HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

12.7.3 Editing the certmap.conf file
1. In a text editor, open /etc/opt/dirsrv/slapd-instance/certmap.conf
2. If necessary, make changes to the default mapping.
For example, change the value for DNComps or FilterComps. To comment out a line, insert
a # before it.
3. If desired, create a mapping for a specific CA.
The mapping should take the form certmap mappingName issuerDN.
For example, to create a mapping named Example CA that has the issuer DN
ou=example CA, o=example, c=US, enter the following:
certmap Example CA ou=example CA, o=example, c=US
4. Add property settings for a specific CA's mapping.
Specify the Library and InitFn properties before adding any additional properties.
When adding a property, use the form mappingName:propertyName value.
For example, add a DNComps value of o, c for Example CA by entering the following line:
Example CA:DNComps o, c
With the Library and InitFn properties included, a complete mapping looks like this:
certmap Example CA ou=example CA, o=example, c=US
Example CA:Library /ldapserver/ldap/servers/slapd/plugin.c
Example CA:InitFn plugin_init_dn
Example CA:DNComps o, c
Example CA:FilterComps e, uid
Example CA:VerifyCert on
Example CA:CmapLdapAttr certSubjectDN
5. Save the certmap.conf file.
12.7.4 Example certmap.conf mappings
In Example 23 “Default mapping”, the server starts its search at the directory branch point containing
the entry ou=organizationalUnit, o=organization, c=country, where organizationalUnit, organization,
and country represent values from the subject's DN in the client certificate.
Example 23 Default mapping
certmap default default
default:DNComps ou, o, c
default:FilterComps e, uid
default:verifycert on
The server then uses the values for e (email address) and uid (user ID) from the certificate to search
for a match in the directory before authenticating the user. When it finds a matching entry, the
server verifies the certificate by comparing the certificate the client sent to the certificate stored in
the directory.
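The lookup described above, modelled as an added Python example (not code from this guide or from the server): it parses certmap.conf text, selects a mapping by issuer DN, and derives the search base from DNComps and the search filter from FilterComps. The fallback to default for an unmatched issuer, the use of mail as the filter attribute for e, and all function names are assumptions of this example.

```python
# Added illustration (not server code): simplified model of a certmap.conf lookup.
import re

SAMPLE_CONF = """\
# constructed sample, built from the mappings shown on this page
certmap default default
default:DNComps ou, o, c
default:FilterComps e, uid
certmap Example CA ou=example CA, o=example, c=US
Example CA:DNComps o, c
Example CA:FilterComps e, uid
"""

def parse_dn(dn):
    """Split 'k=v, k=v' into ordered (key, value) pairs; escaped commas unsupported."""
    return [tuple(p.strip() for p in rdn.split("=", 1)) for rdn in dn.split(",")]

def parse_certmap(text):
    """Return {mappingName: {'issuer': issuerDN, propertyname: value}}."""
    maps = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("certmap "):
            # The name may contain spaces, so the issuer DN starts at the first attr=.
            m = re.match(r"certmap\s+(.+?)\s+(default|\w+=.*)$", line)
            maps[m.group(1)] = {"issuer": m.group(2)}
        else:  # mappingName:propertyName value
            name, rest = line.split(":", 1)
            prop, _, value = rest.strip().partition(" ")
            maps[name][prop.lower()] = value.strip()
    return maps

def ldap_escape(value):
    """Escape RFC 4515 special characters so certificate values cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def resolve(maps, issuer_dn, subject_dn):
    """Pick the mapping for the issuer (else default); return (search base, filter)."""
    norm = lambda dn: [(k.lower(), v.lower()) for k, v in parse_dn(dn)]
    chosen = next((m for n, m in maps.items()
                   if n != "default" and norm(m["issuer"]) == norm(issuer_dn)),
                  maps["default"])
    subject = {k.lower(): v for k, v in parse_dn(subject_dn)}
    comps = lambda key: [c.strip().lower() for c in chosen.get(key, "").split(",") if c.strip()]
    base = ", ".join(f"{c}={subject[c]}" for c in comps("dncomps") if c in subject)
    attr = lambda c: "mail" if c == "e" else c  # assumption: e is matched against mail
    terms = [f"({attr(c)}={ldap_escape(subject[c])})" for c in comps("filtercomps") if c in subject]
    return base, "(&" + "".join(terms) + ")"
```

A property line whose mapping name does not exactly match a preceding certmap line raises KeyError in this model, which makes a mistyped mapping name visible before the file is deployed.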
Example 24 “An additional mapping” shows the contents of a sample certmap.conf file that
defines a default mapping as well as a mapping for MyCA:
12.7 Using certificate-based authentication 493