HP-UX Directory Server 8.1 administrator guide
NOTE:
Do not map a certificate-based authentication certificate to a distinguished name under
cn=monitor. Mapping a certificate to a DN under cn=monitor causes the bind operation
to fail. Map the certificate to a target located elsewhere in the directory information tree.
Make sure that the verifyCert parameter is set to on in the certmap.conf file. If this
parameter is not set to on, Directory Server simply searches for an entry in the directory
that matches the information in the certmap.conf file. If the search is successful, it grants
access without actually checking the value of the userCertificate and
userCertificate;binary attributes against the certificate the client presented.
5. In the Directory Server, modify the directory entry for the user or identity (if it is another
server) who owns the client certificate to add the userCertificate attribute.
a. Select the Directory tab, and navigate to the user entry.
b. Double-click the user entry, and use the Property Editor to add the userCertificate
attribute, with the binary subtype.
When adding this attribute, instead of an editable field, the server provides a Set Value
button.
c. Click Set Value.
A file selector opens. Use it to select the binary file created in step 3.
For information on using the Directory Server Console to edit entries, see “Modifying
directory entries”.
For information on how to use TLS/SSL with ldapmodify, ldapdelete, and ldapsearch,
see “Connecting to the Directory Server with certificate-based authentication” and the HP-UX
Directory Server configuration, command, and file reference.
12.7.2 Mapping DNs to certificates
When a server performs client authentication, it interprets a certificate, extracts user information,
then searches the directory for that information. In order to process certificates from different
CAs, the server uses a file called certmap.conf. This file contains instructions on how to
interpret different certificates and how to search the directory for the information that those
certificates contain.
In the Directory Server, a user entry has a format like the following:
dn: uid=jsmith,ou=People,dc=example,dc=com
...
cn: John Smith
mail: jsmith@example.com
A subject DN, however, is almost always formatted differently from an LDAP DN. For example:
cn=John Smith, e=jsmith@example.com, c=US, o=Example.com
The email attribute in the directory is almost always unique within the organization, as is the
common name of the user. These attributes are also indexed by default, so they are easily searched,
and are common attributes to be used in the subject names of certificates. The certmap.conf
file can be configured so that the server looks for any mail or common name elements in the
subject DN and matches them against the entries in the directory. Much like an ldapsearch,
the cert mapping defines a search base (DNComps) and search filter (FilterComps).
certmap Example o=Example.com,c=US
Example:DNComps dc
Example:FilterComps mail,cn
The certmap.conf file is stored in the /etc/opt/dirsrv/slapd-instance_name directory.
The file contains a default mapping as well as mappings for specific CAs.
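The following Python model is an added example and is not code from the HP-UX Directory Server guide or the product. It illustrates two points from this section: how a certmap.conf mapping turns a certificate subject DN into an LDAP search base (DNComps) and filter (FilterComps), and why the verifyCert setting matters. The certmap semantics are a simplified reconstruction of what the text describes; the alias of the subject attribute e to the LDAP attribute mail, the fallback to a default base DN when no DNComps attribute appears in the subject, and the sample entries are assumptions made for this example.

```python
# Added example, not part of the HP-UX Directory Server guide: a simplified model
# of certmap.conf processing (DNComps -> search base, FilterComps -> search
# filter) and of the verifyCert decision. Attribute aliasing, base-DN fallback
# and the sample data below are assumptions for illustration only.
import re

# Subject DNs spell some attributes differently from LDAP entries.
# Assumption: 'e' in a certificate subject corresponds to 'mail' in the entry.
ATTR_ALIASES = {"e": "mail", "emailaddress": "mail"}


def parse_dn(dn):
    """Split 'cn=John Smith, e=jsmith@example.com, c=US' into ordered
    (attribute, value) pairs. Handles backslash-escaped commas; multi-valued
    RDNs joined with '+' are out of scope for this model."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().lower(), value.strip().replace("\\,", ",")))
    return pairs


def escape_filter_value(value):
    """RFC 4515 escaping: a subject value taken from a certificate must not be
    able to change the structure of the search filter built around it."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def build_search(subject_dn, dncomps, filtercomps, default_base):
    """Return (base_dn, search_filter) for one certmap mapping.

    dncomps:     subject attributes used to assemble the search base
    filtercomps: LDAP attributes whose subject values are ANDed into the filter
    If no DNComps attribute is present in the subject, fall back to
    default_base (assumption: search from the configured suffix)."""
    subject = parse_dn(subject_dn)
    dn_parts = [f"{a}={v}" for a, v in subject if a in dncomps]
    base_dn = ",".join(dn_parts) if dn_parts else default_base
    terms = []
    for attr, value in subject:
        ldap_attr = ATTR_ALIASES.get(attr, attr)
        if ldap_attr in filtercomps:
            terms.append(f"({ldap_attr}={escape_filter_value(value)})")
    if not terms:
        raise ValueError("subject carries none of the FilterComps attributes")
    search_filter = terms[0] if len(terms) == 1 else "(&" + "".join(terms) + ")"
    return base_dn, search_filter


def select_entry(entries, presented_cert, verify_cert):
    """Model the verifyCert decision. With verifyCert off, the first entry that
    matched the filter is accepted as-is. With verifyCert on, the entry must
    hold the presented certificate in userCertificate;binary, otherwise no
    entry is mapped and the bind fails."""
    for entry in entries:
        if not verify_cert:
            return entry["dn"]
        if presented_cert in entry.get("userCertificate;binary", []):
            return entry["dn"]
    return None


# Constructed sample data (not real directory content).
SUBJECT = "cn=John Smith, e=jsmith@example.com, c=US, o=Example.com"
ENTRIES = [
    {"dn": "uid=jsmith,ou=People,dc=example,dc=com",
     "userCertificate;binary": [b"DER-bytes-of-cert-A"]},
    {"dn": "uid=jsmith2,ou=People,dc=example,dc=com",
     "userCertificate;binary": [b"DER-bytes-of-cert-B"]},
]

if __name__ == "__main__":
    # The mapping from the section: DNComps dc, FilterComps mail,cn.
    base, flt = build_search(SUBJECT, ["dc"], ["mail", "cn"], "dc=example,dc=com")
    print("base:", base)
    print("filter:", flt)
    # Two entries match; only verifyCert on ties the bind to the right one.
    print("verifyCert off ->", select_entry(ENTRIES, b"DER-bytes-of-cert-B", False))
    print("verifyCert on  ->", select_entry(ENTRIES, b"DER-bytes-of-cert-B", True))
```

The verifyCert model is the practical point: if several entries satisfy the mail/cn filter, or if an attacker-controlled CA issues a certificate whose subject happens to match an existing user, only the comparison against userCertificate;binary binds the session to the entry that actually owns the presented certificate.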
492 Managing SSL