Liberty: LDAP certificate map mode

The certificate map mode is used to specify whether to map X.509 certificates into an LDAP directory by EXACT_DN or CERTIFICATE_FILTER in Liberty.

EXACT_DN means that the Distinguished Name (DN) in the certificate must exactly match the DN of the user entry in the LDAP server, including case and spaces. CERTIFICATE_FILTER means that the certificate filter you specify is used to map the certificate to the user entry.

Certificate filter
Specifies the filter certificate mapping property for the LDAP filter. The filter is used to map attributes in the client certificate to entries in the LDAP registry.
If more than one LDAP entry matches the filter specification at run time, authentication fails because the result is an ambiguous match. The syntax of this filter is:
LDAP attribute=${Client certificate attribute}

An example of a simple certificate filter is: uid=${SubjectCN}.

You can also specify multiple properties and values as part of a certificate filter. The LDAP attribute of the filter specification depends on the schema that your LDAP server is configured to use. The client certificate attribute is one of the public attributes in your client certificate. The client certificate attribute must begin with a dollar sign, $, and opening brace, {, and end with a closing brace, }. The attributes are case-sensitive.
The following LDAP attributes are supported:
  • uid
  • initials
  • sAMAccountName
  • displayName
  • distinguishedName
  • description
The following client certificate attributes are supported:
  • ${SubjectCN}
  • ${SubjectDN}
  • ${IssuerCN}
  • ${IssuerDN}
  • ${SerialNumber}
An example of an LDAP configuration with certificate filter mode enabled:
<ldapRegistry id="LDAP" realm="SampleLdapIDSRealm" 
      host="myldap.ibm.com" port="389" ignoreCase="true" 
      baseDN="o=ibm,c=us" 
      certificateMapMode="CERTIFICATE_FILTER" 
      certificateFilter="uid=${SubjectCN}" 
      userFilter="(&amp;(uid=%v)(objectclass=ePerson))" 
      groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfNames)
          (objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))" 
      userIdMap="*:uid" 
      groupIdMap="*:cn" 
      groupMemberIdMap="ibm-allGroups:member;ibm-allGroups:uniqueMember;
          groupOfNames:member;groupOfUniqueNames:uniqueMember" 
      ldapType="IBM Tivoli Directory Server" searchTimeout="8m" /> 
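The mapping rules described above, as an added example that is not Liberty's own code: placeholders such as ${SubjectCN} are substituted with the certificate's values (placeholder names are case-sensitive and only the five listed names are accepted), the rendered filter is evaluated against a directory, and the mapping fails both when nothing matches and when more than one entry matches. EXACT_DN mode is shown alongside it as a plain, case- and whitespace-sensitive DN comparison. Assumptions: the certificate is represented as a dict of its public attributes, the directory as a dict of entry DN to attributes, the evaluator handles only the two filter shapes used here (attr=value and an AND of equalities), and the RFC 4515 escaping of substituted values is this example's own precaution, not a statement about what Liberty does internally.

```python
import re

# The five client certificate attributes the page lists as substitutable.
SUPPORTED_CERT_ATTRS = {"SubjectCN", "SubjectDN", "IssuerCN", "IssuerDN", "SerialNumber"}
PLACEHOLDER = re.compile(r"\$\{([^}]*)\}")

# Constructed sample client certificate (public attributes only).
SAMPLE_CERT = {
    "SubjectCN": "jdoe",
    "SubjectDN": "CN=jdoe,OU=Dev,O=IBM,C=US",
    "IssuerCN": "Example Corp CA",
    "IssuerDN": "CN=Example Corp CA,O=Example,C=US",
    "SerialNumber": "0A1B2C",
}

# Constructed sample directory: entry DN -> attributes (attribute names lower-case).
SAMPLE_DIRECTORY = {
    "uid=jdoe,o=ibm,c=us": {"uid": "jdoe", "cn": "John Doe", "objectclass": "ePerson"},
    "uid=asmith,o=ibm,c=us": {"uid": "asmith", "cn": "Ann Smith", "objectclass": "ePerson"},
}
# The same directory with a second entry whose uid collides with the first one.
AMBIGUOUS_DIRECTORY = dict(SAMPLE_DIRECTORY)
AMBIGUOUS_DIRECTORY["uid=jdoe,ou=contractors,o=ibm,c=us"] = {
    "uid": "jdoe", "cn": "Jane Doe", "objectclass": "ePerson"}


def escape_ldap_value(value):
    """RFC 4515 escaping (this example's own precaution): a certificate value that
    contains '*', '(', ')', '\\' or NUL must not change the structure of the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def render_certificate_filter(template, cert):
    """Replace each ${...} placeholder with the escaped certificate value.
    Placeholder names are case-sensitive and must be one of the supported names."""
    def substitute(match):
        name = match.group(1)
        if name not in SUPPORTED_CERT_ATTRS:
            raise ValueError("unsupported client certificate attribute: ${%s}" % name)
        return escape_ldap_value(cert[name])
    return PLACEHOLDER.sub(substitute, template)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_and_terms(filter_text):
    """Parse the two filter shapes used here, 'attr=value' and '(&(a=v)(b=w))',
    into a list of equality terms that must all hold (LDAP attribute names are
    case-insensitive, so they are normalised to lower-case)."""
    text = filter_text.strip()
    if text.startswith("(&") and text.endswith(")"):
        items = re.findall(r"\(([^()=]+)=([^()]*)\)", text[2:-1])
    else:
        attr, _, value = text.partition("=")
        items = [(attr, value)]
    return [(attr.strip().lower(), _unescape(value)) for attr, value in items]


def map_certificate_filter(template, cert, directory):
    """CERTIFICATE_FILTER mode: exactly one entry must match; zero or several fail."""
    terms = parse_and_terms(render_certificate_filter(template, cert))
    matches = [dn for dn, attrs in directory.items()
               if all(attrs.get(attr) == value for attr, value in terms)]
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise LookupError("no LDAP entry matches the certificate filter")
    raise LookupError("ambiguous match: %d entries match the certificate filter" % len(matches))


def map_exact_dn(cert, directory):
    """EXACT_DN mode: the subject DN must equal an entry DN, case and spaces included."""
    dn = cert["SubjectDN"]
    if dn in directory:
        return dn
    raise LookupError("no LDAP entry DN exactly matches the certificate subject DN")


if __name__ == "__main__":
    print(render_certificate_filter("uid=${SubjectCN}", SAMPLE_CERT))
    print(map_certificate_filter("uid=${SubjectCN}", SAMPLE_CERT, SAMPLE_DIRECTORY))
    try:
        map_certificate_filter("uid=${SubjectCN}", SAMPLE_CERT, AMBIGUOUS_DIRECTORY)
    except LookupError as err:
        print("authentication fails:", err)
```

Running the block shows the rendered filter uid=jdoe resolving to a single entry, and the same filter failing against the directory that holds two entries with uid jdoe, which is the ambiguous-match failure the text describes. A certificate whose CN contains filter metacharacters renders as an escaped literal (for example j*(doe) becomes j\2a\28doe\29), so it can only ever match an entry that literally carries that value.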


File name: rwlp_sec_ldap_certmap.html