueness plug-in set to a specific base DN in the slapd.ldbm.conf file. This setting prevents the directory from having two entries with the same UID under that base DN. For example, it prevents the directory from having two entries under O=Siroe.com with the same UID, CA.
If the mapper fails to create a second CA entry, be sure to check the base DN that the uid uniqueness plug-in is set to (in the slapd.ldbm.conf file) and also check if an entry with the same UID already exists in the directory. If it's true, adjust the mapper setting, remove the old CA entry, comment out the plug-in, or create the entry manually using the CMS window.
During installation, the Certificate Manager automatically creates two instances (called mappers) of the CA certificate mapper module (see Figure 5-2). The mappers are named as follows:

LdapCrlMap for CRLs (see "LdapCrlMap Mapper")

LdapCaCertMap for CA certificates (see "LdapCaCertMap Mapper")
Figure 5-2    Default mappers created during installation

It is important that you review and customize these mappers. For instructions on modifying mappers or creating new mappers, section "Configuring a Certificate Manager to Publish Certificates and CRLs" in Chapter 19, "Setting Up LDAP Publishing" of CMS Installation and Setup Guide.

Configuration Parameters of LdapCaSimpleMap

In the CMS configuration file, the LdapCaSimpleMap module is identified as
ca.publish.mapper.impl.LdapCaSimpleMap.class=com.netscape.
certsrv.ldap.LdapCaSimpleMap.
In the CMS window, the module is identified as LdapCaSimpleMap. Figure 5-3 shows how the configurable parameters for the module are displayed in the CMS window.
Figure 5-3    Parameters defined in the LdapCaSimpleMap module

Table 5-2 describes these parameters.

Table 5-2    Description of parameters defined in the LdapCaSimpleMap module

Parameter

Description

createCAEntry

Specifies whether the Certificate Manager should create an entry for the CA in the publishing directory. Check the box if you want the server to create a CA's entry (default). Uncheck the box if you don't want the server to create an entry.
If you check the box, the Certificate Manager first attempts to create an entry for the CA in the directory. If the Certificate Manager succeeds in creating the entry, it then attempts to publish the CA's certificate to the entry. Note that the CA's entry DN in the directory will match the pattern you specify in the dnPattern field. For example, if the issuer DN (specified in the CA's signing certificate) is CN=testCA, OU=Research Dept, O=Siroe Corporation, C=US, and the dnPattern is set to CN=$subj.cn,OU=$subj.ou,O=$subj.o,C=US, the Certificate Manager creates an entry with CN=testCA, OU=Research Dept, O=Siroe Corporation, C=US as its DN.

dnPattern

Specifies the DN pattern the Certificate Manager should use to construct the DN in order to search for the CA's entry in the publishing directory. The value of dnPattern can be a list of AVAs separated by commas. An AVA can be a variable, such as CN=$subj.cn, that the Certificate Manager can derive from the certificate subject name, or a constant, such as O=Siroe Corporation.
Note that if your CA certificate does not have the CN component in its subject name, be sure to adjust the CA certificate mapping DN pattern to reflect the DN of the entry in the directory where the CA certificate is to be published. For example, if your CA certificate subject DN is O=Siroe Corporation and the CA's entry in the directory is cn=Certificate Authority, o=Siroe Corporation, the pattern should look like this: cn=Certificate Authority, o=$subj.o
(This rule applies to other mappers as well.)
Permissible values: A valid pattern that will enable the Certificate Manager to construct the DN for the CA's entry.
Example 1: uid=CertMgr, o=Siroe Corporation
Example 2: CN=$subj.cn,OU=$subj.ou,O=$subj.o,C=US
Example 3: uid=$req.HTTP_PARAMS.uid, E=$ext.SubjectAlternativeName.RFC822Name,ou=$subj.ou
In the above examples, $req means take the attribute from the certificate request, $subj means take the attribute from the certificate subject name, and $ext means take the attribute from the certificate extension.

