Oracle® Internet Directory Administrator's Guide,
10g Release 2 (10.1.2)
B14082-02

G Searching the Directory for User Certificates

Starting with 10g Release 2 (10.1.2), you can perform a command-line search of the binary attribute usercertificate.

Prior to 10g Release 2 (10.1.2.0.2), the only way to identify a user from the certificate was through the DN specified in the certificate. This is known as certificate matching. Starting with 10g Release 2 (10.1.2.0.2), Oracle Internet Directory supports certificate mapping, in addition to certificate matching. Certificate matching requires that a user certificate be provisioned in the directory. Certificate mapping does not require provisioning of a user certificate.

This chapter includes the following topics:

  • G.1 Certificate Mapping

  • G.2 Search Types

G.1 Certificate Mapping

Certificate mapping allows a customer to define rules for mapping the certificate to the user's DN. A certificate mapping rule is a set of rules for parsing the certificate and for querying the directory for the user's identity. Only custom extensions of certificates can be used in mapping rules.

The following examples show how to add, delete, and modify a certificate mapping rule.

Adding a Certificate Mapping Rule

Add a mapping rule using ldapmodify, as follows. Because the LDIF below carries no changetype line, pass the -a option so that ldapmodify adds a new entry rather than attempting to modify an existing one, and bind as a user permitted to write under cn=Server Configurations:

ldapmodify -h hostName -p port_number -a -f certMapRuleAdd.ldif

The file certMapRuleAdd.ldif should look something like this:

dn: cn=maprule1,cn=SASL-EXTERNAL,cn=Identity Mapping Configurations,cn=Server Configurations
cn: maprule1
objectclass: orclidmapping
objectclass: orclcertidmapping
orclSearchScope: subtree
orclSearchFilter: (cn=$\(2.16.750.5.14.2.81.2.5.1\))
orclcertExtensionOID: 2.16.750.5.14.2.81.2.5
orclcertExtensionAttribute: 2.16.750.5.14.2.81.2.5.1
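The LDIF above shows the rule syntax but not how the server evaluates it. The following added example (written for this page, not Oracle's code) models that evaluation: each $(oid) or, as written in the LDIF, $\(oid\) token in orclSearchFilter is replaced by the value of the named certificate extension attribute, and the resulting filter is what the directory is queried with. The model itself, the check_rule consistency check, and the extension values (a parser that pulls them out of a certificate is not shown; jdoe and the single asterisk are constructed) are assumptions. The point the example makes is that the substituted value must be escaped as RFC 4515 data, otherwise a certificate whose extension contains an asterisk turns a lookup of one user into a presence filter that matches every entry with a cn.

```python
import re

# RFC 4515 section 3: these characters must be hex-escaped inside an assertion value.
_SPECIAL = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def rfc4515_escape(value: str) -> str:
    """Escape a value so that it is matched literally inside an LDAP search filter."""
    return "".join(_SPECIAL.get(ch, ch) for ch in value)


# A substitution token of the form $(oid) or, as in the LDIF above, $\(oid\).
_TOKEN = re.compile(r"\$\\?\((?P<oid>[0-9]+(?:\.[0-9]+)*)\\?\)")


def expand_filter(template: str, ext_values: dict, escape: bool = True) -> str:
    """Replace every $(oid) token with the extension attribute value for that OID.

    escape=False is only here to show what goes wrong without RFC 4515 escaping.
    """
    def _sub(match):
        oid = match.group("oid")
        if oid not in ext_values:
            raise KeyError("certificate carries no extension attribute %s" % oid)
        value = ext_values[oid]
        return rfc4515_escape(value) if escape else value
    return _TOKEN.sub(_sub, template)


def check_rule(rule: dict) -> list:
    """Assumed sanity check for a mapping rule entry before it is loaded.

    The filter must reference exactly the attribute named in
    orclcertExtensionAttribute, otherwise there is nothing to substitute.
    Returns a list of problems; an empty list means the rule is consistent.
    """
    problems = []
    referenced = set(_TOKEN.findall(rule.get("orclSearchFilter", "")))
    attr = rule.get("orclcertExtensionAttribute")
    if not referenced:
        problems.append("orclSearchFilter contains no $(oid) substitution token")
    elif referenced != {attr}:
        problems.append("orclSearchFilter references %s but orclcertExtensionAttribute is %s"
                        % (", ".join(sorted(referenced)), attr))
    return problems


# The rule from the LDIF above, as a dict (attribute values copied from the page).
MAPRULE1 = {
    "orclSearchScope": "subtree",
    "orclSearchFilter": r"(cn=$\(2.16.750.5.14.2.81.2.5.1\))",
    "orclcertExtensionOID": "2.16.750.5.14.2.81.2.5",
    "orclcertExtensionAttribute": "2.16.750.5.14.2.81.2.5.1",
}

# Constructed extension attribute values, keyed by OID, as a certificate parser
# would hand them over. Both values are made up for this example.
GOOD_CERT = {"2.16.750.5.14.2.81.2.5.1": "jdoe"}
HOSTILE_CERT = {"2.16.750.5.14.2.81.2.5.1": "*"}

if __name__ == "__main__":
    assert check_rule(MAPRULE1) == []
    print(expand_filter(MAPRULE1["orclSearchFilter"], GOOD_CERT))                 # (cn=jdoe)
    print(expand_filter(MAPRULE1["orclSearchFilter"], HOSTILE_CERT, escape=False))  # (cn=*)
    print(expand_filter(MAPRULE1["orclSearchFilter"], HOSTILE_CERT))               # (cn=\2a)
```

The escaped form (cn=\2a) matches only an entry whose cn is literally an asterisk, which is the intended exact lookup; the unescaped (cn=*) is a presence filter. Whatever evaluates a mapping rule has to treat the extension value as data in this way, and check_rule catches the other common mistake, a filter token that names an OID the rule never extracts.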

Deleting a Certificate Mapping Rule

Delete a mapping rule using ldapdelete, as follows (note the -h option before the host name):

ldapdelete -h hostName -p port_number "cn=maprule1,cn=SASL-EXTERNAL,cn=Identity Mapping Configurations,cn=Server Configurations"

Modifying a Certificate Mapping Rule

Modify a mapping rule using ldapmodify, as follows:

ldapmodify -h hostName -p  port_number -f certMapRuleMod.ldif

The file certMapRuleMod.ldif should look something like this:

dn: cn=maprule1,cn=SASL-EXTERNAL,cn=Identity Mapping Configurations,cn=Server Configurations
changetype: modify
replace: <attrName>
<attrName>: <attrValue>

Here <attrName> is one of the mapping-rule attributes shown in the add example (orclSearchScope, orclSearchFilter, orclcertExtensionOID or orclcertExtensionAttribute) and <attrValue> is its new value.

G.2 Search Types

You can use two kinds of ldapsearch filters: an exact-match filter, in which the assertion value is the certificate itself and is compared with the stored usercertificate value, and a hash filter, in which certificate hash values are compared. These correspond to the ct_orclcertificatematch and ct_orclcertificatehash catalogs mentioned in the notes below.


Notes:

  • The usercertificate attribute cannot be searched using a substring filter.

  • In an exact-match search, the search filter can contain only one attribute value assertion.

  • Only one-level and subtree searches are supported.

  • The catalog.sh tool does not support the catalogs for user certificates, namely ct_orclcertificatehash and ct_orclcertificatematch.

  • The introduction in 10g Release 2 (10.1.2) of certificate hash values requires that certificates be upgraded from earlier releases. See the "upgradecert.pl" command-line tool reference in Oracle Identity Management User Reference.
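The exact-match search above takes a binary certificate as the filter value, and the notes list several things that search must not do. The following added example (written for this page, not Oracle's code) builds the RFC 4515 exact-match filter from a PEM file and pre-checks a search against the constraints in the notes before it is sent. The DER bytes are constructed and are not a real certificate; the scope names base/one/sub and the ldapsearch command line in the final comment are assumed from the usual ldapsearch conventions and the -h/-p options used with ldapmodify earlier on this page. The hash form of the search is not shown, because the page does not say how the hash value is encoded.

```python
import base64
import re

# Constructed bytes standing in for a DER certificate (not a valid X.509 blob).
# They include 0x2a '*', 0x28 '(' and 0x29 ')' to show that raw DER cannot be
# dropped into a filter unescaped.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x2a, 0x02, 0x01, 0x00, 0x29, 0x28])
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and return the DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def exact_match_filter(der: bytes, attr: str = "usercertificate") -> str:
    """Build an RFC 4515 equality filter whose assertion value is the raw DER.

    Every octet is written as a backslash followed by two hex digits, which RFC 4515
    allows for any byte, so octets such as 0x2a ('*') or 0x28 ('(') can never be
    misread as filter syntax.
    """
    return "(%s=%s)" % (attr, "".join("\\%02x" % b for b in der))


# One attribute value assertion with no nested parentheses: (attr=value)
_SINGLE_AVA = re.compile(r"^\(([A-Za-z][A-Za-z0-9.;-]*)=([^()]*)\)$")


def check_search(search_filter: str, scope: str) -> list:
    """Return the constraints from the notes that this search would violate.

    An empty list means the search is acceptable. Scope names follow the usual
    ldapsearch -s values base/one/sub (assumed; only one and sub are supported).
    """
    problems = []
    if scope not in ("one", "sub"):
        problems.append("scope %r not supported; only one-level and subtree searches are" % scope)
    m = _SINGLE_AVA.match(search_filter)
    if not m:
        problems.append("exact-match search must contain a single attribute value assertion")
        return problems
    attr, value = m.group(1).lower(), m.group(2)
    # A raw '*' makes this a substring or presence filter; an escaped byte (\2a) does not.
    if attr == "usercertificate" and "*" in value:
        problems.append("usercertificate cannot be searched with a substring filter")
    return problems


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    flt = exact_match_filter(der)
    print(flt)                        # (usercertificate=\30\82\01\2a\02\01\00\29\28)
    print(check_search(flt, "sub"))   # []
    # Assumed command line, using the -h/-p options shown with ldapmodify above:
    #   ldapsearch -h hostName -p port_number -b "" -s sub "<flt>"
```

Because every byte of the certificate is hex-escaped, the filter check passes for any certificate, while a hand-written filter such as (usercertificate=\30*) or a compound (&(cn=a)(usercertificate=\30)) is rejected before it reaches the server, matching the first two notes above.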