HP-UX Directory Server 8.1 administrator guide

stored in the user's directory entry. By comparing the presented certificate with the stored one,
the server determines whether to allow access; a certificate can be revoked by removing it from
the user's entry.
If more than one directory entry contains the information in the user's certificate, the server can
examine all matching entries in order to determine which user is trying to authenticate. When
examining a directory entry, the server compares the presented certificate with the one stored
in the entry. If the presented certificate does not match any certificates or if the matching entries
do not contain certificates, client authentication fails.
After the server finds a matching entry and certificate in the directory, it can determine the
appropriate kind of authorization for the client. For example, some servers use information from
a user's entry to determine group membership, which in turn can be used during evaluation of
ACIs to determine what resources the user is authorized to access.
Three things are required for the Directory Server to allow client authentication:
The server must have SSL turned on. See “Starting the server with TLS/SSL enabled” for
more information.
The Administration Server must trust the CA that issued the certificate to the client, as
described in step 6 of “Step 4: Trust the certificate authority”.
The subject DN in the certificate must be mapped to the user DN through a mapping in the
certmap.conf file, as in “Mapping DNs to certificates”.
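The following is an added example, not code from the guide or from the Directory Server, that models the third requirement together with the entry comparison described above: a certmap-style mapping (DNComps for the search base, FilterComps for the filter, verifycert for the certificate comparison) derives a search from the certificate's subject DN, and the entry is accepted only when exactly one candidate holds a matching userCertificate. The DNComps/FilterComps semantics and the translation of the certificate's "e" attribute to the LDAP "mail" attribute are assumptions based on the Netscape certmap.conf format, not statements from this page.

```python
"""Model of certificate-based LDAP client authentication: map the
certificate's subject DN to directory entries (certmap-style DNComps /
FilterComps) and verify the presented certificate against userCertificate.
Added example; certmap.conf semantics here are assumptions, not from the guide."""
CERT_TO_LDAP = {"e": "mail"}  # assumption: cert 'e' maps to LDAP 'mail'

def parse_dn(dn):
    """'cn=Jane Doe,ou=People,o=Example' -> [('cn', 'Jane Doe'), ...]."""
    return [tuple(p.strip().split("=", 1)) for p in dn.split(",")]

def build_search(subject_dn, dn_comps, filter_comps, server_base):
    """Search base and equality terms the server derives from the subject DN.
    Empty DNComps -> search from server_base; empty FilterComps -> match all."""
    parts = [(t.lower(), v) for t, v in parse_dn(subject_dn)]
    base = ",".join(f"{t}={v}" for t, v in parts if t in dn_comps) or server_base
    terms = [(CERT_TO_LDAP.get(t, t), v) for t, v in parts if t in filter_comps]
    return base, terms

def matches(entry, base, terms):
    """Entry lies under base and satisfies every equality term of the filter."""
    dn = entry["dn"].lower()
    if dn != base.lower() and not dn.endswith("," + base.lower()):
        return False
    return all(entry.get(a, "").lower() == v.lower() for a, v in terms)

def authenticate(cert_der, subject_dn, entries, cfg):
    """Return the DN of the authenticated entry, or None if authentication fails."""
    base, terms = build_search(subject_dn, cfg["DNComps"], cfg["FilterComps"], cfg["base"])
    candidates = [e for e in entries if matches(e, base, terms)]
    if cfg.get("verifycert", True):
        # Compare the presented certificate with userCertificate in each candidate;
        # an entry with no stored certificate (revoked) or a different one is rejected.
        candidates = [e for e in candidates if e.get("userCertificate") == cert_der]
    # Exactly one entry must remain; zero or an ambiguous set means failure.
    return candidates[0]["dn"] if len(candidates) == 1 else None

# Constructed sample directory; the DER values are placeholders, not real certificates.
JANE_CERT, OLD_CERT = b"\x30\x82JANE", b"\x30\x82OLD"
DIRECTORY = [
    {"dn": "uid=jdoe,ou=People,o=Example", "cn": "Jane Doe",
     "mail": "jdoe@example.com", "userCertificate": JANE_CERT},
    {"dn": "uid=jdoe2,ou=Contractors,o=Example", "cn": "Jane Doe",
     "mail": "jdoe@example.com", "userCertificate": OLD_CERT},
]
CONFIG = {"base": "o=Example", "DNComps": [], "FilterComps": ["e", "cn"], "verifycert": True}
SUBJECT = "e=jdoe@example.com,cn=Jane Doe,o=Example,c=US"

if __name__ == "__main__":
    print(authenticate(JANE_CERT, SUBJECT, DIRECTORY, CONFIG))  # uid=jdoe,ou=People,o=Example
```

Both sample entries match the subject's mail and cn, so only the certificate comparison disambiguates them; with verifycert off the ambiguous result is rejected.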
12.7.1 Configuring Directory Server to accept certificate-based authentication from LDAP clients
Client authentication to the Directory Server requires or allows a user to present a certificate to
establish its identity, in addition to the server having to present its own certificate. This is also
called certificate-based authentication.
1. On the client system, obtain a client certificate from the CA.
2. Install the client certificate on the client system.
Regardless of how the certificate is sent (either in email or on a web page), there should be a
link to click to install the certificate.
Record the certificate information that is sent from the CA, especially the subject DN of the
certificate because the server must be configured to map it to an entry in the directory. The
client certificate resembles the following:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
3. Convert the client certificate into binary format using the certutil utility.
certutil -L -d certdbPath -n userCertName -r > userCert.bin
certdbPath is the directory that contains the certificate database; for example, a user
certificate for Mozilla Thunderbird is stored in $HOME/.thunderbird. userCertName is
the name of the certificate, and userCert.bin is the name of the output file for binary
format.
4. On the server, map the subject DN of the certificate to the appropriate directory entry by
editing the certmap.conf file.
12.7 Using certificate-based authentication 491