Fix Pack 8501

Liberty profile: LDAP certificate map mode

The certificate map mode is used to specify whether to map X.509 certificates into an LDAP directory by EXACT_DN or CERTIFICATE_FILTER in the Liberty profile.

EXACT_DN means that the Distinguished Name (DN) in the certificate must exactly match the DN of the user entry in the LDAP server, including case and spaces. CERTIFICATE_FILTER means that the certificate is mapped to a user entry by using the certificate filter that you specify.

Certificate filter
Specifies the filter certificate mapping property for the LDAP filter. The filter is used to map attributes in the client certificate to entries in the LDAP registry.
If more than one LDAP entry matches the filter specification at run time, authentication fails because the result is an ambiguous match. The syntax of this filter is:
LDAP attribute=${Client certificate attribute}

An example of a simple certificate filter is: uid=${SubjectCN}.

You can also specify multiple properties and values as part of a certificate filter. The left side of the filter specification is an LDAP attribute that depends on the schema that your LDAP server is configured to use. The right side of the filter specification is one of the public attributes in your client certificate. The right side must begin with a dollar sign ($) and open brace ({) and end with a close brace (}). The attributes are case sensitive.
The following LDAP attributes (left side) are supported:
  • uid
  • initials
  • sAMAccountName
  • displayName
  • distinguishedName
  • description
The following client certificate attributes (right side) are supported:
  • ${SubjectCN}
  • ${SubjectDN}
  • ${IssuerCN}
  • ${IssuerDN}
  • ${SerialNumber}
An example of an LDAP configuration with certificate filter mode enabled:
<ldapRegistry id="LDAP" realm="SampleLdapIDSRealm" 
      host="myldap.ibm.com" port="389" ignoreCase="true" 
      baseDN="o=ibm,c=us" 
      certificateMapMode="CERTIFICATE_FILTER" 
      certificateFilter="uid=${SubjectCN}" 
      userFilter="(&amp;(uid=%v)(objectclass=ePerson))" 
      groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfNames)
          (objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))" 
      userIdMap="*:uid" 
      groupIdMap="*:cn" 
      groupMemberIdMap="ibm-allGroups:member;ibm-allGroups:uniqueMember;
          groupOfNames:member;groupOfUniqueNames:uniqueMember" 
      ldapType="IBM Tivoli Directory Server" searchTimeout="8m" /> 
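The mapping described above (placeholder expansion, then the requirement that exactly one entry matches) as an added Python example; it is not part of the Liberty profile or of this topic. It evaluates only AND-ed equality clauses against a constructed in-memory directory that stands in for the LDAP registry, treats a bare attr=${X} template as a single clause (an assumption), and escapes certificate values per RFC 4515 as a precaution the topic does not mention.

```python
import re
from typing import Dict, List, Optional

# Right-hand-side placeholders that the topic lists as supported (case sensitive).
SUPPORTED_CERT_ATTRS = {"SubjectCN", "SubjectDN", "IssuerCN", "IssuerDN", "SerialNumber"}
PLACEHOLDER = re.compile(r"\$\{(\w+)\}")
CLAUSE = re.compile(r"\(([\w-]+)=([^()]*)\)")   # one "(attr=value)" clause of a filter

class AmbiguousMatch(Exception):
    """More than one LDAP entry satisfied the filter, so authentication must fail."""

def escape_ldap_value(value: str) -> str:
    # RFC 4515 escaping so a certificate value cannot alter the filter's structure
    # (precaution added in this example; the topic does not describe escaping).
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def expand_certificate_filter(template: str, cert: Dict[str, str]) -> str:
    """Substitute ${...} placeholders with certificate values. A bare 'attr=${X}'
    template is wrapped in parentheses to form one filter clause (assumption)."""
    def substitute(m):
        name = m.group(1)
        if name not in SUPPORTED_CERT_ATTRS:
            raise ValueError(f"unsupported certificate attribute ${{{name}}}")
        return escape_ldap_value(cert[name])
    expanded = PLACEHOLDER.sub(substitute, template)
    return expanded if expanded.startswith("(") else f"({expanded})"

def map_certificate(template: str, cert: Dict[str, str], entries: List[dict],
                    ignore_case: bool = True) -> Optional[dict]:
    """Return the single entry satisfying every equality clause (AND semantics only),
    None when nothing matches, or raise AmbiguousMatch on more than one hit.
    ignore_case mirrors the ldapRegistry ignoreCase attribute; entries hold list values."""
    norm = str.lower if ignore_case else str
    clauses = CLAUSE.findall(expand_certificate_filter(template, cert))
    def satisfies(entry: dict) -> bool:
        return all(any(norm(escape_ldap_value(have)) == norm(want)
                       for have in entry.get(attr, []))
                   for attr, want in clauses)
    hits = [e for e in entries if satisfies(e)]
    if len(hits) > 1:
        raise AmbiguousMatch(f"{len(hits)} entries match {clauses}")
    return hits[0] if hits else None

# Constructed sample directory and certificate attributes (not from the page).
DIRECTORY = [
    {"dn": "uid=jdoe,o=ibm,c=us", "uid": ["jdoe"], "objectclass": ["ePerson"]},
    {"dn": "uid=JDOE,ou=ext,o=ibm,c=us", "uid": ["JDOE"], "objectclass": ["ePerson"]},
    {"dn": "uid=asmith,o=ibm,c=us", "uid": ["asmith"], "objectclass": ["ePerson"]},
]
CERT = {"SubjectCN": "asmith", "SubjectDN": "CN=asmith,O=IBM,C=US", "IssuerCN": "Corp CA",
        "IssuerDN": "CN=Corp CA,O=IBM,C=US", "SerialNumber": "1a2b3c"}
```

With ignoreCase="true", as in the sample configuration, the two constructed entries uid=jdoe and uid=JDOE both match a certificate whose SubjectCN is jdoe, which reproduces the ambiguous-match failure the topic describes.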




Last updated: Monday, 21 April 2014
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-nd-iseries&topic=rwlp_sec_ldap_certmap
File name: rwlp_sec_ldap_certmap.html