HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

a. Select the Directory tab, and navigate to the user entry.
b. Double-click the user entry, and use the Property Editor to add the userCertificate
attribute, with the binary subtype.
Because the attribute is binary, the Property Editor provides a Set Value button instead of an
editable field.
c. Click Set Value.
A file selector opens. Use it to select the binary file created in step 3.
For information on using the Directory Server Console to edit entries, see “Modifying directory
entries” (page 101).
For information on how to use TLS/SSL with ldapmodify, ldapdelete, and ldapsearch, see
“Connecting to the Directory Server with certificate-based authentication” (page 496) and the HP-UX
Directory Server configuration, command, and file reference.
12.7.2 Mapping DNs to certificates
When a server performs client authentication, it interprets a certificate, extracts user information,
then searches the directory for that information. In order to process certificates from different CAs,
the server uses a file called certmap.conf. This file contains instructions on how to interpret
different certificates and how to search the directory for the information that those certificates
contain.
In the Directory Server, a user entry has a format like the following:
dn: uid=jsmith,ou=People,dc=example,dc=com
...
cn: John Smith
mail: jsmith@example.com
A subject DN, however, is almost always formatted differently from an LDAP DN. For example:
cn=John Smith, e=jsmith@example.com, c=US, o=Example.com
The email attribute in the directory is almost always unique within the organization, and the
common name of the user usually is as well. These attributes are also indexed by default, so they are
easily searched, and they are common attributes in the subject names of certificates. The certmap.conf
file can be configured so that the server takes the email (e) and common name (cn) elements of the
subject DN and matches them against the mail and cn attributes of entries in the directory. Much
like an ldapsearch, a cert mapping defines which subject DN components form the search base
(DNComps) and which form the search filter (FilterComps):
certmap Example o=Example.com,c=US
Example:DNComps dc
Example:FilterComps mail,cn
The certmap.conf file is stored in the /etc/opt/dirsrv/slapd-instance_name directory.
The file contains a default mapping as well as mappings for specific CAs.
The default mapping specifies what the server should do if a client certificate was issued by a CA
that is not listed in certmap.conf. The mappings for specific CAs specify what the server should
do for client certificates issued by those CAs. All mappings define the following:
Where in the directory the server should begin its search
What certificate attributes the server should use as search criteria
Whether the server should verify the certificate with one that is stored in the directory
Mappings have the following syntax:
certmap name issuer DN
name:property [value]
name:property [value]
...
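The following simulator, added here as an illustration and not code from the Directory Server itself, shows how a certmap.conf mapping turns a client certificate's issuer and subject DN into the LDAP search base and filter described above. It parses a constructed certmap.conf modelled on the Example mapping, selects the mapping whose issuer DN matches (falling back to default), assembles the base DN from DNComps and an AND filter from FilterComps, and escapes the subject values before they are interpolated into the filter, since those values originate in the certificate rather than in the directory. The e-to-mail aliasing, the DNComps ordering, the fallback to the directory suffix when no listed component is present, and the rule that a missing FilterComps component makes the mapping fail are assumptions of this example, not documented server behaviour.

```python
"""Simulate certmap.conf subject-DN-to-LDAP-search mapping (added example,
not the Directory Server's own code)."""

# Constructed certmap.conf, modelled on the page's Example mapping.  The
# default mapping has an empty DNComps (search from the suffix) and filters
# on the e-mail component only.
CERTMAP_CONF = """\
certmap default default
default:DNComps
default:FilterComps e

certmap Example o=Example.com,c=US
Example:DNComps dc
Example:FilterComps mail,cn
"""

# Assumption: the subject DN spells the e-mail component e= (or emailAddress=)
# while the directory attribute is mail, as in the page's own example.
ALIASES = {"e": "mail", "email": "mail", "emailaddress": "mail"}


def alias(attr_type):
    """Map certificate attribute names onto directory attribute names."""
    return ALIASES.get(attr_type, attr_type)


def parse_dn(dn):
    """Split an RFC 4514 DN string into [(type, value), ...], honouring
    backslash escapes and lower-casing the attribute types."""
    comps, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            comps.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    comps.append("".join(buf))
    out = []
    for comp in comps:
        if comp.strip():
            typ, _, val = comp.partition("=")
            out.append((typ.strip().lower(), val.strip()))
    return out


def dn_key(dn):
    """Case-insensitive comparison key used to match the issuer DN."""
    return tuple((t, v.lower()) for t, v in parse_dn(dn))


def parse_certmap(text):
    """Parse 'certmap name issuerDN' headers and 'name:Property [value]' lines."""
    maps = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("certmap "):
            _, name, issuer = line.split(None, 2)
            maps[name] = {"issuer": issuer, "props": {}}
            continue
        key, _, value = line.partition(" ")
        name, _, prop = key.partition(":")
        if name not in maps:
            raise ValueError(f"property for undeclared mapping {name!r}: {line}")
        maps[name]["props"][prop.lower()] = value.strip()
    return maps


def escape_filter(value):
    """RFC 4515 escaping: subject components come from the certificate, so they
    are never interpolated into a search filter raw."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def escape_dn(value):
    """RFC 4514 escaping for values re-assembled into the search base DN."""
    return "".join("\\" + ch if ch in ',+"\\<>;' else ch for ch in value)


def build_search(conf_text, issuer_dn, subject_dn, suffix):
    """Return {'mapping', 'base', 'filter'} for one client certificate."""
    maps = parse_certmap(conf_text)
    chosen = "default"
    for name, m in maps.items():
        if name != "default" and dn_key(m["issuer"]) == dn_key(issuer_dn):
            chosen = name
            break
    props = maps[chosen]["props"]
    subject = [(alias(t), v) for t, v in parse_dn(subject_dn)]

    # DNComps (assumed assembled in configured order); an empty value, or no
    # listed component present in the subject, means search from the suffix.
    dncomps = [alias(c.strip().lower()) for c in props.get("dncomps", "").split(",") if c.strip()]
    base_parts = [f"{t}={escape_dn(v)}" for c in dncomps for t, v in subject if t == c]
    base = ",".join(base_parts) if base_parts else suffix

    # FilterComps: every listed component must be present, else the mapping fails
    # (this simulator's policy; it never falls back to an unrestricted filter).
    fcomps = [alias(c.strip().lower()) for c in props.get("filtercomps", "").split(",") if c.strip()]
    if not fcomps:
        raise ValueError(f"mapping {chosen!r} has no FilterComps")
    clauses = []
    for comp in fcomps:
        vals = [v for t, v in subject if t == comp]
        if not vals:
            raise ValueError(f"subject DN lacks {comp!r} required by mapping {chosen!r}")
        clauses.append(f"({comp}={escape_filter(vals[0])})")
    flt = clauses[0] if len(clauses) == 1 else "(&" + "".join(clauses) + ")"
    return {"mapping": chosen, "base": base, "filter": flt}


if __name__ == "__main__":
    print(build_search(CERTMAP_CONF, "o=Example.com,c=US",
                       "cn=John Smith, e=jsmith@example.com, c=US, o=Example.com",
                       "dc=example,dc=com"))
```

With the page's subject DN the Example mapping yields base dc=example,dc=com (the subject carries no dc component, so the suffix is used) and filter (&(mail=jsmith@example.com)(cn=John Smith)); a certificate from an issuer not listed in the file falls through to the default mapping. A subject whose cn contains filter metacharacters is escaped rather than changing the shape of the filter, which is the check to keep in mind whenever certificate contents drive a directory search.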
490 Managing SSL