Oracle® Internet Directory Administrator's Guide,
10g Release 2 (10.1.2) B14082-02 |
Starting with 10g Release 2 (10.1.2), you can perform a command-line search of the binary attribute usercertificate.
Prior to 10g Release 2 (10.1.2.0.2), the only way to identify a user from a certificate was through the DN specified in the certificate. This is known as certificate matching. Starting with 10g Release 2 (10.1.2.0.2), Oracle Internet Directory supports certificate mapping in addition to certificate matching. Certificate matching requires that the user's certificate be provisioned in the directory, so that the presented certificate can be compared with a stored copy. Certificate mapping does not require provisioning of a user certificate: the directory derives the user's identity from the contents of the presented certificate, so the mapping rule itself becomes the basis of the identity decision and should rely only on certificate fields whose contents the issuing CA controls.
Certificate mapping lets you define rules that map a certificate to the user's DN. A certificate mapping rule specifies how to parse the certificate (which extension to read, identified by its OID) and how to query the directory for the user's identity (the search scope and filter). Only custom certificate extensions can be used in mapping rules; standard fields such as the subject DN are not available to a mapping rule.
The following examples show how to add, delete, and modify a certificate mapping rule. Add the usual bind options to each command (for example -D and -w for an administrator such as cn=orcladmin); modifying server configuration entries requires a privileged bind.
Adding a Certificate Mapping Rule
Add a mapping rule using ldapmodify, as follows:
ldapmodify -h hostName -p port_number -f certMapRuleAdd.ldif
The file certMapRuleAdd.ldif should look something like this (the explicit changetype: add line tells ldapmodify to create the entry rather than modify an existing one):
dn: cn=maprule1,cn=SASL-EXTERNAL,cn=Identity Mapping Configurations,cn=Server Configurations
changetype: add
cn: maprule1
objectclass: orclidmapping
objectclass: orclcertidmapping
orclSearchScope: subtree
orclSearchFilter: (cn=$\(2.16.750.5.14.2.81.2.5.1\))
orclcertExtensionOID: 2.16.750.5.14.2.81.2.5
orclcertExtensionAttribute: 2.16.750.5.14.2.81.2.5.1
In this rule, orclcertExtensionOID names the custom extension to read from the certificate, orclcertExtensionAttribute names the attribute within that extension, and the $\(...\) token in orclSearchFilter is replaced at run time by that attribute's value before the directory search is performed.
Deleting a Certificate Mapping Rule
Delete a mapping rule using ldapdelete, as follows:
ldapdelete -h hostName -p port_number "cn=maprule1,cn=SASL-EXTERNAL,cn=Identity Mapping Configurations,cn=Server Configurations"
Modifying a Certificate Mapping Rule
Modify a mapping rule using ldapmodify, as follows:
ldapmodify -h hostName -p port_number -f certMapRuleMod.ldif
The file certMapRuleMod.ldif should look something like this, where <attrName> is the mapping-rule attribute to change (for example orclSearchFilter) and <attrValue> is its new value:
dn: cn=maprule1,cn=SASL-EXTERNAL,cn=Identity Mapping Configurations,cn=Server Configurations
changetype: modify
replace: <attrName>
<attrName>: <attrValue>
You can use two kinds of ldapsearch filters:
A filter of the form "usercertificate=certificate_serial_number$certificate_issuer_DN". The combination of the certificate serial number and the certificate issuer's DN is used to locate the certificate. This combination is called the certificate match value. It identifies a single certificate without sending the whole certificate in the filter, because a CA must never issue two certificates with the same serial number.
A filter of the form "usercertificate;binary=base_64_encoded_value_of_certificate". With this filter, one of six types of searches is possible, depending upon two things:
The value of the DSA configuration set attribute orclpkimatchingrule (DN: "cn=dsaconfig,cn=configsets,cn=oracle internet directory").
The presence or absence of the LDAP control 2.16.840.1.113894.1.8.23 in the search request.
The six types of searches possible with a filter of the form "usercertificate;binary=base_64_encoded_value_of_certificate" are:
Presence of LDAP control | Value of orclpkimatchingrule | Search Behavior
---|---|---
Absent | Not used | The hashed value of the client certificate is used to locate usercertificate.
Present | 0 | An exact-match search is performed. The subject DN of the client certificate is the search base and is compared with the user DN in the directory. The search scope is Base and the filter is "objectclass=*".
Present | 1 | The hashed value of the client certificate is used to locate usercertificate.
Present | 2 (Default) | The hashed value of the client certificate is used to locate usercertificate. If this search yields nothing, an exact-match search is performed.
Present | 3 | The mapping rule is used.
Present | 4 | First, the mapping rule is used. If that search yields nothing, the search proceeds as if the value were 2.
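The following is an added example, not code from the Oracle documentation, showing how a client would build both filter values described above from a DER-encoded certificate: the certificate match value (serial$issuerDN) for the usercertificate filter, with RFC 4515 filter escaping applied, and the base64 value for the usercertificate;binary filter. Two things are assumptions, because the page does not state them: the serial number is written in decimal, and the issuer DN is written as an RFC 4514 string with the most specific RDN first. The certificate is constructed inside the block (an unsigned, dummy-key sample, enough structure to parse); the issuer names are invented.

```python
import base64

# Added example, not Oracle's code: build both ldapsearch filter values described
# above from a DER-encoded certificate. Assumptions not stated on the page: the
# serial number is written in decimal and the issuer DN as an RFC 4514 string
# (most specific RDN first). The sample certificate is constructed and unsigned.

# ---- minimal DER encoder, used only to construct the sample certificate ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body
def der_int(n):  # non-negative INTEGER; an extra leading 0x00 keeps the sign bit clear
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))

def der_name(rdns):  # Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value UTF8String }
    return tlv(0x30, b"".join(tlv(0x31, tlv(0x30, der_oid(o) + tlv(0x0C, v.encode())))
                              for o, v in rdns))

def build_sample_cert(serial, issuer_rdns):
    """Constructed v3 certificate: dummy key, all-zero signature, enough structure to parse."""
    alg = tlv(0x30, der_oid("1.2.840.113549.1.1.11") + tlv(0x05, b""))
    validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z"))
    spki = tlv(0x30, tlv(0x30, der_oid("1.2.840.113549.1.1.1") + tlv(0x05, b"")) + tlv(0x03, b"\x00\x00"))
    tbs = tlv(0x30, tlv(0xA0, der_int(2)) + der_int(serial) + alg + der_name(issuer_rdns)
              + validity + der_name([("2.5.4.3", "someone")]) + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 9))

# ---- minimal DER decoder ----
def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

ATTR_NAMES = {"2.5.4.3": "cn", "2.5.4.6": "c", "2.5.4.7": "l", "2.5.4.8": "st", "2.5.4.10": "o", "2.5.4.11": "ou"}

def decode_name(body):
    """Name as an RFC 4514 string: RDNs in reverse ASN.1 order, DN special characters escaped."""
    rdns, pos = [], 0
    while pos < len(body):
        _, rdn, pos = read_tlv(body, pos)
        avas, p = [], 0
        while p < len(rdn):
            _, ava, p = read_tlv(rdn, p)
            _, oid, q = read_tlv(ava, 0)
            _, val, _ = read_tlv(ava, q)
            text = val.decode("utf-8")
            for ch in '\\,+"<>;':
                text = text.replace(ch, "\\" + ch)
            avas.append(ATTR_NAMES.get(decode_oid(oid), decode_oid(oid)) + "=" + text)
        rdns.append("+".join(avas))
    return ",".join(reversed(rdns))

def serial_and_issuer(der):
    _, cert, _ = read_tlv(der, 0)             # Certificate
    _, tbs, _ = read_tlv(cert, 0)             # tbsCertificate
    tag, body, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                           # optional [0] EXPLICIT version, skip it
        tag, body, pos = read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber")
    _, _, pos = read_tlv(tbs, pos)            # signature AlgorithmIdentifier
    _, issuer, _ = read_tlv(tbs, pos)         # issuer Name
    return int.from_bytes(body, "big", signed=True), decode_name(issuer)

def ldap_filter_escape(value):
    """RFC 4515: hex-escape the characters that have meaning inside a filter value."""
    for ch, esc in (("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\x00", "\\00")):
        value = value.replace(ch, esc)
    return value

def cert_match_value(der):  # serial$issuerDN, the "certificate match value"
    serial, issuer = serial_and_issuer(der)
    return f"{serial}${issuer}"

def match_filter(der):
    return "(usercertificate=" + ldap_filter_escape(cert_match_value(der)) + ")"
def binary_filter(der):
    return "(usercertificate;binary=" + base64.b64encode(der).decode("ascii") + ")"

# constructed sample issuer: c=US / o=Example Corp / cn=Example Issuing CA (ASN.1 order)
SAMPLE_ISSUER = [("2.5.4.6", "US"), ("2.5.4.10", "Example Corp"), ("2.5.4.3", "Example Issuing CA")]
```

Either string can be passed as the filter argument to ldapsearch against the user container. The filter escaping matters for the match-value form: an issuer DN containing parentheses or an asterisk would otherwise change the meaning of the filter rather than being compared literally.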
Use the ldapmodify tool to set orclpkimatchingrule to the desired value. Values 3 and 4 hand the identity decision to the mapping rule, which can resolve users that have no certificate provisioned, so review the rule's orclSearchFilter before enabling either of them.
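As an added example (not from the original page), the LDIF that sets orclpkimatchingrule to 3 so that only the mapping rule is used. The DN and attribute name are those given above; the value 3 is chosen for illustration.

```ldif
dn: cn=dsaconfig,cn=configsets,cn=oracle internet directory
changetype: modify
replace: orclpkimatchingrule
orclpkimatchingrule: 3
```

Apply it with the same ldapmodify -h hostName -p port_number -f file invocation shown for the mapping-rule examples, binding as a directory administrator.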