HP-UX Directory Server 8.1 administrator guide
FilterComps
FilterComps is a comma-separated list of RDN keywords used to create a filter by gathering information from the user's DN in the client certificate. The server uses the values for these keywords to form the search criteria for matching entries in the LDAP directory. If the server finds one or more entries in the directory that match the user's information gathered from the certificate, the search is successful and the server performs a verification (if VerifyCert is set to on).
For example, if FilterComps is set to use the e and uid attribute keywords (FilterComps=e,uid), the server searches the directory for an entry whose values for e and uid match the user's information gathered from the client certificate. Email addresses and user IDs are good filters because they are usually unique entries in the directory.
The filter needs to be specific enough to match one and only one entry in the directory.
The following RDN keywords are supported for FilterComps:
• cn
• ou
• o
• c
• l
• st
• e or mail (but not both)
• mail
Keywords can be in either lower case or upper case.
VerifyCert
VerifyCert tells the server whether it should compare the client's certificate with the certificate found in the user's directory entry. The value is either on or off. Setting the value to on ensures that the server will not authenticate the client unless the certificate presented exactly matches the certificate stored in the directory. Setting the value to off disables the verification process.
CmapLdapAttr
CmapLdapAttr is the name of the attribute in the directory that contains subject DNs from all certificates belonging to the user. Because this attribute is not a standard LDAP attribute, this attribute must be added to the schema. See “Creating attributes” for information on adding schema elements.
If the CmapLdapAttr property exists in a certmap.conf mapping, the server searches the entire directory for an entry that contains the subject's full DN. The search criteria are the attribute named by CmapLdapAttr and the subject's full DN as listed in the certificate. If the search does not yield any entries, the server retries the search using the DNComps and FilterComps mappings. The search will take place more quickly if the attribute specified by CmapLdapAttr is indexed. For more information on indexing attributes, see Chapter 11 “Managing indexes”.
Using CmapLdapAttr to match a certificate to a directory entry is useful when it is difficult to match entries using DNComps and FilterComps.
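The following is an added illustration, not code from the HP-UX Directory Server guide or from the product itself: a small in-memory simulation of how the DNComps, FilterComps, CmapLdapAttr and VerifyCert properties described above turn a client certificate's subject DN into a directory search, including the CmapLdapAttr lookup with its fallback to DNComps/FilterComps and the "one and only one entry" requirement. The sample entries, certificate bytes, the custom attribute name certSubjectDN, the userCertificate attribute used for VerifyCert and the treatment of the subject's e keyword as the entry's mail attribute are all assumptions made for this example.

```python
"""Added example (not from the HP-UX Directory Server guide): simulates the
certmap.conf lookup steps against a constructed in-memory directory."""


def parse_dn(dn):
    """Split 'uid=jdoe,ou=People,o=Example' into ordered (keyword, value)
    pairs. Simplified parser: escaped commas are not handled."""
    pairs = []
    for rdn in dn.split(","):
        keyword, _, value = rdn.strip().partition("=")
        pairs.append((keyword.strip().lower(), value.strip()))
    return pairs


def build_base_dn(subject_dn, dncomps):
    """DNComps: keep only the listed RDN keywords of the subject DN to form
    the search base. An empty DNComps means the whole directory is searched."""
    wanted = {k.strip().lower() for k in dncomps.split(",") if k.strip()}
    return ",".join(f"{k}={v}" for k, v in parse_dn(subject_dn) if k in wanted)


def filter_terms(subject_dn, filtercomps):
    """FilterComps: one equality term per listed keyword, taken from the
    subject DN. Assumption: 'e' in the subject is matched against mail."""
    subject = dict(parse_dn(subject_dn))
    terms = []
    for keyword in (k.strip().lower() for k in filtercomps.split(",") if k.strip()):
        if keyword not in subject:
            raise ValueError(f"certificate subject has no '{keyword}' component")
        attr = "mail" if keyword == "e" else keyword
        terms.append((attr, subject[keyword]))
    return terms


def filter_string(terms):
    """Render the terms as the LDAP filter the server would send."""
    parts = [f"({a}={v})" for a, v in terms]
    return parts[0] if len(parts) == 1 else "(&" + "".join(parts) + ")"


def search(directory, base_dn, terms):
    """Toy LDAP subtree search: every term must match; no terms matches all."""
    base = base_dn.lower()
    hits = []
    for entry in directory:
        dn = entry["dn"].lower()
        if base and dn != base and not dn.endswith("," + base):
            continue
        if all(value in entry.get(attr, []) for attr, value in terms):
            hits.append(entry)
    return hits


def map_certificate(directory, mapping, subject_dn, cert_der):
    """Return the single entry the certificate maps to, or None.
    Order follows the guide: CmapLdapAttr lookup of the full subject DN
    first, then DNComps/FilterComps, then the VerifyCert comparison."""
    hits = []
    cmap_attr = mapping.get("CmapLdapAttr")
    if cmap_attr:
        hits = search(directory, "", [(cmap_attr.lower(), subject_dn)])
    if not hits:
        base = build_base_dn(subject_dn, mapping.get("DNComps", ""))
        try:
            terms = filter_terms(subject_dn, mapping.get("FilterComps", ""))
        except ValueError:
            return None  # subject lacks a FilterComps keyword: no match
        hits = search(directory, base, terms)
    if len(hits) != 1:  # the filter must match one and only one entry
        return None
    entry = hits[0]
    if mapping.get("VerifyCert", "off").lower() == "on":
        # assumption: the entry's certificate is stored in userCertificate
        if cert_der not in entry.get("usercertificate", []):
            return None
    return entry


DIRECTORY = [  # constructed sample entries
    {"dn": "uid=jdoe,ou=People,o=Example Corp", "uid": ["jdoe"],
     "mail": ["jdoe@example.com"], "usercertificate": [b"DER-jdoe"]},
    {"dn": "uid=jdoe,ou=Contractors,o=Example Corp", "uid": ["jdoe"],
     "mail": ["jdoe@contractor.example"], "usercertificate": [b"DER-jdoe-c"]},
    {"dn": "uid=asmith,ou=People,o=Example Corp", "uid": ["asmith"],
     "mail": ["asmith@example.com"], "usercertificate": [b"DER-asmith"],
     "certsubjectdn": ["cn=Alice Smith,o=Partner CA Org"]},
]

# Mapping in the style of the guide's example (FilterComps=e,uid).
STRICT = {"DNComps": "o", "FilterComps": "e,uid", "VerifyCert": "on"}
# A uid-only filter is not specific enough here: two jdoe entries exist.
LOOSE = {"DNComps": "o", "FilterComps": "uid", "VerifyCert": "on"}
# Subjects issued by another CA share no structure with the tree, so they
# are matched through the custom certSubjectDN attribute instead.
BY_SUBJECT = {"CmapLdapAttr": "certSubjectDN", "DNComps": "o",
              "FilterComps": "uid", "VerifyCert": "on"}

if __name__ == "__main__":
    jdoe = "e=jdoe@example.com,uid=jdoe,ou=People,o=Example Corp"
    print(filter_string(filter_terms(jdoe, STRICT["FilterComps"])))
    print(map_certificate(DIRECTORY, STRICT, jdoe, b"DER-jdoe")["dn"])
    print(map_certificate(DIRECTORY, LOOSE, jdoe, b"DER-jdoe"))
    alice = "cn=Alice Smith,o=Partner CA Org"
    print(map_certificate(DIRECTORY, BY_SUBJECT, alice, b"DER-asmith")["dn"])
```

The LOOSE mapping shows why the guide insists on a filter that matches exactly one entry: two entries share uid=jdoe under o=Example Corp, so the lookup fails rather than picking one. The BY_SUBJECT mapping shows CmapLdapAttr matching a subject DN that has nothing in common with the directory tree, and when the custom attribute holds no such value the code falls back to DNComps/FilterComps exactly as the text describes.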
Library
Library is the pathname to a shared library or DLL. Use this property only to extend or replace the standard functions that map information in certmap.conf to entries in the directory. This property is typically not necessary unless there are very specialized mapping requirements.
InitFn
InitFn is the name of an init function from a custom library. You need to use this property only if you want to extend or replace the functions that map information in certmap.conf to entries in the directory. This property is typically not necessary unless you have very specialized mapping requirements.
494 Managing SSL