HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

Three things are required for the Directory Server to allow client authentication:
The server must have SSL turned on. See “Starting the server with TLS/SSL enabled” (page 480) for more information.
The Administration Server must trust the CA that issued the certificate to the client, as described in step 6 of “Step 4: Trust the certificate authority” (page 476).
The subject DN in the certificate must be mapped to a user DN through a mapping in the certmap.conf file, as in “Mapping DNs to certificates” (page 490).
12.7.1 Configuring Directory Server to accept certificate-based authentication from LDAP clients
Client authentication to the Directory Server requires or allows a user to present a certificate to establish its identity, in addition to the server having to present its own certificate. This is also called certificate-based authentication.
1. On the client system, obtain a client certificate from the CA.
2. Install the client certificate on the client system.
Regardless of how the certificate is sent (either in email or on a web page), there should be a link to click to install the certificate.
Record the certificate information that is sent from the CA, especially the subject DN of the certificate, because the server must be configured to map it to an entry in the directory. The client certificate resembles the following:
-----BEGIN CERTIFICATE-----
MIICMjCCAZugAwIBAgICCEEwDQYJKoZIhvcNAQEFBQAwfDELMAkGA1UEBh
MCVVMxIzAhBgNVBAoTGlBhbG9va2FWaWxsZSBXaWRnZXRzLCBJbmMuMR0w
GwYDVQQLExRXaWRnZXQgTWFrZXJzICdSJyBVczEpMCcGA1UEAxMgVGVzdC
BUZXN0IFRlc3QgVGVzdCBUZXN0IFRlc3QgQ0EwHhcNOTgwMzEyMDIzMzU3
WhcNOTgwMzI2MDIzMzU3WjBPMQswCQYDVQQGEwJVUzEoMCYGA1UEChMfTm
V0c2NhcGUgRGlyZWN0b3
-----END CERTIFICATE-----
3. Convert the client certificate into binary format using the certutil utility.
certutil -L -d certdbPath -n userCertName -r > userCert.bin
certdbPath is the directory that contains the certificate database; for example, a user certificate for Mozilla Thunderbird is stored in $HOME/.thunderbird. userCertName is the name of the certificate, and userCert.bin is the name of the output file for binary format.
4. On the server, map the subject DN of the certificate to the appropriate directory entry by editing the certmap.conf file.
NOTE:
Do not map a certificate-based authentication certificate to a distinguished name under cn=monitor. Mapping a certificate to a DN under cn=monitor causes the bind operation to fail. Map the certificate to a target located elsewhere in the directory information tree. Make sure that the verifyCert parameter is set to on in the certmap.conf file. If this parameter is not set to on, Directory Server simply searches for an entry in the directory that matches the information in the certmap.conf file. If the search is successful, it grants access without actually checking the value of the userCertificate and userCertificate;binary attributes.
5. In the Directory Server, modify the directory entry for the user or identity (if it is another server) who owns the client certificate to add the userCertificate attribute.
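The following is an added example, not from the HP-UX Directory Server documentation or its tools, that works through steps 3 to 5 in Python: it decodes a PEM certificate to the binary DER form that certutil -r produces, builds the LDIF change record that adds userCertificate;binary to the user's entry, and models the difference the NOTE describes between verifyCert off (any entry found by the certmap search is accepted) and verifyCert on (the presented certificate must match a stored userCertificate value). The sample certificate bytes and the user DN are constructed placeholders, not a real X.509 certificate.

```python
import base64

# Constructed sample: NOT a real X.509 certificate, only placeholder bytes
# standing in for DER so the functions below can be exercised offline.
SAMPLE_DER = bytes(range(0x30, 0x30 + 90))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and decode the body to binary DER, the form
    certutil -r produces in step 3 (here from a PEM file instead)."""
    lines = [ln.strip() for ln in pem.splitlines()]
    if BEGIN not in lines or END not in lines:
        raise ValueError("not a PEM-armoured certificate")
    body = "".join(lines[lines.index(BEGIN) + 1:lines.index(END)])
    return base64.b64decode(body, validate=True)

def user_certificate_ldif(user_dn: str, der: bytes, width: int = 76) -> str:
    """LDIF change record for step 5: add userCertificate;binary to the user's
    entry. Binary values are base64 ('::'), folded at `width` columns with a
    leading space on continuation lines (RFC 2849)."""
    b64 = base64.b64encode(der).decode()
    head = "userCertificate;binary:: "
    folded, rest = [head + b64[:width - len(head)]], b64[width - len(head):]
    while rest:
        folded.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    record = [f"dn: {user_dn}", "changetype: modify",
              "add: userCertificate;binary"] + folded
    return "\n".join(record) + "\n"

def ldif_certificate_value(ldif: str) -> bytes:
    """Unfold and decode the userCertificate;binary value back out of an LDIF record."""
    for line in ldif.replace("\n ", "").splitlines():
        if line.startswith("userCertificate;binary:: "):
            return base64.b64decode(line.split(":: ", 1)[1])
    raise ValueError("no userCertificate;binary value in record")

def bind_allowed(presented_der: bytes, entry_certs, verifycert: bool) -> bool:
    """Model of the NOTE: entry_certs is None when the certmap search found no
    entry, else the entry's stored userCertificate values. verifycert off accepts
    any found entry without comparing; on requires presented == a stored value."""
    if entry_certs is None:
        return False
    if not verifycert:
        return True
    return any(presented_der == stored for stored in entry_certs)
```

The LDIF string is what you would feed to ldapmodify against the user's entry; the generated record folds the base64 value so no line exceeds 76 columns.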
12.7 Using certificate-based authentication 489