HP-UX Directory Server 8.1 administrator guide

The default mapping specifies what the server should do if a client certificate was issued by a
CA that is not listed in certmap.conf. The mappings for specific CAs specify what the server
should do for client certificates issued by those CAs. All mappings define the following:
Where in the directory the server should begin its search
What certificate attributes the server should use as search criteria
Whether the server should verify the certificate with one that is stored in the directory
Mappings have the following syntax:
certmap name issuerDN
name:property [value]
name:property [value]
...
The first line of a mapping specifies the mapping's name as well as the DN for the issuer of the
client certificate. The mapping can have any name, but the issuerDN must exactly match the
issuer DN of the CA that issued the client certificate. For example, the following two issuerDN
lines differ only in the number of spaces they contain, but the server would treat these two entries
as different:
certmap moz ou=Example CA,o=Example,c=US
certmap moz ou=Example CA, o=Example, c=US
The second and subsequent lines of a mapping identify the rules that the server should use when
searching the directory for information extracted from a certificate. These rules are specified
through the use of one or more of the following properties:
DNComps
FilterComps
VerifyCert
CmapLdapAttr
Library
InitFn
DNComps
DNComps is a comma-separated list of relative distinguished name (RDN) keywords
used to determine where in the user directory the server should start searching for entries that
match the information for the owner of the client certificate. The server gathers values for these
keywords from the client certificate and uses the values to form a DN, which determines where
the server starts its search in the directory.
For example, if DNComps is set to use the o and c RDN keywords, the server starts the search
from the o=org, c=country entry in the directory, where org and country are replaced with
values from the DN in the certificate.
If there is not a DNComps entry in the mapping, the server uses either the CmapLdapAttr
setting or the entire subject DN in the client certificate to determine where to start searching.
If the DNComps entry is present but has no value, the server searches the entire directory
tree for entries matching the filter specified by FilterComps.
The following RDN keywords are supported for DNComps:
cn
ou
o
c
l
st
e or mail (but not both)
mail
Keywords can be in either lower case or upper case.
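The following is an added example, not code from the HP-UX Directory Server product or its guide: a small Python interpreter for the certmap.conf syntax and the DNComps rules described above. It parses a constructed certmap.conf, selects a mapping by exact issuerDN match (so the two spacing variants above are treated as different CAs), and computes where a search would start for a given certificate subject DN; the CmapLdapAttr fallback is not modelled.

```python
# Added example (not HP-UX Directory Server code); the certmap.conf text below is constructed.

CERTMAP_CONF = """\
certmap default default
default:DNComps
default:FilterComps e, uid
certmap moz ou=Example CA,o=Example,c=US
moz:DNComps o, c
moz:FilterComps cn
moz:VerifyCert on
certmap partner ou=Partner CA,o=Partner,c=US
partner:FilterComps e
"""

def parse_certmap(text):
    """Return {issuerDN: {"name": ..., "props": {property: value}}}, keyed by
    the issuerDN exactly as written: spacing differences give distinct mappings."""
    mappings, by_name = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("certmap "):        # "certmap name issuerDN"
            _, name, issuer = line.split(None, 2)
            by_name[name] = mappings[issuer] = {"name": name, "props": {}}
        else:                                  # "name:property [value]"
            head, _, value = line.partition(" ")
            name, prop = head.split(":", 1)
            by_name[name]["props"][prop] = value.strip()
    return mappings

def mapping_for(mappings, issuer_dn):
    """Exact issuerDN match; a CA not listed falls to the default mapping."""
    return mappings.get(issuer_dn, mappings["default"])

def split_dn(dn):
    """'cn=Jane Doe,o=Example,c=US' -> [('cn','Jane Doe'), ('o','Example'), ('c','US')]"""
    return [tuple(p.strip() for p in rdn.split("=", 1)) for rdn in dn.split(",")]

def search_base(mapping, subject_dn):
    """DNComps absent -> whole subject DN (CmapLdapAttr not modelled); present but
    empty -> None, meaning the whole tree; else a DN built from the listed keywords."""
    props = mapping["props"]
    if "DNComps" not in props:
        return subject_dn
    if props["DNComps"] == "":
        return None
    wanted = [k.strip().lower() for k in props["DNComps"].split(",")]
    rdns = {k.lower(): v for k, v in split_dn(subject_dn)}
    return ",".join(f"{k}={rdns[k]}" for k in wanted if k in rdns)
```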
12.7 Using certificate-based authentication 493