LdapCaCertMap Mapper

The mapper named LdapCaCertMap is an instance of the LdapCaSimpleMap module. The Certificate Manager automatically creates this mapper during installation.
You can use this mapper for creating an entry for the CA in the directory and for mapping the CA certificate to the CA's entry in the directory.
By default, the mapper is configured to create an entry for the CA in the directory and the default DN pattern for locating the CA's entry is as follows:
UID=$subj.cn,OU=people,O=$subj.o

LdapCrlMap Mapper

The mapper named LdapCrlMap is an instance of the LdapCaSimpleMap module. The Certificate Manager automatically creates this mapper during installation.
You can use this mapper for creating an entry for the CA in the directory and for mapping the CRL to the CA's entry in the directory.
By default, the mapper is configured to create an entry for the CA in the directory and the default DN pattern for locating the CA's entry is as follows:
UID=$subj.cn,OU=people,O=$subj.o

LdapDNCompsMap Plug-in Module

The LdapDNCompsMap plug-in module implements the DN components mapper. This mapper enables you to configure a Certificate Manager to map a certificate to an LDAP directory entry by constructing the entry's distinguished name from components (such as CN, OU, O, and C) specified in the certificate subject name, and then using it as the search DN to locate the entry in the directory. You can use this mapper to locate the following:

The CA's entry in the directory for publishing the CA certificate and the CRL.

End-entity entries in the directory for publishing end-entity certificates.
The mapper requires you to specify values for three parameters, filterComps, dnComps, and baseDN, which are explained in Table 5-3. In general, the mapper takes DN components to build the search DN. The mapper also takes an optional root search DN. The server uses the DN components to form an LDAP entry to begin a subtree search and the filter components to form a search filter for the subtree. If none of the DN components are configured, the server uses the base DN for the subtree. If the base DN is null and none of the DN components match, an error is returned. If none of the DN components and filter components match, an error is returned. If the filter components are null, a base search is performed.
Note that both DNComps and filterComps parameters accept valid DN components or attributes separated by commas. The parameters don't accept multiple entries of an attribute; for example, you can set filterComps to CN,OU, but not to CN,OU2,OU1. If there's a need for you to support such a filter, for example, if your directory entries contain multiple OUs and you want to use multiple OUs in your filterComps for filtering entries, you can modify the source code for the LdapDNCompsMap module. The java class for the module is in this directory: <server_root>/cms_sdk/cms_jdk/samples/mappers
The discussion below explains how mapping by DN components works. It is recommended that you read this before configuring a Certificate Manager to use this mapper.
Subject names in certificates are in distinguished-name format. A distinguished name (DN) uniquely identifies an entry in an LDAP directory. The DN consists of components that help identify the entry; for details, see Appendix , "Distinguished Names."
The following components are commonly used in DNs:

UID, which represents the user ID of a user in the directory

CN, which represents the common name of a user in the directory

OU, which represents an organizational unit in the directory

O, which represents an organization in the directory

L, which represents a locality in the directory

ST, which represents a state in the directory

C, which represents a country in the directory
For example, the following DN represents the user named Jane Doe who works for the Sales department at Siroe Corporation, which is located in Mountain View in the state of California, United States:
CN=Jane Doe, E=jdoe@siroe.com, OU=Sales, O=Siroe Corporation, L=Mountain View, ST=California, C=US
The Certificate Manager uses the components in subject names to construct a DN that it can use as the base for searching specific directory entries in order to publish the corresponding certificate information.
For example, suppose the subject name in the certificate is in this form:
CN=Jane Doe, OU=Sales, O=Siroe Corporation, L=Mountain View, ST=California, C=US
The Certificate Manager can use some or all of these components (CN, OU, O, L, ST, and C) to build a DN for searching the directory. When creating a mapper rule, you can specify the components the server should use to build a DN (that is, components to match attributes in the directory). You do this by configuring the dnComps parameter; for details, see Table 5-3.
For example, assume you entered components CN, E, OU, O, and C as values for the dnComps parameter. For locating Jane Doe's entry in the directory, the Certificate Manager constructs the following DN by reading the DN attribute values from the certificate, and uses the DN as the base for searching the directory:
CN=Jane Doe, OU=Sales, O=Siroe Corporation, C=US
Note the following:

A subject name does not need to have all of the components that you specify for the dnComps parameter. The server ignores any components that are not part of the subject name (such as L, ST, and E in this example).

