CERTMAP.CONF(5)                 File Formats Manual                CERTMAP.CONF(5)

NAME
       /etc/dirsrv/config/certmap.conf - Configuration file for TLS client
       authentication in 389 Directory Server.

SYNOPSIS
       /etc/dirsrv/config/certmap.conf

DESCRIPTION
       certmap.conf

       This file configures how a certificate is mapped to an LDAP entry. See
       the documentation for more information on this file:
       https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/configuration_command_and_file_reference/configuration_file_reference#certmap_conf

       The format of this file is as follows:

           certmap <name> <issuerDN>
           <name>:<prop1> [<val1>]
           <name>:<prop2> [<val2>]

       Notes:

       1. A mapping can be defined per issuer of a certificate. If no mapping
          exists for a particular issuerDN, the server uses the default
          mapping.

       2. There must be an entry with <name> set to "default" and issuerDN
          "default". This mapping is the default mapping.

       3. '#' can be used to comment out a line.

       4. DNComps and FilterComps are used to form the base DN and the filter
          of the LDAP search that maps the certificate to a user entry.

       DNComps
              The DNComps parameter determines how Directory Server generates
              the base DN used to search for a user in the directory. This
              setting accepts a comma-separated list of attributes to form a
              DN. The order of the attributes in the DNComps parameter must
              match their order in the subject of the certificate. For
              example, if your certificate's subject is
              "e=user_name@example.com,cn=user_name,o=Example Inc.,c=US"
              and you want Directory Server to use
              "cn=user_name,o=Example Inc.,c=US" as the base DN when searching
              for the user, set the DNComps parameter to "cn, o, c".

              Comment out or do not set this parameter if either the subject
              field of the certificate exactly matches the DN of the user in
              Directory Server, or you want to use the setting from the
              CmapLdapAttr parameter.

              If the value is empty, the server searches the entire LDAP tree,
              using the FilterComps parameter to build the filter.

       FilterComps
              This parameter sets which attributes from the subject field of
              the certificate Directory Server uses to generate the search
              filter that locates the user.

              Set this parameter to a comma-separated list of attributes used
              in the certificate's subject. Directory Server combines these
              attributes with an AND operation in the filter.

              Note: certificate subjects use the e attribute for the email
              address, which does not exist in the default Directory Server
              schema. For this reason, Directory Server automatically maps
              this attribute to the mail attribute. This means that if you use
              the mail attribute in the FilterComps parameter, Directory Server
              reads the value of the e attribute from the subject of the
              certificate.

              For example, if the subject of a certificate is
              "e=user_name@example.com,cn=user_name,dc=example,dc=com,o=Example Inc.,c=US"
              and you want to dynamically generate the
              "(&(mail=username@domain)(cn=user_name))" filter, set the
              FilterComps parameter to "mail, cn".

              If the parameter is commented out or set to an empty value, the
              (objectclass=*) filter is used.

       verifycert
              Directory Server always verifies that the certificate has been
              issued by a trusted Certificate Authority (CA). If you
              additionally set the verifycert parameter to on, Directory
              Server also verifies that the presented certificate matches the
              Distinguished Encoding Rules (DER)-formatted certificate stored
              in the userCertificate binary attribute of the user entry.

              If you do not set this parameter, verifycert is disabled.

       CmapLdapAttr
              If your user entries contain an attribute that stores the
              subject DN of the user certificate, set CmapLdapAttr to this
              attribute name. Directory Server will use this attribute and the
              subject DN to locate the user. In this case, no filter is
              generated from the attributes in the FilterComps parameter.

EXAMPLE
       certmap default default
       default:DNComps cn, o, c
       #default:FilterComps e, uid
       #default:verifycert on
       #default:CmapLdapAttr certSubjectDN

       certmap example o=Example Inc.,c=US
       example:DNComps
127
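       The file format and the DNComps, FilterComps and CmapLdapAttr rules above, as an added worked example that is not part of this man page or of 389 Directory Server: a small Python reader of certmap.conf that derives the search base DN and filter from a certificate subject, including the e-to-mail mapping, the (objectclass=*) fallback and RFC 4515 escaping of subject values. parse_certmap, choose_mapping, build_search, CONF and SUBJECT are all constructed here; DNComps attributes are taken in the order they appear in the subject rather than checked against the configured order.

```python
# Constructed example, not 389-ds code: certmap.conf parsing and the base-DN /
# filter derivation this man page describes. Subjects are ordered (attr, value) pairs.
def parse_certmap(text):
    """Parse certmap.conf into {issuerDN: {prop: value}}; '#' starts a comment."""
    names, mappings = {}, {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("certmap "):          # certmap <name> <issuerDN>
            _, name, issuer = line.split(None, 2)
            names[name], mappings[issuer] = issuer, {}
            continue
        key, _, value = line.partition(" ")     # <name>:<prop> [<val>]
        name, prop = key.split(":", 1)
        value = value.strip()
        if prop in ("DNComps", "FilterComps"):  # comma-separated attribute lists
            value = [a.strip() for a in value.split(",") if a.strip()]
        mappings[names[name]][prop] = value
    return mappings

def choose_mapping(mappings, issuer_dn):
    return mappings.get(issuer_dn, mappings["default"])  # per-issuer, else default

def _escape(value):  # RFC 4515 escaping: certificate text must not alter filter syntax
    return value.replace("\\", "\\5c").replace("*", "\\2a").replace("(", "\\28").replace(")", "\\29")

def build_search(subject_rdns, mapping):
    """(base_dn, filter): DNComps RDNs form the base ("" = whole tree); CmapLdapAttr
    matches the full subject DN, else FilterComps are ANDed ('mail' reads cert 'e')."""
    subj = [(a.lower(), v) for a, v in subject_rdns]
    dncomps = {c.lower() for c in mapping.get("DNComps", [])}
    base = ",".join(f"{a}={v}" for a, v in subj if a in dncomps)
    if mapping.get("CmapLdapAttr"):
        subject_dn = ",".join(f"{a}={v}" for a, v in subject_rdns)
        return base, f"({mapping['CmapLdapAttr']}={_escape(subject_dn)})"
    terms = []
    for attr in mapping.get("FilterComps", []):
        cert_attr = "e" if attr.lower() == "mail" else attr.lower()
        terms += [f"({attr}={_escape(v)})" for a, v in subj if a == cert_attr]
    filt = "(&" + "".join(terms) + ")" if len(terms) > 1 else (terms or ["(objectclass=*)"])[0]
    return base, filt

# Constructed sample: the man page's example plus FilterComps for the second issuer.
CONF = """certmap default default
default:DNComps cn, o, c
#default:FilterComps e, uid
certmap example o=Example Inc.,c=US
example:DNComps
example:FilterComps mail, cn"""
SUBJECT = [("e", "user_name@example.com"), ("cn", "user_name"), ("o", "Example Inc."), ("c", "US")]
```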

AUTHOR
       certmap.conf was written by the 389 Project.

REPORTING BUGS
       Report bugs to https://pagure.io/389-ds-base/new_issue

COPYRIGHT
       Copyright © 2018 Red Hat, Inc.

                                  Jun 26, 2018                     CERTMAP.CONF(5)