Certificate mapping determines how a server looks up a user entry in the LDAP directory. You can use the certmap.conf file to configure how a certificate, designated by name, is mapped to an LDAP entry. You edit this file and add entries to match the organization of your LDAP directory, and to list the certificates you want your users to have. Users can be authenticated based on user ID, email address, or any other value used in the subjectDN. Specifically, the mapping file defines the following information:
■ Where in the LDAP tree the server should begin the search
■ What certificate attributes the server should use as search criteria when searching for the entry in the LDAP directory
■ Whether the server goes through an additional verification process
The certificate mapping file is found in the following location:
server-root/userdb/certmap.conf
The file contains one or more named mappings, each applying to a different CA. A mapping has the following syntax:
certmap name issuerDN
name:property [value]
The first line specifies a name for the entry and the attributes that form the distinguished name found in the CA certificate. The name is arbitrary and can be defined to whatever you prefer. However, issuerDN must exactly match the issuer DN of the CA that issued the client certificate. For example, the following two issuer DN lines differ only in the spaces separating the attributes, but the server treats these two entries as different:
certmap sun1 ou=Sun Certificate Authority,o=Sun,c=US
certmap sun2 ou=Sun Certificate Authority, o=Sun, c=US
Note – If you are using Oracle Directory Server Enterprise Edition and experiencing problems in matching the issuer DN, check the Directory Server error logs for useful information.
The second and subsequent lines in the named mapping match properties with values. The certmap.conf file has six default properties. You can also use the certificate API to customize your own properties. The default properties are:
■ DNComps is a list of comma-separated attributes used to determine where in the LDAP directory the server should start searching for entries that match the user's information, that is, the owner of the client certificate. The server gathers values for these attributes from the client certificate and uses the values to form an LDAP DN, which then determines where the server starts its search in the LDAP directory. For example, if DNComps is set to use the o and c attributes of the DN, the server starts the search from the o=org, c=country entry in the LDAP directory, where org and country are replaced with values from the DN in the certificate.
Note the following situations:
■ If there is no DNComps entry in the mapping, the server uses either the CmapLdapAttr setting or the entire subject DN in the client certificate, that is, the end user’s information.
■ If the DNComps entry is present but has no value, the server searches the entire LDAP tree for entries matching the filter.
■ FilterComps is a list of comma-separated attributes used to create a filter by gathering information from the user's DN in the client certificate. The server uses the values for these attributes to form the search criteria used to match entries in the LDAP directory. If the server finds one or more entries in the LDAP directory that match the user's information gathered from the certificate, the search is successful and the server optionally performs a verification.
For example, if FilterComps is set to use the email address and user ID attributes (FilterComps=e,uid), the server searches the directory for an entry whose values for email and user ID match the end user's information gathered from the client certificate. Email addresses and user IDs are good filters because they are usually unique entries in the directory. The filter must be specific enough to match one and only one entry in the LDAP database.
The attribute names for the filters need to be attribute names from the certificate, not from the LDAP directory. For example, some certificates have an e attribute for the user’s email address, whereas LDAP calls that attribute mail.
The following table lists the attributes for x509v3 certificates.
TABLE 5–2 Attributes for x509v3 Certificates
Attribute    Description
c            Country
o            Organization
cn           Common name
l            Location
st           State
ou           Organizational unit
uid          UNIX/Linux userid
email        Email address
■ verifycert tells the server whether the client's certificate should be compared with the certificate found in the LDAP directory. This property takes two values: on and off. Use this property only if your LDAP directory contains certificates. The check is a comparison against the certificate stored on the user's entry, not a CRL or OCSP lookup: the certificate the user presents must be the one the directory holds for that user, so removing or replacing the stored certificate is how you stop an old one from being accepted. This makes the feature useful to ensure that end users have a valid, unrevoked certificate.
■ CmapLdapAttr is a name for the attribute in the LDAP directory that contains subject DNs from all certificates belonging to the user. The default for this property is certSubjectDN. This attribute is not a standard LDAP attribute, so to use this property, you must extend the LDAP schema. For more information, see Introduction to SSL.
If this property exists in the certmap.conf file, the server searches the entire LDAP directory for an entry whose attribute named with this property matches the subject's full DN taken from the certificate. If no entries are found, the server retries the search using the DNComps and FilterComps mappings.
This approach to matching a certificate to an LDAP entry is useful when matching entries using DNComps and FilterComps is difficult.
■ Library is the path name to a shared library or DLL. Use this property only if you create your own properties using the certificate API.
■ InitFn is the name of an init function from a custom library. Use this property only if you create your own properties using the certificate API.
For more information about these properties, refer to the examples described in "Sample Mappings" on page 105.
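The following Python model is an added example, not code from this guide or from the web server itself. It reads a constructed certmap.conf, selects the mapping by exact issuer DN (so the sun1/sun2 spacing difference above really does select different mappings), and then derives the LDAP search base and filter from DNComps, FilterComps and CmapLdapAttr following the rules stated in this section, including the two DNComps edge cases and the CmapLdapAttr retry. The sample certmap.conf, the sun3 mapping, the e/email to mail translation table and the treatment of a mapping without FilterComps (no filter at all) are assumptions made for the example; the page does not define that last case.

```python
"""Model of how a server applies certmap.conf to a client certificate:
pick the mapping by exact issuer DN, then derive the LDAP search base and
filter from DNComps, FilterComps and CmapLdapAttr as described on this page."""
from dataclasses import dataclass, field

# Constructed sample certmap.conf (not shipped with any product). sun1 and sun2
# differ only in the spaces inside the issuer DN; sun3 relies on CmapLdapAttr.
SAMPLE_CERTMAP = """\
certmap sun1 ou=Sun Certificate Authority,o=Sun,c=US
sun1:DNComps o,c
sun1:FilterComps uid
sun1:verifycert on

certmap sun2 ou=Sun Certificate Authority, o=Sun, c=US
sun2:DNComps
sun2:FilterComps e,uid

certmap sun3 ou=Example Root CA,o=Example,c=US
sun3:CmapLdapAttr certSubjectDN
sun3:FilterComps cn
"""

# Assumption: certificate attribute names that the LDAP directory spells
# differently (the page gives e -> mail as its example).
CERT_TO_LDAP_ATTR = {"e": "mail", "email": "mail"}


@dataclass
class Mapping:
    name: str
    issuer_dn: str
    props: dict = field(default_factory=dict)  # property -> value ("" if none given)


def parse_certmap(text):
    """Parse certmap.conf text into {mapping name: Mapping}."""
    mappings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("certmap "):
            # "certmap name issuerDN": the issuer DN is stored byte-for-byte.
            _, name, issuer_dn = line.split(None, 2)
            mappings[name] = Mapping(name, issuer_dn)
        else:
            # "name:property [value]": a missing value is recorded as "".
            head, _, value = line.partition(" ")
            name, _, prop = head.partition(":")
            mappings[name].props[prop] = value.strip()
    return mappings


def find_mapping(mappings, issuer_dn):
    """Exact string match on the issuer DN: 'o=Sun,c=US' and 'o=Sun, c=US'
    select different mappings (or none), exactly as the page warns."""
    return next((m for m in mappings.values() if m.issuer_dn == issuer_dn), None)


def parse_dn(dn):
    """Split 'attr=value,attr=value' into [(attr, value)]; escaped commas and
    multi-valued RDNs are out of scope for this model."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def escape_filter_value(value):
    """RFC 4515 escaping. The subject DN is whatever the CA signed, so its
    values must not be able to change the structure of the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_searches(mapping, subject_dn):
    """Return the (base, filter) searches the server would run, in order.
    base == "" means the whole directory tree; filter None means the mapping
    has no FilterComps (assumption: the page defines no filter for that case)."""
    values = dict(parse_dn(subject_dn))
    props = mapping.props
    searches = []
    # CmapLdapAttr: first look anywhere for an entry holding the full subject
    # DN; if that finds nothing, the DNComps/FilterComps search is retried.
    if "CmapLdapAttr" in props:
        attr = props["CmapLdapAttr"] or "certSubjectDN"
        searches.append(("", "(%s=%s)" % (attr, escape_filter_value(subject_dn))))
    if "DNComps" not in props:
        base = subject_dn          # no DNComps line: the entire subject DN is the base
    elif props["DNComps"] == "":
        base = ""                  # DNComps present but empty: search the whole tree
    else:                          # DN formed from the listed attributes, in that order
        comps = [a.strip().lower() for a in props["DNComps"].split(",")]
        base = ",".join("%s=%s" % (a, values[a]) for a in comps if a in values)
    # FilterComps names certificate attributes; translate to LDAP names where they differ.
    comps = [a.strip().lower() for a in props.get("FilterComps", "").split(",") if a.strip()]
    terms = ["(%s=%s)" % (CERT_TO_LDAP_ATTR.get(a, a), escape_filter_value(values[a]))
             for a in comps if a in values]
    filt = terms[0] if len(terms) == 1 else ("(&%s)" % "".join(terms) if terms else None)
    searches.append((base, filt))
    return searches


def verify_required(mapping):
    """verifycert on: the presented certificate must also equal one stored on the entry."""
    return mapping.props.get("verifycert", "off") == "on"


if __name__ == "__main__":
    maps = parse_certmap(SAMPLE_CERTMAP)
    subject = "uid=jdoe,e=jdoe@example.com,ou=People,o=Sun,c=US"
    for issuer in ("ou=Sun Certificate Authority,o=Sun,c=US",
                   "ou=Sun Certificate Authority, o=Sun, c=US"):
        m = find_mapping(maps, issuer)
        print(issuer, "->", m.name, build_searches(m, subject), "verify:", verify_required(m))
```

The filter values are escaped because the subject DN is attacker-influenced input to the server's LDAP query: a CA that issues a certificate with a subject such as cn=Jane (Admin)* must not be able to turn a FilterComps lookup into a wildcard or a different filter expression.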