Chapter 5, Working with Server Security
137
Using Client Certificates
The second and subsequent lines in the named mapping match properties with values. The certmap.conf file has six default properties (you can use the certificate API to customize your own properties):

• DNComps is a list of comma-separated attributes used to determine where in the LDAP directory the server should start searching for entries that match the user's information (that is, the owner of the client certificate). The server gathers values for these attributes from the client certificate and uses the values to form an LDAP DN, which then determines where the server starts its search in the LDAP directory. For example, if you set DNComps to use the o and c attributes of the DN, the server starts the search from the o=<org>, c=<country> entry in the LDAP directory, where <org> and <country> are replaced with values from the DN in the certificate.

  Note the following situations:

  • If there isn't a DNComps entry in the mapping, the server uses either the CmapLdapAttr setting or the entire subject DN in the client certificate (that is, the end-user's information).

  • If the DNComps entry is present but has no value, the server searches the entire LDAP tree for entries matching the filter.

• FilterComps is a list of comma-separated attributes used to create a filter by gathering information from the user's DN in the client certificate. The server uses the values for these attributes to form the search criteria used to match entries in the LDAP directory. If the server finds one or more entries in the LDAP directory that match the user's information gathered from the certificate, the search is successful and the server optionally performs a verification.

  For example, if FilterComps is set to use the email and userid attributes (FilterComps=e,uid), the server searches the directory for an entry whose values for email and uid match the end user's information gathered from the client certificate. Email addresses and userids are good filters because they are usually unique entries in the directory. The filter needs to be specific enough to match one and only one entry in the LDAP database.
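The following added example (not code from the Netscape guide or the server itself) models how a certmap.conf mapping turns the subject DN of a client certificate into an LDAP base DN (from DNComps) and a search filter (from FilterComps), including the two DNComps special cases described above, and then runs the search against a small in-memory directory constructed for the example. The mapping names, directory entries and certificate subjects are constructed; the "certmap <name> <issuerDN>" and "<name>:<property> <value>" line syntax is assumed from the certmap.conf format, since this excerpt only shows FilterComps=e,uid inline; CmapLdapAttr is mentioned in a comment but not modelled. Values copied from the certificate into the filter are escaped per RFC 4515, and resolve_user enforces the one-and-only-one-entry requirement the text states.

```python
"""Added example, not code from the Netscape guide or server: how a certmap.conf
mapping turns a client certificate's subject DN into an LDAP base DN (DNComps)
and search filter (FilterComps), and what each DNComps case does."""
import re
# Constructed certmap.conf text. The "certmap <name> <issuerDN>" and
# "<name>:<property> <value>" line syntax is assumed from the certmap.conf
# format; this excerpt of the guide shows only "FilterComps=e,uid" inline.
CERTMAP_CONF = """\
certmap default default
default:DNComps o,c
default:FilterComps e,uid
certmap wholetree o=Example Corp, c=US
wholetree:DNComps
wholetree:FilterComps uid
certmap nodncomps o=Example Corp, c=US
nodncomps:FilterComps uid
"""

# Constructed in-memory stand-in for the LDAP directory.
DIRECTORY = [
    {"dn": "uid=jdoe, ou=People, o=Example Corp, c=US", "uid": "jdoe", "e": "jdoe@example.com"},
    {"dn": "uid=jdoe, ou=Contractors, o=Example Corp, c=US", "uid": "jdoe", "e": "jdoe@contract.example"},
    {"dn": "uid=asmith, ou=People, o=Example Corp, c=US", "uid": "asmith", "e": "asmith@example.com"},
]

def parse_certmap(text):  # {mapping_name: {property: value}}; a bare property keeps value ''
    mappings = {}
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        if line.startswith("certmap "):  # "certmap <name> <issuerDN>" opens a mapping
            mappings.setdefault(line.split()[1], {})
            continue
        head, _, value = line.partition(" ")
        name, _, prop = head.partition(":")
        mappings.setdefault(name, {})[prop] = value.strip()
    return mappings

def parse_dn(dn):
    """'attr=value, attr=value' -> [(attr_lower, value)], honouring escaped commas."""
    comps = []
    for part in re.split(r"(?<!\\),", dn):
        if part.strip():
            attr, _, value = part.strip().partition("=")
            comps.append((attr.strip().lower(), value.strip()))
    return comps

def dn_to_str(comps):
    return ", ".join(f"{a}={v}" for a, v in comps)

def comp_list(mapping, prop):  # attribute names in a comma-separated property
    return [a.strip().lower() for a in mapping.get(prop, "").split(",") if a.strip()]

def pick(subject_comps, wanted):
    """(attr, first value in the subject DN) for each wanted attribute."""
    first = dict(reversed(subject_comps))  # earlier components win on duplicates
    missing = [a for a in wanted if a not in first]
    if missing:
        raise ValueError(f"certificate subject lacks attribute(s) {missing}")
    return [(a, first[a]) for a in wanted]

def escape_filter_value(value):
    """RFC 4515 escaping so a certificate-supplied value cannot alter filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def build_base_dn(mapping, subject_comps):
    """The three DNComps cases the guide lists."""
    if "DNComps" not in mapping:
        # guide: CmapLdapAttr if set, else the entire subject DN (CmapLdapAttr not modelled)
        return dn_to_str(subject_comps)
    wanted = comp_list(mapping, "DNComps")
    if not wanted:
        return ""  # present but empty: search the whole tree
    return dn_to_str(pick(subject_comps, wanted))

def build_filter(mapping, subject_comps):  # -> (filter string, [(attr, value)])
    wanted = comp_list(mapping, "FilterComps")
    if not wanted:
        raise ValueError("FilterComps names no attributes; filter would match every entry")
    pairs = pick(subject_comps, wanted)
    clauses = "".join(f"({a}={escape_filter_value(v)})" for a, v in pairs)
    return (clauses if len(pairs) == 1 else f"(&{clauses})"), pairs

def search(directory, base_dn, pairs):  # entries at/below base_dn ('' = whole tree)
    base = dn_to_str(parse_dn(base_dn)).lower()
    hits = []
    for entry in directory:
        dn = dn_to_str(parse_dn(entry["dn"])).lower()
        in_scope = base == "" or dn == base or dn.endswith(", " + base)
        if in_scope and all(entry.get(a) == v for a, v in pairs):
            hits.append(entry["dn"])
    return hits

def map_certificate(mappings, name, subject_dn, directory=DIRECTORY):
    comps, mapping = parse_dn(subject_dn), mappings[name]
    base = build_base_dn(mapping, comps)
    filt, pairs = build_filter(mapping, comps)
    return {"base": base, "filter": filt, "matches": search(directory, base, pairs)}

def resolve_user(mappings, name, subject_dn, directory=DIRECTORY):
    """The one entry for the certificate holder; the guide wants exactly one match."""
    r = map_certificate(mappings, name, subject_dn, directory)
    if len(r["matches"]) != 1:
        raise LookupError(f"{len(r['matches'])} entries matched {r['filter']} under {r['base']!r}")
    return r["matches"][0]

MAPPINGS = parse_certmap(CERTMAP_CONF)
```

Running map_certificate against the "default" mapping for a certificate with subject uid=jdoe, e=jdoe@example.com, ou=People, o=Example Corp, c=US yields the base o=Example Corp, c=US, the filter (&(e=jdoe@example.com)(uid=jdoe)) and one match. The "wholetree" mapping (DNComps present but empty) searches the whole directory with (uid=jdoe) and finds two jdoe entries, so resolve_user rejects the mapping as ambiguous, which is the situation the uniqueness advice above is meant to prevent. The "nodncomps" mapping uses the entire subject DN as the base, so it only succeeds when the certificate subject equals or contains the directory entry's DN.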
For a list of the x509v3 certificate attributes, see the following table: