HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

The first line of a mapping specifies the mapping's name as well as the DN for the issuer of the
client certificate. The mapping can have any name, but the issuerDN must exactly match the
issuer DN of the CA that issued the client certificate. For example, the following two issuerDN
lines differ only in the number of spaces they contain, but the server would treat these two entries
as different:
certmap moz ou=Example CA,o=Example,c=US
certmap moz ou=Example CA, o=Example, c=US
The second and subsequent lines of a mapping identify the rules that the server should use when
searching the directory for information extracted from a certificate. These rules are specified through
the use of one or more of the following properties:
DNComps
FilterComps
VerifyCert
CmapLdapAttr
Library
InitFn

DNComps
DNComps is a comma-separated list of relative distinguished name (RDN) keywords used to
determine where in the user directory the server should start searching for entries that match the
information for the owner of the client certificate. The server gathers values for these keywords
from the client certificate and uses the values to form a DN, which determines where the server
starts its search in the directory.
For example, if the DNComps is set to use the o and c RDN keywords, the server starts the search
from the o=org, c=country entry in the directory, where org and country are replaced with
values from the DN in the certificate.
If there is no DNComps entry in the mapping, the server uses either the CmapLdapAttr
setting or the entire subject DN in the client certificate to determine where to start searching.
If the DNComps entry is present but has no value, the server searches the entire directory tree
for entries matching the filter specified by FilterComps.
The following RDN keywords are supported for DNComps:
cn
ou
o
c
l
st
e or mail (but not both)
mail
Keywords can be in either lower case or upper case.

FilterComps
FilterComps is a comma-separated list of RDN keywords used to create a filter by gathering
information from the user's DN in the client certificate. The server uses the values for these keywords
to form the search criteria for matching entries in the LDAP directory. If the server finds one or more
entries in the directory that match the user's information gathered from the certificate, the search
is successful and the server performs a verification (if verifycert is set to on).
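
The following added example (not code from this guide or from the directory server) models how the issuerDN comparison, DNComps, and FilterComps rules described above turn a certificate subject DN into a search base and a search filter. The function names and the sample subject DN are constructed, and combining the filter terms with an AND is an assumption about the filter's form.

```python
# Illustrative model of the DNComps / FilterComps rules; not the server's own code.
# All function names and the sample DN below are constructed for this example.

def parse_dn(dn):
    """Split a simple DN into (keyword, value) pairs, in the order given.
    Assumes no escaped commas or multi-valued RDNs."""
    pairs = []
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        pairs.append((key.strip().lower(), value.strip()))
    return pairs

def escape_filter_value(value):
    """Escape RFC 4515 special characters so certificate data cannot alter the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

def keywords(spec):
    """Keyword lists are comma-separated and case-insensitive."""
    return {k.strip().lower() for k in spec.split(",") if k.strip()}

def search_base(subject_dn, dncomps):
    """dncomps: None = property absent, "" = present with no value, else a keyword list."""
    if dncomps is None:
        return subject_dn      # entire subject DN (the CmapLdapAttr case is not modelled)
    wanted = keywords(dncomps)
    if not wanted:
        return ""              # no value: search the entire directory tree
    return ",".join(f"{k}={v}" for k, v in parse_dn(subject_dn) if k in wanted)

def search_filter(subject_dn, filtercomps):
    """One equality term per FilterComps keyword found in the subject DN (AND is assumed)."""
    wanted = keywords(filtercomps)
    terms = [f"({k}={escape_filter_value(v)})"
             for k, v in parse_dn(subject_dn) if k in wanted]
    return "(&" + "".join(terms) + ")" if len(terms) > 1 else "".join(terms)

def issuer_matches(configured, presented):
    """Exact string comparison: issuer DNs that differ only in spacing do not match."""
    return configured == presented

SUBJECT = "cn=Jane Doe (test),ou=People,o=Example,c=US"   # constructed sample

if __name__ == "__main__":
    print(search_base(SUBJECT, "o,c"))       # base built from the o and c values
    print(search_filter(SUBJECT, "cn,ou"))   # filter built from the cn and ou values
```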