HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

Example 24 An additional mapping
certmap default default
default:DNComps
default:FilterComps e, uid
certmap MyCA ou=MySpecialTrust,o=MyOrg,c=US
MyCA:DNComps ou,o,c
MyCA:FilterComps e
MyCA:verifycert on
When the server gets a certificate from a CA other than MyCA, the server uses the default mapping,
which starts at the top of the directory tree and searches for an entry matching the client's email
address (e) and user ID (uid). If the certificate is from MyCA, the server starts its search at the
directory branch containing the organizational unit specified in the subject DN and searches for
email addresses (e) that match the one specified in the certificate. If the certificate is from MyCA,
the server verifies the certificate. If the certificate is from another CA, the server does not verify it.
Example 25 “A Mapping with an attribute search” uses the CmapLdapAttr property to search
the directory for an attribute called certSubjectDN whose value exactly matches the entire
subject DN in the client certificate:
Example 25 A Mapping with an attribute search
certmap MyCo ou=My Company Inc, o=MyCo, c=US
MyCo:CmapLdapAttr certSubjectDN
MyCo:DNComps o, c
MyCo:FilterComps mail, uid
MyCo:verifycert on
If the subject DN in the client certificate is uid=jsmith, o=example Inc, c=US, then the
server searches for entries that have certSubjectDN=uid=jsmith, o=example Inc, c=US.
If one or more matching entries are found, the server proceeds to verify the entries. If no matching
entries are found, the server uses DNComps and FilterComps to search for matching entries.
For the client certificate described above, the server would search for uid=jsmith in all entries
under o=example Inc, c=US.
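The following is an added example, not code from the HP-UX Directory Server guide: an in-memory model of how a certmap.conf mapping (DNComps, FilterComps, CmapLdapAttr) selects directory entries for a certificate subject DN, including the CmapLdapAttr-first, DNComps/FilterComps-fallback behaviour of Example 25. It assumes DNs are simple comma-separated "attr=value" strings, values compare case-insensitively, and the sample entries and their attribute names are constructed for illustration.

```python
# Added example (not the guide's code): models certmap.conf mapping logic on an
# in-memory directory. Assumptions: simple "attr=value" DNs, case-insensitive value
# matching, lowercase attribute names in entries, and constructed sample data.

def parse_dn(dn):
    # 'uid=jsmith, o=example Inc, c=US' -> [('uid','jsmith'), ('o','example Inc'), ('c','US')]
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs

def norm_dn(dn):
    return ",".join(f"{a}={v.lower()}" for a, v in parse_dn(dn))  # canonical form for comparison

def search_base(subject_dn, dn_comps):
    """DNComps keeps the listed attribute types of the subject DN; empty DNComps = root."""
    wanted = [c.strip().lower() for c in dn_comps.split(",") if c.strip()]
    return ",".join(f"{a}={v}" for a, v in parse_dn(subject_dn) if a in wanted)

def under_base(entry_dn, base):
    nb = norm_dn(base)
    return base == "" or norm_dn(entry_dn) == nb or norm_dn(entry_dn).endswith("," + nb)

def filter_matches(entry, subject_dn, filter_comps):
    """FilterComps ANDs the listed attributes using the subject DN's values; attributes
    absent from the subject are skipped (the guide's uid=jsmith case); none left = no match."""
    subject = dict(parse_dn(subject_dn))
    present = [c.strip().lower() for c in filter_comps.split(",") if c.strip().lower() in subject]
    if not present:  # modelling assumption: refuse rather than match every entry
        return False
    return all(entry.get(c, "").lower() == subject[c].lower() for c in present)

def map_certificate(subject_dn, mapping, directory):
    """DNs selected by the mapping: an exact CmapLdapAttr match wins, otherwise a
    DNComps-scoped search filtered by FilterComps (the fallback described for Example 25)."""
    attr = mapping.get("CmapLdapAttr", "").lower()
    if attr:
        hits = [e["dn"] for e in directory if norm_dn(e.get(attr, "")) == norm_dn(subject_dn)]
        if hits:
            return hits
    base = search_base(subject_dn, mapping.get("DNComps", ""))
    return [e["dn"] for e in directory
            if under_base(e["dn"], base) and filter_matches(e, subject_dn, mapping["FilterComps"])]

MYCO = {"CmapLdapAttr": "certSubjectDN", "DNComps": "o, c", "FilterComps": "mail, uid"}  # Example 25
DIRECTORY = [  # constructed sample entries, not real data
    {"dn": "uid=jsmith,ou=People,o=example Inc,c=US", "uid": "jsmith",
     "mail": "jsmith@example.com", "certsubjectdn": "uid=jsmith, o=example Inc, c=US"},
    {"dn": "uid=jsmith,o=other Corp,c=US", "uid": "jsmith", "mail": "jsmith@other.example"},
]
```

Calling map_certificate with the guide's subject DN returns the entry matched via certSubjectDN; a subject DN with no certSubjectDN match falls back to the uid search scoped under the o and c components, so the same uid under a different organization is not selected.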
12.7.5 Allowing and requiring client authentication to the console
Client authentication must be explicitly set in the Directory Server.
1. Click the Configuration tab.
2. With the top server entry highlighted in the left navigation pane, click the Encryption tab in
the main window.
3. Set whether to require or allow client authentication to the Directory Server.
494 Managing SSL