Unspecified components are not used to build the DN. In the example, if you did not include the OU component, the server would use this DN as the base for searching the directory: CN=Jane Doe, O=Siroe Corporation, C=US
In general, for the dnComps parameter, you should enter those DN components that the Certificate Manager can use to form the LDAP DN exactly. In certain situations, however, the subject name in a certificate may match more than one entry in the directory. Then, the Certificate Manager might not get a single, distinct matching entry from the DN. For example, the subject name
CN=Jane Doe, OU=Sales, O=Siroe Corporation, C=US
might match two users with the name Jane Doe in the directory. If that occurred, the Certificate Manager would need additional criteria to determine which entry corresponds to the subject of the certificate.
To specify the components the Certificate Manager must use to distinguish between different entries in the directory, use the filterComps parameter; for details, see Table 5-3. For example, if you entered CN, OU, O, and C as values for the dnComps parameter, enter L for the filterComps parameter only if the L attribute can be used to distinguish between entries with identical CN, OU, O, and C values.
Consider another example that shows how two directory entries with similar DNs can be differentiated by the value of the UID attribute:
Assume that the two Jane Doe entries are distinguished by the value of the UID attribute. One entry's UID value is janedoe1 and the other entry's UID value is janedoe2. Because the UID attribute corresponds to the UID component in a DN, you can set up the subject names of certificates to include the UID component.

Note Generally, the E, L, and ST components are not included in the standard set of certificate request forms provided for end entities. You can add these components to the forms, or you can have the issuing agents insert these components when editing the subject name in the certificate issuance forms.

Configuration Parameters of LdapDNCompsMap

In the configuration file, the LdapCertCompsMap module is identified as
ca.publish.mapper.impl.LdapDNCompsMap.class=com.netscape.
certsrv.ldap.LdapCertCompsMap.
In the CMS window, the module is identified as LdapDNCompsMap. Figure 5-4 shows how the configurable parameters for the module are displayed in the CMS window.
Figure 5-4    Parameters defined in the LdapDNCompsMap module

With this configuration, a Certificate Manager maps its certificates with the ones in the LDAP directory by using the dnComps values to form a DN and the filterComps values to form a search filter for the subtree.

If the formed DN is null, the server uses the baseDN value for the subtree. If both the formed DN and base DN are null, the server logs an error.

If the filter is null, the server uses the baseDN value for the search. If both the filter and base DN are null, the server logs an error.
Table 5-3 describes these parameters.

Table 5-3    Description of parameters defined in the LdapDNCompsMap module

Parameter

Description

baseDN

Specifies the DN to start searching for an entry in the publishing directory. If you leave the dnComps field blank, the server uses the base DN value to start its search in the directory.
Permissible values: Alphanumeric string up to 255 characters; see "Base Distinguished Name".
Example: O=siroe.com

dnComps

Specifies where in the publishing directory the Certificate Manager should start searching for an LDAP entry that matches the CA's or the end entity's information (that is, the owner of the certificate).
The server uses the dnComps values to form an LDAP entry to begin a subtree search. The server gathers values for these attributes from the certificate subject name and uses the values to form an LDAP DN, which then determines where in the LDAP directory the server starts its search. For example, if you set dnComps to use the O and C attributes of the DN, the server starts the search from the O=<org>, C=<country> entry in the directory, where <org> and <country> are replaced with values from the DN in the certificate.
If you leave the dnComps field empty, the server checks the baseDN field and searches the directory tree specified by that DN for entries matching the filter specified by filterComps parameter values.
Permissible values: Valid DN components or attributes separated by commas.
Example: O,C

filterComps

Specifies components the Certificate Manager should use to filter entries from the search result. The server uses the filterComps values to form an LDAP search filter for the subtree. The server constructs the filter by gathering values for these attributes from the certificate subject name; it uses the filter to search for and match entries in the LDAP directory.
If the server finds one or more entries in the LDAP directory that match the information gathered from the certificate, the search is successful and the server optionally performs a verification. For example, if filterComps is set to use the email and user ID attributes (filterComps=e, uid), the server searches the directory for an entry whose values for email and user ID match the information gathered from the certificate.
Email addresses and user IDs are good filters because they are usually unique entries in the directory. Keep in mind that email is not always included in the certificate subject name. The filter needs to be specific enough to match one and only one entry in the LDAP database.
Permissible values: Valid directory attributes (in the certificate DN) separated by commas. The attribute names for the filters need to be attribute names from the certificate, not from ones in the LDAP directory. For example, most certificates have an E attribute for the user's email address; LDAP calls that attribute mail.
Example: UID

