CERTMAP.CONF(5)               File Formats Manual              CERTMAP.CONF(5)

NAME

       /etc/dirsrv/config/certmap.conf - Configuration file for TLS client
       authentication in 389 Directory Server.

SYNOPSIS

       /etc/dirsrv/config/certmap.conf

DESCRIPTION

       certmap.conf

       This file configures how a certificate is mapped to an LDAP entry.  See
       the documentation for more information on this file:
       https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/configuration_command_and_file_reference/configuration_file_reference#certmap_conf

SYNTAX

       The format of this file is as follows:
            certmap <name> <issuerDN>
            <name>:<prop1> [<val1>]
            <name>:<prop2> [<val2>]

       Notes:

        1.  A mapping can be defined per issuer of a certificate.  If no
            mapping exists for a particular 'issuerDN', then the server uses
            the default mapping.

        2.  There must be an entry for <name>=default and issuerDN "default".
            This mapping is the default mapping.

        3.  '#' can be used to comment out a line.

        4.  DNComps & FilterComps are used to form the base DN and filter
            responsible for performing an LDAP search while mapping the
            certificate to a user entry.


OPTIONS

       DNComps
              The DNComps parameter determines how Directory Server generates
              the base DN used to search for a user in the directory.  This
              setting accepts a comma-separated list of attributes to form a
              DN.  However, the order of the attributes in the DNComps
              parameter must match the order in the subject of the
              certificate.  For example, if your certificate's subject is
              "e=user_name@example.com,cn=user_name,o=Example Inc.,c=US", and
              you want Directory Server to use
              "cn=user_name,o=Example Inc.,c=US" as the base DN when
              searching for the user, set the DNComps parameter to
              "cn, o, c".

              Comment out or do not set this parameter if either the subject
              field of the certificate exactly matches the DN of the user in
              Directory Server or you want to use the setting from the
              CmapLdapAttr parameter.

              If the value is empty, the server searches the entire LDAP tree
              using the filter built from the FilterComps parameter.


       FilterComps
              This parameter sets which attributes from the subject field of
              the certificate Directory Server uses to generate the search
              filter to locate the user.

              Set this parameter to a comma-separated list of attributes used
              in the certificate's subject.  Directory Server will combine
              these attributes with an AND operation in the filter.

              Note - Certificate subjects use the e attribute for the email
              address, which does not exist in the default Directory Server
              schema.  For this reason, Directory Server automatically maps
              this attribute to the mail attribute.  This means that if you
              use the mail attribute in the FilterComps parameter, Directory
              Server reads the value of the e attribute from the subject of
              the certificate.

              For example, if the subject of a certificate is
              "e=user_name@example.com,cn=user_name,dc=example,dc=com,o=Example Inc.,c=US"
              and you want to dynamically generate the
              "(&(mail=username@domain)(cn=user_name))" filter, set the
              FilterComps parameter to "mail, cn".

              If the parameter is commented out or set to an empty value, the
              (objectclass=*) filter will be used.


       verifycert
              Directory Server always verifies that the certificate has been
              issued by a trusted Certificate Authority (CA).  If you
              additionally set the verifycert parameter to on, Directory
              Server also verifies that the certificate matches the
              Distinguished Encoding Rules (DER)-formatted certificate stored
              in the userCertificate binary attribute of the user.

              If you do not set this parameter, verifycert is disabled.


       CmapLdapAttr
              If your user entries contain an attribute that stores the
              subject DN of the user certificate, set CmapLdapAttr to this
              attribute name.  Directory Server will use this attribute and
              the subject DN to locate the user.  In this case no filter is
              generated based on the attributes in the FilterComps parameter.


EXAMPLES

       certmap default         default
       default:DNComps         cn, o, c
       #default:FilterComps    e, uid
       #default:verifycert     on
       #default:CmapLdapAttr   certSubjectDN

       certmap example         o=Example Inc.,c=US
       example:DNComps

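       As an added illustration (not code from 389 Directory Server or from
       this manual page), the following Python models the rules given under
       SYNTAX and OPTIONS: it parses the certmap.conf syntax, selects the
       mapping for a certificate's issuer (falling back to "default"), and
       derives the search base DN and filter from DNComps, FilterComps and
       CmapLdapAttr, including the e/mail mapping and the empty-value cases.
       The sample configuration and subjects are constructed; the
       case-insensitive issuer comparison, the rejection of a DNComps order
       mismatch, the error on a missing FilterComps attribute and the RFC
       4515 escaping of values are this example's own choices, not behaviour
       the page states.

```python
"""How certmap.conf turns a client certificate's subject into the LDAP search that
locates the user.  Added illustration, not 389 Directory Server code; it follows this
manual page, marks its own assumptions, and handles simple string DNs only (no '+' RDNs)."""
import re

# Constructed sample inputs (a variant of the page's EXAMPLES section).
SAMPLE_CERTMAP = """\
certmap default         default
default:DNComps         cn, o, c
default:FilterComps     e, cn
certmap example         o=Example Inc.,c=US
example:DNComps
example:FilterComps     mail, cn
certmap cmap            o=Cmap CA,c=US
cmap:CmapLdapAttr       certSubjectDN
cmap:verifycert         on
"""
SAMPLE_SUBJECT = "e=user_name@example.com,cn=user_name,o=Example Inc.,c=US"
_RDN_SPLIT = re.compile(r"(?<!\\),")  # commas not preceded by a backslash
# RFC 4515 escapes so a subject value cannot alter the structure of the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def parse_certmap(text):
    """Parse certmap.conf into {name: {"issuer": issuerDN, "props": {prop: value}}}."""
    mappings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # '#' comments out a line
            continue
        if line.startswith("certmap "):
            _, name, issuer = line.split(None, 2)  # issuerDN may contain spaces
            mappings[name] = {"issuer": issuer.strip(), "props": {}}
            continue
        name, rest = line.split(":", 1)
        parts = rest.split(None, 1)  # "<name>:<prop> [<val>]"; a missing value is ""
        mappings[name]["props"][parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    if mappings.get("default", {}).get("issuer") != "default":
        raise ValueError("a 'default' mapping with issuerDN 'default' is required")
    return mappings

def parse_dn(dn):
    """Split a string DN into [(type, value), ...] in written order, types lowercased."""
    return [(a.strip().lower(), v.strip())
            for a, v in (rdn.split("=", 1) for rdn in _RDN_SPLIT.split(dn))]

def select_mapping(mappings, issuer_dn):
    """Mapping for the certificate's issuer, else default (notes 1, 2); case-insensitive by assumption."""
    def norm(dn):
        return [(t, v.lower()) for t, v in parse_dn(dn)]
    for m in mappings.values():
        if m["issuer"] != "default" and norm(m["issuer"]) == norm(issuer_dn):
            return m
    return mappings["default"]

def parse_comps(value):
    return [c.strip().lower() for c in value.split(",") if c.strip()]

def dncomps_order_matches(subject_dn, dncomps):
    """True when DNComps lists its attributes in the same order as the subject."""
    comps = parse_comps(dncomps)
    seen = list(dict.fromkeys(t for t, _ in parse_dn(subject_dn) if t in comps))
    return seen == [c for c in comps if c in seen]

def build_base_dn(subject_dn, dncomps):
    """Subject RDNs named in DNComps; "" means the whole tree.  Order-mismatch error is our assumption."""
    comps = parse_comps(dncomps)
    if not comps:
        return ""
    if not dncomps_order_matches(subject_dn, dncomps):
        raise ValueError("DNComps order does not match the certificate subject")
    return ",".join(f"{t}={v}" for t, v in parse_dn(subject_dn) if t in comps)

def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_filter(subject_dn, filtercomps):
    """AND FilterComps attributes from the subject; e/mail -> mail= term; empty -> (objectclass=*)."""
    comps = parse_comps(filtercomps)
    if not comps:
        return "(objectclass=*)"
    subject = dict(parse_dn(subject_dn))
    terms = []
    for attr in comps:
        out, sources = ("mail", ("e", "mail")) if attr in ("e", "mail") else (attr, (attr,))
        value = next((subject[s] for s in sources if s in subject), None)
        if value is None:  # assumption: a missing component is a hard error
            raise ValueError(f"subject has no value for FilterComps entry '{attr}'")
        terms.append(f"({out}={escape_filter_value(value)})")
    return terms[0] if len(terms) == 1 else "(&" + "".join(terms) + ")"

def build_search(mapping, subject_dn):
    """(base_dn, filter, verifycert) for one certificate under one mapping."""
    props = mapping["props"]
    base = build_base_dn(subject_dn, props.get("DNComps", ""))
    if props.get("CmapLdapAttr"):  # subject DN matched on that attribute; FilterComps unused
        flt = f"({props['CmapLdapAttr']}={escape_filter_value(subject_dn)})"
    else:
        flt = build_filter(subject_dn, props.get("FilterComps", ""))
    return base, flt, props.get("verifycert", "").lower() == "on"
```

       Calling build_search(select_mapping(parse_certmap(SAMPLE_CERTMAP),
       issuer), SAMPLE_SUBJECT) with the three issuers in the sample shows
       the three paths: the default mapping searches under
       "cn=user_name,o=Example Inc.,c=US", the "example" mapping searches
       the whole tree with a filter from FilterComps, and the "cmap" mapping
       matches the full subject DN against certSubjectDN with verifycert
       on.  The filter escaping is the defender's point of the exercise:
       values placed in the filter come from a certificate the trusted CA
       signed, so it is the CA's issuance policy that bounds them, and
       escaping keeps an unusual subject value from changing the filter's
       structure.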

AUTHOR

       certmap.conf was written by the 389 Project.


REPORTING BUGS

       Report bugs to https://github.com/389ds/389-ds-base/issues/new

       Copyright © 2018 Red Hat, Inc.



                                 Jun 26, 2018                  CERTMAP.CONF(5)