HP-UX Directory Server 8.1 administrator guide
Example 12-2 An additional mapping
certmap default default
default:DNComps
default:FilterComps e, uid
certmap MyCA ou=MySpecialTrust,o=MyOrg,c=US
MyCA:DNComps ou,o,c
MyCA:FilterComps e
MyCA:verifycert on
When the server gets a certificate from a CA other than MyCA, the server uses the default
mapping, which starts at the top of the directory tree and searches for an entry matching the
client's email address (e) and user ID (uid). If the certificate is from MyCA, the server starts its
search at the directory branch containing the organizational unit specified in the subject DN and
searches for email addresses (e) that match the one specified in the certificate. If the certificate
is from MyCA, the server verifies the certificate. If the certificate is from another CA, the server
does not verify it.
Example 12-3 “A Mapping with an attribute search” uses the CmapLdapAttr property to search
the directory for an attribute called certSubjectDN whose value exactly matches the entire
subject DN in the client certificate:
Example 12-3 A Mapping with an attribute search
certmap MyCo ou=My Company Inc, o=MyCo, c=US
MyCo:CmapLdapAttr certSubjectDN
MyCo:DNComps o, c
MyCo:FilterComps mail, uid
MyCo:verifycert on
If the subject DN in the client certificate is uid=jsmith, o=example Inc, c=US, then the
server searches for entries that have certSubjectDN=uid=jsmith, o=example Inc, c=US.
If one or more matching entries are found, the server proceeds to verify the entries. If no matching
entries are found, the server uses DNComps and FilterComps to search for matching entries.
For the client certificate described above, the server would search for uid=jsmith in all entries
under o=example Inc, c=US.
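The matching rules described for Examples 12-2 and 12-3, worked through as an added Python model (not part of the HP-UX guide or of the server's code): it parses a constructed certmap fragment, selects the mapping for an issuer DN, and returns the ordered searches the rules call for (the exact CmapLdapAttr match first, then the DNComps base with a FilterComps filter). It assumes DN values without escaped commas, attribute names used exactly as written in certmap, and (objectclass=*) as the filter when FilterComps is empty.

```python
# Added example (not from the HP-UX guide): model of the certmap rules above.
# Assumes unescaped DN values, attribute names used exactly as written in
# certmap, and (objectclass=*) as the filter when FilterComps is empty.
CERTMAP = """certmap default default
default:DNComps
default:FilterComps e, uid
certmap MyCo ou=My Company Inc, o=MyCo, c=US
MyCo:CmapLdapAttr certSubjectDN
MyCo:DNComps o, c
MyCo:FilterComps mail, uid
"""

def parse_dn(dn):
    """Split 'uid=jsmith, o=example Inc, c=US' into [(attr, value), ...]."""
    return [tuple(p.strip() for p in rdn.split("=", 1)) for rdn in dn.split(",")]

def parse_certmap(text):
    """Parse certmap lines into {name: {'issuer': dn, prop: value, ...}}."""
    maps = {}
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        if line.startswith("certmap "):
            _, name, issuer = line.split(None, 2)
            maps[name] = {"issuer": issuer}
        else:                                  # "name:Prop value"
            key, _, value = line.partition(" ")
            name, prop = key.split(":", 1)
            maps[name][prop] = value.strip()
    return maps

def select_mapping(maps, issuer_dn):
    """Use the mapping whose issuer DN matches the CA; otherwise the default."""
    for name, m in maps.items():
        if name != "default" and m["issuer"] == issuer_dn:
            return m
    return maps["default"]

def candidate_searches(mapping, subject_dn):
    """Return the ordered (base, filter) searches tried for a subject DN."""
    subject = parse_dn(subject_dn)
    comps = lambda k: [c.strip() for c in mapping.get(k, "").split(",") if c.strip()]
    searches = []
    if "CmapLdapAttr" in mapping:              # exact subject-DN match comes first
        searches.append(("", f"({mapping['CmapLdapAttr']}={subject_dn})"))
    # Fallback: base built from DNComps, filter ANDed from FilterComps in the subject
    base = ", ".join(f"{a}={v}" for a, v in subject if a in comps("DNComps"))
    vals = dict(subject)
    parts = [f"({a}={vals[a]})" for a in comps("FilterComps") if a in vals]
    if len(parts) > 1:
        parts = ["(&" + "".join(parts) + ")"]
    searches.append((base, parts[0] if parts else "(objectclass=*)"))
    return searches
```

An empty DNComps yields an empty base (the top of the tree), which is how the default mapping in Example 12-2 behaves.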
12.7.5 Allowing and requiring client authentication to the console
Client authentication must be explicitly set in the Directory Server.
1. Click the Configuration tab.
2. With the top server entry highlighted in the left navigation pane, click the Encryption tab
in the main window.
3. Set whether to require or allow client authentication to the Directory Server.
496 Managing SSL