LdapDNExactMap Plug-in Module

The LdapDNExactMap plug-in module implements the subject name mapper. This mapper enables you to configure a Certificate Manager to map a certificate to an LDAP directory entry by searching for the LDAP entry DN that matches the certificate subject name. Note that to be able to use this mapper, each certificate subject name must exactly match a DN in a directory entry. For example, assume the certificate subject name is this: UID=jdoe, O=Siroe Corporation, C=US
When searching the directory for the entry, the Certificate Manager only searches for an entry whose DN is this: UID=jdoe, O=Siroe Corporation, C=US
If no matching entries are found, the server returns an error and does not publish the certificate.
This mapper does not require you to specify any values for any parameters because it obtains all values from the certificate (Figure 5-5).

Configuration Parameters of LdapDNExactMap

In the configuration file, the LdapDNExactMap module is identified as
ca.publish.mapper.impl.LdapDNExactMap.class=com.netscape.certsrv
.ldap.LdapCertExactMap.
In the CMS window, the module is identified as LdapDNExactMap. Figure 5-5 shows how the module looks when viewed in the CMS window.
Figure 5-5    The LdapDNExactMap module

LdapSimpleMap Plug-in Module

The LdapSimpleMap plug-in module implements the simple mapper. This mapper enables you to configure a Certificate Manager to map a certificate to an LDAP directory entry by formulating the entry's DN from components specified in the certificate request, certificate's subject name, certificate extension, and attribute variable assertion (AVA) constants. For more information on AVAs, see the directory documentation.
The simple mapper requires you to specify just one parameter, which is named dnPattern. The value of dnPattern can be a list of AVAs separated by commas. An AVA can be a variable, such as UID=$subj.UID, , or a constant, such as O=Siroe Corporation. Thr examples below illustrate how you can use AVAs to form the DN pattern.
Example 1: uid=CertMgr, o=Siroe Corporation
Example 2: CN=$subj.cn,OU=$subj.ou,O=$subj.o,C=US
Example 3: uid=$req.HTTP_PARAMS.uid,
E=$ext.SubjectAlternativeName.RFC822Name,ou=$subj.ou
In the above examples, $req means take the attribute from the certificate request, $subj means take the attribute from the certificate subject name, and $ext means take the attribute from the certificate extension.
By default, the Certificate Manager uses mapper rules that are based on the simple mapper. During installation, the Certificate Manager automatically creates an instance (called a mapper) of the simple mapper module. The mapper is named LdapUserCertMap (see Figure 5-2). You can use the default mapper to map various types of end-entity certificates the server will issue to their corresponding directory entries. For details, see "LdapUserCertMap Mapper".
It is important that you review and customize this mapper. For instructions on modifying mappers or creating new mappers, section "Configuring a Certificate Manager to Publish Certificates and CRLs" in Chapter 19, "Setting Up LDAP Publishing" of CMS Installation and Setup Guide.

Configuration Parameters of LdapSimpleMap

In the CMS configuration file, the LdapSimpleMap module is identified as
ca.publish.mapper.impl.LdapSimpleMap.class=com.netscape.certsrv.
ldap.LdapSimpleMap.
In the CMS window, the module is identified as LdapSimpleMap. Figure 5-6 shows how configurable parameters for the module are displayed in the CMS window.
Figure 5-6    Parameters defined in the LdapSimpleMap module

