10.2. Components of an identity mapping rule in IdM


You configure several components when creating an identity mapping rule in IdM. Each component has a default value that you can override. You can define the components in either the web UI or the CLI. In the CLI, you create an identity mapping rule with the ipa certmaprule-add command.

Mapping rule

The mapping rule component associates (or maps) a certificate with one or more user accounts. The rule is an LDAP search filter, built from values taken from the certificate, that selects the intended user account.

Certificates issued by different certificate authorities (CAs) might have different properties and might be used in different domains. Therefore, IdM does not apply mapping rules unconditionally, but only to the appropriate certificates. The appropriate certificates are defined using matching rules.

Note that if you leave the mapping rule option empty, IdM instead searches for the certificate itself in the userCertificate attribute, as a DER-encoded binary value.

Define the mapping rule in the CLI using the --maprule option.

Matching rule

The matching rule component selects the certificates to which you want to apply the mapping rule. The default matching rule, <KU>digitalSignature<EKU>clientAuth, matches certificates with the digitalSignature key usage and the clientAuth extended key usage.

For the matching, the subject and issuer names, which are stored in DER-encoded ASN.1, are converted into strings according to RFC 4514. This means the most specific name component (typically CN) comes first, which is the reverse of the encoding order that tools such as openssl x509 print by default.

Define the matching rule in the CLI using the --matchrule option.

For example, running ipa certmaprule-mod with the matching rule <ISSUER>C=US,O=EXAMPLE.COM,CN=Global CA1 does not match a certificate whose issuer is printed as issuer=C=US,O=EXAMPLE.COM,CN=Global CA1, because the printed form lists the components in encoding order rather than in RFC 4514 order.

The correct syntax for the matching rule is <ISSUER>CN=Global CA1,O=EXAMPLE.COM,C=US, in which the more specific components CN and O come before C, for example:

# ipa certmaprule-mod "Certificate mapping match" --matchrule '<ISSUER>CN=Global CA1,O=EXAMPLE.COM,C=US'
----------------------------------------------------------------------
Modified Certificate Identity Mapping Rule "Certificate mapping match"
----------------------------------------------------------------------
  Rule name: Certificate mapping match
  Mapping rule: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})
  Matching rule: <ISSUER>CN=Global CA1,O=EXAMPLE.COM,C=US
  Priority: 1
  Enabled: True

Domain list

The domain list specifies the identity domains in which you want IdM to search for users when processing identity mapping rules. If you leave the option unspecified, IdM searches for users only in the local domain to which the IdM client belongs.

Define the domain in the CLI using the --domain option.

Priority

When multiple rules are applicable to a certificate, the rule with the highest priority takes precedence. All other rules are ignored.

  • The lower the numerical value, the higher the priority of the identity mapping rule. For example, a rule with priority 1 has a higher priority than a rule with priority 2.
  • If a rule has no priority value defined, it has the lowest priority.

Define the mapping rule priority in the CLI using the --priority option.
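As an added example, not FreeIPA or SSSD code, the following Python models the decisions described in the matching rule, mapping rule and priority sections above on constructed data: rendering a name in RFC 4514 order so that an <ISSUER> rule is written the way IdM compares it, evaluating the <KU>, <EKU>, <SUBJECT> and <ISSUER> components of a matching rule, expanding the mapping rule template into the LDAP filter, and choosing among applicable rules by priority. The Cert and CertMapRule classes, the sample certificate and rules, the unanchored case-sensitive regular-expression search, the RFC 4515 escaping of substituted values, and the assumption that nss_x500 renders names in the same most-specific-first order as the output shown above are this example's own and are not stated on this page.

```python
"""Model of how an IdM certificate identity mapping rule is applied.

Added illustration, not FreeIPA or SSSD code. Class names, sample data and
the simplifications noted in comments are assumptions of this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

DN = List[Tuple[str, str]]   # (attribute, value) pairs in DER (encoding) order

DEFAULT_MATCH_RULE = "<KU>digitalSignature<EKU>clientAuth"
DEFAULT_MAP_RULE = "(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})"

# RFC 4514 section 2.4: characters that must be escaped inside an attribute value.
_RFC4514_SPECIAL = re.compile(r'([,+"\\<>;])')


def der_order_to_rfc4514(dn: DN) -> str:
    """Render a DN as an RFC 4514 string: most specific RDN first.

    The input order is the certificate's encoding order, which is also what
    `openssl x509 -issuer` prints by default (C=US, O=EXAMPLE.COM, CN=Global CA1);
    RFC 4514 reverses it.
    """
    rdns = []
    for attr, value in reversed(dn):
        esc = _RFC4514_SPECIAL.sub(r"\\\1", value)
        if value[:1] in (" ", "#"):            # leading space or '#' is escaped
            esc = "\\" + esc
        if len(value) > 1 and value[-1] == " ":  # so is a trailing space
            esc = esc[:-1] + "\\ "
        rdns.append(f"{attr}={esc}")
    return ",".join(rdns)


@dataclass
class Cert:
    """The parts of a certificate that matching and mapping rules look at."""
    issuer: DN
    subject: DN
    key_usage: Set[str]
    ext_key_usage: Set[str]


@dataclass
class CertMapRule:
    name: str
    match_rule: str = DEFAULT_MATCH_RULE
    map_rule: str = DEFAULT_MAP_RULE
    priority: Optional[int] = None   # None: no priority set, i.e. lowest priority
    enabled: bool = True


_COMPONENT = re.compile(r"<(KU|EKU|SUBJECT|ISSUER)>(.*?)(?=<(?:KU|EKU|SUBJECT|ISSUER)>|$)")


def matches(cert: Cert, match_rule: str) -> bool:
    """True if every component of the matching rule accepts the certificate.

    <KU>/<EKU> list usages that must all be present. <SUBJECT>/<ISSUER> are
    regular expressions searched, unanchored and case-sensitive (an assumption
    of this model), in the RFC 4514 form of the name.
    """
    for kind, arg in _COMPONENT.findall(match_rule):
        if kind in ("KU", "EKU"):
            have = cert.key_usage if kind == "KU" else cert.ext_key_usage
            if not set(arg.split(",")) <= have:
                return False
        else:
            name = cert.issuer if kind == "ISSUER" else cert.subject
            if not re.search(arg, der_order_to_rfc4514(name)):
                return False
    return True


def _ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping so a DN value cannot alter the filter structure."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)


def expand_map_rule(cert: Cert, map_rule: str) -> str:
    """Fill the {issuer_dn!nss_x500}/{subject_dn!nss_x500} templates to obtain
    the LDAP search filter. Assumption: the nss_x500 form uses the same
    most-specific-first order as the rule output shown on this page."""
    issuer = _ldap_filter_escape(der_order_to_rfc4514(cert.issuer))
    subject = _ldap_filter_escape(der_order_to_rfc4514(cert.subject))
    return map_rule.replace("{issuer_dn!nss_x500}", issuer).replace("{subject_dn!nss_x500}", subject)


def select_rule(cert: Cert, rules: List[CertMapRule]) -> Optional[CertMapRule]:
    """The enabled rule that matches the certificate and has the lowest priority
    value; rules without a priority rank after any rule that has one.
    Ties keep list order (the page defines no tie-break)."""
    applicable = [r for r in rules if r.enabled and matches(cert, r.match_rule)]
    if not applicable:
        return None
    return min(applicable, key=lambda r: (r.priority is None, r.priority or 0))


# Constructed sample: a client certificate issued by the CA from the example above.
SAMPLE_CERT = Cert(
    issuer=[("C", "US"), ("O", "EXAMPLE.COM"), ("CN", "Global CA1")],
    subject=[("C", "US"), ("O", "EXAMPLE.COM"), ("OU", "Users"), ("CN", "Jane Doe")],
    key_usage={"digitalSignature", "keyEncipherment"},
    ext_key_usage={"clientAuth", "emailProtection"},
)

SAMPLE_RULES = [
    # RFC 4514 order, as in the ipa certmaprule-mod output above.
    CertMapRule("Certificate mapping match",
                match_rule="<ISSUER>CN=Global CA1,O=EXAMPLE.COM,C=US", priority=1),
    # Encoding order: would win on priority (0 < 1) but never matches.
    CertMapRule("wrong order",
                match_rule="<ISSUER>C=US,O=EXAMPLE.COM,CN=Global CA1", priority=0),
    # Default matching rule and no priority: applies, but loses to priority 1.
    CertMapRule("catch-all"),
]

if __name__ == "__main__":
    print(der_order_to_rfc4514(SAMPLE_CERT.issuer))
    chosen = select_rule(SAMPLE_CERT, SAMPLE_RULES)
    print(chosen.name)
    print(expand_map_rule(SAMPLE_CERT, chosen.map_rule))
```

To check what a real certificate's issuer looks like in the order the matching rule expects, print it with openssl x509 -noout -issuer -nameopt RFC2253 -in cert.pem instead of the default output format; the RFC2253 name options reverse the components to most-specific-first.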

Certificate mapping rule example

To define, using the CLI, a certificate mapping rule called simple_rule that allows authentication with a certificate issued by the Smart Card CA of the EXAMPLE.ORG organization if the subject of that certificate matches a certmapdata entry in an IdM user account:

# ipa certmaprule-add simple_rule --matchrule '<ISSUER>CN=Smart Card CA,O=EXAMPLE.ORG' --maprule '(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})'
© 2026 Red Hat