Chapter 8. Configuration File Reference
Most Directory Server features you configure are stored in the cn=config entry in the directory. However, for certain features, Directory Server reads settings from configuration files. This chapter describes these files and their settings.
8.1. certmap.conf
If you set up certificate-based authentication, the /etc/dirsrv/slapd-instance_name/certmap.conf file manages how Directory Server dynamically maps a certificate to a user entry.
The /etc/dirsrv/slapd-instance_name/certmap.conf file uses the following format:
certmap alias_name certificate_issuer_DN
alias_name:parameter_name value
You can specify individual settings for different certificate issuer Distinguished Names (DN). For issuer DNs that do not have a separate configuration, the settings from the default entry will be used. The following is the required minimum configuration for the default entry:
certmap default default
Additionally, you can set all available parameters for the default entry. Directory Server will use them if they are not specified in individual configurations for issuer DNs.
Example 8.1. Configuration for the default Entry and a Specific Issuer DN
The following configuration sets individual settings for certificates that have the o=Example Inc.,c=US issuer DN. Other certificates will use the settings from the default entry.
certmap default default
default:DNComps dc
default:FilterComps mail, cn
default:VerifyCert on

certmap example o=Example Inc.,c=US
example:DNComps
You can set the following parameters:
- DNComps
  The DNComps parameter determines how Directory Server generates the base DN used to search for a user in the directory:
  - If attributes in the subject field of the certificate match the base DN, set the DNComps parameter to these attributes. Separate multiple attributes with commas. However, the order of the attributes in the DNComps parameter must match the order in the subject of the certificate. For example, if your certificate's subject is e=user_name@example.com,cn=user_name,o=Example Inc.,c=US, and you want Directory Server to use cn=user_name,o=Example Inc.,c=US as the base DN when searching for the user, set the DNComps parameter to cn, o, c.
    Important: The values of the attributes set in the DNComps parameter must be unique in the database.
  - Set the parameter to an empty value if the base DN cannot be generated from the subject field of the certificate. In this situation, Directory Server searches for the user in the entire directory using a filter generated from the setting in the FilterComps parameter. For example, if the certificate's subject is e=user_name@example.com,cn=user_name,o=Example Inc.,c=US, but Directory Server stores its data in the dc=example,dc=com entry, Directory Server cannot generate a valid base DN from the subject of the certificate, because the required components are not part of the subject. In this case, set DNComps to an empty string to search for the user in the entire directory.
  - Comment out or do not set this parameter if either the subject field of the certificate exactly matches the DN of the user in Directory Server or you want to use the setting from the CmapLdapAttr parameter.
  - Alternatively, set the nsslapd-certmap-basedn parameter in the cn=config entry to use a hard-coded base DN.
- FilterComps
  This parameter sets which attributes from the subject field of the certificate Directory Server uses to generate the search filter to locate the user:
  - Set this parameter to a comma-separated list of attributes used in the certificate's subject. Directory Server will use these attributes in an AND operation in the filter.
    Note: Certificate subjects use the e attribute for the email address, which does not exist in the default Directory Server schema. For this reason, Directory Server automatically maps this attribute to the mail attribute. This means that if you use the mail attribute in the FilterComps parameter, Directory Server reads the value of the e attribute from the subject of the certificate.
    For example, if the subject of a certificate is e=user_name@example.com,cn=user_name,dc=example,dc=com,o=Example Inc.,c=US and you want to dynamically generate the (&(mail=username@domain)(cn=user_name)) filter, set the FilterComps parameter to mail,cn.
  - If the parameter is commented out or set to an empty value, the (objectclass=*) filter will be used.
- verifycert
  Directory Server always verifies that the certificate has been issued by a trusted Certificate Authority (CA). However, if you additionally set the verifycert parameter to on, Directory Server also verifies that the certificate matches the Distinguished Encoding Rules (DER)-formatted certificate stored in the userCertificate binary attribute of the user. If you do not set this parameter, verifycert is disabled.
- CmapLdapAttr
  If your user entries contain an attribute that stores the subject DN of the user certificate, set CmapLdapAttr to this attribute name. Directory Server will use this attribute and the subject DN to locate the user. In this case, no filter is generated based on the attributes in the FilterComps parameter.
- library
  Sets the path name to a shared library or Dynamic Link Library (DLL) file. Use this setting only if you create your own properties using the certificate API. This parameter is deprecated and will be removed in a future release.
- InitFn
  Sets the name of the init function if you use a custom library. Use this setting only if you create your own properties using the certificate API. This parameter is deprecated and will be removed in a future release.
When Directory Server searches for the matching user, the search must return exactly one entry. If the search returns multiple entries, Directory Server logs a multiple matches error and authentication fails.
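The DNComps, FilterComps and CmapLdapAttr rules above, as an added example that is not part of this reference or of Directory Server itself: a small Python parser for certmap.conf that computes the base DN and search filter for a given issuer and certificate subject exactly as those descriptions state. The certmap.conf content and the subjects are constructed; subject values containing escaped commas and LDAP filter escaping are not handled.

```python
"""Added example, not from the Directory Server documentation: parse a certmap.conf
and derive the base DN and search filter that the DNComps, FilterComps and
CmapLdapAttr descriptions define for a certificate subject."""
# Constructed certmap.conf content, modelled on Example 8.1.
CERTMAP_CONF = """\
certmap default default
default:DNComps dc
default:FilterComps mail, cn
default:VerifyCert on

certmap example o=Example Inc.,c=US
example:DNComps
"""

def parse_certmap(text):
    """Return {issuer_dn: {param_name_lowercase: value}} for every certmap entry."""
    issuer_of, params = {}, {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("certmap "):
            _, alias, issuer = line.split(None, 2)   # the issuer DN may contain spaces
            issuer_of[alias] = issuer
        else:
            key, _, value = line.partition(" ")     # "alias:Name value"; no value -> ""
            alias, _, name = key.partition(":")
            params.setdefault(alias, {})[name.lower()] = value.strip()
    return {issuer_of[a]: params.get(a, {}) for a in issuer_of}

def map_certificate(conf, issuer_dn, subject):
    """Apply the issuer's entry, falling back to the default entry for unset parameters."""
    p = dict(conf.get("default", {}))
    p.update(conf.get(issuer_dn, {}))
    # Certificate subjects use 'e' for the e-mail address; the schema attribute is 'mail'.
    comps = [("mail" if a.strip().lower() == "e" else a.strip().lower(), v.strip())
             for a, v in (part.split("=", 1) for part in subject.split(","))]
    def pick(csv):  # subject components named in a comma-separated setting, subject order kept
        wanted = {x.strip().lower() for x in csv.split(",") if x.strip()}
        return [(a, v) for a, v in comps if a in wanted]
    if "dncomps" not in p:          # commented out / unset: the subject is the user's DN
        base_dn = subject
    else:                           # an empty DNComps yields "" -> search the entire directory
        base_dn = ",".join(f"{a}={v}" for a, v in pick(p["dncomps"]))
    if p.get("cmapldapattr"):       # attribute storing the certificate subject DN
        ldap_filter = f"({p['cmapldapattr']}={subject})"
    else:
        terms = "".join(f"({a}={v})" for a, v in pick(p.get("filtercomps", "")))
        ldap_filter = f"(&{terms})" if terms else "(objectclass=*)"
    return {"base_dn": base_dn, "filter": ldap_filter,
            "verifycert": p.get("verifycert", "off").lower() == "on"}
```

Running it against the constructed file shows that the empty example:DNComps override yields an empty base DN (whole-directory search) while FilterComps and VerifyCert still come from the default entry.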
For further details, see the corresponding section in the Directory Server Administration Guide.