User mapping rules evaluator

The user mapping rules evaluator evaluates the user mapping rules within the constraints required by the user mapping engine. The rules are supplied to the CDAS in a configuration file.

The user mapping rules evaluator takes the rule policy together with the XML representation of the certificate and passes both to the XSL processor for evaluation.

The input to the transformation is the XML representation of the client certificate (as defined above). The XSL transformation rules decide how the Security Verify Access user name is derived from the supplied certificate information. Two inputs are used when making the decision: the XML representation of the certificate and the XSL rule policy.

The output of the decision is a single string, which is used to determine the Security Verify Access user identity.

The user mapping engine expects the rules evaluation to return one of the string forms listed below. The exclamation point (!) delimiters let the evaluator recognize an errant result: if an XSL rule is written incorrectly and the evaluation returns something that does not match one of these forms, the engine can detect it rather than silently accept a wrong identity.

The string must conform to one of the following definitions:

!free format text!
    Free format text, which can also include elements taken from the source XML. The string is used directly as the Security Verify Access user identity. For example:

    !cn=testuser,o=ibm,c=au!

    !<xsl:value-of select="stsuuser:Attribute[@name='SerialNumber']/stsuuser:Value"/>!

!userreg base='%base%' attr='%name%'!%ldap-search-filter%!
    The user registry is searched for the Security Verify Access user identity, under the base DN given by base, using the supplied search filter. The attr value names the LDAP attribute that holds the Security Verify Access user identity. The search filter must conform to RFC 2254 (since superseded by RFC 4515). Values copied from the certificate into the filter should not contain LDAP filter metacharacters such as *, (, ) and \ unless they are escaped as described in RFC 4515; unescaped, they change the structure of the filter rather than being matched literally. For example:

    !userreg base='o=ibm,c=au' attr='cn'!(&amp;(objectClass=ePerson)(serialNum=<xsl:value-of select="stsuuser:Attribute[@name='SerialNumber']/stsuuser:Value"/>))!

!no-matching-rule!
    No matching rule was found for the supplied client certificate. If this string is returned from the rule evaluation, the CDAS returns an error. For example:

    !no-matching-rule!

The ampersand (&) character cannot appear unescaped in an XSLT document; it causes an error when the stylesheet is processed. It must be written as &amp; in the stylesheet, as in the userreg example above.
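As an added example (not IBM's code and not part of the original page), the following Python stand-in walks the round trip described above: it flattens a constructed stsuuser-style XML document of the kind the XPath expressions select from, simulates the page's serial-number userreg rule with RFC 4515 escaping applied to the certificate value, and then does the engine's job of classifying the returned string into the three documented forms, rejecting anything that is not properly delimited. The namespace URI, the sample certificate, the function names and the simulated rule are all assumptions; the real evaluator runs an XSL transformation, which is replaced here by a Python function so the block runs with the standard library only.

```python
"""Stand-in for the rules-evaluator round trip: certificate XML -> rule -> engine.

Added example, not IBM's code. The XSL transformation is simulated by a small
Python function; the stsuuser namespace URI and the sample certificate are
constructed assumptions.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# ASSUMPTION: namespace used by the certificate's XML representation.
STSUUSER_NS = "urn:ibm:names:ITFIM:1.0:stsuuser"

# Constructed sample: the XML form of a client certificate, reduced to two
# attributes. The serial number deliberately contains an LDAP metacharacter.
SAMPLE_CERT_XML = f"""<stsuuser:STSUniversalUser xmlns:stsuuser="{STSUUSER_NS}">
  <stsuuser:Principal>
    <stsuuser:Attribute name="SerialNumber"><stsuuser:Value>4f*29</stsuuser:Value></stsuuser:Attribute>
    <stsuuser:Attribute name="SubjectDN"><stsuuser:Value>cn=testuser,o=ibm,c=au</stsuuser:Value></stsuuser:Attribute>
  </stsuuser:Principal>
</stsuuser:STSUniversalUser>"""


def certificate_attributes(xml_text: str) -> dict:
    """Flatten stsuuser:Attribute/stsuuser:Value pairs (the nodes the XSL selects)."""
    root = ET.fromstring(xml_text)
    ns = {"stsuuser": STSUUSER_NS}
    return {
        node.get("name"): node.findtext("stsuuser:Value", default="", namespaces=ns)
        for node in root.iterfind(".//stsuuser:Attribute", ns)
    }


# RFC 4515 (successor to RFC 2254) escaping for values placed inside a filter.
# Applied to certificate values, it keeps * ( ) \ from changing the filter's shape.
_LDAP_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_filter_escape(value: str) -> str:
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def serial_number_rule(attrs: dict, base: str = "o=ibm,c=au", attr: str = "cn") -> str:
    """Python stand-in (assumption) for the page's userreg XSL rule.

    Maps on SerialNumber when present, otherwise signals that no rule matched.
    The XSL source spells the filter's '&' as '&amp;'; this simulation emits
    the evaluated string with a literal '&'.
    """
    serial = attrs.get("SerialNumber")
    if not serial:
        return "!no-matching-rule!"
    ldap_filter = f"(&(objectClass=ePerson)(serialNum={ldap_filter_escape(serial)}))"
    return f"!userreg base='{base}' attr='{attr}'!{ldap_filter}!"


class MappingRuleError(Exception):
    """Errant rule output: the engine must treat this as a mapping failure."""


@dataclass(frozen=True)
class FreeFormat:
    identity: str


@dataclass(frozen=True)
class UserRegSearch:
    base: str
    attr: str
    ldap_filter: str


@dataclass(frozen=True)
class NoMatchingRule:
    pass


_USERREG_DIRECTIVE = re.compile(r"^userreg base='([^']*)' attr='([^']*)'$")


def _balanced(ldap_filter: str) -> bool:
    """Cheap structural check: parentheses in the filter must nest properly."""
    depth = 0
    for ch in ldap_filter:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0


def parse_rule_output(result: str):
    """Classify the evaluator's string into one of the three documented forms."""
    text = result.strip()
    if len(text) < 2 or text[0] != "!" or text[-1] != "!":
        raise MappingRuleError(f"not delimited by '!': {result!r}")
    body = text[1:-1]
    if body == "no-matching-rule":
        return NoMatchingRule()
    if body.startswith("userreg "):
        # Only the first '!' separates directive from filter, so LDAP's own
        # NOT operator '(!(...))' inside the filter is left intact.
        directive, sep, ldap_filter = body.partition("!")
        match = _USERREG_DIRECTIVE.match(directive)
        if not (sep and match and ldap_filter and _balanced(ldap_filter)):
            raise MappingRuleError(f"malformed userreg directive: {result!r}")
        return UserRegSearch(match.group(1), match.group(2), ldap_filter)
    if not body or "!" in body:
        raise MappingRuleError(f"free-format identity empty or contains '!': {result!r}")
    return FreeFormat(body)


if __name__ == "__main__":
    attrs = certificate_attributes(SAMPLE_CERT_XML)
    print(parse_rule_output(serial_number_rule(attrs)))
```

The parser deliberately refuses a free-format identity that contains an inner `!`, since that is exactly the shape a mis-written rule produces when two forms are concatenated; the parenthesis check on the userreg filter catches truncated output but not a value that smuggles in its own balanced clauses, which is why the escaping step in the rule is still needed.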

Parent topic: Client Certificate User Mapping