HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

For example, if FilterComps is set to use the e and uid attribute keywords
(FilterComps=e,uid), the server searches the directory for an entry whose values for e and
uid match the user's information gathered from the client certificate. Email addresses and user
IDs are good filters because they are usually unique entries in the directory.
The filter needs to be specific enough to match one and only one entry in the directory.
The following RDN keywords are supported for FilterComps:
cn
ou
o
c
l
st
e or mail (but not both)
mail
Keywords can be in either lower case or upper case.
VerifyCert
VerifyCert tells the server whether it should compare the client's certificate with the certificate
found in the user's directory entry. The value is either on or off. Setting the value to on ensures
that the server will not authenticate the client unless the certificate presented exactly matches the
certificate stored in the directory. Setting the value to off disables the verification process.
CmapLdapAttr
CmapLdapAttr is the name of the attribute in the directory that contains subject DNs from all
certificates belonging to the user. Because this attribute is not a standard LDAP attribute, this attribute
must be added to the schema. See “Creating attributes” (page 433) for information on adding
schema elements.
If the CmapLdapAttr property exists in a certmap.conf mapping, the server searches the entire
directory for an entry that contains the subject's full DN. The search criteria are the attribute named
by CmapLdapAttr and the subject's full DN as listed in the certificate. If the search does not yield
any entries, the server retries the search using the DNComps and FilterComps mappings. The
search will take place more quickly if the attribute specified by CmapLdapAttr is indexed. For
more information on indexing attributes, see “Managing Indexes” (page 449).
Using CmapLdapAttr to match a certificate to a directory entry is useful when it is difficult to
match entries using DNComps and FilterComps.
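The following is an added example, not code from this guide or from the HP-UX Directory Server product. It models the lookup order described for FilterComps, VerifyCert and CmapLdapAttr against a small constructed in-memory directory: the CmapLdapAttr subject-DN lookup is tried first, then the FilterComps search, the search must match exactly one entry, and VerifyCert=on additionally requires the presented certificate to equal one stored in the entry. The attribute names the keywords resolve to (in particular e to mail), the certSubjectDN attribute name, and the directory contents are assumptions of the example. It also shows why subject values taken from a client certificate must be escaped before being placed in a search filter.

```python
# Added example (not the guide's or the product's code): a model of the certmap.conf
# lookup sequence, run against a constructed in-memory directory.

# Keyword -> directory attribute. The guide lists the keywords; the attribute names
# they resolve to (notably 'e' -> 'mail') are an assumption of this example.
KEYWORD_TO_ATTR = {
    "cn": "cn", "ou": "ou", "o": "o", "c": "c", "l": "l", "st": "st",
    "e": "mail", "mail": "mail", "uid": "uid",
}

def escape_filter_value(value):
    """RFC 4515 escaping for a value interpolated into an LDAP filter.
    Subject components come from a client-supplied certificate, so they must
    not be able to change the structure of the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)

def parse_filter_comps(filter_comps):
    """Turn 'e,uid' (in either case) into (keyword, attribute) pairs."""
    pairs = []
    for kw in filter_comps.split(","):
        kw = kw.strip().lower()          # keywords may be upper or lower case
        if kw not in KEYWORD_TO_ATTR:
            raise ValueError("unsupported FilterComps keyword: %r" % kw)
        pairs.append((kw, KEYWORD_TO_ATTR[kw]))
    return pairs

def build_filter(filter_comps, subject):
    """Build the LDAP search filter for this certificate.
    `subject` is the certificate subject as a dict of lower-case keyword -> value."""
    clauses = []
    for kw, attr in parse_filter_comps(filter_comps):
        if kw not in subject:
            raise ValueError("certificate subject has no %s component" % kw)
        clauses.append("(%s=%s)" % (attr, escape_filter_value(subject[kw])))
    return clauses[0] if len(clauses) == 1 else "(&" + "".join(clauses) + ")"

def _matches(entry, filter_comps, subject):
    # Exact, case-insensitive equality on every FilterComps attribute.
    return all(
        any(v.lower() == subject[kw].lower() for v in entry.get(attr, []))
        for kw, attr in parse_filter_comps(filter_comps)
    )

def map_certificate(directory, subject_dn, subject, cert_der, filter_comps,
                    verify_cert=True, cmap_ldap_attr=None):
    """Return the DN the certificate maps to, or None if mapping fails."""
    candidates = []
    if cmap_ldap_attr:
        # CmapLdapAttr: look for an entry holding the certificate's full subject DN.
        candidates = [e for e in directory if subject_dn in e.get(cmap_ldap_attr, [])]
    if not candidates:
        # Fall back to the FilterComps search.
        candidates = [e for e in directory if _matches(e, filter_comps, subject)]
    if len(candidates) != 1:
        return None                      # no match, or ambiguous: both are failures
    entry = candidates[0]
    if verify_cert and cert_der not in entry.get("userCertificate", []):
        return None                      # presented certificate is not the stored one
    return entry["dn"]

# Constructed directory contents and certificate subject (not real data).
DIRECTORY = [
    {"dn": "uid=jdoe,ou=People,dc=example,dc=com", "cn": ["John Doe"], "uid": ["jdoe"],
     "mail": ["jdoe@example.com"], "userCertificate": [b"CERT-JDOE"],
     "certSubjectDN": ["E=jdoe@example.com,UID=jdoe,CN=John Doe,O=Example,C=US"]},
    {"dn": "uid=jdoe2,ou=People,dc=example,dc=com", "cn": ["John Doe"], "uid": ["jdoe2"],
     "mail": ["jdoe2@example.com"], "userCertificate": [b"CERT-JDOE2"]},
]
SUBJECT = {"e": "jdoe@example.com", "uid": "jdoe", "cn": "John Doe", "o": "Example", "c": "US"}
SUBJECT_DN = "E=jdoe@example.com,UID=jdoe,CN=John Doe,O=Example,C=US"

if __name__ == "__main__":
    print(build_filter("E,UID", SUBJECT))
    # FilterComps=cn matches two entries, so the mapping is rejected as ambiguous.
    print(map_certificate(DIRECTORY, SUBJECT_DN, SUBJECT, b"CERT-JDOE", "cn"))
    print(map_certificate(DIRECTORY, SUBJECT_DN, SUBJECT, b"CERT-JDOE", "e,uid"))
    # VerifyCert=on rejects a certificate that is not the one stored in the entry.
    print(map_certificate(DIRECTORY, SUBJECT_DN, SUBJECT, b"OTHER-CERT", "e,uid"))
    print(map_certificate(DIRECTORY, SUBJECT_DN, SUBJECT, b"CERT-JDOE", "cn",
                          cmap_ldap_attr="certSubjectDN"))
```

The ambiguous FilterComps=cn case is the one the text warns about: two entries share the cn, so the filter is not specific enough and the mapping must fail rather than pick one. With CmapLdapAttr set, the same certificate maps directly through its subject DN without needing the FilterComps search at all.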
Library
Library is the pathname to a shared library or DLL. Use this property only to extend or replace
the standard functions that map information in certmap.conf to entries in the directory. This
property is typically not necessary unless there are very specialized mapping requirements.
InitFn
InitFn is the name of an init function from a custom library. You need to use this property only
if you want to extend or replace the functions that map information in certmap.conf to entries
in the directory. This property is typically not necessary unless you have very specialized mapping
requirements.
492 Managing SSL