Appendix C. Publishing Module Reference
• Section C.2.5, “LdapDNCompsMap”
C.2.1. LdapCaSimpleMap
The LdapCaSimpleMap plug-in module configures a Certificate Manager to create an entry for the CA in an LDAP directory automatically and then map the CA's certificate to the directory entry by formulating the entry's DN from components specified in the certificate request, certificate subject name, certificate extension, and attribute value assertion (AVA) constants. For more information on AVAs, check the directory documentation.
The CA certificate mapper specifies whether to create an entry for the CA, to map the certificate to an existing entry, or to do both.
If a CA entry already exists in the publishing directory and the value assigned to the dnPattern parameter of this mapper is changed, but the uid and o attributes are the same, the mapper fails to create the second CA entry. For example, if the directory already has a CA entry for uid=CA,ou=Marketing,o=example.com and a mapper is configured to create another CA entry with uid=CA,ou=Engineering,o=example.com, the operation fails.
The operation may fail because the directory has the UID Uniqueness plug-in set to a specific base DN. This setting prevents the directory from having two entries with the same UID under that base DN. In this example, it prevents the directory from having two entries under o=example.com with the same UID, CA.
If the mapper fails to create a second CA entry, check the base DN to which the UID Uniqueness plug-in is set, and check if an entry with the same UID already exists in the directory. If necessary, adjust the mapper setting, remove the old CA entry, comment out the plug-in, or create the entry manually.
During installation, the Certificate Manager automatically creates two instances of the CA certificate mapper module. The mappers are named as follows:
• LdapCrlMap for CRLs (see Section C.2.1.2, “LdapCrlMap”)
• LdapCaCertMap for CA certificates (see Section C.2.1.1, “LdapCaCertMap”).
Parameter: createCAEntry
Description: Creates a CA's entry, if selected (default). If selected, the Certificate Manager first attempts to create an entry for the CA in the directory. If the Certificate Manager succeeds in creating the entry, it then attempts to publish the CA's certificate to the entry. If this is not selected, the entry must already be present in order to publish to it.

Parameter: dnPattern
Description: Specifies the DN pattern the Certificate Manager uses to construct the DN with which it searches for the CA's entry in the publishing directory. The value of dnPattern can be a list of AVAs separated by commas. An AVA can be a variable, such as cn=$subj.cn, that the Certificate Manager derives from the certificate subject name, or a constant, such as o=Example Corporation.
If the CA certificate does not have the cn component in its subject name, adjust the CA certificate mapping DN pattern to reflect the DN of the entry in the directory where the CA certificate is to be published. For example, if the CA certificate subject DN is o=Example Corporation and the CA's entry in the directory is cn=Certificate Authority, o=Example Corporation, the pattern is cn=Certificate Authority, o=$subj.o.
• Example 1: uid=CertMgr, o=Example Corporation
• Example 2: cn=$subj.cn,ou=$subj.ou,o=$subj.o,c=US
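The following is an added illustration, not code from Certificate System: it expands a dnPattern against a certificate subject DN the way the mapper descriptions above imply (constants copied, $subj.<attr> replaced from the subject), reports which referenced components the subject lacks, and models the UID Uniqueness conflict from the Marketing/Engineering example. The DN parser is a deliberately minimal assumption (unescaped commas only), and all DNs are constructed samples.

```python
import re

def parse_dn(dn):
    """Split a DN string into ordered (attribute, value) pairs.
    Minimal parser for the examples on this page: splits on unescaped
    commas, trims whitespace, lower-cases attribute types."""
    comps = []
    for rdn in re.split(r'(?<!\\),', dn):
        attr, _, value = rdn.partition('=')
        comps.append((attr.strip().lower(), value.strip()))
    return comps

# Only the $subj.<attr> variable form shown on this page is modelled.
_VAR = re.compile(r'\$subj\.(\w+)')

def missing_components(pattern, subject_dn):
    """List the $subj.<attr> variables in pattern that the subject DN
    cannot supply (the page's 'no cn in the subject' case)."""
    subj = dict(parse_dn(subject_dn))
    return [a.lower() for _, v in parse_dn(pattern)
            for a in _VAR.findall(v) if a.lower() not in subj]

def expand_dn_pattern(pattern, subject_dn):
    """Build the entry DN from a dnPattern and a certificate subject DN.
    Raises KeyError when the subject lacks a referenced component, which
    is the signal to adjust dnPattern as the text above recommends."""
    missing = missing_components(pattern, subject_dn)
    if missing:
        raise KeyError(f"subject lacks {missing}; adjust dnPattern")
    subj = dict(parse_dn(subject_dn))
    return ','.join(f"{a}={_VAR.sub(lambda m: subj[m.group(1).lower()], v)}"
                    for a, v in parse_dn(pattern))

def _norm(dn):
    return [(a, v.lower()) for a, v in parse_dn(dn)]

def uid_conflict(existing_dns, new_dn, uniqueness_base):
    """Mirror the UID Uniqueness plug-in: True when another entry under
    uniqueness_base already carries the uid value of new_dn."""
    base, new = _norm(uniqueness_base), _norm(new_dn)
    new_uid = dict(new).get('uid')
    if new_uid is None or new[-len(base):] != base:
        return False
    for dn in existing_dns:
        comps = _norm(dn)
        if (comps[-len(base):] == base and comps != new
                and dict(comps).get('uid') == new_uid):
            return True
    return False
```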