
Liberty profile: LDAP certificate map mode

The certificate map mode specifies whether X.509 certificates are mapped to entries in an LDAP directory by EXACT_DN or by CERTIFICATE_FILTER in the Liberty profile.

EXACT_DN means that the DN in the certificate must exactly match the DN of the user entry in the LDAP server, including case and spaces. CERTIFICATE_FILTER means that the mapping uses the specified certificate filter instead.

Certificate filter

Specifies the certificate filter mapping property used to build the LDAP filter. The filter maps attributes in the client certificate to entries in the LDAP registry.

If more than one LDAP entry matches the filter specification at run time, authentication fails because the result is an ambiguous match. The syntax or structure of this filter is: LDAP attribute=${Client certificate attribute}.

An example of a simple certificate filter is: uid=${SubjectCN}.

We can also specify multiple properties and values as part of the certificate filter. The left side of the filter specification is an LDAP attribute that depends on the schema that your LDAP server is configured to use. The right side of the filter specification is one of the public attributes in your client certificate. The right side must begin with a dollar sign ($) and an opening brace ({) and end with a closing brace (}). The strings are case-sensitive.

The following LDAP attributes (left side) are supported:

  • uid
  • initials
  • sAMAccountName
  • displayName
  • distinguishedName
  • description

The following client certificate attributes (right side) are supported:

  • ${SubjectCN}
  • ${SubjectDN}
  • ${IssuerCN}
  • ${IssuerDN}
  • ${SerialNumber}

An example of an LDAP configuration with certificate filter mode enabled:

<ldapRegistry id="ldap" realm="SampleLdapIDSRealm" 
      host="myldap.ibm.com" port="389" ignoreCase="true" 
      baseDN="o=ibm,c=us" 
      certificateMapMode="CERTIFICATE_FILTER" 
      certificateFilter="uid=${SubjectCN}" 
      userFilter="(&amp;(uid=%v)(objectclass=ePerson))" 
      groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfNames)
          (objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))" 
      userIdMap="*:uid" 
      groupIdMap="*:cn" 
      groupMemberIdMap="ibm-allGroups:member;ibm-allGroups:uniqueMember;
          groupOfNames:member;groupOfUniqueNames:uniqueMember" 
      ldapType="IBM Tivoli Directory Server" searchTimeout="8m" /> 
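The mapping rules above, worked through as an added Python example (not code from Liberty or from this page): it expands a certificateFilter specification for the right-hand placeholders the page lists, escapes certificate-supplied text per RFC 4515 so that a subject field containing filter metacharacters cannot change the structure of the query, evaluates the result against a constructed in-memory directory, and fails authentication on zero or ambiguous matches as the page describes. The multi-attribute form is assumed to be an ordinary parenthesised LDAP filter such as (&(uid=${SubjectCN})(initials=${IssuerCN})); the directory entries are constructed sample data.

```python
import re
# Placeholders the page lists as supported on the right-hand side of the filter (case-sensitive).
SUPPORTED_CERT_ATTRS = {"SubjectCN", "SubjectDN", "IssuerCN", "IssuerDN", "SerialNumber"}
PLACEHOLDER = re.compile(r"\$\{(\w+)\}")

def escape_filter_value(value):
    """RFC 4515 escaping: text taken from a certificate must not alter the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def expand_certificate_filter(spec, cert):
    """Substitute escaped certificate values for ${CertAttr} placeholders in the filter spec."""
    def substitute(m):
        if m.group(1) not in SUPPORTED_CERT_ATTRS:
            raise ValueError("unsupported certificate attribute: " + m.group(1))
        return escape_filter_value(cert[m.group(1)])
    expanded = PLACEHOLDER.sub(substitute, spec)
    # A bare 'attr=value' pair becomes a single LDAP equality clause.
    return expanded if expanded.startswith("(") else "(" + expanded + ")"

def _split_clauses(body):
    """Split '(a=1)(b=2)' into its top-level parenthesised clauses."""
    clauses, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        depth += (ch == "(") - (ch == ")")
        if depth == 0 and ch == ")":
            clauses.append(body[start:i + 1])
            start = i + 1
    return clauses

def _matches(flt, entry):
    """Evaluate the filter subset used here: (attr=value) equality and (&...) conjunction."""
    body = flt[1:-1]
    if body.startswith("&"):
        return all(_matches(c, entry) for c in _split_clauses(body[1:]))
    attr, _, value = body.partition("=")
    # Undo RFC 4515 escaping so the comparison is against the literal certificate text.
    value = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return entry.get(attr) == value

def map_certificate(spec, cert, directory):
    """Return the single DN matching the expanded filter; zero or several matches fail authentication."""
    flt = expand_certificate_filter(spec, cert)
    hits = [dn for dn, entry in directory.items() if _matches(flt, entry)]
    if len(hits) != 1:
        raise PermissionError("authentication failed: %d entries match %s" % (len(hits), flt))
    return hits[0]

DIRECTORY = {  # constructed sample directory, not data from a real LDAP server
    "uid=jdoe,o=ibm,c=us": {"uid": "jdoe", "initials": "JD", "displayName": "John Doe"},
    "uid=jsmith,o=ibm,c=us": {"uid": "jsmith", "initials": "JS", "displayName": "John Doe"},
}
```

A filter on displayName alone fails for this directory because two entries share the value; adding a second clause makes the match unambiguous.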