LdapUserCertMap Mapper

The rule named LdapUserCertMap is an instance of the LdapSimpleMap module. The Certificate Manager automatically creates this mapper during installation.
You can use this mapper for mapping end-user certificates to users' directory entries. The default DN pattern for locating end-user entries is as follows:
UID=$subj.UID, OU=people, O=$subj.o
The default pattern indicates that the Certificate Manager should use the UID and O values from the certificate subject name and a constant OU=people to construct the DN pattern in order to search for an entry.
For example, if the certificate subject name is
CN=Jane Doe, UID=jdoe, OU=people, O=Siroe Corporation, C=US
the Certificate Manager will construct the following DN to search the directory for the entry:
UID=jdoe, OU=people, O=Siroe Corporation

LdapSubjAttrMap Plug-in Module

The LdapSubjAttrMap plug-in module implements the subject attribute mapper. This mapper enables you to configure a Certificate Manager to map a certificate to an LDAP directory entry by using the LDAP attribute named certSubjectDN. Note that for you to be able to use this mapper, your directory entries must include the certSubjectDN attribute.
This mapper requires you to specify the exact pattern of the subject DN because the Certificate Manager searches the directory for the certSubjectDN attribute whose value exactly matches the entire subject DN specified in the mapper configuration. For example, assume the certificate subject name is this:
UID=jdoe, O=Siroe Corporation, C=US
When searching the directory for the entry, the Certificate Manager first searches for entries that have these attributes in common
certSubjectDN=UID=jdoe, O=Siroe Corporation, C=US
and then narrows down the search to an entry that has only this:
certSubjectDN=UID=jdoe, O=Siroe Corporation, C=US
If no matching entries are found, the server returns an error and writes it to the log; see section "Monitoring CMS Logs" in Chapter 23, "Managing CMS Logs" of CMS Installation and Setup Guide.

Configuration Parameters of LdapSubjAttrMap

In the configuration file, the LdapSubjAttrMap module is identified as
ca.publish.mapper.impl.LdapSubjAttrMap.class=com.netscape.
certsrv.ldap.LdapCertSubjMap.
In the CMS window, the module is identified as LdapSubjAttrMap. Figure 5-7 shows how configurable parameters for the module are displayed in the CMS window.
Figure 5-7    Parameters defined in the LdapSubjAttrMap module

Table 5-4 describes these parameters.

Table 5-4    Description of parameters defined in the LdapSubjAttrMap module

Parameter

Description

certSubjNameAttr

Specifies the name of the LDAP attribute that contains a certificate subject name as its value.
Permissible values: Must be certSubjectName.
Example: certSubjectName

searchBase

Specifies the base DN for starting the attribute search.
Permissible values: A valid DN of an LDAP entry.
Example: O=siroe.com, C=US

Plug-in module name	Function
LdapCaSimpleMap	Maps the CA certificate to the CA's directory entry by formulating the entry's DN from components specified in the certificate's issuer name and attribute variable assertion (AVA) constants. Optionally, the plugin can also create an entry for the CA in the directory. For details, see "LdapCaSimpleMap Plug-in Module".
LdapDNCompsMap	Maps a certificate to a directory entry by formulating the entry's DN from components (such as CN, OU, O, and C) in the certificate's subject name and using it as the search DN to locate the entry in the directory. For details, see "LdapDNCompsMap Plug-in Module".
LdapDNExactMap	Maps a certificate to a directory entry by searching for the entry whose DN exactly matches the certificate subject name. For details, see "LdapDNExactMap Plug-in Module".
LdapSimpleMap	Maps a certificate to a directory entry by formulating the entry's DN from components specified in the certificate's subject name and attribute variable assertion (AVA) constants. For details, see "LdapSimpleMap Plug-in Module".
LdapSubjAttrMap	Maps a certificate to a directory entry by searching for the entry that contains the LDAP attribute named certSubjNameAttr whose value exactly matches the certificate subject name. For details, see "LdapSubjAttrMap Plug-in Module".

Parameter	Description
createCAEntry	Specifies whether the Certificate Manager should create an entry for the CA in the publishing directory. Check the box if you want the server to create a CA's entry (default). Uncheck the box if you don't want the server to create an entry. If you check the box, the Certificate Manager first attempts to create an entry for the CA in the directory. If the Certificate Manager succeeds in creating the entry, it then attempts to publish the CA's certificate to the entry. Note that the CA's entry DN in the directory will match the pattern you specify in the dnPattern field. For example, if the issuer DN (specified in the CA's signing certificate) is CN=testCA, OU=Research Dept, O=Siroe Corporation, C=US, and the dnPattern is set to CN=$subj.cn,OU=$subj.ou,O=$subj.o,C=US, the Certificate Manager creates an entry with CN=testCA, OU=Research Dept, O=Siroe Corporation, C=US as its DN.
dnPattern	Specifies the DN pattern the Certificate Manager should use to construct the DN in order to search for the CA's entry in the publishing directory. The value of dnPattern can be a list of AVAs separated by commas. An AVA can be a variable, such as CN=$subj.cn, that the Certificate Manager can derive from the certificate subject name, or a constant, such as O=Siroe Corporation. Note that if your CA certificate does not have the CN component in its subject name, be sure to adjust the CA certificate mapping DN pattern to reflect the DN of the entry in the directory where the CA certificate is to be published. For example, if your CA certificate subject DN is O=Siroe Corporation and the CA's entry in the directory is cn=Certificate Authority, o=Siroe Corporation, the pattern should look like this: cn=Certificate Authority, o=$subj.o (This rule applies to other mappers as well.) Permissible values: A valid pattern that will enable the Certificate Manager to construct the DN for the CA's entry. Example 1: uid=CertMgr, o=Siroe Corporation Example 2: CN=$subj.cn,OU=$subj.ou,O=$subj.o,C=US Example 3: uid=$req.HTTP_PARAMS.uid, E=$ext.SubjectAlternativeName.RFC822Name,ou=$subj.ou In the above examples, $req means take the attribute from the certificate request, $subj means take the attribute from the certificate subject name, and $ext means take the attribute from the certificate extension.

Parameter	Description
baseDN	Specifies the DN to start searching for an entry in the publishing directory. If you leave the dnComps field blank, the server uses the base DN value to start its search in the directory. Permissible values: Alphanumeric string up to 255 characters; see "Base Distinguished Name". Example: O=siroe.com
dnComps	Specifies where in the publishing directory the Certificate Manager should start searching for an LDAP entry that matches the CA's or the end entity's information (that is, the owner of the certificate). The server uses the dnComps values to form an LDAP entry to begin a subtree search. The server gathers values for these attributes from the certificate subject name and uses the values to form an LDAP DN, which then determines where in the LDAP directory the server starts its search. For example, if you set dnComps to use the O and C attributes of the DN, the server starts the search from the O=<org>, C=<country> entry in the directory, where <org> and <country> are replaced with values from the DN in the certificate. If you leave the dnComps field empty, the server checks the baseDN field and searches the directory tree specified by that DN for entries matching the filter specified by filterComps parameter values. Permissible values: Valid DN components or attributes separated by commas. Example: O,C
filterComps	Specifies components the Certificate Manager should use to filter entries from the search result. The server uses the filterComps values to form an LDAP search filter for the subtree. The server constructs the filter by gathering values for these attributes from the certificate subject name; it uses the filter to search for and match entries in the LDAP directory. If the server finds one or more entries in the LDAP directory that match the information gathered from the certificate, the search is successful and the server optionally performs a verification. For example, if filterComps is set to use the email and user ID attributes (filterComps=e, uid), the server searches the directory for an entry whose values for email and user ID match the information gathered from the certificate. Email addresses and user IDs are good filters because they are usually unique entries in the directory. Keep in mind that email is not always included in the certificate subject name. The filter needs to be specific enough to match one and only one entry in the LDAP database. Permissible values: Valid directory attributes (in the certificate DN) separated by commas. The attribute names for the filters need to be attribute names from the certificate, not from ones in the LDAP directory. For example, most certificates have an E attribute for the user's email address; LDAP calls that attribute mail. Example: UID

Parameter	Description
certSubjNameAttr	Specifies the name of the LDAP attribute that contains a certificate subject name as its value. Permissible values: Must be certSubjectName. Example: certSubjectName
searchBase	Specifies the base DN for starting the attribute search. Permissible values: A valid DN of an LDAP entry. Example: O=siroe.com, C=US

Previous Contents Index Next
Copyright © 2001 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.

Last Updated April 02, 2001