+

Search Tips   |   Advanced Search

LDAP certificate map mode

The certificate map mode is used to specify whether to map X.509 certificates into an LDAP directory by EXACT_DN or CERTIFICATE_FILTER in the Liberty profile.

The EXACT_DN means that the Distinguished Name (DN) in the certificate must exactly match the user entry in the LDAP server, including case and spaces. To use the specified certificate filter for the mapping, we can use the CERTIFICATE_FILTER.

Certificate filter

Filter certificate mapping property for the LDAP filter. The filter is used to map attributes in the client certificate to entries in the LDAP registry.

If more than one LDAP entry matches the filter specification at run time, authentication fails because the result is an ambiguous match. The syntax this filter is:

    LDAP attribute=${Client certificate attribute}

.

An example of a simple certificate filter is: uid=${SubjectCN}.

We can also specify multiple properties and values as part of a certificate filter. The LDAP attribute of the filter specification depends on the schema that the LDAP server is configured to use. The client certificate attribute is one of the public attributes in your client certificate. The client certificate attribute must begin with a dollar sign, $, and opening brace, {, and end with a closing brace, }. The attributes are case-sensitive.

The following LDAP attributes are supported:

  • uid

  • initials

  • sAMAccountName

  • displayName

  • distinguishedName

  • displayName

  • description

The following client certificate attributes are supported:

  • ${SubjectCN}

  • ${SubjectDN}

  • ${IssuerCN}

  • ${IssuerDN}

  • ${SerialNumber}

An example of an LDAP configuration with certificate filter mode enabled: 

<ldapRegistry id="LDAP" realm="SampleLdapIDSRealm" 
      host="myldap.ibm.com" port="389" ignoreCase="true" 
      baseDN="o=ibm,c=us" 
      certificateMapMode="CERTIFICATE_FILTER" 
      certificateFilter="uid=${SubjectCN}" 
      userFilter="(&amp;(uid=%v)(objectclass=ePerson))" 
      groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfNames)
          (objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))" 
      userIdMap="*:uid" 
      groupIdMap="*:cn" 
      groupMemberIdMap="ibm-allGroups:member;ibm-allGroups:uniqueMember;
          groupOfNames:member;groupOfUniqueNames:uniqueMember" 
      ldapType="IBM Tivoli Directory Server" searchTimeout="8m" />


Parent topic: Configure LDAP user registries with the Liberty profile