HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

NOTE:
A single configuration parameter, nsslapd-certdir, in cn=config in dse.ldif lists the directory containing the key, certificate, and security files. The directory name should be unique and specific to the server. For example, the /etc/opt/dirsrv/slapd-instance_name directory contains the key and certificate databases only for the Directory Server instance called instance_name. That directory will not contain key and certificate databases for any other server or client, nor will any of the key, certificate, or other security-related files for instance_name be located in any other directory.

Directory Server used to keep separate configuration attributes for the key and certificate databases. With the change to the Filesystem Hierarchy Standard, the certificate and key configuration attributes have been consolidated into a single attribute, nsslapd-certdir, and the key and certificate files are stored in the /etc/opt/dirsrv/slapd-instance_name directory.

Previous versions of Directory Server used a single directory, /var/opt/netscape/server7/alias, for all security-related files for all servers, and required a unique prefix, such as slapd-instance-, for the key, certificate, and security-related files. The Directory Server used the attributes nsCertFile and nsKeyFile to give the locations for the key and certificate databases.
When a server receives a request from a client, it can ask for the client's certificate before proceeding.

After checking that a client certificate chain ends with a trusted CA, the server can optionally determine which user is identified by the client certificate, then look up that user's entry in the directory. Each certificate has the name of the identity it verifies in a subject name, called the subject DN. The server authenticates the user by comparing the information in the subject DN with the DN of the user's directory entry.
In order to locate user entries in the directory, a server must know how to interpret the subject names of certificates from different CAs. The mapping between the subject names of the certificates and the user DNs is defined in the certmap.conf file. This file provides three kinds of information for each listed CA:

- It maps the distinguished name (DN) in the certificate to a branch point in the LDAP directory.
- It specifies which DN values from the certificate (user name, email address, and so on) the server should use for the purpose of searching the directory.
- It specifies whether the server should go through an additional verification process. This process involves comparing the certificate presented for authentication with the certificate stored in the user's directory entry. By comparing the certificate, the server determines whether to allow access or whether to revoke a certificate by removing it from the user's entry.
If more than one directory entry contains the information in the user's certificate, the server can examine all matching entries in order to determine which user is trying to authenticate. When examining a directory entry, the server compares the presented certificate with the one stored in the entry. If the presented certificate does not match any certificates or if the matching entries do not contain certificates, client authentication fails.

After the server finds a matching entry and certificate in the directory, it can determine the appropriate kind of authorization for the client. For example, some servers use information from a user's entry to determine group membership, which in turn can be used during evaluation of ACIs to determine what resources the user is authorized to access.
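The mapping and verification steps described above, as an added Python model that is not the server's own code: it reads certmap.conf-style entries (the DNComps, FilterComps and verifycert properties of that file format), derives the search base and LDAP filter from a certificate's issuer and subject DN, and then applies the optional certificate comparison against a constructed in-memory stand-in for the directory. The sample certmap.conf, the entry DNs and the certificate bytes are constructed for this example.

```python
# Added illustrative model of certmap.conf subject-DN mapping; not Directory Server code.
CERTMAP = """\
certmap default default
default:DNComps
default:FilterComps e
default:verifycert on
certmap example o=Example Corp,c=US
example:DNComps o,c
example:FilterComps cn
example:verifycert on
"""

# Constructed stand-in for the directory: entry DN -> attributes.
DIRECTORY = {
    "cn=Jane Doe,ou=People,o=Example Corp,c=US": {
        "cn": "Jane Doe", "e": "jane@example.com",
        "usercertificate": b"CONSTRUCTED-CERT-JANE"},
}

def parse_dn(dn):
    """'cn=Jane Doe,o=Example Corp' -> {'cn': 'Jane Doe', 'o': 'Example Corp'}."""
    return {k.strip().lower(): v.strip() for k, v in
            (p.split("=", 1) for p in dn.split(",") if "=" in p)}

def parse_certmap(text):
    """Parse 'certmap name issuerDN' headers and their 'name:property value' lines."""
    maps = {}
    for line in text.splitlines():
        if line.startswith("certmap "):
            _, name, issuer = line.split(" ", 2)
            maps[name] = {"issuer": issuer.strip(), "DNComps": None,
                          "FilterComps": None, "verifycert": "off"}
        elif ":" in line:
            name, rest = line.split(":", 1)
            prop, _, value = rest.partition(" ")
            maps[name][prop] = value.strip()   # absent property stays None; empty value is ""
    return maps

def lookup(maps, issuer, subject):
    """Return (search base, LDAP filter, verify flag) for a cert's issuer and subject DN."""
    entry = next((m for m in maps.values() if m["issuer"].lower() == issuer.lower()),
                 maps["default"])                # unknown CA falls back to the default entry
    subj = parse_dn(subject)
    if entry["DNComps"] is None:                 # property absent: whole subject DN is the base
        base = subject
    else:                                        # listed components only; empty list -> whole tree
        comps = [c.strip().lower() for c in entry["DNComps"].split(",")]
        base = ",".join(f"{c}={subj[c]}" for c in comps if c and c in subj)
    fcomps = [c.strip().lower() for c in (entry["FilterComps"] or "").split(",")]
    terms = {c: subj[c] for c in fcomps if c and c in subj}
    filt = "(&" + "".join(f"({k}={v})" for k, v in terms.items()) + ")" if terms else "(objectclass=*)"
    return base, filt, entry["verifycert"] == "on"

def authenticate(maps, issuer, subject, presented_cert):
    """Map the cert, search the stand-in directory, then compare the stored certificate."""
    base, filt, verify = lookup(maps, issuer, subject)
    terms = dict(t.split("=", 1) for t in filt[2:-1].strip("()").split(")(")) if filt.startswith("(&") else {}
    for dn, attrs in DIRECTORY.items():
        if not dn.lower().endswith(base.lower()):
            continue                             # outside the branch point
        if any(attrs.get(k) != v for k, v in terms.items()):
            continue                             # filter does not match this entry
        if verify and attrs.get("usercertificate") != presented_cert:
            continue                             # entry matches but cert differs or is missing
        return dn
    return None                                  # no matching entry: client authentication fails
```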